chore(deps): bump the docker group across 1 directory with 2 updates

Bumps the docker group with 2 updates in the / directory: [github.com/docker/cli](https://github.com/docker/cli) and [github.com/moby/buildkit](https://github.com/moby/buildkit). Updates `github.com/docker/cli` from 29.1.1+incompatible to 29.1.3+incompatible - [Commits](https://github.com/docker/cli/compare/v29.1.1...v29.1.3) Updates `github.com/moby/buildkit` from 0.26.2 to 0.26.3 - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](https://github.com/moby/buildkit/compare/v0.26.2...v0.26.3) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-version: 29.1.3+incompatible dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker - dependency-name: github.com/moby/buildkit dependency-version: 0.26.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker ... Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): bump golang.org/x/tools to v0.40.0 + gopls to v0.21.0 (#9973 )
2025-12-23 07:29:00 -08:00 · 2025-12-22 14:02:14 +00:00 · 2025-12-22 12:20:10 +00:00 · 2025-12-22 11:45:49 +00:00 · 2025-12-22 10:56:30 +00:00 · 2025-12-22 08:55:26 +00:00
171 changed files with 13430 additions and 1647 deletions
--- a/.github/workflows/apidiff.yaml
+++ b/.github/workflows/apidiff.yaml
@@ -65,6 +65,7 @@ jobs:
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
+          check-latest: true # Ensure we use the latest Go patch version
          cache: false

      # Ensure the base commit exists locally for go-apidiff to compare against.
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -18,6 +18,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
--- a/.github/workflows/cache-test-assets.yaml
+++ b/.github/workflows/cache-test-assets.yaml
@@ -22,6 +22,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -55,6 +56,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -88,6 +90,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Run golangci-lint for caching
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -74,6 +74,7 @@ jobs:
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
+          check-latest: true # Ensure we use the latest Go patch version
          cache: false

      - name: Install Go tools
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -69,6 +69,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Generate SBOM
        uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
--- a/.github/workflows/spdx-cron.yaml
+++ b/.github/workflows/spdx-cron.yaml
@@ -16,6 +16,8 @@ jobs:
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
+          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -26,6 +26,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: go mod tidy
        run: |
@@ -80,6 +81,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -113,6 +115,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -132,6 +135,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -167,6 +171,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -201,6 +206,7 @@ jobs:
        with:
          go-version-file: go.mod
          cache: false
+          check-latest: true # Ensure we use the latest Go patch version

      - name: Install Go tools
        run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -236,6 +242,7 @@ jobs:
      with:
        go-version-file: go.mod
        cache: false
+        check-latest: true # Ensure we use the latest Go patch version

    - name: Determine GoReleaser ID
      id: goreleaser_id
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -599,6 +599,36 @@
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2025-4192",
+        "name": "GO-2025-4192",
+        "description": "Sigstore Timestamp Authority allocates excessive memory during request parsing in github.com/sigstore/timestamp-authority",
+        "aliases": [
+          "CVE-2025-66564",
+          "GHSA-4qg8-fj49-pxjh"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    }
  ]
 }
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.22.1
+FROM alpine:3.23.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.22.1
+FROM alpine:3.23.0
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -8,9 +8,11 @@ usage() {
  cat <<EOF
 $this: download go binaries for aquasecurity/trivy

-Usage: $this [-b] bindir [-d] [tag]
+Usage: $this [-b] bindir [-c] client [-d] [tag]
  -b sets bindir or installation directory, Defaults to ./bin
+  -c sets client identifier for download tracking (letters, digits, and '-' characters are allowed), Defaults to install-script
  -d turns on debug logging
+  -x turns on verbose logging
   [tag] is a tag from
   https://github.com/aquasecurity/trivy/releases
   If tag is missing, then the latest will be used.
@@ -27,9 +29,18 @@ parse_args() {
  # over-ridden by flag below

  BINDIR=${BINDIR:-./bin}
-  while getopts "b:dh?x" arg; do
+  CLIENT=${CLIENT:-install-script}
+  while getopts "b:c:dh?x" arg; do
    case "$arg" in
      b) BINDIR="$OPTARG" ;;
+      c)
+        if printf '%s' "$OPTARG" | grep -Eq '^[A-Za-z0-9-]+$'; then
+          CLIENT="$OPTARG"
+        else
+          log_crit "invalid client identifier '${OPTARG}'; allowed characters are: letters, digits, and '-'"
+          exit 1
+        fi
+        ;;
      d) log_set_priority 10 ;;
      h | \?) usage "$0" ;;
      x) set -x ;;
@@ -51,42 +62,14 @@ execute() {
  srcdir="${tmpdir}"
  (cd "${tmpdir}" && untar "${TARBALL}")
  test ! -d "${BINDIR}" && install -d "${BINDIR}"
-  for binexe in $BINARIES; do
-    if [ "$OS" = "windows" ]; then
-      binexe="${binexe}.exe"
-    fi
-    install "${srcdir}/${binexe}" "${BINDIR}/"
-    log_info "installed ${BINDIR}/${binexe}"
-  done
+  binexe="trivy"
+  if [ "$OS" = "windows" ]; then
+    binexe="${binexe}.exe"
+  fi
+  install "${srcdir}/${binexe}" "${BINDIR}/"
+  log_info "installed ${BINDIR}/${binexe}"
  rm -rf "${tmpdir}"
 }
-get_binaries() {
-  case "$PLATFORM" in
-    darwin/386) BINARIES="trivy" ;;
-    darwin/amd64) BINARIES="trivy" ;;
-    darwin/arm64) BINARIES="trivy" ;;
-    darwin/armv7) BINARIES="trivy" ;;
-    freebsd/386) BINARIES="trivy" ;;
-    freebsd/amd64) BINARIES="trivy" ;;
-    freebsd/arm64) BINARIES="trivy" ;;
-    freebsd/armv7) BINARIES="trivy" ;;
-    linux/386) BINARIES="trivy" ;;
-    linux/amd64) BINARIES="trivy" ;;
-    linux/ppc64le) BINARIES="trivy" ;;
-    linux/arm64) BINARIES="trivy" ;;
-    linux/armv7) BINARIES="trivy" ;;
-    linux/s390x) BINARIES="trivy" ;;
-    openbsd/386) BINARIES="trivy" ;;
-    openbsd/amd64) BINARIES="trivy" ;;
-    openbsd/arm64) BINARIES="trivy" ;;
-    openbsd/armv7) BINARIES="trivy" ;;
-    windows/amd64) BINARIES="trivy" ;;
-    *)
-      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
-      exit 1
-      ;;
-  esac
-}
 tag_to_version() {
  if [ -z "${TAG}" ]; then
    log_info "checking GitHub for latest tag"
@@ -137,12 +120,6 @@ adjust_arch() {
    arm64) ARCH=ARM64 ;;
    ppc64le) ARCH=PPC64LE ;;
    s390x) ARCH=s390x ;;
-    darwin) ARCH=macOS ;;
-    dragonfly) ARCH=DragonFlyBSD ;;
-    freebsd) ARCH=FreeBSD ;;
-    linux) ARCH=Linux ;;
-    netbsd) ARCH=NetBSD ;;
-    openbsd) ARCH=OpenBSD ;;
  esac
  true
 }
@@ -382,7 +359,6 @@ EOF
 PROJECT_NAME="trivy"
 OWNER=aquasecurity
 REPO="trivy"
-BINARY=trivy
 FORMAT=tar.gz
 OS=$(uname_os)
 ARCH=$(uname_arch)
@@ -392,16 +368,15 @@ PREFIX="$OWNER/$REPO"
 log_prefix() {
 	echo "$PREFIX"
 }
-PLATFORM="${OS}/${ARCH}"
+
 GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
+GET_DOWNLOAD=https://get.trivy.dev/trivy

 uname_os_check "$OS"
 uname_arch_check "$ARCH"

 parse_args "$@"

-get_binaries
-
 tag_to_version

 adjust_format
@@ -414,7 +389,7 @@ log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"

 NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
 TARBALL=${NAME}.${FORMAT}
-TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
+TARBALL_URL="${GET_DOWNLOAD}?os=${OS}&arch=${ARCH}&version=${VERSION}&type=${FORMAT}&client=${CLIENT}"
 CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
 CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}

--- a/docs/getting-started/signature-verification.md
+++ b/docs/getting-started/signature-verification.md
@@ -26,16 +26,26 @@ The following checks were performed on each of these signatures:

 ## Verifying binary

-Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
+Since Trivy v0.68.1, GitHub Releases provide [sigstore signature bundles](https://docs.sigstore.dev/cosign/bundle/). Separate `.sig` and certificate (`.pem`) files are no longer published.
+
+Download the required tarball and its associated `.sigstore.json` bundle file from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).

 Use the following command for keyless verification:

 ```shell
-cosign verify-blob <path to binary> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+cosign verify-blob-attestation <path to tarball> \
+    --bundle <path to tarball>.sigstore.json \
+    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/<release tag>'
+```
+
+Example for `trivy_0.68.1_Linux-64bit.tar.gz`:
+
+```shell
+cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \
+    --bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json \
+    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1'
 ```

 You should get the following output
--- a/docs/guide/configuration/skipping.md
+++ b/docs/guide/configuration/skipping.md
@@ -68,10 +68,13 @@ image:
 You can customize which files Trivy scans and how it interprets them with the `--file-patterns` flag.
 A file pattern configuration takes the following form: `<analyzer>:<path>`, such that files matching the `<path>` will be processed with the respective `<analyzer>`.

+!!! Note
+    `--file-patterns` flag doesn't disable the default file detection behavior of Trivy. It only adds the file detection based on the specified patterns.
+
 For example:

 ```bash
-trivy fs --file-patterns "pip:.requirements-test.txt ."
+trivy fs --file-patterns "pip:.requirements-test.txt" .
 ```

 This feature is relevant for the following scanners:
@@ -91,14 +94,14 @@ The file path can use a [regular expression](https://pkg.go.dev/regexp/syntax).

 ```bash
 # interpret any file with .txt extension as a python pip requirements file
-trivy fs --file-patterns "pip:requirements-.*\.txt .
+trivy fs --file-patterns "pip:requirements-.*\.txt" .
 ```

 The flag can be repeated for specifying multiple file patterns. For example:

 ```bash
 # look for Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
-trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt ."
+trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt" .
 ```

 [^1]: Only work with the [license-full](../scanner/license.md) flag
--- a/docs/guide/coverage/iac/ansible.md
+++ b/docs/guide/coverage/iac/ansible.md
@@ -0,0 +1,177 @@
+# Ansible
+
+Trivy analyzes tasks in playbooks and roles for misconfigurations in cloud resources.
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+!!! warning "LIMITATIONS"
+    Not all Ansible features are supported. See the [Limitations](#limitations) section for a detailed list.
+
+## Misconfigurations
+
+Trivy recursively scans directories starting from the root and detects Ansible projects by the presence of key files and folders:
+
+- `ansible.cfg`, `inventory`, `group_vars`, `host_vars`, `roles` and `playbooks`
+- YAML files that resemble playbooks
+
+For each project, Trivy performs the following steps:
+
+- **Playbook discovery** — determines entry points, i.e., playbooks that are not used as imports in other playbooks.
+- **Task and variable resolution** — Trivy resolves tasks and variables from plays, imports, and roles.
+- **Module analysis** — modules used in tasks are scanned for insecure configurations. Currently, only cloud resource modules are supported.
+
+### Project scanning
+
+The Ansible scanner is enabled by default. To run only this scanner, use the `--misconfig-scanners ansible` flag:
+
+```bash
+trivy conf --misconfig-scanners ansible .
+```
+
+Example playbook:
+
+```yaml
+- name: Example playbook
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Create S3 bucket
+      amazon.aws.s3_bucket:
+        name: "{{ bucket_name }}"
+        region: "{{ bucket_region }}"
+        state: present
+```
+
+Scan result:
+
+```bash
+AVD-AWS-0093 (HIGH): Public access block does not restrict public buckets
+══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
+
+
+See https://avd.aquasec.com/misconfig/avd-aws-0093
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ test.yaml:6-9
+   via test.yaml:5-9 (tasks)
+    via test.yaml:1-9 (play)
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+   1   - name: Example playbook
+   2     hosts: localhost
+   3     connection: local
+   4     tasks:
+   5       - name: Create S3 bucket
+   6 ┌       amazon.aws.s3_bucket:
+   7 │         name: "{{ bucket_name }}"
+   8 │         region: "{{ bucket_region }}"
+   9 └         state: present
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+
+If the project defines a collection (contains a `galaxy.yaml` file), Trivy can resolve roles using the full name `namespace.collection.role` within the project.
+
+Example `galaxy.yaml`:
+```yaml
+namespace: myorg
+name: mycollection
+version: 1.0.0
+```
+
+Project structure:
+```bash
+roles/
+  myrole/
+    tasks/
+      main.yml
+galaxy.yaml
+```
+
+Using the role in a playbook:
+```yaml
+- name: Apply custom role
+  hosts: localhost
+  tasks:
+    - name: Run role from collection
+      include_role:
+        name: myorg.mycollection.myrole
+```
+
+Trivy can correctly locate and analyze the `myrole` role via the full collection name.
+
+
+### Scanning specific playbooks
+
+To limit scanning to specific playbooks instead of automatically discovering them, use the `--ansible-playbook` flag (can be repeated) with the path to the playbook:
+
+```bash
+trivy config --ansible-playbook playbooks/main.yaml .
+```
+
+### Using inventory
+
+By default, Trivy searches for inventory [in the default location](https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html#how-to-build-your-inventory): `/etc/ansible/hosts`. If an `ansible.cfg` file exists at the project root, the inventory path is taken from it.
+
+To specify a custom inventory source, use the `--ansible-inventory` flag (same as Ansible’s `--inventory`). The flag can be repeated:
+
+```bash
+trivy config --ansible-inventory hosts.ini \
+    --ansible-inventory inventory .
+```
+
+### Passing extra variables
+
+To pass extra variables, use the `--ansible-extra-vars` flag (same as Ansible’s `--extra-vars`). The flag can be repeated:
+
+```bash
+trivy config --ansible-extra-vars region=us-east-1 \
+    --ansible-extra-vars @vars.json .
+```
+
+### Rendering misconfiguration snippet
+
+To display the rendered snippet, use the `--render-cause` flag.
+
+Example output for an S3 bucket task using the `amazon.aws.s3_bucket` module:
+
+```bash
+trivy config --render-cause ansible .
+...
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ 447       - name: "Hetzner Cloud: Create Object Storage (S3 bucket) {{ hetzner_object_storage_name }}"
+ 448 ┌       amazon.aws.s3_bucket:
+ 449 │         endpoint_url: "{{ hetzner_object_storage_endpoint }}"
+ 450 │         ceph: true
+ 451 │         aws_access_key: "{{ hetzner_object_storage_access_key }}"
+ 452 │         aws_secret_key: "{{ hetzner_object_storage_secret_key }}"
+ 453 │         name: "{{ hetzner_object_storage_name }}"
+ 454 │         region: "{{ hetzner_object_storage_region }}"
+ 455 └         requester_pays: false
+ ...   
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+Rendered cause:
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+amazon.aws.s3_bucket:
+    endpoint_url: https://us-east-1.your-objectstorage.com
+    ceph: true
+    aws_access_key: ""
+    aws_secret_key: ""
+    name: test-pgcluster-backup
+    region: us-east-1
+    requester_pays: false
+    state: present
+
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+
+## Limitations
+
+Ansible scanning has several limitations and does not support the following:
+
+- Resolving remote collections
+- Inventory, lookup, and filter plugins (except `dirname`)
+- Setting facts (`set_fact`)
+- Loops: `loop`, `with_<lookup>`, etc.
+- Patterns in a play’s hosts field
+- Host ranges in inventory, e.g., `www[01:50:2].example.com`
+- Only supports the following services: AWS S3. If you have other services or clouds that you would like to see support for, please open a discussion in the Trivy project.
--- a/docs/guide/coverage/iac/index.md
+++ b/docs/guide/coverage/iac/index.md
@@ -8,17 +8,18 @@ Trivy scans Infrastructure as Code (IaC) files for

 ## Supported configurations

-| Config type                         | File patterns                    |
-|-------------------------------------|----------------------------------|
-| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json         |
-| [Docker](docker.md)                 | Dockerfile, Containerfile        |
-| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars     |
-| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.json       |
-| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json         |
-| [Azure ARM Template](azure-arm.md)  | \*.json                          |
-| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc. |
-| [YAML][json-and-yaml]               | \*.yaml, \*.yml                  |
-| [JSON][json-and-yaml]               | \*.json                          |
+| Config type                         | File patterns                                       |
+|-------------------------------------|-----------------------------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                            |
+| [Docker](docker.md)                 | Dockerfile, Containerfile                           |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                        |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.json                          |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                            |
+| [Azure ARM Template](azure-arm.md)  | \*.json                                             |
+| [Helm](helm.md)                     | \*.yml, \*.yaml, \*.tpl, \*.tar.gz, etc.            |
+| [YAML][json-and-yaml]               | \*.yaml, \*.yml                                     |
+| [JSON][json-and-yaml]               | \*.json                                             |
+| [Ansible](ansible.md)               | \*.yml, \*.yaml, \*.json, \*.ini, without extension |

 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md
--- a/docs/guide/coverage/language/julia.md
+++ b/docs/guide/coverage/language/julia.md
@@ -7,7 +7,7 @@ The following scanners are supported.

 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|
-| Pkg.jl          |  ✓   |       -       |    -    |
+| Pkg.jl          |  ✓   |       ✓       |    -    |

 The following table provides an outline of the features Trivy offers.

--- a/docs/guide/coverage/language/php.md
+++ b/docs/guide/coverage/language/php.md
@@ -11,10 +11,10 @@ The following scanners are supported.
 The following table provides an outline of the features Trivy offers.


-| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| Composer        | composer.lock  |            ✓            |     Excluded     |                  ✓                   |    ✓     |
-| Composer        | installed.json |            ✓            |     Excluded     |                  -                   |    ✓     |
+| Package manager | File           | Transitive dependencies |          Dev dependencies          | [Dependency graph][dependency-graph] | Position |
+|-----------------|----------------|:-----------------------:|:----------------------------------:|:------------------------------------:|:--------:|
+| Composer        | composer.lock  |            ✓            | [Excluded](#development-dependencies) |                  ✓                   |    ✓     |
+| Composer        | installed.json |            ✓            |              Excluded              |                  -                   |    ✓     |

 ## composer.lock
 In order to detect dependencies, Trivy searches for `composer.lock`.
@@ -23,6 +23,12 @@ Trivy also supports dependency trees; however, to display an accurate tree, it n
 Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
 If you want to see the dependency tree, please ensure that `composer.json` is present.

+### Development dependencies
+By default, Trivy doesn't report development dependencies (`packages-dev` in `composer.lock`).
+Use the `--include-dev-deps` flag to include them.
+
+To correctly identify direct development dependencies, Trivy parses `require-dev` from `composer.json`, which should be located next to `composer.lock`.
+
 ## installed.json
 Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.

--- a/docs/guide/references/configuration/cli/trivy_config.md
+++ b/docs/guide/references/configuration/cli/trivy_config.md
@@ -9,6 +9,9 @@ trivy config [flags] DIR
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
@@ -46,7 +49,7 @@ trivy config [flags] DIR
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes, available with '--scanners misconfig'
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
@@ -59,7 +62,7 @@ trivy config [flags] DIR
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --registry-token string             registry token
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
  -s, --severity strings                  severities of security issues to be displayed
                                          Allowed values:
--- a/docs/guide/references/configuration/cli/trivy_filesystem.md
+++ b/docs/guide/references/configuration/cli/trivy_filesystem.md
@@ -19,6 +19,9 @@ trivy filesystem [flags] PATH
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
@@ -82,7 +85,7 @@ trivy filesystem [flags] PATH
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
@@ -108,7 +111,7 @@ trivy filesystem [flags] PATH
      --registry-token string             registry token
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --report string                     specify a compliance report format for the output (allowed values: all,summary) (default "all")
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
@@ -168,6 +171,7 @@ trivy filesystem [flags] PATH
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_image.md
+++ b/docs/guide/references/configuration/cli/trivy_image.md
@@ -34,6 +34,9 @@ trivy image [flags] IMAGE_NAME
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
@@ -101,7 +104,7 @@ trivy image [flags] IMAGE_NAME
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
      --max-image-size string             [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
@@ -130,7 +133,7 @@ trivy image [flags] IMAGE_NAME
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --report string                     specify a format for the compliance report. (allowed values: all,summary) (default "summary")
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
@@ -189,6 +192,7 @@ trivy image [flags] IMAGE_NAME
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/guide/references/configuration/cli/trivy_kubernetes.md
@@ -29,6 +29,9 @@ trivy kubernetes [flags] [CONTEXT]
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --burst int                         specify the maximum burst for throttle (default 10)
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
@@ -92,7 +95,7 @@ trivy kubernetes [flags] [CONTEXT]
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --no-progress                       suppress progress bar
      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
      --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
@@ -120,7 +123,7 @@ trivy kubernetes [flags] [CONTEXT]
      --registry-token string             registry token
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --report string                     specify a report format for the output (allowed values: all,summary) (default "all")
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
@@ -177,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_repository.md
+++ b/docs/guide/references/configuration/cli/trivy_repository.md
@@ -18,6 +18,9 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --branch string                     pass the branch name to be scanned
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
@@ -81,7 +84,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
@@ -107,7 +110,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --registry-token string             registry token
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -167,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_rootfs.md
+++ b/docs/guide/references/configuration/cli/trivy_rootfs.md
@@ -22,6 +22,9 @@ trivy rootfs [flags] ROOTDIR
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
@@ -84,7 +87,7 @@ trivy rootfs [flags] ROOTDIR
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
@@ -110,7 +113,7 @@ trivy rootfs [flags] ROOTDIR
      --registry-token string             registry token
      --rego-error-limit int              maximum number of compile errors allowed during Rego policy evaluation (default 10)
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -169,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_sbom.md
+++ b/docs/guide/references/configuration/cli/trivy_sbom.md
@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
                                         - chainguard
                                         - bitnami
                                         - govulndb
+                                         - julia
                                         - echo
                                         - minimos
                                         - rootio
--- a/docs/guide/references/configuration/cli/trivy_vm.md
+++ b/docs/guide/references/configuration/cli/trivy_vm.md
@@ -20,6 +20,9 @@ trivy vm [flags] VM_IMAGE
 ### Options

 ```
+      --ansible-extra-vars strings        set additional variables as key=value or @file (YAML/JSON)
+      --ansible-inventory strings         specify inventory host path or comma separated host list
+      --ansible-playbook strings          specify playbook file path(s) to scan
      --aws-region string                 AWS region to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
@@ -76,7 +79,7 @@ trivy vm [flags] VM_IMAGE
      --include-non-failures              include successes, available with '--scanners misconfig'
      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
@@ -98,7 +101,7 @@ trivy vm [flags] VM_IMAGE
      --redis-key string                  redis key file location, if using redis as cache backend
      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
+      --render-cause strings              specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
      --scanners strings                  comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -153,6 +156,7 @@ trivy vm [flags] VM_IMAGE
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/config-file.md
+++ b/docs/guide/references/configuration/config-file.md
@@ -379,6 +379,16 @@ license:
 ## Misconfiguration options

 ```yaml
+ansible:
+  # Same as '--ansible-extra-vars'
+  extra-vars: []
+
+  # Same as '--ansible-inventory'
+  inventories: []
+
+  # Same as '--ansible-playbook'
+  playbooks: []
+
 misconfiguration:
  # Same as '--checks-bundle-repository'
  checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"
@@ -428,6 +438,7 @@ misconfiguration:
   - terraform
   - terraformplan-json
   - terraformplan-snapshot
+   - ansible

  terraform:
    # Same as '--tf-exclude-downloaded-modules'
--- a/docs/guide/scanner/vulnerability.md
+++ b/docs/guide/scanner/vulnerability.md
@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
 | Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
 | Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
+| Julia    | [Open Source Vulnerabilities (Julia)][julia-osv]    |       ✅        |     -     |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i

 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
+[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia

 [nvd]: https://nvd.nist.gov/vuln

 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

 [CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
-[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
+[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
 [precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
-	github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
+	github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.9.1
 	github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -41,17 +41,17 @@ require (
 	github.com/containerd/containerd/v2 v2.2.0
 	github.com/containerd/platforms v1.0.0-rc.2
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v29.0.3+incompatible
+	github.com/docker/cli v29.1.3+incompatible
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0
 	github.com/fatih/color v1.18.0
-	github.com/go-git/go-git/v5 v5.16.3
+	github.com/go-git/go-git/v5 v5.16.4
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/go-viper/mapstructure/v2 v2.4.0
-	github.com/gocsaf/csaf/v3 v3.4.0
+	github.com/gocsaf/csaf/v3 v3.5.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/google/go-containerregistry v0.20.6
+	github.com/google/go-containerregistry v0.20.7
 	github.com/google/go-github/v62 v62.0.0
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.6.0
@@ -59,7 +59,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.8
 	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hashicorp/go-version v1.7.0
+	github.com/hashicorp/go-version v1.8.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/hc-install v0.9.2
 	github.com/hashicorp/hcl/v2 v2.24.0
@@ -81,9 +81,10 @@ require (
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.26.2
+	github.com/moby/buildkit v0.26.3
 	github.com/moby/docker-image-spec v1.3.1
-	github.com/open-policy-agent/opa v1.10.1
+	github.com/moby/moby/client v0.2.1 // indirect
+	github.com/open-policy-agent/opa v1.11.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
@@ -101,7 +102,7 @@ require (
 	github.com/sosedoff/gitkit v0.4.0
 	github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
 	github.com/spf13/cast v1.10.0
-	github.com/spf13/cobra v1.10.1
+	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
@@ -115,13 +116,13 @@ require (
 	github.com/zclconf/go-cty v1.17.0
 	github.com/zclconf/go-cty-yaml v1.1.0
 	go.etcd.io/bbolt v1.4.3
-	golang.org/x/crypto v0.45.0
-	golang.org/x/mod v0.30.0
-	golang.org/x/net v0.47.0
-	golang.org/x/sync v0.18.0
-	golang.org/x/term v0.37.0
-	golang.org/x/text v0.31.0
-	golang.org/x/tools v0.38.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/mod v0.31.0
+	golang.org/x/net v0.48.0
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.38.0
+	golang.org/x/text v0.32.0
+	golang.org/x/tools v0.40.0
 	golang.org/x/vuln v1.1.4
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
 	google.golang.org/protobuf v1.36.10
@@ -132,6 +133,11 @@ require (
 	modernc.org/sqlite v1.40.1
 )

+require (
+	github.com/go-ini/ini v1.67.0
+	github.com/nikolalohinski/gonja/v2 v2.4.2
+)
+
 require (
 	buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1 // indirect
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1 // indirect
@@ -219,7 +225,7 @@ require (
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/plugin v1.0.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
@@ -253,7 +259,6 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
-	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -281,7 +286,7 @@ require (
 	github.com/go-openapi/validate v0.25.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.15.23 // indirect
+	github.com/goccy/go-yaml v1.19.0 // indirect
 	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -314,6 +319,7 @@ require (
 	github.com/jdx/go-netrc v1.0.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
+	github.com/josephburnett/jd/v2 v2.3.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.1 // indirect
@@ -326,7 +332,7 @@ require (
 	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
-	github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
@@ -345,7 +351,6 @@ require (
 	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/moby/api v1.52.0 // indirect
-	github.com/moby/moby/client v0.1.0 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
@@ -365,8 +370,6 @@ require (
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/oklog/ulid/v2 v2.1.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
-	github.com/onsi/gomega v1.36.3 // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/opencontainers/selinux v1.13.0 // indirect
 	github.com/owenrumney/squealer v1.2.11 // indirect
@@ -384,8 +387,8 @@ require (
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.17.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.1 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.57.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
@@ -396,7 +399,7 @@ require (
 	github.com/samber/oops v1.18.1 // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/segmentio/encoding v0.5.3 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
@@ -426,7 +429,7 @@ require (
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/vbatts/tar-split v0.12.2 // indirect
-	github.com/vektah/gqlparser/v2 v2.5.30 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.31 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -457,23 +460,22 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
-	go.uber.org/mock v0.5.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
 	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc // indirect
 	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d // indirect
+	golang.org/x/tools/gopls v0.21.0 // indirect
 	google.golang.org/api v0.254.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
+github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d h1:mwCxwhDRnW5UkSQdZfekTCjaLyWp1rqfIa6KKRdMDAo=
+github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d/go.mod h1:B0cbg/BEHbJg2RcS7PLdlbGCzz2TkChcZAiI4oSs0VI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -316,8 +316,8 @@ github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKC
 github.com/buildkite/go-pipeline v0.3.2/go.mod h1:iY5jzs3Afc8yHg6KDUcu3EJVkfaUkd9x/v/OH98qyUA=
 github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE=
 github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gbPR1gPu9dB96mucYIR7T3B7p/78hRVSOuzIWLHK2Y4=
-github.com/bytecodealliance/wasmtime-go/v37 v37.0.0 h1:DPjdn2V3JhXHMoZ2ymRqGK+y1bDyr9wgpyYCvhjMky8=
-github.com/bytecodealliance/wasmtime-go/v37 v37.0.0/go.mod h1:Pf1l2JCTUFMnOqDIwkjzx1qfVJ09xbaXETKgRVE4jZ0=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
@@ -370,8 +370,8 @@ github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6a
 github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
 github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
-github.com/containerd/stargz-snapshotter/estargz v0.17.0 h1:+TyQIsR/zSFI1Rm31EQBwpAA1ovYgIKHy7kctL3sLcE=
-github.com/containerd/stargz-snapshotter/estargz v0.17.0/go.mod h1:s06tWAiJcXQo9/8AReBCIo/QxcXFZ2n4qfsRnpl71SM=
+github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8=
+github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q=
 github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
 github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
@@ -424,8 +424,8 @@ github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
 github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=
-github.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c=
+github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
@@ -508,8 +508,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
-github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.4 h1:7ajIEZHZJULcyJebDLo99bGgS0jRrOxzZG4uCk2Yb2Y=
+github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
@@ -598,10 +598,10 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.8.1/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
-github.com/goccy/go-yaml v1.15.23 h1:WS0GAX1uNPDLUvLkNU2vXq6oTnsmfVFocjQ/4qA48qo=
-github.com/goccy/go-yaml v1.15.23/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
-github.com/gocsaf/csaf/v3 v3.4.0 h1:rzVTiA5WmzTHumgGfK/823h0zQ0y4WAS+Rorhcm2LDE=
-github.com/gocsaf/csaf/v3 v3.4.0/go.mod h1:MmKPoT9IhckqbC590XvKbCkRstuba9vbL+HT3bsuQLk=
+github.com/goccy/go-yaml v1.19.0 h1:EmkZ9RIsX+Uq4DYFowegAuJo8+xdX3T/2dwNPXbxEYE=
+github.com/goccy/go-yaml v1.19.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/gocsaf/csaf/v3 v3.5.0 h1:tj8l1vK2V8GwjCh3axwKF/yJ9d28xuFn3NsZDdPSkJ8=
+github.com/gocsaf/csaf/v3 v3.5.0/go.mod h1:JKOjRGPvEFalUm5u2vP1itqqgUaojWTpBtGlhEUI7g0=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
@@ -662,8 +662,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
-github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
+github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I=
+github.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM=
 github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
 github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
 github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
@@ -737,8 +737,8 @@ github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2w
 github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
-github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
+github.com/hashicorp/go-version v1.8.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -784,6 +784,8 @@ github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
 github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/josephburnett/jd/v2 v2.3.0 h1:AyNT0zSStJ2j28zutWDO4fkc95JoICryWQRmDTRzPTQ=
+github.com/josephburnett/jd/v2 v2.3.0/go.mod h1:0I5+gbo7y8diuajJjm79AF44eqTheSJy1K7DSbIUFAQ=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
@@ -834,8 +836,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
 github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
-github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w=
-github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -900,8 +902,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.26.2 h1:EIh5j0gzRsCZmQzvgNNWzSDbuKqwUIiBH7ssqLv8RU8=
-github.com/moby/buildkit v0.26.2/go.mod h1:ylDa7IqzVJgLdi/wO7H1qLREFQpmhFbw2fbn4yoTw40=
+github.com/moby/buildkit v0.26.3 h1:D+ruZVAk/3ipRq5XRxBH9/DIFpRjSlTtMbghT5gQP9g=
+github.com/moby/buildkit v0.26.3/go.mod h1:4T4wJzQS4kYWIfFRjsbJry4QoxDBjK+UGOEOs1izL7w=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
@@ -910,8 +912,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
 github.com/moby/moby/api v1.52.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
-github.com/moby/moby/client v0.1.0 h1:nt+hn6O9cyJQqq5UWnFGqsZRTS/JirUqzPjEl0Bdc/8=
-github.com/moby/moby/client v0.1.0/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
+github.com/moby/moby/client v0.2.1 h1:1Grh1552mvv6i+sYOdY+xKKVTvzJegcVMhuXocyDz/k=
+github.com/moby/moby/client v0.2.1/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
@@ -949,6 +951,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nikolalohinski/gonja/v2 v2.4.2 h1:1tmj/ICrskH8/9dtuQ9MNnQsyId4AkUe9qlCFmVQ9eI=
+github.com/nikolalohinski/gonja/v2 v2.4.2/go.mod h1:UIzXPVuOsr5h7dZ5DUbqk3/Z7oFA/NLGQGMjqT4L2aU=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -973,10 +977,10 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
-github.com/open-policy-agent/opa v1.10.1 h1:haIvxZSPky8HLjRrvQwWAjCPLg8JDFSZMbbG4yyUHgY=
-github.com/open-policy-agent/opa v1.10.1/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/open-policy-agent/opa v1.11.0 h1:eOd/jJrbavakiX477yT4LrXZfUWViAot/AsKsjsfe7o=
+github.com/open-policy-agent/opa v1.11.0/go.mod h1:QimuJO4T3KYxWzrmAymqlFvsIanCjKrGjmmC8GgAdgE=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -1039,10 +1043,10 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuMRoVWSkXC4uvY=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
-github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
+github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
@@ -1085,8 +1089,8 @@ github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgm
 github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k=
 github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g=
 github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU=
-github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
-github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
 github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
@@ -1142,8 +1146,8 @@ github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v0.0.0-20170130214531-35136c09d8da/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -1226,8 +1230,8 @@ github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXV
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
 github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
-github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE=
-github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo=
+github.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k=
+github.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
@@ -1351,13 +1355,15 @@ go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.3 h1:3h1fjsh1CTAPjW7q/EMe+C8shx5d8ctzZTrLcs/j8Go=
+go.yaml.in/yaml/v4 v4.0.0-rc.3/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
 golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
@@ -1366,8 +1372,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1386,18 +1392,18 @@ golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
+golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1431,22 +1437,22 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU=
-golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc h1:bH6xUXay0AIFMElXG2rQ4uiE+7ncwtiOdPfYK1NK2XA=
+golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1458,14 +1464,14 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
-golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d h1:6bY3I4SaYYyjRr2TVIK+OHCsZi4p+/JML81sG2SQqV0=
-golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d/go.mod h1:X0eOMgDrjTIsou7ZNWeP60nlRFUVEtxFuzXzwUa2e8s=
+golang.org/x/tools/gopls v0.21.0 h1:k8RlBm3ES+GVe+fbTSkzwKgarmNwN+6aDalb0T0xfag=
+golang.org/x/tools/gopls v0.21.0/go.mod h1:x/34IonzHuKpDDlMUjYezcjbwNOJ32FtrYOLqAuOmNo=
 golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
 golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1518,8 +1524,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
-gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.19.1
-appVersion: 0.67.2
+version: 0.20.1
+appVersion: 0.68.2
 description: Trivy helm chart
 keywords:
  - scanner
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -78,6 +78,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |
 | `trivy.extraEnvVars`                  | extraEnvVars to be set on the container                                 | `{}` |
+| `trivy.sslCertDir`                    | Can be used to override the system default locations for SSL certificate files directory, example: `/ssl/certs` | `` |
 | `service.name`                        | If specified, the name used for the Trivy service                       |     |
 | `service.type`                        | Kubernetes service type                                                 | `ClusterIP` |
 | `service.port`                        | Kubernetes service port                                                 | `4954`      |
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -27,3 +27,6 @@ data:
 {{- with .Values.trivy.extraEnvVars }}
  {{- . | toYaml | nindent 2 }}
 {{- end }}
+{{- if .Values.trivy.sslCertDir }}
+  SSL_CERT_DIR: {{ .Values.trivy.sslCertDir | quote }}
+{{- end }}
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -17,7 +17,7 @@ spec:
      app.kubernetes.io/instance: {{ .Release.Name }}
  {{- if .Values.persistence.enabled }}
  volumeClaimTemplates:
-    - apiVersion: v1	
+    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: data
@@ -125,6 +125,11 @@ spec:
            - mountPath: /home/scanner/.cache
              name: data
              readOnly: false
+          {{- with .Values.trivy.sslCertDir }}
+            - mountPath: {{ . }}
+              name: ssl-cert-dir
+              readOnly: true
+          {{- end }}
          {{- if .Values.resources }}
          resources:
 {{ toYaml .Values.resources | indent 12 }}
@@ -136,3 +141,8 @@ spec:
        - name: data
          emptyDir: {}
        {{- end }}
+        {{- with .Values.trivy.sslCertDir }}
+        - name: ssl-cert-dir
+          hostPath:
+            path: {{ . }}
+        {{- end }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -128,6 +128,8 @@ trivy:
  existingSecret: ""
  # extraEnvVars to be set on the container
  extraEnvVars: {}
+  # sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
+  sslCertDir: ""

 service:
  # If specified, the name used for the Trivy service.
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -72,7 +72,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1",
-            "UID": "3f965238234faa63"
+            "UID": "3ff1aff39832f37f"
          },
          "InstalledVersion": "1:1.1.1k-4.el8",
          "FixedVersion": "1:1.1.1k-5.el8_5",
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -73,7 +73,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03",
-            "UID": "9fafb1be522b1e7"
+            "UID": "6120700171ade460"
          },
          "InstalledVersion": "7.61.1-11.91.amzn1",
          "FixedVersion": "7.61.1-12.93.amzn1",
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -73,7 +73,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
-            "UID": "c5998529d683c5c3"
+            "UID": "6ae14ab68a9937a4"
          },
          "InstalledVersion": "7.61.1-9.amzn2.0.1",
          "FixedVersion": "7.61.1-12.amzn2.0.1",
@@ -146,7 +146,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
-            "UID": "c5998529d683c5c3"
+            "UID": "6ae14ab68a9937a4"
          },
          "InstalledVersion": "7.61.1-9.amzn2.0.1",
          "FixedVersion": "7.61.1-11.amzn2.0.2",
--- a/integration/testdata/centos-6.json.golden
+++ b/integration/testdata/centos-6.json.golden
@@ -95,7 +95,7 @@
          "PkgName": "glibc",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10",
-            "UID": "24b11591bb7262c4"
+            "UID": "8a375d9a81c8ed09"
          },
          "InstalledVersion": "2.12-1.212.el6",
          "Status": "end_of_life",
@@ -153,7 +153,7 @@
          "PkgName": "openssl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10",
-            "UID": "935959fd0ed81eb9"
+            "UID": "3250412c84ceb835"
          },
          "InstalledVersion": "1.0.1e-57.el6",
          "FixedVersion": "1.0.1e-58.el6_10",
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -88,7 +88,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
-            "UID": "20f09cdcea6545a2"
+            "UID": "74d0a3456f5c43a3"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
@@ -183,7 +183,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
-            "UID": "20f09cdcea6545a2"
+            "UID": "74d0a3456f5c43a3"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/centos-7-medium.json.golden
+++ b/integration/testdata/centos-7-medium.json.golden
@@ -88,7 +88,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
-            "UID": "20f09cdcea6545a2"
+            "UID": "74d0a3456f5c43a3"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -85,7 +85,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
-            "UID": "64aff37eb11b9c25"
+            "UID": "1e73732cad16e536"
          },
          "InstalledVersion": "4.2.46-31.el7",
          "Status": "will_not_fix",
@@ -147,7 +147,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
-            "UID": "20f09cdcea6545a2"
+            "UID": "74d0a3456f5c43a3"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
@@ -242,7 +242,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
-            "UID": "20f09cdcea6545a2"
+            "UID": "74d0a3456f5c43a3"
          },
          "InstalledVersion": "1:1.0.2k-16.el7",
          "FixedVersion": "1:1.0.2k-19.el7",
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -76,7 +76,7 @@
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
-            "UID": "24f9b08969c58720"
+            "UID": "ba4e8c27afaa206c"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -73,7 +73,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1",
-            "UID": "170e4e5a30145f9c"
+            "UID": "ccac7cdb2b01effd"
          },
          "InstalledVersion": "5.0-4",
          "Status": "affected",
@@ -141,7 +141,7 @@
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
-            "UID": "24f9b08969c58720"
+            "UID": "ba4e8c27afaa206c"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -73,7 +73,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9",
-            "UID": "17a77561513a84ba"
+            "UID": "5050d6cecedb6b16"
          },
          "InstalledVersion": "4.4-5",
          "Status": "end_of_life",
@@ -141,7 +141,7 @@
          "PkgName": "e2fslibs",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
-            "UID": "f7397849f56886cf"
+            "UID": "4fbd6c91e1a18086"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -216,7 +216,7 @@
          "PkgName": "e2fsprogs",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
-            "UID": "84536029ca820a6c"
+            "UID": "b0c2238df13ced7c"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -291,7 +291,7 @@
          "PkgName": "libcomerr2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
-            "UID": "d911133b560d334c"
+            "UID": "fb99250ee0ffc0d0"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
@@ -366,7 +366,7 @@
          "PkgName": "libss2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
-            "UID": "d9396c7f91558633"
+            "UID": "c5648e376c234084"
          },
          "InstalledVersion": "1.43.4-2",
          "FixedVersion": "1.43.4-2+deb9u1",
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -76,7 +76,7 @@
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "96b92444b87304a5"
+            "UID": "4115f1455e5bd09d"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -162,7 +162,7 @@
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "96b92444b87304a5"
+            "UID": "4115f1455e5bd09d"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
@@ -254,7 +254,7 @@
          "PkgName": "openssl",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "ed86402b9a8c2be6"
+            "UID": "c007f47f4b22b5a9"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -340,7 +340,7 @@
          "PkgName": "openssl",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "ed86402b9a8c2be6"
+            "UID": "c007f47f4b22b5a9"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -103,7 +103,7 @@
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "96b92444b87304a5"
+            "UID": "4115f1455e5bd09d"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -189,7 +189,7 @@
          "PkgName": "libssl1.1",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "96b92444b87304a5"
+            "UID": "4115f1455e5bd09d"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
@@ -281,7 +281,7 @@
          "PkgName": "openssl",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "ed86402b9a8c2be6"
+            "UID": "c007f47f4b22b5a9"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "Status": "affected",
@@ -367,7 +367,7 @@
          "PkgName": "openssl",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
-            "UID": "ed86402b9a8c2be6"
+            "UID": "c007f47f4b22b5a9"
          },
          "InstalledVersion": "1.1.0k-1~deb9u1",
          "FixedVersion": "1.1.0l-1~deb9u1",
--- a/integration/testdata/fluentd-gems.json.golden
+++ b/integration/testdata/fluentd-gems.json.golden
@@ -154,7 +154,7 @@
          "PkgName": "libidn2-0",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2",
-            "UID": "14f80a7091a08e71"
+            "UID": "cd3028817db3f25a"
          },
          "InstalledVersion": "2.0.5-1",
          "FixedVersion": "2.0.5-1+deb10u1",
--- a/integration/testdata/mariner-1.0.json.golden
+++ b/integration/testdata/mariner-1.0.json.golden
@@ -57,7 +57,7 @@
          "PkgName": "vim",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
-            "UID": "3f08cd76fa5ba73d"
+            "UID": "437a9a3c0d29deb9"
          },
          "InstalledVersion": "8.2.4081-1.cm1",
          "Status": "affected",
@@ -95,7 +95,7 @@
          "PkgName": "vim",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
-            "UID": "3f08cd76fa5ba73d"
+            "UID": "437a9a3c0d29deb9"
          },
          "InstalledVersion": "8.2.4081-1.cm1",
          "FixedVersion": "8.2.4082-1.cm1",
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -81,7 +81,7 @@
          "PkgName": "libopenssl1_1",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
-            "UID": "898b73ddd0412f57"
+            "UID": "a5c414d06155f471"
          },
          "InstalledVersion": "1.1.0i-lp151.8.3.1",
          "FixedVersion": "1.1.0i-lp151.8.6.1",
@@ -115,7 +115,7 @@
          "PkgName": "openssl-1_1",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
-            "UID": "58980d005de43f54"
+            "UID": "937f6db3d7249e11"
          },
          "InstalledVersion": "1.1.0i-lp151.8.3.1",
          "FixedVersion": "1.1.0i-lp151.8.6.1",
--- a/integration/testdata/opensuse-tumbleweed.json.golden
+++ b/integration/testdata/opensuse-tumbleweed.json.golden
@@ -84,7 +84,7 @@
          "PkgName": "libopenssl3",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse-tumbleweed-20240607",
-            "UID": "f051425f385d2b99"
+            "UID": "f71b3dc2f2cc0d84"
          },
          "InstalledVersion": "3.1.4-9.1",
          "FixedVersion": "3.1.5-9.1",
--- a/integration/testdata/oraclelinux-8.json.golden
+++ b/integration/testdata/oraclelinux-8.json.golden
@@ -82,7 +82,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
-            "UID": "6837a94bd82971ac"
+            "UID": "a8682a2156651fbe"
          },
          "InstalledVersion": "7.61.1-8.el8",
          "FixedVersion": "7.61.1-11.el8",
@@ -154,7 +154,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
-            "UID": "6837a94bd82971ac"
+            "UID": "a8682a2156651fbe"
          },
          "InstalledVersion": "7.61.1-8.el8",
          "FixedVersion": "7.61.1-12.el8",
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
@@ -83,7 +83,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/photon/bash@4.4.18-1.ph3?arch=x86_64\u0026distro=photon-3.0",
-            "UID": "a092142482df7886"
+            "UID": "8bd74904a15c7d6d"
          },
          "InstalledVersion": "4.4.18-1.ph3",
          "FixedVersion": "4.4.18-2.ph3",
@@ -148,7 +148,7 @@
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/photon/curl@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
-            "UID": "1f44492024a630e8"
+            "UID": "6b6a4de732e563ee"
          },
          "InstalledVersion": "7.61.1-4.ph3",
          "FixedVersion": "7.61.1-5.ph3",
@@ -221,7 +221,7 @@
          "PkgName": "curl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/photon/curl-libs@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
-            "UID": "434cc417a46529a9"
+            "UID": "b33cf1cac05c76c2"
          },
          "InstalledVersion": "7.61.1-4.ph3",
          "FixedVersion": "7.61.1-5.ph3",
--- a/integration/testdata/rockylinux-8.json.golden
+++ b/integration/testdata/rockylinux-8.json.golden
@@ -72,7 +72,7 @@
          "PkgName": "openssl-libs",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/rocky/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=rocky-8.5\u0026epoch=1",
-            "UID": "2a2f49f9bf5fc512"
+            "UID": "cb8148bafbe15690"
          },
          "InstalledVersion": "1:1.1.1k-4.el8",
          "FixedVersion": "1:1.1.1k-5.el8_5",
--- a/integration/testdata/ubi-7-comprehensive.json.golden
+++ b/integration/testdata/ubi-7-comprehensive.json.golden
@@ -101,7 +101,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/redhat/bash@4.2.46-33.el7?arch=x86_64\u0026distro=redhat-7.7",
-            "UID": "f5b786381193ad1b"
+            "UID": "12819dd4d4181abf"
          },
          "InstalledVersion": "4.2.46-33.el7",
          "Status": "will_not_fix",
--- a/integration/testdata/ubi-7.json.golden
+++ b/integration/testdata/ubi-7.json.golden
@@ -101,7 +101,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/redhat/bash@4.2.46-33.el7?arch=x86_64\u0026distro=redhat-7.7",
-            "UID": "f5b786381193ad1b"
+            "UID": "12819dd4d4181abf"
          },
          "InstalledVersion": "4.2.46-33.el7",
          "Status": "will_not_fix",
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
@@ -106,7 +106,7 @@
          "PkgName": "e2fsprogs",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "f43bbfe1f933f718"
+            "UID": "eddde4dbdb2df58c"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -178,7 +178,7 @@
          "PkgName": "libcom-err2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "e7d11d906afeb678"
+            "UID": "87ee4bdeca236f23"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -250,7 +250,7 @@
          "PkgName": "libext2fs2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "19d89bf66d83962e"
+            "UID": "f5dac6a49dfab96c"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -322,7 +322,7 @@
          "PkgName": "libss2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "231804324b8f13c6"
+            "UID": "119f1602425ea3a0"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
@@ -106,7 +106,7 @@
          "PkgName": "bash",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/bash@4.4.18-2ubuntu1.2?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "55652e248d848fa2"
+            "UID": "c9e621778b151be2"
          },
          "InstalledVersion": "4.4.18-2ubuntu1.2",
          "Status": "affected",
@@ -170,7 +170,7 @@
          "PkgName": "e2fsprogs",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "f43bbfe1f933f718"
+            "UID": "eddde4dbdb2df58c"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -242,7 +242,7 @@
          "PkgName": "libcom-err2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "e7d11d906afeb678"
+            "UID": "87ee4bdeca236f23"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -314,7 +314,7 @@
          "PkgName": "libext2fs2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "19d89bf66d83962e"
+            "UID": "f5dac6a49dfab96c"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
@@ -386,7 +386,7 @@
          "PkgName": "libss2",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
-            "UID": "231804324b8f13c6"
+            "UID": "119f1602425ea3a0"
          },
          "InstalledVersion": "1.44.1-1ubuntu1.1",
          "FixedVersion": "1.44.1-1ubuntu1.2",
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -99,15 +99,16 @@ nav:
              - Elixir: guide/coverage/language/elixir.md
              - Go: guide/coverage/language/golang.md
              - Java: guide/coverage/language/java.md
+              - Julia: guide/coverage/language/julia.md
              - Node.js: guide/coverage/language/nodejs.md
              - PHP: guide/coverage/language/php.md
              - Python: guide/coverage/language/python.md
              - Ruby: guide/coverage/language/ruby.md
              - Rust: guide/coverage/language/rust.md
              - Swift: guide/coverage/language/swift.md
-              - Julia: guide/coverage/language/julia.md
          - IaC:
              - Overview: guide/coverage/iac/index.md
+              - Ansible: guide/coverage/iac/ansible.md
              - Azure ARM Template: guide/coverage/iac/azure-arm.md
              - CloudFormation: guide/coverage/iac/cloudformation.md
              - Docker: guide/coverage/iac/docker.md
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -1,9 +1,12 @@
 package artifact

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"os"
 	"slices"
 	"strings"
@@ -12,6 +15,7 @@ import (
 	"github.com/samber/lo"
 	"github.com/spf13/viper"
 	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"

 	"github.com/aquasecurity/trivy/pkg/cache"
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
@@ -734,6 +738,12 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 		return misconf.ScannerOption{}, xerrors.Errorf("load schemas error: %w", err)
 	}

+	ansibleExtraVars, err := resolveAnsibleExtraVars(opts.AnsibleExtraVars)
+	if err != nil {
+		log.DebugContext(ctx, "Failed to resolve Ansible extra-vars", log.Err(err))
+		ansibleExtraVars = make(map[string]any)
+	}
+
 	misconfOpts := misconf.ScannerOption{
 		Trace:                    opts.RegoOptions.Trace,
 		Namespaces:               append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
@@ -758,6 +768,9 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 		ConfigFileSchemas:        configSchemas,
 		SkipFiles:                opts.SkipFiles,
 		SkipDirs:                 opts.SkipDirs,
+		AnsiblePlaybooks:         opts.AnsiblePlaybooks,
+		AnsibleInventories:       opts.AnsibleInventories,
+		AnsibleExtraVars:         ansibleExtraVars,
 	}

 	regoScanner, err := misconf.InitRegoScanner(misconfOpts)
@@ -768,3 +781,44 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
 	misconfOpts.RegoScanner = regoScanner
 	return misconfOpts, nil
 }
+
+func resolveAnsibleExtraVars(inputs []string) (map[string]any, error) {
+	result := make(map[string]any)
+
+	for _, input := range inputs {
+		var vars map[string]any
+
+		switch {
+		case strings.HasPrefix(input, "@"):
+			data, err := os.ReadFile(input[1:])
+			if err != nil {
+				return nil, fmt.Errorf("read extra-vars file %s: %w", input[1:], err)
+			}
+			trimmed := bytes.TrimSpace(data)
+			if len(trimmed) > 0 && trimmed[0] == '{' {
+				// parse as JSON object
+				if err := json.Unmarshal(trimmed, &vars); err != nil {
+					return nil, fmt.Errorf("parse extra-vars JSON file %s: %w", input[1:], err)
+				}
+			} else {
+				// parse as YAML
+				if err := yaml.Unmarshal(trimmed, &vars); err != nil {
+					return nil, fmt.Errorf("parse extra-vars YAML file %s: %w", input[1:], err)
+				}
+			}
+		case strings.Contains(input, "="):
+			kv := strings.SplitN(input, "=", 2)
+			var val string
+			if len(kv) == 2 {
+				val = kv[1]
+			}
+			vars = map[string]any{kv[0]: val}
+		default:
+			return nil, fmt.Errorf("invalid extra-vars input: %s", input)
+		}
+
+		maps.Copy(result, vars)
+	}
+
+	return result, nil
+}
--- a/pkg/dependency/parser/php/composer/parse.go
+++ b/pkg/dependency/parser/php/composer/parse.go
@@ -17,7 +17,8 @@ import (
 )

 type LockFile struct {
-	Packages []packageInfo `json:"packages"`
+	Packages    []packageInfo `json:"packages"`
+	PackagesDev []packageInfo `json:"packages-dev"`
 }
 type packageInfo struct {
 	Name    string            `json:"name"`
@@ -45,30 +46,11 @@ func (p *Parser) Parse(_ context.Context, r xio.ReadSeekerAt) ([]ftypes.Package,

 	pkgs := make(map[string]ftypes.Package)
 	foundDeps := make(map[string][]string)
-	for _, lpkg := range lockFile.Packages {
-		pkg := ftypes.Package{
-			ID:           dependency.ID(ftypes.Composer, lpkg.Name, lpkg.Version),
-			Name:         lpkg.Name,
-			Version:      lpkg.Version,
-			Relationship: ftypes.RelationshipUnknown, // composer.lock file doesn't have info about direct/indirect dependencies
-			Licenses:     licenses(lpkg.License),
-			Locations:    []ftypes.Location{ftypes.Location(lpkg.Location)},
-		}
-		pkgs[pkg.Name] = pkg

-		var dependsOn []string
-		for depName := range lpkg.Require {
-			// Require field includes required php version, skip this
-			// Also skip PHP extensions
-			if depName == "php" || strings.HasPrefix(depName, "ext") {
-				continue
-			}
-			dependsOn = append(dependsOn, depName) // field uses range of versions, so later we will fill in the versions from the packages
-		}
-		if len(dependsOn) > 0 {
-			foundDeps[pkg.ID] = dependsOn
-		}
-	}
+	// Production packages are parsed first to ensure they take precedence
+	// when the same package exists in both "packages" and "packages-dev".
+	p.parseProdPackages(lockFile, pkgs, foundDeps)
+	p.parseDevPackages(lockFile, pkgs, foundDeps)

 	// fill deps versions
 	var deps ftypes.Dependencies
@@ -95,6 +77,50 @@ func (p *Parser) Parse(_ context.Context, r xio.ReadSeekerAt) ([]ftypes.Package,
 	return pkgSlice, deps, nil
 }

+// parseProdPackages parses packages from the "packages" field in composer.lock.
+func (p *Parser) parseProdPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
+	p.parsePackages(lockFile.Packages, false, pkgs, foundDeps)
+}
+
+// parseDevPackages parses packages from the "packages-dev" field in composer.lock.
+// Packages already present in pkgs (i.e., production packages) are skipped.
+func (p *Parser) parseDevPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
+	p.parsePackages(lockFile.PackagesDev, true, pkgs, foundDeps)
+}
+
+func (p *Parser) parsePackages(lockPkgs []packageInfo, isDev bool, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
+	for _, lpkg := range lockPkgs {
+		// Skip if the package already exists (production packages take precedence over dev packages)
+		if _, ok := pkgs[lpkg.Name]; ok {
+			continue
+		}
+
+		pkg := ftypes.Package{
+			ID:           dependency.ID(ftypes.Composer, lpkg.Name, lpkg.Version),
+			Name:         lpkg.Name,
+			Version:      lpkg.Version,
+			Relationship: ftypes.RelationshipUnknown, // composer.lock file doesn't have info about direct/indirect dependencies
+			Licenses:     licenses(lpkg.License),
+			Locations:    []ftypes.Location{ftypes.Location(lpkg.Location)},
+			Dev:          isDev,
+		}
+		pkgs[pkg.Name] = pkg
+
+		var dependsOn []string
+		for depName := range lpkg.Require {
+			// Require field includes required php version, skip this
+			// Also skip PHP extensions
+			if depName == "php" || strings.HasPrefix(depName, "ext") {
+				continue
+			}
+			dependsOn = append(dependsOn, depName) // field uses range of versions, so later we will fill in the versions from the packages
+		}
+		if len(dependsOn) > 0 {
+			foundDeps[pkg.ID] = dependsOn
+		}
+	}
+}
+
 // licenses returns slice of licenses from string, string with separators (`or`, `and`, etc.) or string array
 // cf. https://getcomposer.org/doc/04-schema.md#license
 func licenses(val any) []string {
--- a/pkg/dependency/parser/php/composer/parse_test.go
+++ b/pkg/dependency/parser/php/composer/parse_test.go
@@ -54,6 +54,32 @@ var (
 				},
 			},
 		},
+		{
+			ID:       "pear/log@1.13.3",
+			Name:     "pear/log",
+			Version:  "1.13.3",
+			Dev:      true,
+			Licenses: []string{"MIT"},
+			Locations: []ftypes.Location{
+				{
+					StartLine: 660,
+					EndLine:   719,
+				},
+			},
+		},
+		{
+			ID:       "pear/pear_exception@v1.0.2",
+			Name:     "pear/pear_exception",
+			Version:  "v1.0.2",
+			Dev:      true,
+			Licenses: []string{"BSD-2-Clause"},
+			Locations: []ftypes.Location{
+				{
+					StartLine: 720,
+					EndLine:   778,
+				},
+			},
+		},
 		{
 			ID:       "psr/http-message@1.0.1",
 			Name:     "psr/http-message",
@@ -132,6 +158,12 @@ var (
 				"ralouphie/getallheaders@3.0.3",
 			},
 		},
+		{
+			ID: "pear/log@1.13.3",
+			DependsOn: []string{
+				"pear/pear_exception@v1.0.2",
+			},
+		},
 		{
 			ID: "symfony/polyfill-intl-idn@v1.27.0",
 			DependsOn: []string{
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 		eco = ecosystem.Kubernetes
 		comparer = compare.GenericComparer{}
 	case ftypes.Julia:
-		log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		eco = ecosystem.Julia
+		comparer = compare.GenericComparer{}
 	default:
 		log.Warn("The library type is not supported for vulnerability scanning",
 			log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D

 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  adv.VulnerabilityID,
+			VendorIDs:        adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
 			PkgID:            pkgID,
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
 			},
 			want: []types.DetectedVulnerability{
 				{
-					VulnerabilityID:  "CVE-2022-21235",
+					VulnerabilityID: "CVE-2022-21235",
+					VendorIDs: []string{
+						"GHSA-6635-c626-vj4r",
+					},
 					PkgName:          "github.com/Masterminds/vcs",
 					InstalledVersion: "v1.13.1",
 					FixedVersion:     "v1.13.2",
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "julia package",
+			fixtures: []string{
+				"testdata/fixtures/julia.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Julia,
+			args: args{
+				pkgName: "HTTP",
+				pkgVer:  "1.10.16",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2025-52479",
+					PkgName:          "HTTP",
+					InstalledVersion: "1.10.16",
+					FixedVersion:     "1.10.17",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.Julia,
+						Name: "Julia Ecosystem Security Advisories",
+						URL:  "https://github.com/JuliaLang/SecurityAdvisories.jl",
+					},
+					VendorIDs: []string{
+						"JLSEC-2025-1",
+					},
+				},
+			},
+		},
 		{
 			name:     "non-prefixed buckets",
 			fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -30,3 +30,8 @@
        ID: "ghsa"
        Name: "GitHub Security Advisory Go"
        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
+    - key: "julia::Julia Ecosystem Security Advisories"
+      value:
+        ID: "julia"
+        Name: "Julia Ecosystem Security Advisories"
+        URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"
--- a/pkg/detector/library/testdata/fixtures/go.yaml
+++ b/pkg/detector/library/testdata/fixtures/go.yaml
@@ -8,3 +8,5 @@
              - v1.13.2
            VulnerableVersions:
              - "<v1.13.2"
+            VendorIDs:
+              - "GHSA-6635-c626-vj4r"
--- a/pkg/detector/library/testdata/fixtures/julia.yaml
+++ b/pkg/detector/library/testdata/fixtures/julia.yaml
@@ -0,0 +1,12 @@
+- bucket: "julia::Julia Ecosystem Security Advisories"
+  pairs:
+    - bucket: HTTP
+      pairs:
+        - key: CVE-2025-52479
+          value:
+            PatchedVersions:
+              - 1.10.17
+            VulnerableVersions:
+              - "<1.10.17"
+            VendorIDs:
+              - "JLSEC-2025-1"
--- a/pkg/detector/ospkg/alpine/alpine.go
+++ b/pkg/detector/ospkg/alpine/alpine.go
@@ -50,6 +50,7 @@ var eolDates = map[string]time.Time{
 	"3.20": time.Date(2026, 4, 1, 23, 59, 59, 0, time.UTC),
 	"3.21": time.Date(2026, 12, 5, 23, 59, 59, 0, time.UTC),
 	"3.22": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
+	"3.23": time.Date(2027, 11, 1, 23, 59, 59, 0, time.UTC),
 	"edge": time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC),
 }

--- a/pkg/detector/ospkg/debian/debian.go
+++ b/pkg/detector/ospkg/debian/debian.go
@@ -63,6 +63,11 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
+		// Skip third-party packages as they are not covered by Debian security advisories
+		if pkg.Repository.Class == ftypes.RepositoryClassThirdParty {
+			continue
+		}
+
 		sourceVersion, err := version.NewVersion(utils.FormatSrcVersion(pkg))
 		if err != nil {
 			log.DebugContext(ctx, "Installed package version error", log.Err(err))
--- a/pkg/detector/ospkg/rootio/rootio.go
+++ b/pkg/detector/ospkg/rootio/rootio.go
@@ -1,7 +1,6 @@
 package rootio

 import (
-	"cmp"
 	"context"
 	"strings"

@@ -104,9 +103,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 					Severity: adv.Severity.String(),
 				}

-				// Datasource contains BaseID + ID for root.io advisories,
-				// But baseOS (e.g. Debian) advisories use ID only.
-				vuln.SeveritySource = cmp.Or(adv.DataSource.BaseID, adv.DataSource.ID)
+				vuln.SeveritySource = adv.DataSource.ID
 			}

 			vulns = append(vulns, vuln)
--- a/pkg/detector/ospkg/rootio/rootio_test.go
+++ b/pkg/detector/ospkg/rootio/rootio_test.go
@@ -51,7 +51,7 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2024-13176", // Debian and Root.io contain this CVE
 					InstalledVersion: "3.0.15-1~deb12u1.root.io.0",
 					FixedVersion:     "3.0.15-1~deb12u1.root.io.1, 3.0.16-1~deb12u1",
-					SeveritySource:   vulnerability.Debian,
+					SeveritySource:   vulnerability.RootIO,
 					DataSource: &dbTypes.DataSource{
 						ID:     vulnerability.RootIO,
 						BaseID: vulnerability.Debian,
@@ -103,12 +103,16 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2023-44487",
 					InstalledVersion: "1.22.1-9+deb12u2.root.io.0",
 					FixedVersion:     "1.22.1-9+deb12u2.root.io.1",
+					SeveritySource:   vulnerability.RootIO,
 					DataSource: &dbTypes.DataSource{
 						ID:     vulnerability.RootIO,
 						BaseID: vulnerability.Ubuntu,
 						Name:   "Root.io Security Patches (ubuntu)",
 						URL:    "https://api.root.io/external/patch_feed",
 					},
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityHigh.String(),
+					},
 				},
 			},
 		},
--- a/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml
+++ b/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml
@@ -28,6 +28,7 @@
            PatchedVersions:
              - "3.0.15-1~deb12u1.root.io.1"
              - "3.0.16-1~deb12u1"
+            Severity: 2
 - bucket: root.io ubuntu 20.04
  pairs:
    - bucket: nginx
@@ -38,6 +39,7 @@
              - "<1.22.1-9+deb12u2.root.io.1"
            PatchedVersions:
              - "1.22.1-9+deb12u2.root.io.1"
+            Severity: 3
 - bucket: root.io alpine 3.19
  pairs:
    - bucket: less
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -105,6 +105,11 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
+		// Skip third-party packages as they are not covered by Ubuntu security advisories
+		if pkg.Repository.Class == ftypes.RepositoryClassThirdParty {
+			continue
+		}
+
 		osVer = s.versionFromEolDates(ctx, osVer)
 		advisories, err := s.vs.Get(db.GetParams{
 			Release: osVer,
--- a/pkg/fanal/analyzer/analyzer_test.go
+++ b/pkg/fanal/analyzer/analyzer_test.go
@@ -676,7 +676,7 @@ func TestAnalyzerGroup_AnalyzerVersions(t *testing.T) {
 					"ubuntu-esm":   1,
 				},
 				PostAnalyzers: map[string]int{
-					"dpkg":   5,
+					"dpkg":   6,
 					"jar":    1,
 					"poetry": 1,
 				},
--- a/pkg/fanal/analyzer/config/all/import.go
+++ b/pkg/fanal/analyzer/config/all/import.go
@@ -1,6 +1,7 @@
 package all

 import (
+	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/ansible"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/azurearm"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/cloudformation"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/dockerfile"
--- a/pkg/fanal/analyzer/config/ansible/ansible.go
+++ b/pkg/fanal/analyzer/config/ansible/ansible.go
@@ -0,0 +1,37 @@
+package ansible
+
+import (
+	"os"
+	"path/filepath"
+	"slices"
+
+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
+	"github.com/aquasecurity/trivy/pkg/iac/detection"
+)
+
+const (
+	version      = 1
+	analyzerType = analyzer.TypeAnsible
+)
+
+func init() {
+	analyzer.RegisterPostAnalyzer(analyzerType, newAnsibleConfigAnalyzer)
+}
+
+type ansibleConfigAnalyzer struct {
+	*config.Analyzer
+}
+
+func newAnsibleConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
+	a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeAnsible, opts)
+	if err != nil {
+		return nil, err
+	}
+	return &ansibleConfigAnalyzer{Analyzer: a}, nil
+}
+
+func (a *ansibleConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+	return filepath.Base(filePath) == "ansible.cfg" ||
+		slices.Contains([]string{"", ".yml", ".yaml", ".json", ".ini"}, filepath.Ext(filePath))
+}
--- a/pkg/fanal/analyzer/config/ansible/ansible_test.go
+++ b/pkg/fanal/analyzer/config/ansible/ansible_test.go
@@ -0,0 +1,61 @@
+package ansible
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+)
+
+func Test_ansibleConfigAnalyzer_Required(t *testing.T) {
+	tests := []struct {
+		name     string
+		filePath string
+		want     bool
+	}{
+		{
+			name:     "yaml",
+			filePath: "test.yaml",
+			want:     true,
+		},
+		{
+			name:     "yml",
+			filePath: "test.yml",
+			want:     true,
+		},
+		{
+			name:     "json",
+			filePath: "test.json",
+			want:     true,
+		},
+		{
+			name:     "init",
+			filePath: "test.ini",
+			want:     true,
+		},
+		{
+			name:     "without extension",
+			filePath: "test",
+			want:     true,
+		},
+		{
+			name:     "config file",
+			filePath: "ansible.cfg",
+			want:     true,
+		},
+		{
+			name:     "just cfg",
+			filePath: "test.cfg",
+			want:     false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a, err := newAnsibleConfigAnalyzer(analyzer.AnalyzerOptions{})
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, a.Required(tt.filePath, nil))
+		})
+	}
+}
--- a/pkg/fanal/analyzer/const.go
+++ b/pkg/fanal/analyzer/const.go
@@ -132,6 +132,7 @@ const (
 	TypeTerraformPlanSnapshot Type = Type(detection.FileTypeTerraformPlanSnapshot)
 	TypeYAML                  Type = Type(detection.FileTypeYAML)
 	TypeJSON                  Type = Type(detection.FileTypeJSON)
+	TypeAnsible               Type = Type(detection.FileTypeAnsible)

 	// ========
 	// License
@@ -266,5 +267,6 @@ var (
 		TypeTerraformPlanSnapshot,
 		TypeYAML,
 		TypeJSON,
+		TypeAnsible,
 	}
 )
--- a/pkg/fanal/analyzer/language/php/composer/composer.go
+++ b/pkg/fanal/analyzer/language/php/composer/composer.go
@@ -106,7 +106,7 @@ func (a composerAnalyzer) parseComposerLock(ctx context.Context, path string, r
 func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.Application) error {
 	// Parse composer.json to identify the direct dependencies
 	path := filepath.Join(dir, types.ComposerJson)
-	p, err := a.parseComposerJson(fsys, path)
+	cj, err := a.parseComposerJson(fsys, path)
 	if errors.Is(err, fs.ErrNotExist) {
 		// Assume all the packages are direct dependencies as it cannot identify them from composer.lock
 		log.Debug("Unable to determine the direct dependencies, composer.json not found", log.FilePath(path))
@@ -117,7 +117,9 @@ func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.A

 	for i, pkg := range app.Packages {
 		// Identify the direct/transitive dependencies
-		if _, ok := p[pkg.Name]; ok {
+		if _, ok := cj.Require[pkg.Name]; ok {
+			app.Packages[i].Relationship = types.RelationshipDirect
+		} else if _, ok := cj.RequireDev[pkg.Name]; ok {
 			app.Packages[i].Relationship = types.RelationshipDirect
 		} else {
 			app.Packages[i].Indirect = true
@@ -129,21 +131,22 @@ func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.A
 }

 type composerJson struct {
-	Require map[string]string `json:"require"`
+	Require    map[string]string `json:"require"`
+	RequireDev map[string]string `json:"require-dev"`
 }

-func (a composerAnalyzer) parseComposerJson(fsys fs.FS, path string) (map[string]string, error) {
+func (a composerAnalyzer) parseComposerJson(fsys fs.FS, path string) (composerJson, error) {
 	// Parse composer.json
 	f, err := fsys.Open(path)
 	if err != nil {
-		return nil, xerrors.Errorf("file open error: %w", err)
+		return composerJson{}, xerrors.Errorf("file open error: %w", err)
 	}
 	defer func() { _ = f.Close() }()

-	jsonFile := composerJson{}
+	var jsonFile composerJson
 	err = json.NewDecoder(f).Decode(&jsonFile)
 	if err != nil {
-		return nil, xerrors.Errorf("json decode error: %w", err)
+		return composerJson{}, xerrors.Errorf("json decode error: %w", err)
 	}
-	return jsonFile.Require, nil
+	return jsonFile, nil
 }
--- a/pkg/fanal/analyzer/language/php/composer/composer_test.go
+++ b/pkg/fanal/analyzer/language/php/composer/composer_test.go
@@ -151,6 +151,65 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) {
 			dir:  "testdata/composer/sad",
 			want: &analyzer.AnalysisResult{},
 		},
+		{
+			name: "with dev dependencies",
+			dir:  "testdata/composer/with-dev",
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.Composer,
+						FilePath: "composer.lock",
+						Packages: types.Packages{
+							{
+								ID:           "pear/log@1.14.6",
+								Name:         "pear/log",
+								Version:      "1.14.6",
+								Dev:          true,
+								Indirect:     false,
+								Relationship: types.RelationshipDirect,
+								Licenses:     []string{"MIT"},
+								Locations: []types.Location{
+									{
+										StartLine: 61,
+										EndLine:   121,
+									},
+								},
+								DependsOn: []string{"pear/pear_exception@v1.0.2"},
+							},
+							{
+								ID:           "psr/log@1.1.4",
+								Name:         "psr/log",
+								Version:      "1.1.4",
+								Indirect:     false,
+								Relationship: types.RelationshipDirect,
+								Licenses:     []string{"MIT"},
+								Locations: []types.Location{
+									{
+										StartLine: 9,
+										EndLine:   58,
+									},
+								},
+							},
+							{
+								ID:           "pear/pear_exception@v1.0.2",
+								Name:         "pear/pear_exception",
+								Version:      "v1.0.2",
+								Dev:          true,
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Licenses:     []string{"BSD-2-Clause"},
+								Locations: []types.Location{
+									{
+										StartLine: 122,
+										EndLine:   180,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}

 	for _, tt := range tests {
--- a/pkg/fanal/analyzer/language/php/composer/testdata/composer/with-dev/composer.json
+++ b/pkg/fanal/analyzer/language/php/composer/testdata/composer/with-dev/composer.json
@@ -0,0 +1,8 @@
+{
+  "require": {
+    "psr/log": "^1.0"
+  },
+  "require-dev": {
+    "pear/log": "^1.13"
+  }
+}
--- a/pkg/fanal/analyzer/language/php/composer/testdata/composer/with-dev/composer.lock
+++ b/pkg/fanal/analyzer/language/php/composer/testdata/composer/with-dev/composer.lock
@@ -0,0 +1,190 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "2c9e13a2460669ca09226814c0aefb51",
+    "packages": [
+        {
+            "name": "psr/log",
+            "version": "1.1.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/log.git",
+                "reference": "d49695b909c3b7628b6289db5479a1c204601f11"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/log/zipball/d49695b909c3b7628b6289db5479a1c204601f11",
+                "reference": "d49695b909c3b7628b6289db5479a1c204601f11",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.1.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Log\\": "Psr/Log/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "https://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for logging libraries",
+            "homepage": "https://github.com/php-fig/log",
+            "keywords": [
+                "log",
+                "psr",
+                "psr-3"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/log/tree/1.1.4"
+            },
+            "time": "2021-05-03T11:20:27+00:00"
+        }
+    ],
+    "packages-dev": [
+        {
+            "name": "pear/log",
+            "version": "1.14.6",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/pear/Log.git",
+                "reference": "e136d31ff6d5991e9707862f5fbfb97d40cd37a3"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/pear/Log/zipball/e136d31ff6d5991e9707862f5fbfb97d40cd37a3",
+                "reference": "e136d31ff6d5991e9707862f5fbfb97d40cd37a3",
+                "shasum": ""
+            },
+            "require": {
+                "pear/pear_exception": "1.0.1 || 1.0.2",
+                "php": ">=7.4"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "*",
+                "rector/rector": "*"
+            },
+            "suggest": {
+                "pear/db": "Install optionally via your project's composer.json"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-0": {
+                    "Log": "./"
+                },
+                "exclude-from-classmap": [
+                    "/examples/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "include-path": [
+                ""
+            ],
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Jon Parise",
+                    "email": "jon@php.net",
+                    "homepage": "https://www.indelible.org/",
+                    "role": "Developer"
+                }
+            ],
+            "description": "PEAR Logging Framework",
+            "homepage": "https://pear.github.io/Log/",
+            "keywords": [
+                "log",
+                "logging"
+            ],
+            "support": {
+                "issues": "https://github.com/pear/Log/issues",
+                "source": "https://github.com/pear/Log"
+            },
+            "time": "2025-07-27T00:25:20+00:00"
+        },
+        {
+            "name": "pear/pear_exception",
+            "version": "v1.0.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/pear/PEAR_Exception.git",
+                "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/b14fbe2ddb0b9f94f5b24cf08783d599f776fff0",
+                "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.2.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "<9"
+            },
+            "type": "class",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "classmap": [
+                    "PEAR/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "include-path": [
+                "."
+            ],
+            "license": [
+                "BSD-2-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Helgi Thormar",
+                    "email": "dufuz@php.net"
+                },
+                {
+                    "name": "Greg Beaver",
+                    "email": "cellog@php.net"
+                }
+            ],
+            "description": "The PEAR Exception base class.",
+            "homepage": "https://github.com/pear/PEAR_Exception",
+            "keywords": [
+                "exception"
+            ],
+            "support": {
+                "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
+                "source": "https://github.com/pear/PEAR_Exception"
+            },
+            "time": "2021-03-21T15:43:46+00:00"
+        }
+    ],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": {},
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": {},
+    "platform-dev": {},
+    "plugin-api-version": "2.9.0"
+}
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -41,7 +41,7 @@ func newDpkgAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error)
 }

 const (
-	analyzerVersion = 5
+	analyzerVersion = 6

 	statusFile    = "var/lib/dpkg/status"
 	statusDir     = "var/lib/dpkg/status.d/"
@@ -54,6 +54,56 @@ const (
 var (
 	dpkgSrcCaptureRegexp      = regexp.MustCompile(`(?P<name>[^\s]*)( \((?P<version>.*)\))?`)
 	dpkgSrcCaptureRegexpNames = dpkgSrcCaptureRegexp.SubexpNames()
+
+	// thirdPartyMaintainerPatterns contains patterns that indicate a package is from a third-party repository.
+	// Packages with maintainers matching these patterns will NOT have their InstalledFiles tracked,
+	// allowing language scanners to properly analyze files installed by those packages.
+	// See https://github.com/aquasecurity/trivy/issues/9916 for more details.
+	thirdPartyMaintainerPatterns = []string{
+		// Container & orchestration
+		"support@docker.com", // Docker
+
+		// Cloud providers & infrastructure
+		"@nvidia.com",              // NVIDIA CUDA
+		"Google Cloud CLI Authors", // Google Cloud SDK
+		"sapmachine@sap.com",       // SAP Machine JDK
+		"@hashicorp.com",           // HashiCorp (Terraform, Vault, Consul, etc.)
+		"@microsoft.com",           // Microsoft (VS Code, Azure CLI, .NET, etc.)
+
+		// Databases
+		"@mongodb.com",                 // MongoDB
+		"developers@lists.mariadb.org", // MariaDB
+		"dev@couchdb.apache.org",       // Apache CouchDB
+		"info@elastic.co",              // Elastic (Elasticsearch, Kibana, etc.)
+
+		// Web servers & API gateways
+		"nginx-packaging@f5.com", // NGINX (from nginx.org, not Debian)
+		"@konghq.com",            // Kong
+		"@cloudflare.com",        // Cloudflare (cloudflared, WARP)
+
+		// Monitoring & observability
+		"support@influxdb.com", // InfluxData (InfluxDB, Telegraf)
+		"support@gitlab.com",   // GitLab
+		"contact@grafana.com",  // Grafana Labs
+		"@datadoghq.com",       // Datadog
+
+		// Language runtimes (third-party repos)
+		"@nodesource.com", // NodeSource (Node.js)
+
+		// Networking & VPN
+		"info@tailscale.com", // Tailscale
+
+		// Robotics
+		"@openrobotics.org",  // ROS (Robot Operating System)
+		"@osrfoundation.org", // ROS (Robot Operating System)
+	}
+
+	// thirdPartyMaintainerExact contains maintainer strings that require exact match.
+	// These are too short or generic for substring matching.
+	thirdPartyMaintainerExact = []string{
+		"GitHub",    // GitHub CLI
+		"HashiCorp", // HashiCorp (Terraform, Vault, Consul, etc.)
+	}
 )

 func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
@@ -82,7 +132,7 @@ func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
 				return xerrors.Errorf("failed to parse %s file: %w", path, err)
 			}
 			packageFiles[strings.TrimSuffix(filepath.Base(path), md5sumsExtension)] = systemFiles
-			systemInstalledFiles = append(systemInstalledFiles, systemFiles...)
+			// Note: systemInstalledFiles will be populated later based on maintainer check
 			return nil
 		}
 		// parse status files
@@ -97,14 +147,32 @@ func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
 		return nil, xerrors.Errorf("dpkg walk error: %w", err)
 	}

-	// map the packages to their respective files
+	// Map packages to their respective files.
+	// Third-party packages will NOT have their InstalledFiles populated to avoid filtering out
+	// language packages (npm, pip, etc.) installed by those third-party OS packages.
 	for i, pkgInfo := range packageInfos {
 		for j, pkg := range pkgInfo.Packages {
 			installedFiles, found := packageFiles[pkg.Name]
 			if !found {
 				installedFiles = packageFiles[pkg.Name+":"+pkg.Arch]
 			}
+
+			// Skip InstalledFiles for third-party packages
+			if isThirdPartyPackage(pkg.Maintainer) {
+				a.logger.Debug("Third-party package detected",
+					log.String("package", pkg.Name),
+					log.String("maintainer", pkg.Maintainer))
+				packageInfos[i].Packages[j].Repository = types.PackageRepository{
+					Class: types.RepositoryClassThirdParty,
+				}
+				continue
+			}
+
+			packageInfos[i].Packages[j].Repository = types.PackageRepository{
+				Class: types.RepositoryClassOfficial,
+			}
 			packageInfos[i].Packages[j].InstalledFiles = installedFiles
+			systemInstalledFiles = append(systemInstalledFiles, installedFiles...)
 		}
 	}

@@ -349,6 +417,21 @@ func (a dpkgAnalyzer) isMd5SumsFile(dir, fileName string) bool {
 	return strings.HasSuffix(fileName, md5sumsExtension)
 }

+// isThirdPartyPackage checks if a package is from a third-party repository
+// by examining the Maintainer field against known third-party patterns.
+//
+// Unlike RPM which has a dedicated "Vendor" field, dpkg packages don't have a reliable
+// way to identify their origin. We use a heuristic approach based on maintainer patterns.
+// See https://github.com/aquasecurity/trivy/issues/9916 for more details.
+func isThirdPartyPackage(maintainer string) bool {
+	if slices.Contains(thirdPartyMaintainerExact, maintainer) {
+		return true
+	}
+	return slices.ContainsFunc(thirdPartyMaintainerPatterns, func(pattern string) bool {
+		return strings.Contains(maintainer, pattern)
+	})
+}
+
 func (a dpkgAnalyzer) Type() analyzer.Type {
 	return analyzer.TypeDpkg
 }
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
@@ -43,6 +43,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "apt@1.6.3ubuntu0.1",
@@ -63,6 +64,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "base-files@10.1ubuntu2.2",
@@ -72,6 +74,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "10.1ubuntu2.2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "base-passwd@3.5.44",
@@ -85,6 +88,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Colin Watson <cjwatson@debian.org>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "bash@4.4.18-2ubuntu1",
@@ -100,6 +104,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "bsdutils@1:2.31.1-0.4ubuntu3.1",
@@ -112,6 +117,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "0.4ubuntu3.1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "bzip2@1.0.6-8.1",
@@ -127,6 +133,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "coreutils@8.28-1ubuntu1",
@@ -138,6 +145,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "dash@0.5.8-2.10",
@@ -153,6 +161,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "debconf@1.5.66",
@@ -162,6 +171,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "1.5.66",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "debianutils@4.8.4",
@@ -171,6 +181,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "4.8.4",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "diffutils@1:3.6-1",
@@ -184,6 +195,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "dpkg@1.19.0.5ubuntu2",
@@ -196,6 +208,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "e2fsprogs@1.44.1-1",
@@ -207,6 +220,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "fdisk@2.31.1-0.4ubuntu3.1",
@@ -226,6 +240,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "findutils@4.6.0+git+20170828-2",
@@ -237,6 +252,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "gcc-8-base@8-20180414-1ubuntu2",
@@ -248,6 +264,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu2",
 								Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "gpgv@2.2.4-1ubuntu1.1",
@@ -266,6 +283,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "grep@3.1-2",
@@ -280,6 +298,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "gzip@1.6-5ubuntu1",
@@ -294,6 +313,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "hostname@3.20",
@@ -303,6 +323,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "3.20",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "init-system-helpers@1.51",
@@ -315,6 +336,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libacl1@2.2.52-3build1",
@@ -330,6 +352,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libapt-pkg5.0@1.6.3ubuntu0.1",
@@ -350,6 +373,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libattr1@1:2.4.47-2build1",
@@ -366,6 +390,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libaudit-common@1:2.8.2-1ubuntu1",
@@ -379,6 +404,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libaudit1@1:2.8.2-1ubuntu1",
@@ -397,6 +423,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libblkid1@2.31.1-0.4ubuntu3.1",
@@ -412,6 +439,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libbz2-1.0@1.0.6-8.1",
@@ -426,6 +454,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libc-bin@2.27-3ubuntu1",
@@ -440,6 +469,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libc6@2.27-3ubuntu1",
@@ -454,6 +484,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libcap-ng0@0.7.7-3.1",
@@ -468,6 +499,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libcom-err2@1.44.1-1",
@@ -482,6 +514,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libdb5.3@5.3.28-13.1ubuntu1",
@@ -496,6 +529,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libdebconfclient0@0.213ubuntu1",
@@ -508,6 +542,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libext2fs2@1.44.1-1",
@@ -522,6 +557,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libfdisk1@2.31.1-0.4ubuntu3.1",
@@ -538,6 +574,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libffi6@3.2.1-8",
@@ -552,6 +589,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libgcc1@1:8-20180414-1ubuntu2",
@@ -568,6 +606,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libgcrypt20@1.8.1-4ubuntu1.1",
@@ -583,6 +622,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libgmp10@2:6.1.2+dfsg-2",
@@ -599,6 +639,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libgnutls30@3.5.18-1ubuntu1",
@@ -621,6 +662,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:   "libgpg-error0@1.27-6",
@@ -636,6 +678,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libhogweed4@3.4-1",
@@ -652,6 +695,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libidn2-0@2.0.4-1.1build2",
@@ -667,6 +711,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "liblz4-1@0.0~r131-2ubuntu3",
@@ -681,6 +726,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "liblzma5@5.1.1alpha+20120614-2+b3",
@@ -695,6 +741,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Jonathan Nieder <jrnieder@gmail.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libmount1@2.31.1-0.4ubuntu3.1",
@@ -711,6 +758,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libncurses5@6.1-1ubuntu1.18.04",
@@ -726,6 +774,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libncursesw5@6.1-1ubuntu1.18.04",
@@ -741,6 +790,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libnettle6@3.4-1",
@@ -755,6 +805,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libp11-kit0@0.23.9-2",
@@ -770,6 +821,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam-modules@1.1.8-3.6ubuntu2",
@@ -781,6 +833,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "3.6ubuntu2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam-modules-bin@1.1.8-3.6ubuntu2",
@@ -798,6 +851,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam-runtime@1.1.8-3.6ubuntu2",
@@ -813,6 +867,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam0g@1.1.8-3.6ubuntu2",
@@ -829,6 +884,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpcre3@2:8.39-9",
@@ -845,6 +901,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libprocps6@2:3.3.12-3ubuntu1.1",
@@ -862,6 +919,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libseccomp2@2.3.1-2.1ubuntu4",
@@ -876,6 +934,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libselinux1@2.7-2build2",
@@ -891,6 +950,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libsemanage-common@2.7-2build2",
@@ -902,6 +962,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "2build2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libsemanage1@2.7-2build2",
@@ -921,6 +982,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libsepol1@2.7-1",
@@ -935,6 +997,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libsmartcols1@2.31.1-0.4ubuntu3.1",
@@ -949,6 +1012,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libss2@1.44.1-1",
@@ -964,6 +1028,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libstdc++6@8-20180414-1ubuntu2",
@@ -980,6 +1045,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libsystemd0@237-3ubuntu10.3",
@@ -991,6 +1057,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "3ubuntu10.3",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libtasn1-6@4.13-2",
@@ -1005,6 +1072,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libtinfo5@6.1-1ubuntu1.18.04",
@@ -1019,6 +1087,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libudev1@237-3ubuntu10.3",
@@ -1033,6 +1102,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libunistring2@0.9.9-0ubuntu1",
@@ -1047,6 +1117,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libustr-1.0-1@1.0.4-3+b2",
@@ -1061,6 +1132,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Vaclav Ovsik <vaclav.ovsik@i.cz>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libuuid1@2.31.1-0.4ubuntu3.1",
@@ -1075,6 +1147,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libzstd1@1.3.3+dfsg-2ubuntu1",
@@ -1089,6 +1162,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "login@1:4.5-1ubuntu1",
@@ -1102,6 +1176,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "lsb-base@9.20170808ubuntu1",
@@ -1111,6 +1186,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "9.20170808ubuntu1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "mawk@1.3.3-17ubuntu3",
@@ -1122,6 +1198,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "17ubuntu3",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "mount@2.31.1-0.4ubuntu3.1",
@@ -1136,6 +1213,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "ncurses-base@6.1-1ubuntu1.18.04",
@@ -1147,6 +1225,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu1.18.04",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "ncurses-bin@6.1-1ubuntu1.18.04",
@@ -1158,6 +1237,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1ubuntu1.18.04",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "passwd@1:4.5-1ubuntu1",
@@ -1179,6 +1259,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "perl-base@5.26.1-6ubuntu0.2",
@@ -1190,6 +1271,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "6ubuntu0.2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "procps@2:3.3.12-3ubuntu1.1",
@@ -1212,6 +1294,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "sed@4.4-2",
@@ -1223,6 +1306,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "sensible-utils@0.0.12",
@@ -1232,6 +1316,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "0.0.12",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "sysvinit-utils@2.88dsf-59.10ubuntu1",
@@ -1248,6 +1333,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "tar@1.29b-2",
@@ -1259,6 +1345,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "ubuntu-keyring@2018.02.28",
@@ -1268,6 +1355,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcVersion: "2018.02.28",
 								Maintainer: "Dimitri John Ledkov <dimitri.ledkov@canonical.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "util-linux@2.31.1-0.4ubuntu3.1",
@@ -1282,6 +1370,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "zlib1g@1:1.2.11.dfsg-0ubuntu2",
@@ -1298,6 +1387,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								},
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 						},
 					},
@@ -1323,6 +1413,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "12ubuntu1",
 								Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam-modules-bin@1.1.8-3.1ubuntu3",
@@ -1334,6 +1425,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "3.1ubuntu3",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "libpam-runtime@1.1.8-3.1ubuntu3",
@@ -1345,6 +1437,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "3.1ubuntu3",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "makedev@2.3.1-93ubuntu1",
@@ -1356,6 +1449,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "93ubuntu1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "all",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 						},
 					},
@@ -1374,6 +1468,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								ID: "apt@1.6.3ubuntu0.1", Name: "apt", Version: "1.6.3ubuntu0.1",
 								SrcName: "apt", SrcVersion: "1.6.3ubuntu0.1",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", Arch: "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 						},
 					},
@@ -1401,6 +1496,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "2",
 								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 							},
 							{
 								ID:         "tar@1.34+dfsg-1",
@@ -1412,6 +1508,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 								SrcRelease: "1",
 								Maintainer: "Janos Lenart <ocsi@debian.org>",
 								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 								Digest:     "sha256:bd8e963c6edcf1c806df97cd73560794c347aa94b9aaaf3b88eea585bb2d2f3c",
 							},
 						},
@@ -1420,9 +1517,46 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name:      "md5sums",
-			testFiles: map[string]string{"./testdata/tar.md5sums": "var/lib/dpkg/info/tar.md5sums"},
+			name: "md5sums",
+			testFiles: map[string]string{
+				"./testdata/tar-status":  "var/lib/dpkg/status",
+				"./testdata/tar.md5sums": "var/lib/dpkg/info/tar.md5sums",
+			},
 			want: &analyzer.AnalysisResult{
+				PackageInfos: []types.PackageInfo{
+					{
+						FilePath: "var/lib/dpkg/status",
+						Packages: types.Packages{
+							{
+								ID:         "tar@1.29b-2",
+								Name:       "tar",
+								Version:    "1.29b",
+								Release:    "2",
+								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
+								SrcName:    "tar",
+								SrcVersion: "1.29b",
+								SrcRelease: "2",
+								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
+								InstalledFiles: []string{
+									"/usr/bin/tar",
+									"/usr/lib/mime/packages/tar",
+									"/usr/sbin/rmt-tar",
+									"/usr/sbin/tarcat",
+									"/usr/share/doc/tar/AUTHORS",
+									"/usr/share/doc/tar/NEWS.gz",
+									"/usr/share/doc/tar/README.Debian",
+									"/usr/share/doc/tar/THANKS.gz",
+									"/usr/share/doc/tar/changelog.Debian.gz",
+									"/usr/share/doc/tar/copyright",
+									"/usr/share/man/man1/tar.1.gz",
+									"/usr/share/man/man1/tarcat.1.gz",
+									"/usr/share/man/man8/rmt-tar.8.gz",
+								},
+							},
+						},
+					},
+				},
 				SystemInstalledFiles: []string{
 					"/usr/bin/tar",
 					"/usr/lib/mime/packages/tar",
@@ -1440,6 +1574,43 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:      "third-party package",
+			testFiles: map[string]string{"./testdata/dpkg-third-party": "var/lib/dpkg/status"},
+			want: &analyzer.AnalysisResult{
+				PackageInfos: []types.PackageInfo{
+					{
+						FilePath: "var/lib/dpkg/status",
+						Packages: []types.Package{
+							{
+								ID:         "apt@1.6.3ubuntu0.1",
+								Name:       "apt",
+								Version:    "1.6.3ubuntu0.1",
+								SrcName:    "apt",
+								SrcVersion: "1.6.3ubuntu0.1",
+								Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
+								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
+							},
+							{
+								ID:         "docker-ce@5:20.10.7~3-0~debian-buster",
+								Name:       "docker-ce",
+								Version:    "20.10.7~3-0~debian",
+								Release:    "buster",
+								Epoch:      5,
+								SrcName:    "docker-ce",
+								SrcVersion: "20.10.7~3-0~debian",
+								SrcRelease: "buster",
+								SrcEpoch:   5,
+								Maintainer: "Docker <support@docker.com>",
+								Arch:       "amd64",
+								Repository: types.PackageRepository{Class: types.RepositoryClassThirdParty},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1470,6 +1641,23 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 	}
 }

+func Test_isThirdPartyPackage(t *testing.T) {
+	tests := []struct {
+		name       string
+		maintainer string
+		want       bool
+	}{
+		{"third-party (Docker)", "Docker <support@docker.com>", true},
+		{"third-party (GitHub - exact match)", "GitHub", true},
+		{"official (Ubuntu)", "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, isThirdPartyPackage(tt.maintainer))
+		})
+	}
+}
+
 func Test_dpkgAnalyzer_Required(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/pkg/fanal/analyzer/pkg/dpkg/testdata/dpkg-third-party
+++ b/pkg/fanal/analyzer/pkg/dpkg/testdata/dpkg-third-party
@@ -0,0 +1,27 @@
+Package: docker-ce
+Status: install ok installed
+Priority: optional
+Section: admin
+Installed-Size: 83560
+Maintainer: Docker <support@docker.com>
+Architecture: amd64
+Version: 5:20.10.7~3-0~debian-buster
+Replaces: docker, docker-ce
+Depends: containerd.io (>= 1.4.1), docker-ce-cli, iptables, libc6 (>= 2.8), libseccomp2 (>= 2.4.1), libc6 (>= 2.17), libdevmapper1.02.1 (>= 2:1.02.97)
+Recommends: ca-certificates, docker-ce-rootless-extras, git, pigz, xz-utils
+Description: Docker: the open-source application container engine
+ Docker is a product for you to build, ship and run any application as a
+ lightweight container.
+Homepage: https://www.docker.com
+
+Package: apt
+Status: install ok installed
+Priority: important
+Section: admin
+Installed-Size: 4148
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: amd64
+Version: 1.6.3ubuntu0.1
+Depends: base-files (>= 7.2ubuntu5.6)
+Description: commandline package manager
+
--- a/pkg/fanal/analyzer/pkg/dpkg/testdata/tar-status
+++ b/pkg/fanal/analyzer/pkg/dpkg/testdata/tar-status
@@ -0,0 +1,17 @@
+Package: tar
+Essential: yes
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 864
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: amd64
+Multi-Arch: foreign
+Version: 1.29b-2
+Replaces: cpio (<< 2.4.2-39)
+Pre-Depends: libacl1 (>= 2.2.51-8), libc6 (>= 2.17), libselinux1 (>= 1.32)
+Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc
+Breaks: dpkg-dev (<< 1.14.26)
+Conflicts: cpio (<= 2.4.2-38)
+Description: GNU version of the tar archiving utility
+
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go
@@ -140,8 +140,12 @@ func (a rpmPkgAnalyzer) listPkgs(ctx context.Context, db RPMDB) (types.Packages,

 		// Check if the package is vendor-provided.
 		// If the package is not provided by vendor, the installed files should not be skipped.
+		repo := types.PackageRepository{
+			Class: types.RepositoryClassThirdParty,
+		}
 		var files []string
 		if packageProvidedByVendor(pkg) {
+			repo.Class = types.RepositoryClassOfficial
 			files, err = pkg.InstalledFileNames()
 			if err != nil {
 				return nil, nil, xerrors.Errorf("unable to get installed files: %w", err)
@@ -179,6 +183,7 @@ func (a rpmPkgAnalyzer) listPkgs(ctx context.Context, db RPMDB) (types.Packages,
 			Licenses:        licenses,
 			DependsOn:       pkg.Requires, // Will be replaced with package IDs
 			Maintainer:      pkg.Vendor,
+			Repository:      repo,
 			Digest:          d,
 			InstalledFiles:  files,
 		}
--- a/pkg/fanal/analyzer/pkg/rpm/rpm_test.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm_test.go
@@ -158,6 +158,7 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
 					SrcVersion: "2.17",
 					SrcRelease: "317.el7",
 					Maintainer: "Red Hat",
+					Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 					InstalledFiles: []string{
 						"/etc/ld.so.conf",
 						"/etc/rpc",
@@ -216,6 +217,7 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
 					SrcName:    "curl",
 					SrcVersion: "8.3.0",
 					SrcRelease: "1.amzn2023.0.2",
+					Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 					InstalledFiles: []string{
 						"/usr/bin/curl",
 						"/usr/lib/.build-id",
@@ -248,11 +250,12 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
 			},
 			wantPkgs: types.Packages{
 				{
-					ID:      "glibc@2.17-307.el7.1.x86_64",
-					Name:    "glibc",
-					Version: "2.17",
-					Release: "307.el7.1",
-					Arch:    "x86_64",
+					ID:         "glibc@2.17-307.el7.1.x86_64",
+					Name:       "glibc",
+					Version:    "2.17",
+					Release:    "307.el7.1",
+					Arch:       "x86_64",
+					Repository: types.PackageRepository{Class: types.RepositoryClassThirdParty},
 				},
 			},
 		},
--- a/pkg/fanal/artifact/image/image_test.go
+++ b/pkg/fanal/artifact/image/image_test.go
@@ -36,7 +36,7 @@ import (

 // Common blob IDs used across multiple test cases to reduce duplication
 const (
-	alpineBaseLayerID     = "sha256:be60f1fe61fc63ab50b10fe0779614e605a973a38cd7d2a02f3f20b081e56d4a"
+	alpineBaseLayerID     = "sha256:6c42077a82b21707f581759b12a99cc9a593ce35a0d7be4c19c01eb48bd5ba33"
 	alpineBaseLayerDiffID = "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
 	alpineArtifactID      = "sha256:3c709d2a158be3a97051e10cd0e30f047225cb9505101feb3fadcd395c2e0408"
 	composerImageID       = "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72"
@@ -510,7 +510,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			},
 			wantBlobs: []cachetest.WantBlob{
 				{
-					ID: "sha256:f2a647dcf780c603f864e491dca1a042b1e98062b530c813681d1bb4a85bcb18",
+					ID: "sha256:75a461ca76eecc6cea981889d69aa1c2dd78c436108be8be1bbc29295520c7d4",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          3061760,
@@ -533,6 +533,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcVersion: "9.9+deb9u9",
 										Maintainer: "Santiago Vila <sanvila@debian.org>",
 										Arch:       "amd64",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -547,6 +548,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcVersion: "5.4",
 										Maintainer: "Marco d'Itri <md@linux.it>",
 										Arch:       "all",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -563,6 +565,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcRelease: "0+deb9u1",
 										Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
 										Arch:       "all",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -598,7 +601,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:c988cc5a0b8f3dc542c15c303d9200dee47d4fbed0e498a5bfbf3b4bef7a5af7",
+					ID: "sha256:81afc1747d0fdec7a606c27570313634ae331fab6f13566b23d0f6b3e498c050",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          15441920,
@@ -619,6 +622,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcRelease: "11+deb9u4",
 										Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
 										Arch:       "amd64",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -635,6 +639,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcRelease: "1~deb9u1",
 										Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
 										Arch:       "amd64",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -651,6 +656,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcRelease: "1~deb9u1",
 										Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
 										Arch:       "amd64",
+										Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
 									},
 								},
 							},
@@ -693,7 +699,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:05c19ffd5d898588400522070abd98c770b2965a7f4867d5c882c2a8783e40cc",
+					ID: "sha256:0778c3e388c54f736a3d6e74ed390a91fdb42c6809f8fb743d4f72acb41a5d6d",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          29696,
@@ -900,7 +906,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:c737743c0f8b35906650a02125f05c8b35916c0febf64984f4dfaacd0f72509d",
+					ID: "sha256:5a3e3f25fdc97a14d69d99c63dd640cd2d38af5b987b7a95084cce3d835970fb",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          6656,
@@ -1763,10 +1769,10 @@ func TestArtifact_Inspect(t *testing.T) {
 				Type: types.TypeContainerImage,
 				ID:   "sha256:0bebf0773ffd87baa7c64fbdbdf79a24ae125e3f99a8adebe52d1ccbe6bed16b",
 				BlobIDs: []string{
-					"sha256:f2a647dcf780c603f864e491dca1a042b1e98062b530c813681d1bb4a85bcb18",
-					"sha256:c988cc5a0b8f3dc542c15c303d9200dee47d4fbed0e498a5bfbf3b4bef7a5af7",
-					"sha256:05c19ffd5d898588400522070abd98c770b2965a7f4867d5c882c2a8783e40cc",
-					"sha256:c737743c0f8b35906650a02125f05c8b35916c0febf64984f4dfaacd0f72509d",
+					"sha256:75a461ca76eecc6cea981889d69aa1c2dd78c436108be8be1bbc29295520c7d4",
+					"sha256:81afc1747d0fdec7a606c27570313634ae331fab6f13566b23d0f6b3e498c050",
+					"sha256:0778c3e388c54f736a3d6e74ed390a91fdb42c6809f8fb743d4f72acb41a5d6d",
+					"sha256:5a3e3f25fdc97a14d69d99c63dd640cd2d38af5b987b7a95084cce3d835970fb",
 				},
 				ImageMetadata: artifact.ImageMetadata{
 					ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4",
@@ -1874,7 +1880,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			},
 			wantBlobs: []cachetest.WantBlob{
 				{
-					ID: "sha256:48b4a983ef1ec8f0d19934ccf7fca3d2114466ad32207e16371620628f149984",
+					ID: "sha256:a83985cade3970577a9af328db9c88c0bf15cad40f7d2cf6d76e83882bc8146d",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          3061760,
@@ -1884,7 +1890,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:a4d2820bd2c076f6153a9053843d4a56d31147ce486ec5e4a2c0405cec506d6c",
+					ID: "sha256:b109622c2d106193db505762f1f3e78cf0035a69e559caf07c305c92ddb89356",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          15441920,
@@ -1894,7 +1900,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:c5fa5e736cee843c563c222963eb89fc775f0620020ff9d51d5e5db8ef62eec4",
+					ID: "sha256:115f689385cb66077c338c52f2c9d6f3018a18c89be7fe7d23f1645422d7d59d",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          29696,
@@ -1905,7 +1911,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				},
 				{
-					ID: "sha256:7e223b95d6d589cdb196e29ef6c6ac0acdd2c471350dd9880a420b4249f6e7bb",
+					ID: "sha256:60129d309cd4f16d69262106d6074f37c6d37f6c9089a9710ec96ae067716636",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						Size:          6656,
@@ -1921,10 +1927,10 @@ func TestArtifact_Inspect(t *testing.T) {
 				Type: types.TypeContainerImage,
 				ID:   "sha256:0bebf0773ffd87baa7c64fbdbdf79a24ae125e3f99a8adebe52d1ccbe6bed16b",
 				BlobIDs: []string{
-					"sha256:48b4a983ef1ec8f0d19934ccf7fca3d2114466ad32207e16371620628f149984",
-					"sha256:a4d2820bd2c076f6153a9053843d4a56d31147ce486ec5e4a2c0405cec506d6c",
-					"sha256:c5fa5e736cee843c563c222963eb89fc775f0620020ff9d51d5e5db8ef62eec4",
-					"sha256:7e223b95d6d589cdb196e29ef6c6ac0acdd2c471350dd9880a420b4249f6e7bb",
+					"sha256:a83985cade3970577a9af328db9c88c0bf15cad40f7d2cf6d76e83882bc8146d",
+					"sha256:b109622c2d106193db505762f1f3e78cf0035a69e559caf07c305c92ddb89356",
+					"sha256:115f689385cb66077c338c52f2c9d6f3018a18c89be7fe7d23f1645422d7d59d",
+					"sha256:60129d309cd4f16d69262106d6074f37c6d37f6c9089a9710ec96ae067716636",
 				},
 				ImageMetadata: artifact.ImageMetadata{
 					ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4",
--- a/pkg/fanal/artifact/local/fs_test.go
+++ b/pkg/fanal/artifact/local/fs_test.go
@@ -226,7 +226,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			wantBlobs: []cachetest.WantBlob{
 				{
 					// Cache key is based on commit hash (8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35)
-					ID: "sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
+					ID: "sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 					},
@@ -235,9 +235,9 @@ func TestArtifact_Inspect(t *testing.T) {
 			want: artifact.Reference{
 				Name: "../../../../internal/gittest/testdata/test-repo",
 				Type: types.TypeRepository,
-				ID:   "sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
+				ID:   "sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
 				BlobIDs: []string{
-					"sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
+					"sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
 				},
 				RepoMetadata: artifact.RepoMetadata{
 					RepoURL:   "https://github.com/aquasecurity/trivy-test-repo/",
@@ -2383,7 +2383,7 @@ func TestYAMLConfigScan(t *testing.T) {
 											Severity: "LOW",
 										},
 										CauseMetadata: types.CauseMetadata{
-											Provider: "Generic",
+											Provider: "Yaml",
 											Service:  "general",
 										},
 									},
@@ -2405,7 +2405,7 @@ func TestYAMLConfigScan(t *testing.T) {
 											Severity: "LOW",
 										},
 										CauseMetadata: types.CauseMetadata{
-											Provider: "Generic",
+											Provider: "Yaml",
 											Service:  "general",
 										},
 									},
@@ -2454,7 +2454,7 @@ func TestYAMLConfigScan(t *testing.T) {
 											Severity: "LOW",
 										},
 										CauseMetadata: types.CauseMetadata{
-											Provider: "Generic",
+											Provider: "Yaml",
 											Service:  "general",
 										},
 									},
--- a/pkg/fanal/artifact/local/testdata/misconfig/yaml/passed/checks/test.rego
+++ b/pkg/fanal/artifact/local/testdata/misconfig/yaml/passed/checks/test.rego
@@ -4,6 +4,9 @@
 #   id: TEST001
 #   avd_id: TEST001
 #   severity: LOW
+#   input:
+#     selector:
+#       - type: yaml
 package user.test_yaml_check

 deny[res] {
--- a/pkg/fanal/artifact/local/testdata/misconfig/yaml/with-schema/checks/test.rego
+++ b/pkg/fanal/artifact/local/testdata/misconfig/yaml/with-schema/checks/test.rego
@@ -4,6 +4,9 @@
 #   id: TEST001
 #   avd_id: TEST001
 #   severity: LOW
+#   input:
+#     selector:
+#       - type: yaml
 package user.test_yaml_check

 deny[res] {
--- a/pkg/fanal/artifact/repo/git_test.go
+++ b/pkg/fanal/artifact/repo/git_test.go
@@ -183,9 +183,9 @@ func TestArtifact_Inspect(t *testing.T) {
 			want: artifact.Reference{
 				Name: ts.URL + "/test-repo.git",
 				Type: types.TypeRepository,
-				ID:   "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
+				ID:   "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
 				BlobIDs: []string{
-					"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
+					"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
 				},
 				RepoMetadata: artifact.RepoMetadata{
 					RepoURL:   ts.URL + "/test-repo.git",
@@ -207,9 +207,9 @@ func TestArtifact_Inspect(t *testing.T) {
 			want: artifact.Reference{
 				Name: "../../../../internal/gittest/testdata/test-repo",
 				Type: types.TypeRepository,
-				ID:   "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
+				ID:   "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
 				BlobIDs: []string{
-					"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
+					"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
 				},
 				RepoMetadata: artifact.RepoMetadata{
 					RepoURL:   "https://github.com/aquasecurity/trivy-test-repo/",
@@ -267,16 +267,16 @@ func TestArtifact_Inspect(t *testing.T) {
 					},
 				}
 				// Store the blob info in the cache to test cache hit
-				cacheKey := "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c"
+				cacheKey := "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d"
 				err := c.PutBlob(t.Context(), cacheKey, blobInfo)
 				require.NoError(t, err)
 			},
 			want: artifact.Reference{
 				Name: "../../../../internal/gittest/testdata/test-repo",
 				Type: types.TypeRepository,
-				ID:   "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c",
+				ID:   "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d",
 				BlobIDs: []string{
-					"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c",
+					"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d",
 				},
 				RepoMetadata: artifact.RepoMetadata{
 					RepoURL:   "https://github.com/aquasecurity/trivy-test-repo/",
--- a/pkg/fanal/test/integration/testdata/goldens/packages/amazon-2.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/amazon-2.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/debian-buster.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/debian-buster.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/fedora-35.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/fedora-35.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-leap-151.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-leap-151.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/photon-30.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/photon-30.json.golden
@@ -11,7 +11,10 @@
    "Licenses": [
      "GPLv3"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "bzip2-libs@1.0.6-10.ph3.x86_64",
@@ -25,7 +28,10 @@
    "Licenses": [
      "BSD"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "ca-certificates@20190521-1.ph3.x86_64",
@@ -39,7 +45,10 @@
    "Licenses": [
      "Custom"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "ca-certificates-pki@20190521-1.ph3.x86_64",
@@ -53,7 +62,10 @@
    "Licenses": [
      "Custom"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "curl@7.61.1-4.ph3.x86_64",
@@ -67,7 +79,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "curl-libs@7.61.1-4.ph3.x86_64",
@@ -81,7 +96,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "e2fsprogs-libs@1.44.3-2.ph3.x86_64",
@@ -95,7 +113,10 @@
    "Licenses": [
      "GPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "elfutils-libelf@0.176-1.ph3.x86_64",
@@ -109,7 +130,10 @@
    "Licenses": [
      "GPLv2+ or LGPLv3+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "expat-libs@2.2.6-2.ph3.x86_64",
@@ -123,7 +147,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "filesystem@1.1-4.ph3.x86_64",
@@ -137,7 +164,10 @@
    "Licenses": [
      "GPLv3"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "glibc@2.28-3.ph3.x86_64",
@@ -151,7 +181,10 @@
    "Licenses": [
      "LGPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "gpg-pubkey@66fd4949-4803fe57.",
@@ -161,7 +194,10 @@
    "Arch": "None",
    "Licenses": [
      "pubkey"
-    ]
+    ],
+    "Repository": {
+      "Class": "third-party"
+    }
  },
  {
    "ID": "krb5@1.17-1.ph3.x86_64",
@@ -175,7 +211,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "libcap@2.25-8.ph3.x86_64",
@@ -189,7 +228,10 @@
    "Licenses": [
      "GPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "libdb@5.3.28-2.ph3.x86_64",
@@ -203,7 +245,10 @@
    "Licenses": [
      "BSD and LGPLv2 and Sleepycat"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "libgcc@7.3.0-4.ph3.x86_64",
@@ -217,7 +262,10 @@
    "Licenses": [
      "GPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "libsolv@0.6.26-5.ph3.x86_64",
@@ -231,7 +279,10 @@
    "Licenses": [
      "BSD"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "libssh2@1.9.0-1.ph3.x86_64",
@@ -245,7 +296,10 @@
    "Licenses": [
      "BSD"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "ncurses-libs@6.1-1.ph3.x86_64",
@@ -259,7 +313,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "nspr@4.21-1.ph3.x86_64",
@@ -273,7 +330,10 @@
    "Licenses": [
      "MPLv2.0"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "nss-libs@3.44-2.ph3.x86_64",
@@ -287,7 +347,10 @@
    "Licenses": [
      "MPLv2.0"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "openssl@1.0.2s-1.ph3.x86_64",
@@ -301,7 +364,10 @@
    "Licenses": [
      "OpenSSL"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "photon-release@3.0-3.ph3.noarch",
@@ -315,7 +381,10 @@
    "Licenses": [
      "Apache License"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "photon-repos@3.0-3.ph3.noarch",
@@ -329,7 +398,10 @@
    "Licenses": [
      "Apache License"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "popt@1.16-5.ph3.x86_64",
@@ -343,7 +415,10 @@
    "Licenses": [
      "MIT"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "readline@7.0-2.ph3.x86_64",
@@ -357,7 +432,10 @@
    "Licenses": [
      "GPLv3+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "rpm-libs@4.14.2-4.ph3.x86_64",
@@ -371,7 +449,10 @@
    "Licenses": [
      "GPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "sqlite-libs@3.27.2-3.ph3.x86_64",
@@ -385,7 +466,10 @@
    "Licenses": [
      "Public Domain"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "tdnf@2.0.0-10.ph3.x86_64",
@@ -399,7 +483,10 @@
    "Licenses": [
      "LGPLv2.1,GPLv2"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "tdnf-cli-libs@2.0.0-10.ph3.x86_64",
@@ -413,7 +500,10 @@
    "Licenses": [
      "LGPLv2.1,GPLv2"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "toybox@0.7.7-1.ph3.x86_64",
@@ -427,7 +517,10 @@
    "Licenses": [
      "BSD"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "xz-libs@5.2.4-1.ph3.x86_64",
@@ -441,7 +534,10 @@
    "Licenses": [
      "GPLv2+ and GPLv3+ and LGPLv2+"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  },
  {
    "ID": "zlib@1.2.11-1.ph3.x86_64",
@@ -455,6 +551,9 @@
    "Licenses": [
      "zlib"
    ],
-    "Maintainer": "VMware, Inc."
+    "Maintainer": "VMware, Inc.",
+    "Repository": {
+      "Class": "official"
+    }
  }
 ]
--- a/pkg/fanal/test/integration/testdata/goldens/packages/suse-15.3_ndb.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/suse-15.3_ndb.json.golden
--- a/pkg/fanal/test/integration/testdata/goldens/packages/ubi-7.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/ubi-7.json.golden
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dependabot[bot]	467b159e68	chore(deps): bump the docker group across 1 directory with 2 updates Bumps the docker group with 2 updates in the / directory: [github.com/docker/cli](https://github.com/docker/cli) and [github.com/moby/buildkit](https://github.com/moby/buildkit). Updates `github.com/docker/cli` from 29.1.1+incompatible to 29.1.3+incompatible - [Commits](https://github.com/docker/cli/compare/v29.1.1...v29.1.3) Updates `github.com/moby/buildkit` from 0.26.2 to 0.26.3 - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](https://github.com/moby/buildkit/compare/v0.26.2...v0.26.3) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-version: 29.1.3+incompatible dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker - dependency-name: github.com/moby/buildkit dependency-version: 0.26.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker ... Signed-off-by: dependabot[bot] <support@github.com>	2025-12-22 14:02:14 +00:00
DmitriyLewen	7a6594c745	chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973 )	2025-12-22 12:20:10 +00:00
urimils	d3096e7617	feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930 ) Co-authored-by: urimils <urimils@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2025-12-22 11:45:49 +00:00
Teppei Fukuda	74819bf457	feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932 )	2025-12-22 10:56:30 +00:00
DmitriyLewen	56f93a1bcf	docs: add info that `--file-pattern` flag doesn't disable default behaviuor (#9961 )	2025-12-22 08:55:26 +00:00
Ankit Pramanik	10a50a7429	perf(misconf): optimize string concatenation in azure scanner (#9969 )	2025-12-22 05:37:36 +00:00
Owen Rumney	75c4dc0f45	chore: add client option to install script (#9962 ) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>	2025-12-19 09:49:08 +00:00
Aqua Security automated builds	87772521b6	ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956 ) Co-authored-by: GitHub Actions <actions@github.com>	2025-12-17 07:13:29 +00:00
dependabot[bot]	5eda0a4e85	chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-17 06:07:48 +00:00
Igor Adulyan	718ec29ec6	docs: update binary signature verification for sigstore bundles (#9929 )	2025-12-12 06:56:26 +00:00
DmitriyLewen	d528250a1d	chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935 )	2025-12-12 06:55:39 +00:00
DmitriyLewen	f50b96a815	chore(alpine): add EOL date for alpine 3.23 (#9934 )	2025-12-12 06:55:09 +00:00
Nikita Pivkin	d65b504cb2	feat(cloudformation): add support for Fn::ForEach (#9508 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-12-11 18:53:03 +00:00
DmitriyLewen	1a901e5c75	ci: enable `check-latest` for `setup-go` (#9931 )	2025-12-11 08:17:40 +00:00
Teppei Fukuda	effc1c0d4d	feat(debian): detect third-party packages using maintainer list (#9917 )	2025-12-11 05:18:31 +00:00
DmitriyLewen	335cc993fa	fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924 )	2025-12-10 12:16:31 +00:00
Kélian Saint-Bonnet	879e4fca12	feat(helm): add sslCertDir parameter (#9697 )	2025-12-09 23:15:31 +00:00
Nikita Pivkin	18ecf75176	fix(misconf): respect .yml files when Helm charts are detected (#9912 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-12-09 23:07:39 +00:00
Teppei Fukuda	56b59e8abb	feat(php): add support for dev dependencies in Composer (#9910 )	2025-12-09 12:40:05 +00:00
dependabot[bot]	f58826fb2a	chore(deps): bump the common group across 1 directory with 9 updates (#9903 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-09 05:35:08 +00:00
dependabot[bot]	39273f34cc	chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>	2025-12-08 10:25:32 +00:00
Thomas Hille	9db123ccf8	fix: remove trailing tab in statefulset template (#9889 )	2025-12-08 06:17:59 +00:00
Matt Bauman	c2f82add3a	feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800 ) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>	2025-12-05 10:15:16 +00:00
Nikita Pivkin	9275e1532b	feat(misconf): initial ansible scanning support (#9332 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: Simar <simar@linux.com> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>	2025-12-05 06:20:37 +00:00
yagreut	48dfedeb1e	feat(misconf): Update Azure Database schema (#9811 ) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>	2025-12-05 05:28:25 +00:00
Aqua Security automated builds	75171128a4	ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869 ) Co-authored-by: GitHub Actions <actions@github.com>	2025-12-04 01:06:08 +00:00
Owen Rumney	32f3df11a2	chore: update the install script (#9874 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2025-12-03 17:12:33 +00:00