release: v0.67.0 [main] (#9432)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>

.clang-format

@@ -1,5 +0,0 @@
----
-Language: Proto
-BasedOnStyle: Google
-AlignConsecutiveAssignments: true
-AlignConsecutiveDeclarations: true

.github/CODEOWNERS

@@ -15,8 +15,8 @@ pkg/cloud/                           @simar7 @nikpivkin
 pkg/iac/                             @simar7 @nikpivkin
 
 # Helm chart
-helm/trivy/ @afdesk
+helm/trivy/ @afdesk @simar7
 
 # Kubernetes scanning
-pkg/k8s/                         @afdesk
-docs/docs/target/kubernetes.md   @afdesk
+pkg/k8s/                         @afdesk @simar7
+docs/docs/target/kubernetes.md   @afdesk @simar7

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -10,7 +10,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description
@@ -117,7 +117,7 @@ body:
       description: Have you tried the following?
       options:
         - label: Run `trivy clean --all`
-        - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
+        - label: Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)
   - type: markdown
     attributes:
       value: |

.github/DISCUSSION_TEMPLATE/documentation.yml

@@ -7,7 +7,7 @@ body:
         Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
         Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description

.github/DISCUSSION_TEMPLATE/false-detection.yml

@@ -8,7 +8,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: input
     attributes:
       label: IDs
@@ -86,7 +86,7 @@ body:
     attributes:
       label: Checklist
       options:
-        - label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
+        - label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
         - label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
     validations:
       required: true

.github/DISCUSSION_TEMPLATE/ideas.yml

@@ -9,7 +9,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Description

.github/DISCUSSION_TEMPLATE/q-a.yml

@@ -9,7 +9,7 @@ body:
         
         **Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
         
-        Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
+        Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
   - type: textarea
     attributes:
       label: Question

.github/ISSUE_TEMPLATE/maintainer.md

@@ -0,0 +1,11 @@
+---
+name: Maintainer
+about: Create an issue by maintainers
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+## Are you a maintainer of the Trivy project?
+If not, please open [a discussion](https://github.com/aquasecurity/trivy/discussions); if you are, please review [the guideline](https://trivy.dev/latest/community/contribute/discussion/).

.github/actions/trivy-triage/helpers.js

@@ -1,6 +1,11 @@
+const patterns = {
+    Scanner: /### Scanner\r?\n\r?\n(.+)/,
+    Target: /### Target\r?\n\r?\n(.+)/,
+};
+
 module.exports = {
     detectDiscussionLabels: (discussion, configDiscussionLabels) => {
-        res = [];
+        const res = [];
         const discussionId = discussion.id;
         const category = discussion.category.name;
         const body = discussion.body;
@@ -8,15 +13,21 @@ module.exports = {
             console.log(`skipping discussion with category ${category} and body ${body}`);
             return [];
         }
-        const scannerPattern = /### Scanner\n\n(.+)/;
-        const scannerFound = body.match(scannerPattern);
-        if (scannerFound && scannerFound.length > 1) {
-            res.push(configDiscussionLabels[scannerFound[1]]);
-        }
-        const targetPattern = /### Target\n\n(.+)/;
-        const targetFound = body.match(targetPattern);
-        if (targetFound && targetFound.length > 1) {
-            res.push(configDiscussionLabels[targetFound[1]]);
+
+        for (const key in patterns) {
+            const match = body.match(patterns[key]);
+            if (match && match.length > 1 && match[1] !== "None") {
+                const val = configDiscussionLabels[match[1]];
+                if (val === undefined && match[1]) {
+                    console.warn(
+                        `Value for ${key.toLowerCase()} key "${
+                            match[1]
+                        }" not found in configDiscussionLabels`
+                    );
+                } else {
+                    res.push(val);
+                }
+            }
         }
         return res;
     },

.github/actions/trivy-triage/helpers.test.js

@@ -62,6 +62,17 @@ describe('trivy-triage', async function() {
       assert(labels.includes('ContainerImageLabel'));
       assert(labels.includes('VulnerabilityLabel'));
     });
+    it('detect scanner and target labels on windows', async function() {
+      const discussion = {
+        body: 'hello hello\r\nbla bla.\r\n### Scanner\r\n\r\nVulnerability\r\n### Target\r\n\r\nContainer Image\r\nbye bye.',
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
     it('not detect other labels', async function() {
       const discussion = {
         body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
@@ -73,6 +84,16 @@ describe('trivy-triage', async function() {
       assert(!labels.includes('FilesystemLabel'));
       assert(!labels.includes('MisconfigurationLabel'));
     });
+    it('ignores unmatched label values from body', async function() {
+      const discussion = {
+        body: '### Target\r\n\r\nNone\r\n\r\n### Scanner\r\n\r\nMisconfiguration', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert.deepStrictEqual(labels, ['MisconfigurationLabel']);
+    });
     it('process only relevant categories', async function() {
       const discussion = {
         body: 'hello world', 

.github/dependabot.yml

@@ -21,6 +21,8 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 3
     ignore:
       - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
     groups:

.github/pull_request_template.md

@@ -10,8 +10,8 @@
 Remove this section if you don't have related PRs.
 
 ## Checklist
-- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
-- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
+- [ ] I've read the [guidelines for contributing](https://trivy.dev/latest/community/contribute/pr/) to this repository.
+- [ ] I've followed the [conventions](https://trivy.dev/latest/community/contribute/pr/#title) in the PR title.
 - [ ] I've added tests that prove my fix is effective or that my feature works.
 - [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
 - [ ] I've added usage information (if the PR introduces new options)

.github/workflows/auto-close-issue.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close issue if user does not have write or admin permissions
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             // Get the issue creator's username
@@ -26,7 +26,7 @@ jobs:
             
             // If the user does not have write or admin permissions, leave a comment and close the issue
             if (permission !== 'write' && permission !== 'admin') {
-              const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
+              const commentBody = "Please see https://trivy.dev/latest/community/contribute/issue/";
               await github.rest.issues.createComment({
                 owner: context.repo.owner,
                 repo: context.repo.repo,

.github/workflows/auto-ready-for-review.yaml

@@ -0,0 +1,138 @@
+name: Auto Ready for Review
+
+on:
+  workflow_run:
+    workflows: ["Test", "Validate PR Title"]
+    types: [completed]
+
+jobs:
+  auto-ready-for-review:
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Get PR context
+        id: pr-context
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_BRANCH: |-
+            ${{
+              (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
+                && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
+                || github.event.workflow_run.head_branch
+            }}
+        run: |
+          echo "[INFO] Searching for PR with branch: ${PR_BRANCH}"
+          if gh pr view --repo "${{ github.repository }}" "${PR_BRANCH}" --json 'number' --jq '"number=\(.number)"' >> "${GITHUB_OUTPUT}"; then
+            echo "[INFO] PR found successfully"
+          else
+            echo "[INFO] No PR found for branch ${PR_BRANCH}, skipping"
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          fi
+          
+      - name: Check PR and all workflows status
+        if: steps.pr-context.outputs.skip != 'true'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const prNumber = ${{ steps.pr-context.outputs.number }};
+            console.log(`[INFO] Processing PR #${prNumber}`);
+            
+            // Get PR info
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber
+            });
+            
+            console.log(`[INFO] PR #${prNumber} - Draft: ${pr.draft}, Labels: ${pr.labels.map(l => l.name).join(', ')}`);
+            
+            // Check if PR has autoready label and is draft
+            const hasAutoreadyLabel = pr.labels.some(label => label.name === 'autoready');
+            
+            if (!pr.draft) {
+              console.log(`[INFO] PR #${prNumber} is not draft, skipping`);
+              return;
+            }
+            
+            if (!hasAutoreadyLabel) {
+              console.log(`[INFO] PR #${prNumber} doesn't have autoready label, skipping`);
+              return;
+            }
+            
+            // Get all workflow runs for this PR's head commit (head_sha)
+            const { data: workflowRuns } = await github.rest.actions.listWorkflowRunsForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head_sha: pr.head.sha,
+              per_page: 100
+            });
+            
+            console.log(`[INFO] Found ${workflowRuns.workflow_runs.length} workflow runs for PR #${prNumber}`);
+            
+            // Check workflow status
+            const runningWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.status === 'in_progress' || run.status === 'queued'
+            );
+            
+            const failedWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'failure' || run.conclusion === 'cancelled'
+            );
+            
+            const successfulWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'success'
+            );
+            
+            console.log(`[INFO] Workflow status - Running: ${runningWorkflows.length}, Failed: ${failedWorkflows.length}, Success: ${successfulWorkflows.length}`);
+            
+            if (runningWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows are still running: ${runningWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            if (failedWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows failed: ${failedWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            console.log(`[INFO] All workflows passed! Marking PR #${prNumber} as ready for review...`);
+            
+            // Mark PR as ready for review using GraphQL API
+            // Reference: https://github.com/orgs/community/discussions/70061
+            try {
+              const mutation = `
+                mutation MarkPullRequestReadyForReview($pullRequestId: ID!) {
+                  markPullRequestReadyForReview(input: { pullRequestId: $pullRequestId }) {
+                    pullRequest {
+                      id
+                      isDraft
+                      number
+                    }
+                  }
+                }
+              `;
+              
+              const updateResult = await github.graphql(mutation, {
+                pullRequestId: pr.node_id
+              });
+              
+              const isDraft = updateResult.markPullRequestReadyForReview.pullRequest.isDraft;
+              console.log(`[SUCCESS] PR #${prNumber} marked as ready for review. Draft status: ${isDraft}`);
+            } catch (error) {
+              console.log(`[ERROR] Failed to mark PR #${prNumber} as ready for review: ${error.message}`);
+              console.log(`[ERROR] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+              return;
+            }
+            
+            // Remove autoready label
+            try {
+              const labelResult = await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                name: 'autoready'
+              });
+              console.log(`[SUCCESS] autoready label removed from PR #${prNumber}. Status: ${labelResult.status}`);
+            } catch (error) {
+              console.log(`[WARNING] Could not remove autoready label from PR #${prNumber}: ${error.message}`);
+              console.log(`[WARNING] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+            }

.github/workflows/auto-update-labels.yaml

@@ -5,27 +5,22 @@ on:
       - 'misc/triage/labels.yaml'
     branches:
       - main
-env:
-  GO_VERSION: '1.22'
 jobs:
   deploy:
     name: Auto-update labels
     runs-on: ubuntu-latest
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          # cf. https://github.com/aquasecurity/trivy/pull/6711
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
-      - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: update labels
         env:

.github/workflows/backport.yaml

@@ -16,7 +16,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          PERMISSION=$(gh api /repos/$GITHUB_REPOSITORY/collaborators/$GITHUB_ACTOR/permission --jq '.permission')
           if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
            echo "is_maintainer=true" >> $GITHUB_OUTPUT
           else
@@ -36,13 +36,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Extract branch name
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
         run: |
-          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
           echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
 
       - name: Set up Git user
@@ -51,8 +53,9 @@ jobs:
           git config --global user.name "GitHub Actions"
 
       - name: Run backport script
-        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
         env:
           # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
           # This allows the created PR to trigger tests and other workflows
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"

.github/workflows/cache-test-assets.yaml

@@ -0,0 +1,98 @@
+name: Cache test assets
+# This workflow runs on the main branch to create caches that can be accessed by PRs.
+# GitHub Actions cache isolation restricts access:
+# - PRs can only restore caches from: current branch, base branch, and default branch (main)
+# - PRs cannot restore caches from sibling branches or other PR branches
+# - By creating caches on the main branch, all PRs can benefit from shared cache
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test-images:
+    name: Cache test images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore and save test images cache
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+
+      - name: Download test images
+        run: mage test:fixtureContainerImages
+
+  test-vm-images:
+    name: Cache test VM images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          source integration/testimages.ini
+          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore and save test VM images cache
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+
+      - name: Download test VM images
+        run: mage test:fixtureVMImages
+
+  lint-cache:
+    name: Cache lint results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Run golangci-lint for caching
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        with:
+          version: v2.4
+          args: --verbose
+        env:
+          GOEXPERIMENT: jsonv2

.github/workflows/cache-test-images.yaml

@@ -1,88 +0,0 @@
-name: Cache test images
-on:
-  schedule:
-    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
-  workflow_dispatch:
-
-jobs:
-  test-images:
-    name: Cache test images
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
-
-      - name: Generate image list digest
-        if: github.ref_name == 'main'
-        id: image-digest
-        run: |
-          source integration/testimages.ini
-          IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
-          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
-
-      ## We need to work with test image cache only for main branch
-      - name: Restore and save test images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
-        with:
-          path: integration/testdata/fixtures/images
-          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-
-
-      - name: Download test images
-        if: github.ref_name == 'main'
-        run: mage test:fixtureContainerImages
-
-  test-vm-images:
-    name: Cache test VM images
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
-
-      - name: Generate image list digest
-        if: github.ref_name == 'main'
-        id: image-digest
-        run: |
-          source integration/testimages.ini
-          IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
-          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
-
-      ## We need to work with test VM image cache only for main branch
-      - name: Restore and save test VM images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
-        with:
-          path: integration/testdata/fixtures/vm-images
-          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-vm-images-
-
-      - name: Download test VM images
-        if: github.ref_name == 'main'
-        run: mage test:fixtureVMImages

.github/workflows/canary.yaml

@@ -25,36 +25,43 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}
 
         # Upload artifacts
       - name: Upload artifacts (trivy_Linux-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_Linux-64bit
           path: dist/trivy_*_Linux-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_Linux-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_Linux-ARM64
           path: dist/trivy_*_Linux-ARM64.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_macOS-64bit
           path: dist/trivy_*_macOS-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy_macOS-ARM64
           path: dist/trivy_*_macOS-ARM64.tar.gz
-          if-no-files-found: error
+          if-no-files-found: error
+
+      - name: Delete cache after upload
+        run: |
+          gh cache delete "$CACHE_KEY" --repo "${{ github.repository }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CACHE_KEY: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}

.github/workflows/mkdocs-dev.yaml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -13,9 +13,6 @@ on:
       - main
     paths:
       - 'helm/trivy/**'
-  push:
-    tags:
-      - "v*"
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
@@ -25,27 +22,26 @@ env:
 jobs:
   # `test-chart` job starts if a PR with Helm Chart is created, merged etc.
   test-chart:
-    if: github.event_name != 'push'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: v3.14.4
       - name: Set up python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
           check-latest: true
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -56,32 +52,6 @@ jobs:
           sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
-  # `update-chart-version` job starts if a new tag is pushed
-  update-chart-version:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1.6
-        with:
-          fetch-depth: 0
-      - name: Set up Git user
-        run: |
-          git config --global user.email "actions@github.com"
-          git config --global user.name "GitHub Actions"
-
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
-
-      - name: Create a PR with Trivy version
-        run: mage helm:updateVersion
-        env:
-          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
-          # This allows the created PR to trigger tests and other workflows
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
 
   # `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
   publish-chart:
@@ -91,7 +61,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Install chart-releaser

.github/workflows/release-please.yaml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Release Please
         id: release
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0
         with:
           token: ${{ secrets.ORG_REPO_TOKEN }}
           target-branch: ${{ github.ref_name }}
@@ -47,14 +47,16 @@ jobs:
       - name: Extract version and PR number from commit message
         id: extract_info
         shell: bash
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: |
-          echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
-          echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
-          echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "version=$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "pr_number=$( echo "$COMMIT_MESSAGE" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
 
       - name: Tag release
         if: ${{ steps.extract_info.outputs.version }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
           script: |
@@ -68,7 +70,7 @@ jobs:
       # When v0.50.0 is released, a release branch "release/v0.50" is created.
       - name: Create release branch for patch versions
         if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
           script: |
@@ -96,7 +98,7 @@ jobs:
       # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
       - name: Remove the label from PR
         if: ${{ steps.extract_info.outputs.pr_number }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/release-pr-check.yaml

@@ -0,0 +1,21 @@
+name: Backport PR Check
+
+on:
+  pull_request:
+    branches:
+      - 'release/v*'
+
+jobs:
+  check-pr-author:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR author
+        id: check_author
+        env:
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        run: |
+          if [ "$PR_AUTHOR" != "aqua-bot" ]; then
+            echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
+            echo "::error::https://trivy.dev/latest/community/maintainer/backporting/"
+            exit 1
+          fi

.github/workflows/release.yaml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
           sudo apt-get -y install rpm reprepro createrepo-c distro-info
 
       - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ github.repository_owner }}/trivy-repo
           path: trivy-repo
@@ -55,3 +55,74 @@ jobs:
 
       - name: Create deb repository
         run: ci/deploy-deb.sh
+
+  # `update-chart-version` creates a new PR for updating the helm chart
+  update-chart-version:
+    needs: deploy-packages
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Create a PR with Trivy version
+        run: mage helm:updateVersion
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+  # `trigger-version-update` triggers the `update_version` workflow in the `trivy-telemetry` repository
+  # and the trivy-downloads repository.
+  trigger-version-update:
+    needs: deploy-packages
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Trigger update_version workflow in trivy-telemetry
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-telemetry \
+            --ref main \
+            --field version=${{ github.ref_name }}
+
+      - name: Trigger update_version workflow in trivy-downloads
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-downloads \
+            --ref main \
+            --field version=${{ github.ref_name }} \
+            --field artifact=trivy
+
+      - name: Trigger version update and release workflow in trivy-chocolatey
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run release.yml \
+            --repo ${{ github.repository_owner }}/trivy-chocolatey \
+            --ref main \
+            --field version=${{ github.ref_name }}

.github/workflows/reusable-release.yaml

@@ -14,7 +14,6 @@ on:
 
 env:
   GH_USER: "aqua-bot"
-  GO_VERSION: '1.22'
 
 jobs:
   release:
@@ -28,51 +27,51 @@ jobs:
       contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Cosign install
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Show available Docker Buildx platforms
         run: echo ${{ steps.buildx.outputs.platforms }}
 
       - name: Login to docker.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to ghcr.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ env.GH_USER }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to ECR
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
 
       - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
         with:
           args: mod -licenses -json -output bom.json
           version: ^v1
@@ -89,7 +88,7 @@ jobs:
           mkdir tmp    
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: v2.1.0
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -108,7 +107,7 @@ jobs:
       # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
       - name: Build and push
         if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           platforms: linux/amd64, linux/arm64
           file: ./Dockerfile.canary # path to Dockerfile
@@ -120,7 +119,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v4.0.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/roadmap.yaml

@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/backlog
           label-operator: AND
         id: add-backlog-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-backlog-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -28,14 +28,14 @@ jobs:
           field-values: Backlog
 
       # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/important-longterm
           label-operator: AND
         id: add-longterm-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-longterm-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -45,14 +45,14 @@ jobs:
           field-values: Important (long-term)
 
       # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/important-soon
           label-operator: AND
         id: add-soon-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-soon-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -62,14 +62,14 @@ jobs:
           field-values: Important (soon)
 
       # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
           labeled: kind/feature, priority/critical-urgent
           label-operator: AND
         id: add-urgent-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
         if: ${{ steps.add-urgent-issue.outputs.itemId }}
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25

.github/workflows/scan.yaml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/trivy-issue-action@v0.0.6
+        uses: knqyf263/trivy-issue-action@4466f52d1401b66dd2a2ab9e0c40cddc021829ec # v0.0.6
         with:
           assignee: knqyf263
           severity: CRITICAL

.github/workflows/semantic-pr.yaml

@@ -1,22 +1,23 @@
-name: "Lint PR title"
+name: "Validate PR Title"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
 
 jobs:
-  main:
+  validate:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Validate PR title
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          types: |
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          # Valid types
+          VALID_TYPES: |
             feat
             fix
             docs
@@ -29,13 +30,15 @@ jobs:
             chore
             revert
             release
-
-          scopes: |
+          # Valid scopes categorized by area
+          VALID_SCOPES: |
+            # Scanners
             vuln
             misconf
             secret
             license
 
+            # Targets
             image
             fs
             repo
@@ -46,6 +49,7 @@ jobs:
             vm
             plugin
 
+            # OS
             alpine
             wolfi
             chainguard
@@ -59,9 +63,14 @@ jobs:
             amazon
             suse
             photon
+            echo
             distroless
             windows
+            minimos
+            rootio
+            seal
 
+            # Languages
             ruby
             php
             python
@@ -71,7 +80,7 @@ jobs:
             java
             go
             c
-            c\+\+
+            c++
             elixir
             dart
             swift
@@ -79,29 +88,80 @@ jobs:
             conda
             julia
 
+            # Package types
             os
             lang
 
+            # IaC
             kubernetes
             dockerfile
             terraform
             cloudformation
 
+            # Container
             docker
             podman
             containerd
             oci
 
+            # SBOM
+            sbom
+            spdx
+            cyclonedx
+
+            # Misc
             cli
             flag
-
-            cyclonedx
-            spdx
             purl
             vex
-
             helm
             report
             db
             parser
             deps
+        run: |
+          set -euo pipefail
+
+          # Convert env vars to regex alternatives, excluding comments and empty lines
+          TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
+          SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
+
+          # Basic format check (should match: type(scope): description or type: description)
+          FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
+          if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
+            echo "Error: Invalid PR title format"
+            echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
+            echo "Examples:"
+            echo "  feat(vuln): add new vulnerability detection"
+            echo "  fix: correct parsing logic"
+            echo "  docs(kubernetes): update installation guide"
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Extract type and scope for validation
+          TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
+          SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
+
+          # Validate type
+          if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
+            echo "Error: Invalid type '${TYPE}'"
+            echo -e "\nValid types:"
+            echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Validate scope if present
+          if [ -n "$SCOPE" ]; then
+            if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
+              echo "Error: Invalid scope '${SCOPE}'"
+              echo -e "\nValid scopes:"
+              echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
+              echo -e "\nCurrent title: $PR_TITLE"
+              exit 1
+            fi
+          fi
+
+          echo "PR title validation passed ✅"
+          echo "Current title: $PR_TITLE"

.github/workflows/spdx-cron.yaml

@@ -0,0 +1,39 @@
+name: SPDX licenses cron
+on:
+  schedule:
+    - cron: '0 0 * * 0' # every Sunday at 00:00
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Check if SPDX exceptions
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Check if SPDX exceptions are up-to-date
+        id: exceptions_check
+        run: |
+          mage spdx:updateLicenseExceptions
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'mage spdx:updateLicenseExceptions' and push it"
+            echo "send_notify=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Microsoft Teams Notification
+        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88 # main
+        if: steps.exceptions_check.outputs.send_notify == 'true'
+        with:
+          webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
+          needs: ${{ toJson(needs) }}
+          job: ${{ toJson(job) }}
+          steps: ${{ toJson(steps) }}

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: 3.x
     - name: Install dependencies

.github/workflows/test.yaml

@@ -11,8 +11,6 @@ on:
   merge_group:
   workflow_dispatch:
 
-env:
-  GO_VERSION: '1.22'
 jobs:
   test:
     name: Test
@@ -21,12 +19,12 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
       - name: go mod tidy
@@ -40,10 +38,13 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v6.1.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
-          version: v1.61
-          args: --verbose --out-format=line-number
+          version: v2.4
+          args: --verbose
+          skip-save-cache: true  # Restore cache from main branch but don't save new cache
+        env:
+          GOEXPERIMENT: jsonv2
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Check if linter failed
@@ -53,10 +54,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Check if CLI references are up-to-date
         run: |
@@ -75,34 +73,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
         id: image-digest
         run: |
           source integration/testimages.ini
           IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/images
           key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-
 
       - name: Run integration tests
         run: mage test:integration
@@ -112,18 +106,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Run k8s integration tests
         run: mage test:k8s
@@ -133,34 +125,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
         id: image-digest
         run: |
           source integration/testimages.ini
           IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/images
           key: cache-test-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-images-
 
       - name: Run module integration tests
         shell: bash
@@ -172,39 +160,54 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.0.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
         id: image-digest
         run: |
           source integration/testimages.ini
           IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
-          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags | sort' | sha256sum | cut -d' ' -f1)
+          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Restore test VM images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: integration/testdata/fixtures/vm-images
           key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
-          restore-keys:
-            cache-test-vm-images-
 
       - name: Run vm integration tests
         run: |
           mage test:vm
 
+  e2e-test:
+    name: E2E Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Run E2E tests
+        run: mage test:e2e
+
   build-test:
     name: Build Test
     runs-on: ${{ matrix.operating-system }}
@@ -215,12 +218,12 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
     - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
         cache: false
 
     - name: Determine GoReleaser ID
@@ -236,7 +239,7 @@ jobs:
         fi
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       with:
         version: v2.1.0
         args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.github/workflows/triage.yaml

@@ -10,7 +10,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/trivy-triage
         with:
           discussion_num: ${{ github.event.inputs.discussion_num }}

.gitignore

@@ -26,6 +26,7 @@ thumbs.db
 coverage.txt
 integration/testdata/fixtures/images
 integration/testdata/fixtures/vm-images
+internal/gittest/testdata/test-repo
 
 # SBOMs generated during CI
 /bom.json

.golangci.yaml

@@ -1,144 +1,221 @@
-linters-settings:
-  depguard:
-    rules:
-      main:
-        list-mode: lax
-        deny:
-          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
-          - pkg: "golang.org/x/exp/slices"
-            desc: "Use 'slices' instead"
-          - pkg: "golang.org/x/exp/maps"
-            desc: "Use 'maps' or 'github.com/samber/lo' instead"
-  dupl:
-    threshold: 100
-  errcheck:
-    check-type-assertions: true
-    check-blank: true
-  gci:
-    sections:
-      - standard
-      - default
-      - prefix(github.com/aquasecurity/)
-      - blank
-      - dot
-  goconst:
-    min-len: 3
-    min-occurrences: 3
-  gocritic:
-    disabled-checks:
-      - appendAssign
-      - unnamedResult
-      - whyNoLint
-      - indexAlloc
-      - octalLiteral
-      - hugeParam
-      - rangeValCopy
-      - regexpSimplify
-      - sloppyReassign
-      - commentedOutCode
-    enabled-tags:
-      - diagnostic
-      - style
-      - performance
-      - experimental
-      - opinionated
-    settings:
-      ruleguard:
-        failOn: all
-        rules: '${configDir}/misc/lint/rules.go'
-  gocyclo:
-    min-complexity: 20
-  gofmt:
-    simplify: false
-    rewrite-rules:
-      - pattern: 'interface{}'
-        replacement: 'any'
-  gomodguard:
-    blocked:
-      modules:
-        - github.com/hashicorp/go-version:
-            recommendations:
-              - github.com/aquasecurity/go-version
-            reason: "`aquasecurity/go-version` is designed for our use-cases"
-        - github.com/Masterminds/semver:
-            recommendations:
-              - github.com/aquasecurity/go-version
-            reason: "`aquasecurity/go-version` is designed for our use-cases"
-  gosec:
-    excludes:
-      - G101
-      - G114
-      - G115
-      - G204
-      - G304
-      - G402
-  govet:
-    check-shadowing: false
-  misspell:
-    locale: US
-    ignore-words:
-      - behaviour
-      - licence
-      - optimise
-      - simmilar
-  revive:
-    ignore-generated-header: true
-  testifylint:
-    enable-all: true
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
 linters:
-  disable-all: true
+  settings:
+    depguard:
+      rules:
+        main:
+          list-mode: lax
+          deny:
+            # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+            - pkg: "golang.org/x/exp/slices"
+              desc: "Use 'slices' instead"
+            - pkg: "golang.org/x/exp/maps"
+              desc: "Use 'maps' or 'github.com/samber/lo' instead"
+            - pkg: "io/ioutil"
+              desc: "io/ioutil is deprecated. Use 'io' or 'os' instead"
+    dupl:
+      threshold: 100
+    errcheck:
+      check-type-assertions: true
+      check-blank: true
+    goconst:
+      min-len: 3
+      min-occurrences: 3
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - commentedOutCode
+        - hugeParam
+        - importShadow # FIXME
+        - indexAlloc
+        - rangeValCopy
+        - regexpSimplify
+        - sloppyReassign
+        - unnamedResult
+        - whyNoLint
+      enabled-tags:
+        - diagnostic
+        - style
+        - performance
+        - experimental
+        - opinionated
+      settings:
+        ruleguard:
+          failOn: all
+          rules: '${base-path}/misc/lint/rules.go'
+    gocyclo:
+      min-complexity: 20
+    gomodguard:
+      blocked:
+        modules:
+          - github.com/hashicorp/go-version:
+              recommendations:
+                - github.com/aquasecurity/go-version
+              reason: "`aquasecurity/go-version` is designed for our use-cases"
+          - github.com/Masterminds/semver:
+              recommendations:
+                - github.com/aquasecurity/go-version
+              reason: "`aquasecurity/go-version` is designed for our use-cases"
+          - github.com/liamg/memoryfs:
+              recommendations:
+                - github.com/aquasecurity/trivy/pkg/mapfs
+    gosec:
+      excludes:
+        - G101
+        - G114
+        - G115
+        - G204
+        - G304
+        - G402
+    govet:
+      disable:
+        - shadow
+    misspell:
+      locale: US
+      ignore-rules:
+        - behaviour
+        - licence
+        - optimise
+        - simmilar
+    perfsprint:
+      # Optimizes even if it requires an int or uint type cast.
+      int-conversion: true
+      # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
+      err-error: true
+      # Optimizes `fmt.Errorf`.
+      errorf: true
+      # Optimizes `fmt.Sprintf` with only one argument.
+      sprintf1: false
+      # Optimizes into strings concatenation.
+      strconcat: false
+    revive:
+      max-open-files: 2048
+      # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
+      rules:
+        - name: bool-literal-in-expr
+        - name: context-as-argument
+          arguments:
+            - allowTypesBefore: "*testing.T"
+        - name: duplicated-imports
+        - name: early-return
+          arguments:
+            - preserve-scope
+        - name: if-return
+        - name: increment-decrement
+        - name: indent-error-flow
+          arguments:
+            - preserve-scope
+        - name: range
+        - name: range-val-address
+        - name: superfluous-else
+          arguments:
+            - preserve-scope
+        - name: time-equal
+        - name: unnecessary-stmt
+        - name: unused-parameter
+        - name: use-any
+
+    staticcheck:
+      checks:
+        - all
+        - -QF1008 # Omit embedded fields from selector expression
+        - -S1007  # Simplify regular expression by using raw string literal
+        - -S1011  # Use a single append to concatenate two slices
+        - -S1023  # Omit redundant control flow
+        - -SA1019 # Using a deprecated function, variable, constant or field
+        - -SA1024 # A string cutset contains duplicate characters
+        - -SA4004 # The loop exits unconditionally after one iteration
+        - -SA4023 # Impossible comparison of interface value with untyped nil
+        - -SA4032 # Comparing runtime.GOOS or runtime.GOARCH against impossible value
+        - -SA5011 # Possible nil pointer dereference
+        - -ST1003 # Poorly chosen identifier
+        - -ST1012 # Poorly chosen name for error variable
+
+    testifylint:
+      enable-all: true
+
+  default: none
+
   enable:
     - bodyclose
     - depguard
-    - gci
     - goconst
     - gocritic
     - gocyclo
-    - gofmt
     - gomodguard
     - gosec
     - govet
     - ineffassign
     - misspell
+    - perfsprint
     - revive
-    - tenv
+    - staticcheck
     - testifylint
-    - typecheck
     - unconvert
     - unused
     - usestdlibvars
+    - usetesting
+
+  exclusions:
+    generated: lax
+    paths:
+      - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
+    rules:
+      - path: ".*_test.go$"
+        linters:
+          - goconst
+          - gosec
+          - unused
+      - path: ".*_test.go$"
+        linters:
+          - govet
+        text: "copylocks:"
+      - path: ".*_test.go$"
+        linters:
+          - gocritic
+        text: "commentFormatting:"
+      - path: ".*_test.go$"
+        linters:
+          - gocritic
+        text: "exitAfterDefer:"
+      - path: ".*_test.go$"
+        linters:
+          - gocritic
+        text: "importShadow:"
+      - linters:
+          - goconst
+        text: "string `each` has 3 occurrences, make it a constant"  # FIXME
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    warn-unused: true
 
 run:
-  go: '1.22'
+  go: '1.25'
   timeout: 30m
 
-issues:
-  exclude-files:
-    - "mock_*.go$"
-    - "examples/*"
-  exclude-dirs:
-    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
-  exclude-rules:
-    - path: ".*_test.go$"
-      linters:
-        - goconst
-        - gosec
-        - unused
-    - path: ".*_test.go$"
-      linters:
-        - govet
-      text: "copylocks:"
-    - path: ".*_test.go$"
-      linters:
-        - gocritic
-      text: "commentFormatting:"
-    - path: ".*_test.go$"
-      linters:
-        - gocritic
-      text: "exitAfterDefer:"
-    - path: ".*_test.go$"
-      linters:
-        - gocritic
-      text: "importShadow:"
-  exclude-use-default: false
-  max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofmt
+
+  exclusions:
+    generated: lax
+
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/aquasecurity/)
+        - blank
+        - dot
+    gofmt:
+      simplify: false
+
+version: "2"

.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.58.2"}
+{".":"0.67.0"}

.vex/trivy.openvex.json

@@ -540,6 +540,65 @@
       "status": "not_affected",
       "justification": "vulnerable_code_not_in_execute_path",
       "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3321",
+        "name": "GO-2024-3321",
+        "description": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto",
+        "aliases": [
+          "CVE-2024-45337",
+          "GHSA-v778-237x-gjrc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/crypto",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/crypto"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3333",
+        "name": "GO-2024-3333",
+        "description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2024-45338"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
     }
   ]
 }

CHANGELOG.md

@@ -1,27 +1,351 @@
 # Changelog
 
-## [0.58.2](https://github.com/aquasecurity/trivy/compare/v0.58.1...v0.58.2) (2025-01-13)
+## [0.67.0](https://github.com/aquasecurity/trivy/compare/v0.66.0...v0.67.0) (2025-09-30)
+
+
+### Features
+
+* add documentation URL for database lock errors ([#9531](https://github.com/aquasecurity/trivy/issues/9531)) ([eba48af](https://github.com/aquasecurity/trivy/commit/eba48afd583391cef346e45a176aa5a6d77b704f))
+* **cli:** change --list-all-pkgs default to true ([#9510](https://github.com/aquasecurity/trivy/issues/9510)) ([7b663d8](https://github.com/aquasecurity/trivy/commit/7b663d86ca65ee3eb332c857b77bfa18e6da56c4))
+* **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](https://github.com/aquasecurity/trivy/issues/9515)) ([42b3bf3](https://github.com/aquasecurity/trivy/commit/42b3bf37bb7d39139911843297c8b8ab3551c31a))
+* **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](https://github.com/aquasecurity/trivy/issues/9439)) ([aff03eb](https://github.com/aquasecurity/trivy/commit/aff03ebab2e7874dd997e20b4ec9962a41eae7bb))
+* **redhat:** add os-release detection for RHEL-based images ([#9458](https://github.com/aquasecurity/trivy/issues/9458)) ([cb25a07](https://github.com/aquasecurity/trivy/commit/cb25a074501c5cf48050fdf6a0ae7c85c4f385ea))
+* **sbom:** added support for CoreOS ([#9448](https://github.com/aquasecurity/trivy/issues/9448)) ([6d562a3](https://github.com/aquasecurity/trivy/commit/6d562a3b48926b6efd508e067e1059564173b270))
+* **seal:** add seal support ([#9370](https://github.com/aquasecurity/trivy/issues/9370)) ([e4af279](https://github.com/aquasecurity/trivy/commit/e4af279b29ed5b77ed1d62e31b232b1f9b92ef4f))
 
 
 ### Bug Fixes
 
-* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] ([#8215](https://github.com/aquasecurity/trivy/issues/8215)) ([b733ecc](https://github.com/aquasecurity/trivy/commit/b733ecc7bc752d61837d08f2650bd480b645bb1d))
-* **misconf:** allow null values only for tf variables [backport: release/v0.58] ([#8238](https://github.com/aquasecurity/trivy/issues/8238)) ([f72d2bc](https://github.com/aquasecurity/trivy/commit/f72d2bce8d3418dbcb670434bc15bb857b421f98))
-* **suse:** SUSE - update OSType constants and references for compatility [backport: release/v0.58] ([#8237](https://github.com/aquasecurity/trivy/issues/8237)) ([2896367](https://github.com/aquasecurity/trivy/commit/289636758eccf990f36ea2be34f6db2c02cfab6b))
+* **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](https://github.com/aquasecurity/trivy/issues/9436)) ([fa6f1bf](https://github.com/aquasecurity/trivy/commit/fa6f1bfecfb68c29ad4684a6fb5d86948c7d6887))
+* close file descriptors and pipes on error paths ([#9536](https://github.com/aquasecurity/trivy/issues/9536)) ([a4cbd6a](https://github.com/aquasecurity/trivy/commit/a4cbd6a1380b7b4dc650a312ec4e5bc47501f674))
+* **db:** Dowload database when missing but metadata still exists ([#9393](https://github.com/aquasecurity/trivy/issues/9393)) ([92ebc7e](https://github.com/aquasecurity/trivy/commit/92ebc7e4d72424c17d93c54e5f24891710c85a60))
+* **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](https://github.com/aquasecurity/trivy/issues/9534)) ([c0c7a6b](https://github.com/aquasecurity/trivy/commit/c0c7a6bf1b92c868ed44172b3cd15c51667b8a6e))
+* **misconf:** handle tofu files in module detection ([#9486](https://github.com/aquasecurity/trivy/issues/9486)) ([bfd2f6b](https://github.com/aquasecurity/trivy/commit/bfd2f6ba697c223d60a7378283293d8e1fc8a8fe))
+* **misconf:** strip build metadata suffixes from image history ([#9498](https://github.com/aquasecurity/trivy/issues/9498)) ([c938806](https://github.com/aquasecurity/trivy/commit/c9388069a4325a9f8bc53bc8a82ff46d84d06847))
+* **misconf:** unmark cty values before access ([#9495](https://github.com/aquasecurity/trivy/issues/9495)) ([8e40d27](https://github.com/aquasecurity/trivy/commit/8e40d27a43ecb96795a8a7d4a2444241fc7fce9a))
+* **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](https://github.com/aquasecurity/trivy/issues/9497)) ([267a970](https://github.com/aquasecurity/trivy/commit/267a9700fa233abe1a04eada8f3ea513f3ebacb3))
+* **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](https://github.com/aquasecurity/trivy/issues/9518)) ([404abb3](https://github.com/aquasecurity/trivy/commit/404abb3d91cb3b1c1ee027169de5a40e32ba8b8a))
+* **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](https://github.com/aquasecurity/trivy/issues/9330)) ([4517e8c](https://github.com/aquasecurity/trivy/commit/4517e8c0ef5e942b8e2e498729257374634ffbf8))
+* **vex:** don't  suppress vulns for packages with infinity loop ([#9465](https://github.com/aquasecurity/trivy/issues/9465)) ([78f0d4a](https://github.com/aquasecurity/trivy/commit/78f0d4ae0378f81940a5faa6497e6905cb5d034a))
+* **vuln:** compare `nuget` package names in lower case ([#9456](https://github.com/aquasecurity/trivy/issues/9456)) ([1ff9ac7](https://github.com/aquasecurity/trivy/commit/1ff9ac79488e0d4deab4226f1a969676a9851cdb))
 
-## [0.58.1](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.58.1) (2024-12-24)
+## [0.66.0](https://github.com/aquasecurity/trivy/compare/v0.65.0...v0.66.0) (2025-09-02)
+
+
+### Features
+
+* add timeout handling for cache database operations ([#9307](https://github.com/aquasecurity/trivy/issues/9307)) ([235c24e](https://github.com/aquasecurity/trivy/commit/235c24e71a546b6196f7264fced2d02d836e3f85))
+* **misconf:** added audit config attribute ([#9249](https://github.com/aquasecurity/trivy/issues/9249)) ([4d4a244](https://github.com/aquasecurity/trivy/commit/4d4a2444b692512aca137dcbd367ff224fe25597))
+* **secret:** implement streaming secret scanner with byte offset tracking ([#9264](https://github.com/aquasecurity/trivy/issues/9264)) ([5a5e097](https://github.com/aquasecurity/trivy/commit/5a5e0972c72e629ddf2915ef066d632d58b8d3b0))
+* **terraform:** use .terraform cache for remote modules in plan scanning ([#9277](https://github.com/aquasecurity/trivy/issues/9277)) ([298a994](https://github.com/aquasecurity/trivy/commit/298a9941f098d2701b9524a703b9f9b1b9451785))
 
 
 ### Bug Fixes
 
-* handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] ([#8121](https://github.com/aquasecurity/trivy/issues/8121)) ([9a56e7c](https://github.com/aquasecurity/trivy/commit/9a56e7cd6964ffd4187a8e44a36d49b54587db56))
-* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] ([#8119](https://github.com/aquasecurity/trivy/issues/8119)) ([4278a09](https://github.com/aquasecurity/trivy/commit/4278a09f59590ee16494e0a1ad31fb374f2e243f))
-* **oracle:** add architectures support for advisories [backport: release/v0.58] ([#8125](https://github.com/aquasecurity/trivy/issues/8125)) ([89b341f](https://github.com/aquasecurity/trivy/commit/89b341f0c6dc7f24239f9a9e4809524ec289a864))
-* **python:** skip dev group's deps for poetry [backport: release/v0.58] ([#8158](https://github.com/aquasecurity/trivy/issues/8158)) ([8b93081](https://github.com/aquasecurity/trivy/commit/8b930816bc527166ced5d57754ad7fccb1cef832))
-* **redhat:** correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] ([#8135](https://github.com/aquasecurity/trivy/issues/8135)) ([33818e1](https://github.com/aquasecurity/trivy/commit/33818e121f989fd12c15aa65affd2d01b867db61))
-* **sbom:** attach nested packages to Application [backport: release/v0.58] ([#8168](https://github.com/aquasecurity/trivy/issues/8168)) ([03160e4](https://github.com/aquasecurity/trivy/commit/03160e4fd1b0a6aef8c4f3d96529e68fed7e70ee))
-* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] ([#8124](https://github.com/aquasecurity/trivy/issues/8124)) ([f842fe1](https://github.com/aquasecurity/trivy/commit/f842fe1675b434e72a8194628525c42fd3e155af))
-* **sbom:** use root package for `unknown` dependencies (if exists) [backport: release/v0.58] ([#8156](https://github.com/aquasecurity/trivy/issues/8156)) ([18cd1a5](https://github.com/aquasecurity/trivy/commit/18cd1a59cbb32d87371fe8ab24497f06855e0c80))
+* **conda:** memory leak by adding closure method for `package.json` file ([#9349](https://github.com/aquasecurity/trivy/issues/9349)) ([03d039f](https://github.com/aquasecurity/trivy/commit/03d039f17d94cf668152e83d0cf9dabf3b27d3dd))
+* create temp file under composite fs dir ([#9387](https://github.com/aquasecurity/trivy/issues/9387)) ([ce22f54](https://github.com/aquasecurity/trivy/commit/ce22f54a39a1abac08fa3ad540697c668792bf50))
+* **cyclonedx:** handle multiple license types ([#9378](https://github.com/aquasecurity/trivy/issues/9378)) ([46ab76a](https://github.com/aquasecurity/trivy/commit/46ab76a5af828c98cf93fc988ed6a405b7b07392))
+* **fs:** avoid shadowing errors in file.glob ([#9286](https://github.com/aquasecurity/trivy/issues/9286)) ([b51c789](https://github.com/aquasecurity/trivy/commit/b51c789330141d634a9b14bd10994c997862940f))
+* **image:** use standardized HTTP client for ECR authentication ([#9322](https://github.com/aquasecurity/trivy/issues/9322)) ([84fbf86](https://github.com/aquasecurity/trivy/commit/84fbf8674dfc0f91d8795a50bafa6041cce83ba2))
+* **misconf:** ensure ignore rules respect subdirectory chart paths ([#9324](https://github.com/aquasecurity/trivy/issues/9324)) ([d3cd101](https://github.com/aquasecurity/trivy/commit/d3cd101266eb7bf9b8ffe5899765efa7bd1abe30))
+* **misconf:** ensure module source is known ([#9404](https://github.com/aquasecurity/trivy/issues/9404)) ([81d9425](https://github.com/aquasecurity/trivy/commit/81d94253c8bc816ad932f7e0c0b8907e1cd759bb))
+* **misconf:** preserve original paths of remote submodules from .terraform ([#9294](https://github.com/aquasecurity/trivy/issues/9294)) ([1319d8d](https://github.com/aquasecurity/trivy/commit/1319d8dc7f4796177876af18f0e13ba1f7086348))
+* **misconf:** use correct field log_bucket instead of target_bucket in gcp bucket ([#9296](https://github.com/aquasecurity/trivy/issues/9296)) ([04ad0c4](https://github.com/aquasecurity/trivy/commit/04ad0c4fc2926a92e9e9ec11bb8eae826ed95827))
+* persistent flag option typo ([#9374](https://github.com/aquasecurity/trivy/issues/9374)) ([6e99dd3](https://github.com/aquasecurity/trivy/commit/6e99dd304c7fad8213489039e7ca42909383b5ff))
+* **plugin:** don't remove plugins when updating index.yaml file ([#9358](https://github.com/aquasecurity/trivy/issues/9358)) ([5f067ac](https://github.com/aquasecurity/trivy/commit/5f067ac15e5c609283bef26a211746a279b6b5d0))
+* **python:** impove package name normalization  ([#9290](https://github.com/aquasecurity/trivy/issues/9290)) ([1473e88](https://github.com/aquasecurity/trivy/commit/1473e88b74ca269691de7827e045703612b90050))
+* **repo:** preserve RepoMetadata on FS cache hit ([#9389](https://github.com/aquasecurity/trivy/issues/9389)) ([4f2a44e](https://github.com/aquasecurity/trivy/commit/4f2a44ea45bed1e842bb2072077da67ec7e744ac))
+* **repo:** sanitize git repo URL before inserting into report metadata ([#9391](https://github.com/aquasecurity/trivy/issues/9391)) ([1ac9b1f](https://github.com/aquasecurity/trivy/commit/1ac9b1f07cea429cc122bf9721e8909c649549cf))
+* **sbom:** add support for `file` component type of `CycloneDX` ([#9372](https://github.com/aquasecurity/trivy/issues/9372)) ([aa7cf43](https://github.com/aquasecurity/trivy/commit/aa7cf4387c5e82c1f629ac14cd6a35b48fc95983))
+* suppress debug log for context cancellation errors ([#9298](https://github.com/aquasecurity/trivy/issues/9298)) ([2458d5e](https://github.com/aquasecurity/trivy/commit/2458d5e28a54da9adec0b36f6b1e6bd4f15a72ce))
+
+## [0.65.0](https://github.com/aquasecurity/trivy/compare/v0.64.0...v0.65.0) (2025-07-30)
+
+
+### Features
+
+* add graceful shutdown with signal handling ([#9242](https://github.com/aquasecurity/trivy/issues/9242)) ([2c05882](https://github.com/aquasecurity/trivy/commit/2c05882f45071928c14d8212ef6c4f0f7048245d))
+* add HTTP request/response tracing support ([#9125](https://github.com/aquasecurity/trivy/issues/9125)) ([aa5b32a](https://github.com/aquasecurity/trivy/commit/aa5b32a19f4d61d0df72c11fd314c5a0b7284202))
+* **alma:** add AlmaLinux 10 support ([#9207](https://github.com/aquasecurity/trivy/issues/9207)) ([861d51e](https://github.com/aquasecurity/trivy/commit/861d51e99a45ee448f86fe195dedcaefb811c919))
+* **flag:** add schema validation for `--server` flag ([#9270](https://github.com/aquasecurity/trivy/issues/9270)) ([ed4640e](https://github.com/aquasecurity/trivy/commit/ed4640ec27f2575a50d7e6d516c9e2e45a59bb7f))
+* **image:** add Docker context resolution ([#9166](https://github.com/aquasecurity/trivy/issues/9166)) ([99cd4e7](https://github.com/aquasecurity/trivy/commit/99cd4e776c0c6cc689126e53fa86ee6333ba6277))
+* **license:** observe pkg types option in license scanner ([#9091](https://github.com/aquasecurity/trivy/issues/9091)) ([d44af8c](https://github.com/aquasecurity/trivy/commit/d44af8cfa21a145d14ca6e5e1ed4742d892f2dc5))
+* **misconf:** add private ip google access attribute to subnetwork ([#9199](https://github.com/aquasecurity/trivy/issues/9199)) ([263845c](https://github.com/aquasecurity/trivy/commit/263845cfc1419401f24adc8bc6316f3ea0caacad))
+* **misconf:** added logging and versioning to the gcp storage bucket ([#9226](https://github.com/aquasecurity/trivy/issues/9226)) ([110f80e](https://github.com/aquasecurity/trivy/commit/110f80ea29951863997dd5a1c48fe14eb81e230b))
+* **repo:** add git repository metadata to reports ([#9252](https://github.com/aquasecurity/trivy/issues/9252)) ([f4b2cf1](https://github.com/aquasecurity/trivy/commit/f4b2cf10e917d58c0840f789e083bd3f268a8af1))
+* **report:** add CVSS vectors in sarif report ([#9157](https://github.com/aquasecurity/trivy/issues/9157)) ([60723e6](https://github.com/aquasecurity/trivy/commit/60723e6cfce82ede2863cf545a189c581246f4e9))
+* **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](https://github.com/aquasecurity/trivy/issues/9126)) ([12d6706](https://github.com/aquasecurity/trivy/commit/12d6706961423acb12430c8b3d986b4aa4671d04))
+
+
+### Bug Fixes
+
+* **alma:** parse epochs from rpmqa file ([#9101](https://github.com/aquasecurity/trivy/issues/9101)) ([82db2fc](https://github.com/aquasecurity/trivy/commit/82db2fcc8034c911cc7a67f5a82d2f081d9c1fdf))
+* also check `filepath` when removing duplicate packages ([#9142](https://github.com/aquasecurity/trivy/issues/9142)) ([4d10a81](https://github.com/aquasecurity/trivy/commit/4d10a815dde53f5e128366f1dd0837a1dc29c17b))
+* **aws:** update amazon linux 2 EOL date ([#9176](https://github.com/aquasecurity/trivy/issues/9176)) ([0ecfed6](https://github.com/aquasecurity/trivy/commit/0ecfed6ea75cfe33e0f436a9015ac72a679e754e))
+* **cli:** Add more non-sensitive flags to telemetry ([#9110](https://github.com/aquasecurity/trivy/issues/9110)) ([7041a39](https://github.com/aquasecurity/trivy/commit/7041a39bdcf21c5b3114137d9a931f529eac2566))
+* **cli:** ensure correct command is picked by telemetry ([#9260](https://github.com/aquasecurity/trivy/issues/9260)) ([b4ad00f](https://github.com/aquasecurity/trivy/commit/b4ad00f301a5fd7326060a567871c6f4a9711696))
+* **cli:** panic: attempt to get os.Args[1] when len(os.Args) < 2 ([#9206](https://github.com/aquasecurity/trivy/issues/9206)) ([adfa879](https://github.com/aquasecurity/trivy/commit/adfa879e4e8ab88f211222a13d2b89013ae9a853))
+* **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](https://github.com/aquasecurity/trivy/issues/9116)) ([a692f29](https://github.com/aquasecurity/trivy/commit/a692f296d15f7241ba5ff082e4e69926b1c728a8))
+* **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](https://github.com/aquasecurity/trivy/issues/9232)) ([b4193d0](https://github.com/aquasecurity/trivy/commit/b4193d0d31a167aafdcd9d9ccd89f3f124eef7ee))
+* migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](https://github.com/aquasecurity/trivy/issues/9131)) ([f224de3](https://github.com/aquasecurity/trivy/commit/f224de3e39b08672212ec0f94660c36bef77bc30))
+* **misconf:** correctly adapt azure storage account ([#9138](https://github.com/aquasecurity/trivy/issues/9138)) ([51aa022](https://github.com/aquasecurity/trivy/commit/51aa0222604829706193eb2ff3a6886742bb42b4))
+* **misconf:** correctly parse empty port ranges in google_compute_firewall ([#9237](https://github.com/aquasecurity/trivy/issues/9237)) ([77bab7b](https://github.com/aquasecurity/trivy/commit/77bab7b6d25c712e2db7dc53956985c2721728e9))
+* **misconf:** fix log bucket in schema ([#9235](https://github.com/aquasecurity/trivy/issues/9235)) ([7ebc129](https://github.com/aquasecurity/trivy/commit/7ebc129ab726f3133d940708837b7edda2621105))
+* **misconf:** skip rewriting expr if attr is nil ([#9113](https://github.com/aquasecurity/trivy/issues/9113)) ([42ccd3d](https://github.com/aquasecurity/trivy/commit/42ccd3df9a7c838a99facb8248e1a68eaf47a999))
+* **nodejs:** don't use prerelease logic for compare npm constraints  ([#9208](https://github.com/aquasecurity/trivy/issues/9208)) ([fe96436](https://github.com/aquasecurity/trivy/commit/fe96436b99bae3bbfc7498d2ad222d4acccdfcf1))
+* prevent graceful shutdown message on normal exit ([#9244](https://github.com/aquasecurity/trivy/issues/9244)) ([6095984](https://github.com/aquasecurity/trivy/commit/6095984d5340633740204a7a40f002a5643802b9))
+* **rootio:** check full version to detect `root.io` packages ([#9117](https://github.com/aquasecurity/trivy/issues/9117)) ([c2ddd44](https://github.com/aquasecurity/trivy/commit/c2ddd44d98594a2066cb5b5acbb9ad2aaad8fd96))
+* **rootio:** fix severity selection ([#9181](https://github.com/aquasecurity/trivy/issues/9181)) ([6fafbeb](https://github.com/aquasecurity/trivy/commit/6fafbeb60609a020b47266743250ea847234cbbd))
+* **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](https://github.com/aquasecurity/trivy/issues/9194)) ([aa944cc](https://github.com/aquasecurity/trivy/commit/aa944cc6da43e2035f74e9d842f487c0d2f993f4))
+* **sbom:** use correct field for licenses in CycloneDX reports ([#9057](https://github.com/aquasecurity/trivy/issues/9057)) ([143da88](https://github.com/aquasecurity/trivy/commit/143da88dd82dfbe204f4c2afe46af3b01701675d))
+* **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](https://github.com/aquasecurity/trivy/issues/9253)) ([54832a7](https://github.com/aquasecurity/trivy/commit/54832a77b50e2da3a3ceacbb6ce1b13e45605cde))
+* **secret:** fix line numbers for multiple-line secrets ([#9104](https://github.com/aquasecurity/trivy/issues/9104)) ([e579746](https://github.com/aquasecurity/trivy/commit/e57974649e4a3a275b9cf02db191b3f6bf10340f))
+* **server:** add HTTP transport setup to server mode ([#9217](https://github.com/aquasecurity/trivy/issues/9217)) ([1163b04](https://github.com/aquasecurity/trivy/commit/1163b044c7e91a81bba3a862cc4a38e90182f0b4))
+* supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](https://github.com/aquasecurity/trivy/issues/9151)) ([e306e2d](https://github.com/aquasecurity/trivy/commit/e306e2dc5275c0e75f056c8c7ee9ff9261c78e7f))
+* **terraform:** `for_each` on a map returns a resource for every key ([#9156](https://github.com/aquasecurity/trivy/issues/9156)) ([153318f](https://github.com/aquasecurity/trivy/commit/153318f65f7e5059bcc064bd2cd651cc720791a9))
+
+## [0.64.0](https://github.com/aquasecurity/trivy/compare/v0.63.0...v0.64.0) (2025-06-30)
+
+
+### Features
+
+* **cli:** add version constraints to annoucements ([#9023](https://github.com/aquasecurity/trivy/issues/9023)) ([19efa9f](https://github.com/aquasecurity/trivy/commit/19efa9fd372242d2ec582a248e9e6573d2caef00))
+* **java:** dereference all maven settings.xml env placeholders ([#9024](https://github.com/aquasecurity/trivy/issues/9024)) ([5aade69](https://github.com/aquasecurity/trivy/commit/5aade698c71450badf8db028be61e12ec85c6248))
+* **misconf:** add OpenTofu file extension support ([#8747](https://github.com/aquasecurity/trivy/issues/8747)) ([57801d0](https://github.com/aquasecurity/trivy/commit/57801d0324384d990889ba39d856c881e5b8b070))
+* **misconf:** normalize CreatedBy for buildah and legacy docker builder ([#8953](https://github.com/aquasecurity/trivy/issues/8953)) ([65e155f](https://github.com/aquasecurity/trivy/commit/65e155fdaf0ad02ec82f00a004427f126faf65ed))
+* **redhat:** Add EOL date for RHEL 10. ([#8910](https://github.com/aquasecurity/trivy/issues/8910)) ([48258a7](https://github.com/aquasecurity/trivy/commit/48258a701a7adb210c433310de52f48568ccee19))
+* reject unsupported artifact types in remote image retrieval ([#9052](https://github.com/aquasecurity/trivy/issues/9052)) ([1e1e1b5](https://github.com/aquasecurity/trivy/commit/1e1e1b5fa6a884da978fe1ed4c222d613d6eafbd))
+* **sbom:** add manufacturer field to CycloneDX tools metadata ([#9019](https://github.com/aquasecurity/trivy/issues/9019)) ([41d0f94](https://github.com/aquasecurity/trivy/commit/41d0f949c874609641c08fa2620fa10bf4ceef78))
+* **terraform:** add partial evaluation for policy templates ([#8967](https://github.com/aquasecurity/trivy/issues/8967)) ([a9f7dcd](https://github.com/aquasecurity/trivy/commit/a9f7dcdb9c5973746c3737f2bbc3306a74be5408))
+* **ubuntu:** add end of life date for Ubuntu 25.04 ([#9077](https://github.com/aquasecurity/trivy/issues/9077)) ([367564a](https://github.com/aquasecurity/trivy/commit/367564a3bec0c202566c59598dcff087bf50a23d))
+* **ubuntu:** add eol date for 20.04-ESM ([#8981](https://github.com/aquasecurity/trivy/issues/8981)) ([87118a0](https://github.com/aquasecurity/trivy/commit/87118a0ec4a6ae492523b7bac9834c2b93a14557))
+* **vuln:** add Root.io support for container image scanning ([#9073](https://github.com/aquasecurity/trivy/issues/9073)) ([3a0ec0f](https://github.com/aquasecurity/trivy/commit/3a0ec0f2acff6a13ed6ab348b6b220d49e14a298))
+
+
+### Bug Fixes
+
+* Add missing version check flags ([#8951](https://github.com/aquasecurity/trivy/issues/8951)) ([ef5f8de](https://github.com/aquasecurity/trivy/commit/ef5f8de8dadf5534a2c965aecca01c7067e5baca))
+* **cli:** add some values to the telemetry call ([#9056](https://github.com/aquasecurity/trivy/issues/9056)) ([fd2bc91](https://github.com/aquasecurity/trivy/commit/fd2bc91e133f846bc9f0910c19ac3be3fbfe4009))
+* Correctly check for semver versions for trivy version check ([#8948](https://github.com/aquasecurity/trivy/issues/8948)) ([b813527](https://github.com/aquasecurity/trivy/commit/b813527449c4604f5afad71ae82b13399bb48680))
+* don't show corrupted trivy-db warning for first run ([#8991](https://github.com/aquasecurity/trivy/issues/8991)) ([4ed78e3](https://github.com/aquasecurity/trivy/commit/4ed78e39afe57e81c12482fef9102dc3f85d1493))
+* **misconf:** .Config.User always takes precedence over USER in .History ([#9050](https://github.com/aquasecurity/trivy/issues/9050)) ([371b8cc](https://github.com/aquasecurity/trivy/commit/371b8cc02f2ffa3f42534a437ce8727519e7b9b9))
+* **misconf:** correct Azure value-to-time conversion in AsTimeValue ([#9015](https://github.com/aquasecurity/trivy/issues/9015)) ([40d017b](https://github.com/aquasecurity/trivy/commit/40d017b67da38131734eab90c42ad945ac3b5013))
+* **misconf:** move disabled checks filtering after analyzer scan ([#9002](https://github.com/aquasecurity/trivy/issues/9002)) ([a58c36d](https://github.com/aquasecurity/trivy/commit/a58c36de124cba7250e1a5ae0cc32d83018391fe))
+* **misconf:** reduce log noise on incompatible check ([#9029](https://github.com/aquasecurity/trivy/issues/9029)) ([99c5151](https://github.com/aquasecurity/trivy/commit/99c5151d6ea1dabe85cce75ff9bb91166532b11f))
+* **nodejs:** correctly parse `packages` array of `bun.lock` file ([#8998](https://github.com/aquasecurity/trivy/issues/8998)) ([875ec3a](https://github.com/aquasecurity/trivy/commit/875ec3a9d2568e15a6824c8f84ad6a59f03eb212))
+* **report:** don't panic when report contains vulns, but doesn't contain packages for `table` format ([#8549](https://github.com/aquasecurity/trivy/issues/8549)) ([87fda76](https://github.com/aquasecurity/trivy/commit/87fda76f38a3a6939a87828c3df0c5ac2cf7fce3))
+* **sbom:** remove unnecessary OS detection check in SBOM decoding ([#9034](https://github.com/aquasecurity/trivy/issues/9034)) ([198789a](https://github.com/aquasecurity/trivy/commit/198789a07b857b053c73f8fcd1f508902fac344d))
+
+## [0.63.0](https://github.com/aquasecurity/trivy/compare/v0.62.0...v0.63.0) (2025-05-29)
+
+
+### Features
+
+* add Bottlerocket OS package analyzer ([#8653](https://github.com/aquasecurity/trivy/issues/8653)) ([07ef63b](https://github.com/aquasecurity/trivy/commit/07ef63b4830f9f3d791a07433287a99118d7590a))
+* add JSONC support for comments and trailing commas ([#8862](https://github.com/aquasecurity/trivy/issues/8862)) ([0b0e406](https://github.com/aquasecurity/trivy/commit/0b0e4061ef955efc0f94280d2d390f11ff6e2409))
+* **alpine:** add maintainer field extraction for APK packages ([#8930](https://github.com/aquasecurity/trivy/issues/8930)) ([104bbc1](https://github.com/aquasecurity/trivy/commit/104bbc18ea85caec17125296dc4fe2dea9c49826))
+* **cli:** Add available version checking ([#8553](https://github.com/aquasecurity/trivy/issues/8553)) ([5a0bf9e](https://github.com/aquasecurity/trivy/commit/5a0bf9ed31ad34248895e69231da602935e66785))
+* **echo:** Add Echo Support ([#8833](https://github.com/aquasecurity/trivy/issues/8833)) ([c7b8cc3](https://github.com/aquasecurity/trivy/commit/c7b8cc392eb28eb63e10561cf1ff7991e5e3c548))
+* **go:** support license scanning in both GOPATH and vendor ([#8843](https://github.com/aquasecurity/trivy/issues/8843)) ([26437be](https://github.com/aquasecurity/trivy/commit/26437be083960d17bee8b1b37b8a6780eff07981))
+* **k8s:** get components from namespaced resources ([#8918](https://github.com/aquasecurity/trivy/issues/8918)) ([4f1ab23](https://github.com/aquasecurity/trivy/commit/4f1ab238693919772a65450de9fb9fb2f873c0d6))
+* **license:** improve work text licenses with custom classification ([#8888](https://github.com/aquasecurity/trivy/issues/8888)) ([ee52230](https://github.com/aquasecurity/trivy/commit/ee522300b73a2afc72829fc2fa7ff419712fc89a))
+* **license:** improve work with custom classification of licenses from config file ([#8861](https://github.com/aquasecurity/trivy/issues/8861)) ([c321fdf](https://github.com/aquasecurity/trivy/commit/c321fdfcdd58f34d076fc730e2b63fdd13e426a9))
+* **license:** scan vendor directory for license for go.mod files ([#8689](https://github.com/aquasecurity/trivy/issues/8689)) ([dd6a6e5](https://github.com/aquasecurity/trivy/commit/dd6a6e50a44b7b543fd9dba634da599a76650acb))
+* **license:** Support compound licenses (licenses using SPDX operators) ([#8816](https://github.com/aquasecurity/trivy/issues/8816)) ([39f9ed1](https://github.com/aquasecurity/trivy/commit/39f9ed128b2c0fb599ad9092a3cf5675106bffdc))
+* **minimos:** Add support for MinimOS ([#8792](https://github.com/aquasecurity/trivy/issues/8792)) ([c2dde33](https://github.com/aquasecurity/trivy/commit/c2dde33c3f19d499258a7089d7658a9f90722acf))
+* **misconf:** add misconfiguration location to junit template ([#8793](https://github.com/aquasecurity/trivy/issues/8793)) ([a516775](https://github.com/aquasecurity/trivy/commit/a516775da6fda92a55a62418a081561127a1d5ca))
+* **misconf:** Add support for `Minimum Trivy Version` ([#8880](https://github.com/aquasecurity/trivy/issues/8880)) ([3b2a397](https://github.com/aquasecurity/trivy/commit/3b2a3976ac7e7785828655903b132e84ebd9d727))
+* **misconf:** export raw Terraform data to Rego ([#8741](https://github.com/aquasecurity/trivy/issues/8741)) ([aaecc29](https://github.com/aquasecurity/trivy/commit/aaecc29e909db4d5dac03caa0daf223035bfb877))
+* **nodejs:** add a bun.lock analyzer ([#8897](https://github.com/aquasecurity/trivy/issues/8897)) ([7ca656d](https://github.com/aquasecurity/trivy/commit/7ca656d54b99346253fc6ac6422eecaca169514e))
+* **nodejs:** add bun.lock parser ([#8851](https://github.com/aquasecurity/trivy/issues/8851)) ([1dcf816](https://github.com/aquasecurity/trivy/commit/1dcf81666f1c814600702b9ab603b4070da0b940))
+* terraform parser option to set current working directory ([#8909](https://github.com/aquasecurity/trivy/issues/8909)) ([8939451](https://github.com/aquasecurity/trivy/commit/893945117464bf6e090a55e3822f8299825f26d4))
+
+
+### Bug Fixes
+
+* check post-analyzers for StaticPaths ([#8904](https://github.com/aquasecurity/trivy/issues/8904)) ([93e6680](https://github.com/aquasecurity/trivy/commit/93e6680b1c6bbb590157f521c667c0f611775143))
+* **cli:** disable `--skip-dir` and `--skip-files` flags for `sbom` command ([#8886](https://github.com/aquasecurity/trivy/issues/8886)) ([69a5fa1](https://github.com/aquasecurity/trivy/commit/69a5fa18ca86ff7e5206abacf98732d46c000c7a))
+* **cli:** don't use allow values for `--compliance` flag ([#8881](https://github.com/aquasecurity/trivy/issues/8881)) ([35e8889](https://github.com/aquasecurity/trivy/commit/35e88890c3c201b3eb11f95376172e57bf44df4b))
+* filter all files when processing files installed from package managers ([#8842](https://github.com/aquasecurity/trivy/issues/8842)) ([6ebde88](https://github.com/aquasecurity/trivy/commit/6ebde88dbcaf22f25932bad4844b3c9eaca90560))
+* **java:** exclude dev dependencies in gradle lockfile ([#8803](https://github.com/aquasecurity/trivy/issues/8803)) ([8995838](https://github.com/aquasecurity/trivy/commit/8995838e8d184ee9178d5b52d2d3fa9b4e403015))
+* julia parser panicing ([#8883](https://github.com/aquasecurity/trivy/issues/8883)) ([be8c7b7](https://github.com/aquasecurity/trivy/commit/be8c7b796dbe36d8dc3889e0bdea23336de9a1ab))
+* **julia:** add `Relationship` field support ([#8939](https://github.com/aquasecurity/trivy/issues/8939)) ([22f040f](https://github.com/aquasecurity/trivy/commit/22f040f94790060132c7b0a635f44c35d5a35fb6))
+* **k8s:** use in-memory cache backend during misconfig scanning ([#8873](https://github.com/aquasecurity/trivy/issues/8873)) ([fe12771](https://github.com/aquasecurity/trivy/commit/fe127715e505d753e0d878d52c5f280cdc326b76))
+* **misconf:** check if for-each is known when expanding dyn block ([#8808](https://github.com/aquasecurity/trivy/issues/8808)) ([5706603](https://github.com/aquasecurity/trivy/commit/570660314698472ab831a7e0d55044e0b1e9c6c0))
+* **misconf:** use argument value in WithIncludeDeprecatedChecks ([#8942](https://github.com/aquasecurity/trivy/issues/8942)) ([7e9a54c](https://github.com/aquasecurity/trivy/commit/7e9a54cd6bf4bc15e485c6233d140b389e432fe5))
+* more revive rules ([#8814](https://github.com/aquasecurity/trivy/issues/8814)) ([3ab459e](https://github.com/aquasecurity/trivy/commit/3ab459e3b674f319bf349d478917a531a69754c0))
+* octalLiteral from go-critic ([#8811](https://github.com/aquasecurity/trivy/issues/8811)) ([a19e0aa](https://github.com/aquasecurity/trivy/commit/a19e0aa1ba0350198c898fd57c9405fbf38fa432))
+* **redhat:** Also try to find buildinfo in root layer (layer 0) ([#8924](https://github.com/aquasecurity/trivy/issues/8924)) ([906b037](https://github.com/aquasecurity/trivy/commit/906b037cff97060267d20f8947f429e078419d66))
+* **redhat:** save contentSets for OS packages in fs/vm modes ([#8820](https://github.com/aquasecurity/trivy/issues/8820)) ([9256804](https://github.com/aquasecurity/trivy/commit/9256804df8577d8a746fb8b97c508c247ab82f8f))
+* **redhat:** trim invalid suffix from content_sets in manifest parsing ([#8818](https://github.com/aquasecurity/trivy/issues/8818)) ([fa1077b](https://github.com/aquasecurity/trivy/commit/fa1077bbf5863a519f6f180a600afe5e2d6180d8))
+* **server:** add missed Relationship field for `rpc` ([#8872](https://github.com/aquasecurity/trivy/issues/8872)) ([38f17c9](https://github.com/aquasecurity/trivy/commit/38f17c945e3ef7784607037c0457fb1e06a99959))
+* use-any from revive ([#8810](https://github.com/aquasecurity/trivy/issues/8810)) ([883c63b](https://github.com/aquasecurity/trivy/commit/883c63bf29568f0feab37e5d36ae1c417eef88f5))
+* **vex:** use `lo.IsNil` to check `VEX` from OCI artifact ([#8858](https://github.com/aquasecurity/trivy/issues/8858)) ([e97af98](https://github.com/aquasecurity/trivy/commit/e97af9806ab13e1ec8b792e0586b486c4982c170))
+* **wolfi:** support new APK database location ([#8937](https://github.com/aquasecurity/trivy/issues/8937)) ([b15d9a6](https://github.com/aquasecurity/trivy/commit/b15d9a60e6a3ed40811d5ca6387082266ae92ea7))
+
+
+### Performance Improvements
+
+* **secret:** only match secrets of meaningful length, allow example strings to not be matched ([#8602](https://github.com/aquasecurity/trivy/issues/8602)) ([60fef1b](https://github.com/aquasecurity/trivy/commit/60fef1b615a765248c5870b814ba0c4345220c0e))
+
+## [0.62.0](https://github.com/aquasecurity/trivy/compare/v0.61.0...v0.62.0) (2025-04-30)
+
+
+### Features
+
+* **image:** save layers metadata into report ([#8394](https://github.com/aquasecurity/trivy/issues/8394)) ([a95cab0](https://github.com/aquasecurity/trivy/commit/a95cab0eab0fcaab57eb554e74e17da71bc4809f))
+* **misconf:** add option to pass Rego scanner to IaC scanner ([#8369](https://github.com/aquasecurity/trivy/issues/8369)) ([890a360](https://github.com/aquasecurity/trivy/commit/890a3602444ad2e5320044c9b8cc79ca883d17ec))
+* **misconf:** convert AWS managed policy to document ([#8757](https://github.com/aquasecurity/trivy/issues/8757)) ([7abf5f0](https://github.com/aquasecurity/trivy/commit/7abf5f0199ec65c40056d4f9addc3d27e373725a))
+* **misconf:** support auto_provisioning_defaults in google_container_cluster ([#8705](https://github.com/aquasecurity/trivy/issues/8705)) ([9792611](https://github.com/aquasecurity/trivy/commit/9792611b36271efbf79f635deebae7e51f497b70))
+* **nodejs:** add root and workspace for `yarn` packages ([#8535](https://github.com/aquasecurity/trivy/issues/8535)) ([bf4cd4f](https://github.com/aquasecurity/trivy/commit/bf4cd4f2d2dda0bb3a7018606db9a6c1e56e4f38))
+* **rust:** add root and workspace relationships/package for `cargo` lock files ([#8676](https://github.com/aquasecurity/trivy/issues/8676)) ([93efe07](https://github.com/aquasecurity/trivy/commit/93efe0789ed9d9a71e04e93d87be63032ad9cae7))
+
+
+### Bug Fixes
+
+* early-return, indent-error-flow and superfluous-else rules from revive  ([#8796](https://github.com/aquasecurity/trivy/issues/8796)) ([43350dd](https://github.com/aquasecurity/trivy/commit/43350dd9b487b39d7d19bd0875274c90262dbed9))
+* **k8s:** correct compare artifact versions ([#8682](https://github.com/aquasecurity/trivy/issues/8682)) ([cc47711](https://github.com/aquasecurity/trivy/commit/cc4771158b72b88258057fa379deba9f39190994))
+* **k8s:** remove using `last-applied-configuration` ([#8791](https://github.com/aquasecurity/trivy/issues/8791)) ([7a58ccb](https://github.com/aquasecurity/trivy/commit/7a58ccbc7fffdfb1e5ccff9fd4cb6ca08c03a9ea))
+* **k8s:** skip passed misconfigs for the summary report ([#8684](https://github.com/aquasecurity/trivy/issues/8684)) ([bff0e9b](https://github.com/aquasecurity/trivy/commit/bff0e9b034f39d0d1ca02457558b1f89847009ac))
+* **misconf:** add missing variable as unknown ([#8683](https://github.com/aquasecurity/trivy/issues/8683)) ([9dcd06f](https://github.com/aquasecurity/trivy/commit/9dcd06fda717347eab1ac8ef0710687a3bfd8588))
+* **misconf:** check if metadata is not nil ([#8647](https://github.com/aquasecurity/trivy/issues/8647)) ([b7dfd64](https://github.com/aquasecurity/trivy/commit/b7dfd64987b94b4bdd8b7c5a68ba2b8f1a0a9198))
+* **misconf:** filter null nodes when parsing json manifest ([#8785](https://github.com/aquasecurity/trivy/issues/8785)) ([e10929a](https://github.com/aquasecurity/trivy/commit/e10929a669f43861bae80652bdfc9f39fad7225f))
+* **misconf:** perform operations on attribute safely ([#8774](https://github.com/aquasecurity/trivy/issues/8774)) ([3ce7d59](https://github.com/aquasecurity/trivy/commit/3ce7d59bb16553ab487762a5a660a046bcd63334))
+* **misconf:** populate context correctly for module instances ([#8656](https://github.com/aquasecurity/trivy/issues/8656)) ([efd177b](https://github.com/aquasecurity/trivy/commit/efd177b300950d82e381992e1dea39308cc39bc3))
+* **report:** clean buffer after flushing ([#8725](https://github.com/aquasecurity/trivy/issues/8725)) ([9a5383e](https://github.com/aquasecurity/trivy/commit/9a5383e993222d919d63f8d9934729cf4e291c06))
+* **secret:** ignore .dist-info directories during secret scanning ([#8646](https://github.com/aquasecurity/trivy/issues/8646)) ([a032ad6](https://github.com/aquasecurity/trivy/commit/a032ad696aa58850b9576d889128559149282ad3))
+* **server:** fix redis key when trying to delete blob ([#8649](https://github.com/aquasecurity/trivy/issues/8649)) ([36f8d0f](https://github.com/aquasecurity/trivy/commit/36f8d0fd6705bb0da5b43507128c772b153dafec))
+* **terraform:** `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks ([#8555](https://github.com/aquasecurity/trivy/issues/8555)) ([e25de25](https://github.com/aquasecurity/trivy/commit/e25de25262fd1cd559879dee07bb2db2747eedd4))
+* **terraform:** hcl object expressions to return references ([#8271](https://github.com/aquasecurity/trivy/issues/8271)) ([0d3efa5](https://github.com/aquasecurity/trivy/commit/0d3efa5dc150dba437d975a2f8335de8786f94d6))
+* testifylint last issues ([#8768](https://github.com/aquasecurity/trivy/issues/8768)) ([ee4f7dc](https://github.com/aquasecurity/trivy/commit/ee4f7dc6b4be437666e91383406bba8443eec199))
+* unused-parameter rule from revive ([#8794](https://github.com/aquasecurity/trivy/issues/8794)) ([6562082](https://github.com/aquasecurity/trivy/commit/6562082e280a9df6199892927f2e3f7dc8f0c8ce))
+
+## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
+
+
+### Features
+
+* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
+* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
+* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
+* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
+* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
+* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
+* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
+* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
+
+
+### Bug Fixes
+
+* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
+* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
+* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
+* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
+* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
+* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
+* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
+* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
+* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
+* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
+* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
+* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
+* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
+
+
+### Performance Improvements
+
+* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
+* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
+
+## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
+
+
+### Features
+
+* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
+* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
+* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
+* **go:** fix parsing main module version for go >= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
+* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
+
+
+### Bug Fixes
+
+* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
+* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
+* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
+* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
+* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
+* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
+* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
+* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
+* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
+* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
+* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
+* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
+* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
+* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
+* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
+* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
+* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
+* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
+
+## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)
+
+
+### Features
+
+* add `--distro` flag to manually specify OS distribution for vulnerability scanning ([#8070](https://github.com/aquasecurity/trivy/issues/8070)) ([da17dc7](https://github.com/aquasecurity/trivy/commit/da17dc72782cd68b5d2c4314a67936343462b75e))
+* add a examples field to check metadata ([#8068](https://github.com/aquasecurity/trivy/issues/8068)) ([6d84e0c](https://github.com/aquasecurity/trivy/commit/6d84e0cc0d48ae5c490cad868bb4e5e76392241c))
+* add support for registry mirrors ([#8244](https://github.com/aquasecurity/trivy/issues/8244)) ([4316bcb](https://github.com/aquasecurity/trivy/commit/4316bcbc5b9038eed21214a826981c49696bb27f))
+* **fs:** use git commit hash as cache key for clean repositories ([#8278](https://github.com/aquasecurity/trivy/issues/8278)) ([b5062f3](https://github.com/aquasecurity/trivy/commit/b5062f3ae20044d1452bf293f210a24cd1d419b3))
+* **image:** prevent scanning oversized container images ([#8178](https://github.com/aquasecurity/trivy/issues/8178)) ([509e030](https://github.com/aquasecurity/trivy/commit/509e03030c36d17f9427ab50a4e99fb1846ba65a))
+* **image:** return error early if total size of layers exceeds limit ([#8294](https://github.com/aquasecurity/trivy/issues/8294)) ([73bd20d](https://github.com/aquasecurity/trivy/commit/73bd20d6199a777d1ed7eb560e0184d8f1b4b550))
+* **k8s:** improve artifact selections for specific namespaces ([#8248](https://github.com/aquasecurity/trivy/issues/8248)) ([db9e57a](https://github.com/aquasecurity/trivy/commit/db9e57a34e460ac6934ee21dffaa2322db9fd56b))
+* **misconf:** generate placeholders for random provider resources ([#8051](https://github.com/aquasecurity/trivy/issues/8051)) ([ffe24e1](https://github.com/aquasecurity/trivy/commit/ffe24e18dc3dca816ec9ce5ccf66d5d7b5ea70d6))
+* **misconf:** support for ignoring by inline comments for Dockerfile ([#8115](https://github.com/aquasecurity/trivy/issues/8115)) ([c002327](https://github.com/aquasecurity/trivy/commit/c00232720a89df659c6cd0b56d99304d5ffea1a7))
+* **misconf:** support for ignoring by inline comments for Helm ([#8138](https://github.com/aquasecurity/trivy/issues/8138)) ([a0429f7](https://github.com/aquasecurity/trivy/commit/a0429f773b4f696fc613d91f1600cd0da38fb2c8))
+* **nodejs:** respect peer dependencies for dependency tree ([#7989](https://github.com/aquasecurity/trivy/issues/7989)) ([7389961](https://github.com/aquasecurity/trivy/commit/73899610e8eece670d2e5ddc1478fcc0a2a5760d))
+* **python:** add support for poetry dev dependencies ([#8152](https://github.com/aquasecurity/trivy/issues/8152)) ([774e04d](https://github.com/aquasecurity/trivy/commit/774e04d19dc2067725ac2e18ca871872f74082ab))
+* **python:** add support for uv ([#8080](https://github.com/aquasecurity/trivy/issues/8080)) ([c4a4a5f](https://github.com/aquasecurity/trivy/commit/c4a4a5fa971d73ae924afcf2259631f15e96e520))
+* **python:** add support for uv dev and optional dependencies ([#8134](https://github.com/aquasecurity/trivy/issues/8134)) ([49c54b4](https://github.com/aquasecurity/trivy/commit/49c54b49c6563590dd82007d52e425a7a4e07ac0))
+
+
+### Bug Fixes
+
+* CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass ([#8088](https://github.com/aquasecurity/trivy/issues/8088)) ([d7ac286](https://github.com/aquasecurity/trivy/commit/d7ac286085077c969734225a789e6cc056d5c5f5))
+* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field ([#8207](https://github.com/aquasecurity/trivy/issues/8207)) ([670fbf2](https://github.com/aquasecurity/trivy/commit/670fbf2d81ea20ea691a86e4ed25a7454baf08e5))
+* de-duplicate same `dpkg` packages with different filePaths from different layers ([#8298](https://github.com/aquasecurity/trivy/issues/8298)) ([846498d](https://github.com/aquasecurity/trivy/commit/846498dd23a80531881f803147077eee19004a50))
+* enable err-error and errorf rules from perfsprint linter ([#7859](https://github.com/aquasecurity/trivy/issues/7859)) ([156a2aa](https://github.com/aquasecurity/trivy/commit/156a2aa4c49386828c0446f8978473c8da7a8754))
+* **flag:** skip hidden flags for `--generate-default-config` command ([#8046](https://github.com/aquasecurity/trivy/issues/8046)) ([5e68bdc](https://github.com/aquasecurity/trivy/commit/5e68bdc9d08f96d22451d7b5dd93e79ca576eeb7))
+* **fs:** fix cache key generation to use UUID ([#8275](https://github.com/aquasecurity/trivy/issues/8275)) ([eafd810](https://github.com/aquasecurity/trivy/commit/eafd810d7cb366215efbd0ab3b72c4651d31c6a6))
+* handle `BLOW_UNKNOWN` error to download DBs ([#8060](https://github.com/aquasecurity/trivy/issues/8060)) ([51f2123](https://github.com/aquasecurity/trivy/commit/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8))
+* improve conversion of image config to Dockerfile ([#8308](https://github.com/aquasecurity/trivy/issues/8308)) ([2e8e38a](https://github.com/aquasecurity/trivy/commit/2e8e38a8c094f3392893693ab15a605ab0d378f9))
+* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props ([#8050](https://github.com/aquasecurity/trivy/issues/8050)) ([9d9f80d](https://github.com/aquasecurity/trivy/commit/9d9f80d9791f38a0b4c727152166ae4d237a83a9))
+* **license:** always trim leading and trailing spaces for licenses ([#8095](https://github.com/aquasecurity/trivy/issues/8095)) ([f5e4291](https://github.com/aquasecurity/trivy/commit/f5e429179df1637de96962ab9c19e4336056bb5d))
+* **misconf:** allow null values only for tf variables ([#8112](https://github.com/aquasecurity/trivy/issues/8112)) ([23dc3a6](https://github.com/aquasecurity/trivy/commit/23dc3a67535b7458728b2939514a96bd3de3aa81))
+* **misconf:** correctly handle all YAML tags in K8S templates ([#8259](https://github.com/aquasecurity/trivy/issues/8259)) ([f12054e](https://github.com/aquasecurity/trivy/commit/f12054e669f9df93c6322ba2755036dbccacaa83))
+* **misconf:** disable git terminal prompt on tf module load ([#8026](https://github.com/aquasecurity/trivy/issues/8026)) ([bbc5a85](https://github.com/aquasecurity/trivy/commit/bbc5a85444ec86b7bb26d6db27803d199431a8e6))
+* **misconf:** handle heredocs in dockerfile instructions ([#8284](https://github.com/aquasecurity/trivy/issues/8284)) ([0a3887c](https://github.com/aquasecurity/trivy/commit/0a3887ca0350d7dabf5db7e08aaf8152201fdf0d))
+* **misconf:** use log instead of fmt for logging ([#8033](https://github.com/aquasecurity/trivy/issues/8033)) ([07b2d7f](https://github.com/aquasecurity/trivy/commit/07b2d7fbd7f8ef5473c2438c560fffc8bdadf913))
+* **oracle:** add architectures support for advisories ([#4809](https://github.com/aquasecurity/trivy/issues/4809)) ([90f1d8d](https://github.com/aquasecurity/trivy/commit/90f1d8d78aa20b47fafab2c8ecb07247f075ef45))
+* **python:** skip dev group's deps for poetry ([#8106](https://github.com/aquasecurity/trivy/issues/8106)) ([a034d26](https://github.com/aquasecurity/trivy/commit/a034d26443704601c1fe330a5cc1f019f6974524))
+* **redhat:** check `usr/share/buildinfo/` dir to detect content sets ([#8222](https://github.com/aquasecurity/trivy/issues/8222)) ([f352f6b](https://github.com/aquasecurity/trivy/commit/f352f6b66355fe3636c9e4e9f3edd089c551a81c))
+* **redhat:** correct rewriting of recommendations for the same vulnerability ([#8063](https://github.com/aquasecurity/trivy/issues/8063)) ([4202c4b](https://github.com/aquasecurity/trivy/commit/4202c4ba0d8fcff4b89499fe03050ef4efd37330))
+* respect GITHUB_TOKEN to download artifacts from GHCR ([#7580](https://github.com/aquasecurity/trivy/issues/7580)) ([21b68e1](https://github.com/aquasecurity/trivy/commit/21b68e18188f91935ac1055a78ee97a7f35a110d))
+* **sbom:** attach nested packages to Application ([#8144](https://github.com/aquasecurity/trivy/issues/8144)) ([735335f](https://github.com/aquasecurity/trivy/commit/735335f08f84936f3928cbbc3eb71af3a3a4918d))
+* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type ([#8052](https://github.com/aquasecurity/trivy/issues/8052)) ([fd07074](https://github.com/aquasecurity/trivy/commit/fd07074e8033530eee2732193b00e59f27c73096))
+* **sbom:** scan results of SBOMs generated from container images are missing layers ([#7635](https://github.com/aquasecurity/trivy/issues/7635)) ([f9fceb5](https://github.com/aquasecurity/trivy/commit/f9fceb58bf64657dee92302df1ed97e597e474c9))
+* **sbom:** use root package for `unknown` dependencies (if exists) ([#8104](https://github.com/aquasecurity/trivy/issues/8104)) ([7558df7](https://github.com/aquasecurity/trivy/commit/7558df7c227c769235e5441fbdd3f9f7efb1ff84))
+* **spdx:** use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX ([#8077](https://github.com/aquasecurity/trivy/issues/8077)) ([aec8885](https://github.com/aquasecurity/trivy/commit/aec8885bc7f7e3c5a2a68214dca9aff28accd122))
+* **suse:** SUSE - update OSType constants and references for compatility ([#8236](https://github.com/aquasecurity/trivy/issues/8236)) ([ae28398](https://github.com/aquasecurity/trivy/commit/ae283985c926ca828b25b69ad0338008be31e5fe))
+* Updated twitter icon ([#7772](https://github.com/aquasecurity/trivy/issues/7772)) ([2c41ac8](https://github.com/aquasecurity/trivy/commit/2c41ac83a95e9347605d36f483171a60ffce0fa2))
+* wasm module test ([#8099](https://github.com/aquasecurity/trivy/issues/8099)) ([2200f38](https://github.com/aquasecurity/trivy/commit/2200f3846d675c64ab9302af43224d663a67c944))
+
+
+### Performance Improvements
+
+* avoid heap allocation in applier findPackage ([#7883](https://github.com/aquasecurity/trivy/issues/7883)) ([9bd6ed7](https://github.com/aquasecurity/trivy/commit/9bd6ed73e5d49d52856c76124e84c268475c5456))
 
 ## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
 

CONTRIBUTING.md

@@ -1 +1 @@
-See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
+See [Issues](https://trivy.dev/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/latest/community/contribute/pr/)

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.20.3
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,10 +1,10 @@
-FROM alpine:3.20.0
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
-# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64 
+# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64
 ARG TARGETARCH
 COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.protoc

@@ -1,20 +0,0 @@
-FROM --platform=linux/amd64 golang:1.22
-
-# Set environment variable for protoc
-ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
-
-# Install unzip for protoc installation and clean up cache
-RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
-
-# Download and install protoc
-RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
-    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
-    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
-    && rm -f $PROTOC_ZIP
-
-# Install Go tools
-RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
-RUN go install github.com/magefile/mage@v1.15.0
-
-ENV TRIVY_PROTOC_CONTAINER=true

README.md

@@ -107,7 +107,7 @@ trivy k8s --report summary cluster
 ## Want more? Check out Aqua
 
 If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).  
+You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/latest/commercial/compare/).
 In addition check out the <https://aquasec.com> website for more information about our products and services.
 If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
 
@@ -116,7 +116,6 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
 Trivy is an [Aqua Security][aquasec] open source project.  
 Learn about our open source work and portfolio [here][oss].  
 Contact us about any matter by opening a GitHub Discussion [here][discussions]
-Join our [Slack community][slack] to stay up to date with community efforts.
 
 Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
 
@@ -131,14 +130,13 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
 [license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
 [license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
 [homepage]: https://trivy.dev
-[docs]: https://aquasecurity.github.io/trivy
+[docs]: https://trivy.dev/latest/docs/
 [pronunciation]: #how-to-pronounce-the-name-trivy
-[slack]: https://slack.aquasec.com
 [code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
 
-[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
-[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
-[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
+[Installation]:https://trivy.dev/latest/getting-started/installation/
+[Ecosystem]: https://trivy.dev/latest/ecosystem/
+[Scanning Coverage]: https://trivy.dev/latest/docs/coverage/
 
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [rego]: https://www.openpolicyagent.org/docs/latest/#rego

aqua.yaml

@@ -1,10 +0,0 @@
----
-# aqua - Declarative CLI Version Manager
-# https://aquaproj.github.io/
-registries:
-- type: standard
-  ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
-packages:
-- name: tinygo-org/tinygo@v0.31.1
-- name: WebAssembly/binaryen@version_112
-- name: magefile/mage@v1.14.0

buf.gen.yaml

@@ -0,0 +1,13 @@
+version: v2
+plugins:
+  - remote: buf.build/protocolbuffers/go:v1.34.0
+    out: .
+    opt:
+      - paths=source_relative
+  # Using local protoc-gen-twirp since the remote twirp plugin is not available on buf.build
+  - local: protoc-gen-twirp
+    out: .
+    opt:
+      - paths=source_relative
+inputs:
+  - directory: .

buf.yaml

@@ -0,0 +1,10 @@
+version: v2
+modules:
+  - path: .
+    name: buf.build/aquasecurity/trivy
+lint:
+  use:
+    - STANDARD
+breaking:
+  use:
+    - FILE

ci/deploy-rpm.sh

@@ -16,7 +16,7 @@ function create_common_rpm_repo () {
 
                 mkdir -p $rpm_path/$arch
                 cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
-                createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
+                createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
                 rm ${rpm_path}/$arch/*${prefix}.rpm
         done
 }
@@ -28,7 +28,7 @@ function create_rpm_repo () {
         mkdir -p $rpm_path
         cp ../dist/*64bit.rpm ${rpm_path}/
 
-        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+        createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
 
         rm ${rpm_path}/*64bit.rpm
 }

cmd/trivy/main.go

@@ -21,6 +21,12 @@ func main() {
 		if errors.As(err, &exitError) {
 			os.Exit(exitError.Code)
 		}
+
+		var userErr *types.UserError
+		if errors.As(err, &userErr) {
+			log.Fatal("Error", log.Err(userErr))
+		}
+
 		log.Fatal("Fatal error", log.Err(err))
 	}
 }
@@ -35,9 +41,11 @@ func run() error {
 		return nil
 	}
 
-	app := commands.NewApp()
-	if err := app.Execute(); err != nil {
-		return err
-	}
-	return nil
+	// Ensure cleanup on exit
+	defer commands.Cleanup()
+
+	// Set up signal handling for graceful shutdown
+	ctx := commands.NotifyContext(context.Background())
+
+	return commands.Run(ctx)
 }

contrib/junit.tpl

@@ -15,6 +15,7 @@
     {{- end }}
     </testsuite>
 
+{{- $target := .Target }}
 {{- if .MisconfSummary }}
     <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{  .Target }}" errors="0" time="">
 {{- else }}
@@ -28,7 +29,23 @@
         {{ range .Misconfigurations }}
         <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
         {{- if (eq .Status "FAIL") }}
-            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+            <failure message="{{ escapeXML .Title }}" type="description">&#xA;
+                {{- $target }}:
+                {{- with .CauseMetadata }}
+                    {{- .StartLine }}
+                    {{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}:&#xA;&#xA;Occurrences:&#xA;
+                    {{- range $i := .Occurrences -}}
+                    via {{ .Filename }}:
+                    {{- .Location.StartLine }}
+                    {{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }})&#xA;
+                    {{- end -}}
+                    &#xA;Code:&#xA;
+                    {{- range .Code.Lines }}
+                    {{- if .IsCause }}{{ escapeXML .Content }}&#xA;{{- end }}
+                    {{- end }}&#xA;
+                {{- end }}
+                {{- escapeXML .Description }}
+            </failure>
         {{- end }}
         </testcase>
     {{- end }}
@@ -44,5 +61,15 @@
     </testsuite>
 {{- end }}
 
+{{- if .Secrets }}
+    {{- $secrets := len .Secrets }}
+    <testsuite tests="{{ $secrets }}" failures="{{ $secrets }}" name="{{ .Target }}" time="0">{{ range .Secrets }}
+        <testcase classname="{{ .RuleID }}" name="[{{ .Severity }}] {{ .Title }}">
+            <failure message="{{ .Title }}" type="description">{{ escapeXML .Match }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
 {{- end }}
 </testsuites>

docs/assets/css/_glass_v2.scss

@@ -0,0 +1,210 @@
+/* glass_v2 */
+
+.glass_v2 {
+	position: relative;
+	min-width: 100px;
+	min-height: 100px;
+	border-radius: 20px;
+	border: 1px solid rgba(#ffffff, 0.15);
+	padding: 2em;
+	background: 
+		linear-gradient(235deg, rgba($aq-royal-blue, 0.18), rgba($aq-royal-blue, 0) 33%), 
+		linear-gradient(45deg, rgba($aq-neon-blue, 0.18), rgba($aq-neon-blue, 0) 33%), 
+		linear-gradient(rgba($aq-trivy-dark, 0.45));
+	backdrop-filter: blur(12px);
+	box-shadow: 
+		rgba($aq-neon-blue, 0.08) 0px 8px 12px -6px, 
+		rgba($aq-neon-blue, 0.12) 0px 16px 24px -10px,
+		inset 0 1px 0 rgba($aq-royal-blue, 0.4),
+		inset 1px 0 0 rgba($aq-royal-blue, 0.3),
+		inset 0 0 0 0.5px rgba(#ffffff, 0.1);
+
+	//top-right shine effect
+	&::before {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		right: -1px;
+		top: -1px;
+		width: 50%;
+		height: 50%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from -45deg at center in oklch,
+			transparent 8%, 
+			rgba($aq-royal-blue, 0.5), 
+			transparent 45%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	//bottom-left shine effect
+	&::after {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		left: -1px;
+		bottom: -1px;
+		width: 25%;
+		height: 25%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from 135deg at center in oklch,
+			transparent 15%, 
+			rgba($aq-neon-blue, 0.15), 
+			transparent 30%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	.glow_topright {
+		pointer-events: none;
+		position: absolute;
+		right: -12px;
+		top: -12px;
+		width: 40%;
+		height: 40%;
+		border-top-right-radius: 20px;
+		border-bottom-left-radius: 20px;
+		border: 12px solid transparent;
+		opacity: 0.7;
+		filter: blur(8px) saturate(1.2) brightness(0.7);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 5%, 
+				rgba($aq-royal-blue, 0.4), 
+				transparent 40%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -3px;
+			border: 18px solid transparent;
+			border-radius: 25px;
+			z-index: 4;
+			opacity: 0.5;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 8%, 
+				rgba($aq-royal-blue, 0.6), 
+				transparent 35%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	}
+
+	//bottom-left glow
+	.glow_bottomleft {
+		pointer-events: none;
+		position: absolute;
+		left: -4px;
+		bottom: -4px;
+		width: 20%;
+		height: 20%;
+		border-top-right-radius: 15px;
+		border-bottom-left-radius: 15px;
+		border: 4px solid transparent;
+		opacity: 0.2;
+		filter: blur(6px) saturate(1.0) brightness(0.4);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 12%, 
+				rgba($aq-neon-blue, 0.15), 
+				transparent 28%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -1px;
+			border: 6px solid transparent;
+			border-radius: 18px;
+			z-index: 4;
+			opacity: 0.15;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 15%, 
+				rgba($aq-neon-blue, 0.25), 
+				transparent 25%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	} //glow_bottomleft
+
+
+&.light_glass {
+	background: 
+		linear-gradient(235deg, rgba(#ffffff, 0.6), rgba(#ffffff, 0.3) 33%),
+		linear-gradient(45deg, rgba(#ffffff, 0.7), rgba(#ffffff, 0.20) 33%),
+		linear-gradient(rgba(#ffffff, 0.25));
+
+	border: 1px solid rgba(#ffffff, 0.3);
+	color: $aq-blue-abyss;
+}
+
+
+
+
+
+} //glass_v2

docs/assets/css/_hubspot_form.scss

@@ -0,0 +1,47 @@
+/* hubspot_form_wrap */
+.hubspot_form_wrap {
+	padding-top:20px;padding-bottom:35px;position:relative;z-index:5;
+
+	* {
+		font-family: "Inter", sans-serif;
+	}
+}
+
+/* hubspot form styles */
+.hs-form .hs-form-field {text-align:left;}
+.hs-form .hs-form-required {opacity:0.5;padding-left:0.2em;}
+.hs-form label {font-size: 14px;font-weight: 400;}
+.hs-form input[type="text"],.hs-form input[type="password"], .hs-form input[type="datetime"], .hs-form input[type="datetime-local"], .hs-form input[type="date"], .hs-form input[type="month"], .hs-form input[type="time"], .hs-form input[type="week"], .hs-form input[type="number"], .hs-form input[type="email"], .hs-form input[type="url"], .hs-form input[type="search"], .hs-form input[type="tel"], .hs-form input[type="color"],.hs-form input[type="file"],.hs-form textarea,.hs-form select {width:100%;height:38px;padding:6px 10px;background-color:#fff;border:1px solid #D1D1D1 !important;border-radius:4px;box-shadow:none;box-sizing:border-box;}
+.hs-form input[type="file"] {border:0px;padding:0px;}
+.hs-form input[type="text"]:focus,.hs-form input[type="password"]:focus, .hs-form input[type="datetime"]:focus, .hs-form input[type="datetime-local"]:focus, .hs-form input[type="date"]:focus, .hs-form input[type="month"]:focus, .hs-form input[type="time"]:focus, .hs-form input[type="week"]:focus, .hs-form input[type="number"]:focus, .hs-form input[type="email"]:focus, .hs-form input[type="url"]:focus, .hs-form input[type="search"]:focus, .hs-form input[type="tel"]:focus, .hs-form input[type="color"]:focus,.hs-form input[type="file"]:focus,.hs-form textarea:focus,.hs-form select:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form textarea:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form input:focus:required:invalid:focus, 
+.hs-form textarea:focus:required:invalid:focus, 
+.hs-form select:focus:required:invalid:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form .hs-error-msgs {list-style-type:none;padding-left:0px;margin:5px 0 0 0;font-size: 14px;}
+.hs-form .hs-error-msgs label {color:$aq-coral-red;font-weight:normal;font-size:90%;}
+.hs-form .hs-recaptcha {margin-bottom: 20px;}
+::-webkit-input-placeholder {color:#999999;}
+:-moz-placeholder {color:#999999;}
+::-moz-placeholder {color:#999999;}
+:-ms-input-placeholder {color:#999999;}
+.hs-form fieldset.form-columns-0, .hs-form fieldset.form-columns-1, .hs-form fieldset.form-columns-2 {margin-bottom:0px;max-width:100%;}
+.hs-form fieldset.form-columns-3 {display:none;}
+.hs-form .field {margin-bottom:20px;}
+body .hs-form fieldset.form-columns-1 .hs-input {width:100%;}
+.hs-form .hs_submit {text-align:center;}
+.hs-form .hs-richtext {margin-bottom: 20px;}
+.hs-form .hs-richtext span {background-color: transparent !important;}
+.hs-form .hs-richtext a {color: $aq-neon-blue;}
+.hs-form .hs-recaptcha {visibility: hidden;position: absolute;}
+.hs-form .hs-fieldtype-textarea {min-height: 6em;}
+.hs-form .hs-field-desc {font-size: 14px;margin-bottom:10px;}
+.hs-button.primary {background-color:$aq-neon-blue;
+	border-color:$aq-neon-blue;
+	color:$aq-blue-abyss;-moz-user-select:none;background-image:none;border:1px solid rgba(0, 0, 0, 0);cursor:pointer;display:inline-block;font-weight:400;line-height:1.42857;margin-bottom:0;text-align:center;vertical-align:middle;white-space:nowrap;border-radius:4px;font-size:16px;padding:8px 15px;
+}
+
+/* ff fix */
+@-moz-document url-prefix() {
+	fieldset {display:table-cell;}
+}

docs/assets/css/_slick_slider.scss

@@ -0,0 +1,131 @@
+/* Slider */
+.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
+.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
+.slick-list:focus{outline:none;}
+.slick-list.dragging{cursor:hand;}
+.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
+.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
+.slick-track:before,.slick-track:after{display:table;content:'';}
+.slick-track:after{clear:both;}
+.slick-loading .slick-track{visibility:hidden;}
+.slick-slide{display:none;float:left;height:100%;min-height:1px;}
+.slick-slide:focus{outline:none;}
+.slick-slide img{display:block;}
+.slick-slide.slick-loading img{display:none;}
+.slick-slide.dragging img{pointer-events:none;}
+.slick-initialized .slick-slide{display:block;}
+.slick-loading .slick-slide{visibility:hidden;}
+.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
+.slick-arrow.slick-hidden{display:none;}
+
+.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
+.slick-arrow:focus, .slick-arrow:active {outline:none;}
+.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
+.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
+.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
+
+
+
+/* dots */
+.slick-dotted.slick-slider
+{
+	margin-bottom: 0px;
+}
+
+
+.slick-dots
+{
+	//position: absolute;
+	//bottom: -25px;
+	position: relative;
+	display: block;
+
+	width: 100%;
+	padding: 0;
+	margin: 0;
+
+	list-style: none;
+
+	text-align: center;
+}
+
+
+.slick-dots li {
+	position: relative;
+	display: inline-block;
+	width: 24px;
+	height: 24px;
+	margin: 0px 4px;
+	padding: 0;
+	cursor: pointer;
+}
+
+.slick-dots li button
+{
+	font-size: 0;
+	line-height: 0;
+
+	display: block;
+
+	width: 24px;
+	height: 24px;
+	padding: 0px;
+
+	cursor: pointer;
+
+	color: transparent;
+	border: 0;
+	outline: none;
+	background: transparent;
+
+	&:before {
+
+		position: relative;
+		top: 0px;
+		left: 0px;
+		width: 20px;
+		height: 20px;
+		content: "";
+		background-color: transparent;
+		border: 2px solid $aq-neon-blue;
+		border-radius: 50%;
+		display: block;
+		opacity: 0.7;
+	}
+
+	&:after {
+
+		position: absolute;
+		top: 7px;
+		left: 5px;
+		width: 10px;
+		height: 10px;
+		content: "";
+		background-color: $aq-neon-blue;
+		//border: 1px solid #666;
+		border-radius: 50%;
+		//box-shadow: inset 1px 1px 1px #888;
+		display: block;
+		opacity: 0;
+		transition: 0.2s ease-out;
+
+	}
+
+
+	
+
+}
+.slick-dots li button:hover,
+.slick-dots li button:focus
+{
+	outline: none;
+	&:after {
+		opacity: 1;
+	}
+}
+
+.slick-dots li.slick-active button:after {
+		opacity: 1;
+}

docs/assets/css/_trivy_homepage.scss

@@ -1,52 +1,4 @@
 /* trivy homepage */
-
-//aqua brand colors
-$aq-royal-blue: #1904da;
-$aq-legacy-blue: #08b1d5;
-$aq-coral-red: #ff445f;
-$aq-starfish-yellow: #ffc900;
-$aq-dark-abyss: #07242d;
-$aq-deep-sea-blue: #183278;
-$aq-ocean-ash: #405a75;
-$aq-sea-foam: #00ffe4;
-
-$aq-neo-background: #ebf3fa;
-$aq-neo-background-hover: #f0f8ff;
-
-
-$aq-royal-blue-dark: #1503ba;
-
-$aq-trivy-dark: #0a0b23;
-
-
-$weight-normal: 400;
-$weight-semibold: 600;
-$weight-bold: 700;
-
-
-
-$gap: 32px;
-// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
-$tablet: 769px;
-
-// 960px container + 4rem
-$desktop: 960px + 2 * $gap;
-
-// 1152px container + 4rem
-$widescreen: 1152px + 2 * $gap;
-$widescreen-enabled: true;
-
-// 1344px container + 4rem
-$fullhd: 1344px + 2 * $gap;
-$fullhd-enabled: true;
-
-
-
-body {
-
-	font-family: "Inter", sans-serif;
-}
-
 .trivy_v1_homepage_wrap {
 	position: relative;
  	z-index: 3;
@@ -55,97 +7,7 @@ body {
 		transition: all 0.2s ease !important;
 	}
 
-	.container {
-		width: 100%;
-		margin: 0 auto;
-		max-width: 1440px;
-
-		@media screen and (max-width: $tablet), print { //769
-			padding: 0 24px;
-			max-width: $tablet; //769
-		} //until tablet
-	}
-
-	.button {
 	
-		background-color: #ebf3fa;
-		border: 1px solid #dbdbdb;
-		border-width: 1px;
-		color: #363636;
-		cursor: pointer;
-		justify-content: center;
-		padding-bottom: calc(.5em - 1px);
-		padding-left: 1em;
-		padding-right: 1em;
-		padding-top: calc(.5em - 1px);
-		text-align: center;
-		white-space: nowrap;
-		border-radius: 4px;
-		transition: all .2s ease;
-		font-size: 16px;
-		display: inline-block;
-		font-weight: 700;
-		
-		&.is-seafoam {
-			background-color: $aq-sea-foam;
-			border-color: $aq-sea-foam;
-			color: $aq-dark-abyss;
-
-
-			&.is-outlined {
-				background-color: rgba(0,0,0,0);
-				border-color: $aq-sea-foam;
-				color: $aq-sea-foam;
-				border-width: 2px;
-
-				&:hover {
-					background-color: $aq-sea-foam;
-					color: $aq-dark-abyss;
-				}
-			} //is-outlines
-			
-		} //is-seafoam
-
-		&.large_btn {
-			font-size: 22px;
-			padding: 16px 27px;
-			margin-right: 12px;
-
-			@media screen and (max-width: $tablet), print {
-				font-size: 18px;
-			} //until tablet
-		}
-		
-
-
-		&.solidseafoamarrowbutton {
-			
-			background-color: $aq-sea-foam;
-			font-weight: 700;
-			border: 2px solid $aq-sea-foam;
-			font-size: 22px; //1.375rem; //1.125rem;
-			padding: 16px 27px;
-			color: $aq-dark-abyss;
-
-
-			&:after {
-					content: "";
-					border: solid $aq-dark-abyss;
-					border-width: 0 2px 2px 0;
-					display: inline-block;
-					padding: 4px;
-					transform: rotate(-45deg);
-					margin-left: 30px;
-					vertical-align: middle;
-					transition: all .2s;
-			}
-		} //solidseafoamarrowbutton
-
-	} //button
-
-	.margin-bottom-20 {
-		margin-bottom: 20px;
-	}
 
 	.hero_wrap {
 		background-color: $aq-trivy-dark;
@@ -155,10 +17,6 @@ body {
 		z-index: 10;
 
 
-
-		
-
-
 		.homepage_background_image_wrap {
 			position: absolute;
 			left: 0px;
@@ -299,14 +157,14 @@ body {
 					.page_title {
 						color: #ffffff;
 						font-weight: $weight-bold;
-						font-size: 48px; //3rem;
+						font-size: 48px; //3rem
 						line-height: 1.3;
 					}//page_title
 			
 					.page_subtitle {
 						color: #ffffff;
 						font-weight: $weight-normal;
-						font-size: 24px; //1.5rem;
+						font-size: 24px; //1.5rem
 						line-height: 1.3;
 						margin-bottom: 30px;
 					} //page_subtitle
@@ -321,11 +179,11 @@ body {
 						width: 100%;
 
 						.page_title {
-							font-size: 32px; //2rem;
+							font-size: 32px; //2rem
 						}//page_title
 			
 						.page_subtitle {
-							font-size: 18px; //1.125rem;
+							font-size: 18px; //1.125rem
 						}//page_subtitle
 			
 					} //until tablet
@@ -336,7 +194,7 @@ body {
 			} //header_title_wrap
 
 			@media screen and (min-width: $tablet), print { //769
-				padding: 48px 24px; //3rem 1.5rem;
+				padding: 48px 24px; //3rem 1.5rem
 			}
 		}
 
@@ -398,10 +256,10 @@ body {
 
 
 	.community_title {
-		color: $aq-sea-foam;
-		font-size: 60px; //3.75rem;
+		color: $aq-neon-blue;
+		font-size: 60px; //3.75rem
 		font-weight: $weight-bold;
-		margin-bottom: 24px; ////1.5rem;
+		margin-bottom: 24px; //1.5rem
 		line-height: 1.2;
 		
 
@@ -409,8 +267,8 @@ body {
 
 	.community_subtitle  {
 		color: #ffffff;
-		font-size: 26px; //1.625rem;
-		margin-bottom: 24px; ////1.5rem;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
 		
 
 	}
@@ -451,28 +309,28 @@ body {
 				display: block;
 				position: relative;
 				color: #ffffff;
-				border: 1px solid rgba($aq-sea-foam,0.2);
-				background-color: rgba($aq-sea-foam,0.05);
+				border: 1px solid rgba($aq-neon-blue,0.2);
+				background-color: rgba($aq-neon-blue,0.05);
 				border-radius: 4px;
 				padding: 25px;
 
 				.quote_name {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-semibold;
 				}
 
 				.quote_twitter_handle {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}
 
 				.quote_company {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}
 
 				.quote_text {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-normal;
 					line-height: 1.3;
 				}
@@ -539,10 +397,10 @@ body {
 	@media screen and (max-width: $tablet), print { //tablet
 
 		.community_title {
-			font-size: 32px; //2rem;
+			font-size: 32px; //2rem
 		}
 		.community_subtitle {
-			font-size: 18px; //1.125rem;
+			font-size: 18px; //1.125rem
 		}
 
 	} //until
@@ -550,144 +408,4 @@ body {
 
 	} //homepage_community_wrap
 
-} //trivy_homepage_wrap
-
-
-
-
-
-/* Slider */
-.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
-.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
-.slick-list:focus{outline:none;}
-.slick-list.dragging{cursor:hand;}
-.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
-.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
-.slick-track:before,.slick-track:after{display:table;content:'';}
-.slick-track:after{clear:both;}
-.slick-loading .slick-track{visibility:hidden;}
-.slick-slide{display:none;float:left;height:100%;min-height:1px;}
-.slick-slide:focus{outline:none;}
-.slick-slide img{display:block;}
-.slick-slide.slick-loading img{display:none;}
-.slick-slide.dragging img{pointer-events:none;}
-.slick-initialized .slick-slide{display:block;}
-.slick-loading .slick-slide{visibility:hidden;}
-.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
-.slick-arrow.slick-hidden{display:none;}
-
-.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
-.slick-arrow:focus, .slick-arrow:active {outline:none;}
-.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
-.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
-.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
-.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
-.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
-
-
-
-/* dots */
-.slick-dotted.slick-slider
-{
-	margin-bottom: 0px;
-}
-
-
-.slick-dots
-{
-	//position: absolute;
-	//bottom: -25px;
-	position: relative;
-	display: block;
-
-	width: 100%;
-	padding: 0;
-	margin: 0;
-
-	list-style: none;
-
-	text-align: center;
-}
-
-
-.slick-dots li {
-	position: relative;
-	display: inline-block;
-	width: 24px;
-	height: 24px;
-	margin: 0px 4px;
-	padding: 0;
-	cursor: pointer;
-}
-
-.slick-dots li button
-{
-	font-size: 0;
-	line-height: 0;
-
-	display: block;
-
-	width: 24px;
-	height: 24px;
-	padding: 0px;
-
-	cursor: pointer;
-
-	color: transparent;
-	border: 0;
-	outline: none;
-	background: transparent;
-
-	&:before {
-
-		position: relative;
-		top: 0px;
-		left: 0px;
-		width: 20px;
-		height: 20px;
-		content: "";
-		background-color: transparent;
-		border: 2px solid $aq-sea-foam;
-		border-radius: 50%;
-		display: block;
-		opacity: 0.7;
-	}
-
-	&:after {
-
-		position: absolute;
-		top: 7px;
-		left: 5px;
-		width: 10px;
-		height: 10px;
-		content: "";
-		background-color: $aq-sea-foam;
-		//border: 1px solid #666;
-		border-radius: 50%;
-		//box-shadow: inset 1px 1px 1px #888;
-		display: block;
-		opacity: 0;
-		transition: 0.2s ease-out;
-
-	}
-
-
-	
-
-}
-.slick-dots li button:hover,
-.slick-dots li button:focus
-{
-	outline: none;
-	&:after {
-		opacity: 1;
-	}
-}
-
-.slick-dots li.slick-active button:after {
-		opacity: 1;
-}
-
-
-
-
+} //trivy_homepage_wrap

docs/assets/css/_trivy_partners.scss

@@ -0,0 +1,491 @@
+/* trivy partners page */
+.trivy_v1_homepage_wrap.partners_wrap {
+	position: relative;
+	z-index: 3;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	padding-bottom: 80px; //5rem
+
+	.generic_title {
+		color: #ffffff;
+	}
+
+
+	.section_title_wrap {
+		position: relative;
+		padding-bottom: $gap;
+		padding-top: $gap/2;
+		text-align: center;
+		z-index: 1;
+
+		.section_title, .section_subtitle {
+			position: relative;
+			z-index: 2;
+		}
+
+		.section_title_icon {
+			position: relative;
+			z-index: 2;
+			text-align: center;
+			
+			img {
+				display: block;
+				animation: float 3s ease-out infinite;
+				margin: 0px auto;
+			}
+			
+			&::after {
+				content: "";
+				position: relative;
+				margin: 30px auto 10px auto;
+				background-color: rgba(#ffffff,0.1);
+				width: 90px;
+				display: block;
+				height: 15px;
+				border-radius: 50%;
+				animation: shrink 3s ease-out infinite;
+				// transform-origin: center center;
+			}
+		}
+
+		@keyframes float {
+			50% {
+				transform: translate(0, 10px);
+			}
+		}
+
+
+		@keyframes shrink {
+		0% {
+			width: 80px;
+		}
+		50% {
+			width: 100px;
+		}
+		100% {
+			width: 80px;
+		}
+		}
+
+
+		.section_title_icon + .section_title {
+			margin-top: 0px;
+		}
+
+
+
+
+		&::before {
+			content: "";
+			position: absolute;
+			left: 20%;
+			width: 60%;
+			padding: 30% 0;
+			transform: translate(0, -70%) rotate(-45deg);
+			background: radial-gradient(circle at left bottom, rgba($aq-neon-blue, 0.5) 10%, rgba($aq-royal-blue, 0.4) 20%, rgba($aq-trivy-dark, 0) 60%);
+			filter: blur(40px);
+			z-index: 1;
+			pointer-events: none;
+
+		} //before
+
+
+	} //section_title_wrap
+
+	.partners_hero_wrap {
+		background-color: $aq-trivy-dark;
+		background-image: radial-gradient(60vw at 50%, #031145 10%, $aq-trivy-dark 100%);
+		min-height: 500px;
+		position: relative;
+		z-index: 10;
+
+		.partners_background_image_wrap {
+			position: absolute;
+			left: 0px;
+			top: 0px;
+			width: 100%;
+			height: 100%;
+			z-index: 1;
+			pointer-events: none;
+
+			.stars_wrap {
+				position: absolute;
+				left: 0px;
+				top: 0px;
+				width: 100%;
+				height: 100%;
+				z-index: 1;
+				overflow: hidden;
+				
+				.stars_bg {
+					position: absolute;
+					width: 400vw;
+					height: 400vh;
+					top: 50%;
+					left: 50%;
+					margin-top: -200vh;
+					margin-left: -200vw;
+					animation: stars_ani 240s linear infinite;
+					background-size: 240px;
+					backface-visibility: visible;
+					background-image:url(../images/homepage_hero_stars_02.svg);
+					background-repeat: repeat;
+					
+				}
+
+
+				@keyframes stars_ani {
+					0% { transform: rotate(0deg); }
+					100% { transform: rotate(360deg); }
+				}
+
+			} //stars_wrap
+
+
+
+		} //hero_background_image_wrap
+	} //partners_hero_wrap
+
+
+
+	.hero {
+
+		
+		.hero-body {
+			// padding: 80px 0px;
+
+			.header_title_wrap.with_columns {
+
+				display: flex;
+				flex-direction: row;
+
+				@media screen and (max-width: $desktop) {
+					flex-direction: column;
+				}
+
+
+				.header_title_content_wrap {
+
+					width: 50%;
+					position: relative;
+					z-index: 3;
+
+
+
+					.page_title {
+						font-size: 64px; //4rem
+						margin-bottom: 0px;
+					}
+
+					&.partners_hero_titles {
+						display: flex;
+						align-self: center;
+						justify-content: center;
+						flex-direction: column;
+					}
+
+					&.partners_hero_stage_image {
+						display: flex;
+						align-self: center;
+						justify-content: center;
+						img {
+							max-width: 100%;
+							height: auto;
+						}
+					}
+
+
+					@media screen and (max-width: $widescreen), print {
+						width: 70%;
+
+						.page_title {
+							font-size: 48px; //3rem
+						}
+					} //until widescreen
+
+					@media screen and (max-width: $tablet), print { //769
+
+						width: 100%;
+
+						.page_title {
+							font-size: 32px; //2rem
+						}//page_title
+			
+						.page_subtitle {
+							font-size: 18px; //1.125rem
+						}//page_subtitle
+			
+					} //until tablet
+
+
+				} //header_title_content_wrap
+
+			} //header_title_wrap
+
+			@media screen and (min-width: $tablet), print { //769
+				padding: 24px;
+			}
+		}
+
+	} //hero
+
+	
+} //trivy_v1_homepage_wrap partners_wrap
+
+
+/* logos */
+.partners_logos_wrap {
+	background-color: $aq-trivy-dark;
+	padding: 50px 0px;
+
+	.partners_logos_title {
+		text-align: center;
+		color: #ffffff;
+	}
+
+	.partners_logos {
+		display: flex;
+		flex-direction: row;
+		justify-content: center;
+		align-items: center;
+		gap: 64px; //4rem
+		flex-wrap: wrap;
+
+		.logo_item {
+			display: inline-block;
+			padding: 20px;
+			margin: 0px;
+			
+			// background-color: red;
+			img {
+				display: block;
+				margin: 0px auto;
+				width: auto;
+				max-height: 115px;
+				max-width: 200px;
+				transition: all 0.3s ease;
+				// overflow: hidden;
+			}
+		} //logo_item
+
+		@media screen and (max-width: $tablet) {
+
+			gap: 32px; //2rem
+
+			.logo_item {
+				img {
+					max-height: 80px;
+					max-width: 150px;
+				}
+			}
+		}
+
+	} //partners_logos
+} //partners_logos_wrap
+
+
+
+/* benefits */
+.partners_benefits_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+	.benefit_items {
+		display: flex;
+		flex-direction: row;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		@media screen and (max-width: $desktop) {
+			flex-direction: column;
+		}
+
+		.benefit_item {
+			flex: 1;
+
+			.benefit_icon {
+				text-align: center;
+				
+				img {
+					max-width: 150px;
+					margin-left: auto;
+					margin-right: auto;
+					height: auto;
+				}
+			}
+			
+			.benefit_title {
+				text-align: center;
+				font-size: 32px; //2rem
+			}
+
+
+			.benefit_content {
+				font-size: 18px; //1.125rem
+				line-height: 1.3;
+				margin: 12px; //.75rem
+				text-align: center;
+			}
+		} //benefit_item
+	} //benefit_items
+} //partners_benefits_wrap
+
+
+
+/* plans */
+.partners_plans_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+
+	.plan_items {
+
+		display: flex;
+		flex-direction: column;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		.plan_item {
+			// border: 1px solid orange;
+			padding-left: 60px;
+			
+			
+			.glass_content {
+				
+				display: flex;
+				flex-direction: row;
+				align-items: center;
+				gap: $gap;
+				margin: 0 12px; //.75rem
+				min-height: 180px;
+
+				.plan_titles_wrap {
+	
+					width: 80%;
+	
+					.plan_title {
+						font-size: 32px; //2rem
+						margin: 12px 0px;
+					}
+		
+					.plan_subtitle {
+						font-size: 26px; //1.625rem
+						margin: 12px 0px;
+					}
+				} //plan_titles_wrap
+
+				.plan_content {
+					font-size: 20px; //1.25rem
+					line-height: 1.3;
+					margin: 12px; //.75rem
+					width: 100%;
+				}
+
+
+
+				
+				@media screen and (max-width: $desktop) {
+					flex-direction: column;
+					gap: 0px;
+
+					.plan_titles_wrap {
+						width: 100%;
+					}
+
+				} //desktop
+
+
+			} //glass_content
+
+
+		} //plan_item
+
+	} //plan_items
+
+
+
+	.plan_level {
+		position: absolute;
+		top: 10%;
+		left: 24px;
+		height: 80%;
+		width: 20px;
+		background-color: $aq-royal-blue;
+		border-radius: 10px;
+		pointer-events: none;
+		overflow: hidden;
+
+		&.level_1 {background-color: $aq-starfish-yellow;}
+		&.level_2 {background-color: $aq-coral-red;}
+		&.level_3 {background-color: $aq-legacy-blue;}
+
+		&::after {
+			content: '';
+			position: absolute;
+			top: -150%;
+			left: -150%;
+			width: 400%;
+			height: 400%;
+			background: linear-gradient(
+				-45deg,
+				transparent 40%,
+				rgba(255, 255, 255, 0.05) 47%,
+				rgba(255, 255, 255, 0.2) 50%,
+				rgba(255, 255, 255, 0.05) 53%,
+				transparent 60%
+			);
+			transform: rotate(-45deg);
+			animation: shimmer 1.2s ease-out infinite;
+			animation-delay: 2s;
+			opacity: 0;
+		}
+
+		@keyframes shimmer {
+			0% {
+				transform: translateX(-120%) rotate(-45deg);
+				opacity: 0;
+			}
+			20% {
+				opacity: 1;
+			}
+			80% {
+				opacity: 1;
+			}
+			100% {
+				transform: translateX(120%) rotate(-45deg);
+				opacity: 0;
+			}
+		}
+	} //plan_level
+
+} //partners_plans_wrap
+
+
+.partners_contact_wrap {
+
+	.partners_contact_title {
+		text-align: center;
+	}
+
+	.contact_form_wrap {
+		position: relative;
+		z-index: 5;
+		max-width: 60%;
+		margin: 0 auto;
+
+		.hubspot_form_wrap {
+
+		} //hubspot_form_wrap
+
+		@media screen and (max-width: $desktop) {
+			max-width: 90%;
+		}
+
+	} //contact_form_wrap
+} //partners_contact_wrap

docs/assets/css/trivy_v1_styles.scss

@@ -0,0 +1,201 @@
+/* trivy styles */
+
+//aqua brand colors
+$aq-royal-blue: #1904da;
+$aq-legacy-blue: #08b1d5;
+$aq-coral-red: #ff445f;
+$aq-starfish-yellow: #ffc900;
+$aq-dark-abyss: #07242d;
+$aq-blue-abyss: #031730;
+$aq-deep-sea-blue: #183278;
+$aq-ocean-ash: #405a75;
+// $aq-sea-foam: #00ffe4;
+$aq-neon-blue: #50f0ff;
+
+$aq-neo-background: #ebf3fa;
+$aq-neo-background-hover: #f0f8ff;
+
+
+$aq-royal-blue-dark: #1503ba;
+
+$aq-trivy-dark: #0a0b23;
+
+$weight-normal: 400;
+$weight-semibold: 600;
+$weight-bold: 700;
+
+
+
+$gap: 32px;
+// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
+$tablet: 769px;
+
+// 960px container + 4rem
+$desktop: 960px + 2 * $gap;
+
+// 1152px container + 4rem
+$widescreen: 1152px + 2 * $gap;
+$widescreen-enabled: true;
+
+// 1344px container + 4rem
+$fullhd: 1344px + 2 * $gap;
+$fullhd-enabled: true;
+
+
+
+body {
+
+	font-family: "Inter", sans-serif;
+}
+
+
+.container {
+	width: 100%;
+	margin: 0 auto;
+	max-width: 1440px;
+
+	&.is-relative {
+		position: relative;
+	}
+
+	@media screen and (max-width: $tablet), print { //769
+		padding: 0 24px;
+		max-width: calc( 100% - 48px); //$tablet; //769
+	} //until tablet
+
+}
+
+
+.generic_title {
+	font-size: 28px; //1.75rem
+	font-weight: $weight-bold;
+	margin: 12px; //0.75rem
+	color: $aq-royal-blue;
+}
+
+.generic_subtitle {
+	font-size: 18px; //1.125rem
+	opacity: 0.8;
+	margin: 12px; //0.75rem
+}
+
+
+	.section_title {
+		color: #ffffff; //$aq-neon-blue;
+		font-size: 48px; //3rem
+		font-weight: $weight-bold;
+		margin-bottom: 24px; //1.5rem
+		line-height: 1.2;
+
+		&.is_smaller {
+			font-size: 40px; //2.5rem
+		}
+	}
+
+	.section_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
+	}
+
+
+	@media screen and (max-width: $tablet) {
+
+		.section_title, .section_title.is_smaller {
+			font-size: 32px; //2rem
+		}
+		.section_subtitle {
+			font-size: 18px; //1.125rem
+		}
+
+	} //until
+
+
+.button {
+
+	background-color: #ebf3fa;
+	border: 1px solid #dbdbdb;
+	border-width: 1px;
+	color: #363636;
+	cursor: pointer;
+	justify-content: center;
+	padding-bottom: calc(.5em - 1px);
+	padding-left: 1em;
+	padding-right: 1em;
+	padding-top: calc(.5em - 1px);
+	text-align: center;
+	white-space: nowrap;
+	border-radius: 4px;
+	transition: all .2s ease;
+	font-size: 16px;
+	display: inline-block;
+	font-weight: 700;
+	
+	&.is-seafoam {
+		background-color: $aq-neon-blue;
+		border-color: $aq-neon-blue;
+		color: $aq-blue-abyss;
+
+
+		&.is-outlined {
+			background-color: rgba(0,0,0,0);
+			border-color: $aq-neon-blue;
+			color: $aq-neon-blue;
+			border-width: 2px;
+
+			&:hover {
+				background-color: $aq-neon-blue;
+				color: $aq-blue-abyss;
+			}
+		} //is-outlines
+		
+	} //is-seafoam
+
+	&.large_btn {
+		font-size: 22px;
+		padding: 16px 27px;
+		margin-right: 12px;
+
+		@media screen and (max-width: $tablet), print {
+			font-size: 18px;
+		} //until tablet
+	}
+	
+
+
+	&.solidseafoamarrowbutton {
+		
+		background-color: $aq-neon-blue;
+		font-weight: 700;
+		border: 2px solid $aq-neon-blue;
+		font-size: 22px; //1.375rem
+		padding: 16px 27px;
+		color: $aq-blue-abyss;
+
+
+		&:after {
+				content: "";
+				border: solid $aq-blue-abyss;
+				border-width: 0 2px 2px 0;
+				display: inline-block;
+				padding: 4px;
+				transform: rotate(-45deg);
+				margin-left: 30px;
+				vertical-align: middle;
+				transition: all .2s;
+		}
+	} //solidseafoamarrowbutton
+
+} //button
+
+.margin-bottom-20 {
+	margin-bottom: 20px;
+}
+
+
+@import "_slick_slider";
+@import "_glass_v2";
+@import "_hubspot_form";
+
+@import "_trivy_homepage";
+@import "_trivy_partners";

docs/assets/images/partner_logo_echo.svg

@@ -0,0 +1,20 @@
+<svg width="214" height="63" viewBox="0 0 214 63" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_105_3432)">
+<g clip-path="url(#clip1_105_3432)">
+<path d="M91.1057 16.7456C93.9686 16.7456 96.4222 17.33 98.4665 18.4988C100.511 19.6676 102.079 21.2859 103.169 23.3538C104.305 25.3767 104.873 27.7143 104.873 30.3665C104.873 30.9509 104.851 31.5128 104.805 32.0523C104.759 32.5467 104.669 33.0188 104.533 33.4683H84.018C84.063 38.0985 84.9265 41.4251 86.6078 43.448C88.3341 45.4709 90.8333 46.4824 94.1048 46.4824C96.3765 46.4824 98.2166 46.1227 99.6255 45.4034C101.034 44.6393 102.329 43.5828 103.51 42.2343L104.601 43.2457C103.237 45.7182 101.374 47.6512 99.012 49.0447C96.6946 50.3933 93.923 51.0676 90.6971 51.0676C87.4706 51.0676 84.6309 50.3933 82.1773 49.0447C79.7238 47.6961 77.7931 45.7631 76.3842 43.2457C75.0209 40.6833 74.3398 37.6265 74.3398 34.0752C74.3398 30.389 75.1346 27.2647 76.7253 24.7024C78.3611 22.1401 80.451 20.1846 82.9952 18.8359C85.585 17.4424 88.2885 16.7456 91.1057 16.7456ZM90.7652 18.7011C89.4475 18.7011 88.2885 19.0832 87.2895 19.8474C86.3348 20.5667 85.5625 21.8703 84.9721 23.7584C84.4266 25.6015 84.1086 28.2088 84.018 31.5803H96.2172C96.7171 27.0399 96.5359 23.7584 95.6724 21.7354C94.8089 19.7125 93.1732 18.7011 90.7652 18.7011Z" fill="white"/>
+<path d="M125.043 51.0676C121.953 51.0676 119.159 50.4158 116.66 49.1121C114.16 47.7635 112.184 45.8305 110.73 43.3131C109.321 40.7508 108.617 37.649 108.617 34.0078C108.617 30.3666 109.413 27.2647 111.003 24.7024C112.593 22.1401 114.706 20.1846 117.341 18.8359C120.022 17.4424 122.953 16.7456 126.133 16.7456C128.723 16.7456 130.927 17.1727 132.744 18.0268C134.561 18.8809 135.947 19.9823 136.902 21.3309C137.856 22.6345 138.333 24.0281 138.333 25.5116C138.333 26.7703 137.947 27.7367 137.174 28.4111C136.447 29.0853 135.493 29.4225 134.311 29.4225C133.039 29.4225 131.995 28.9729 131.177 28.0739C130.404 27.1748 129.95 26.0285 129.814 24.635C129.768 23.7359 129.768 22.9717 129.814 22.3423C129.904 21.713 129.904 21.1061 129.814 20.5217C129.632 19.7575 129.314 19.2406 128.859 18.9708C128.45 18.7011 127.86 18.5662 127.088 18.5662C124.225 18.5662 122.021 19.7125 120.477 22.0052C118.977 24.2528 118.227 27.9165 118.227 32.9963C118.227 37.3568 119.068 40.7058 120.749 43.0434C122.43 45.381 125.043 46.5498 128.586 46.5498C130.677 46.5498 132.403 46.1677 133.767 45.4034C135.129 44.5943 136.379 43.448 137.515 41.9645L138.606 42.7737C137.47 45.4709 135.72 47.5388 133.357 48.9772C131.04 50.3708 128.268 51.0676 125.043 51.0676Z" fill="white"/>
+<path d="M140.628 50.1236V48.775L141.514 48.5053C143.15 48.0108 143.967 46.8869 143.967 45.1337V10.4072C143.967 9.46321 143.809 8.76643 143.491 8.31689C143.173 7.82236 142.559 7.46278 141.651 7.23798L140.628 6.96825V5.6871L152.146 2.7876L153.237 3.39447L152.964 12.9021V21.5332C154.555 20.2295 156.281 19.1057 158.144 18.1617C160.052 17.2177 162.097 16.7456 164.278 16.7456C167.277 16.7456 169.617 17.5773 171.298 19.2406C173.024 20.9039 173.888 23.4662 173.888 26.9276V45.2012C173.888 46.1002 174.07 46.8195 174.433 47.359C174.797 47.8984 175.433 48.303 176.342 48.5727L176.955 48.775V50.1236H161.416V48.775L162.234 48.5053C163.869 48.0557 164.687 46.9319 164.687 45.1337V25.6464C164.687 23.8034 164.369 22.5222 163.733 21.8029C163.097 21.0837 161.984 20.724 160.393 20.724C159.303 20.724 158.144 20.9263 156.917 21.3309C155.736 21.7355 154.487 22.4098 153.169 23.3538V45.2686C153.169 46.1677 153.351 46.8869 153.714 47.4264C154.077 47.9658 154.691 48.348 155.554 48.5727L156.167 48.775V50.1236L140.628 50.1236Z" fill="white"/>
+<path d="M196.734 51.0676C193.372 51.0676 190.418 50.3708 187.874 48.9772C185.375 47.5837 183.421 45.6058 182.012 43.0434C180.649 40.4811 179.968 37.4242 179.968 33.8729C179.968 30.3215 180.694 27.2647 182.148 24.7024C183.648 22.1401 185.647 20.1846 188.146 18.8359C190.691 17.4424 193.553 16.7456 196.734 16.7456C199.915 16.7456 202.754 17.4424 205.253 18.8359C207.798 20.1846 209.797 22.1401 211.251 24.7024C212.75 27.2198 213.5 30.2766 213.5 33.8729C213.5 37.4242 212.796 40.5035 211.387 43.1109C210.024 45.6732 208.093 47.6512 205.594 49.0447C203.095 50.3933 200.142 51.0676 196.734 51.0676ZM196.734 49.1796C198.369 49.1796 199.687 48.7525 200.687 47.8984C201.732 46.9993 202.482 45.4484 202.936 43.2457C203.39 41.043 203.618 37.9636 203.618 34.0078C203.618 30.0069 203.39 26.9051 202.936 24.7024C202.482 22.4547 201.732 20.9038 200.687 20.0497C199.687 19.1507 198.369 18.7011 196.734 18.7011C195.098 18.7011 193.78 19.1507 192.781 20.0497C191.782 20.9038 191.032 22.4547 190.532 24.7024C190.078 26.9051 189.85 30.0069 189.85 34.0078C189.85 37.9636 190.078 41.043 190.532 43.2457C191.032 45.4484 191.782 46.9993 192.781 47.8984C193.78 48.7525 195.098 49.1796 196.734 49.1796Z" fill="white"/>
+<path d="M19.851 31.1743C19.851 45.9125 27.2427 56.2352 30.8683 60.3905C32.079 61.7781 31.767 62.4352 29.9322 62.2793C13.4366 60.8757 0.5 47.4855 0.5 31.1743C0.5 14.5469 13.943 0.954861 30.8953 0.00118455C31.5519 -0.0357474 31.9018 0.79971 31.4502 1.27776C28.132 4.79122 19.851 15.1633 19.851 31.1743Z" fill="white"/>
+<path d="M45.4656 31.1876C45.4656 42.1671 41.9304 51.0676 38.3656 51.0676C34.8008 51.0676 31.2656 42.1671 31.2656 31.1876C31.2656 20.2082 34.8009 11.3076 38.3656 11.3076C41.9303 11.3076 45.4656 20.2082 45.4656 31.1876Z" fill="white"/>
+</g>
+</g>
+<defs>
+<clipPath id="clip0_105_3432">
+<rect width="213.24" height="61.9812" fill="white" transform="translate(0.612305 0.481934)"/>
+</clipPath>
+<clipPath id="clip1_105_3432">
+<rect width="213" height="62.3018" fill="white" transform="translate(0.5)"/>
+</clipPath>
+</defs>
+</svg>

docs/assets/images/partner_logo_minimus.svg

@@ -0,0 +1,17 @@
+<svg width="123" height="113" viewBox="0 0 123 113" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_105_3430)">
+<path d="M15.33 112.944H13.0356V102.463C13.0356 101.776 12.8778 101.217 12.5647 100.784C12.2516 100.333 11.7506 100.107 11.0643 100.107C10.4181 100.107 9.887 100.353 9.47629 100.844C9.08299 101.315 8.88765 102.052 8.88765 103.051V112.944H6.59327V102.345C6.59327 101.699 6.41796 101.168 6.06471 100.756C5.71157 100.325 5.24067 100.109 4.65203 100.109C3.94574 100.109 3.39715 100.365 3.00395 100.875C2.63068 101.386 2.44535 102.052 2.44535 102.876V112.944H0.148438V98.3424H2.44282V99.9321H2.79607C3.05149 99.2448 3.42477 98.7441 3.91316 98.431C4.40409 98.0968 4.98271 97.9292 5.64895 97.9292C6.35534 97.9292 6.93387 98.1147 7.38473 98.4879C7.85562 98.8621 8.17883 99.3428 8.35667 99.9321H8.70981C9.37604 98.5986 10.4356 97.9292 11.8883 97.9292C12.9879 97.9292 13.8296 98.2824 14.4182 98.9897C15.0269 99.676 15.3299 100.578 15.3299 101.699L15.33 112.944Z" fill="white"/>
+<path d="M24.2491 93.9842C24.2491 93.456 24.432 93.0101 24.7952 92.6433C25.1784 92.2606 25.6343 92.0698 26.1627 92.0698C26.6913 92.0698 27.1371 92.2606 27.5029 92.6433C27.8861 93.0101 28.0765 93.4561 28.0765 93.9842C28.0765 94.5134 27.8861 94.9698 27.5029 95.3525C27.1371 95.7183 26.6913 95.8996 26.1627 95.8996C25.6343 95.8996 25.1784 95.7162 24.7952 95.3525C24.4295 94.9698 24.2491 94.5134 24.2491 93.9842ZM20.1738 110.825H25.2936V100.463H21.2033V98.3431H27.588V110.825H32.3546V112.945H20.1738V110.825Z" fill="white"/>
+<path d="M39.4916 112.943H37.1973V98.3422H39.4916V100.816H39.8448C40.7465 98.8946 42.317 97.9321 44.5513 97.9321C46.2395 97.9321 47.582 98.4603 48.5815 99.5207C49.5809 100.56 50.0819 102.132 50.0819 104.23V112.943H47.7875V104.701C47.7875 103.169 47.4444 102.021 46.758 101.257C46.0717 100.493 45.14 100.11 43.9627 100.11C42.57 100.11 41.4704 100.591 40.6664 101.553C39.8824 102.496 39.4891 103.761 39.4891 105.349V112.946L39.4916 112.943Z" fill="white"/>
+<path d="M87.1294 112.944H84.8347V102.463C84.8347 101.776 84.6769 101.217 84.3638 100.784C84.0507 100.333 83.5498 100.107 82.8635 100.107C82.2172 100.107 81.6862 100.353 81.2754 100.844C80.8822 101.315 80.6869 102.052 80.6869 103.051V112.944H78.3925V102.345C78.3925 101.699 78.2171 101.168 77.8639 100.756C77.5108 100.325 77.0399 100.109 76.4513 100.109C75.7449 100.109 75.1964 100.365 74.8031 100.875C74.4299 101.386 74.2446 102.052 74.2446 102.876V112.944H71.9502V98.3424H74.2446V99.9321H74.5977C74.8533 99.2448 75.2264 98.7441 75.7148 98.431C76.2057 98.0968 76.7844 97.9292 77.4507 97.9292C78.157 97.9292 78.7356 98.1147 79.1865 98.4879C79.6574 98.8621 79.9805 99.3428 80.1583 99.9321H80.5115C81.1778 98.5986 82.2372 97.9292 83.6901 97.9292C84.7897 97.9292 85.6312 98.2824 86.2199 98.9897C86.829 99.676 87.1315 100.578 87.1315 101.699V112.944H87.1294Z" fill="white"/>
+<path d="M102.564 97.9292H104.858V112.529H102.564V109.881H102.211C101.74 110.824 101.121 111.57 100.357 112.119C99.5933 112.667 98.6214 112.944 97.4439 112.944C96.6396 112.944 95.8932 112.806 95.207 112.533C94.5408 112.276 93.962 111.885 93.4708 111.354C93.0006 110.826 92.6275 110.167 92.3544 109.383C92.0983 108.597 91.9707 107.685 91.9707 106.646V97.9324H94.2656V106.352C94.2656 107.884 94.5787 109.001 95.207 109.708C95.8353 110.415 96.7946 110.768 98.0901 110.768C99.4827 110.768 100.573 110.297 101.356 109.354C102.16 108.393 102.564 107.116 102.564 105.528V97.9292Z" fill="white"/>
+<path d="M112.703 101.699C112.703 102.405 112.996 102.944 113.585 103.318C114.193 103.691 115.29 103.937 116.88 104.055C118.587 104.192 119.881 104.603 120.766 105.29C121.667 105.956 122.118 106.939 122.118 108.234V108.409C122.118 109.117 121.971 109.753 121.678 110.325C121.401 110.873 121.011 111.344 120.5 111.737C120.009 112.132 119.401 112.425 118.676 112.62C117.97 112.836 117.196 112.943 116.352 112.943C115.215 112.943 114.233 112.796 113.409 112.502C112.606 112.189 111.929 111.786 111.377 111.295C110.849 110.783 110.446 110.214 110.17 109.588C109.895 108.941 109.739 108.292 109.699 107.645L111.876 107.117C111.974 108.234 112.404 109.139 113.172 109.826C113.935 110.492 114.957 110.825 116.232 110.825C117.311 110.825 118.174 110.62 118.822 110.207C119.488 109.776 119.821 109.177 119.821 108.409C119.821 107.585 119.498 106.997 118.849 106.643C118.203 106.289 117.153 106.064 115.701 105.966C114.013 105.849 112.72 105.455 111.816 104.788C110.915 104.122 110.463 103.149 110.463 101.874V101.699C110.463 101.011 110.611 100.412 110.904 99.9012C111.197 99.3731 111.59 98.9293 112.082 98.5761C112.593 98.2219 113.161 97.9563 113.787 97.7813C114.416 97.6063 115.072 97.5156 115.759 97.5156C116.72 97.5156 117.562 97.6537 118.289 97.9268C119.015 98.1819 119.623 98.5255 120.112 98.9567C120.602 99.3678 120.976 99.8485 121.229 100.4C121.505 100.949 121.68 101.498 121.758 102.05L119.581 102.578C119.483 101.635 119.1 100.898 118.434 100.37C117.788 99.8411 116.933 99.5755 115.873 99.5755C115.463 99.5755 115.06 99.6261 114.666 99.7241C114.293 99.801 113.96 99.9286 113.667 100.107C113.374 100.283 113.139 100.511 112.961 100.784C112.786 101.04 112.695 101.342 112.695 101.695L112.703 101.699Z" fill="white"/>
+<path d="M58.9985 93.9842C58.9985 93.456 59.1814 93.0101 59.5446 92.6433C59.9278 92.2606 60.3837 92.0698 60.9122 92.0698C61.4407 92.0698 61.8865 92.2606 62.2522 92.6433C62.6355 93.0101 62.8259 93.4561 62.8259 93.9842C62.8259 94.5134 62.6355 94.9698 62.2522 95.3525C61.8865 95.7183 61.4407 95.8996 60.9122 95.8996C60.3837 95.8996 59.9278 95.7162 59.5446 95.3525C59.1789 94.9698 58.9985 94.5134 58.9985 93.9842ZM54.9258 110.825H60.0455V100.463H55.9553V98.3431H62.3399V110.825H67.1065V112.945H54.9258V110.825Z" fill="white"/>
+<path d="M25.8652 0V71.4913H97.3429V0H25.8652ZM61.8864 47.5845H58.2681V31.0561C58.2681 29.9728 58.02 29.0909 57.5238 28.4104C57.0273 27.6993 56.2396 27.3439 55.1563 27.3439C54.1336 27.3439 53.2987 27.7294 52.6481 28.5041C52.0278 29.2484 51.7192 30.4088 51.7192 31.9849V47.5845H48.0976V30.8716C48.0976 29.8488 47.8191 29.0139 47.2627 28.3633C46.706 27.6826 45.9617 27.3405 45.0327 27.3405C43.9196 27.3405 43.051 27.7428 42.4341 28.5478C41.8473 29.3523 41.5521 30.4055 41.5521 31.7031V47.5812H37.9305V24.554H41.5521V27.0623H42.1087C42.511 25.9791 43.0981 25.191 43.8725 24.6948C44.6471 24.1683 45.5592 23.9065 46.6121 23.9065C47.7255 23.9065 48.6409 24.2017 49.3517 24.7885C50.0927 25.3756 50.6059 26.1332 50.8843 27.0623H51.4408C52.4939 24.9563 54.1637 23.9065 56.4539 23.9065C58.1875 23.9065 59.5189 24.4635 60.4477 25.5765C61.4069 26.6598 61.8864 28.0851 61.8864 29.8488V47.5845ZM85.2771 37.433H68.4942V34.0585H85.2771V37.433Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_105_3430">
+<rect width="121.97" height="112.945" fill="white" transform="translate(0.148438)"/>
+</clipPath>
+</defs>
+</svg>

docs/assets/images/partner_logo_root.svg

@@ -0,0 +1,15 @@
+<svg width="195" height="45" viewBox="0 0 195 45" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_105_3431)">
+<path d="M90.2387 8.59574C86.5111 8.59574 83.6196 9.64525 81.5667 11.7397C79.5094 13.8342 78.4814 16.7784 78.4814 20.5738V43.2223H83.6775V21.0333C83.6775 18.4579 84.3028 16.5279 85.561 15.2417C86.8162 13.9525 88.5701 13.3086 90.8226 13.3086C91.6905 13.3086 92.5979 13.4177 93.5527 13.6359V8.98758C92.7717 8.72485 91.6691 8.59424 90.2402 8.59424" fill="white"/>
+<path d="M126.189 13.6696C122.833 10.289 118.644 8.59717 113.619 8.59717C108.594 8.59717 104.404 10.289 101.049 13.6696C97.6938 17.0534 96.0176 21.296 96.0176 26.4007C96.0176 31.5054 97.6815 35.7634 101.018 39.1655C104.352 42.5676 108.554 44.2702 113.619 44.2702C118.684 44.2702 122.885 42.5691 126.222 39.1655C129.556 35.7634 131.223 31.5069 131.223 26.4007C131.223 21.2945 129.547 17.0534 126.189 13.6696ZM122.455 35.7941C120.117 38.3035 117.17 39.5588 113.619 39.5588C110.068 39.5588 107.134 38.3127 104.816 35.828C102.501 33.34 101.343 30.1961 101.343 26.4007C101.343 22.6052 102.502 19.4642 104.816 16.9765C107.134 14.4887 110.068 13.2455 113.619 13.2455C117.17 13.2455 120.117 14.4887 122.455 16.9765C124.795 19.4642 125.964 22.6051 125.964 26.4007C125.964 30.1963 124.795 33.2848 122.455 35.7941Z" fill="white"/>
+<path d="M166.919 13.6696C163.564 10.289 159.375 8.59717 154.349 8.59717C149.324 8.59717 145.134 10.289 141.78 13.6696C138.424 17.0534 136.748 21.296 136.748 26.4007C136.748 31.5054 138.412 35.7634 141.749 39.1655C145.082 42.5676 149.285 44.2702 154.349 44.2702C159.415 44.2702 163.616 42.5691 166.952 39.1655C170.287 35.7634 171.954 31.5069 171.954 26.4007C171.954 21.2945 170.275 17.0534 166.919 13.6696ZM163.187 35.7941C160.845 38.3035 157.9 39.5588 154.349 39.5588C150.799 39.5588 147.865 38.3127 145.547 35.828C143.232 33.34 142.074 30.1961 142.074 26.4007C142.074 22.6052 143.233 19.4642 145.547 16.9765C147.865 14.4887 150.799 13.2455 154.349 13.2455C157.9 13.2455 160.845 14.4887 163.187 16.9765C165.525 19.4642 166.694 22.6051 166.694 26.4007C166.694 30.1963 165.525 33.2848 163.187 35.7941Z" fill="white"/>
+<path d="M182.225 9.6446L179.975 14.2284H194.612V9.6446H182.225ZM185.077 37.1658C183.778 35.8796 183.128 33.9727 183.128 31.4403V0.675293H177.932V31.9643C177.932 35.8042 178.959 38.7485 181.017 40.7983C183.074 42.8498 185.987 43.8731 189.754 43.8731C191.183 43.8731 192.436 43.655 193.521 43.2201V38.6378C192.74 38.9436 191.747 39.0974 190.532 39.0974C188.195 39.0974 186.379 38.455 185.075 37.1642" fill="white"/>
+<path d="M43.0491 0.675293C30.0883 0.675293 19.5439 11.2994 19.5439 24.3582V43.417H33.8967V24.3582C33.8967 19.2737 38.0028 15.1366 43.0491 15.1366H53.3235V0.675293H43.0491Z" fill="white"/>
+<path d="M0.118164 12.0776V26.5389H10.3926C15.4389 26.5389 19.545 30.6759 19.545 35.7604V43.4164H33.8978V35.7604C33.8978 22.7017 23.3534 12.0776 10.3926 12.0776L0.118164 12.0776Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_105_3431">
+<rect width="194.494" height="43.5947" fill="white" transform="translate(0.118164 0.675293)"/>
+</clipPath>
+</defs>
+</svg>

docs/commercial/compare.md

@@ -0,0 +1,86 @@
+# Aqua Security is the home of Trivy
+
+Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
+In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
+If you'd like to learn more or request a demo, [click here to contact us](./contact.md).
+
+## User experience
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Interface | CLI tool | CLI tool <br> Enterprise-grade web application <br> SaaS or on-prem |
+| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization <br> Visually discover risks across your organization |
+| User management | - | Multi account <br> Granular permissions (RBAC) <br> Single Sign On (SSO) |
+| Support | Some skills required for setup and integration <br> Best effort community support | Personal onboarding by Aqua Customer Success <br> SLA backed professional support |
+| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently <br> Highly available production grade architecture |
+| Rate limiting | Assets hosted on public free infrastructure and could be rate limited | Assets hosted on Aqua infrastructure and does not have limitations |
+
+## Vulnerability scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
+| New Vulnerabilities SLA | No SLA | Commercial level SLA |
+| Package managers | Find packages in lock files | Find packages in lock files or reconstructed lock files |
+| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution <br> Vulnerability tracking and suppression <br> Incident lifecycle management |
+| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools:  <br> Accessibility of the affected resources <br> Exploitability of the vulnerability <br> Open Source packages health and trustworthiness score <br> Affected image layers |
+| Reachability analysis | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
+| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
+| Compiled binaries | Find embedded dependencies in Go and Rust binaries <br> Find SBOM by hash in public Sigstore | In addition, identify popular applications |
+
+## Container scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Windows containers | - | Support scanning windows containers |
+| Scan container registries | - | Connect to any container registries and automatically scan it |
+| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports registry specific authentication schemes |
+| Layer cache | Local cache directory | Scalable Cloud cache |
+
+## Advanced scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Malware scanning | - | Scan container images for malware |
+| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
+| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
+
+## Policy and enforcement
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
+| CI/CD policies | Can fail the entire build on any finding | Granular policies to fail builds based on custom criteria |
+| Container engine | - | Block incompliant images from running at container engine level |
+| Block vulnerable packages | - | vShield – monitor and block usage of vulnerable packages |
+
+## Secrets scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Detected patterns | Basic patterns | Advanced patterns |
+| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
+
+## IaC/CSPM scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/check/builtin/) | In addition, Build Pipeline configuration scanning |
+| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
+| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
+| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
+| Custom compliance | Create in YAML | Create in a web UI |
+| Remediation advice | Basic | AI powered specialized remediation guides |
+
+## Kubernetes scanning
+
+| Feature | Trivy OSS | Aqua |
+| --- | --- | --- |
+Scan initiation | CLI / Kubernetes Operator | Kubernetes Operator / Management web application |
+Results consumption | kubectl / CRD / Prometheus exporter | In addition, Advanced UI dashboards, Automatic notifications and incident management flows |
+Cluster discovery | Kubeconfig | Automatic discovery thorough cloud onboarding |
+Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
+| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
+| Scope |  Single cluster | Multi cluster, Cloud relationship |
+| Scalability | Reports limited by in-cluster etcd storage (size and number of reports) | Cloud-based storage (unlimited scalability) |

docs/commercial/contact.md

@@ -0,0 +1,17 @@
+<style>
+    .md-content .md-content__inner a, h1 {
+        display:none;
+    }
+    input.hs-input, textarea.hs-input {
+        border: silver solid 1px !important;
+        font-size: 0.8em;
+        padding: 5px;
+    }
+</style>
+<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
+<script>
+  hbspt.forms.create({
+    portalId: "1665891",
+    formId: "a1d0c098-3b3a-40d8-afb4-e04ddb697afe"
+  });
+</script>

docs/community/contribute/checks/overview.md

@@ -80,7 +80,7 @@ The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `bu
 
 ## Generating an ID
 
-Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 
+Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID. 
 
 Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule. 
 

docs/community/contribute/checks/service-support.md

@@ -57,7 +57,7 @@ type AWS struct {
 
 ### Update Adapters
 
-Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
+Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
 
 Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)
 

docs/community/contribute/discussion.md

@@ -24,7 +24,7 @@ There are 4 categories:
     If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
 
 ## False detection
-Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
+Trivy depends on [multiple data sources](https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources).
 Sometime these databases contain mistakes.
 
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:

docs/community/contribute/pr.md

@@ -54,6 +54,21 @@ Your PR must pass all the integration tests. You can test it as below.
 $ mage test:integration
 ```
 
+### Protocol Buffers
+If you update protobuf files (`.proto`), you need to regenerate the Go code:
+
+```shell
+$ mage protoc:generate
+```
+
+You can also format and lint protobuf files:
+
+```shell
+$ mage protoc:fmt     # Format protobuf files
+$ mage protoc:lint    # Lint protobuf files
+$ mage protoc:breaking # Check for breaking changes against main branch
+```
+
 ### Documentation
 If you update CLI flags, you need to generate the CLI references.
 The test will fail if they are not up-to-date.

docs/community/maintainer/pr-review.md

@@ -0,0 +1,24 @@
+# Pull Request Review Policy
+
+This document outlines the review policy for pull requests in the Trivy project.
+
+## Core Principles
+
+### 1. All Changes Through Pull Requests
+All changes to the `main` branch must be made through pull requests.
+Direct commits to `main` are not allowed.
+
+### 2. Required Approvals
+Every pull request requires approval from at least one CODEOWNER before merging.
+
+For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required.
+
+When a pull request is created by the only code owner of a domain, approval from any other maintainer is required.
+
+When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval.
+This prevents accidental merging by the PR author.
+
+### 3. Merge Responsibility
+- **General Rule**: The pull request author should click the merge button after receiving required approvals
+- **Exception**: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly
+- **External Contributors**: Pull requests from external contributors should be merged by a CODEOWNER

docs/community/maintainer/release-flow.md

@@ -12,6 +12,11 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
     Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
     To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
 
+!!! tip
+    It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review.
+    They can be found in the "Security" tab of the repository.
+    If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
+
 ## Flow
 The release flow consists of the following main steps:
 
@@ -74,10 +79,20 @@ Replace URLs with appropriate ones.
 
 Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
 
+### Merging the auto-generated Helm chart update PR
+Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen [here](https://github.com/aquasecurity/trivy/pull/8638).
+
+> [!NOTE]  
+> It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image.
+> In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
+
+If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
+
+
+The release is now complete 🍻
 
-The release is now complete.
 
 [conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
-[release-please]: https://github.com/googleapis/release-please 
+[release-please]: https://github.com/googleapis/release-please
 [goreleaser]: https://goreleaser.com/
-[workflows]: https://github.com/aquasecurity/trivy/tree/main/.github/workflows
+[workflows]: https://github.com/aquasecurity/trivy/tree/main/.github/workflows

docs/community/principles.md

@@ -48,6 +48,6 @@ As mentioned in [the Core Principles](#detecting-unintended-states), detection o
 ### User Interface
 Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
 
-[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[trivy-aqua]: ../commercial/compare.md
 [tracee]: https://github.com/aquasecurity/tracee
 [aqua]: https://www.aquasec.com/

docs/docs/advanced/air-gap.md

@@ -10,7 +10,7 @@ External Resource | Feature | Details
 Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
 Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
 Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
-VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
+VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo.md)
 Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
 
 !!! note
@@ -75,3 +75,8 @@ Trivy might attempt to connect (over HTTPS) to the following URLs:
 ### Offline mode
 
 There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
+
+## Check updates service
+
+Trivy [checks for updates](../configuration/others.md#check-for-updates) and [collects usage telemetry](../advanced/telemetry.md) by connecting to the following domain: `https://check.trivy.dev`.
+Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.

docs/docs/advanced/container/unpacked-filesystem.md

@@ -113,4 +113,4 @@ Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
 +--------------+------------------+----------+-------------------+---------------+---------------------------------------+
 ```
 
-</details>
+</details>

docs/docs/advanced/modules.md

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
 
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
-  - It supports only [TinyGo][tinygo] at the moment.
+  - It supports only Go at the moment.
 
 You can write your own detection logic.
 
@@ -47,8 +47,8 @@ Trivy adheres to the XDG specification, so the location depends on whether XDG_D
 Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
 The preference order is as follows:
 
-- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
-- $HOME/.trivy/plugins
+- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/modules
 
 For example, to download the WebAssembly module, you can execute the following command:
 
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 
 ## Building Modules
-It supports TinyGo only at the moment.
+It supports Go only at the moment.
 
-### TinyGo
+### Go
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
 
@@ -113,7 +113,7 @@ type Analyzer interface {
 
 type PostScanner interface {
     PostScanSpec() serialize.PostScanSpec
-    PostScan(serialize.Results) (serialize.Results, error)
+    PostScan(types.Results) (types.Results, error)
 }
 ```
 
@@ -137,11 +137,22 @@ $ go mod init github.com/aquasecurity/trivy-module-wordpress
 ```go
 package main
 
+import (
+    "github.com/aquasecurity/trivy/pkg/module/wasm"
+)
+
 const (
     version = 1
     name = "wordpress-module"
 )
 
+// main is required for Go to compile the Wasm module
+func main() {}  
+
+func init() {
+	wasm.RegisterModule(WordpressModule{})
+}
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
@@ -203,7 +214,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
     }
 	
     return &serialize.AnalysisResult{
-        CustomResources: []serialize.CustomResource{
+        CustomResources: []ftypes.CustomResource{
             {
                 Type:     typeWPVersion,
                 FilePath: filePath,
@@ -246,7 +257,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
     }
 }
 
-func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
     // e.g. results
     // [
     //   {
@@ -288,7 +299,7 @@ func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, e
 
     if vulnerable {
         // Add CVE-2020-36326
-        results = append(results, serialize.Result{
+        results = append(results, types.Result{
             Target: wpPath,
             Class:  types.ClassLangPkg,
 			Type:   "wordpress",
@@ -318,10 +329,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.
 
 #### Build
-Follow [the install guide][tinygo-installation] and install TinyGo.
+Follow [the install guide][go-installation] and install Go.
 
 ```bash
-$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
 ```
 
 Put the built binary to the module directory that is under the home directory by default.
@@ -347,12 +358,11 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 
 [regexp]: https://github.com/google/re2/wiki/Syntax
 
-[tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero
 
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 
-[tinygo-installation]: https://tinygo.org/getting-started/install/
+[go-installation]: https://go.dev/doc/install
 [oras]: https://oras.land/cli/

docs/docs/advanced/self-hosting.md

@@ -14,7 +14,7 @@ To host these databases in your own infrastructure:
 
 ### Make a local copy
 
-Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
+Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md), [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
 
 !!! note
     You will need to keep the databases updated in order to maintain relevant scanning results over time.
@@ -123,10 +123,10 @@ To make a copy of VEX Hub in a location that is accessible to Trivy.
 
 To configure Trivy to use the local VEX Repository:
 
-1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo.md#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
 1. Disable the default VEX Hub repo (`enabled: false`)
-1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo.md#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
 
 ### Authentication
 
-If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo.md#authentication).

docs/docs/advanced/telemetry-flags.md

@@ -0,0 +1,41 @@
+```
+--clear-cache
+--debug
+--dependency-tree
+--detection-priority
+--distro
+--exit-code
+--exit-on-eol
+--format
+--ignore-status
+--ignore-unfixed
+--image-config-scanners
+--include-deprecated-checks
+--include-dev-deps
+--include-non-failures
+--insecure
+--license-full
+--list-all-pkgs
+--misconfig-scanners
+--offline-scan
+--parallel
+--password-stdin
+--pkg-relationships
+--pkg-types
+--quiet
+--redis-tls
+--removed-pkgs
+--report
+--scanners
+--severity
+--show-suppressed
+--skip-check-update
+--skip-version-check
+--skip-vex-repo-update
+--slow
+--tf-exclude-downloaded-modules
+--timeout
+--trace-http
+--trace-rego
+--vuln-severity-source
+```

docs/docs/advanced/telemetry.md

@@ -0,0 +1,39 @@
+# Usage Telemetry
+
+Trivy collects anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
+
+## Data collected
+
+The following information could be collected:
+
+- Environmental information:
+    - Installation identifier
+    - Trivy version
+    - Operating system
+- Scan:
+    - Non-revealing scan options (see below for comprehensive list)
+
+### Captured scan options
+The following flags will be included with their value:
+
+--8<-- "./docs/docs/advanced/telemetry-flags.md"
+
+
+## Privacy
+
+No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:
+
+- Installation identifier: one-way hash of machine fingerprint, resulting in opaque ID.
+- Scan: any option that is user-controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
+
+Trivy is an Aqua Security product and adheres to the company's privacy policy: <https://aquasec.com/privacy>.
+
+## Disabling telemetry
+
+You can disable telemetry altogether using the `--disable-telemetry` flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see [here](../configuration/index.md).
+
+For example:
+
+```bash
+trivy image --disable-telemetry alpine
+```

docs/docs/compliance/compliance.md

@@ -35,7 +35,6 @@ For the list of built-in compliance reports, please see the relevant section:
 
 - [Docker compliance](../target/container_image.md#compliance)
 - [Kubernetes compliance](../target/kubernetes.md#compliance)
-- [AWS compliance](../target/aws.md#compliance)
 
 ## Contribute a Built-in Compliance Report
 
@@ -166,7 +165,7 @@ Example of how to define command data under [commands folder](https://github.com
   title: kubelet.conf file permissions
   nodeType: worker
   audit: stat -c %a $kubelet.kubeconfig
-  platfroms:
+  platforms:
     - k8s
     - aks
 ```
@@ -181,7 +180,7 @@ make command-id
 
 #### Command Key
 
-- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
+- Re-use an existing key or specify a new one (make sure key name has no spaces)
 
 Note: The key value should match the key name evaluated by the Rego check.
 
@@ -198,7 +197,7 @@ Specify the node type on which the command is supposed to run.
 
 ### Command Audit
 
-Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
+Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)
 
 ### Command Platforms
 

docs/docs/compliance/contrib-compliance.md

@@ -56,7 +56,7 @@ Thus, we can use the information already present:
 ```
 
 - The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
-- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
+- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`
 
 
 #### 2. Referencing a check manually that is not part of the Trivy default checks

docs/docs/configuration/cache.md

@@ -51,9 +51,7 @@ It supports three types of backends for this cache:
     - TTL can be configured via `--cache-ttl`
 
 ### Local File System
-The local file system backend is the default choice for container and VM image scans.
-When scanning container images, it stores analysis results on a per-layer basis, using layer IDs as keys.
-This approach enables faster scans of the same container image or different images that share layers.
+The local file system backend is the default choice for container image, VM image and repository scans.
 
 !!! note
     Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
@@ -63,7 +61,7 @@ This approach enables faster scans of the same container image or different imag
 ### Memory
 The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
 This makes it useful in scenarios where caching is not required or desired.
-It serves as the default for repository, filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
+It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
 
 To use the memory backend for a container image scan, you can use the following command:
 
@@ -98,11 +96,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
   --redis-key /path/to/key.pem
 ```
 
-[trivy-db]: ./db.md#vulnerability-database
-[trivy-java-db]: ./db.md#java-index-database
+[trivy-db]: ./db.md
+[trivy-java-db]: ./db.md
 [misconf-checks]: ../scanner/misconfiguration/check/builtin.md
 [boltdb]: https://github.com/etcd-io/bbolt
-[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
+[parallel-run]: https://trivy.dev/{{ git.tag}}/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
 
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files

docs/docs/configuration/filtering.md

@@ -394,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
 2023-08-31T11:10:27.155+0600	INFO	Vulnerability scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	Secret scanning is enabled
 2023-08-31T11:10:27.155+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
-2023-08-31T11:10:27.155+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
+2023-08-31T11:10:27.155+0600	INFO	Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
 2023-08-31T11:10:29.164+0600	INFO	Detected OS: alpine
 2023-08-31T11:10:29.164+0600	INFO	Detecting Alpine vulnerabilities...
 2023-08-31T11:10:29.169+0600	INFO	Number of language-specific files: 1

docs/docs/configuration/others.md

@@ -117,3 +117,57 @@ The following example will fail when a critical vulnerability is found or the OS
 ```
 $ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
 ```
+
+## Mirror Registries
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports mirrors for [remote container images](../target/container_image.md#container-registry) and [databases](./db.md).
+
+To configure them, add a list of mirrors along with the host to the [trivy config file](../references/configuration/config-file.md#registry-options).
+
+!!! note
+    Use the `index.docker.io` host for images from `Docker Hub`, even if you don't use that prefix.
+
+Example for `index.docker.io`:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.gcr.io
+```
+
+### Registry check procedure
+Trivy uses the following registry order to get the image:
+
+- mirrors in the same order as they are specified in the configuration file
+- source registry
+
+In cases where we can't get the image from the mirror registry (e.g. when authentication fails, image doesn't exist, etc.) - Trivy will check other mirrors (or the source registry if all mirrors have already been checked).
+
+Example:
+```yaml
+registry:
+  mirrors:
+    index.docker.io:
+     - mirror.with.bad.auth // We don't have credentials for this registry
+     - mirror.without.image // Registry doesn't have this image
+```
+
+When we want to get the image `alpine` with the settings above. The logic will be as follows:
+
+1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
+2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
+3. Get the image from `index.docker.io` (the original registry).
+
+## Check for updates
+
+Trivy periodically checks for updates and notices, and displays a message to the user with recommendations.  
+Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message.  
+You can disable updates checking by specifying the `--skip-version-check` flag.
+
+## Telemetry
+
+Trivy collected usage data for product improvement. More details in the [Telemetry document](../advanced/telemetry.md).
+You can disable telemetry collection using the `--disable-telemetry` flag.

docs/docs/configuration/reporting.md

@@ -19,9 +19,157 @@ Trivy supports the following formats:
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
+```bash
+$ trivy image -f table golang:1.22.11-alpine3.20
 ```
-$ trivy image -f table golang:1.12-alpine
+
+<details>
+<summary>Result</summary>
+
 ```
+...
+
+Report Summary
+
+┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
+│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ golang:1.22.11-alpine3.20 (alpine 3.20.5)   │  alpine  │        6        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/bin/go                         │ gobinary │        1        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+...
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/pkg/tool/linux_amd64/vet       │ gobinary │        1        │    -    │
+└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
+golang:1.22.11-alpine3.20 (alpine 3.20.5)
+
+Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+
+┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
+├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ libcrypto3 │ CVE-2024-12797 │ HIGH     │ fixed  │ 3.3.2-r1          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│ libssl3    │ CVE-2024-12797 │ HIGH     │        │                   │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers    │
+│            │                │          │        │                   │               │ don't abort as expected                                     │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                  │
+│            ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r2      │ openssl: Timing side-channel in ECDSA signature computation │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                  │
+├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r0          │ 1.2.5-r1      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an          │
+│            │                │          │        │                   │               │ out-of-bounds write ......                                  │
+│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                  │
+├────────────┤                │          │        │                   │               │                                                             │
+│ musl-utils │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+│            │                │          │        │                   │               │                                                             │
+└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+...
+```
+
+</details>
+
+#### Table mode
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports the following modes for `table` format:
+
+|             Mode             | Enabled by default |
+|:----------------------------:|:-----------------:|
+|  [summary](#summary-table)   |       ✓[^1]       |
+| [detailed](#detailed-tables) |         ✓         |
+
+You can use `--table-mode` flag to enable/disable table mode(s). 
+
+
+##### Summary table
+Summary table contains general information about the scan performed.
+
+Nuances of table contents:
+
+- Table includes columns for enabled [scanners](../references/terminology.md#scanner) only. Use `--scanners` flag to enable/disable scanners.
+- Table includes separate lines for the same targets but different scanners.
+    - `-` means that the scanner didn't scan this target.
+    - `0` means that the scanner scanned this target, but found no security issues.
+
+!!! Note
+    For the secret/license scanner, the Trivy report contains only findings.
+    Therefore, we can’t say for sure whether Trivy scanned at least one file or simply didn’t find any findings.
+    That’s why, for these scanners, the summary table uses “-” if no findings are found.
+
+<details>
+<summary>Report Summary</summary>
+
+```
+┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
+│        Target         │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ test (alpine 3.20.3)  │   alpine   │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │    jar     │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/Dockerfile        │ dockerfile │        -        │         2         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        0        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        -        │         -         │    1    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ OS Packages           │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │     -      │        -        │         -         │    -    │    0     │
+└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
+```
+
+</details>
+
+##### Detailed tables
+Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
+
+<details>
+<summary>Detailed tables</summary>
+
+```
+
+usr/local/go/bin/go (gobinary)
+
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
+┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
+├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
+│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
+│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
+│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
+└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
+
+```
+</details>
 
 #### Show origins of vulnerable dependencies
 
@@ -58,6 +206,7 @@ The following languages are currently supported:
 |          | [yarn.lock][yarn-lock]                     |
 | .NET     | [packages.lock.json][dotnet-packages-lock] |
 | Python   | [poetry.lock][poetry-lock]                 |
+|          | [uv.lock][uv-lock]                         |
 | Ruby     | [Gemfile.lock][gemfile-lock]               |
 | Rust     | [cargo-auditable binaries][cargo-binaries] |
 | Go       | [go.mod][go-mod]                           |
@@ -120,124 +269,183 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 |     License      |     ✓     |
 
 ```
-$ trivy image -f json -o results.json golang:1.12-alpine
+$ trivy image -f json -o results.json alpine:latest
 ```
 
-<details>
-<summary>Result</summary>
-
-```
-2019-05-16T01:46:31.777+0900    INFO    Updating vulnerability database...
-2019-05-16T01:47:03.007+0900    INFO    Detecting Alpine vulnerabilities...
-```
-
-</details>
-
 <details>
 <summary>JSON</summary>
 
 ```
-[
-  {
-    "Target": "php-app/composer.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "node-app/package-lock.json",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16487",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "\u003e=4.17.11",
-        "Title": "lodash: Prototype pollution in utilities function",
-        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2024-12-26T21:58:15.943876+05:30",
+  "ArtifactName": "alpine:latest",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.20.3"
+    },
+    "ImageID": "sha256:511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450",
+    "DiffIDs": [
+      "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+    ],
+    "RepoTags": [
+      "alpine:latest"
+    ],
+    "RepoDigests": [
+      "alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a"
+    ],
+    "ImageConfig": {
+      "architecture": "arm64",
+      "created": "2024-09-06T12:05:36Z",
+      "history": [
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "ADD alpine-minirootfs-3.20.3-aarch64.tar.gz / # buildkit",
+          "comment": "buildkit.dockerfile.v0"
+        },
+        {
+          "created": "2024-09-06T12:05:36Z",
+          "created_by": "CMD [\"/bin/sh\"]",
+          "comment": "buildkit.dockerfile.v0",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
         ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "WorkingDir": "/",
+        "ArgsEscaped": true
       }
-    ]
+    }
   },
-  {
-    "Target": "trivy-ci-test (alpine 3.7.1)",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2018-16840",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
-        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2019-3822",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r2",
-        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
-        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
-        "Severity": "HIGH",
-        "References": [
-          "https://curl.haxx.se/docs/CVE-2019-3822.html",
-          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-16839",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.0-r0",
-        "FixedVersion": "7.61.1-r1",
-        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
-        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
-        "Severity": "HIGH",
-        "References": [
-          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-19486",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
-        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
-        "Severity": "HIGH",
-        "References": [
-          "https://usn.ubuntu.com/3829-1/",
-        ]
-      },
-      {
-        "VulnerabilityID": "CVE-2018-17456",
-        "PkgName": "git",
-        "InstalledVersion": "2.15.2-r0",
-        "FixedVersion": "2.15.3-r0",
-        "Title": "git: arbitrary code execution via .gitmodules",
-        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
-        "Severity": "HIGH",
-        "References": [
-          "http://www.securitytracker.com/id/1041811",
-        ]
-      }
-    ]
-  },
-  {
-    "Target": "python-app/Pipfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "ruby-app/Gemfile.lock",
-    "Vulnerabilities": null
-  },
-  {
-    "Target": "rust-app/Cargo.lock",
-    "Vulnerabilities": null
-  }
-]
+  "Results": [
+    {
+      "Target": "alpine:latest (alpine 3.20.3)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libcrypto3@3.3.2-r0",
+          "PkgName": "libcrypto3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "f705555b49cd2259"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2024-9143",
+          "PkgID": "libssl3@3.3.2-r0",
+          "PkgName": "libssl3",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl3@3.3.2-r0?arch=aarch64\u0026distro=3.20.3",
+            "UID": "c4a39ef718e71832"
+          },
+          "InstalledVersion": "3.3.2-r0",
+          "FixedVersion": "3.3.2-r1",
+          "Status": "fixed",
+          "Layer": {
+            "DiffID": "sha256:651d9022c23486dfbd396c13db293af6845731cbd098a5f5606db4bc9f5573e8"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-9143",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access",
+          "Description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates.  Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds.  Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "VendorSeverity": {
+            "amazon": 3,
+            "redhat": 1,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2024-9143",
+            "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712",
+            "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700",
+            "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4",
+            "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154",
+            "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a",
+            "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41",
+            "https://nvd.nist.gov/vuln/detail/CVE-2024-9143",
+            "https://openssl-library.org/news/secadv/20241016.txt",
+            "https://www.cve.org/CVERecord?id=CVE-2024-9143"
+          ],
+          "PublishedDate": "2024-10-16T17:15:18.13Z",
+          "LastModifiedDate": "2024-11-08T16:35:21.58Z"
+        }
+      ]
+    }
+  ]
+}
+
 ```
 
 </details>
@@ -339,8 +547,8 @@ If Trivy is installed using rpm then default templates can be found at `/usr/loc
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
+|      Secret      |     ✓     |
+|     License      |     ✓     |
 
 In the following example using the template `junit.tpl` XML can be generated.
 ```
@@ -409,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
 
 ```shell
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 $ trivy convert --format cyclonedx --output result.cdx result.json
 ```
 
-!!! note
-    Please note that if you want to convert to a format that requires a list of packages, 
-    such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
-
 [Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
 
 ```shell
 # Output all severities in JSON
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 
 # Output only critical issues in table format
 $ trivy convert --format table --severity CRITICAL result.json
@@ -449,6 +653,7 @@ $ trivy convert --format table --severity CRITICAL result.json
 [yarn-lock]: ../coverage/language/nodejs.md#yarn
 [dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
 [poetry-lock]: ../coverage/language/python.md#poetry
+[uv-lock]: ../coverage/language/python.md#uv
 [gemfile-lock]: ../coverage/language/ruby.md#bundler
 [go-mod]: ../coverage/language/golang.md#go-module
 [composer-lock]: ../coverage/language/php.md#composerlock
@@ -457,3 +662,5 @@ $ trivy convert --format table --severity CRITICAL result.json
 [sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries
+
+[^1]: To show summary table in `convert` mode - you need to enable the scanners used during JSON report generation.

docs/docs/configuration/skipping.md

@@ -1,8 +1,22 @@
-# Skipping Files and Directories
+# Selecting files for scanning
 
-This section details ways to specify the files and directories that Trivy should not scan.
+When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and looks for known files to scan. For example, vulnerability scanner might look for `/lib/apk/db/installed` for Alpine APK scanning or `requirements.txt` file for Python pip scanning, and misconfiguration scanner might look for `Dockerfile` for Dockerfile scanning. This document explains how to control which files Trivy looks (including skipping files) for and how it should process them.
+
+!!! note
+    Selecting/skipping files is different from filtering/ignoring results, which is covered in the [Filtering document](./filtering.md)
+
+## Skip Files and Directories
+
+You can skip specific files and directories using the `--skip-files` and `--skip-dirs` flags.
+
+For example:
+
+```bash
+trivy image --skip-files "/Gemfile.lock" --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
+```
+
+This feature is relevant for the following scanners:
 
-## Skip Files
 |     Scanner      | Supported |
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
@@ -10,89 +24,58 @@ This section details ways to specify the files and directories that Trivy should
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
-By default, Trivy traverses directories and searches for all necessary files for scanning.
-You can skip files that you don't maintain using the `--skip-files` flag, or the equivalent Trivy YAML config option.
+It's possible to specify glob patterns when referring to a file or directory. The glob expression follows the ["doublestar" library syntax](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.8.1#readme-patterns).
+
+Examples:
 
-Using the `--skip-files` flag:
 ```bash
-$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
+# skip any file named `bar` in the subdirectories of testdata
+trivy image --skip-files "./testdata/*/bar" .
 ```
 
-Using the Trivy YAML configuration:
+```bash
+# skip any files with the extension `.tf` in subdirectories of foo at any depth
+trivy config --skip-files "./foo/**/*.tf" .
+```
+
+```bash
+# skip all subdirectories of the testdata directory.
+trivy image --skip-dirs "./testdata/*" .
+```
+
+```bash
+# skip subdirectories at any depth named `.terraform/`. 
+# this will match `./foo/.terraform` or `./foo/bar/.terraform`, but not `./.terraform`
+trivy config --skip-dirs "**/.terraform" .
+```
+
+Like any other flag, this is available as Trivy YAML configuration.
+
+For example:
+
 ```yaml
 image:
   skip-files:
     - foo
     - "testdata/*/bar"
-```
-
-It's possible to specify globs as part of the value.
-
-```bash
-$ trivy image --skip-files "./testdata/*/bar" .
-```
-
-This will skip any file named `bar` in the subdirectories of testdata.
-
-```bash
-$ trivy config --skip-files "./foo/**/*.tf" .
-```
-
-This will skip any files with the extension `.tf` in subdirectories of foo at any depth.
-
-## Skip Directories
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |     ✓     |
-|      Secret      |     ✓     |
-|     License      |     ✓     |
-
-By default, Trivy traverses directories and searches for all necessary files for scanning.
-You can skip directories that you don't maintain using the `--skip-dirs` flag, or the equivalent Trivy YAML config option.
-
-Using the `--skip-dirs` flag:
-```bash
-$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
-```
-
-Using the Trivy YAML configuration:
-```yaml
-image:
   skip-dirs:
     - foo/bar/
     - "**/.terraform"
 ```
 
-It's possible to specify globs as part of the value.
+## Customizing file handling
+
+You can customize which files Trivy scans and how it interprets them with the `--file-patterns` flag.
+A file pattern configuration takes the following form: `<analyzer>:<path>`, such that files matching the `<path>` will be processed with the respective `<analyzer>`.
+
+For example:
 
 ```bash
-$ trivy image --skip-dirs "./testdata/*" .
+trivy fs --file-patterns "pip:.requirements-test.txt ."
 ```
 
-This will skip all subdirectories of the testdata directory.
+This feature is relevant for the following scanners:
 
-```bash
-$ trivy config --skip-dirs "**/.terraform" .
-```
-
-This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
-`./foo/bar/.terraform`, but not `./.terraform`.)
-
-!!! tip
-    Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
-
-
-### Advanced globbing
-Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
-
-```bash
-$ trivy image --skip-files "**/foo" image:tag
-```
-
-This will skip the file `foo` that happens to be nested under any parent(s). 
-
-## File patterns
 |     Scanner      | Supported |
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
@@ -100,20 +83,27 @@ This will skip the file `foo` that happens to be nested under any parent(s).
 |      Secret      |           |
 |     License      |   ✓[^1]   |
 
-When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
-The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
+The list of analyzers can be found [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go).
+Note that this flag is not applicable for parsers that accepts files of different extensions, for example the Terraform file parser which handles .tf and .tf.json files.
 
-In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
-For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
 
-This can be repeated for specifying multiple file patterns.
+The file path can use a [regular expression](https://pkg.go.dev/regexp/syntax). For example:
 
-A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
-```
---file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"
+```bash
+# interpret any file with .txt extension as a python pip requirements file
+trivy fs --file-patterns "pip:requirements-.*\.txt .
 ```
 
-The prefixes are listed [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go)
+The flag can be repeated for specifying multiple file patterns. For example:
 
+```bash
+# look for Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
+trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt ."
+```
 
-[^1]: Only work with the [license-full](../scanner/license.md) flag)
+[^1]: Only work with the [license-full](../scanner/license.md) flag
+
+## Avoid full filesystem traversal
+
+In specific scenarios Trivy can avoid traversing the entire filesystem, which makes scanning faster and more efficient.
+For more information see [here](../target/rootfs.md#performance-optimization)

docs/docs/coverage/iac/index.md

@@ -22,4 +22,4 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md
-[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations
+[json-and-yaml]: ../../scanner/misconfiguration/config/config.md#scan-arbitrary-json-and-yaml-configurations

docs/docs/coverage/language/c.md

@@ -31,5 +31,5 @@ To correctly detection licenses, ensure that the cache directory contains all de
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
 [^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
-[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
+[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#customizing-file-handling).
 [^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree

docs/docs/coverage/language/elixir.md

@@ -24,4 +24,4 @@ In order to detect dependencies, Trivy searches for `mix.lock`[^1].
 [hex]: https://hex.pm/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
-[^1]: `mix.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^1]: `mix.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#customizing-file-handling)

docs/docs/coverage/language/golang.md

@@ -82,8 +82,9 @@ It possibly produces false positives.
 See [the caveat](#stdlib-vulnerabilities) for details.
 
 ### License
-To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
-Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
+To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, `go mod vendor`, etc.
+If the `vendor` directory exists, Trivy uses this directory when scanning for license files.
+For other cases Trivy traverses `$GOPATH/pkg/mod`dir and collects those extra information.
 
 ### Dependency Graph
 Same as licenses, you need to download modules to local cache beforehand.
@@ -100,7 +101,7 @@ $ trivy rootfs ./your_binary
     It doesn't work with UPX-compressed binaries.
 
 ### Main Module
-Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
+Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefore are detected by Trivy.
 In other cases, Go uses the `(devel)` version[^2].
 In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
 If unsuccessful, the version will be empty[^3].

docs/docs/coverage/language/index.md

@@ -22,6 +22,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | poetry.lock                                                                                |     -     |     -      |       ✅        |       ✅        |
+|                      | uv.lock                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | requirements.txt                                                                           |     -     |     -      |       ✅        |       ✅        |
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |
@@ -30,6 +31,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |       ✅        |
 |                      | yarn.lock                                                                                  |     -     |     -      |       ✅        |       ✅        |
 |                      | pnpm-lock.yaml                                                                             |     -     |     -      |       ✅        |       ✅        |
+|                      | bun.lock                                                                                   |     -     |     -      |       ✅        |       ✅        |
 |                      | package.json                                                                               |     ✅     |     ✅      |       -        |       -        |
 | [.NET](dotnet.md)    | packages.lock.json                                                                         |     ✅     |     ✅      |       ✅        |       ✅        |
 |                      | packages.config                                                                            |     ✅     |     ✅      |       ✅        |       ✅        |
@@ -59,11 +61,11 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [license]: ../../scanner/license.md
 
 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
-[^2]: `.dist-info/META-DATA`
+[^2]: `.dist-info/METADATA`
 [^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
 [^4]: ✅ means "enabled" and `-` means "disabled" in the image scanning
 [^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
-[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#customizing-file-handling)
 [^9]: `Directory.Packages.props` and  legacy `Packages.props` file names are supported

docs/docs/coverage/language/java.md

@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |                Not needed                |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |                    -                     |
-| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |                Not needed                |
-| *.sbt.lock       |           -           |     Exclude      |                  -                   |    ✓     |                Not needed                |
+| Artifact         |    Internet access    |    Dev dependencies    | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|------------------|:---------------------:|:----------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |        Include         |                  -                   |    -     |                Not needed                |
+| pom.xml          | Maven repository [^1] |        Exclude         |                  ✓                   |  ✓[^7]   |                    -                     |
+| *gradle.lockfile |           -           | [Exclude](#gradlelock) |                  ✓                   |    ✓     |                Not needed                |
+| *.sbt.lock       |           -           |        Exclude         |                  -                   |    ✓     |                Not needed                |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -96,6 +96,9 @@ If you need to show them, use the `--include-dev-deps` flag.
 !!!note
     All necessary files are checked locally. Gradle file scanning doesn't require internet access.
 
+By default, Trivy doesn't report development dependencies. 
+Use the `--include-dev-deps` flag to include them in the results.
+
 ### Dependency-tree
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
@@ -105,7 +108,7 @@ But there is no reliable way to determine direct dependencies (even using other
 Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
 
 ### Licenses
-Trity also can detect licenses for dependencies.
+Trivy also can detect licenses for dependencies.
 
 Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 

docs/docs/coverage/language/nodejs.md

@@ -18,7 +18,7 @@ The following table provides an outline of the features Trivy offers.
 |       npm       | package-lock.json |            ✓            |         [Excluded](#npm)          |                  ✓                   |    ✓     |
 |      Yarn       | yarn.lock         |            ✓            |         [Excluded](#yarn)         |                  ✓                   |    ✓     |
 |      pnpm       | pnpm-lock.yaml    |            ✓            | [Excluded](#lock-file-v9-version) |                  ✓                   |    -     |
-|       Bun       | yarn.lock         |            ✓            |         [Excluded](#yarn)         |                  ✓                   |    ✓     |
+|       Bun       | bun.lock          |            ✓            |         [Excluded](#bun)          |                  ✓                   |    ✓     |
 
 In addition, Trivy scans installed packages with `package.json`.
 
@@ -43,14 +43,26 @@ Trivy analyzes `node_modules` for licenses.
 By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
 
 ### Yarn
-Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
-Trivy also uses `package.json` file to handle [aliases](https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias).
+Trivy parses `yarn.lock`.
 
-To exclude devDependencies and allow aliases, `package.json` also needs to be present next to `yarn.lock`.
+Trivy also analyzes additional files to gather more information about the detected dependencies.
 
-Trivy analyzes `.yarn` (Yarn 2+) or `node_modules` (Yarn Classic) folder next to the yarn.lock file to detect licenses.
+- package.json
+- node_modules/**
 
-By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+#### Package relationships
+`yarn.lock` files don't contain information about package relationships, such as direct or indirect dependencies.
+To enrich this information, Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.
+
+By default, Trivy doesn't report development dependencies.
+Use the `--include-dev-deps` flag to include them in the results.
+
+#### Development dependencies
+`yarn.lock` files don't contain information about package groups, such as production and development dependencies.
+To identify dev dependencies and support [aliases][yarn-aliases], Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.
+
+#### Licenses
+Trivy analyzes the `.yarn` directory (for Yarn 2+) or the `node_modules` directory (for Yarn Classic) located next to the `yarn.lock` file to detect licenses.
 
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
@@ -60,7 +72,13 @@ To identify licenses, you need to download dependencies to `node_modules` before
 Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
 
 ### Bun
-Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
+Trivy also supports scanning `bun.lock` file generated by [Bun](https://bun.sh/blog/bun-lock-text-lockfile). 
+You can use Bun v1.2 which uses this file as default or use `bun install --save-text-lockfile` in Bun v1.1.39 to generate it.
+
+For previous Bun versions you can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan it with Trivy.
+
+#### Development dependencies
+`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
 
 !!! note
     `bun.lockb` is not supported.
@@ -74,5 +92,6 @@ It only extracts package names, versions and licenses for those packages.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
+[yarn-aliases]: https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias
 
 [^1]: [yarn.lock](#bun) must be generated

docs/docs/coverage/language/python.md

@@ -8,6 +8,7 @@ The following scanners are supported for package managers.
 | pip             |  ✓   |       ✓       |    ✓    |
 | Pipenv          |  ✓   |       ✓       |    -    |
 | Poetry          |  ✓   |       ✓       |    -    |
+| uv              |  ✓   |       ✓       |    -    |
 
 In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
 The following scanners are supported for Python packages.
@@ -25,7 +26,8 @@ The following table provides an outline of the features Trivy offers.
 |-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
 | pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
-| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |
+| Poetry          | poetry.lock      |            ✓            |     [Exclude](#poetry)      |                  ✓                   |    -     |                Not needed                |
+| uv              | uv.lock          |            ✓            |     [Exclude](#uv)      |                  ✓                   |    -     |                Not needed                |          |
 
 
 | Packaging | Dependency graph |
@@ -52,7 +54,8 @@ keyring >= 4.1.1            # Minimum version 4.1.1
 Mopidy-Dirble ~= 1.1        # Minimum version 1.1
 python-gitlab==2.0.*        # Minimum version 2.0.0
 ```
-Also, there is a way to convert unsupported version specifiers - use the `pip  freeze` command.
+Also, there is a way to convert unsupported version specifiers - use either the `pip-compile` tool (which doesn't install the packages)
+or call `pip freeze` from the virtual environment where the requirements are already installed.
 
 ```bash
 $ cat requirements.txt 
@@ -79,7 +82,8 @@ wheel==0.42.0
 `requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
 Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
 
-To detect transitive dependencies as well, you need to generate `requirements.txt` with `pip freeze`.
+To detect transitive dependencies as well, you need to generate `requirements.txt` that contains them.
+Like described above, tou can do it with `pip freeze` or `pip-compile`.
 
 ```zsh
 $ cat requirements.txt # it will only find `requests@2.28.2`.
@@ -126,15 +130,25 @@ To build the correct dependency graph, `pyproject.toml` also needs to be present
 
 License detection is not supported for `Poetry`.
 
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
+
+### uv
+Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
+
+License detection is not supported for `uv`.
+
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
 ## Packaging
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
 
 ### Egg
-Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
+Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
 
 ### Wheel
-Trivy looks for `.dist-info/META-DATA` to identify Python packages.
+Trivy looks for `.dist-info/METADATA` to identify Python packages.
 
 [^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.
 

docs/docs/coverage/language/ruby.md

@@ -1,7 +1,7 @@
 # Ruby
 
 Trivy supports [Bundler][bundler] and [RubyGems][rubygems].
-The following scanners are supported for Cargo.
+The following scanners are supported for Bundler and RubyGems.
 
 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|

docs/docs/coverage/os/alma.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.

docs/docs/coverage/os/alpine.md

@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |
 
 ## SBOM
 Trivy detects packages that have been installed through `apk`.