chore(deps): fix golang.org/x/tools and gopls compatibility

Update dependencies to resolve compatibility issues between golang.org/x/tools and gopls that were causing build errors. - Update buf to v1.56.0 (compatible with golang.org/x/tools) - Update golang.org/x/tools to v0.35.1-0.20250728180453-01a3475a31bc - Update gopls to v0.20.0 - Downgrade quic-go to v0.54.1 for compatibility
chore: run go mod tidy after rebase
2025-12-10 23:00:48 -08:00 · 2025-10-21 10:51:21 +04:00 · 2025-10-21 10:29:49 +04:00 · 2025-10-21 10:28:27 +04:00 · 2025-10-21 10:24:27 +04:00 · 2025-10-20 19:12:08 +00:00
757 changed files with 22796 additions and 10833 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -1,5 +0,0 @@
---
-Language: Proto
-BasedOnStyle: Google
-AlignConsecutiveAssignments: true
-AlignConsecutiveDeclarations: true
--- a/.github/actions/trivy-triage/helpers.js
+++ b/.github/actions/trivy-triage/helpers.js
@@ -1,6 +1,11 @@
+const patterns = {
+    Scanner: /### Scanner\r?\n\r?\n(.+)/,
+    Target: /### Target\r?\n\r?\n(.+)/,
+};
+
 module.exports = {
    detectDiscussionLabels: (discussion, configDiscussionLabels) => {
-        res = [];
+        const res = [];
        const discussionId = discussion.id;
        const category = discussion.category.name;
        const body = discussion.body;
@@ -8,15 +13,21 @@ module.exports = {
            console.log(`skipping discussion with category ${category} and body ${body}`);
            return [];
        }
-        const scannerPattern = /### Scanner\n\n(.+)/;
-        const scannerFound = body.match(scannerPattern);
-        if (scannerFound && scannerFound.length > 1) {
-            res.push(configDiscussionLabels[scannerFound[1]]);
-        }
-        const targetPattern = /### Target\n\n(.+)/;
-        const targetFound = body.match(targetPattern);
-        if (targetFound && targetFound.length > 1) {
-            res.push(configDiscussionLabels[targetFound[1]]);
+
+        for (const key in patterns) {
+            const match = body.match(patterns[key]);
+            if (match && match.length > 1 && match[1] !== "None") {
+                const val = configDiscussionLabels[match[1]];
+                if (val === undefined && match[1]) {
+                    console.warn(
+                        `Value for ${key.toLowerCase()} key "${
+                            match[1]
+                        }" not found in configDiscussionLabels`
+                    );
+                } else {
+                    res.push(val);
+                }
+            }
        }
        return res;
    },
--- a/.github/actions/trivy-triage/helpers.test.js
+++ b/.github/actions/trivy-triage/helpers.test.js
@@ -62,6 +62,17 @@ describe('trivy-triage', async function() {
      assert(labels.includes('ContainerImageLabel'));
      assert(labels.includes('VulnerabilityLabel'));
    });
+    it('detect scanner and target labels on windows', async function() {
+      const discussion = {
+        body: 'hello hello\r\nbla bla.\r\n### Scanner\r\n\r\nVulnerability\r\n### Target\r\n\r\nContainer Image\r\nbye bye.',
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
    it('not detect other labels', async function() {
      const discussion = {
        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
@@ -73,6 +84,16 @@ describe('trivy-triage', async function() {
      assert(!labels.includes('FilesystemLabel'));
      assert(!labels.includes('MisconfigurationLabel'));
    });
+    it('ignores unmatched label values from body', async function() {
+      const discussion = {
+        body: '### Target\r\n\r\nNone\r\n\r\n### Scanner\r\n\r\nMisconfiguration', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert.deepStrictEqual(labels, ['MisconfigurationLabel']);
+    });
    it('process only relevant categories', async function() {
      const discussion = {
        body: 'hello world', 
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -21,6 +21,8 @@ updates:
    directory: /
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 3
    ignore:
      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
    groups:
--- a/.github/workflows/apidiff.yaml
+++ b/.github/workflows/apidiff.yaml
@@ -0,0 +1,132 @@
+name: API Diff Check
+
+on:
+  # SECURITY: Using pull_request_target to support fork PRs with write permissions.
+  # PR code is checked out but only for static analysis - it is never executed.
+  # If modifying this workflow, ensure PR code is never executed and user inputs are not used unsafely.
+  pull_request_target:
+    types: [opened, synchronize]
+    paths:
+      - 'pkg/**/*.go'
+      - 'rpc/**/*.go'
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  apidiff:
+    runs-on: ubuntu-24.04
+    name: API Diff Check
+    steps:
+      # Checkout PR code for static analysis only
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      # Ensure the base commit exists locally when checkout uses depth=1 (default).
+      - name: Fetch base commit
+        run: |
+          BASE_REF="${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}"
+          if [ -n "$BASE_REF" ]; then
+            git fetch --depth=1 origin "$BASE_REF"
+          fi
+
+      # NOTE: go-apidiff is not managed in go.mod because installing it via `go get -tool`
+      # would cause `mage tool:install` to attempt building it on Windows, which currently
+      # fails due to platform-specific issues.
+      - name: Run go-apidiff
+        id: apidiff
+        continue-on-error: true
+        uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # v0.8.3
+        with:
+          version: v0.8.3
+
+      - name: Add apidiff label
+        if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const label = 'apidiff';
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              labels: [label],
+            });
+
+      - name: Comment API diff
+        if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          APIDIFF_OUTPUT: ${{ steps.apidiff.outputs.output }}
+          SEMVER_TYPE: ${{ steps.apidiff.outputs.semver-type }}
+        with:
+          script: |
+            const header = '## 📊 API Changes Detected';
+            const diff = process.env.APIDIFF_OUTPUT.trim();
+            const semver = process.env.SEMVER_TYPE || 'unknown';
+            const body = [
+              header,
+              '',
+              `Semver impact: \`${semver}\``,
+              '',
+              '```',
+              diff,
+              '```',
+            ].join('\n');
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const existing = comments.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.startsWith(header),
+            );
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
+
+      # Attempt to request the premium reviewers; needs org-scoped token because GITHUB_TOKEN lacks read:org.
+      - name: Request trivy-premium review
+        if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ secrets.ORG_REPO_TOKEN }}
+          script: |
+            try {
+              await github.rest.pulls.requestReviewers({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+                team_reviewers: ['trivy-premium'],
+              });
+              console.log('Requested review from aquasecurity/trivy-premium team');
+            } catch (error) {
+              core.error(`Failed to request trivy-premium reviewers: ${error.message}`);
+              throw error;
+            }
--- a/.github/workflows/auto-close-issue.yaml
+++ b/.github/workflows/auto-close-issue.yaml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Close issue if user does not have write or admin permissions
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            // Get the issue creator's username
--- a/.github/workflows/auto-ready-for-review.yaml
+++ b/.github/workflows/auto-ready-for-review.yaml
@@ -0,0 +1,138 @@
+name: Auto Ready for Review
+
+on:
+  workflow_run:
+    workflows: ["Test", "Validate PR Title"]
+    types: [completed]
+
+jobs:
+  auto-ready-for-review:
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Get PR context
+        id: pr-context
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_BRANCH: |-
+            ${{
+              (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
+                && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
+                || github.event.workflow_run.head_branch
+            }}
+        run: |
+          echo "[INFO] Searching for PR with branch: ${PR_BRANCH}"
+          if gh pr view --repo "${{ github.repository }}" "${PR_BRANCH}" --json 'number' --jq '"number=\(.number)"' >> "${GITHUB_OUTPUT}"; then
+            echo "[INFO] PR found successfully"
+          else
+            echo "[INFO] No PR found for branch ${PR_BRANCH}, skipping"
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          fi
+          
+      - name: Check PR and all workflows status
+        if: steps.pr-context.outputs.skip != 'true'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const prNumber = ${{ steps.pr-context.outputs.number }};
+            console.log(`[INFO] Processing PR #${prNumber}`);
+            
+            // Get PR info
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber
+            });
+            
+            console.log(`[INFO] PR #${prNumber} - Draft: ${pr.draft}, Labels: ${pr.labels.map(l => l.name).join(', ')}`);
+            
+            // Check if PR has autoready label and is draft
+            const hasAutoreadyLabel = pr.labels.some(label => label.name === 'autoready');
+            
+            if (!pr.draft) {
+              console.log(`[INFO] PR #${prNumber} is not draft, skipping`);
+              return;
+            }
+            
+            if (!hasAutoreadyLabel) {
+              console.log(`[INFO] PR #${prNumber} doesn't have autoready label, skipping`);
+              return;
+            }
+            
+            // Get all workflow runs for this PR's head commit (head_sha)
+            const { data: workflowRuns } = await github.rest.actions.listWorkflowRunsForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head_sha: pr.head.sha,
+              per_page: 100
+            });
+            
+            console.log(`[INFO] Found ${workflowRuns.workflow_runs.length} workflow runs for PR #${prNumber}`);
+            
+            // Check workflow status
+            const runningWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.status === 'in_progress' || run.status === 'queued'
+            );
+            
+            const failedWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'failure' || run.conclusion === 'cancelled'
+            );
+            
+            const successfulWorkflows = workflowRuns.workflow_runs.filter(run => 
+              run.conclusion === 'success'
+            );
+            
+            console.log(`[INFO] Workflow status - Running: ${runningWorkflows.length}, Failed: ${failedWorkflows.length}, Success: ${successfulWorkflows.length}`);
+            
+            if (runningWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows are still running: ${runningWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            if (failedWorkflows.length > 0) {
+              console.log(`[INFO] Some workflows failed: ${failedWorkflows.map(w => w.name).join(', ')}`);
+              return;
+            }
+            
+            console.log(`[INFO] All workflows passed! Marking PR #${prNumber} as ready for review...`);
+            
+            // Mark PR as ready for review using GraphQL API
+            // Reference: https://github.com/orgs/community/discussions/70061
+            try {
+              const mutation = `
+                mutation MarkPullRequestReadyForReview($pullRequestId: ID!) {
+                  markPullRequestReadyForReview(input: { pullRequestId: $pullRequestId }) {
+                    pullRequest {
+                      id
+                      isDraft
+                      number
+                    }
+                  }
+                }
+              `;
+              
+              const updateResult = await github.graphql(mutation, {
+                pullRequestId: pr.node_id
+              });
+              
+              const isDraft = updateResult.markPullRequestReadyForReview.pullRequest.isDraft;
+              console.log(`[SUCCESS] PR #${prNumber} marked as ready for review. Draft status: ${isDraft}`);
+            } catch (error) {
+              console.log(`[ERROR] Failed to mark PR #${prNumber} as ready for review: ${error.message}`);
+              console.log(`[ERROR] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+              return;
+            }
+            
+            // Remove autoready label
+            try {
+              const labelResult = await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                name: 'autoready'
+              });
+              console.log(`[SUCCESS] autoready label removed from PR #${prNumber}. Status: ${labelResult.status}`);
+            } catch (error) {
+              console.log(`[WARNING] Could not remove autoready label from PR #${prNumber}: ${error.message}`);
+              console.log(`[WARNING] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
+            }
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -11,10 +11,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -16,7 +16,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          PERMISSION=$(gh api /repos/$GITHUB_REPOSITORY/collaborators/$GITHUB_ACTOR/permission --jq '.permission')
          if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
           echo "is_maintainer=true" >> $GITHUB_OUTPUT
          else
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

@@ -44,8 +44,12 @@ jobs:
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
-          BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+          BRANCH_NAME=$(echo "$COMMENT_BODY" | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          if [[ -z "$BRANCH_NAME" || "$BRANCH_NAME" == *".."* || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$ ]]; then
+            echo "Error: Invalid branch name extracted (unsafe characters detected)." >&2
+            exit 1
+          fi
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"

      - name: Set up Git user
        run: |
@@ -53,8 +57,9 @@ jobs:
          git config --global user.name "GitHub Actions"

      - name: Run backport script
-        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
        env:
          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
          # This allows the created PR to trigger tests and other workflows
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"
--- a/.github/workflows/cache-test-assets.yaml
+++ b/.github/workflows/cache-test-assets.yaml
@@ -1,7 +1,12 @@
-name: Cache test images
+name: Cache test assets
+# This workflow runs on the main branch to create caches that can be accessed by PRs.
+# GitHub Actions cache isolation restricts access:
+# - PRs can only restore caches from: current branch, base branch, and default branch (main)
+# - PRs cannot restore caches from sibling branches or other PR branches
+# - By creating caches on the main branch, all PRs can benefit from shared cache
 on:
-  schedule:
-    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
+  push:
+    branches: [main]
  workflow_dispatch:

 jobs:
@@ -10,10 +15,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -22,7 +27,6 @@ jobs:
        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
-        if: github.ref_name == 'main'
        id: image-digest
        run: |
          source integration/testimages.ini
@@ -30,16 +34,13 @@ jobs:
          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

-      ## We need to work with test image cache only for main branch
      - name: Restore and save test images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}

      - name: Download test images
-        if: github.ref_name == 'main'
        run: mage test:fixtureContainerImages

  test-vm-images:
@@ -47,10 +48,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -59,7 +60,6 @@ jobs:
        run: go install tool # GOBIN is added to the PATH by the setup-go action

      - name: Generate image list digest
-        if: github.ref_name == 'main'
        id: image-digest
        run: |
          source integration/testimages.ini
@@ -67,14 +67,32 @@ jobs:
          DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

-      ## We need to work with test VM image cache only for main branch
      - name: Restore and save test VM images cache
-        if: github.ref_name == 'main'
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: integration/testdata/fixtures/vm-images
          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}

      - name: Download test VM images
-        if: github.ref_name == 'main'
-        run: mage test:fixtureVMImages
+        run: mage test:fixtureVMImages
+
+  lint-cache:
+    name: Cache lint results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Run golangci-lint for caching
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        with:
+          version: v2.4
+          args: --verbose
+        env:
+          GOEXPERIMENT: jsonv2
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -25,36 +25,43 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: dist/
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}

        # Upload artifacts
      - name: Upload artifacts (trivy_Linux-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: trivy_Linux-64bit
          path: dist/trivy_*_Linux-64bit.tar.gz
          if-no-files-found: error

      - name: Upload artifacts (trivy_Linux-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: trivy_Linux-ARM64
          path: dist/trivy_*_Linux-ARM64.tar.gz
          if-no-files-found: error

      - name: Upload artifacts (trivy_macOS-64bit)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: trivy_macOS-64bit
          path: dist/trivy_*_macOS-64bit.tar.gz
          if-no-files-found: error

      - name: Upload artifacts (trivy_macOS-ARM64)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: trivy_macOS-ARM64
          path: dist/trivy_*_macOS-ARM64.tar.gz
-          if-no-files-found: error
+          if-no-files-found: error
+
+      - name: Delete cache after upload
+        run: |
+          gh cache delete "$CACHE_KEY" --repo "${{ github.repository }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CACHE_KEY: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -12,11 +12,11 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: 3.x
      - name: Install dependencies
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -14,11 +14,11 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout main
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: 3.x
      - name: Install dependencies
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -25,23 +25,26 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
        with:
          version: v3.14.4
      - name: Set up python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: '3.x'
          check-latest: true
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        with:
+          # v6.0.0 resolved the compatibility issue with Python > 3.13. may be removed after the action itself is updated
+          yamale_version: "6.0.0"
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -61,7 +64,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Install chart-releaser
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -19,7 +19,7 @@ jobs:
    steps:
      - name: Release Please
        id: release
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0
        with:
          token: ${{ secrets.ORG_REPO_TOKEN }}
          target-branch: ${{ github.ref_name }}
@@ -56,7 +56,7 @@ jobs:

      - name: Tag release
        if: ${{ steps.extract_info.outputs.version }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
          script: |
@@ -70,7 +70,7 @@ jobs:
      # When v0.50.0 is released, a release branch "release/v0.50" is created.
      - name: Create release branch for patch versions
        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
          script: |
@@ -98,7 +98,7 @@ jobs:
      # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
      - name: Remove the label from PR
        if: ${{ steps.extract_info.outputs.pr_number }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,12 +19,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: dist/
          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,11 +35,10 @@ jobs:
          sudo apt-get -y install rpm reprepro createrepo-c distro-info

      - name: Checkout trivy-repo
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          repository: ${{ github.repository_owner }}/trivy-repo
          path: trivy-repo
-          fetch-depth: 0
          token: ${{ secrets.ORG_REPO_TOKEN }}

      - name: Setup git settings
@@ -62,7 +61,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

@@ -72,9 +71,10 @@ jobs:
          git config --global user.name "GitHub Actions"

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
+          cache: false

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -85,3 +85,43 @@ jobs:
          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
          # This allows the created PR to trigger tests and other workflows
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+  # `trigger-version-update` triggers the `update_version` workflow in the `trivy-telemetry` repository
+  # and the trivy-downloads repository.
+  trigger-version-update:
+    needs: deploy-packages
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Trigger update_version workflow in trivy-telemetry
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-telemetry \
+            --ref main \
+            --field version=${{ github.ref_name }}
+
+      - name: Trigger update_version workflow in trivy-downloads
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run update_version.yml \
+            --repo ${{ github.repository_owner }}/trivy-downloads \
+            --ref main \
+            --field version=${{ github.ref_name }} \
+            --field artifact=trivy
+
+      - name: Trigger version update and release workflow in trivy-chocolatey
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows triggering workflows in other repositories
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        run: |
+          gh workflow run release.yml \
+            --repo ${{ github.repository_owner }}/trivy-chocolatey \
+            --ref main \
+            --field version=${{ github.ref_name }}
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -27,51 +27,51 @@ jobs:
      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Cosign install
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Show available Docker Buildx platforms
        run: echo ${{ steps.buildx.outputs.platforms }}

      - name: Login to docker.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to ghcr.io registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ env.GH_USER }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to ECR
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

      - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.

      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
        with:
          args: mod -licenses -json -output bom.json
          version: ^v1
@@ -88,7 +88,7 @@ jobs:
          mkdir tmp    

      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: v2.1.0
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -107,7 +107,7 @@ jobs:
      # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
      - name: Build and push
        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          platforms: linux/amd64, linux/arm64
          file: ./Dockerfile.canary # path to Dockerfile
@@ -119,7 +119,7 @@ jobs:
            public.ecr.aws/aquasecurity/trivy:canary

      - name: Cache Trivy binaries
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: dist/
          # use 'github.sha' to create a unique cache folder for each run.
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -11,14 +11,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/backlog
          label-operator: AND
        id: add-backlog-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
        if: ${{ steps.add-backlog-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -28,14 +28,14 @@ jobs:
          field-values: Backlog

      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/important-longterm
          label-operator: AND
        id: add-longterm-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
        if: ${{ steps.add-longterm-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -45,14 +45,14 @@ jobs:
          field-values: Important (long-term)

      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/important-soon
          label-operator: AND
        id: add-soon-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
        if: ${{ steps.add-soon-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -62,14 +62,14 @@ jobs:
          field-values: Important (soon)

      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v1.0.2 # add new issue to project
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
          labeled: kind/feature, priority/critical-urgent
          label-operator: AND
        id: add-urgent-issue
-      - uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
+      - uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
        if: ${{ steps.add-urgent-issue.outputs.itemId }}
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -10,10 +10,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/trivy-issue-action@v0.0.6
+        uses: knqyf263/trivy-issue-action@4466f52d1401b66dd2a2ab9e0c40cddc021829ec # v0.0.6
        with:
          assignee: knqyf263
          severity: CRITICAL
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -68,6 +68,7 @@ jobs:
            windows
            minimos
            rootio
+            seal

            # Languages
            ruby
--- a/.github/workflows/spdx-cron.yaml
+++ b/.github/workflows/spdx-cron.yaml
@@ -10,27 +10,28 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action

-      - name: Check if SPDX exceptions are up-to-date
+      - name: Check if SPDX license IDs and exceptions are up-to-date
+        id: exceptions_check
        run: |
-          mage spdx:updateLicenseExceptions
+          mage spdx:updateLicenseEntries
          if [ -n "$(git status --porcelain)" ]; then
-            echo "Run 'mage spdx:updateLicenseExceptions' and push it"
-            exit 1
-          fi        
+            echo "Run 'mage spdx:updateLicenseEntries' and push it"
+            echo "send_notify=true" >> $GITHUB_OUTPUT
+          fi

      - name: Microsoft Teams Notification
-        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88
-        if: failure()
+        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88 # main
+        if: steps.exceptions_check.outputs.send_notify == 'true'
        with:
          webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
          needs: ${{ toJson(needs) }}
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test-docs.yaml
+++ b/.github/workflows/test-docs.yaml
@@ -10,11 +10,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        fetch-depth: 0
        persist-credentials: true
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: 3.x
    - name: Install dependencies
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -19,10 +19,10 @@ jobs:
      matrix:
        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -38,10 +38,13 @@ jobs:

      - name: Lint
        id: lint
-        uses: golangci/golangci-lint-action@v7.0.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
-          version: v2.1
+          version: v2.4
          args: --verbose
+          skip-save-cache: true  # Restore cache from main branch but don't save new cache
+        env:
+          GOEXPERIMENT: jsonv2
        if: matrix.operating-system == 'ubuntu-latest'

      - name: Check if linter failed
@@ -70,10 +73,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -90,7 +93,7 @@ jobs:
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
@@ -103,10 +106,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -122,10 +125,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -142,7 +145,7 @@ jobs:
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: integration/testdata/fixtures/images
          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
@@ -157,10 +160,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache: false
@@ -177,7 +180,7 @@ jobs:
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Restore test VM images from cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: integration/testdata/fixtures/vm-images
          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
@@ -186,6 +189,25 @@ jobs:
        run: |
          mage test:vm

+  e2e-test:
+    name: E2E Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Run E2E tests
+        run: mage test:e2e
+
  build-test:
    name: Build Test
    runs-on: ${{ matrix.operating-system }}
@@ -196,10 +218,10 @@ jobs:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
    - name: Checkout
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
      with:
        go-version-file: go.mod
        cache: false
@@ -217,7 +239,7 @@ jobs:
        fi

    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
      with:
        version: v2.1.0
        args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}
--- a/.github/workflows/triage.yaml
+++ b/.github/workflows/triage.yaml
@@ -10,7 +10,7 @@ jobs:
  label:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/trivy-triage
        with:
          discussion_num: ${{ github.event.inputs.discussion_num }}
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -59,6 +59,9 @@ linters:
              recommendations:
                - github.com/aquasecurity/go-version
              reason: "`aquasecurity/go-version` is designed for our use-cases"
+          - github.com/liamg/memoryfs:
+              recommendations:
+                - github.com/aquasecurity/trivy/pkg/mapfs
    gosec:
      excludes:
        - G101
@@ -193,7 +196,7 @@ linters:
    warn-unused: true

 run:
-  go: '1.24'
+  go: '1.25'
  timeout: 30m

 formatters:
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1 +1 @@
-{".":"0.64.1"}
+{".":"0.67.0"}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,108 @@
 # Changelog

-## [0.64.1](https://github.com/aquasecurity/trivy/compare/v0.64.0...v0.64.1) (2025-07-03)
+## [0.67.0](https://github.com/aquasecurity/trivy/compare/v0.66.0...v0.67.0) (2025-09-30)
+
+
+### Features
+
+* add documentation URL for database lock errors ([#9531](https://github.com/aquasecurity/trivy/issues/9531)) ([eba48af](https://github.com/aquasecurity/trivy/commit/eba48afd583391cef346e45a176aa5a6d77b704f))
+* **cli:** change --list-all-pkgs default to true ([#9510](https://github.com/aquasecurity/trivy/issues/9510)) ([7b663d8](https://github.com/aquasecurity/trivy/commit/7b663d86ca65ee3eb332c857b77bfa18e6da56c4))
+* **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](https://github.com/aquasecurity/trivy/issues/9515)) ([42b3bf3](https://github.com/aquasecurity/trivy/commit/42b3bf37bb7d39139911843297c8b8ab3551c31a))
+* **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](https://github.com/aquasecurity/trivy/issues/9439)) ([aff03eb](https://github.com/aquasecurity/trivy/commit/aff03ebab2e7874dd997e20b4ec9962a41eae7bb))
+* **redhat:** add os-release detection for RHEL-based images ([#9458](https://github.com/aquasecurity/trivy/issues/9458)) ([cb25a07](https://github.com/aquasecurity/trivy/commit/cb25a074501c5cf48050fdf6a0ae7c85c4f385ea))
+* **sbom:** added support for CoreOS ([#9448](https://github.com/aquasecurity/trivy/issues/9448)) ([6d562a3](https://github.com/aquasecurity/trivy/commit/6d562a3b48926b6efd508e067e1059564173b270))
+* **seal:** add seal support ([#9370](https://github.com/aquasecurity/trivy/issues/9370)) ([e4af279](https://github.com/aquasecurity/trivy/commit/e4af279b29ed5b77ed1d62e31b232b1f9b92ef4f))


 ### Bug Fixes

-* **alma:** parse epochs from rpmqa file [backport: release/v0.64] ([#9119](https://github.com/aquasecurity/trivy/issues/9119)) ([8cf1bf9](https://github.com/aquasecurity/trivy/commit/8cf1bf9f6f86936ee7dcd29e0d1cd1ec106e28f6))
-* **cli:** Add more non-sensitive flags to telemetry [backport: release/v0.64] ([#9124](https://github.com/aquasecurity/trivy/issues/9124)) ([9a7d384](https://github.com/aquasecurity/trivy/commit/9a7d38432cf00f00970259e5ac3edd060e00ccff))
-* **misconf:** skip rewriting expr if attr is nil [backport: release/v0.64] ([#9127](https://github.com/aquasecurity/trivy/issues/9127)) ([4e12722](https://github.com/aquasecurity/trivy/commit/4e1272283a643bfca2d7231d286006219715fada))
-* **rootio:** check full version to detect `root.io` packages [backport: release/v0.64] ([#9120](https://github.com/aquasecurity/trivy/issues/9120)) ([53adfba](https://github.com/aquasecurity/trivy/commit/53adfba3c25664b01e3a36fdec334b39b53c07f1))
+* **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](https://github.com/aquasecurity/trivy/issues/9436)) ([fa6f1bf](https://github.com/aquasecurity/trivy/commit/fa6f1bfecfb68c29ad4684a6fb5d86948c7d6887))
+* close file descriptors and pipes on error paths ([#9536](https://github.com/aquasecurity/trivy/issues/9536)) ([a4cbd6a](https://github.com/aquasecurity/trivy/commit/a4cbd6a1380b7b4dc650a312ec4e5bc47501f674))
+* **db:** Dowload database when missing but metadata still exists ([#9393](https://github.com/aquasecurity/trivy/issues/9393)) ([92ebc7e](https://github.com/aquasecurity/trivy/commit/92ebc7e4d72424c17d93c54e5f24891710c85a60))
+* **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](https://github.com/aquasecurity/trivy/issues/9534)) ([c0c7a6b](https://github.com/aquasecurity/trivy/commit/c0c7a6bf1b92c868ed44172b3cd15c51667b8a6e))
+* **misconf:** handle tofu files in module detection ([#9486](https://github.com/aquasecurity/trivy/issues/9486)) ([bfd2f6b](https://github.com/aquasecurity/trivy/commit/bfd2f6ba697c223d60a7378283293d8e1fc8a8fe))
+* **misconf:** strip build metadata suffixes from image history ([#9498](https://github.com/aquasecurity/trivy/issues/9498)) ([c938806](https://github.com/aquasecurity/trivy/commit/c9388069a4325a9f8bc53bc8a82ff46d84d06847))
+* **misconf:** unmark cty values before access ([#9495](https://github.com/aquasecurity/trivy/issues/9495)) ([8e40d27](https://github.com/aquasecurity/trivy/commit/8e40d27a43ecb96795a8a7d4a2444241fc7fce9a))
+* **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](https://github.com/aquasecurity/trivy/issues/9497)) ([267a970](https://github.com/aquasecurity/trivy/commit/267a9700fa233abe1a04eada8f3ea513f3ebacb3))
+* **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](https://github.com/aquasecurity/trivy/issues/9518)) ([404abb3](https://github.com/aquasecurity/trivy/commit/404abb3d91cb3b1c1ee027169de5a40e32ba8b8a))
+* **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](https://github.com/aquasecurity/trivy/issues/9330)) ([4517e8c](https://github.com/aquasecurity/trivy/commit/4517e8c0ef5e942b8e2e498729257374634ffbf8))
+* **vex:** don't  suppress vulns for packages with infinity loop ([#9465](https://github.com/aquasecurity/trivy/issues/9465)) ([78f0d4a](https://github.com/aquasecurity/trivy/commit/78f0d4ae0378f81940a5faa6497e6905cb5d034a))
+* **vuln:** compare `nuget` package names in lower case ([#9456](https://github.com/aquasecurity/trivy/issues/9456)) ([1ff9ac7](https://github.com/aquasecurity/trivy/commit/1ff9ac79488e0d4deab4226f1a969676a9851cdb))
+
+## [0.66.0](https://github.com/aquasecurity/trivy/compare/v0.65.0...v0.66.0) (2025-09-02)
+
+
+### Features
+
+* add timeout handling for cache database operations ([#9307](https://github.com/aquasecurity/trivy/issues/9307)) ([235c24e](https://github.com/aquasecurity/trivy/commit/235c24e71a546b6196f7264fced2d02d836e3f85))
+* **misconf:** added audit config attribute ([#9249](https://github.com/aquasecurity/trivy/issues/9249)) ([4d4a244](https://github.com/aquasecurity/trivy/commit/4d4a2444b692512aca137dcbd367ff224fe25597))
+* **secret:** implement streaming secret scanner with byte offset tracking ([#9264](https://github.com/aquasecurity/trivy/issues/9264)) ([5a5e097](https://github.com/aquasecurity/trivy/commit/5a5e0972c72e629ddf2915ef066d632d58b8d3b0))
+* **terraform:** use .terraform cache for remote modules in plan scanning ([#9277](https://github.com/aquasecurity/trivy/issues/9277)) ([298a994](https://github.com/aquasecurity/trivy/commit/298a9941f098d2701b9524a703b9f9b1b9451785))
+
+
+### Bug Fixes
+
+* **conda:** memory leak by adding closure method for `package.json` file ([#9349](https://github.com/aquasecurity/trivy/issues/9349)) ([03d039f](https://github.com/aquasecurity/trivy/commit/03d039f17d94cf668152e83d0cf9dabf3b27d3dd))
+* create temp file under composite fs dir ([#9387](https://github.com/aquasecurity/trivy/issues/9387)) ([ce22f54](https://github.com/aquasecurity/trivy/commit/ce22f54a39a1abac08fa3ad540697c668792bf50))
+* **cyclonedx:** handle multiple license types ([#9378](https://github.com/aquasecurity/trivy/issues/9378)) ([46ab76a](https://github.com/aquasecurity/trivy/commit/46ab76a5af828c98cf93fc988ed6a405b7b07392))
+* **fs:** avoid shadowing errors in file.glob ([#9286](https://github.com/aquasecurity/trivy/issues/9286)) ([b51c789](https://github.com/aquasecurity/trivy/commit/b51c789330141d634a9b14bd10994c997862940f))
+* **image:** use standardized HTTP client for ECR authentication ([#9322](https://github.com/aquasecurity/trivy/issues/9322)) ([84fbf86](https://github.com/aquasecurity/trivy/commit/84fbf8674dfc0f91d8795a50bafa6041cce83ba2))
+* **misconf:** ensure ignore rules respect subdirectory chart paths ([#9324](https://github.com/aquasecurity/trivy/issues/9324)) ([d3cd101](https://github.com/aquasecurity/trivy/commit/d3cd101266eb7bf9b8ffe5899765efa7bd1abe30))
+* **misconf:** ensure module source is known ([#9404](https://github.com/aquasecurity/trivy/issues/9404)) ([81d9425](https://github.com/aquasecurity/trivy/commit/81d94253c8bc816ad932f7e0c0b8907e1cd759bb))
+* **misconf:** preserve original paths of remote submodules from .terraform ([#9294](https://github.com/aquasecurity/trivy/issues/9294)) ([1319d8d](https://github.com/aquasecurity/trivy/commit/1319d8dc7f4796177876af18f0e13ba1f7086348))
+* **misconf:** use correct field log_bucket instead of target_bucket in gcp bucket ([#9296](https://github.com/aquasecurity/trivy/issues/9296)) ([04ad0c4](https://github.com/aquasecurity/trivy/commit/04ad0c4fc2926a92e9e9ec11bb8eae826ed95827))
+* persistent flag option typo ([#9374](https://github.com/aquasecurity/trivy/issues/9374)) ([6e99dd3](https://github.com/aquasecurity/trivy/commit/6e99dd304c7fad8213489039e7ca42909383b5ff))
+* **plugin:** don't remove plugins when updating index.yaml file ([#9358](https://github.com/aquasecurity/trivy/issues/9358)) ([5f067ac](https://github.com/aquasecurity/trivy/commit/5f067ac15e5c609283bef26a211746a279b6b5d0))
+* **python:** impove package name normalization  ([#9290](https://github.com/aquasecurity/trivy/issues/9290)) ([1473e88](https://github.com/aquasecurity/trivy/commit/1473e88b74ca269691de7827e045703612b90050))
+* **repo:** preserve RepoMetadata on FS cache hit ([#9389](https://github.com/aquasecurity/trivy/issues/9389)) ([4f2a44e](https://github.com/aquasecurity/trivy/commit/4f2a44ea45bed1e842bb2072077da67ec7e744ac))
+* **repo:** sanitize git repo URL before inserting into report metadata ([#9391](https://github.com/aquasecurity/trivy/issues/9391)) ([1ac9b1f](https://github.com/aquasecurity/trivy/commit/1ac9b1f07cea429cc122bf9721e8909c649549cf))
+* **sbom:** add support for `file` component type of `CycloneDX` ([#9372](https://github.com/aquasecurity/trivy/issues/9372)) ([aa7cf43](https://github.com/aquasecurity/trivy/commit/aa7cf4387c5e82c1f629ac14cd6a35b48fc95983))
+* suppress debug log for context cancellation errors ([#9298](https://github.com/aquasecurity/trivy/issues/9298)) ([2458d5e](https://github.com/aquasecurity/trivy/commit/2458d5e28a54da9adec0b36f6b1e6bd4f15a72ce))
+
+## [0.65.0](https://github.com/aquasecurity/trivy/compare/v0.64.0...v0.65.0) (2025-07-30)
+
+
+### Features
+
+* add graceful shutdown with signal handling ([#9242](https://github.com/aquasecurity/trivy/issues/9242)) ([2c05882](https://github.com/aquasecurity/trivy/commit/2c05882f45071928c14d8212ef6c4f0f7048245d))
+* add HTTP request/response tracing support ([#9125](https://github.com/aquasecurity/trivy/issues/9125)) ([aa5b32a](https://github.com/aquasecurity/trivy/commit/aa5b32a19f4d61d0df72c11fd314c5a0b7284202))
+* **alma:** add AlmaLinux 10 support ([#9207](https://github.com/aquasecurity/trivy/issues/9207)) ([861d51e](https://github.com/aquasecurity/trivy/commit/861d51e99a45ee448f86fe195dedcaefb811c919))
+* **flag:** add schema validation for `--server` flag ([#9270](https://github.com/aquasecurity/trivy/issues/9270)) ([ed4640e](https://github.com/aquasecurity/trivy/commit/ed4640ec27f2575a50d7e6d516c9e2e45a59bb7f))
+* **image:** add Docker context resolution ([#9166](https://github.com/aquasecurity/trivy/issues/9166)) ([99cd4e7](https://github.com/aquasecurity/trivy/commit/99cd4e776c0c6cc689126e53fa86ee6333ba6277))
+* **license:** observe pkg types option in license scanner ([#9091](https://github.com/aquasecurity/trivy/issues/9091)) ([d44af8c](https://github.com/aquasecurity/trivy/commit/d44af8cfa21a145d14ca6e5e1ed4742d892f2dc5))
+* **misconf:** add private ip google access attribute to subnetwork ([#9199](https://github.com/aquasecurity/trivy/issues/9199)) ([263845c](https://github.com/aquasecurity/trivy/commit/263845cfc1419401f24adc8bc6316f3ea0caacad))
+* **misconf:** added logging and versioning to the gcp storage bucket ([#9226](https://github.com/aquasecurity/trivy/issues/9226)) ([110f80e](https://github.com/aquasecurity/trivy/commit/110f80ea29951863997dd5a1c48fe14eb81e230b))
+* **repo:** add git repository metadata to reports ([#9252](https://github.com/aquasecurity/trivy/issues/9252)) ([f4b2cf1](https://github.com/aquasecurity/trivy/commit/f4b2cf10e917d58c0840f789e083bd3f268a8af1))
+* **report:** add CVSS vectors in sarif report ([#9157](https://github.com/aquasecurity/trivy/issues/9157)) ([60723e6](https://github.com/aquasecurity/trivy/commit/60723e6cfce82ede2863cf545a189c581246f4e9))
+* **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](https://github.com/aquasecurity/trivy/issues/9126)) ([12d6706](https://github.com/aquasecurity/trivy/commit/12d6706961423acb12430c8b3d986b4aa4671d04))
+
+
+### Bug Fixes
+
+* **alma:** parse epochs from rpmqa file ([#9101](https://github.com/aquasecurity/trivy/issues/9101)) ([82db2fc](https://github.com/aquasecurity/trivy/commit/82db2fcc8034c911cc7a67f5a82d2f081d9c1fdf))
+* also check `filepath` when removing duplicate packages ([#9142](https://github.com/aquasecurity/trivy/issues/9142)) ([4d10a81](https://github.com/aquasecurity/trivy/commit/4d10a815dde53f5e128366f1dd0837a1dc29c17b))
+* **aws:** update amazon linux 2 EOL date ([#9176](https://github.com/aquasecurity/trivy/issues/9176)) ([0ecfed6](https://github.com/aquasecurity/trivy/commit/0ecfed6ea75cfe33e0f436a9015ac72a679e754e))
+* **cli:** Add more non-sensitive flags to telemetry ([#9110](https://github.com/aquasecurity/trivy/issues/9110)) ([7041a39](https://github.com/aquasecurity/trivy/commit/7041a39bdcf21c5b3114137d9a931f529eac2566))
+* **cli:** ensure correct command is picked by telemetry ([#9260](https://github.com/aquasecurity/trivy/issues/9260)) ([b4ad00f](https://github.com/aquasecurity/trivy/commit/b4ad00f301a5fd7326060a567871c6f4a9711696))
+* **cli:** panic: attempt to get os.Args[1] when len(os.Args) &lt; 2 ([#9206](https://github.com/aquasecurity/trivy/issues/9206)) ([adfa879](https://github.com/aquasecurity/trivy/commit/adfa879e4e8ab88f211222a13d2b89013ae9a853))
+* **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](https://github.com/aquasecurity/trivy/issues/9116)) ([a692f29](https://github.com/aquasecurity/trivy/commit/a692f296d15f7241ba5ff082e4e69926b1c728a8))
+* **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](https://github.com/aquasecurity/trivy/issues/9232)) ([b4193d0](https://github.com/aquasecurity/trivy/commit/b4193d0d31a167aafdcd9d9ccd89f3f124eef7ee))
+* migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](https://github.com/aquasecurity/trivy/issues/9131)) ([f224de3](https://github.com/aquasecurity/trivy/commit/f224de3e39b08672212ec0f94660c36bef77bc30))
+* **misconf:** correctly adapt azure storage account ([#9138](https://github.com/aquasecurity/trivy/issues/9138)) ([51aa022](https://github.com/aquasecurity/trivy/commit/51aa0222604829706193eb2ff3a6886742bb42b4))
+* **misconf:** correctly parse empty port ranges in google_compute_firewall ([#9237](https://github.com/aquasecurity/trivy/issues/9237)) ([77bab7b](https://github.com/aquasecurity/trivy/commit/77bab7b6d25c712e2db7dc53956985c2721728e9))
+* **misconf:** fix log bucket in schema ([#9235](https://github.com/aquasecurity/trivy/issues/9235)) ([7ebc129](https://github.com/aquasecurity/trivy/commit/7ebc129ab726f3133d940708837b7edda2621105))
+* **misconf:** skip rewriting expr if attr is nil ([#9113](https://github.com/aquasecurity/trivy/issues/9113)) ([42ccd3d](https://github.com/aquasecurity/trivy/commit/42ccd3df9a7c838a99facb8248e1a68eaf47a999))
+* **nodejs:** don't use prerelease logic for compare npm constraints  ([#9208](https://github.com/aquasecurity/trivy/issues/9208)) ([fe96436](https://github.com/aquasecurity/trivy/commit/fe96436b99bae3bbfc7498d2ad222d4acccdfcf1))
+* prevent graceful shutdown message on normal exit ([#9244](https://github.com/aquasecurity/trivy/issues/9244)) ([6095984](https://github.com/aquasecurity/trivy/commit/6095984d5340633740204a7a40f002a5643802b9))
+* **rootio:** check full version to detect `root.io` packages ([#9117](https://github.com/aquasecurity/trivy/issues/9117)) ([c2ddd44](https://github.com/aquasecurity/trivy/commit/c2ddd44d98594a2066cb5b5acbb9ad2aaad8fd96))
+* **rootio:** fix severity selection ([#9181](https://github.com/aquasecurity/trivy/issues/9181)) ([6fafbeb](https://github.com/aquasecurity/trivy/commit/6fafbeb60609a020b47266743250ea847234cbbd))
+* **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](https://github.com/aquasecurity/trivy/issues/9194)) ([aa944cc](https://github.com/aquasecurity/trivy/commit/aa944cc6da43e2035f74e9d842f487c0d2f993f4))
+* **sbom:** use correct field for licenses in CycloneDX reports ([#9057](https://github.com/aquasecurity/trivy/issues/9057)) ([143da88](https://github.com/aquasecurity/trivy/commit/143da88dd82dfbe204f4c2afe46af3b01701675d))
+* **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](https://github.com/aquasecurity/trivy/issues/9253)) ([54832a7](https://github.com/aquasecurity/trivy/commit/54832a77b50e2da3a3ceacbb6ce1b13e45605cde))
+* **secret:** fix line numbers for multiple-line secrets ([#9104](https://github.com/aquasecurity/trivy/issues/9104)) ([e579746](https://github.com/aquasecurity/trivy/commit/e57974649e4a3a275b9cf02db191b3f6bf10340f))
+* **server:** add HTTP transport setup to server mode ([#9217](https://github.com/aquasecurity/trivy/issues/9217)) ([1163b04](https://github.com/aquasecurity/trivy/commit/1163b044c7e91a81bba3a862cc4a38e90182f0b4))
+* supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](https://github.com/aquasecurity/trivy/issues/9151)) ([e306e2d](https://github.com/aquasecurity/trivy/commit/e306e2dc5275c0e75f056c8c7ee9ff9261c78e7f))
+* **terraform:** `for_each` on a map returns a resource for every key ([#9156](https://github.com/aquasecurity/trivy/issues/9156)) ([153318f](https://github.com/aquasecurity/trivy/commit/153318f65f7e5059bcc064bd2cd651cc720791a9))

 ## [0.64.0](https://github.com/aquasecurity/trivy/compare/v0.63.0...v0.64.0) (2025-06-30)

--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,10 +1,10 @@
-FROM alpine:3.21.3
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
 # need to copy binaries from folder with correct architecture
 # example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
-# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64 
+# GoReleaser adds _v* to the folder name, but only when GOARCH is amd64
 ARG TARGETARCH
 COPY "dist/trivy_canary_build_linux_${TARGETARCH}*/trivy" /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -1,20 +0,0 @@
-FROM --platform=linux/amd64 golang:1.24
-
-# Set environment variable for protoc
-ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
-
-# Install unzip for protoc installation and clean up cache
-RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
-
-# Download and install protoc
-RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
-    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
-    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
-    && rm -f $PROTOC_ZIP
-
-# Install Go tools
-RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
-RUN go install github.com/magefile/mage@v1.15.0
-
-ENV TRIVY_PROTOC_CONTAINER=true
--- a/buf.gen.yaml
+++ b/buf.gen.yaml
@@ -0,0 +1,13 @@
+version: v2
+plugins:
+  - remote: buf.build/protocolbuffers/go:v1.34.0
+    out: .
+    opt:
+      - paths=source_relative
+  # Using local protoc-gen-twirp since the remote twirp plugin is not available on buf.build
+  - local: protoc-gen-twirp
+    out: .
+    opt:
+      - paths=source_relative
+inputs:
+  - directory: .
--- a/buf.yaml
+++ b/buf.yaml
@@ -0,0 +1,10 @@
+version: v2
+modules:
+  - path: .
+    name: buf.build/aquasecurity/trivy
+lint:
+  use:
+    - STANDARD
+breaking:
+  use:
+    - FILE
--- a/ci/deploy-rpm.sh
+++ b/ci/deploy-rpm.sh
@@ -16,7 +16,7 @@ function create_common_rpm_repo () {

                mkdir -p $rpm_path/$arch
                cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
-                createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
+                createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
                rm ${rpm_path}/$arch/*${prefix}.rpm
        done
 }
@@ -28,7 +28,7 @@ function create_rpm_repo () {
        mkdir -p $rpm_path
        cp ../dist/*64bit.rpm ${rpm_path}/

-        createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
+        createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path

        rm ${rpm_path}/*64bit.rpm
 }
--- a/cmd/trivy/main.go
+++ b/cmd/trivy/main.go
@@ -41,6 +41,11 @@ func run() error {
 		return nil
 	}

-	app := commands.NewApp()
-	return app.Execute()
+	// Ensure cleanup on exit
+	defer commands.Cleanup()
+
+	// Set up signal handling for graceful shutdown
+	ctx := commands.NotifyContext(context.Background())
+
+	return commands.Run(ctx)
 }
--- a/docs/assets/css/_glass_v2.scss
+++ b/docs/assets/css/_glass_v2.scss
@@ -0,0 +1,210 @@
+/* glass_v2 */
+
+.glass_v2 {
+	position: relative;
+	min-width: 100px;
+	min-height: 100px;
+	border-radius: 20px;
+	border: 1px solid rgba(#ffffff, 0.15);
+	padding: 2em;
+	background: 
+		linear-gradient(235deg, rgba($aq-royal-blue, 0.18), rgba($aq-royal-blue, 0) 33%), 
+		linear-gradient(45deg, rgba($aq-neon-blue, 0.18), rgba($aq-neon-blue, 0) 33%), 
+		linear-gradient(rgba($aq-trivy-dark, 0.45));
+	backdrop-filter: blur(12px);
+	box-shadow: 
+		rgba($aq-neon-blue, 0.08) 0px 8px 12px -6px, 
+		rgba($aq-neon-blue, 0.12) 0px 16px 24px -10px,
+		inset 0 1px 0 rgba($aq-royal-blue, 0.4),
+		inset 1px 0 0 rgba($aq-royal-blue, 0.3),
+		inset 0 0 0 0.5px rgba(#ffffff, 0.1);
+
+	//top-right shine effect
+	&::before {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		right: -1px;
+		top: -1px;
+		width: 50%;
+		height: 50%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from -45deg at center in oklch,
+			transparent 8%, 
+			rgba($aq-royal-blue, 0.5), 
+			transparent 45%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	//bottom-left shine effect
+	&::after {
+		content: "";
+		pointer-events: none;
+		position: absolute;
+		left: -1px;
+		bottom: -1px;
+		width: 25%;
+		height: 25%;
+		border-radius: 0;
+		border-top-right-radius: inherit;
+		border-bottom-left-radius: inherit;
+		border: 1px solid transparent;
+		z-index: 1;
+		background: conic-gradient(
+			from 135deg at center in oklch,
+			transparent 15%, 
+			rgba($aq-neon-blue, 0.15), 
+			transparent 30%
+		) border-box;
+		mask: 
+			linear-gradient(transparent), 
+			linear-gradient(black);
+		mask-repeat: no-repeat;
+		mask-clip: padding-box, border-box;
+		mask-composite: subtract;
+	}
+
+	.glow_topright {
+		pointer-events: none;
+		position: absolute;
+		right: -12px;
+		top: -12px;
+		width: 40%;
+		height: 40%;
+		border-top-right-radius: 20px;
+		border-bottom-left-radius: 20px;
+		border: 12px solid transparent;
+		opacity: 0.7;
+		filter: blur(8px) saturate(1.2) brightness(0.7);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 5%, 
+				rgba($aq-royal-blue, 0.4), 
+				transparent 40%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -3px;
+			border: 18px solid transparent;
+			border-radius: 25px;
+			z-index: 4;
+			opacity: 0.5;
+			background: conic-gradient(
+				from -45deg at center in oklch,
+				transparent 8%, 
+				rgba($aq-royal-blue, 0.6), 
+				transparent 35%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	}
+
+	//bottom-left glow
+	.glow_bottomleft {
+		pointer-events: none;
+		position: absolute;
+		left: -4px;
+		bottom: -4px;
+		width: 20%;
+		height: 20%;
+		border-top-right-radius: 15px;
+		border-bottom-left-radius: 15px;
+		border: 4px solid transparent;
+		opacity: 0.2;
+		filter: blur(6px) saturate(1.0) brightness(0.4);
+		mix-blend-mode: plus-lighter;
+		z-index: 3;
+
+		&::before {
+			content: "";
+			position: absolute;
+			inset: 0;
+			border: inherit;
+			border-radius: inherit;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 12%, 
+				rgba($aq-neon-blue, 0.15), 
+				transparent 28%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+
+		&::after {
+			content: "";
+			position: absolute;
+			inset: -1px;
+			border: 6px solid transparent;
+			border-radius: 18px;
+			z-index: 4;
+			opacity: 0.15;
+			background: conic-gradient(
+				from 135deg at center in oklch,
+				transparent 15%, 
+				rgba($aq-neon-blue, 0.25), 
+				transparent 25%
+			) border-box;
+			mask: 
+				linear-gradient(transparent), 
+				linear-gradient(black);
+			mask-repeat: no-repeat;
+			mask-clip: padding-box, border-box;
+			mask-composite: subtract;
+		}
+	} //glow_bottomleft
+
+
+&.light_glass {
+	background: 
+		linear-gradient(235deg, rgba(#ffffff, 0.6), rgba(#ffffff, 0.3) 33%),
+		linear-gradient(45deg, rgba(#ffffff, 0.7), rgba(#ffffff, 0.20) 33%),
+		linear-gradient(rgba(#ffffff, 0.25));
+
+	border: 1px solid rgba(#ffffff, 0.3);
+	color: $aq-blue-abyss;
+}
+
+
+
+
+
+} //glass_v2
--- a/docs/assets/css/_hubspot_form.scss
+++ b/docs/assets/css/_hubspot_form.scss
@@ -0,0 +1,47 @@
+/* hubspot_form_wrap */
+.hubspot_form_wrap {
+	padding-top:20px;padding-bottom:35px;position:relative;z-index:5;
+
+	* {
+		font-family: "Inter", sans-serif;
+	}
+}
+
+/* hubspot form styles */
+.hs-form .hs-form-field {text-align:left;}
+.hs-form .hs-form-required {opacity:0.5;padding-left:0.2em;}
+.hs-form label {font-size: 14px;font-weight: 400;}
+.hs-form input[type="text"],.hs-form input[type="password"], .hs-form input[type="datetime"], .hs-form input[type="datetime-local"], .hs-form input[type="date"], .hs-form input[type="month"], .hs-form input[type="time"], .hs-form input[type="week"], .hs-form input[type="number"], .hs-form input[type="email"], .hs-form input[type="url"], .hs-form input[type="search"], .hs-form input[type="tel"], .hs-form input[type="color"],.hs-form input[type="file"],.hs-form textarea,.hs-form select {width:100%;height:38px;padding:6px 10px;background-color:#fff;border:1px solid #D1D1D1 !important;border-radius:4px;box-shadow:none;box-sizing:border-box;}
+.hs-form input[type="file"] {border:0px;padding:0px;}
+.hs-form input[type="text"]:focus,.hs-form input[type="password"]:focus, .hs-form input[type="datetime"]:focus, .hs-form input[type="datetime-local"]:focus, .hs-form input[type="date"]:focus, .hs-form input[type="month"]:focus, .hs-form input[type="time"]:focus, .hs-form input[type="week"]:focus, .hs-form input[type="number"]:focus, .hs-form input[type="email"]:focus, .hs-form input[type="url"]:focus, .hs-form input[type="search"]:focus, .hs-form input[type="tel"]:focus, .hs-form input[type="color"]:focus,.hs-form input[type="file"]:focus,.hs-form textarea:focus,.hs-form select:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form textarea:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form input:focus:required:invalid:focus, 
+.hs-form textarea:focus:required:invalid:focus, 
+.hs-form select:focus:required:invalid:focus {border:1px solid #08b1d5;outline:0;}
+.hs-form .hs-error-msgs {list-style-type:none;padding-left:0px;margin:5px 0 0 0;font-size: 14px;}
+.hs-form .hs-error-msgs label {color:$aq-coral-red;font-weight:normal;font-size:90%;}
+.hs-form .hs-recaptcha {margin-bottom: 20px;}
+::-webkit-input-placeholder {color:#999999;}
+:-moz-placeholder {color:#999999;}
+::-moz-placeholder {color:#999999;}
+:-ms-input-placeholder {color:#999999;}
+.hs-form fieldset.form-columns-0, .hs-form fieldset.form-columns-1, .hs-form fieldset.form-columns-2 {margin-bottom:0px;max-width:100%;}
+.hs-form fieldset.form-columns-3 {display:none;}
+.hs-form .field {margin-bottom:20px;}
+body .hs-form fieldset.form-columns-1 .hs-input {width:100%;}
+.hs-form .hs_submit {text-align:center;}
+.hs-form .hs-richtext {margin-bottom: 20px;}
+.hs-form .hs-richtext span {background-color: transparent !important;}
+.hs-form .hs-richtext a {color: $aq-neon-blue;}
+.hs-form .hs-recaptcha {visibility: hidden;position: absolute;}
+.hs-form .hs-fieldtype-textarea {min-height: 6em;}
+.hs-form .hs-field-desc {font-size: 14px;margin-bottom:10px;}
+.hs-button.primary {background-color:$aq-neon-blue;
+	border-color:$aq-neon-blue;
+	color:$aq-blue-abyss;-moz-user-select:none;background-image:none;border:1px solid rgba(0, 0, 0, 0);cursor:pointer;display:inline-block;font-weight:400;line-height:1.42857;margin-bottom:0;text-align:center;vertical-align:middle;white-space:nowrap;border-radius:4px;font-size:16px;padding:8px 15px;
+}
+
+/* ff fix */
+@-moz-document url-prefix() {
+	fieldset {display:table-cell;}
+}
--- a/docs/assets/css/_slick_slider.scss
+++ b/docs/assets/css/_slick_slider.scss
@@ -89,7 +89,7 @@
 		height: 20px;
 		content: "";
 		background-color: transparent;
-		border: 2px solid $aq-sea-foam;
+		border: 2px solid $aq-neon-blue;
 		border-radius: 50%;
 		display: block;
 		opacity: 0.7;
@@ -103,7 +103,7 @@
 		width: 10px;
 		height: 10px;
 		content: "";
-		background-color: $aq-sea-foam;
+		background-color: $aq-neon-blue;
 		//border: 1px solid #666;
 		border-radius: 50%;
 		//box-shadow: inset 1px 1px 1px #888;
--- a/docs/assets/css/_trivy_homepage.scss
+++ b/docs/assets/css/_trivy_homepage.scss
@@ -157,14 +157,14 @@
 					.page_title {
 						color: #ffffff;
 						font-weight: $weight-bold;
-						font-size: 48px; //3rem;
+						font-size: 48px; //3rem
 						line-height: 1.3;
 					}//page_title
 			
 					.page_subtitle {
 						color: #ffffff;
 						font-weight: $weight-normal;
-						font-size: 24px; //1.5rem;
+						font-size: 24px; //1.5rem
 						line-height: 1.3;
 						margin-bottom: 30px;
 					} //page_subtitle
@@ -179,11 +179,11 @@
 						width: 100%;

 						.page_title {
-							font-size: 32px; //2rem;
+							font-size: 32px; //2rem
 						}//page_title
 			
 						.page_subtitle {
-							font-size: 18px; //1.125rem;
+							font-size: 18px; //1.125rem
 						}//page_subtitle
 			
 					} //until tablet
@@ -194,7 +194,7 @@
 			} //header_title_wrap

 			@media screen and (min-width: $tablet), print { //769
-				padding: 48px 24px; //3rem 1.5rem;
+				padding: 48px 24px; //3rem 1.5rem
 			}
 		}

@@ -256,10 +256,10 @@


 	.community_title {
-		color: $aq-sea-foam;
-		font-size: 60px; //3.75rem;
+		color: $aq-neon-blue;
+		font-size: 60px; //3.75rem
 		font-weight: $weight-bold;
-		margin-bottom: 24px; ////1.5rem;
+		margin-bottom: 24px; //1.5rem
 		line-height: 1.2;
 		

@@ -267,8 +267,8 @@

 	.community_subtitle  {
 		color: #ffffff;
-		font-size: 26px; //1.625rem;
-		margin-bottom: 24px; ////1.5rem;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
 		

 	}
@@ -309,28 +309,28 @@
 				display: block;
 				position: relative;
 				color: #ffffff;
-				border: 1px solid rgba($aq-sea-foam,0.2);
-				background-color: rgba($aq-sea-foam,0.05);
+				border: 1px solid rgba($aq-neon-blue,0.2);
+				background-color: rgba($aq-neon-blue,0.05);
 				border-radius: 4px;
 				padding: 25px;

 				.quote_name {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-semibold;
 				}

 				.quote_twitter_handle {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}

 				.quote_company {
 					opacity: 0.6;
-					font-size: 13px; //0.8125rem;
+					font-size: 13px; //0.8125rem
 				}

 				.quote_text {
-					font-size: 16px; //1rem;
+					font-size: 16px; //1rem
 					font-weight: $weight-normal;
 					line-height: 1.3;
 				}
@@ -397,10 +397,10 @@
 	@media screen and (max-width: $tablet), print { //tablet

 		.community_title {
-			font-size: 32px; //2rem;
+			font-size: 32px; //2rem
 		}
 		.community_subtitle {
-			font-size: 18px; //1.125rem;
+			font-size: 18px; //1.125rem
 		}

 	} //until
--- a/docs/assets/css/_trivy_partners.scss
+++ b/docs/assets/css/_trivy_partners.scss
@@ -2,10 +2,99 @@
 .trivy_v1_homepage_wrap.partners_wrap {
 	position: relative;
 	z-index: 3;
+	background-color: $aq-trivy-dark;
+	color: #ffffff;
+	padding-bottom: 80px; //5rem
+
+	.generic_title {
+		color: #ffffff;
+	}
+
+
+	.section_title_wrap {
+		position: relative;
+		padding-bottom: $gap;
+		padding-top: $gap/2;
+		text-align: center;
+		z-index: 1;
+
+		.section_title, .section_subtitle {
+			position: relative;
+			z-index: 2;
+		}
+
+		.section_title_icon {
+			position: relative;
+			z-index: 2;
+			text-align: center;
+			
+			img {
+				display: block;
+				animation: float 3s ease-out infinite;
+				margin: 0px auto;
+			}
+			
+			&::after {
+				content: "";
+				position: relative;
+				margin: 30px auto 10px auto;
+				background-color: rgba(#ffffff,0.1);
+				width: 90px;
+				display: block;
+				height: 15px;
+				border-radius: 50%;
+				animation: shrink 3s ease-out infinite;
+				// transform-origin: center center;
+			}
+		}
+
+		@keyframes float {
+			50% {
+				transform: translate(0, 10px);
+			}
+		}
+
+
+		@keyframes shrink {
+		0% {
+			width: 80px;
+		}
+		50% {
+			width: 100px;
+		}
+		100% {
+			width: 80px;
+		}
+		}
+
+
+		.section_title_icon + .section_title {
+			margin-top: 0px;
+		}
+
+
+
+
+		&::before {
+			content: "";
+			position: absolute;
+			left: 20%;
+			width: 60%;
+			padding: 30% 0;
+			transform: translate(0, -70%) rotate(-45deg);
+			background: radial-gradient(circle at left bottom, rgba($aq-neon-blue, 0.5) 10%, rgba($aq-royal-blue, 0.4) 20%, rgba($aq-trivy-dark, 0) 60%);
+			filter: blur(40px);
+			z-index: 1;
+			pointer-events: none;
+
+		} //before
+
+
+	} //section_title_wrap

 	.partners_hero_wrap {
 		background-color: $aq-trivy-dark;
-		background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+		background-image: radial-gradient(60vw at 50%, #031145 10%, $aq-trivy-dark 100%);
 		min-height: 500px;
 		position: relative;
 		z-index: 10;
@@ -63,8 +152,7 @@

 		
 		.hero-body {
-			padding: 80px 0px;
-			// border: 1px solid red;
+			// padding: 80px 0px;

 			.header_title_wrap.with_columns {

@@ -72,7 +160,6 @@
 				flex-direction: row;

 				@media screen and (max-width: $desktop) {
-
 					flex-direction: column;
 				}

@@ -83,17 +170,37 @@
 					position: relative;
 					z-index: 3;

-					&.partners_hero_stage_image {
+
+
+					.page_title {
+						font-size: 64px; //4rem
+						margin-bottom: 0px;
+					}
+
+					&.partners_hero_titles {
+						display: flex;
 						align-self: center;
-						align-content: center;
+						justify-content: center;
+						flex-direction: column;
+					}
+
+					&.partners_hero_stage_image {
+						display: flex;
+						align-self: center;
+						justify-content: center;
 						img {
 							max-width: 100%;
+							height: auto;
 						}
 					}


 					@media screen and (max-width: $widescreen), print {
 						width: 70%;
+
+						.page_title {
+							font-size: 48px; //3rem
+						}
 					} //until widescreen

 					@media screen and (max-width: $tablet), print { //769
@@ -101,11 +208,11 @@
 						width: 100%;

 						.page_title {
-							font-size: 32px; //2rem;
+							font-size: 32px; //2rem
 						}//page_title
 			
 						.page_subtitle {
-							font-size: 18px; //1.125rem;
+							font-size: 18px; //1.125rem
 						}//page_subtitle
 			
 					} //until tablet
@@ -116,7 +223,7 @@
 			} //header_title_wrap

 			@media screen and (min-width: $tablet), print { //769
-				padding: 48px 24px; //3rem 1.5rem;
+				padding: 24px;
 			}
 		}

@@ -126,7 +233,7 @@
 } //trivy_v1_homepage_wrap partners_wrap


-
+/* logos */
 .partners_logos_wrap {
 	background-color: $aq-trivy-dark;
 	padding: 50px 0px;
@@ -141,7 +248,7 @@
 		flex-direction: row;
 		justify-content: center;
 		align-items: center;
-		gap: 4rem;
+		gap: 64px; //4rem
 		flex-wrap: wrap;

 		.logo_item {
@@ -163,7 +270,7 @@

 		@media screen and (max-width: $tablet) {

-			gap: 2rem;
+			gap: 32px; //2rem

 			.logo_item {
 				img {
@@ -174,4 +281,211 @@
 		}

 	} //partners_logos
-} //partners_logos_wrap
+} //partners_logos_wrap
+
+
+
+/* benefits */
+.partners_benefits_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+	.benefit_items {
+		display: flex;
+		flex-direction: row;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		@media screen and (max-width: $desktop) {
+			flex-direction: column;
+		}
+
+		.benefit_item {
+			flex: 1;
+
+			.benefit_icon {
+				text-align: center;
+				
+				img {
+					max-width: 150px;
+					margin-left: auto;
+					margin-right: auto;
+					height: auto;
+				}
+			}
+			
+			.benefit_title {
+				text-align: center;
+				font-size: 32px; //2rem
+			}
+
+
+			.benefit_content {
+				font-size: 18px; //1.125rem
+				line-height: 1.3;
+				margin: 12px; //.75rem
+				text-align: center;
+			}
+		} //benefit_item
+	} //benefit_items
+} //partners_benefits_wrap
+
+
+
+/* plans */
+.partners_plans_wrap {
+	position: relative;
+	z-index: 10;
+	padding: $gap;
+
+
+	.plan_items {
+
+		display: flex;
+		flex-direction: column;
+		gap: $gap;
+		padding: 12px; //.75rem
+		position: relative;
+		z-index: 5;
+
+		.plan_item {
+			// border: 1px solid orange;
+			padding-left: 60px;
+			
+			
+			.glass_content {
+				
+				display: flex;
+				flex-direction: row;
+				align-items: center;
+				gap: $gap;
+				margin: 0 12px; //.75rem
+				min-height: 180px;
+
+				.plan_titles_wrap {
+	
+					width: 80%;
+	
+					.plan_title {
+						font-size: 32px; //2rem
+						margin: 12px 0px;
+					}
+		
+					.plan_subtitle {
+						font-size: 26px; //1.625rem
+						margin: 12px 0px;
+					}
+				} //plan_titles_wrap
+
+				.plan_content {
+					font-size: 20px; //1.25rem
+					line-height: 1.3;
+					margin: 12px; //.75rem
+					width: 100%;
+				}
+
+
+
+				
+				@media screen and (max-width: $desktop) {
+					flex-direction: column;
+					gap: 0px;
+
+					.plan_titles_wrap {
+						width: 100%;
+					}
+
+				} //desktop
+
+
+			} //glass_content
+
+
+		} //plan_item
+
+	} //plan_items
+
+
+
+	.plan_level {
+		position: absolute;
+		top: 10%;
+		left: 24px;
+		height: 80%;
+		width: 20px;
+		background-color: $aq-royal-blue;
+		border-radius: 10px;
+		pointer-events: none;
+		overflow: hidden;
+
+		&.level_1 {background-color: $aq-starfish-yellow;}
+		&.level_2 {background-color: $aq-coral-red;}
+		&.level_3 {background-color: $aq-legacy-blue;}
+
+		&::after {
+			content: '';
+			position: absolute;
+			top: -150%;
+			left: -150%;
+			width: 400%;
+			height: 400%;
+			background: linear-gradient(
+				-45deg,
+				transparent 40%,
+				rgba(255, 255, 255, 0.05) 47%,
+				rgba(255, 255, 255, 0.2) 50%,
+				rgba(255, 255, 255, 0.05) 53%,
+				transparent 60%
+			);
+			transform: rotate(-45deg);
+			animation: shimmer 1.2s ease-out infinite;
+			animation-delay: 2s;
+			opacity: 0;
+		}
+
+		@keyframes shimmer {
+			0% {
+				transform: translateX(-120%) rotate(-45deg);
+				opacity: 0;
+			}
+			20% {
+				opacity: 1;
+			}
+			80% {
+				opacity: 1;
+			}
+			100% {
+				transform: translateX(120%) rotate(-45deg);
+				opacity: 0;
+			}
+		}
+	} //plan_level
+
+} //partners_plans_wrap
+
+
+.partners_contact_wrap {
+
+	.partners_contact_title {
+		text-align: center;
+	}
+
+	.contact_form_wrap {
+		position: relative;
+		z-index: 5;
+		max-width: 60%;
+		margin: 0 auto;
+
+		.hubspot_form_wrap {
+
+		} //hubspot_form_wrap
+
+		@media screen and (max-width: $desktop) {
+			max-width: 90%;
+		}
+
+	} //contact_form_wrap
+} //partners_contact_wrap
--- a/docs/assets/css/trivy_v1_styles.css
+++ b/docs/assets/css/trivy_v1_styles.css
--- a/docs/assets/css/trivy_v1_styles.min.css
+++ b/docs/assets/css/trivy_v1_styles.min.css
--- a/docs/assets/css/trivy_v1_styles.scss
+++ b/docs/assets/css/trivy_v1_styles.scss
@@ -6,9 +6,11 @@ $aq-legacy-blue: #08b1d5;
 $aq-coral-red: #ff445f;
 $aq-starfish-yellow: #ffc900;
 $aq-dark-abyss: #07242d;
+$aq-blue-abyss: #031730;
 $aq-deep-sea-blue: #183278;
 $aq-ocean-ash: #405a75;
-$aq-sea-foam: #00ffe4;
+// $aq-sea-foam: #00ffe4;
+$aq-neon-blue: #50f0ff;

 $aq-neo-background: #ebf3fa;
 $aq-neo-background-hover: #f0f8ff;
@@ -65,19 +67,50 @@ body {


 .generic_title {
-	font-size: 1.75rem;
+	font-size: 28px; //1.75rem
 	font-weight: $weight-bold;
-	margin: 0.75rem 1.25rem 0.75rem 0.75rem;
+	margin: 12px; //0.75rem
 	color: $aq-royal-blue;
 }

 .generic_subtitle {
-	font-size: 1.125rem;
+	font-size: 18px; //1.125rem
 	opacity: 0.8;
-	margin: 0.75rem;
+	margin: 12px; //0.75rem
 }


+	.section_title {
+		color: #ffffff; //$aq-neon-blue;
+		font-size: 48px; //3rem
+		font-weight: $weight-bold;
+		margin-bottom: 24px; //1.5rem
+		line-height: 1.2;
+
+		&.is_smaller {
+			font-size: 40px; //2.5rem
+		}
+	}
+
+	.section_subtitle  {
+		color: #ffffff;
+		font-size: 26px; //1.625rem
+		margin-bottom: 24px; //1.5rem
+	}
+
+
+	@media screen and (max-width: $tablet) {
+
+		.section_title, .section_title.is_smaller {
+			font-size: 32px; //2rem
+		}
+		.section_subtitle {
+			font-size: 18px; //1.125rem
+		}
+
+	} //until
+
+
 .button {

 	background-color: #ebf3fa;
@@ -99,20 +132,20 @@ body {
 	font-weight: 700;
 	
 	&.is-seafoam {
-		background-color: $aq-sea-foam;
-		border-color: $aq-sea-foam;
-		color: $aq-dark-abyss;
+		background-color: $aq-neon-blue;
+		border-color: $aq-neon-blue;
+		color: $aq-blue-abyss;


 		&.is-outlined {
 			background-color: rgba(0,0,0,0);
-			border-color: $aq-sea-foam;
-			color: $aq-sea-foam;
+			border-color: $aq-neon-blue;
+			color: $aq-neon-blue;
 			border-width: 2px;

 			&:hover {
-				background-color: $aq-sea-foam;
-				color: $aq-dark-abyss;
+				background-color: $aq-neon-blue;
+				color: $aq-blue-abyss;
 			}
 		} //is-outlines
 		
@@ -132,17 +165,17 @@ body {

 	&.solidseafoamarrowbutton {
 		
-		background-color: $aq-sea-foam;
+		background-color: $aq-neon-blue;
 		font-weight: 700;
-		border: 2px solid $aq-sea-foam;
-		font-size: 22px; //1.375rem; //1.125rem;
+		border: 2px solid $aq-neon-blue;
+		font-size: 22px; //1.375rem
 		padding: 16px 27px;
-		color: $aq-dark-abyss;
+		color: $aq-blue-abyss;


 		&:after {
 				content: "";
-				border: solid $aq-dark-abyss;
+				border: solid $aq-blue-abyss;
 				border-width: 0 2px 2px 0;
 				display: inline-block;
 				padding: 4px;
@@ -161,6 +194,8 @@ body {


@import "_slick_slider";
+@import "_glass_v2";
+@import "_hubspot_form";

@import "_trivy_homepage";
@import "_trivy_partners";
--- a/docs/assets/images/partners_hero_stage_03.png
+++ b/docs/assets/images/partners_hero_stage_03.png
--- a/docs/assets/images/partners_hero_stage_full.svg
+++ b/docs/assets/images/partners_hero_stage_full.svg
@@ -1,136 +0,0 @@
-<svg width="955" height="552" viewBox="0 0 955 552" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_105_3404)">
-<path style="mix-blend-mode:screen" d="M477.5 550.515C739.041 550.515 951.062 493.881 951.062 424.02C951.062 354.159 739.041 297.525 477.5 297.525C215.959 297.525 3.93848 354.159 3.93848 424.02C3.93848 493.881 215.959 550.515 477.5 550.515Z" fill="url(#paint0_radial_105_3404)"/>
-<path d="M477.429 517.872C662.885 517.872 813.227 471.96 813.227 415.324C813.227 358.688 662.885 312.776 477.429 312.776C291.972 312.776 141.63 358.688 141.63 415.324C141.63 471.96 291.972 517.872 477.429 517.872Z" fill="url(#paint1_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M477.499 483.397C408.305 483.397 346.09 475.886 297.949 462.558C257.175 451.269 232.037 437.294 221.353 422.418C212.469 410.048 214.366 398.034 224.335 386.952C232.921 377.408 247.227 368.914 265.452 361.526C281.004 355.221 298.91 349.929 318.43 345.55C335.215 341.785 353.006 338.733 371.507 336.329C388.652 334.101 406.148 332.463 423.91 331.372C441.601 330.285 459.458 329.75 477.499 329.75C495.541 329.75 513.398 330.285 531.089 331.372C548.851 332.463 566.347 334.101 583.492 336.329C601.993 338.733 619.784 341.785 636.569 345.55C656.089 349.929 673.995 355.221 689.547 361.526C707.771 368.914 722.078 377.408 730.664 386.952C740.633 398.034 742.53 410.048 733.646 422.418C722.962 437.294 697.824 451.269 657.05 462.558C608.908 475.886 546.694 483.397 477.499 483.397ZM477.499 332.335C409.79 332.335 332.638 342.537 291.568 361.526C217.996 395.542 266.477 452.503 477.499 452.503C688.522 452.503 737.002 395.542 663.431 361.526C622.361 342.537 545.209 332.335 477.499 332.335Z" fill="url(#paint2_linear_105_3404)"/>
-<path d="M477.499 483.397C408.305 483.397 346.09 475.886 297.949 462.558C257.175 451.269 232.037 437.294 221.353 422.418C212.469 410.048 214.366 398.034 224.335 386.952C232.921 377.408 247.227 368.914 265.452 361.526C281.004 355.221 298.91 349.929 318.43 345.55C335.215 341.785 353.006 338.733 371.507 336.329C388.652 334.101 406.148 332.463 423.91 331.372C441.601 330.285 459.458 329.75 477.499 329.75C495.541 329.75 513.398 330.285 531.089 331.372C548.851 332.463 566.347 334.101 583.492 336.329C601.993 338.733 619.784 341.785 636.569 345.55C656.089 349.929 673.995 355.221 689.547 361.526C707.771 368.914 722.078 377.408 730.664 386.952C740.633 398.034 742.53 410.048 733.646 422.418C722.962 437.294 697.824 451.269 657.05 462.558C608.908 475.886 546.694 483.397 477.499 483.397ZM477.499 332.335C409.79 332.335 332.638 342.537 291.568 361.526C217.996 395.542 266.477 452.503 477.499 452.503C688.522 452.503 737.002 395.542 663.431 361.526C622.361 342.537 545.209 332.335 477.499 332.335Z" fill="url(#paint3_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M259.918 195.625V396.907C259.918 421.741 335.038 450.272 479.289 450.272C623.54 450.272 694.755 421.741 694.755 396.907V195.625H259.918Z" fill="url(#paint4_radial_105_3404)" style="mix-blend-mode:screen"/>
-</g>
-<rect x="270" width="127.4" height="127.4" rx="63.7" fill="url(#paint5_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M308.683 38.6782V88.7221H358.717V38.6782H308.683ZM333.897 71.9874H331.365V60.4175C331.365 59.6592 331.191 59.0418 330.844 58.5655C330.496 58.0677 329.945 57.8189 329.186 57.8189C328.47 57.8189 327.886 58.0888 327.431 58.6311C326.996 59.1521 326.78 59.9644 326.78 61.0677V71.9874H324.245V60.2883C324.245 59.5724 324.05 58.988 323.661 58.5325C323.271 58.056 322.75 57.8166 322.1 57.8166C321.321 57.8166 320.713 58.0982 320.281 58.6617C319.87 59.2249 319.663 59.962 319.663 60.8704V71.985H317.128V55.8661H319.663V57.6218H320.053C320.335 56.8636 320.746 56.3119 321.288 55.9646C321.83 55.596 322.468 55.4128 323.205 55.4128C323.985 55.4128 324.626 55.6194 325.123 56.0302C325.642 56.4411 326.001 56.9715 326.196 57.6218H326.585C327.323 56.1476 328.492 55.4128 330.095 55.4128C331.308 55.4128 332.24 55.8026 332.89 56.5818C333.562 57.3401 333.897 58.3378 333.897 59.5724V71.9874ZM350.271 64.8814H338.523V62.5192H350.271V64.8814Z" fill="white"/>
-<rect x="582" y="53" width="127.4" height="127.4" rx="63.7" fill="url(#paint6_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M657.129 101.741C648.057 101.741 640.676 109.178 640.676 118.319V131.66H650.723V118.319C650.723 114.76 653.597 111.864 657.129 111.864H664.322V101.741H657.129Z" fill="white"/>
-<path d="M627.078 109.722V119.845H634.27C637.803 119.845 640.677 122.741 640.677 126.3V131.659H650.724V126.3C650.724 117.159 643.343 109.722 634.27 109.722L627.078 109.722Z" fill="white"/>
-<rect x="413" y="142" width="127.4" height="127.4" rx="63.7" fill="url(#paint7_radial_105_3404)" style="mix-blend-mode:screen"/>
-<path d="M474.372 205.716C474.372 215.983 479.546 223.174 482.084 226.069C482.931 227.035 482.713 227.493 481.429 227.384C469.882 226.407 460.826 217.079 460.826 205.716C460.826 194.134 470.236 184.665 482.103 184.001C482.562 183.975 482.807 184.557 482.491 184.89C480.169 187.338 474.372 194.563 474.372 205.716Z" fill="white"/>
-<path d="M492.574 205.7C492.574 213.349 490.099 219.549 487.604 219.549C485.108 219.549 482.634 213.349 482.634 205.7C482.634 198.052 485.108 191.852 487.604 191.852C490.099 191.852 492.574 198.052 492.574 205.7Z" fill="white"/>
-<defs>
-<radialGradient id="paint0_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(477.5 424.02) scale(473.592 126.487)">
-<stop offset="0.21561" stop-opacity="0"/>
-<stop offset="0.35857" stop-color="#000001" stop-opacity="0.01719"/>
-<stop offset="0.41007" stop-color="#000008" stop-opacity="0.07948"/>
-<stop offset="0.44677" stop-color="#000014" stop-opacity="0.18793"/>
-<stop offset="0.47644" stop-color="#000025" stop-opacity="0.34281"/>
-<stop offset="0.50185" stop-color="#00003B" stop-opacity="0.54446"/>
-<stop offset="0.52396" stop-color="#000055" stop-opacity="0.78851"/>
-<stop offset="0.53903" stop-color="#00006D"/>
-<stop offset="0.61684" stop-color="#00004F" stop-opacity="0.73138"/>
-<stop offset="0.72594" stop-color="#00002D" stop-opacity="0.41483"/>
-<stop offset="0.82925" stop-color="#000014" stop-opacity="0.18628"/>
-<stop offset="0.92338" stop-color="#000005" stop-opacity="0.048"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<radialGradient id="paint1_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.404 415.324) scale(334.454 101.214)">
-<stop offset="0.37547" stop-opacity="0"/>
-<stop offset="0.52923" stop-color="#000001" stop-opacity="0.01"/>
-<stop offset="0.58463" stop-color="#000308" stop-opacity="0.03399"/>
-<stop offset="0.62411" stop-color="#000914" stop-opacity="0.08036"/>
-<stop offset="0.65606" stop-color="#001025" stop-opacity="0.14667"/>
-<stop offset="0.6834" stop-color="#001A3B" stop-opacity="0.23299"/>
-<stop offset="0.70763" stop-color="#002656" stop-opacity="0.33967"/>
-<stop offset="0.72955" stop-color="#003577" stop-opacity="0.46688"/>
-<stop offset="0.74969" stop-color="#00469C" stop-opacity="0.61488"/>
-<stop offset="0.76843" stop-color="#0059C7" stop-opacity="0.78417"/>
-<stop offset="0.78506" stop-color="#006DF5" stop-opacity="0.96381"/>
-<stop offset="0.7881" stop-color="#0072FF"/>
-<stop offset="0.79431" stop-color="#0067E7" stop-opacity="0.90832"/>
-<stop offset="0.80858" stop-color="#0052B7" stop-opacity="0.71982"/>
-<stop offset="0.82404" stop-color="#003E8B" stop-opacity="0.54822"/>
-<stop offset="0.84034" stop-color="#002D66" stop-opacity="0.40029"/>
-<stop offset="0.8577" stop-color="#001F46" stop-opacity="0.27587"/>
-<stop offset="0.87644" stop-color="#00132C" stop-opacity="0.17473"/>
-<stop offset="0.89707" stop-color="#000B18" stop-opacity="0.09676"/>
-<stop offset="0.92064" stop-color="#00040A" stop-opacity="0.04174"/>
-<stop offset="0.94961" stop-color="#000102" stop-opacity="0.01"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<linearGradient id="paint2_linear_105_3404" x1="215.656" y1="406.574" x2="739.343" y2="406.574" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0F0F4D" stop-opacity="0"/>
-<stop offset="0.06993" stop-color="#09092F" stop-opacity="0.38183"/>
-<stop offset="0.5"/>
-<stop offset="0.93423" stop-color="#141437" stop-opacity="0.3394"/>
-<stop offset="1" stop-color="#1F1F54" stop-opacity="0"/>
-</linearGradient>
-<radialGradient id="paint3_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(479.469 413.466) scale(288.083 84.978)">
-<stop offset="0.34944" stop-color="#0000FF"/>
-<stop offset="0.38473" stop-color="#0000DF" stop-opacity="0.87819"/>
-<stop offset="0.45062" stop-color="#0000AC" stop-opacity="0.67456"/>
-<stop offset="0.51936" stop-color="#00007D" stop-opacity="0.49409"/>
-<stop offset="0.58969" stop-color="#000057" stop-opacity="0.3418"/>
-<stop offset="0.66193" stop-color="#000037" stop-opacity="0.21771"/>
-<stop offset="0.73665" stop-color="#00001F" stop-opacity="0.12169"/>
-<stop offset="0.81499" stop-color="#00000D" stop-opacity="0.05347"/>
-<stop offset="0.89922" stop-color="#000003" stop-opacity="0.01299"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<radialGradient id="paint4_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.238 239.456) scale(407.82 212.251)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint5_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(333.378 21.9285) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint6_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(645.378 74.9285) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<radialGradient id="paint7_radial_105_3404" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(476.378 163.928) scale(119.484 106.189)">
-<stop offset="0.52932" stop-opacity="0"/>
-<stop offset="0.55556" stop-color="#000005" stop-opacity="0.02053"/>
-<stop offset="0.58783" stop-color="#020214" stop-opacity="0.07976"/>
-<stop offset="0.62327" stop-color="#04042D" stop-opacity="0.17775"/>
-<stop offset="0.66098" stop-color="#080850" stop-opacity="0.31462"/>
-<stop offset="0.70049" stop-color="#0D0D7D" stop-opacity="0.49051"/>
-<stop offset="0.74152" stop-color="#1313B3" stop-opacity="0.70559"/>
-<stop offset="0.78306" stop-color="#1A1AF3" stop-opacity="0.95483"/>
-<stop offset="0.79009" stop-color="#1C1CFF"/>
-<stop offset="0.88294" stop-color="#0E88FF"/>
-<stop offset="0.96101" stop-color="#04DDFF"/>
-<stop offset="0.99628" stop-color="#00FFFF"/>
-</radialGradient>
-<clipPath id="clip0_105_3404">
-<rect width="955" height="356.375" fill="white" transform="translate(0 195.625)"/>
-</clipPath>
-</defs>
-</svg>
--- a/docs/assets/images/partners_icon_01.png
+++ b/docs/assets/images/partners_icon_01.png
--- a/docs/assets/images/partners_icon_02.png
+++ b/docs/assets/images/partners_icon_02.png
--- a/docs/assets/images/partners_icon_03.png
+++ b/docs/assets/images/partners_icon_03.png
--- a/docs/assets/images/section_icon_12.png
+++ b/docs/assets/images/section_icon_12.png
--- a/docs/build/requirements.txt
+++ b/docs/build/requirements.txt
@@ -72,7 +72,7 @@ pathspec==0.12.1
    #   mkdocs-macros-plugin
 platformdirs==4.3.6
    # via mkdocs-get-deps
-pygments==2.18.0
+pygments==2.19.2
    # via mkdocs-material
 pymdown-extensions==10.12
    # via mkdocs-material
--- a/docs/commercial/compare.md
+++ b/docs/commercial/compare.md
@@ -1,7 +1,7 @@
 # Aqua Security is the home of Trivy

 Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
-If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.  
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
 In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
 If you'd like to learn more or request a demo, [click here to contact us](./contact.md).

@@ -66,7 +66,7 @@ If you'd like to learn more or request a demo, [click here to contact us](./cont

 | Feature | Trivy OSS | Aqua |
 | --- | --- | --- |
-| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
+| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/check/builtin/) | In addition, Build Pipeline configuration scanning |
 | Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
 | Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
 | Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -54,6 +54,21 @@ Your PR must pass all the integration tests. You can test it as below.
 $ mage test:integration
 ```

+### Protocol Buffers
+If you update protobuf files (`.proto`), you need to regenerate the Go code:
+
+```shell
+$ mage protoc:generate
+```
+
+You can also format and lint protobuf files:
+
+```shell
+$ mage protoc:fmt     # Format protobuf files
+$ mage protoc:lint    # Lint protobuf files
+$ mage protoc:breaking # Check for breaking changes against main branch
+```
+
 ### Documentation
 If you update CLI flags, you need to generate the CLI references.
 The test will fail if they are not up-to-date.
--- a/docs/community/contribute/vulnerability-database/add-vulnerability-source.md
+++ b/docs/community/contribute/vulnerability-database/add-vulnerability-source.md
@@ -0,0 +1,144 @@
+# Add Vulnerability Advisory Source
+
+This guide walks through the process of adding a new vulnerability advisory source to Trivy.
+
+!!! info
+    For an overview of how Trivy's vulnerability database works, see the [Overview](overview.md) page.
+
+## Prerequisites
+
+Before starting, ensure you have:
+
+1. Identified the upstream advisory source and its API/format
+2. Checked that the data source doesn't already exist in Trivy
+3. Created a GitHub discussion or issue to discuss the addition
+
+## Required Changes
+
+To add a new vulnerability advisory source, you'll need to make changes across three repositories. Below we'll use the Echo OS support as an example.
+
+### Step 1: Add Fetcher Script (vuln-list-update)
+
+!!! note
+    Skip this step if your advisory source is already managed in a Git repository (e.g., GitHub, GitLab).
+
+Create a fetcher script in [vuln-list-update] to collect advisories from the upstream source.
+
+**Key tasks:**
+
+- Fetch advisories from the upstream API or source
+- Validate the advisory format and data
+- Save advisories as JSON files in the [vuln-list] directory structure
+- **Store original data as-is where possible**: Avoid preprocessing or modifying advisory fields. Save the raw data exactly as provided by the upstream source (format conversion like YAML to JSON is acceptable for consistency)
+- Include all necessary metadata (CVE ID, affected versions, severity, etc.)
+
+**Example PR:**
+
+- [feat(echo): Add Echo Support (vuln-list-update#350)](https://github.com/aquasecurity/vuln-list-update/pull/350)
+
+### Step 2: Add Parser (trivy-db)
+
+Create a parser in [trivy-db] to transform raw advisories into Trivy's database format.
+
+**Key tasks:**
+
+- Create a new vulnerability source in `pkg/vulnsrc/`
+- Implement the advisory parsing logic
+- Map advisory fields to Trivy's vulnerability schema
+- Handle version ranges and affected packages correctly
+- Store CVE mappings if available
+- Add unit tests for the parser
+
+**Example PR:**
+
+- [feat(echo): Add Echo Support (trivy-db#528)](https://github.com/aquasecurity/trivy-db/pull/528)
+
+### Step 3: Add OS/Ecosystem Support (Trivy)
+
+Update [trivy] to support the new operating system or package ecosystem.
+
+**Key tasks:**
+
+- Add OS analyzer in `pkg/fanal/analyzer/os/` to detect the OS
+- Implement vulnerability detection logic if special handling is needed
+- Add integration tests with test data
+- Update documentation to include the new data source
+
+**Example PR:**
+
+- [feat(echo): Add Echo Support (trivy#8833)](https://github.com/aquasecurity/trivy/pull/8833)
+
+## Complete Example: Echo OS Support
+
+The Echo OS support was added through three coordinated PRs:
+
+1. **vuln-list-update**: Fetches Echo advisories from `https://advisory.echohq.com/data.json`
+    - PR: https://github.com/aquasecurity/vuln-list-update/pull/350
+2. **trivy-db**: Parses Echo advisories and stores them in the database
+    - PR: https://github.com/aquasecurity/trivy-db/pull/528
+3. **Trivy**: Detects Echo OS and scans for vulnerabilities
+    - PR: https://github.com/aquasecurity/trivy/pull/8833
+
+## Testing Your Changes
+
+### Test vuln-list-update
+
+First, fetch all existing advisories (required for building the database):
+
+```bash
+cd vuln-list-update
+go run main.go -vuln-list-dir /path/to/vuln-list
+```
+
+Then, test your new data source by fetching only your target:
+
+```bash
+go run main.go -target your-source -vuln-list-dir /path/to/vuln-list
+```
+
+Verify that advisories are correctly saved in the vuln-list directory.
+
+### Test trivy-db
+
+```bash
+cd trivy-db
+make db-build CACHE_DIR=/path/to/cache
+```
+
+Check that the database is built without errors and contains your advisories.
+
+!!! note
+    The `CACHE_DIR` should point to the parent directory of your vuln-list directory. For example, if your vuln-list is at `/tmp/test/vuln-list`, set `CACHE_DIR=/tmp/test`.
+
+You can inspect the built database using BoltDB viewer tools like [boltwiz](https://github.com/Moniseeta/boltwiz):
+
+```bash
+# Open the database
+boltwiz out/trivy.db
+```
+
+This allows you to verify that your vulnerabilities are correctly stored in the database.
+
+### Test Trivy
+
+```bash
+# Build Trivy with your changes
+mage build
+
+# Use your local database
+./trivy image --skip-db-update --cache-dir /path/to/cache your-test-image
+```
+
+Verify that vulnerabilities from your new data source are detected correctly.
+
+## Getting Help
+
+If you have questions or need help:
+
+1. Check existing data sources for reference implementations
+2. [Start a discussion](https://github.com/aquasecurity/trivy/discussions/new) in the Trivy repository
+
+[vuln-list]: https://github.com/aquasecurity/vuln-list
+[vuln-list-update]: https://github.com/aquasecurity/vuln-list-update
+[trivy-db]: https://github.com/aquasecurity/trivy-db
+[trivy]: https://github.com/aquasecurity/trivy
--- a/docs/community/contribute/vulnerability-database/overview.md
+++ b/docs/community/contribute/vulnerability-database/overview.md
@@ -0,0 +1,86 @@
+# Vulnerability Data Sources
+
+This section explains how Trivy's vulnerability database works and how to contribute new advisory data sources.
+
+## Overview
+
+Trivy's vulnerability database is built through a multi-repository workflow involving three main repositories:
+
+```mermaid
+graph LR
+    A[Advisory Sources] -->|vuln-list-update| B[vuln-list]
+    B --> C["trivy-db<br/>(Trivy DB)"]
+    C --> D["trivy<br/>(Trivy CLI)"]
+    E[GitHub-managed<br/>Advisories] --> C
+```
+
+### Workflow Steps
+
+1. **Advisory Collection** ([vuln-list-update])
+    - Fetch raw advisories from upstream sources
+    - Store them in [vuln-list] repository
+    - Run periodically via cron to keep advisories up-to-date
+    - This step can be skipped if advisories are already managed in a Git repository (e.g., GitHub Security Advisories)
+
+2. **Database Build** ([trivy-db])
+    - Parse advisories from [vuln-list] or directly from Git-managed sources
+    - Transform them into Trivy's database format
+    - Publish the built database periodically via cron
+
+3. **Database Consumption** ([trivy])
+    - Download the latest vulnerability database at scan time
+    - Use it to detect vulnerabilities in scan targets
+
+## Why Store Advisories in vuln-list?
+
+For data sources that are not already Git-managed, storing advisories in the [vuln-list] repository provides several benefits:
+
+- **Transparency**: Easy to track changes and differences between advisory versions
+- **Web UI**: Browse advisories directly on GitHub with a user-friendly interface
+- **Stability**: Mitigate issues when upstream advisory servers are unstable or unavailable
+- **Shareability**: Provide stable URLs to reference specific advisories
+- **Data Quality**: Validate advisory data before committing to vuln-list, preventing malformed data or unexpected format changes from breaking Trivy DB
+- **Historical Data**: Preserve past advisories when upstream formats change
+
+## Repository Overview
+
+### [vuln-list-update]
+
+This repository contains scripts that fetch advisories from various upstream sources. Each data source has its own package that handles:
+
+- Fetching advisories from APIs or web sources
+- Validating the advisory format and data
+- Saving them to the [vuln-list] repository
+
+### [vuln-list]
+
+This repository serves as a data storage for raw advisories fetched by [vuln-list-update]. Key characteristics:
+
+- Contains raw advisory data in JSON format
+- Updated automatically by [vuln-list-update] scripts via cron
+- **Not for manual contributions**: Direct pull requests to this repository are not accepted
+- Used as the source for [trivy-db] to build the vulnerability database
+
+### [trivy-db]
+
+This repository contains parsers that transform raw advisories into Trivy's database format. Each data source has its own vulnerability source handler that:
+
+- Reads advisory files from [vuln-list] or directly from Git-managed sources (e.g., GitHub Security Advisories)
+- Maps advisory fields to Trivy's schema
+- Stores vulnerability information in the database
+
+### [trivy]
+
+The main Trivy repository contains:
+
+- OS and package analyzers to detect what's installed
+- Vulnerability detection logic
+
+## Next Steps
+
+Ready to add a new vulnerability advisory source? See the [Add Vulnerability Advisory Source](add-vulnerability-source.md) guide for detailed steps.
+
+[vuln-list]: https://github.com/aquasecurity/vuln-list
+[vuln-list-update]: https://github.com/aquasecurity/vuln-list-update
+[trivy-db]: https://github.com/aquasecurity/trivy-db
+[trivy]: https://github.com/aquasecurity/trivy
--- a/docs/docs/advanced/modules.md
+++ b/docs/docs/advanced/modules.md
@@ -47,8 +47,8 @@ Trivy adheres to the XDG specification, so the location depends on whether XDG_D
 Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
 The preference order is as follows:

- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
- $HOME/.trivy/plugins
+- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
+- $HOME/.trivy/modules

 For example, to download the WebAssembly module, you can execute the following command:

@@ -137,6 +137,10 @@ $ go mod init github.com/aquasecurity/trivy-module-wordpress
 ```go
 package main

+import (
+    "github.com/aquasecurity/trivy/pkg/module/wasm"
+)
+
 const (
    version = 1
    name = "wordpress-module"
@@ -145,6 +149,10 @@ const (
 // main is required for Go to compile the Wasm module
 func main() {}  

+func init() {
+	wasm.RegisterModule(WordpressModule{})
+}
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
--- a/docs/docs/advanced/telemetry-flags.md
+++ b/docs/docs/advanced/telemetry-flags.md
@@ -35,6 +35,7 @@
 --slow
 --tf-exclude-downloaded-modules
 --timeout
--trace
+--trace-http
+--trace-rego
 --vuln-severity-source
 ```
--- a/docs/docs/configuration/filtering.md
+++ b/docs/docs/configuration/filtering.md
@@ -480,6 +480,19 @@ ignore {
 trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
 ```

+To filter findings of a specific type based on a field that may exist in multiple structures (for example, `PkgName` in both `DetectedVulnerability` and `DetectedLicense`), you can use the `Type` field. This field is automatically added when exporting findings to Rego and indicates the kind of finding. Possible values are: `vulnerability`, `misconfiguration`, `secret`, and `license`.
+
+For example, the following policy ignores vulnerabilities with a specific package name without affecting other finding types:
+
+```rego
+package trivy
+
+ignore {
+  input.Type == "vulnerability"
+  input.PkgName == "foo"
+}
+```
+
 For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
 More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).

--- a/docs/docs/configuration/reporting.md
+++ b/docs/docs/configuration/reporting.md
@@ -118,6 +118,11 @@ Nuances of table contents:
    - `-` means that the scanner didn't scan this target.
    - `0` means that the scanner scanned this target, but found no security issues.

+!!! Note
+    For the secret/license scanner, the Trivy report contains only findings.
+    Therefore, we can’t say for sure whether Trivy scanned at least one file or simply didn’t find any findings.
+    That’s why, for these scanners, the summary table uses “-” if no findings are found.
+
 <details>
 <summary>Report Summary</summary>

@@ -612,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.

 ```shell
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 $ trivy convert --format cyclonedx --output result.cdx result.json
 ```

-!!! note
-    Please note that if you want to convert to a format that requires a list of packages,
-    such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
-
 [Filtering options](./filtering.md) such as `--severity` are also available with `convert`.

 ```shell
 # Output all severities in JSON
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11

 # Output only critical issues in table format
 $ trivy convert --format table --severity CRITICAL result.json
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -145,7 +145,7 @@ Trivy parses the manifest files of installed packages in container image scannin
 See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.

 ### Egg
-Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
+Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.

 ### Wheel
 Trivy looks for `.dist-info/METADATA` to identify Python packages.
--- a/docs/docs/coverage/os/alma.md
+++ b/docs/docs/coverage/os/alma.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/alpine.md
+++ b/docs/docs/coverage/os/alpine.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through `apk`.
--- a/docs/docs/coverage/os/amazon.md
+++ b/docs/docs/coverage/os/amazon.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/azure.md
+++ b/docs/docs/coverage/os/azure.md
@@ -28,6 +28,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.
--- a/docs/docs/coverage/os/bottlerocket.md
+++ b/docs/docs/coverage/os/bottlerocket.md
@@ -9,6 +9,12 @@ Trivy supports the following scanners for OS packages.

 Please see [here](index.md#supported-os) for supported versions.

+The table below outlines the features offered by Trivy.
+
+|               Feature                | Supported |
+|:------------------------------------:|:---------:|
+|        End of life awareness         |     -     |
+
 ## SBOM
 Trivy detects packages that are listed in the [software inventory].

--- a/docs/docs/coverage/os/centos.md
+++ b/docs/docs/coverage/os/centos.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Same as [RHEL](rhel.md#sbom).
--- a/docs/docs/coverage/os/chainguard.md
+++ b/docs/docs/coverage/os/chainguard.md
@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |    Detect unfixed vulnerabilities     |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).
--- a/docs/docs/coverage/os/coreos.md
+++ b/docs/docs/coverage/os/coreos.md
@@ -0,0 +1,17 @@
+# CoreOS
+This page describes the deprecated `CoreOS Container Linux` (EOL) and its successor, [Fedora CoreOS][fedora-coreos].
+
+Trivy supports the following scanners for OS packages on these systems.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |     -     |
+|    License    |     -     |
+
+Please see [here](index.md#supported-os) for supported versions.
+
+## SBOM
+Trivy detects packages that are listed in the RPM database.
+
+[fedora-coreos]: https://fedoraproject.org/coreos/
--- a/docs/docs/coverage/os/debian.md
+++ b/docs/docs/coverage/os/debian.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `apt` and `dpkg`.
--- a/docs/docs/coverage/os/echo.md
+++ b/docs/docs/coverage/os/echo.md
@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Unfixed vulnerabilities           |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Same as [Debian](debian.md#sbom).
--- a/docs/docs/coverage/os/google-distroless.md
+++ b/docs/docs/coverage/os/google-distroless.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :----------------------------------: | :-------: |
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Trivy detects packages pre-installed in distroless images.
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -9,42 +9,44 @@ Trivy supports operating systems for

 ## Supported OS

-| OS                                    | Supported Versions                  | Package Managers |
-|---------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.22, edge         | apk              |
-| [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)           | (n/a)                               | apk              |
-| [MinimOS](minimos.md)                 | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8, 9                          | dnf/yum/rpm      |
-| [Red Hat Enterprise Linux](rhel.md)   | 10 (SBOM only)                      | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]               | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                  | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)               | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)             | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
-| [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
-| [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
-| [SUSE Linux Enterprise](suse.md)      | 11, 12, 15                          | zypper/rpm       |
-| [SUSE Linux Enterprise Micro](suse.md)| 5, 6                                | zypper/rpm       |
-| [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Echo](echo.md)                       | (n/a)                               | apt/dpkg         |
-| [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
-| [Bottlerocket](bottlerocket.md)       | 1.7.0 and upper                     | bottlerocket     |
-| [OSs with installed Conda](../others/conda.md)  | -                                   | conda            |
+| OS                                             | Supported Versions                  | Package Managers |
+|------------------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)                      | 2.2 - 2.7, 3.0 - 3.22, edge         | apk              |
+| [Wolfi Linux](wolfi.md)                        | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)                    | (n/a)                               | apk              |
+| [MinimOS](minimos.md)                          | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)            | 6, 7, 8, 9                          | dnf/yum/rpm      |
+| [Red Hat Enterprise Linux](rhel.md)            | 10 (SBOM only)                      | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]                        | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                           | 8, 9, 10                            | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)                        | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)                      | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [Azure Linux (CBL-Mariner)](azure.md)          | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Amazon Linux](amazon.md)                      | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)                       | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)                 | (n/a)                               | zypper/rpm       |
+| [SUSE Linux Enterprise](suse.md)               | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise Micro](suse.md)         | 5, 6                                | zypper/rpm       |
+| [Photon OS](photon.md)                         | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [CoreOS](coreos.md)[^3]                        | All versions (SBOM only)            | rpm              |
+| [Echo](echo.md)                                | (n/a)                               | apt/dpkg         |
+| [Debian GNU/Linux](debian.md)                  | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                            | All versions supported by Canonical | apt/dpkg         |
+| [Bottlerocket](bottlerocket.md)                | 1.7.0 and upper                     | bottlerocket     |
+| [OSs with installed Conda](../others/conda.md) | -                                   | conda            |

 ## Supported container images

-| Container image                               | Supported Versions                  | Package Managers |
-|-----------------------------------------------|-------------------------------------|------------------|
-| [Google Distroless](google-distroless.md)[^2] | Any                                 | apt/dpkg         |
-| [Bitnami](../others/bitnami.md)                         | Any                                 | -                |
+| Container image                               | Supported Versions | Package Managers |
+|-----------------------------------------------|--------------------|------------------|
+| [Google Distroless](google-distroless.md)[^2] | Any                | apt/dpkg         |
+| [Bitnami](../others/bitnami.md)               | Any                | -                |

 Each page gives more details.

 [^1]: CentOS Stream is not supported 
 [^2]: https://github.com/GoogleContainerTools/distroless
+[^3]: Fedora CoreOS and the deprecated CoreOS Container Linux


 [sbom]: ../../supply-chain/sbom.md
--- a/docs/docs/coverage/os/minimos.md
+++ b/docs/docs/coverage/os/minimos.md
@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).
--- a/docs/docs/coverage/os/oracle.md
+++ b/docs/docs/coverage/os/oracle.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :-----------------------------------: | :-------: |
 |        Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/photon.md
+++ b/docs/docs/coverage/os/photon.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `tdnf` and `yum`.
--- a/docs/docs/coverage/os/rhel.md
+++ b/docs/docs/coverage/os/rhel.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 | :----------------------------------: | :-------: |
 |       Unfixed vulnerabilities        |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/rocky.md
+++ b/docs/docs/coverage/os/rocky.md
@@ -15,6 +15,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/suse.md
+++ b/docs/docs/coverage/os/suse.md
@@ -22,6 +22,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |       Unfixed vulnerabilities        |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
--- a/docs/docs/coverage/os/ubuntu.md
+++ b/docs/docs/coverage/os/ubuntu.md
@@ -15,6 +15,7 @@ The following table provides an outline of the features Trivy offers.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     ✓     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     ✓     |

 ## SBOM
 Same as [Debian](debian.md#sbom).
--- a/docs/docs/coverage/os/wolfi.md
+++ b/docs/docs/coverage/os/wolfi.md
@@ -13,6 +13,7 @@ The table below outlines the features offered by Trivy.
 |:------------------------------------:|:---------:|
 |    Detect unfixed vulnerabilities    |     -     |
 | [Dependency graph][dependency-graph] |     ✓     |
+|        End of life awareness         |     -     |

 ## SBOM
 Same as [Alpine Linux](alpine.md#sbom).
--- a/docs/docs/coverage/others/index.md
+++ b/docs/docs/coverage/others/index.md
@@ -16,6 +16,7 @@ Trivy supports them for
 | [Conda](conda.md)              | `<conda-root>/envs/<env>/conda-meta/<package>.json` |     ✅     |     ✅      |       -        |       -        |
 |                                | `environment.yml`                                   |     -     |     -      |       ✅        |       ✅        |
 | [Root.io images](rootio.md)    | -                                                   |     ✅     |     ✅      |       -        |       -        |
+| [Seal Security](seal.md)       | -                                                   |     ✅     |     ✅      |       -        |       -        |
 | [RPM Archives](rpm.md)         | `*.rpm`                                             |   ✅[^5]   |   ✅[^5]    |     ✅[^5]      |     ✅[^5]      |

 [sbom]: ../../supply-chain/sbom.md
--- a/docs/docs/coverage/others/rootio.md
+++ b/docs/docs/coverage/others/rootio.md
@@ -13,6 +13,9 @@ Root.io patches are detected when Trivy finds packages with specific version suf
 When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection.
 Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.

+!!! note
+    For vulnerabilities, Trivy uses the severity level from the original OS vendor (if the vendor has specified a severity).
+
 For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:

 - [Debian](../os/debian.md)
--- a/docs/docs/coverage/others/seal.md
+++ b/docs/docs/coverage/others/seal.md
@@ -0,0 +1,27 @@
+# Seal Security
+
+!!! warning "EXPERIMENTAL"
+    Scanning results may be inaccurate.
+
+While it is not an OS, this page describes the details of the [Seal Security]( https://sealsecurity.io/) vulnerability feed.
+Seal provides security advisories and patched versions for multiple Linux distributions, including [Debian](../os/debian.md), [Ubuntu](../os/ubuntu.md), [Alpine](../os/alpine.md), [Red Hat Enterprise Linux](../os/rhel.md), [CentOS](../os/centos.md), [Oracle Linux](../os/oracle.md), and [Azure Linux (CBL‑Mariner)](../os/azure.md).
+
+Seal advisories are used when Trivy finds packages that indicate Seal-provided components:
+
+- Packages whose name or source name starts with `seal-` (for example, `seal-wget`, `seal-zlib`).
+
+When such Seal packages are detected, Trivy automatically enables Seal scanning for those packages while continuing to use the base OS scanner for the rest.
+
+!!! note
+    For vulnerabilities, Trivy prefers severity from the base OS vendor when available.
+
+For details on supported scanners, features, and behavior for each base OS, refer to their respective pages:
+
+- [Debian](../os/debian.md)
+- [Ubuntu](../os/ubuntu.md)
+- [Alpine](../os/alpine.md)
+- [Red Hat Enterprise Linux](../os/rhel.md)
+- [CentOS](../os/centos.md)
+- [Oracle Linux](../os/oracle.md)
+- [Azure Linux (CBL‑Mariner)](../os/azure.md)
+
--- a/docs/docs/references/configuration/cli/trivy.md
+++ b/docs/docs/references/configuration/cli/trivy.md
@@ -44,11 +44,14 @@ trivy [global flags] command [flags] target
 ### SEE ALSO

 * [trivy clean](trivy_clean.md)	 - Remove cached files
+* [trivy cloud](trivy_cloud.md)	 - Control Trivy Cloud platform integration settings
 * [trivy config](trivy_config.md)	 - Scan config files for misconfigurations
 * [trivy convert](trivy_convert.md)	 - Convert Trivy JSON report into a different format
 * [trivy filesystem](trivy_filesystem.md)	 - Scan local filesystem
 * [trivy image](trivy_image.md)	 - Scan a container image
 * [trivy kubernetes](trivy_kubernetes.md)	 - [EXPERIMENTAL] Scan kubernetes cluster
+* [trivy login](trivy_login.md)	 - Log in to the Trivy Cloud platform
+* [trivy logout](trivy_logout.md)	 - Log out of Trivy Cloud platform
 * [trivy module](trivy_module.md)	 - Manage modules
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy registry](trivy_registry.md)	 - Manage registry authentication
--- a/docs/docs/references/configuration/cli/trivy_cloud.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud.md
@@ -0,0 +1,28 @@
+## trivy cloud
+
+Control Trivy Cloud platform integration settings
+
+### Options
+
+```
+  -h, --help   help for cloud
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config.md
@@ -0,0 +1,32 @@
+## trivy cloud config
+
+Control Trivy Cloud configuration
+
+### Options
+
+```
+  -h, --help   help for config
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud](trivy_cloud.md)	 - Control Trivy Cloud platform integration settings
+* [trivy cloud config edit](trivy_cloud_config_edit.md)	 - Edit Trivy Cloud configuration
+* [trivy cloud config get](trivy_cloud_config_get.md)	 - Get Trivy Cloud configuration
+* [trivy cloud config list](trivy_cloud_config_list.md)	 - List Trivy Cloud configuration
+* [trivy cloud config set](trivy_cloud_config_set.md)	 - Set Trivy Cloud configuration
+* [trivy cloud config unset](trivy_cloud_config_unset.md)	 - Unset Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md
@@ -0,0 +1,35 @@
+## trivy cloud config edit
+
+Edit Trivy Cloud configuration
+
+### Synopsis
+
+Edit Trivy Cloud platform configuration in the default editor specified in the EDITOR environment variable
+
+```
+trivy cloud config edit [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for edit
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config_get.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config_get.md
@@ -0,0 +1,44 @@
+## trivy cloud config get
+
+Get Trivy Cloud configuration
+
+### Synopsis
+
+Get a Trivy Cloud platform configuration
+			
+Available config settings can be viewed by using the `trivy cloud config list` command
+
+```
+trivy cloud config get [setting] [flags]
+```
+
+### Examples
+
+```
+  $ trivy cloud config get server.scanning.enabled
+  $ trivy cloud config get server.scanning.upload-results
+```
+
+### Options
+
+```
+  -h, --help   help for get
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config_list.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config_list.md
@@ -0,0 +1,35 @@
+## trivy cloud config list
+
+List Trivy Cloud configuration
+
+### Synopsis
+
+List Trivy Cloud platform configuration in human readable format
+
+```
+trivy cloud config list [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for list
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config_set.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config_set.md
@@ -0,0 +1,44 @@
+## trivy cloud config set
+
+Set Trivy Cloud configuration
+
+### Synopsis
+
+Set a Trivy Cloud platform setting
+			
+Available config settings can be viewed by using the `trivy cloud config list` command
+
+```
+trivy cloud config set [setting] [value] [flags]
+```
+
+### Examples
+
+```
+  $ trivy cloud config set server.scanning.enabled true
+  $ trivy cloud config set server.scanning.upload-results false
+```
+
+### Options
+
+```
+  -h, --help   help for set
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md
+++ b/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md
@@ -0,0 +1,44 @@
+## trivy cloud config unset
+
+Unset Trivy Cloud configuration
+
+### Synopsis
+
+Unset a Trivy Cloud platform configuration and return it to the default setting
+			
+Available config settings can be viewed by using the `trivy cloud config list` command
+
+```
+trivy cloud config unset [setting] [flags]
+```
+
+### Examples
+
+```
+  $ trivy cloud config unset server.scanning.enabled
+  $ trivy cloud config unset server.scanning.upload-results
+```
+
+### Options
+
+```
+  -h, --help   help for unset
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy cloud config](trivy_cloud_config.md)	 - Control Trivy Cloud configuration
+
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -76,7 +76,7 @@ trivy config [flags] DIR
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
 ```

--- a/docs/docs/references/configuration/cli/trivy_convert.md
+++ b/docs/docs/references/configuration/cli/trivy_convert.md
@@ -10,7 +10,7 @@ trivy convert [flags] RESULT_JSON

 ```
  # report conversion
-  $ trivy image --format json --output result.json --list-all-pkgs debian:11
+  $ trivy image --format json --output result.json debian:11
  $ trivy convert --format cyclonedx --output result.cdx result.json

 ```
@@ -37,7 +37,7 @@ trivy convert [flags] RESULT_JSON
  -h, --help                       help for convert
      --ignore-policy string       specify the Rego file path to evaluate each vulnerability
      --ignorefile string          specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability (default true)
  -o, --output string              output file name
      --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
      --report string              specify a report format for the output (allowed values: all,summary) (default "all")
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -81,7 +81,7 @@ trivy filesystem [flags] PATH
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
@@ -135,7 +135,7 @@ trivy filesystem [flags] PATH
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -99,7 +99,7 @@ trivy image [flags] IMAGE_NAME
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --max-image-size string             [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
@@ -156,7 +156,7 @@ trivy image [flags] IMAGE_NAME
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -91,7 +91,7 @@ trivy kubernetes [flags] [CONTEXT]
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --no-progress                       suppress progress bar
      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
@@ -144,7 +144,7 @@ trivy kubernetes [flags] [CONTEXT]
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_login.md
+++ b/docs/docs/references/configuration/cli/trivy_login.md
@@ -0,0 +1,45 @@
+## trivy login
+
+Log in to the Trivy Cloud platform
+
+### Synopsis
+
+Log in to the Trivy Cloud platform to enable scanning of images and repositories in the cloud using the token retrieved from the Trivy Cloud platform
+
+```
+trivy login [flags]
+```
+
+### Examples
+
+```
+  # Log in to the Trivy Cloud platform
+  $ trivy login --token <token>
+```
+
+### Options
+
+```
+      --api-url string            API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+  -h, --help                      help for login
+      --token string              Token used to athenticate with Trivy Cloud platform
+      --trivy-server-url string   Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/configuration/cli/trivy_logout.md
+++ b/docs/docs/references/configuration/cli/trivy_logout.md
@@ -0,0 +1,31 @@
+## trivy logout
+
+Log out of Trivy Cloud platform
+
+```
+trivy logout [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for logout
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -80,7 +80,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
@@ -134,7 +134,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -83,7 +83,7 @@ trivy rootfs [flags] ROOTDIR
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
@@ -136,7 +136,7 @@ trivy rootfs [flags] ROOTDIR
      --tf-vars strings                   specify paths to override the Terraform tfvars files
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --trace                             enable more verbose trace output for custom queries
+      --trace-rego                        enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -64,7 +64,7 @@ trivy sbom [flags] SBOM_PATH
      --ignored-licenses strings       specify a list of license to ignore
      --ignorefile string              specify .trivyignore file (default ".trivyignore")
      --java-db-repository strings     OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability (default true)
      --no-progress                    suppress progress bar
      --offline-scan                   do not issue API requests to identify dependencies
  -o, --output string                  output file name
--- a/Show More
+++ b/Show More