gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-19 10:42:43 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.68.2
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.56.1
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

2 Commits
v0.68.2 ... v0.56.1

Author SHA1 Message Date
Aqua Security automated builds
95dbf1152b release: v0.56.1 [release/v0.56] (#7648) 2024-10-03 14:10:29 +00:00
Aqua Security automated builds
5dbdadfe45 fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2024-10-03 13:26:26 +00:00
1654 changed files with 59125 additions and 85647 deletions
Expand all files Collapse all files

5
.clang-format Normal file
View File

@@ -0,0 +1,5 @@
---
Language: Proto
BasedOnStyle: Google
AlignConsecutiveAssignments: true
AlignConsecutiveDeclarations: true

16
.github/CODEOWNERS vendored
View File

@@ -8,15 +8,15 @@ pkg/sbom/ @knqyf263 @DmitriyLewen
pkg/scanner/ @knqyf263 @DmitriyLewen
# Misconfiguration scanning
docs/guide/scanner/misconfiguration/ @simar7 @nikpivkin
docs/guide/target/aws.md @simar7 @nikpivkin
pkg/fanal/analyzer/config/ @simar7 @nikpivkin
pkg/config/aws/ @simar7 @nikpivkin
pkg/iac/ @simar7 @nikpivkin
docs/docs/scanner/misconfiguration/ @simar7 @nikpivkin
docs/docs/target/aws.md @simar7 @nikpivkin
pkg/fanal/analyzer/config/ @simar7 @nikpivkin
pkg/cloud/ @simar7 @nikpivkin
pkg/iac/ @simar7 @nikpivkin
# Helm chart
helm/trivy/ @afdesk @simar7
helm/trivy/ @afdesk
# Kubernetes scanning
pkg/k8s/ @afdesk @simar7
docs/guide/target/kubernetes.md @afdesk @simar7
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk

4
.github/DISCUSSION_TEMPLATE/bugs.yml vendored
View File

@@ -10,7 +10,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/docs/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
@@ -117,7 +117,7 @@ body:
description: Have you tried the following?
options:
- label: Run `trivy clean --all`
- label: Read [the troubleshooting](https://trivy.dev/docs/latest/references/troubleshooting/)
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- type: markdown
attributes:
value: |

2
.github/DISCUSSION_TEMPLATE/documentation.yml vendored
View File

@@ -7,7 +7,7 @@ body:
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://trivy.dev/docs/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

4
.github/DISCUSSION_TEMPLATE/false-detection.yml vendored
View File

@@ -8,7 +8,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/docs/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: input
attributes:
label: IDs
@@ -86,7 +86,7 @@ body:
attributes:
label: Checklist
options:
- label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
- label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
validations:
required: true

2
.github/DISCUSSION_TEMPLATE/ideas.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/docs/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

2
.github/DISCUSSION_TEMPLATE/q-a.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://trivy.dev/docs/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Question

11
.github/ISSUE_TEMPLATE/maintainer.md vendored
View File

@@ -1,11 +0,0 @@
---
name: Maintainer
about: Create an issue by maintainers
title: ''
labels: ''
assignees: ''
---
## Are you a maintainer of the Trivy project?
If not, please open [a discussion](https://github.com/aquasecurity/trivy/discussions); if you are, please review [the guideline](https://trivy.dev/docs/latest/community/contribute/discussion/).

31
.github/actions/trivy-triage/helpers.js vendored
View File

@@ -1,11 +1,6 @@
const patterns = {
Scanner: /### Scanner\r?\n\r?\n(.+)/,
Target: /### Target\r?\n\r?\n(.+)/,
};
module.exports = {
detectDiscussionLabels: (discussion, configDiscussionLabels) => {
const res = [];
res = [];
const discussionId = discussion.id;
const category = discussion.category.name;
const body = discussion.body;
@@ -13,21 +8,15 @@ module.exports = {
console.log(`skipping discussion with category ${category} and body ${body}`);
return [];
}
for (const key in patterns) {
const match = body.match(patterns[key]);
if (match && match.length > 1 && match[1] !== "None") {
const val = configDiscussionLabels[match[1]];
if (val === undefined && match[1]) {
console.warn(
`Value for ${key.toLowerCase()} key "${
match[1]
}" not found in configDiscussionLabels`
);
} else {
res.push(val);
}
}
const scannerPattern = /### Scanner\n\n(.+)/;
const scannerFound = body.match(scannerPattern);
if (scannerFound && scannerFound.length > 1) {
res.push(configDiscussionLabels[scannerFound[1]]);
}
const targetPattern = /### Target\n\n(.+)/;
const targetFound = body.match(targetPattern);
if (targetFound && targetFound.length > 1) {
res.push(configDiscussionLabels[targetFound[1]]);
}
return res;
},

21
.github/actions/trivy-triage/helpers.test.js vendored
View File

@@ -62,17 +62,6 @@ describe('trivy-triage', async function() {
assert(labels.includes('ContainerImageLabel'));
assert(labels.includes('VulnerabilityLabel'));
});
it('detect scanner and target labels on windows', async function() {
const discussion = {
body: 'hello hello\r\nbla bla.\r\n### Scanner\r\n\r\nVulnerability\r\n### Target\r\n\r\nContainer Image\r\nbye bye.',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert(labels.includes('ContainerImageLabel'));
assert(labels.includes('VulnerabilityLabel'));
});
it('not detect other labels', async function() {
const discussion = {
body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.',
@@ -84,16 +73,6 @@ describe('trivy-triage', async function() {
assert(!labels.includes('FilesystemLabel'));
assert(!labels.includes('MisconfigurationLabel'));
});
it('ignores unmatched label values from body', async function() {
const discussion = {
body: '### Target\r\n\r\nNone\r\n\r\n### Scanner\r\n\r\nMisconfiguration',
category: {
name: 'Ideas'
}
};
const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
assert.deepStrictEqual(labels, ['MisconfigurationLabel']);
});
it('process only relevant categories', async function() {
const discussion = {
body: 'hello world',

2
.github/dependabot.yml vendored
View File

@@ -21,8 +21,6 @@ updates:
directory: /
schedule:
interval: weekly
cooldown:
default-days: 3
ignore:
- dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
groups:

4
.github/pull_request_template.md vendored
View File

@@ -10,8 +10,8 @@
Remove this section if you don't have related PRs.
## Checklist
- [ ] I've read the [guidelines for contributing](https://trivy.dev/docs/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://trivy.dev/docs/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)

182
.github/workflows/apidiff.yaml vendored
View File

@@ -1,182 +0,0 @@
name: API Diff Check
on:
# SECURITY: Using pull_request_target to support fork PRs with write permissions.
# PR code is checked out but only for static analysis - it is never executed.
# If modifying this workflow, ensure PR code is never executed and user inputs are not used unsafely.
pull_request_target:
types: [opened, synchronize]
paths:
- 'pkg/**/*.go'
- 'rpc/**/*.go'
permissions:
contents: read
pull-requests: write
issues: write
jobs:
apidiff:
runs-on: ubuntu-24.04
name: API Diff Check
steps:
# Check if PR has conflicts. When conflicts exist, the merge commit becomes
# frozen at an old state and apidiff cannot run correctly.
- name: Check for merge conflicts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
# pull_request_target and mergeability are processed asynchronously.
# As a result, its possible that we start the check before GitHub has finished calculating the mergeability.
# To handle this, a retry mechanism has been added — it waits for 2 seconds after each attempt.
# If mergeable_state isnt obtained after 5 attempts, an error is returned.
run: |
MAX=5
for i in $(seq 1 "$MAX"); do
state=$(gh api "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER" --jq .mergeable_state)
echo "mergeable_state=$state"
if [ "$state" = "dirty" ]; then
echo "::error::This PR has merge conflicts. Please resolve conflicts before running apidiff."
exit 1
fi
if [ -n "$state" ] && [ "$state" != "unknown" ] && [ "$state" != "null" ]; then
break
fi
if [ "$i" -lt "$MAX" ] && { [ -z "$state" ] || [ "$state" = "unknown" ] || [ "$state" = "null" ]; }; then
echo "::error::Could not determine mergeability after $i tries."
exit 1
fi
sleep 2
done
# Checkout PR merge commit to compare against base branch
# This ensures we compare the actual merge result with the base branch,
# avoiding false positives when PR is not rebased with latest main
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
check-latest: true # Ensure we use the latest Go patch version
cache: false
# Ensure the base commit exists locally for go-apidiff to compare against.
# Even though we checkout the merge commit, go-apidiff needs the base ref to exist.
# Use base.ref instead of base.sha, since base.sha is outdated (not updated after every commit).
# cf. https://github.com/orgs/community/discussions/59677
- name: Fetch base commit
id: fetch_base
run: |
set -euo pipefail
BASE_REF="${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}"
if [ -z "${BASE_REF:-}" ]; then
echo "::error::BASE_REF is empty (no base ref in event payload)"; exit 1
fi
git fetch --depth=1 origin "$BASE_REF"
BASE_SHA="$(git rev-parse "origin/$BASE_REF")"
if [ -z "${BASE_SHA:-}" ]; then
echo "::error::BASE_SHA is empty (failed to resolve origin/$BASE_REF)"; exit 1
fi
echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
# NOTE: go-apidiff is not managed in go.mod because installing it via `go get -tool`
# would cause `mage tool:install` to attempt building it on Windows, which currently
# fails due to platform-specific issues.
- name: Run go-apidiff
id: apidiff
continue-on-error: true
uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # v0.8.3
with:
base-ref: ${{ steps.fetch_base.outputs.base_sha }}
version: v0.8.3
- name: Add apidiff label
if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const label = 'apidiff';
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
labels: [label],
});
- name: Comment API diff
if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
APIDIFF_OUTPUT: ${{ steps.apidiff.outputs.output }}
SEMVER_TYPE: ${{ steps.apidiff.outputs.semver-type }}
with:
script: |
const header = '## 📊 API Changes Detected';
const diff = process.env.APIDIFF_OUTPUT.trim();
const semver = process.env.SEMVER_TYPE || 'unknown';
const body = [
header,
'',
`Semver impact: \`${semver}\``,
'',
'```',
diff,
'```',
].join('\n');
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const existing = comments.find(comment =>
comment.user.type === 'Bot' &&
comment.body.startsWith(header),
);
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body,
});
}
# Attempt to request the premium reviewers; needs org-scoped token because GITHUB_TOKEN lacks read:org.
- name: Request trivy-premium review
if: ${{ steps.apidiff.outputs.semver-type == 'major' }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
github-token: ${{ secrets.ORG_REPO_TOKEN }}
script: |
try {
await github.rest.pulls.requestReviewers({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
team_reviewers: ['trivy-premium'],
});
console.log('Requested review from aquasecurity/trivy-premium team');
} catch (error) {
core.error(`Failed to request trivy-premium reviewers: ${error.message}`);
throw error;
}

4
.github/workflows/auto-close-issue.yaml vendored
View File

@@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Close issue if user does not have write or admin permissions
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
uses: actions/github-script@v7
with:
script: |
// Get the issue creator's username
@@ -26,7 +26,7 @@ jobs:
// If the user does not have write or admin permissions, leave a comment and close the issue
if (permission !== 'write' && permission !== 'admin') {
const commentBody = "Please see https://trivy.dev/docs/latest/community/contribute/issue/";
const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,

138
.github/workflows/auto-ready-for-review.yaml vendored
View File

@@ -1,138 +0,0 @@
name: Auto Ready for Review
on:
workflow_run:
workflows: ["Test", "Validate PR Title"]
types: [completed]
jobs:
auto-ready-for-review:
runs-on: ubuntu-24.04
if: github.event.workflow_run.event == 'pull_request'
steps:
- name: Get PR context
id: pr-context
env:
GH_TOKEN: ${{ github.token }}
PR_BRANCH: |-
${{
(github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
&& format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
|| github.event.workflow_run.head_branch
}}
run: |
echo "[INFO] Searching for PR with branch: ${PR_BRANCH}"
if gh pr view --repo "${{ github.repository }}" "${PR_BRANCH}" --json 'number' --jq '"number=\(.number)"' >> "${GITHUB_OUTPUT}"; then
echo "[INFO] PR found successfully"
else
echo "[INFO] No PR found for branch ${PR_BRANCH}, skipping"
echo "skip=true" >> "${GITHUB_OUTPUT}"
fi
- name: Check PR and all workflows status
if: steps.pr-context.outputs.skip != 'true'
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const prNumber = ${{ steps.pr-context.outputs.number }};
console.log(`[INFO] Processing PR #${prNumber}`);
// Get PR info
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber
});
console.log(`[INFO] PR #${prNumber} - Draft: ${pr.draft}, Labels: ${pr.labels.map(l => l.name).join(', ')}`);
// Check if PR has autoready label and is draft
const hasAutoreadyLabel = pr.labels.some(label => label.name === 'autoready');
if (!pr.draft) {
console.log(`[INFO] PR #${prNumber} is not draft, skipping`);
return;
}
if (!hasAutoreadyLabel) {
console.log(`[INFO] PR #${prNumber} doesn't have autoready label, skipping`);
return;
}
// Get all workflow runs for this PR's head commit (head_sha)
const { data: workflowRuns } = await github.rest.actions.listWorkflowRunsForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
head_sha: pr.head.sha,
per_page: 100
});
console.log(`[INFO] Found ${workflowRuns.workflow_runs.length} workflow runs for PR #${prNumber}`);
// Check workflow status
const runningWorkflows = workflowRuns.workflow_runs.filter(run =>
run.status === 'in_progress' || run.status === 'queued'
);
const failedWorkflows = workflowRuns.workflow_runs.filter(run =>
run.conclusion === 'failure' || run.conclusion === 'cancelled'
);
const successfulWorkflows = workflowRuns.workflow_runs.filter(run =>
run.conclusion === 'success'
);
console.log(`[INFO] Workflow status - Running: ${runningWorkflows.length}, Failed: ${failedWorkflows.length}, Success: ${successfulWorkflows.length}`);
if (runningWorkflows.length > 0) {
console.log(`[INFO] Some workflows are still running: ${runningWorkflows.map(w => w.name).join(', ')}`);
return;
}
if (failedWorkflows.length > 0) {
console.log(`[INFO] Some workflows failed: ${failedWorkflows.map(w => w.name).join(', ')}`);
return;
}
console.log(`[INFO] All workflows passed! Marking PR #${prNumber} as ready for review...`);
// Mark PR as ready for review using GraphQL API
// Reference: https://github.com/orgs/community/discussions/70061
try {
const mutation = `
mutation MarkPullRequestReadyForReview($pullRequestId: ID!) {
markPullRequestReadyForReview(input: { pullRequestId: $pullRequestId }) {
pullRequest {
id
isDraft
number
}
}
}
`;
const updateResult = await github.graphql(mutation, {
pullRequestId: pr.node_id
});
const isDraft = updateResult.markPullRequestReadyForReview.pullRequest.isDraft;
console.log(`[SUCCESS] PR #${prNumber} marked as ready for review. Draft status: ${isDraft}`);
} catch (error) {
console.log(`[ERROR] Failed to mark PR #${prNumber} as ready for review: ${error.message}`);
console.log(`[ERROR] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
return;
}
// Remove autoready label
try {
const labelResult = await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
name: 'autoready'
});
console.log(`[SUCCESS] autoready label removed from PR #${prNumber}. Status: ${labelResult.status}`);
} catch (error) {
console.log(`[WARNING] Could not remove autoready label from PR #${prNumber}: ${error.message}`);
console.log(`[WARNING] Error details: ${JSON.stringify(error.response?.data || error, null, 2)}`);
}

16
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -5,23 +5,27 @@ on:
- 'misc/triage/labels.yaml'
branches:
- main
env:
GO_VERSION: '1.22'
jobs:
deploy:
name: Auto-update labels
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: update labels
env:

17
.github/workflows/backport.yaml vendored
View File

@@ -16,7 +16,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PERMISSION=$(gh api /repos/$GITHUB_REPOSITORY/collaborators/$GITHUB_ACTOR/permission --jq '.permission')
PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
echo "is_maintainer=true" >> $GITHUB_OUTPUT
else
@@ -36,20 +36,14 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract branch name
env:
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
BRANCH_NAME=$(echo "$COMMENT_BODY" | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
if [[ -z "$BRANCH_NAME" || "$BRANCH_NAME" == *".."* || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$ ]]; then
echo "Error: Invalid branch name extracted (unsafe characters detected)." >&2
exit 1
fi
echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"
BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
- name: Set up Git user
run: |
@@ -57,9 +51,8 @@ jobs:
git config --global user.name "GitHub Actions"
- name: Run backport script
run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"

2
.github/workflows/bypass-test.yaml vendored
View File

@@ -9,7 +9,6 @@ on:
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
- 'helm/trivy/Chart.yaml'
pull_request:
paths:
- '**.md'
@@ -17,7 +16,6 @@ on:
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json'
- 'helm/trivy/Chart.yaml'
jobs:
test:
name: Test

101
.github/workflows/cache-test-assets.yaml vendored
View File

@@ -1,101 +0,0 @@
name: Cache test assets
# This workflow runs on the main branch to create caches that can be accessed by PRs.
# GitHub Actions cache isolation restricts access:
# - PRs can only restore caches from: current branch, base branch, and default branch (main)
# - PRs cannot restore caches from sibling branches or other PR branches
# - By creating caches on the main branch, all PRs can benefit from shared cache
on:
push:
branches: [main]
workflow_dispatch:
jobs:
test-images:
name: Cache test images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore and save test images cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
- name: Download test images
run: mage test:fixtureContainerImages
test-vm-images:
name: Cache test VM images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore and save test VM images cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
- name: Download test VM images
run: mage test:fixtureVMImages
lint-cache:
name: Cache lint results
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Run golangci-lint for caching
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
with:
version: v2.4
args: --verbose
env:
GOEXPERIMENT: jsonv2

86
.github/workflows/cache-test-images.yaml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: Cache test images
on:
schedule:
- cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
workflow_dispatch:
jobs:
test-images:
name: Cache test images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test image cache only for main branch
- name: Restore and save test images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Download test images
if: github.ref_name == 'main'
run: mage test:fixtureContainerImages
test-vm-images:
name: Cache test VM images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test VM image cache only for main branch
- name: Restore and save test VM images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Download test VM images
if: github.ref_name == 'main'
run: mage test:fixtureVMImages

19
.github/workflows/canary.yaml vendored
View File

@@ -25,43 +25,36 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
# Upload artifacts
- name: Upload artifacts (trivy_Linux-64bit)
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
uses: actions/upload-artifact@v4
with:
name: trivy_Linux-64bit
path: dist/trivy_*_Linux-64bit.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_Linux-ARM64)
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
uses: actions/upload-artifact@v4
with:
name: trivy_Linux-ARM64
path: dist/trivy_*_Linux-ARM64.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_macOS-64bit)
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
uses: actions/upload-artifact@v4
with:
name: trivy_macOS-64bit
path: dist/trivy_*_macOS-64bit.tar.gz
if-no-files-found: error
- name: Upload artifacts (trivy_macOS-ARM64)
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
uses: actions/upload-artifact@v4
with:
name: trivy_macOS-ARM64
path: dist/trivy_*_macOS-ARM64.tar.gz
if-no-files-found: error
- name: Delete cache after upload
run: |
gh cache delete "$CACHE_KEY" --repo "${{ github.repository }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CACHE_KEY: ${{ runner.os }}-bins-${{ github.workflow }}-${{ github.sha }}

6
.github/workflows/mkdocs-dev.yaml vendored
View File

@@ -12,17 +12,17 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}

22
.github/workflows/mkdocs-latest.yaml vendored
View File

@@ -14,17 +14,17 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
@@ -40,19 +40,3 @@ jobs:
- name: Deploy the latest documents from manual trigger
if: ${{ github.event.inputs.version != '' }}
run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
# This workflow is used to trigger the trivy-www deployment
trigger-trivy-www-deploy:
needs: deploy
runs-on: ubuntu-22.04
steps:
- name: Trigger update_version workflow in trivy-telemetry
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows triggering workflows in other repositories
GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
run: |
gh workflow run build-docs.yml \
--repo ${{ github.repository_owner }}/trivy-www \
--ref main \
--field from_version=${{ github.ref_name }}

37
.github/workflows/publish-chart.yaml vendored
View File

@@ -4,15 +4,13 @@ name: Publish Helm chart
on:
workflow_dispatch:
pull_request:
types:
- opened
- synchronize
- reopened
- closed
branches:
- main
paths:
- 'helm/trivy/**'
push:
tags:
- "v*"
env:
HELM_REP: helm-charts
GH_OWNER: aquasecurity
@@ -20,31 +18,26 @@ env:
KIND_VERSION: "v0.14.0"
KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
jobs:
# `test-chart` job starts if a PR with Helm Chart is created, merged etc.
test-chart:
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
with:
version: v3.14.4
version: v3.5.0
- name: Set up python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
uses: actions/setup-python@v5
with:
python-version: '3.x'
check-latest: true
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
with:
# v6.0.0 resolved the compatibility issue with Python > 3.13. may be removed after the action itself is updated
yamale_version: "6.0.0"
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
@@ -55,16 +48,14 @@ jobs:
sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
# `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
publish-chart:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
needs:
- test-chart
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Install chart-releaser

16
.github/workflows/release-please.yaml vendored
View File

@@ -19,7 +19,7 @@ jobs:
steps:
- name: Release Please
id: release
uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
uses: googleapis/release-please-action@v4
with:
token: ${{ secrets.ORG_REPO_TOKEN }}
target-branch: ${{ github.ref_name }}
@@ -47,16 +47,14 @@ jobs:
- name: Extract version and PR number from commit message
id: extract_info
shell: bash
env:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
echo "version=$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "$COMMIT_MESSAGE" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "$COMMIT_MESSAGE" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
- name: Tag release
if: ${{ steps.extract_info.outputs.version }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
uses: actions/github-script@v7
with:
github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
script: |
@@ -70,7 +68,7 @@ jobs:
# When v0.50.0 is released, a release branch "release/v0.50" is created.
- name: Create release branch for patch versions
if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
script: |
@@ -98,7 +96,7 @@ jobs:
# cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
- name: Remove the label from PR
if: ${{ steps.extract_info.outputs.pr_number }}
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |

21
.github/workflows/release-pr-check.yaml vendored
View File

@@ -1,21 +0,0 @@
name: Backport PR Check
on:
pull_request:
branches:
- 'release/v*'
jobs:
check-pr-author:
runs-on: ubuntu-latest
steps:
- name: Check PR author
id: check_author
env:
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
run: |
if [ "$PR_AUTHOR" != "aqua-bot" ]; then
echo "::error::This branch is intended for automated backporting by bot. Please refer to the documentation:"
echo "::error::https://trivy.dev/docs/latest/community/maintainer/backporting/"
exit 1
fi

79
.github/workflows/release.yaml vendored
View File

@@ -19,12 +19,12 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache@v4.0.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,10 +35,11 @@ jobs:
sudo apt-get -y install rpm reprepro createrepo-c distro-info
- name: Checkout trivy-repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
repository: ${{ github.repository_owner }}/trivy-repo
path: trivy-repo
fetch-depth: 0
token: ${{ secrets.ORG_REPO_TOKEN }}
- name: Setup git settings
@@ -54,75 +55,3 @@ jobs:
- name: Create deb repository
run: ci/deploy-deb.sh
# `update-chart-version` creates a new PR for updating the helm chart
update-chart-version:
needs: deploy-packages
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
check-latest: true # Ensure we use the latest Go patch version
cache: false
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Create a PR with Trivy version
run: mage helm:updateVersion
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows the created PR to trigger tests and other workflows
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
# `trigger-version-update` triggers the `update_version` workflow in the `trivy-telemetry` repository
# and the trivy-downloads repository.
trigger-version-update:
needs: deploy-packages
runs-on: ubuntu-22.04
steps:
- name: Trigger update_version workflow in trivy-telemetry
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows triggering workflows in other repositories
GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
run: |
gh workflow run update_version.yml \
--repo ${{ github.repository_owner }}/trivy-telemetry \
--ref main \
--field version=${{ github.ref_name }}
- name: Trigger update_version workflow in trivy-downloads
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows triggering workflows in other repositories
GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
run: |
gh workflow run update_version.yml \
--repo ${{ github.repository_owner }}/trivy-downloads \
--ref main \
--field version=${{ github.ref_name }} \
--field artifact=trivy
- name: Trigger version update and release workflow in trivy-chocolatey
env:
# Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
# This allows triggering workflows in other repositories
GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
run: |
gh workflow run release.yml \
--repo ${{ github.repository_owner }}/trivy-chocolatey \
--ref main \
--field version=${{ github.ref_name }}

28
.github/workflows/reusable-release.yaml vendored
View File

@@ -14,6 +14,7 @@ on:
env:
GH_USER: "aqua-bot"
GO_VERSION: '1.22'
jobs:
release:
@@ -27,52 +28,51 @@ jobs:
contents: read # Not required for public repositories, but for clarity
steps:
- name: Cosign install
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
uses: docker/setup-buildx-action@v3
- name: Show available Docker Buildx platforms
run: echo ${{ steps.buildx.outputs.platforms }}
- name: Login to docker.io registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ env.GH_USER }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to ECR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
uses: docker/login-action@v3
with:
registry: public.ecr.aws
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
check-latest: true # Ensure we use the latest Go patch version
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
uses: CycloneDX/gh-gomod-generate-sbom@v2
with:
args: mod -licenses -json -output bom.json
version: ^v1
@@ -89,7 +89,7 @@ jobs:
mkdir tmp
- name: GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
uses: goreleaser/goreleaser-action@v6
with:
version: v2.1.0
args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
@@ -108,7 +108,7 @@ jobs:
# because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
- name: Build and push
if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
uses: docker/build-push-action@v6
with:
platforms: linux/amd64, linux/arm64
file: ./Dockerfile.canary # path to Dockerfile
@@ -120,7 +120,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache@v4.0.2
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.

16
.github/workflows/roadmap.yaml vendored
View File

@@ -11,14 +11,14 @@ jobs:
runs-on: ubuntu-latest
steps:
# 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/backlog
label-operator: AND
id: add-backlog-issue
- uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-backlog-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -28,14 +28,14 @@ jobs:
field-values: Backlog
# 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/important-longterm
label-operator: AND
id: add-longterm-issue
- uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-longterm-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -45,14 +45,14 @@ jobs:
field-values: Important (long-term)
# 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/important-soon
label-operator: AND
id: add-soon-issue
- uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-soon-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
@@ -62,14 +62,14 @@ jobs:
field-values: Important (soon)
# 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
- uses: actions/add-to-project@v1.0.2 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
labeled: kind/feature, priority/critical-urgent
label-operator: AND
id: add-urgent-issue
- uses: titoportas/update-project-fields@421a54430b3cdc9eefd8f14f9ce0142ab7678751 # v0.1.0
- uses: titoportas/update-project-fields@v0.1.0 # change Priority(column) of added issue
if: ${{ steps.add-urgent-issue.outputs.itemId }}
with:
project-url: https://github.com/orgs/aquasecurity/projects/25

4
.github/workflows/scan.yaml vendored
View File

@@ -10,10 +10,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Run Trivy vulnerability scanner and create GitHub issues
uses: knqyf263/trivy-issue-action@4466f52d1401b66dd2a2ab9e0c40cddc021829ec # v0.0.6
uses: knqyf263/trivy-issue-action@v0.0.6
with:
assignee: knqyf263
severity: CRITICAL

88
.github/workflows/semantic-pr.yaml vendored
View File

@@ -1,23 +1,22 @@
name: "Validate PR Title"
name: "Lint PR title"
on:
pull_request:
pull_request_target:
types:
- opened
- edited
- synchronize
jobs:
validate:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- name: Validate PR title
shell: bash
- uses: amannn/action-semantic-pull-request@v5
env:
PR_TITLE: ${{ github.event.pull_request.title }}
# Valid types
VALID_TYPES: |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: |
feat
fix
docs
@@ -30,15 +29,13 @@ jobs:
chore
revert
release
# Valid scopes categorized by area
VALID_SCOPES: |
# Scanners
scopes: |
vuln
misconf
secret
license
# Targets
image
fs
repo
@@ -49,7 +46,6 @@ jobs:
vm
plugin
# OS
alpine
wolfi
chainguard
@@ -63,14 +59,9 @@ jobs:
amazon
suse
photon
echo
distroless
windows
minimos
rootio
seal
# Languages
ruby
php
python
@@ -80,7 +71,7 @@ jobs:
java
go
c
c++
c\+\+
elixir
dart
swift
@@ -88,80 +79,29 @@ jobs:
conda
julia
# Package types
os
lang
# IaC
kubernetes
dockerfile
terraform
cloudformation
# Container
docker
podman
containerd
oci
# SBOM
sbom
spdx
cyclonedx
# Misc
cli
flag
cyclonedx
spdx
purl
vex
helm
report
db
parser
deps
run: |
set -euo pipefail
# Convert env vars to regex alternatives, excluding comments and empty lines
TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
# Basic format check (should match: type(scope): description or type: description)
FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
echo "Error: Invalid PR title format"
echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
echo "Examples:"
echo " feat(vuln): add new vulnerability detection"
echo " fix: correct parsing logic"
echo " docs(kubernetes): update installation guide"
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
# Extract type and scope for validation
TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
# Validate type
if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
echo "Error: Invalid type '${TYPE}'"
echo -e "\nValid types:"
echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
# Validate scope if present
if [ -n "$SCOPE" ]; then
if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
echo "Error: Invalid scope '${SCOPE}'"
echo -e "\nValid scopes:"
echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
echo -e "\nCurrent title: $PR_TITLE"
exit 1
fi
fi
echo "PR title validation passed ✅"
echo "Current title: $PR_TITLE"

41
.github/workflows/spdx-cron.yaml vendored
View File

@@ -1,41 +0,0 @@
name: SPDX licenses cron
on:
schedule:
- cron: '0 0 * * 0' # every Sunday at 00:00
workflow_dispatch:
jobs:
build:
name: Check if SPDX exceptions
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Check if SPDX license IDs and exceptions are up-to-date
id: exceptions_check
run: |
mage spdx:updateLicenseEntries
if [ -n "$(git status --porcelain)" ]; then
echo "Run 'mage spdx:updateLicenseEntries' and push it"
echo "send_notify=true" >> $GITHUB_OUTPUT
fi
- name: Microsoft Teams Notification
uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88 # main
if: steps.exceptions_check.outputs.send_notify == 'true'
with:
webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
needs: ${{ toJson(needs) }}
job: ${{ toJson(job) }}
steps: ${{ toJson(steps) }}

2
.github/workflows/stale-issues.yaml vendored
View File

@@ -7,7 +7,7 @@ jobs:
timeout-minutes: 1
runs-on: ubuntu-latest
steps:
- uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'

4
.github/workflows/test-docs.yaml vendored
View File

@@ -10,11 +10,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install dependencies

141
.github/workflows/test.yaml vendored
View File

@@ -7,10 +7,11 @@ on:
- 'mkdocs.yml'
- 'LICENSE'
- '.release-please-manifest.json' ## don't run tests for release-please PRs
- 'helm/trivy/Chart.yaml'
merge_group:
workflow_dispatch:
env:
GO_VERSION: '1.22'
jobs:
test:
name: Test
@@ -19,14 +20,13 @@ jobs:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: go mod tidy
run: |
@@ -39,13 +39,10 @@ jobs:
- name: Lint
id: lint
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
uses: golangci/golangci-lint-action@v6.0.1
with:
version: v2.4
args: --verbose
skip-save-cache: true # Restore cache from main branch but don't save new cache
env:
GOEXPERIMENT: jsonv2
version: v1.59
args: --verbose --out-format=line-number
if: matrix.operating-system == 'ubuntu-latest'
- name: Check if linter failed
@@ -55,7 +52,10 @@ jobs:
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
- name: Check if CLI references are up-to-date
run: |
@@ -74,31 +74,33 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run integration tests
run: mage test:integration
@@ -108,17 +110,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Run k8s integration tests
run: mage test:k8s
@@ -128,31 +131,33 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-
- name: Run module integration tests
shell: bash
@@ -164,56 +169,38 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Generate image list digest
id: image-digest
run: |
source integration/testimages.ini
IMAGE_LIST=$(skopeo list-tags docker://$TEST_VM_IMAGES)
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags |= sort' | sha256sum | cut -d' ' -f1)
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test VM images from cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-
- name: Run vm integration tests
run: |
mage test:vm
e2e-test:
name: E2E Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Run E2E tests
run: mage test:e2e
build-test:
name: Build Test
runs-on: ${{ matrix.operating-system }}
@@ -223,26 +210,14 @@ jobs:
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
# The go-build (GOCACHE env) directory requires a large amount of free disk space.
- name: Free up disk space
if: matrix.operating-system == 'ubuntu-latest'
run: |
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo docker image prune --all --force
df -h
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
uses: actions/setup-go@v5
with:
go-version-file: go.mod
go-version: ${{ env.GO_VERSION }}
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Determine GoReleaser ID
id: goreleaser_id
@@ -257,7 +232,7 @@ jobs:
fi
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
uses: goreleaser/goreleaser-action@v6
with:
version: v2.1.0
args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

2
.github/workflows/triage.yaml vendored
View File

@@ -10,7 +10,7 @@ jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/checkout@v4
- uses: ./.github/actions/trivy-triage
with:
discussion_num: ${{ github.event.inputs.discussion_num }}

1
.gitignore vendored
View File

@@ -26,7 +26,6 @@ thumbs.db
coverage.txt
integration/testdata/fixtures/images
integration/testdata/fixtures/vm-images
internal/gittest/testdata/test-repo
# SBOMs generated during CI
/bom.json

323
.golangci.yaml
View File

@@ -1,221 +1,142 @@
issues:
max-issues-per-linter: 0
max-same-issues: 0
linters-settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
dupl:
threshold: 100
errcheck:
check-type-assertions: true
check-blank: true
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
goconst:
min-len: 3
min-occurrences: 3
gocritic:
disabled-checks:
- appendAssign
- unnamedResult
- whyNoLint
- indexAlloc
- octalLiteral
- hugeParam
- rangeValCopy
- regexpSimplify
- sloppyReassign
- commentedOutCode
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${configDir}/misc/lint/rules.go'
gocyclo:
min-complexity: 20
gofmt:
simplify: false
rewrite-rules:
- pattern: 'interface{}'
replacement: 'any'
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
gosec:
excludes:
- G101
- G114
- G204
- G304
- G402
govet:
check-shadowing: false
misspell:
locale: US
ignore-words:
- behaviour
- licence
- optimise
- simmilar
revive:
ignore-generated-header: true
testifylint:
enable-all: true
linters:
settings:
depguard:
rules:
main:
list-mode: lax
deny:
# Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
- pkg: "golang.org/x/exp/slices"
desc: "Use 'slices' instead"
- pkg: "golang.org/x/exp/maps"
desc: "Use 'maps' or 'github.com/samber/lo' instead"
- pkg: "io/ioutil"
desc: "io/ioutil is deprecated. Use 'io' or 'os' instead"
dupl:
threshold: 100
errcheck:
check-type-assertions: true
check-blank: true
goconst:
min-len: 3
min-occurrences: 3
gocritic:
disabled-checks:
- appendAssign
- commentedOutCode
- hugeParam
- importShadow # FIXME
- indexAlloc
- rangeValCopy
- regexpSimplify
- sloppyReassign
- unnamedResult
- whyNoLint
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${base-path}/misc/lint/rules.go'
gocyclo:
min-complexity: 20
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/liamg/memoryfs:
recommendations:
- github.com/aquasecurity/trivy/pkg/mapfs
gosec:
excludes:
- G101
- G114
- G115
- G204
- G304
- G402
govet:
disable:
- shadow
misspell:
locale: US
ignore-rules:
- behaviour
- licence
- optimise
- simmilar
perfsprint:
# Optimizes even if it requires an int or uint type cast.
int-conversion: true
# Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
err-error: true
# Optimizes `fmt.Errorf`.
errorf: true
# Optimizes `fmt.Sprintf` with only one argument.
sprintf1: false
# Optimizes into strings concatenation.
strconcat: false
revive:
max-open-files: 2048
# https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
rules:
- name: bool-literal-in-expr
- name: context-as-argument
arguments:
- allowTypesBefore: "*testing.T"
- name: duplicated-imports
- name: early-return
arguments:
- preserve-scope
- name: if-return
- name: increment-decrement
- name: indent-error-flow
arguments:
- preserve-scope
- name: range
- name: range-val-address
- name: superfluous-else
arguments:
- preserve-scope
- name: time-equal
- name: unnecessary-stmt
- name: unused-parameter
- name: use-any
staticcheck:
checks:
- all
- -QF1008 # Omit embedded fields from selector expression
- -S1007 # Simplify regular expression by using raw string literal
- -S1011 # Use a single append to concatenate two slices
- -S1023 # Omit redundant control flow
- -SA1019 # Using a deprecated function, variable, constant or field
- -SA1024 # A string cutset contains duplicate characters
- -SA4004 # The loop exits unconditionally after one iteration
- -SA4023 # Impossible comparison of interface value with untyped nil
- -SA4032 # Comparing runtime.GOOS or runtime.GOARCH against impossible value
- -SA5011 # Possible nil pointer dereference
- -ST1003 # Poorly chosen identifier
- -ST1012 # Poorly chosen name for error variable
testifylint:
enable-all: true
default: none
disable-all: true
enable:
- bodyclose
- depguard
- gci
- goconst
- gocritic
- gocyclo
- gofmt
- gomodguard
- gosec
- govet
- ineffassign
- misspell
- perfsprint
- revive
- staticcheck
- tenv
- testifylint
- typecheck
- unconvert
- unused
- usestdlibvars
- usetesting
exclusions:
generated: lax
paths:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
rules:
- path: ".*_test.go$"
linters:
- goconst
- gosec
- unused
- path: ".*_test.go$"
linters:
- govet
text: "copylocks:"
- path: ".*_test.go$"
linters:
- gocritic
text: "commentFormatting:"
- path: ".*_test.go$"
linters:
- gocritic
text: "exitAfterDefer:"
- path: ".*_test.go$"
linters:
- gocritic
text: "importShadow:"
- linters:
- goconst
text: "string `each` has 3 occurrences, make it a constant" # FIXME
presets:
- comments
- common-false-positives
- legacy
- std-error-handling
warn-unused: true
run:
go: '1.25'
go: '1.22'
timeout: 30m
formatters:
enable:
- gci
- gofmt
exclusions:
generated: lax
settings:
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
gofmt:
simplify: false
version: "2"
issues:
exclude-files:
- "mock_*.go$"
- "examples/*"
exclude-dirs:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
exclude-rules:
- path: ".*_test.go$"
linters:
- goconst
- gosec
- unused
- path: ".*_test.go$"
linters:
- govet
text: "copylocks:"
- path: ".*_test.go$"
linters:
- gocritic
text: "commentFormatting:"
- path: ".*_test.go$"
linters:
- gocritic
text: "exitAfterDefer:"
- path: ".*_test.go$"
linters:
- gocritic
text: "importShadow:"
exclude-use-default: false
max-same-issues: 0

2
.release-please-manifest.json
View File

@@ -1 +1 @@
{".":"0.68.2"}
{".":"0.56.1"}

59
.vex/trivy.openvex.json
View File

@@ -540,65 +540,6 @@
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3321",
"name": "GO-2024-3321",
"description": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto",
"aliases": [
"CVE-2024-45337",
"GHSA-v778-237x-gjrc"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/crypto",
"identifiers": {
"purl": "pkg:golang/golang.org/x/crypto"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2024-3333",
"name": "GO-2024-3333",
"description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
"aliases": [
"CVE-2024-45338"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/golang.org/x/net",
"identifiers": {
"purl": "pkg:golang/golang.org/x/net"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}
]
}

509
CHANGELOG.md
View File

@@ -1,516 +1,11 @@
# Changelog
## [0.68.2](https://github.com/aquasecurity/trivy/compare/v0.68.1...v0.68.2) (2025-12-16)
## [0.56.1](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.56.1) (2024-10-03)
### Bug Fixes
* **deps:** bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] ([#9949](https://github.com/aquasecurity/trivy/issues/9949)) ([db28945](https://github.com/aquasecurity/trivy/commit/db2894561daa20301eb144cad467d75d8a3d2647))
## [0.68.1](https://github.com/aquasecurity/trivy/compare/v0.68.0...v0.68.1) (2025-12-03)
### Bug Fixes
* update cosing settings for GoReleaser after bumping cosing to v3 ([#9863](https://github.com/aquasecurity/trivy/issues/9863)) ([c7accc8](https://github.com/aquasecurity/trivy/commit/c7accc85c66c27ec5c51b33acda97f4002cad584))
## [0.68.0](https://github.com/aquasecurity/trivy/compare/v0.67.0...v0.68.0) (2025-12-02)
### Features
* add ArtifactID field to uniquely identify scan targets ([#9663](https://github.com/aquasecurity/trivy/issues/9663)) ([84a7d9a](https://github.com/aquasecurity/trivy/commit/84a7d9a5d6880ef4248ead6bcf2e580deed9107b))
* add ReportID field to scan reports ([#9670](https://github.com/aquasecurity/trivy/issues/9670)) ([fc976be](https://github.com/aquasecurity/trivy/commit/fc976bea480599e52365d306ad8d6031718d4303))
* allow ignoring findings by type in Rego ([#9578](https://github.com/aquasecurity/trivy/issues/9578)) ([c638fc6](https://github.com/aquasecurity/trivy/commit/c638fc646c3c0d56ea50c830a31609badb477c5e))
* **aws:** Add support for dualstack ECR endpoints ([#9862](https://github.com/aquasecurity/trivy/issues/9862)) ([e74e2b1](https://github.com/aquasecurity/trivy/commit/e74e2b1b0a8ca124b1299969abc9196789f30e8b))
* **cli:** Add trivy cloud suppport ([#9637](https://github.com/aquasecurity/trivy/issues/9637)) ([8e6a7ff](https://github.com/aquasecurity/trivy/commit/8e6a7ff670c64106d4dea6972ac3f6228f9c6269))
* **db:** enable concurrent access to vulnerability database ([#9750](https://github.com/aquasecurity/trivy/issues/9750)) ([d70d994](https://github.com/aquasecurity/trivy/commit/d70d994d8882a6e7a8b0c9a9b08524a2cae32ea4))
* **dotnet:** add dependency graph support for .deps.json files ([#9726](https://github.com/aquasecurity/trivy/issues/9726)) ([18c0ee8](https://github.com/aquasecurity/trivy/commit/18c0ee86f318c7d2b1dab979370f62dd00b73979))
* **flag:** add `--cacert` flag ([#9781](https://github.com/aquasecurity/trivy/issues/9781)) ([6048173](https://github.com/aquasecurity/trivy/commit/604817326683cdf5628550540aef63b97affc3b0))
* **fs:** change artifact type to repository when git info is detected ([#9613](https://github.com/aquasecurity/trivy/issues/9613)) ([cff91ac](https://github.com/aquasecurity/trivy/commit/cff91acdef91fbce22306a72000c43a26ac8d79b))
* **image:** add RepoTags support for Docker archives ([#9690](https://github.com/aquasecurity/trivy/issues/9690)) ([a9a3031](https://github.com/aquasecurity/trivy/commit/a9a3031675150e70a32df8d55b4aec2c4a33084b))
* **image:** add Sigstore bundle SBOM support ([#9516](https://github.com/aquasecurity/trivy/issues/9516)) ([e1f3f28](https://github.com/aquasecurity/trivy/commit/e1f3f28ae4b86dd7f518a261080dc8d24ac2cdad))
* **image:** pass global context to docker/podman image save func ([#9733](https://github.com/aquasecurity/trivy/issues/9733)) ([2690ac9](https://github.com/aquasecurity/trivy/commit/2690ac99341dcdf06eb16316d3ca20e6070969b3))
* include registry and repository in artifact ID calculation ([#9689](https://github.com/aquasecurity/trivy/issues/9689)) ([758f271](https://github.com/aquasecurity/trivy/commit/758f2710403d5f0e9b3e138a604f95cbcab6f275))
* **java:** add support remote repositories from settings.xml files ([#9708](https://github.com/aquasecurity/trivy/issues/9708)) ([eff52eb](https://github.com/aquasecurity/trivy/commit/eff52eb2e60a700d831cbc3d260217162b38e45c))
* **license:** use separate SPDX ids to ignore SPDX expressions ([#9087](https://github.com/aquasecurity/trivy/issues/9087)) ([012f3d7](https://github.com/aquasecurity/trivy/commit/012f3d75359e019df1eb2602460146d43cb59715))
* **misconf:** add agentpools to azure container schema ([#9714](https://github.com/aquasecurity/trivy/issues/9714)) ([69f400c](https://github.com/aquasecurity/trivy/commit/69f400c1839cc16013f2af3d1942c86f496e7017))
* **misconf:** Add RoleAssignments attribute ([#9396](https://github.com/aquasecurity/trivy/issues/9396)) ([3fb8703](https://github.com/aquasecurity/trivy/commit/3fb8703f8cd659a36d6a9affe0d2e20cd752a1e4))
* **misconf:** Add support for configurable Rego error limit ([#9657](https://github.com/aquasecurity/trivy/issues/9657)) ([445cd2b](https://github.com/aquasecurity/trivy/commit/445cd2b6b4faf78349245bc6541176e2fbf88715))
* **misconf:** include map key in manifest snippet for diagnostics ([#9681](https://github.com/aquasecurity/trivy/issues/9681)) ([197c9e1](https://github.com/aquasecurity/trivy/commit/197c9e1dce450737fc705184eed4c24fcfc1ecc1))
* **misconf:** support https_traffic_only_enabled in Az storage account ([#9784](https://github.com/aquasecurity/trivy/issues/9784)) ([c8d5ab7](https://github.com/aquasecurity/trivy/commit/c8d5ab7690b63a0af14d648eacabc62b868fdfe9))
* **misconf:** Update AppService schema ([#9792](https://github.com/aquasecurity/trivy/issues/9792)) ([c6d95d7](https://github.com/aquasecurity/trivy/commit/c6d95d7cd271c3d29ce147f1ad5983cafc1caf48))
* **misconf:** Update Azure Compute schema ([#9675](https://github.com/aquasecurity/trivy/issues/9675)) ([cb58bf6](https://github.com/aquasecurity/trivy/commit/cb58bf639eaea0a94584b4afbefe19d0010eef38))
* **misconf:** Update Azure Container Schema ([#9673](https://github.com/aquasecurity/trivy/issues/9673)) ([43a7546](https://github.com/aquasecurity/trivy/commit/43a7546d31f2cc8dd5f8d68f82822aff1bddc4d2))
* **misconf:** Update Azure network schema for new checks ([#9791](https://github.com/aquasecurity/trivy/issues/9791)) ([ea2dc58](https://github.com/aquasecurity/trivy/commit/ea2dc586b83fec6eac1b5de04fd9e5a06db4e16a))
* **misconf:** Update azure storage schema ([#9728](https://github.com/aquasecurity/trivy/issues/9728)) ([c3bfecf](https://github.com/aquasecurity/trivy/commit/c3bfecf3ef236f333ebf1ace7fa2f739fdcbdcca))
* **misconf:** Update SecurityCenter schema ([#9674](https://github.com/aquasecurity/trivy/issues/9674)) ([58819c5](https://github.com/aquasecurity/trivy/commit/58819c5285520b55bc6a5ed30aab82826aee3065))
* **report:** add fingerprint generation for vulnerabilities ([#9794](https://github.com/aquasecurity/trivy/issues/9794)) ([cbad9ca](https://github.com/aquasecurity/trivy/commit/cbad9ca3a888cb3fb6b8649e683efe4f7047a8ed))
* **report:** add image reference to report metadata ([#9729](https://github.com/aquasecurity/trivy/issues/9729)) ([d020f26](https://github.com/aquasecurity/trivy/commit/d020f2690e58c328f96e3083ce57fe2b71f308f3))
* **report:** switch ReportID from UUIDv4 to UUIDv7 ([#9749](https://github.com/aquasecurity/trivy/issues/9749)) ([6fb3fde](https://github.com/aquasecurity/trivy/commit/6fb3fde916f991ccca8f23e18ab4d46e0780e50d))
* **sbom:** add support for SPDX attestations ([#9829](https://github.com/aquasecurity/trivy/issues/9829)) ([d8eaaeb](https://github.com/aquasecurity/trivy/commit/d8eaaeb611151f1da3583ec50100a7be09ce9bc5))
* **sbom:** use SPDX license IDs list to validate SPDX IDs ([#9569](https://github.com/aquasecurity/trivy/issues/9569)) ([35db88c](https://github.com/aquasecurity/trivy/commit/35db88c81cc5cdb8ab25362aea455c586d2e1d32))
* **suse:** Add new openSUSE, Micro and SLES releases end of life dates ([#9788](https://github.com/aquasecurity/trivy/issues/9788)) ([019af7f](https://github.com/aquasecurity/trivy/commit/019af7fefdc1da55610446ca07f13b2ea84348b5))
### Bug Fixes
* add `buildInfo` for `BlobInfo` in `rpc` package ([#9608](https://github.com/aquasecurity/trivy/issues/9608)) ([6def66e](https://github.com/aquasecurity/trivy/commit/6def66e002427eadcc6dbabe56b01c37c1eae075))
* close all opened resources if an error occurs ([#9665](https://github.com/aquasecurity/trivy/issues/9665)) ([fa6f779](https://github.com/aquasecurity/trivy/commit/fa6f77902234f5bee70287a841e8cfa42ca4a505))
* **flag:** remove viper.SetDefault to fix IsSet() for config-only flags ([#9732](https://github.com/aquasecurity/trivy/issues/9732)) ([bf43629](https://github.com/aquasecurity/trivy/commit/bf43629d320426b18e7177b4b6f05affb6f93374))
* **java:** update order for resolving package fields from multiple demManagement ([#9575](https://github.com/aquasecurity/trivy/issues/9575)) ([e286c5e](https://github.com/aquasecurity/trivy/commit/e286c5e207b6d8a1ef01f3f634f874e2e3d4c0f0))
* **java:** use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files ([#9751](https://github.com/aquasecurity/trivy/issues/9751)) ([d87d9b9](https://github.com/aquasecurity/trivy/commit/d87d9b97d1a61d05a9b1742caaa7e0125c481e2c))
* **license:** don't normalize `unlicensed` licenses into `unlicense` ([#9611](https://github.com/aquasecurity/trivy/issues/9611)) ([09162e5](https://github.com/aquasecurity/trivy/commit/09162e52ecf2a3e7a65dcf4ab2c2ea43ee6f5437))
* **license:** handle SPDX WITH exceptions as single license in category detection ([#9380](https://github.com/aquasecurity/trivy/issues/9380)) ([212f078](https://github.com/aquasecurity/trivy/commit/212f0781c552cd0395791a4a0276e1e39579f491))
* **misconf:** ensure boolean metadata values are correctly interpreted ([#9770](https://github.com/aquasecurity/trivy/issues/9770)) ([a6ceff7](https://github.com/aquasecurity/trivy/commit/a6ceff7e83121e2c9e618dcb0584aa62e7077bbf))
* **misconf:** ensure value used as ignore marker is non-null and known ([#9835](https://github.com/aquasecurity/trivy/issues/9835)) ([7aca801](https://github.com/aquasecurity/trivy/commit/7aca80151c2073999aa43213ae03a86b3d13a54c))
* **misconf:** handle unsupported experimental flags in Dockerfile ([#9769](https://github.com/aquasecurity/trivy/issues/9769)) ([08d51a8](https://github.com/aquasecurity/trivy/commit/08d51a8e08c1c7f159ca491810d0d08dc787f93e))
* **misconf:** map healthcheck start period flag to --start-period instead of --startPeriod ([#9837](https://github.com/aquasecurity/trivy/issues/9837)) ([7b2b4d4](https://github.com/aquasecurity/trivy/commit/7b2b4d4b459358ed0f561aa30639282211c80cc1))
* **nodejs:** fix npmjs parser.pkgNameFromPath() panic issue ([#9688](https://github.com/aquasecurity/trivy/issues/9688)) ([231492d](https://github.com/aquasecurity/trivy/commit/231492db52ce69c8d9186b039b038bf0153f8dfa))
* **nodejs:** use the default ID format to match licenses in pnpm packages. ([#9661](https://github.com/aquasecurity/trivy/issues/9661)) ([804ea4a](https://github.com/aquasecurity/trivy/commit/804ea4aa575e486fd888f59c9ceb495857b57f8c))
* **os:** Add photon 5.0 in supported OS ([#9724](https://github.com/aquasecurity/trivy/issues/9724)) ([29f0347](https://github.com/aquasecurity/trivy/commit/29f034796590bc6b7a17fa4fee8b43c822a77c13))
* **report:** correct field order in SARIF license results ([#9712](https://github.com/aquasecurity/trivy/issues/9712)) ([d20216e](https://github.com/aquasecurity/trivy/commit/d20216edf6fdbd0281173b25b796880bc6b2b210))
* restore compatibility for google.protobuf.Value ([#9559](https://github.com/aquasecurity/trivy/issues/9559)) ([aeeb2a1](https://github.com/aquasecurity/trivy/commit/aeeb2a1f842b56147996b600bd34db2cf05cd28e))
* **sbom:** add `buildInfo` info as properties ([#9683](https://github.com/aquasecurity/trivy/issues/9683)) ([2c43425](https://github.com/aquasecurity/trivy/commit/2c43425e051d80d45169a2c675dba79caa91b1e7))
* **sbom:** dont panic on SBOM format if scanned CycloneDX file has empty metadata ([#9562](https://github.com/aquasecurity/trivy/issues/9562)) ([fb0593b](https://github.com/aquasecurity/trivy/commit/fb0593bee68a24b7ecddeb737e1d8e3c3a3c0364))
* Trim the end-of-range suffix ([#9618](https://github.com/aquasecurity/trivy/issues/9618)) ([e18b038](https://github.com/aquasecurity/trivy/commit/e18b038ee2dce6c239246592fcef769853c11660))
* update all documentation links ([#9777](https://github.com/aquasecurity/trivy/issues/9777)) ([738b2b4](https://github.com/aquasecurity/trivy/commit/738b2b474a8ca94386a558c66442d8632acdce3c))
* Use `fetch-level: 1` to check out trivy-repo in the release workflow ([#9636](https://github.com/aquasecurity/trivy/issues/9636)) ([6e53686](https://github.com/aquasecurity/trivy/commit/6e53686526ef21e8a347fc07daa2f628e24eb9e5))
* use context for analyzers ([#9538](https://github.com/aquasecurity/trivy/issues/9538)) ([b885d3a](https://github.com/aquasecurity/trivy/commit/b885d3a3693a62bd2f506aeb238025242735ef1d))
* using SrcVersion instead of Version for echo detector ([#9552](https://github.com/aquasecurity/trivy/issues/9552)) ([66479f0](https://github.com/aquasecurity/trivy/commit/66479f050dc1f0faa314c5a4b9159f38bb1f146b))
* validate backport branch name ([#9548](https://github.com/aquasecurity/trivy/issues/9548)) ([f0fd432](https://github.com/aquasecurity/trivy/commit/f0fd432a7aeced7cca1acab5a52d72cd960e7171))
* **vex:** don't use reused BOM ([#9604](https://github.com/aquasecurity/trivy/issues/9604)) ([7422cc7](https://github.com/aquasecurity/trivy/commit/7422cc7168ab917ec96b75de784be72e9b6bdb2e))
* **vex:** use a separate `visited` set for each DFS path ([#9760](https://github.com/aquasecurity/trivy/issues/9760)) ([c274f5b](https://github.com/aquasecurity/trivy/commit/c274f5b986afb82a805f1f6d3a79d44231a7edf6))
## [0.67.0](https://github.com/aquasecurity/trivy/compare/v0.66.0...v0.67.0) (2025-09-30)
### Features
* add documentation URL for database lock errors ([#9531](https://github.com/aquasecurity/trivy/issues/9531)) ([eba48af](https://github.com/aquasecurity/trivy/commit/eba48afd583391cef346e45a176aa5a6d77b704f))
* **cli:** change --list-all-pkgs default to true ([#9510](https://github.com/aquasecurity/trivy/issues/9510)) ([7b663d8](https://github.com/aquasecurity/trivy/commit/7b663d86ca65ee3eb332c857b77bfa18e6da56c4))
* **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](https://github.com/aquasecurity/trivy/issues/9515)) ([42b3bf3](https://github.com/aquasecurity/trivy/commit/42b3bf37bb7d39139911843297c8b8ab3551c31a))
* **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](https://github.com/aquasecurity/trivy/issues/9439)) ([aff03eb](https://github.com/aquasecurity/trivy/commit/aff03ebab2e7874dd997e20b4ec9962a41eae7bb))
* **redhat:** add os-release detection for RHEL-based images ([#9458](https://github.com/aquasecurity/trivy/issues/9458)) ([cb25a07](https://github.com/aquasecurity/trivy/commit/cb25a074501c5cf48050fdf6a0ae7c85c4f385ea))
* **sbom:** added support for CoreOS ([#9448](https://github.com/aquasecurity/trivy/issues/9448)) ([6d562a3](https://github.com/aquasecurity/trivy/commit/6d562a3b48926b6efd508e067e1059564173b270))
* **seal:** add seal support ([#9370](https://github.com/aquasecurity/trivy/issues/9370)) ([e4af279](https://github.com/aquasecurity/trivy/commit/e4af279b29ed5b77ed1d62e31b232b1f9b92ef4f))
### Bug Fixes
* **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](https://github.com/aquasecurity/trivy/issues/9436)) ([fa6f1bf](https://github.com/aquasecurity/trivy/commit/fa6f1bfecfb68c29ad4684a6fb5d86948c7d6887))
* close file descriptors and pipes on error paths ([#9536](https://github.com/aquasecurity/trivy/issues/9536)) ([a4cbd6a](https://github.com/aquasecurity/trivy/commit/a4cbd6a1380b7b4dc650a312ec4e5bc47501f674))
* **db:** Dowload database when missing but metadata still exists ([#9393](https://github.com/aquasecurity/trivy/issues/9393)) ([92ebc7e](https://github.com/aquasecurity/trivy/commit/92ebc7e4d72424c17d93c54e5f24891710c85a60))
* **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](https://github.com/aquasecurity/trivy/issues/9534)) ([c0c7a6b](https://github.com/aquasecurity/trivy/commit/c0c7a6bf1b92c868ed44172b3cd15c51667b8a6e))
* **misconf:** handle tofu files in module detection ([#9486](https://github.com/aquasecurity/trivy/issues/9486)) ([bfd2f6b](https://github.com/aquasecurity/trivy/commit/bfd2f6ba697c223d60a7378283293d8e1fc8a8fe))
* **misconf:** strip build metadata suffixes from image history ([#9498](https://github.com/aquasecurity/trivy/issues/9498)) ([c938806](https://github.com/aquasecurity/trivy/commit/c9388069a4325a9f8bc53bc8a82ff46d84d06847))
* **misconf:** unmark cty values before access ([#9495](https://github.com/aquasecurity/trivy/issues/9495)) ([8e40d27](https://github.com/aquasecurity/trivy/commit/8e40d27a43ecb96795a8a7d4a2444241fc7fce9a))
* **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](https://github.com/aquasecurity/trivy/issues/9497)) ([267a970](https://github.com/aquasecurity/trivy/commit/267a9700fa233abe1a04eada8f3ea513f3ebacb3))
* **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](https://github.com/aquasecurity/trivy/issues/9518)) ([404abb3](https://github.com/aquasecurity/trivy/commit/404abb3d91cb3b1c1ee027169de5a40e32ba8b8a))
* **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](https://github.com/aquasecurity/trivy/issues/9330)) ([4517e8c](https://github.com/aquasecurity/trivy/commit/4517e8c0ef5e942b8e2e498729257374634ffbf8))
* **vex:** don't suppress vulns for packages with infinity loop ([#9465](https://github.com/aquasecurity/trivy/issues/9465)) ([78f0d4a](https://github.com/aquasecurity/trivy/commit/78f0d4ae0378f81940a5faa6497e6905cb5d034a))
* **vuln:** compare `nuget` package names in lower case ([#9456](https://github.com/aquasecurity/trivy/issues/9456)) ([1ff9ac7](https://github.com/aquasecurity/trivy/commit/1ff9ac79488e0d4deab4226f1a969676a9851cdb))
## [0.66.0](https://github.com/aquasecurity/trivy/compare/v0.65.0...v0.66.0) (2025-09-02)
### Features
* add timeout handling for cache database operations ([#9307](https://github.com/aquasecurity/trivy/issues/9307)) ([235c24e](https://github.com/aquasecurity/trivy/commit/235c24e71a546b6196f7264fced2d02d836e3f85))
* **misconf:** added audit config attribute ([#9249](https://github.com/aquasecurity/trivy/issues/9249)) ([4d4a244](https://github.com/aquasecurity/trivy/commit/4d4a2444b692512aca137dcbd367ff224fe25597))
* **secret:** implement streaming secret scanner with byte offset tracking ([#9264](https://github.com/aquasecurity/trivy/issues/9264)) ([5a5e097](https://github.com/aquasecurity/trivy/commit/5a5e0972c72e629ddf2915ef066d632d58b8d3b0))
* **terraform:** use .terraform cache for remote modules in plan scanning ([#9277](https://github.com/aquasecurity/trivy/issues/9277)) ([298a994](https://github.com/aquasecurity/trivy/commit/298a9941f098d2701b9524a703b9f9b1b9451785))
### Bug Fixes
* **conda:** memory leak by adding closure method for `package.json` file ([#9349](https://github.com/aquasecurity/trivy/issues/9349)) ([03d039f](https://github.com/aquasecurity/trivy/commit/03d039f17d94cf668152e83d0cf9dabf3b27d3dd))
* create temp file under composite fs dir ([#9387](https://github.com/aquasecurity/trivy/issues/9387)) ([ce22f54](https://github.com/aquasecurity/trivy/commit/ce22f54a39a1abac08fa3ad540697c668792bf50))
* **cyclonedx:** handle multiple license types ([#9378](https://github.com/aquasecurity/trivy/issues/9378)) ([46ab76a](https://github.com/aquasecurity/trivy/commit/46ab76a5af828c98cf93fc988ed6a405b7b07392))
* **fs:** avoid shadowing errors in file.glob ([#9286](https://github.com/aquasecurity/trivy/issues/9286)) ([b51c789](https://github.com/aquasecurity/trivy/commit/b51c789330141d634a9b14bd10994c997862940f))
* **image:** use standardized HTTP client for ECR authentication ([#9322](https://github.com/aquasecurity/trivy/issues/9322)) ([84fbf86](https://github.com/aquasecurity/trivy/commit/84fbf8674dfc0f91d8795a50bafa6041cce83ba2))
* **misconf:** ensure ignore rules respect subdirectory chart paths ([#9324](https://github.com/aquasecurity/trivy/issues/9324)) ([d3cd101](https://github.com/aquasecurity/trivy/commit/d3cd101266eb7bf9b8ffe5899765efa7bd1abe30))
* **misconf:** ensure module source is known ([#9404](https://github.com/aquasecurity/trivy/issues/9404)) ([81d9425](https://github.com/aquasecurity/trivy/commit/81d94253c8bc816ad932f7e0c0b8907e1cd759bb))
* **misconf:** preserve original paths of remote submodules from .terraform ([#9294](https://github.com/aquasecurity/trivy/issues/9294)) ([1319d8d](https://github.com/aquasecurity/trivy/commit/1319d8dc7f4796177876af18f0e13ba1f7086348))
* **misconf:** use correct field log_bucket instead of target_bucket in gcp bucket ([#9296](https://github.com/aquasecurity/trivy/issues/9296)) ([04ad0c4](https://github.com/aquasecurity/trivy/commit/04ad0c4fc2926a92e9e9ec11bb8eae826ed95827))
* persistent flag option typo ([#9374](https://github.com/aquasecurity/trivy/issues/9374)) ([6e99dd3](https://github.com/aquasecurity/trivy/commit/6e99dd304c7fad8213489039e7ca42909383b5ff))
* **plugin:** don't remove plugins when updating index.yaml file ([#9358](https://github.com/aquasecurity/trivy/issues/9358)) ([5f067ac](https://github.com/aquasecurity/trivy/commit/5f067ac15e5c609283bef26a211746a279b6b5d0))
* **python:** impove package name normalization ([#9290](https://github.com/aquasecurity/trivy/issues/9290)) ([1473e88](https://github.com/aquasecurity/trivy/commit/1473e88b74ca269691de7827e045703612b90050))
* **repo:** preserve RepoMetadata on FS cache hit ([#9389](https://github.com/aquasecurity/trivy/issues/9389)) ([4f2a44e](https://github.com/aquasecurity/trivy/commit/4f2a44ea45bed1e842bb2072077da67ec7e744ac))
* **repo:** sanitize git repo URL before inserting into report metadata ([#9391](https://github.com/aquasecurity/trivy/issues/9391)) ([1ac9b1f](https://github.com/aquasecurity/trivy/commit/1ac9b1f07cea429cc122bf9721e8909c649549cf))
* **sbom:** add support for `file` component type of `CycloneDX` ([#9372](https://github.com/aquasecurity/trivy/issues/9372)) ([aa7cf43](https://github.com/aquasecurity/trivy/commit/aa7cf4387c5e82c1f629ac14cd6a35b48fc95983))
* suppress debug log for context cancellation errors ([#9298](https://github.com/aquasecurity/trivy/issues/9298)) ([2458d5e](https://github.com/aquasecurity/trivy/commit/2458d5e28a54da9adec0b36f6b1e6bd4f15a72ce))
## [0.65.0](https://github.com/aquasecurity/trivy/compare/v0.64.0...v0.65.0) (2025-07-30)
### Features
* add graceful shutdown with signal handling ([#9242](https://github.com/aquasecurity/trivy/issues/9242)) ([2c05882](https://github.com/aquasecurity/trivy/commit/2c05882f45071928c14d8212ef6c4f0f7048245d))
* add HTTP request/response tracing support ([#9125](https://github.com/aquasecurity/trivy/issues/9125)) ([aa5b32a](https://github.com/aquasecurity/trivy/commit/aa5b32a19f4d61d0df72c11fd314c5a0b7284202))
* **alma:** add AlmaLinux 10 support ([#9207](https://github.com/aquasecurity/trivy/issues/9207)) ([861d51e](https://github.com/aquasecurity/trivy/commit/861d51e99a45ee448f86fe195dedcaefb811c919))
* **flag:** add schema validation for `--server` flag ([#9270](https://github.com/aquasecurity/trivy/issues/9270)) ([ed4640e](https://github.com/aquasecurity/trivy/commit/ed4640ec27f2575a50d7e6d516c9e2e45a59bb7f))
* **image:** add Docker context resolution ([#9166](https://github.com/aquasecurity/trivy/issues/9166)) ([99cd4e7](https://github.com/aquasecurity/trivy/commit/99cd4e776c0c6cc689126e53fa86ee6333ba6277))
* **license:** observe pkg types option in license scanner ([#9091](https://github.com/aquasecurity/trivy/issues/9091)) ([d44af8c](https://github.com/aquasecurity/trivy/commit/d44af8cfa21a145d14ca6e5e1ed4742d892f2dc5))
* **misconf:** add private ip google access attribute to subnetwork ([#9199](https://github.com/aquasecurity/trivy/issues/9199)) ([263845c](https://github.com/aquasecurity/trivy/commit/263845cfc1419401f24adc8bc6316f3ea0caacad))
* **misconf:** added logging and versioning to the gcp storage bucket ([#9226](https://github.com/aquasecurity/trivy/issues/9226)) ([110f80e](https://github.com/aquasecurity/trivy/commit/110f80ea29951863997dd5a1c48fe14eb81e230b))
* **repo:** add git repository metadata to reports ([#9252](https://github.com/aquasecurity/trivy/issues/9252)) ([f4b2cf1](https://github.com/aquasecurity/trivy/commit/f4b2cf10e917d58c0840f789e083bd3f268a8af1))
* **report:** add CVSS vectors in sarif report ([#9157](https://github.com/aquasecurity/trivy/issues/9157)) ([60723e6](https://github.com/aquasecurity/trivy/commit/60723e6cfce82ede2863cf545a189c581246f4e9))
* **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](https://github.com/aquasecurity/trivy/issues/9126)) ([12d6706](https://github.com/aquasecurity/trivy/commit/12d6706961423acb12430c8b3d986b4aa4671d04))
### Bug Fixes
* **alma:** parse epochs from rpmqa file ([#9101](https://github.com/aquasecurity/trivy/issues/9101)) ([82db2fc](https://github.com/aquasecurity/trivy/commit/82db2fcc8034c911cc7a67f5a82d2f081d9c1fdf))
* also check `filepath` when removing duplicate packages ([#9142](https://github.com/aquasecurity/trivy/issues/9142)) ([4d10a81](https://github.com/aquasecurity/trivy/commit/4d10a815dde53f5e128366f1dd0837a1dc29c17b))
* **aws:** update amazon linux 2 EOL date ([#9176](https://github.com/aquasecurity/trivy/issues/9176)) ([0ecfed6](https://github.com/aquasecurity/trivy/commit/0ecfed6ea75cfe33e0f436a9015ac72a679e754e))
* **cli:** Add more non-sensitive flags to telemetry ([#9110](https://github.com/aquasecurity/trivy/issues/9110)) ([7041a39](https://github.com/aquasecurity/trivy/commit/7041a39bdcf21c5b3114137d9a931f529eac2566))
* **cli:** ensure correct command is picked by telemetry ([#9260](https://github.com/aquasecurity/trivy/issues/9260)) ([b4ad00f](https://github.com/aquasecurity/trivy/commit/b4ad00f301a5fd7326060a567871c6f4a9711696))
* **cli:** panic: attempt to get os.Args[1] when len(os.Args) &lt; 2 ([#9206](https://github.com/aquasecurity/trivy/issues/9206)) ([adfa879](https://github.com/aquasecurity/trivy/commit/adfa879e4e8ab88f211222a13d2b89013ae9a853))
* **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](https://github.com/aquasecurity/trivy/issues/9116)) ([a692f29](https://github.com/aquasecurity/trivy/commit/a692f296d15f7241ba5ff082e4e69926b1c728a8))
* **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](https://github.com/aquasecurity/trivy/issues/9232)) ([b4193d0](https://github.com/aquasecurity/trivy/commit/b4193d0d31a167aafdcd9d9ccd89f3f124eef7ee))
* migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](https://github.com/aquasecurity/trivy/issues/9131)) ([f224de3](https://github.com/aquasecurity/trivy/commit/f224de3e39b08672212ec0f94660c36bef77bc30))
* **misconf:** correctly adapt azure storage account ([#9138](https://github.com/aquasecurity/trivy/issues/9138)) ([51aa022](https://github.com/aquasecurity/trivy/commit/51aa0222604829706193eb2ff3a6886742bb42b4))
* **misconf:** correctly parse empty port ranges in google_compute_firewall ([#9237](https://github.com/aquasecurity/trivy/issues/9237)) ([77bab7b](https://github.com/aquasecurity/trivy/commit/77bab7b6d25c712e2db7dc53956985c2721728e9))
* **misconf:** fix log bucket in schema ([#9235](https://github.com/aquasecurity/trivy/issues/9235)) ([7ebc129](https://github.com/aquasecurity/trivy/commit/7ebc129ab726f3133d940708837b7edda2621105))
* **misconf:** skip rewriting expr if attr is nil ([#9113](https://github.com/aquasecurity/trivy/issues/9113)) ([42ccd3d](https://github.com/aquasecurity/trivy/commit/42ccd3df9a7c838a99facb8248e1a68eaf47a999))
* **nodejs:** don't use prerelease logic for compare npm constraints ([#9208](https://github.com/aquasecurity/trivy/issues/9208)) ([fe96436](https://github.com/aquasecurity/trivy/commit/fe96436b99bae3bbfc7498d2ad222d4acccdfcf1))
* prevent graceful shutdown message on normal exit ([#9244](https://github.com/aquasecurity/trivy/issues/9244)) ([6095984](https://github.com/aquasecurity/trivy/commit/6095984d5340633740204a7a40f002a5643802b9))
* **rootio:** check full version to detect `root.io` packages ([#9117](https://github.com/aquasecurity/trivy/issues/9117)) ([c2ddd44](https://github.com/aquasecurity/trivy/commit/c2ddd44d98594a2066cb5b5acbb9ad2aaad8fd96))
* **rootio:** fix severity selection ([#9181](https://github.com/aquasecurity/trivy/issues/9181)) ([6fafbeb](https://github.com/aquasecurity/trivy/commit/6fafbeb60609a020b47266743250ea847234cbbd))
* **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](https://github.com/aquasecurity/trivy/issues/9194)) ([aa944cc](https://github.com/aquasecurity/trivy/commit/aa944cc6da43e2035f74e9d842f487c0d2f993f4))
* **sbom:** use correct field for licenses in CycloneDX reports ([#9057](https://github.com/aquasecurity/trivy/issues/9057)) ([143da88](https://github.com/aquasecurity/trivy/commit/143da88dd82dfbe204f4c2afe46af3b01701675d))
* **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](https://github.com/aquasecurity/trivy/issues/9253)) ([54832a7](https://github.com/aquasecurity/trivy/commit/54832a77b50e2da3a3ceacbb6ce1b13e45605cde))
* **secret:** fix line numbers for multiple-line secrets ([#9104](https://github.com/aquasecurity/trivy/issues/9104)) ([e579746](https://github.com/aquasecurity/trivy/commit/e57974649e4a3a275b9cf02db191b3f6bf10340f))
* **server:** add HTTP transport setup to server mode ([#9217](https://github.com/aquasecurity/trivy/issues/9217)) ([1163b04](https://github.com/aquasecurity/trivy/commit/1163b044c7e91a81bba3a862cc4a38e90182f0b4))
* supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](https://github.com/aquasecurity/trivy/issues/9151)) ([e306e2d](https://github.com/aquasecurity/trivy/commit/e306e2dc5275c0e75f056c8c7ee9ff9261c78e7f))
* **terraform:** `for_each` on a map returns a resource for every key ([#9156](https://github.com/aquasecurity/trivy/issues/9156)) ([153318f](https://github.com/aquasecurity/trivy/commit/153318f65f7e5059bcc064bd2cd651cc720791a9))
## [0.64.0](https://github.com/aquasecurity/trivy/compare/v0.63.0...v0.64.0) (2025-06-30)
### Features
* **cli:** add version constraints to annoucements ([#9023](https://github.com/aquasecurity/trivy/issues/9023)) ([19efa9f](https://github.com/aquasecurity/trivy/commit/19efa9fd372242d2ec582a248e9e6573d2caef00))
* **java:** dereference all maven settings.xml env placeholders ([#9024](https://github.com/aquasecurity/trivy/issues/9024)) ([5aade69](https://github.com/aquasecurity/trivy/commit/5aade698c71450badf8db028be61e12ec85c6248))
* **misconf:** add OpenTofu file extension support ([#8747](https://github.com/aquasecurity/trivy/issues/8747)) ([57801d0](https://github.com/aquasecurity/trivy/commit/57801d0324384d990889ba39d856c881e5b8b070))
* **misconf:** normalize CreatedBy for buildah and legacy docker builder ([#8953](https://github.com/aquasecurity/trivy/issues/8953)) ([65e155f](https://github.com/aquasecurity/trivy/commit/65e155fdaf0ad02ec82f00a004427f126faf65ed))
* **redhat:** Add EOL date for RHEL 10. ([#8910](https://github.com/aquasecurity/trivy/issues/8910)) ([48258a7](https://github.com/aquasecurity/trivy/commit/48258a701a7adb210c433310de52f48568ccee19))
* reject unsupported artifact types in remote image retrieval ([#9052](https://github.com/aquasecurity/trivy/issues/9052)) ([1e1e1b5](https://github.com/aquasecurity/trivy/commit/1e1e1b5fa6a884da978fe1ed4c222d613d6eafbd))
* **sbom:** add manufacturer field to CycloneDX tools metadata ([#9019](https://github.com/aquasecurity/trivy/issues/9019)) ([41d0f94](https://github.com/aquasecurity/trivy/commit/41d0f949c874609641c08fa2620fa10bf4ceef78))
* **terraform:** add partial evaluation for policy templates ([#8967](https://github.com/aquasecurity/trivy/issues/8967)) ([a9f7dcd](https://github.com/aquasecurity/trivy/commit/a9f7dcdb9c5973746c3737f2bbc3306a74be5408))
* **ubuntu:** add end of life date for Ubuntu 25.04 ([#9077](https://github.com/aquasecurity/trivy/issues/9077)) ([367564a](https://github.com/aquasecurity/trivy/commit/367564a3bec0c202566c59598dcff087bf50a23d))
* **ubuntu:** add eol date for 20.04-ESM ([#8981](https://github.com/aquasecurity/trivy/issues/8981)) ([87118a0](https://github.com/aquasecurity/trivy/commit/87118a0ec4a6ae492523b7bac9834c2b93a14557))
* **vuln:** add Root.io support for container image scanning ([#9073](https://github.com/aquasecurity/trivy/issues/9073)) ([3a0ec0f](https://github.com/aquasecurity/trivy/commit/3a0ec0f2acff6a13ed6ab348b6b220d49e14a298))
### Bug Fixes
* Add missing version check flags ([#8951](https://github.com/aquasecurity/trivy/issues/8951)) ([ef5f8de](https://github.com/aquasecurity/trivy/commit/ef5f8de8dadf5534a2c965aecca01c7067e5baca))
* **cli:** add some values to the telemetry call ([#9056](https://github.com/aquasecurity/trivy/issues/9056)) ([fd2bc91](https://github.com/aquasecurity/trivy/commit/fd2bc91e133f846bc9f0910c19ac3be3fbfe4009))
* Correctly check for semver versions for trivy version check ([#8948](https://github.com/aquasecurity/trivy/issues/8948)) ([b813527](https://github.com/aquasecurity/trivy/commit/b813527449c4604f5afad71ae82b13399bb48680))
* don't show corrupted trivy-db warning for first run ([#8991](https://github.com/aquasecurity/trivy/issues/8991)) ([4ed78e3](https://github.com/aquasecurity/trivy/commit/4ed78e39afe57e81c12482fef9102dc3f85d1493))
* **misconf:** .Config.User always takes precedence over USER in .History ([#9050](https://github.com/aquasecurity/trivy/issues/9050)) ([371b8cc](https://github.com/aquasecurity/trivy/commit/371b8cc02f2ffa3f42534a437ce8727519e7b9b9))
* **misconf:** correct Azure value-to-time conversion in AsTimeValue ([#9015](https://github.com/aquasecurity/trivy/issues/9015)) ([40d017b](https://github.com/aquasecurity/trivy/commit/40d017b67da38131734eab90c42ad945ac3b5013))
* **misconf:** move disabled checks filtering after analyzer scan ([#9002](https://github.com/aquasecurity/trivy/issues/9002)) ([a58c36d](https://github.com/aquasecurity/trivy/commit/a58c36de124cba7250e1a5ae0cc32d83018391fe))
* **misconf:** reduce log noise on incompatible check ([#9029](https://github.com/aquasecurity/trivy/issues/9029)) ([99c5151](https://github.com/aquasecurity/trivy/commit/99c5151d6ea1dabe85cce75ff9bb91166532b11f))
* **nodejs:** correctly parse `packages` array of `bun.lock` file ([#8998](https://github.com/aquasecurity/trivy/issues/8998)) ([875ec3a](https://github.com/aquasecurity/trivy/commit/875ec3a9d2568e15a6824c8f84ad6a59f03eb212))
* **report:** don't panic when report contains vulns, but doesn't contain packages for `table` format ([#8549](https://github.com/aquasecurity/trivy/issues/8549)) ([87fda76](https://github.com/aquasecurity/trivy/commit/87fda76f38a3a6939a87828c3df0c5ac2cf7fce3))
* **sbom:** remove unnecessary OS detection check in SBOM decoding ([#9034](https://github.com/aquasecurity/trivy/issues/9034)) ([198789a](https://github.com/aquasecurity/trivy/commit/198789a07b857b053c73f8fcd1f508902fac344d))
## [0.63.0](https://github.com/aquasecurity/trivy/compare/v0.62.0...v0.63.0) (2025-05-29)
### Features
* add Bottlerocket OS package analyzer ([#8653](https://github.com/aquasecurity/trivy/issues/8653)) ([07ef63b](https://github.com/aquasecurity/trivy/commit/07ef63b4830f9f3d791a07433287a99118d7590a))
* add JSONC support for comments and trailing commas ([#8862](https://github.com/aquasecurity/trivy/issues/8862)) ([0b0e406](https://github.com/aquasecurity/trivy/commit/0b0e4061ef955efc0f94280d2d390f11ff6e2409))
* **alpine:** add maintainer field extraction for APK packages ([#8930](https://github.com/aquasecurity/trivy/issues/8930)) ([104bbc1](https://github.com/aquasecurity/trivy/commit/104bbc18ea85caec17125296dc4fe2dea9c49826))
* **cli:** Add available version checking ([#8553](https://github.com/aquasecurity/trivy/issues/8553)) ([5a0bf9e](https://github.com/aquasecurity/trivy/commit/5a0bf9ed31ad34248895e69231da602935e66785))
* **echo:** Add Echo Support ([#8833](https://github.com/aquasecurity/trivy/issues/8833)) ([c7b8cc3](https://github.com/aquasecurity/trivy/commit/c7b8cc392eb28eb63e10561cf1ff7991e5e3c548))
* **go:** support license scanning in both GOPATH and vendor ([#8843](https://github.com/aquasecurity/trivy/issues/8843)) ([26437be](https://github.com/aquasecurity/trivy/commit/26437be083960d17bee8b1b37b8a6780eff07981))
* **k8s:** get components from namespaced resources ([#8918](https://github.com/aquasecurity/trivy/issues/8918)) ([4f1ab23](https://github.com/aquasecurity/trivy/commit/4f1ab238693919772a65450de9fb9fb2f873c0d6))
* **license:** improve work text licenses with custom classification ([#8888](https://github.com/aquasecurity/trivy/issues/8888)) ([ee52230](https://github.com/aquasecurity/trivy/commit/ee522300b73a2afc72829fc2fa7ff419712fc89a))
* **license:** improve work with custom classification of licenses from config file ([#8861](https://github.com/aquasecurity/trivy/issues/8861)) ([c321fdf](https://github.com/aquasecurity/trivy/commit/c321fdfcdd58f34d076fc730e2b63fdd13e426a9))
* **license:** scan vendor directory for license for go.mod files ([#8689](https://github.com/aquasecurity/trivy/issues/8689)) ([dd6a6e5](https://github.com/aquasecurity/trivy/commit/dd6a6e50a44b7b543fd9dba634da599a76650acb))
* **license:** Support compound licenses (licenses using SPDX operators) ([#8816](https://github.com/aquasecurity/trivy/issues/8816)) ([39f9ed1](https://github.com/aquasecurity/trivy/commit/39f9ed128b2c0fb599ad9092a3cf5675106bffdc))
* **minimos:** Add support for MinimOS ([#8792](https://github.com/aquasecurity/trivy/issues/8792)) ([c2dde33](https://github.com/aquasecurity/trivy/commit/c2dde33c3f19d499258a7089d7658a9f90722acf))
* **misconf:** add misconfiguration location to junit template ([#8793](https://github.com/aquasecurity/trivy/issues/8793)) ([a516775](https://github.com/aquasecurity/trivy/commit/a516775da6fda92a55a62418a081561127a1d5ca))
* **misconf:** Add support for `Minimum Trivy Version` ([#8880](https://github.com/aquasecurity/trivy/issues/8880)) ([3b2a397](https://github.com/aquasecurity/trivy/commit/3b2a3976ac7e7785828655903b132e84ebd9d727))
* **misconf:** export raw Terraform data to Rego ([#8741](https://github.com/aquasecurity/trivy/issues/8741)) ([aaecc29](https://github.com/aquasecurity/trivy/commit/aaecc29e909db4d5dac03caa0daf223035bfb877))
* **nodejs:** add a bun.lock analyzer ([#8897](https://github.com/aquasecurity/trivy/issues/8897)) ([7ca656d](https://github.com/aquasecurity/trivy/commit/7ca656d54b99346253fc6ac6422eecaca169514e))
* **nodejs:** add bun.lock parser ([#8851](https://github.com/aquasecurity/trivy/issues/8851)) ([1dcf816](https://github.com/aquasecurity/trivy/commit/1dcf81666f1c814600702b9ab603b4070da0b940))
* terraform parser option to set current working directory ([#8909](https://github.com/aquasecurity/trivy/issues/8909)) ([8939451](https://github.com/aquasecurity/trivy/commit/893945117464bf6e090a55e3822f8299825f26d4))
### Bug Fixes
* check post-analyzers for StaticPaths ([#8904](https://github.com/aquasecurity/trivy/issues/8904)) ([93e6680](https://github.com/aquasecurity/trivy/commit/93e6680b1c6bbb590157f521c667c0f611775143))
* **cli:** disable `--skip-dir` and `--skip-files` flags for `sbom` command ([#8886](https://github.com/aquasecurity/trivy/issues/8886)) ([69a5fa1](https://github.com/aquasecurity/trivy/commit/69a5fa18ca86ff7e5206abacf98732d46c000c7a))
* **cli:** don't use allow values for `--compliance` flag ([#8881](https://github.com/aquasecurity/trivy/issues/8881)) ([35e8889](https://github.com/aquasecurity/trivy/commit/35e88890c3c201b3eb11f95376172e57bf44df4b))
* filter all files when processing files installed from package managers ([#8842](https://github.com/aquasecurity/trivy/issues/8842)) ([6ebde88](https://github.com/aquasecurity/trivy/commit/6ebde88dbcaf22f25932bad4844b3c9eaca90560))
* **java:** exclude dev dependencies in gradle lockfile ([#8803](https://github.com/aquasecurity/trivy/issues/8803)) ([8995838](https://github.com/aquasecurity/trivy/commit/8995838e8d184ee9178d5b52d2d3fa9b4e403015))
* julia parser panicing ([#8883](https://github.com/aquasecurity/trivy/issues/8883)) ([be8c7b7](https://github.com/aquasecurity/trivy/commit/be8c7b796dbe36d8dc3889e0bdea23336de9a1ab))
* **julia:** add `Relationship` field support ([#8939](https://github.com/aquasecurity/trivy/issues/8939)) ([22f040f](https://github.com/aquasecurity/trivy/commit/22f040f94790060132c7b0a635f44c35d5a35fb6))
* **k8s:** use in-memory cache backend during misconfig scanning ([#8873](https://github.com/aquasecurity/trivy/issues/8873)) ([fe12771](https://github.com/aquasecurity/trivy/commit/fe127715e505d753e0d878d52c5f280cdc326b76))
* **misconf:** check if for-each is known when expanding dyn block ([#8808](https://github.com/aquasecurity/trivy/issues/8808)) ([5706603](https://github.com/aquasecurity/trivy/commit/570660314698472ab831a7e0d55044e0b1e9c6c0))
* **misconf:** use argument value in WithIncludeDeprecatedChecks ([#8942](https://github.com/aquasecurity/trivy/issues/8942)) ([7e9a54c](https://github.com/aquasecurity/trivy/commit/7e9a54cd6bf4bc15e485c6233d140b389e432fe5))
* more revive rules ([#8814](https://github.com/aquasecurity/trivy/issues/8814)) ([3ab459e](https://github.com/aquasecurity/trivy/commit/3ab459e3b674f319bf349d478917a531a69754c0))
* octalLiteral from go-critic ([#8811](https://github.com/aquasecurity/trivy/issues/8811)) ([a19e0aa](https://github.com/aquasecurity/trivy/commit/a19e0aa1ba0350198c898fd57c9405fbf38fa432))
* **redhat:** Also try to find buildinfo in root layer (layer 0) ([#8924](https://github.com/aquasecurity/trivy/issues/8924)) ([906b037](https://github.com/aquasecurity/trivy/commit/906b037cff97060267d20f8947f429e078419d66))
* **redhat:** save contentSets for OS packages in fs/vm modes ([#8820](https://github.com/aquasecurity/trivy/issues/8820)) ([9256804](https://github.com/aquasecurity/trivy/commit/9256804df8577d8a746fb8b97c508c247ab82f8f))
* **redhat:** trim invalid suffix from content_sets in manifest parsing ([#8818](https://github.com/aquasecurity/trivy/issues/8818)) ([fa1077b](https://github.com/aquasecurity/trivy/commit/fa1077bbf5863a519f6f180a600afe5e2d6180d8))
* **server:** add missed Relationship field for `rpc` ([#8872](https://github.com/aquasecurity/trivy/issues/8872)) ([38f17c9](https://github.com/aquasecurity/trivy/commit/38f17c945e3ef7784607037c0457fb1e06a99959))
* use-any from revive ([#8810](https://github.com/aquasecurity/trivy/issues/8810)) ([883c63b](https://github.com/aquasecurity/trivy/commit/883c63bf29568f0feab37e5d36ae1c417eef88f5))
* **vex:** use `lo.IsNil` to check `VEX` from OCI artifact ([#8858](https://github.com/aquasecurity/trivy/issues/8858)) ([e97af98](https://github.com/aquasecurity/trivy/commit/e97af9806ab13e1ec8b792e0586b486c4982c170))
* **wolfi:** support new APK database location ([#8937](https://github.com/aquasecurity/trivy/issues/8937)) ([b15d9a6](https://github.com/aquasecurity/trivy/commit/b15d9a60e6a3ed40811d5ca6387082266ae92ea7))
### Performance Improvements
* **secret:** only match secrets of meaningful length, allow example strings to not be matched ([#8602](https://github.com/aquasecurity/trivy/issues/8602)) ([60fef1b](https://github.com/aquasecurity/trivy/commit/60fef1b615a765248c5870b814ba0c4345220c0e))
## [0.62.0](https://github.com/aquasecurity/trivy/compare/v0.61.0...v0.62.0) (2025-04-30)
### Features
* **image:** save layers metadata into report ([#8394](https://github.com/aquasecurity/trivy/issues/8394)) ([a95cab0](https://github.com/aquasecurity/trivy/commit/a95cab0eab0fcaab57eb554e74e17da71bc4809f))
* **misconf:** add option to pass Rego scanner to IaC scanner ([#8369](https://github.com/aquasecurity/trivy/issues/8369)) ([890a360](https://github.com/aquasecurity/trivy/commit/890a3602444ad2e5320044c9b8cc79ca883d17ec))
* **misconf:** convert AWS managed policy to document ([#8757](https://github.com/aquasecurity/trivy/issues/8757)) ([7abf5f0](https://github.com/aquasecurity/trivy/commit/7abf5f0199ec65c40056d4f9addc3d27e373725a))
* **misconf:** support auto_provisioning_defaults in google_container_cluster ([#8705](https://github.com/aquasecurity/trivy/issues/8705)) ([9792611](https://github.com/aquasecurity/trivy/commit/9792611b36271efbf79f635deebae7e51f497b70))
* **nodejs:** add root and workspace for `yarn` packages ([#8535](https://github.com/aquasecurity/trivy/issues/8535)) ([bf4cd4f](https://github.com/aquasecurity/trivy/commit/bf4cd4f2d2dda0bb3a7018606db9a6c1e56e4f38))
* **rust:** add root and workspace relationships/package for `cargo` lock files ([#8676](https://github.com/aquasecurity/trivy/issues/8676)) ([93efe07](https://github.com/aquasecurity/trivy/commit/93efe0789ed9d9a71e04e93d87be63032ad9cae7))
### Bug Fixes
* early-return, indent-error-flow and superfluous-else rules from revive ([#8796](https://github.com/aquasecurity/trivy/issues/8796)) ([43350dd](https://github.com/aquasecurity/trivy/commit/43350dd9b487b39d7d19bd0875274c90262dbed9))
* **k8s:** correct compare artifact versions ([#8682](https://github.com/aquasecurity/trivy/issues/8682)) ([cc47711](https://github.com/aquasecurity/trivy/commit/cc4771158b72b88258057fa379deba9f39190994))
* **k8s:** remove using `last-applied-configuration` ([#8791](https://github.com/aquasecurity/trivy/issues/8791)) ([7a58ccb](https://github.com/aquasecurity/trivy/commit/7a58ccbc7fffdfb1e5ccff9fd4cb6ca08c03a9ea))
* **k8s:** skip passed misconfigs for the summary report ([#8684](https://github.com/aquasecurity/trivy/issues/8684)) ([bff0e9b](https://github.com/aquasecurity/trivy/commit/bff0e9b034f39d0d1ca02457558b1f89847009ac))
* **misconf:** add missing variable as unknown ([#8683](https://github.com/aquasecurity/trivy/issues/8683)) ([9dcd06f](https://github.com/aquasecurity/trivy/commit/9dcd06fda717347eab1ac8ef0710687a3bfd8588))
* **misconf:** check if metadata is not nil ([#8647](https://github.com/aquasecurity/trivy/issues/8647)) ([b7dfd64](https://github.com/aquasecurity/trivy/commit/b7dfd64987b94b4bdd8b7c5a68ba2b8f1a0a9198))
* **misconf:** filter null nodes when parsing json manifest ([#8785](https://github.com/aquasecurity/trivy/issues/8785)) ([e10929a](https://github.com/aquasecurity/trivy/commit/e10929a669f43861bae80652bdfc9f39fad7225f))
* **misconf:** perform operations on attribute safely ([#8774](https://github.com/aquasecurity/trivy/issues/8774)) ([3ce7d59](https://github.com/aquasecurity/trivy/commit/3ce7d59bb16553ab487762a5a660a046bcd63334))
* **misconf:** populate context correctly for module instances ([#8656](https://github.com/aquasecurity/trivy/issues/8656)) ([efd177b](https://github.com/aquasecurity/trivy/commit/efd177b300950d82e381992e1dea39308cc39bc3))
* **report:** clean buffer after flushing ([#8725](https://github.com/aquasecurity/trivy/issues/8725)) ([9a5383e](https://github.com/aquasecurity/trivy/commit/9a5383e993222d919d63f8d9934729cf4e291c06))
* **secret:** ignore .dist-info directories during secret scanning ([#8646](https://github.com/aquasecurity/trivy/issues/8646)) ([a032ad6](https://github.com/aquasecurity/trivy/commit/a032ad696aa58850b9576d889128559149282ad3))
* **server:** fix redis key when trying to delete blob ([#8649](https://github.com/aquasecurity/trivy/issues/8649)) ([36f8d0f](https://github.com/aquasecurity/trivy/commit/36f8d0fd6705bb0da5b43507128c772b153dafec))
* **terraform:** `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks ([#8555](https://github.com/aquasecurity/trivy/issues/8555)) ([e25de25](https://github.com/aquasecurity/trivy/commit/e25de25262fd1cd559879dee07bb2db2747eedd4))
* **terraform:** hcl object expressions to return references ([#8271](https://github.com/aquasecurity/trivy/issues/8271)) ([0d3efa5](https://github.com/aquasecurity/trivy/commit/0d3efa5dc150dba437d975a2f8335de8786f94d6))
* testifylint last issues ([#8768](https://github.com/aquasecurity/trivy/issues/8768)) ([ee4f7dc](https://github.com/aquasecurity/trivy/commit/ee4f7dc6b4be437666e91383406bba8443eec199))
* unused-parameter rule from revive ([#8794](https://github.com/aquasecurity/trivy/issues/8794)) ([6562082](https://github.com/aquasecurity/trivy/commit/6562082e280a9df6199892927f2e3f7dc8f0c8ce))
## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
### Features
* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
### Bug Fixes
* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
### Performance Improvements
* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
### Features
* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
* **go:** fix parsing main module version for go &gt;= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
### Bug Fixes
* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)
### Features
* add `--distro` flag to manually specify OS distribution for vulnerability scanning ([#8070](https://github.com/aquasecurity/trivy/issues/8070)) ([da17dc7](https://github.com/aquasecurity/trivy/commit/da17dc72782cd68b5d2c4314a67936343462b75e))
* add a examples field to check metadata ([#8068](https://github.com/aquasecurity/trivy/issues/8068)) ([6d84e0c](https://github.com/aquasecurity/trivy/commit/6d84e0cc0d48ae5c490cad868bb4e5e76392241c))
* add support for registry mirrors ([#8244](https://github.com/aquasecurity/trivy/issues/8244)) ([4316bcb](https://github.com/aquasecurity/trivy/commit/4316bcbc5b9038eed21214a826981c49696bb27f))
* **fs:** use git commit hash as cache key for clean repositories ([#8278](https://github.com/aquasecurity/trivy/issues/8278)) ([b5062f3](https://github.com/aquasecurity/trivy/commit/b5062f3ae20044d1452bf293f210a24cd1d419b3))
* **image:** prevent scanning oversized container images ([#8178](https://github.com/aquasecurity/trivy/issues/8178)) ([509e030](https://github.com/aquasecurity/trivy/commit/509e03030c36d17f9427ab50a4e99fb1846ba65a))
* **image:** return error early if total size of layers exceeds limit ([#8294](https://github.com/aquasecurity/trivy/issues/8294)) ([73bd20d](https://github.com/aquasecurity/trivy/commit/73bd20d6199a777d1ed7eb560e0184d8f1b4b550))
* **k8s:** improve artifact selections for specific namespaces ([#8248](https://github.com/aquasecurity/trivy/issues/8248)) ([db9e57a](https://github.com/aquasecurity/trivy/commit/db9e57a34e460ac6934ee21dffaa2322db9fd56b))
* **misconf:** generate placeholders for random provider resources ([#8051](https://github.com/aquasecurity/trivy/issues/8051)) ([ffe24e1](https://github.com/aquasecurity/trivy/commit/ffe24e18dc3dca816ec9ce5ccf66d5d7b5ea70d6))
* **misconf:** support for ignoring by inline comments for Dockerfile ([#8115](https://github.com/aquasecurity/trivy/issues/8115)) ([c002327](https://github.com/aquasecurity/trivy/commit/c00232720a89df659c6cd0b56d99304d5ffea1a7))
* **misconf:** support for ignoring by inline comments for Helm ([#8138](https://github.com/aquasecurity/trivy/issues/8138)) ([a0429f7](https://github.com/aquasecurity/trivy/commit/a0429f773b4f696fc613d91f1600cd0da38fb2c8))
* **nodejs:** respect peer dependencies for dependency tree ([#7989](https://github.com/aquasecurity/trivy/issues/7989)) ([7389961](https://github.com/aquasecurity/trivy/commit/73899610e8eece670d2e5ddc1478fcc0a2a5760d))
* **python:** add support for poetry dev dependencies ([#8152](https://github.com/aquasecurity/trivy/issues/8152)) ([774e04d](https://github.com/aquasecurity/trivy/commit/774e04d19dc2067725ac2e18ca871872f74082ab))
* **python:** add support for uv ([#8080](https://github.com/aquasecurity/trivy/issues/8080)) ([c4a4a5f](https://github.com/aquasecurity/trivy/commit/c4a4a5fa971d73ae924afcf2259631f15e96e520))
* **python:** add support for uv dev and optional dependencies ([#8134](https://github.com/aquasecurity/trivy/issues/8134)) ([49c54b4](https://github.com/aquasecurity/trivy/commit/49c54b49c6563590dd82007d52e425a7a4e07ac0))
### Bug Fixes
* CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass ([#8088](https://github.com/aquasecurity/trivy/issues/8088)) ([d7ac286](https://github.com/aquasecurity/trivy/commit/d7ac286085077c969734225a789e6cc056d5c5f5))
* CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field ([#8207](https://github.com/aquasecurity/trivy/issues/8207)) ([670fbf2](https://github.com/aquasecurity/trivy/commit/670fbf2d81ea20ea691a86e4ed25a7454baf08e5))
* de-duplicate same `dpkg` packages with different filePaths from different layers ([#8298](https://github.com/aquasecurity/trivy/issues/8298)) ([846498d](https://github.com/aquasecurity/trivy/commit/846498dd23a80531881f803147077eee19004a50))
* enable err-error and errorf rules from perfsprint linter ([#7859](https://github.com/aquasecurity/trivy/issues/7859)) ([156a2aa](https://github.com/aquasecurity/trivy/commit/156a2aa4c49386828c0446f8978473c8da7a8754))
* **flag:** skip hidden flags for `--generate-default-config` command ([#8046](https://github.com/aquasecurity/trivy/issues/8046)) ([5e68bdc](https://github.com/aquasecurity/trivy/commit/5e68bdc9d08f96d22451d7b5dd93e79ca576eeb7))
* **fs:** fix cache key generation to use UUID ([#8275](https://github.com/aquasecurity/trivy/issues/8275)) ([eafd810](https://github.com/aquasecurity/trivy/commit/eafd810d7cb366215efbd0ab3b72c4651d31c6a6))
* handle `BLOW_UNKNOWN` error to download DBs ([#8060](https://github.com/aquasecurity/trivy/issues/8060)) ([51f2123](https://github.com/aquasecurity/trivy/commit/51f2123c5ccc4f7a37d1068830b6670b4ccf9ac8))
* improve conversion of image config to Dockerfile ([#8308](https://github.com/aquasecurity/trivy/issues/8308)) ([2e8e38a](https://github.com/aquasecurity/trivy/commit/2e8e38a8c094f3392893693ab15a605ab0d378f9))
* **java:** correctly overwrite version from depManagement if dependency uses `project.*` props ([#8050](https://github.com/aquasecurity/trivy/issues/8050)) ([9d9f80d](https://github.com/aquasecurity/trivy/commit/9d9f80d9791f38a0b4c727152166ae4d237a83a9))
* **license:** always trim leading and trailing spaces for licenses ([#8095](https://github.com/aquasecurity/trivy/issues/8095)) ([f5e4291](https://github.com/aquasecurity/trivy/commit/f5e429179df1637de96962ab9c19e4336056bb5d))
* **misconf:** allow null values only for tf variables ([#8112](https://github.com/aquasecurity/trivy/issues/8112)) ([23dc3a6](https://github.com/aquasecurity/trivy/commit/23dc3a67535b7458728b2939514a96bd3de3aa81))
* **misconf:** correctly handle all YAML tags in K8S templates ([#8259](https://github.com/aquasecurity/trivy/issues/8259)) ([f12054e](https://github.com/aquasecurity/trivy/commit/f12054e669f9df93c6322ba2755036dbccacaa83))
* **misconf:** disable git terminal prompt on tf module load ([#8026](https://github.com/aquasecurity/trivy/issues/8026)) ([bbc5a85](https://github.com/aquasecurity/trivy/commit/bbc5a85444ec86b7bb26d6db27803d199431a8e6))
* **misconf:** handle heredocs in dockerfile instructions ([#8284](https://github.com/aquasecurity/trivy/issues/8284)) ([0a3887c](https://github.com/aquasecurity/trivy/commit/0a3887ca0350d7dabf5db7e08aaf8152201fdf0d))
* **misconf:** use log instead of fmt for logging ([#8033](https://github.com/aquasecurity/trivy/issues/8033)) ([07b2d7f](https://github.com/aquasecurity/trivy/commit/07b2d7fbd7f8ef5473c2438c560fffc8bdadf913))
* **oracle:** add architectures support for advisories ([#4809](https://github.com/aquasecurity/trivy/issues/4809)) ([90f1d8d](https://github.com/aquasecurity/trivy/commit/90f1d8d78aa20b47fafab2c8ecb07247f075ef45))
* **python:** skip dev group's deps for poetry ([#8106](https://github.com/aquasecurity/trivy/issues/8106)) ([a034d26](https://github.com/aquasecurity/trivy/commit/a034d26443704601c1fe330a5cc1f019f6974524))
* **redhat:** check `usr/share/buildinfo/` dir to detect content sets ([#8222](https://github.com/aquasecurity/trivy/issues/8222)) ([f352f6b](https://github.com/aquasecurity/trivy/commit/f352f6b66355fe3636c9e4e9f3edd089c551a81c))
* **redhat:** correct rewriting of recommendations for the same vulnerability ([#8063](https://github.com/aquasecurity/trivy/issues/8063)) ([4202c4b](https://github.com/aquasecurity/trivy/commit/4202c4ba0d8fcff4b89499fe03050ef4efd37330))
* respect GITHUB_TOKEN to download artifacts from GHCR ([#7580](https://github.com/aquasecurity/trivy/issues/7580)) ([21b68e1](https://github.com/aquasecurity/trivy/commit/21b68e18188f91935ac1055a78ee97a7f35a110d))
* **sbom:** attach nested packages to Application ([#8144](https://github.com/aquasecurity/trivy/issues/8144)) ([735335f](https://github.com/aquasecurity/trivy/commit/735335f08f84936f3928cbbc3eb71af3a3a4918d))
* **sbom:** fix wrong overwriting of applications obtained from different sbom files but having same app type ([#8052](https://github.com/aquasecurity/trivy/issues/8052)) ([fd07074](https://github.com/aquasecurity/trivy/commit/fd07074e8033530eee2732193b00e59f27c73096))
* **sbom:** scan results of SBOMs generated from container images are missing layers ([#7635](https://github.com/aquasecurity/trivy/issues/7635)) ([f9fceb5](https://github.com/aquasecurity/trivy/commit/f9fceb58bf64657dee92302df1ed97e597e474c9))
* **sbom:** use root package for `unknown` dependencies (if exists) ([#8104](https://github.com/aquasecurity/trivy/issues/8104)) ([7558df7](https://github.com/aquasecurity/trivy/commit/7558df7c227c769235e5441fbdd3f9f7efb1ff84))
* **spdx:** use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX ([#8077](https://github.com/aquasecurity/trivy/issues/8077)) ([aec8885](https://github.com/aquasecurity/trivy/commit/aec8885bc7f7e3c5a2a68214dca9aff28accd122))
* **suse:** SUSE - update OSType constants and references for compatility ([#8236](https://github.com/aquasecurity/trivy/issues/8236)) ([ae28398](https://github.com/aquasecurity/trivy/commit/ae283985c926ca828b25b69ad0338008be31e5fe))
* Updated twitter icon ([#7772](https://github.com/aquasecurity/trivy/issues/7772)) ([2c41ac8](https://github.com/aquasecurity/trivy/commit/2c41ac83a95e9347605d36f483171a60ffce0fa2))
* wasm module test ([#8099](https://github.com/aquasecurity/trivy/issues/8099)) ([2200f38](https://github.com/aquasecurity/trivy/commit/2200f3846d675c64ab9302af43224d663a67c944))
### Performance Improvements
* avoid heap allocation in applier findPackage ([#7883](https://github.com/aquasecurity/trivy/issues/7883)) ([9bd6ed7](https://github.com/aquasecurity/trivy/commit/9bd6ed73e5d49d52856c76124e84c268475c5456))
## [0.58.0](https://github.com/aquasecurity/trivy/compare/v0.57.0...v0.58.0) (2024-12-02)
### Features
* add `workspaceRelationship` ([#7889](https://github.com/aquasecurity/trivy/issues/7889)) ([d622ca2](https://github.com/aquasecurity/trivy/commit/d622ca2b1fe40a0eb588478ba9e15d3bd8471a78))
* add cvss v4 score and vector in scan response ([#7968](https://github.com/aquasecurity/trivy/issues/7968)) ([e0f2054](https://github.com/aquasecurity/trivy/commit/e0f2054f9d12dce87e8a0226350f6317f7167195))
* **go:** construct dependencies in the parser ([#7973](https://github.com/aquasecurity/trivy/issues/7973)) ([bcdc0bb](https://github.com/aquasecurity/trivy/commit/bcdc0bbf1f63777ff79d3ecadb8d4f916f376b7d))
* **go:** construct dependencies of `go.mod` main module in the parser ([#7977](https://github.com/aquasecurity/trivy/issues/7977)) ([5448ba2](https://github.com/aquasecurity/trivy/commit/5448ba2a5c1ee36cbcf74ee1c2e83409092c5715))
* **k8s:** add default commands for unknown platform ([#7863](https://github.com/aquasecurity/trivy/issues/7863)) ([b1c7f55](https://github.com/aquasecurity/trivy/commit/b1c7f5516fc39c6cbb76cbeae5c8677ccc9ce5dd))
* **misconf:** log causes of HCL file parsing errors ([#7634](https://github.com/aquasecurity/trivy/issues/7634)) ([e9a899a](https://github.com/aquasecurity/trivy/commit/e9a899a3cfe41a622202808a0241b7f40b54d338))
* **oracle:** add `flavors` support ([#7858](https://github.com/aquasecurity/trivy/issues/7858)) ([b9b383e](https://github.com/aquasecurity/trivy/commit/b9b383eb2714e88357af75900c856db2900b83ec))
* **secret:** Add built-in secrets rules for Private Packagist ([#7826](https://github.com/aquasecurity/trivy/issues/7826)) ([132d9df](https://github.com/aquasecurity/trivy/commit/132d9dfa19a8835c94f332c6939ab7f64641ee5f))
* **suse:** Align SUSE/OpenSUSE OS Identifiers ([#7965](https://github.com/aquasecurity/trivy/issues/7965)) ([45d3b40](https://github.com/aquasecurity/trivy/commit/45d3b40044202dec91384847ce2b50a7271f5977))
* Update registry fallbacks ([#7679](https://github.com/aquasecurity/trivy/issues/7679)) ([5ba9a83](https://github.com/aquasecurity/trivy/commit/5ba9a83a447c4f9e577ae6235c315df71f50b452))
### Bug Fixes
* **alpine:** add `UID` for removed packages ([#7887](https://github.com/aquasecurity/trivy/issues/7887)) ([07915da](https://github.com/aquasecurity/trivy/commit/07915da4816d4d9ec8a6c5e4cba17be2a0f4ad65))
* **aws:** change CPU and Memory type of ContainerDefinition to a string ([#7995](https://github.com/aquasecurity/trivy/issues/7995)) ([aeeba70](https://github.com/aquasecurity/trivy/commit/aeeba70d15c11443d9fe7c26f90fc7d9dcc7f92c))
* **cli:** Handle empty ignore files more gracefully ([#7962](https://github.com/aquasecurity/trivy/issues/7962)) ([4cfb2a9](https://github.com/aquasecurity/trivy/commit/4cfb2a97b27923182ab45c178544542ec65981d4))
* **debian:** infinite loop ([#7928](https://github.com/aquasecurity/trivy/issues/7928)) ([d982e6a](https://github.com/aquasecurity/trivy/commit/d982e6ab89967629f71ec09100cdc61e30a27c63))
* **fs:** add missing defered Cleanup() call to post analyzer fs ([#7882](https://github.com/aquasecurity/trivy/issues/7882)) ([ab32297](https://github.com/aquasecurity/trivy/commit/ab32297e0a8220a427fa330025f8625281e02275))
* Improve version comparisons when build identifiers are present ([#7873](https://github.com/aquasecurity/trivy/issues/7873)) ([eda4d76](https://github.com/aquasecurity/trivy/commit/eda4d7660d8908705bc08a6edc55d8144d02806a))
* **k8s:** check all results for vulnerabilities ([#7946](https://github.com/aquasecurity/trivy/issues/7946)) ([797b36f](https://github.com/aquasecurity/trivy/commit/797b36fbad90b8e7f04e16e2cf08d6bdc0255ac7))
* **misconf:** do not erase variable type for child modules ([#7941](https://github.com/aquasecurity/trivy/issues/7941)) ([de3b7ea](https://github.com/aquasecurity/trivy/commit/de3b7ea24c282bce22ce9cacb49a43d8d90e2bde))
* **misconf:** handle null properties in CloudFormation templates ([#7813](https://github.com/aquasecurity/trivy/issues/7813)) ([99b2db3](https://github.com/aquasecurity/trivy/commit/99b2db3978562689cef956a71281abb84ff0ce47))
* **misconf:** load full Terraform module ([#7925](https://github.com/aquasecurity/trivy/issues/7925)) ([fbc42a0](https://github.com/aquasecurity/trivy/commit/fbc42a04ea24e2246f81491434a965846d55ed69))
* **misconf:** properly resolve local Terraform cache ([#7983](https://github.com/aquasecurity/trivy/issues/7983)) ([fe3a897](https://github.com/aquasecurity/trivy/commit/fe3a8971b6697d896c1ec30b5326a10c20349d14))
* **misconf:** Update trivy-checks default repo to `mirror.gcr.io` ([#7953](https://github.com/aquasecurity/trivy/issues/7953)) ([9988147](https://github.com/aquasecurity/trivy/commit/9988147b8b0e463464fe494122bfcc66ccdf04e0))
* **misconf:** wrap AWS EnvVar to iac types ([#7407](https://github.com/aquasecurity/trivy/issues/7407)) ([54130dc](https://github.com/aquasecurity/trivy/commit/54130dcc1d775506d34b83a558952176fc549914))
* **redhat:** don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files ([#7912](https://github.com/aquasecurity/trivy/issues/7912)) ([38775a5](https://github.com/aquasecurity/trivy/commit/38775a5ed985eefe2b410e72407c454cdad3d075))
* **report:** handle `git@github.com` schema for misconfigs in `sarif` report ([#7898](https://github.com/aquasecurity/trivy/issues/7898)) ([19aea4b](https://github.com/aquasecurity/trivy/commit/19aea4b01f3ce5a3cd05d5a1091da5b0b3ba4af6))
* **sbom:** Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details ([#7871](https://github.com/aquasecurity/trivy/issues/7871)) ([461a68a](https://github.com/aquasecurity/trivy/commit/461a68afd60b77dd67e91047b3b4d558fa5bd2ec))
* **terraform:** set null value as fallback for missing variables ([#7669](https://github.com/aquasecurity/trivy/issues/7669)) ([611558e](https://github.com/aquasecurity/trivy/commit/611558e4ce61818330118684274534f26b1fda99))
## [0.57.0](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.57.0) (2024-10-31)
### ⚠ BREAKING CHANGES
* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444))
### Features
* add end of life date for Ubuntu 24.10 ([#7787](https://github.com/aquasecurity/trivy/issues/7787)) ([ad3c09e](https://github.com/aquasecurity/trivy/commit/ad3c09e006e134f3c5b879ffc34ce9895a8c860f))
* **cli:** add `trivy auth` ([#7664](https://github.com/aquasecurity/trivy/issues/7664)) ([27117f8](https://github.com/aquasecurity/trivy/commit/27117f81d52483c3ceec56fe56ac298e242fbc9a))
* **cli:** error out when ignore file cannot be found ([#7624](https://github.com/aquasecurity/trivy/issues/7624)) ([cb0b3a9](https://github.com/aquasecurity/trivy/commit/cb0b3a9279b31810ecd686a385e5140e567ce86f))
* **cli:** rename `trivy auth` to `trivy registry` ([#7727](https://github.com/aquasecurity/trivy/issues/7727)) ([633a7ab](https://github.com/aquasecurity/trivy/commit/633a7abeea4287899392a24f2705f96dfeb7e312))
* **cyclonedx:** add file checksums to `CycloneDX` reports ([#7507](https://github.com/aquasecurity/trivy/issues/7507)) ([c225883](https://github.com/aquasecurity/trivy/commit/c225883649f58128a99fa2c1cef327d0e57940be))
* **db:** append errors ([#7843](https://github.com/aquasecurity/trivy/issues/7843)) ([5e78b6c](https://github.com/aquasecurity/trivy/commit/5e78b6c12fb5740c12dedeea3d335d48ec2f752b))
* **misconf:** export unresolvable field of IaC types to Rego ([#7765](https://github.com/aquasecurity/trivy/issues/7765)) ([9514148](https://github.com/aquasecurity/trivy/commit/9514148767865baddd73a49245385574927f7a74))
* **misconf:** public network support for Azure Storage Account ([#7601](https://github.com/aquasecurity/trivy/issues/7601)) ([ad91412](https://github.com/aquasecurity/trivy/commit/ad914123c4d203af1e1da6b7e2d3e49d9d3831d8))
* **misconf:** Show misconfig ID in output ([#7762](https://github.com/aquasecurity/trivy/issues/7762)) ([f75c0d1](https://github.com/aquasecurity/trivy/commit/f75c0d1f0069d4856cb4826d6049f32c5b9409d9))
* **misconf:** ssl_mode support for GCP SQL DB instance ([#7564](https://github.com/aquasecurity/trivy/issues/7564)) ([2eaa17e](https://github.com/aquasecurity/trivy/commit/2eaa17e0717940b27a79050e2efd9213b71178c9))
* **parser:** ignore white space in pom.xml files ([#7747](https://github.com/aquasecurity/trivy/issues/7747)) ([a7baa93](https://github.com/aquasecurity/trivy/commit/a7baa93b00b8636aa097e64cdb8eed97dbd68511))
* **report:** update gitlab template to populate operating_system value ([#7735](https://github.com/aquasecurity/trivy/issues/7735)) ([c0d79fa](https://github.com/aquasecurity/trivy/commit/c0d79fa09e645f3a3dbff878e393b8631fb17b64))
### Bug Fixes
* **cli:** `clean --all` deletes only relevant dirs ([#7704](https://github.com/aquasecurity/trivy/issues/7704)) ([672e886](https://github.com/aquasecurity/trivy/commit/672e886aed152ae0f09a16941706746f3053ca94))
* **cli:** add config name to skip-policy-update alias ([#7820](https://github.com/aquasecurity/trivy/issues/7820)) ([b661d68](https://github.com/aquasecurity/trivy/commit/b661d680ff0372c8e4beea0db13bf69d6a2203a8))
* **db:** fix javadb downloading error handling ([#7642](https://github.com/aquasecurity/trivy/issues/7642)) ([2c87f0c](https://github.com/aquasecurity/trivy/commit/2c87f0cb794acd77446a273582ba1a45b9f18980))
* enable usestdlibvars linter ([#7770](https://github.com/aquasecurity/trivy/issues/7770)) ([57e24aa](https://github.com/aquasecurity/trivy/commit/57e24aa85382f749df7f673e241caaf3fcbb45cb))
* **go:** Do not trim v prefix from versions in Go Mod Analyzer ([#7733](https://github.com/aquasecurity/trivy/issues/7733)) ([e872ec0](https://github.com/aquasecurity/trivy/commit/e872ec006c0745a5a142728af0096c6d6bb9ddf3))
* **helm:** properly handle multiple archived dependencies ([#7782](https://github.com/aquasecurity/trivy/issues/7782)) ([6fab88d](https://github.com/aquasecurity/trivy/commit/6fab88dd56c257ef2cc63b617c2a5decb1c4cf98))
* **java:** correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents ([#7541](https://github.com/aquasecurity/trivy/issues/7541)) ([778df82](https://github.com/aquasecurity/trivy/commit/778df828eaad9827cb833c6285058a33aa2b83ca))
* **k8s:** skip resources without misconfigs ([#7797](https://github.com/aquasecurity/trivy/issues/7797)) ([7882776](https://github.com/aquasecurity/trivy/commit/78827768a612ab305bf9c55409ce76d6774302a5))
* **k8s:** support k8s multi container ([#7444](https://github.com/aquasecurity/trivy/issues/7444)) ([c434775](https://github.com/aquasecurity/trivy/commit/c4347759234dcb5f372b07f92fb4230ef391d710))
* **k8s:** support kubernetes v1.31 ([#7810](https://github.com/aquasecurity/trivy/issues/7810)) ([7a4f4d8](https://github.com/aquasecurity/trivy/commit/7a4f4d8b12996687f3095a2042cdf2f5985332c9))
* **license:** fix license normalization for Universal Permissive License ([#7766](https://github.com/aquasecurity/trivy/issues/7766)) ([f6acdf7](https://github.com/aquasecurity/trivy/commit/f6acdf713991f8ffdbe765178fcb8a9cde433cba))
* **misconf:** change default ACL of digitalocean_spaces_bucket to private ([#7577](https://github.com/aquasecurity/trivy/issues/7577)) ([9da84f5](https://github.com/aquasecurity/trivy/commit/9da84f54fadbe6ad0d73983952e945ed63b666f3))
* **misconf:** check if property is not nil before conversion ([#7578](https://github.com/aquasecurity/trivy/issues/7578)) ([c8c14d3](https://github.com/aquasecurity/trivy/commit/c8c14d36245623019f29d258f813d2325f7490f7))
* **misconf:** fix for Azure Storage Account network acls adaptation ([#7602](https://github.com/aquasecurity/trivy/issues/7602)) ([35fd018](https://github.com/aquasecurity/trivy/commit/35fd018ae7ad86823f114f0ac2f1376726aee444))
* **misconf:** properly expand dynamic blocks ([#7612](https://github.com/aquasecurity/trivy/issues/7612)) ([8d5dbc9](https://github.com/aquasecurity/trivy/commit/8d5dbc9fec3569b22ed81a03c40eaf732768718b))
* **redhat:** include arch in PURL qualifiers ([#7654](https://github.com/aquasecurity/trivy/issues/7654)) ([a585e95](https://github.com/aquasecurity/trivy/commit/a585e95f3398631d9ad10505c5ff642fde21aef7))
* **repo:** `git clone` output to Stderr ([#7561](https://github.com/aquasecurity/trivy/issues/7561)) ([fdf203c](https://github.com/aquasecurity/trivy/commit/fdf203cd209aeb40f454bd12d121a54d6ed7a542))
* **report:** Fix invalid URI in SARIF report ([#7645](https://github.com/aquasecurity/trivy/issues/7645)) ([015bb88](https://github.com/aquasecurity/trivy/commit/015bb885ac414b91201fa9791eead395d878149c))
* **sbom:** add options for DBs in private registries ([#7660](https://github.com/aquasecurity/trivy/issues/7660)) ([1f2e91b](https://github.com/aquasecurity/trivy/commit/1f2e91b02b3606dd11963002a8cfac7962f3478f))
* **sbom:** use `Annotation` instead of `AttributionTexts` for `SPDX` formats ([#7811](https://github.com/aquasecurity/trivy/issues/7811)) ([f2bb9c6](https://github.com/aquasecurity/trivy/commit/f2bb9c6227743dd61f44eb591d4b15192fe110c6))
* **db:** fix javadb downloading error handling [backport: release/v0.56] ([#7646](https://github.com/aquasecurity/trivy/issues/7646)) ([5dbdadf](https://github.com/aquasecurity/trivy/commit/5dbdadfe4578288d5c3f2a5b625fff4a3580f8c5))
## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)

2
CONTRIBUTING.md
View File

@@ -1 +1 @@
See [Issues](https://trivy.dev/docs/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/docs/latest/community/contribute/pr/)
See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.23.0
FROM alpine:3.20.3
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

2
Dockerfile.canary
View File

@@ -1,4 +1,4 @@
FROM alpine:3.23.0
FROM alpine:3.20.0
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser

20
Dockerfile.protoc Normal file
View File

@@ -0,0 +1,20 @@
FROM --platform=linux/amd64 golang:1.22
# Set environment variable for protoc
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
# Install unzip for protoc installation and clean up cache
RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
# Download and install protoc
RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
&& unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
&& unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
&& rm -f $PROTOC_ZIP
# Install Go tools
RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
RUN go install github.com/magefile/mage@v1.15.0
ENV TRIVY_PROTOC_CONTAINER=true

17
README.md
View File

@@ -21,6 +21,7 @@ Targets (what Trivy can scan):
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):
@@ -53,9 +54,9 @@ Trivy is integrated with many popular platforms and applications. The complete l
- See [Ecosystem] for more
### Canary builds
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) generated with every push to the main branch.
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
Please be aware: canary builds might have critical bugs, so they are not recommended for use in production.
Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
### General usage
@@ -107,7 +108,7 @@ trivy k8s --report summary cluster
## Want more? Check out Aqua
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/docs/latest/commercial/compare/).
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
@@ -116,6 +117,7 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
@@ -130,13 +132,14 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[homepage]: https://trivy.dev
[docs]: https://trivy.dev/docs/latest/
[docs]: https://aquasecurity.github.io/trivy
[pronunciation]: #how-to-pronounce-the-name-trivy
[slack]: https://slack.aquasec.com
[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
[Installation]:https://trivy.dev/docs/latest/getting-started/installation/
[Ecosystem]: https://trivy.dev/docs/latest/ecosystem/
[Scanning Coverage]: https://trivy.dev/docs/latest/coverage/
[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego

11
SECURITY.md
View File

@@ -2,16 +2,9 @@
## Supported Versions
This is an open source project that is provided as-is without warranty or liability.
As such, there is no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
This is an open source project that is provided as-is without warrenty or liability.
As such no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
## Reporting a Vulnerability
Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab).
⚠️ **Important:**
This policy is intended for vulnerabilities in **Trivy itself** (e.g., core functionality, scanning logic, or security features).
If you discover a vulnerability in a **dependency module** (e.g., a third-party library used by Trivy), please **do not report it here**.
Instead, open a ticket in [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions) so that the maintainers and community can evaluate and address it appropriately.

10
aqua.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.31.1
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0

13
buf.gen.yaml
View File

@@ -1,13 +0,0 @@
version: v2
plugins:
- remote: buf.build/protocolbuffers/go:v1.34.0
out: .
opt:
- paths=source_relative
# Using local protoc-gen-twirp since the remote twirp plugin is not available on buf.build
- local: protoc-gen-twirp
out: .
opt:
- paths=source_relative
inputs:
- directory: .

10
buf.yaml
View File

@@ -1,10 +0,0 @@
version: v2
modules:
- path: .
name: buf.build/aquasecurity/trivy
lint:
use:
- STANDARD
breaking:
use:
- FILE

4
ci/deploy-rpm.sh
View File

@@ -16,7 +16,7 @@ function create_common_rpm_repo () {
mkdir -p $rpm_path/$arch
cp ../dist/*${prefix}.rpm ${rpm_path}/$arch/
createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path/$arch
rm ${rpm_path}/$arch/*${prefix}.rpm
done
}
@@ -28,7 +28,7 @@ function create_rpm_repo () {
mkdir -p $rpm_path
cp ../dist/*64bit.rpm ${rpm_path}/
createrepo_c -u https://get.trivy.dev/rpm/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
createrepo_c -u https://github.com/aquasecurity/trivy/releases/download/ --location-prefix="v"$TRIVY_VERSION --update $rpm_path
rm ${rpm_path}/*64bit.rpm
}

18
cmd/trivy/main.go
View File

@@ -21,12 +21,6 @@ func main() {
if errors.As(err, &exitError) {
os.Exit(exitError.Code)
}
var userErr *types.UserError
if errors.As(err, &userErr) {
log.Fatal("Error", log.Err(userErr))
}
log.Fatal("Fatal error", log.Err(err))
}
}
@@ -41,11 +35,9 @@ func run() error {
return nil
}
// Ensure cleanup on exit
defer commands.Cleanup()
// Set up signal handling for graceful shutdown
ctx := commands.NotifyContext(context.Background())
return commands.Run(ctx)
app := commands.NewApp()
if err := app.Execute(); err != nil {
return err
}
return nil
}

2
contrib/Trivy.gitlab-ci.yml
View File

@@ -12,9 +12,9 @@ Trivy_container_scanning:
before_script:
- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
- apk add --no-cache curl docker-cli
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
- trivy registry login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
script:
- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
cache:

0
examples/ignore-policies/advanced.rego → contrib/example_policy/advanced.rego
View File

0
examples/ignore-policies/basic.rego → contrib/example_policy/basic.rego
View File

13
contrib/gitlab.tpl
View File

@@ -24,18 +24,11 @@
"status": "success",
"type": "container_scanning"
},
{{- $image := "Unknown" -}}
{{- $os := "Unknown" -}}
{{- range . }}
{{- if eq .Class "os-pkgs" -}}
{{- $target := .Target }}
{{- $image = $target | regexFind "[^\\s]+" }}
{{- $os = $target | splitList "(" | last | trimSuffix ")" }}
{{- end }}
{{- end }}
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- $image := $target | regexFind "[^\\s]+" }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
@@ -72,7 +65,7 @@
"version": "{{ .InstalledVersion }}"
},
{{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
"operating_system": "{{ $os }}",
"operating_system": "Unknown",
"image": "{{ $image }}"
},
"identifiers": [

31
contrib/junit.tpl
View File

@@ -15,9 +15,8 @@
{{- end }}
</testsuite>
{{- $target := .Target }}
{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" time="">
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
{{- else }}
<testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- end }}
@@ -29,23 +28,7 @@
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
{{- if (eq .Status "FAIL") }}
<failure message="{{ escapeXML .Title }}" type="description">&#xA;
{{- $target }}:
{{- with .CauseMetadata }}
{{- .StartLine }}
{{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}:&#xA;&#xA;Occurrences:&#xA;
{{- range $i := .Occurrences -}}
via {{ .Filename }}:
{{- .Location.StartLine }}
{{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }})&#xA;
{{- end -}}
&#xA;Code:&#xA;
{{- range .Code.Lines }}
{{- if .IsCause }}{{ escapeXML .Content }}&#xA;{{- end }}
{{- end }}&#xA;
{{- end }}
{{- escapeXML .Description }}
</failure>
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
{{- end }}
</testcase>
{{- end }}
@@ -61,15 +44,5 @@
</testsuite>
{{- end }}
{{- if .Secrets }}
{{- $secrets := len .Secrets }}
<testsuite tests="{{ $secrets }}" failures="{{ $secrets }}" name="{{ .Target }}" time="0">{{ range .Secrets }}
<testcase classname="{{ .RuleID }}" name="[{{ .Severity }}] {{ .Title }}">
<failure message="{{ .Title }}" type="description">{{ escapeXML .Match }}</failure>
</testcase>
{{- end }}
</testsuite>
{{- end }}
{{- end }}
</testsuites>

8
docs/build/Dockerfile vendored
View File

@@ -1,6 +1,10 @@
FROM squidfunk/mkdocs-material:9.5.44
FROM squidfunk/mkdocs-material:9.4.6
# https://squidfunk.github.io/mkdocs-material/getting-started/?h=macros#with-docker-material-for-mkdocs
## If you want to see exactly the same version as is published to GitHub pages
## use a private image for insiders, which requires authentication.
# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
# FROM ghcr.io/squidfunk/mkdocs-material-insiders
COPY requirements.txt .
RUN pip install -r requirements.txt

3
docs/build/requirements.in vendored
View File

@@ -1,3 +0,0 @@
mkdocs-material==9.5.44
mkdocs-macros-plugin
mike

136
docs/build/requirements.txt vendored
View File

@@ -1,114 +1,30 @@
#
# This file is autogenerated by pip-compile with Python 3.13
# by the following command:
#
# pip-compile --output-file=docs/build/requirements.txt docs/build/requirements.in
#
babel==2.16.0
# via mkdocs-material
certifi==2024.8.30
# via requests
charset-normalizer==3.4.0
# via requests
click==8.1.7
# via mkdocs
colorama==0.4.6
# via mkdocs-material
ghp-import==2.1.0
# via mkdocs
hjson==3.1.0
# via
# mkdocs-macros-plugin
# super-collections
idna==3.10
# via requests
importlib-metadata==8.5.0
# via mike
importlib-resources==6.4.5
# via mike
jinja2==3.1.4
# via
# mike
# mkdocs
# mkdocs-macros-plugin
# mkdocs-material
markdown==3.7
# via
# mkdocs
# mkdocs-material
# pymdown-extensions
markupsafe==3.0.2
# via
# jinja2
# mkdocs
click==8.1.2
csscompressor==0.9.5
ghp-import==2.0.2
htmlmin==0.1.12
importlib-metadata==4.11.3
Jinja2==3.1.1
jsmin==3.0.1
Markdown==3.3.6
MarkupSafe==2.1.1
mergedeep==1.3.4
# via
# mkdocs
# mkdocs-get-deps
mike==2.1.3
# via -r docs/build/requirements.in
mkdocs==1.6.1
# via
# mike
# mkdocs-macros-plugin
# mkdocs-material
mkdocs-get-deps==0.2.0
# via mkdocs
mkdocs-macros-plugin==1.3.7
# via -r docs/build/requirements.in
mkdocs-material==9.5.44
# via -r docs/build/requirements.in
mkdocs-material-extensions==1.3.1
# via mkdocs-material
packaging==24.2
# via
# mkdocs
# mkdocs-macros-plugin
paginate==0.5.7
# via mkdocs-material
pathspec==0.12.1
# via
# mkdocs
# mkdocs-macros-plugin
platformdirs==4.3.6
# via mkdocs-get-deps
pygments==2.19.2
# via mkdocs-material
pymdown-extensions==10.12
# via mkdocs-material
pyparsing==3.2.0
# via mike
python-dateutil==2.9.0.post0
# via
# ghp-import
# mkdocs-macros-plugin
pyyaml==6.0.2
# via
# mike
# mkdocs
# mkdocs-get-deps
# mkdocs-macros-plugin
# pymdown-extensions
# pyyaml-env-tag
mike==1.1.2
mkdocs==1.3.0
mkdocs-macros-plugin==0.7.0
mkdocs-material==8.3.9
mkdocs-material-extensions==1.0.3
mkdocs-minify-plugin==0.5.0
mkdocs-redirects==1.0.4
packaging==21.3
Pygments==2.12.0
pymdown-extensions==9.5
pyparsing==3.0.8
python-dateutil==2.8.2
PyYAML==6.0.1
pyyaml-env-tag==0.1
# via
# mike
# mkdocs
regex==2024.11.6
# via mkdocs-material
requests==2.32.3
# via mkdocs-material
six==1.16.0
# via python-dateutil
super-collections==0.5.3
# via mkdocs-macros-plugin
termcolor==2.5.0
# via mkdocs-macros-plugin
urllib3==2.2.3
# via requests
termcolor==1.1.0
verspec==0.1.0
# via mike
watchdog==6.0.0
# via mkdocs
zipp==3.21.0
# via importlib-metadata
watchdog==2.1.7
zipp==3.8.0

86
docs/commercial/compare.md
View File

@@ -1,86 +0,0 @@
# Aqua Security is the home of Trivy
Trivy is proudly maintained by [Aqua Security](https://aquasec.com).
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
In this page you can find a high level comparison between Trivy Open Source and Aqua's commercial product.
If you'd like to learn more or request a demo, [click here to contact us](./contact.md).
## User experience
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Interface | CLI tool | CLI tool <br> Enterprise-grade web application <br> SaaS or on-prem |
| Search & Discover | - | Easily search for security issues across all workloads and infrastructure in your organization <br> Visually discover risks across your organization |
| User management | - | Multi account <br> Granular permissions (RBAC) <br> Single Sign On (SSO) |
| Support | Some skills required for setup and integration <br> Best effort community support | Personal onboarding by Aqua Customer Success <br> SLA backed professional support |
| Scalability & Availability | Single scan at a time | Centralized scanning service supports concurrent scans efficiently <br> Highly available production grade architecture |
| Rate limiting | Assets hosted on public free infrastructure and could be rate limited | Assets hosted on Aqua infrastructure and does not have limitations |
## Vulnerability scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Vulnerabilities sources | Based on open source vulnerability feeds | Based on open source and commercial vulnerability feeds |
| New Vulnerabilities SLA | No SLA | Commercial level SLA |
| Package managers | Find packages in lock files | Find packages in lock files or reconstructed lock files |
| Vulnerability management | Manually ignore specific vulnerabilities by ID or property | Advanced vulnerability management solution <br> Vulnerability tracking and suppression <br> Incident lifecycle management |
| Vulnerability prioritization | Manually triage by severity | Multiple prioritization tools: <br> Accessibility of the affected resources <br> Exploitability of the vulnerability <br> Open Source packages health and trustworthiness score <br> Affected image layers |
| Reachability analysis | - | Analyze source code to eliminate vulnerabilities of unused dependencies |
| Contextual vulnerabilities | - | Reduce irrelevant vulnerabilities based on environmental factors (e.g. Spring4Shell not relevant due to JDK version) |
| Compiled binaries | Find embedded dependencies in Go and Rust binaries <br> Find SBOM by hash in public Sigstore | In addition, identify popular applications |
## Container scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Windows containers | - | Support scanning windows containers |
| Scan container registries | - | Connect to any container registries and automatically scan it |
| Private registries | Standard registry authenticationCloud authentication with ECR, GCR, ACR | Supports registry specific authentication schemes |
| Layer cache | Local cache directory | Scalable Cloud cache |
## Advanced scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Malware scanning | - | Scan container images for malware |
| Sandbox scanning | - | Use DTA (Dynamic threat analysis) to run and test container images' behavior to detect sophisticated threats |
| SAST (code scanning) | - | Analyze source code for security issues and vulnerabilities |
## Policy and enforcement
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Kubernetes admission | - | Validating Kubernetes Admission based on automatic or user defined policy |
| CI/CD policies | Can fail the entire build on any finding | Granular policies to fail builds based on custom criteria |
| Container engine | - | Block incompliant images from running at container engine level |
| Block vulnerable packages | - | vShield monitor and block usage of vulnerable packages |
## Secrets scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Detected patterns | Basic patterns | Advanced patterns |
| Leaked secrets validation | - | Automatically checks if leaked secrets are valid and usable |
## IaC/CSPM scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/docs/latest/scanner/misconfiguration/check/builtin/) | In addition, Build Pipeline configuration scanning |
| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |
| Custom compliance | Create in YAML | Create in a web UI |
| Remediation advice | Basic | AI powered specialized remediation guides |
## Kubernetes scanning
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
Scan initiation | CLI / Kubernetes Operator | Kubernetes Operator / Management web application |
Results consumption | kubectl / CRD / Prometheus exporter | In addition, Advanced UI dashboards, Automatic notifications and incident management flows |
Cluster discovery | Kubeconfig | Automatic discovery thorough cloud onboarding |
Workload image scanning | Scanning in cluster, requires capacity planning | Scanning offloaded to Aqua service, little impact on scanned clusters |
| Cluster scanning | CIS, NSA, PSS | More than 25 compliance programs |
| Scope | Single cluster | Multi cluster, Cloud relationship |
| Scalability | Reports limited by in-cluster etcd storage (size and number of reports) | Cloud-based storage (unlimited scalability) |

17
docs/commercial/contact.md
View File

@@ -1,17 +0,0 @@
<style>
.md-content .md-content__inner a, h1 {
display:none;
}
input.hs-input, textarea.hs-input {
border: silver solid 1px !important;
font-size: 0.8em;
padding: 5px;
}
</style>
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
<script>
hbspt.forms.create({
portalId: "1665891",
formId: "a1d0c098-3b3a-40d8-afb4-e04ddb697afe"
});
</script>

8
docs/community/contribute/checks/overview.md
View File

@@ -80,7 +80,7 @@ The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `bu
## Generating an ID
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule.
@@ -88,13 +88,13 @@ Running `make id` in the root of the trivy-checks repository will provide you wi
Rego Checks for Trivy can utilise Schemas to map the input to specific objects. The schemas available are listed [here.](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas).
More information on using the builtin schemas is provided in the [main documentation.](../../../guide/scanner/misconfiguration/custom/schema.md)
More information on using the builtin schemas is provided in the [main documentation.](../../../docs/scanner/misconfiguration/custom/schema.md)
## Check Metadata
The metadata is the top section that starts with `# METADATA`, and has to be placed on top of the check. You can copy and paste from another check as a starting point. This format is effectively _yaml_ within a Rego comment, and is [defined as part of Rego itself](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata).
For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../guide/scanner/misconfiguration/custom/index.md)
For detailed information on each component of the Check Metadata, please refer to the [main documentation.](../../../docs/scanner/misconfiguration/custom/index.md)
Note that while the Metadata is optional in your own custom checks for Trivy, if you are contributing your check to the Trivy builtin checks, the Metadata section will be required.
@@ -123,7 +123,7 @@ Finally, you'll want to generate documentation for your newly added rule. Please
## Adding Tests
All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../guide/scanner/misconfiguration/custom/testing.md) section of the docs.
All Rego checks need to have tests. There are many examples of these in the `checks` directory for each check ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). More information on how to write tests for Rego checks is provided in the [custom misconfiguration](../../../docs/scanner/misconfiguration/custom/testing.md) section of the docs.
## Example PR

2
docs/community/contribute/checks/service-support.md
View File

@@ -57,7 +57,7 @@ type AWS struct {
### Update Adapters
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)

4
docs/community/contribute/discussion.md
View File

@@ -24,7 +24,7 @@ There are 4 categories:
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://trivy.dev/docs/latest/scanner/vulnerability/#data-sources).
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
@@ -42,7 +42,7 @@ If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub s
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues)
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.

17
docs/community/contribute/pr.md
View File

@@ -3,7 +3,7 @@ Thank you for taking interest in contributing to Trivy!
1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
1. Your PR is more likely to be accepted if it focuses on just one change.
1. There's no need to add or tag reviewers.
1. If a reviewer commented on your code or asked for changes, please remember to respond with a comment. Do not mark the discussion as resolved. It's up to the reviewer to mark it resolved (in case the suggested fix addresses the problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
1. Please include a comment with the results before and after your change.
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
@@ -54,21 +54,6 @@ Your PR must pass all the integration tests. You can test it as below.
$ mage test:integration
```
### Protocol Buffers
If you update protobuf files (`.proto`), you need to regenerate the Go code:
```shell
$ mage protoc:generate
```
You can also format and lint protobuf files:
```shell
$ mage protoc:fmt # Format protobuf files
$ mage protoc:lint # Lint protobuf files
$ mage protoc:breaking # Check for breaking changes against main branch
```
### Documentation
If you update CLI flags, you need to generate the CLI references.
The test will fail if they are not up-to-date.

144
docs/community/contribute/vulnerability-database/add-vulnerability-source.md
View File

@@ -1,144 +0,0 @@
# Add Vulnerability Advisory Source
This guide walks through the process of adding a new vulnerability advisory source to Trivy.
!!! info
For an overview of how Trivy's vulnerability database works, see the [Overview](overview.md) page.
## Prerequisites
Before starting, ensure you have:
1. Identified the upstream advisory source and its API/format
2. Checked that the data source doesn't already exist in Trivy
3. Created a GitHub discussion or issue to discuss the addition
## Required Changes
To add a new vulnerability advisory source, you'll need to make changes across three repositories. Below we'll use the Echo OS support as an example.
### Step 1: Add Fetcher Script (vuln-list-update)
!!! note
Skip this step if your advisory source is already managed in a Git repository (e.g., GitHub, GitLab).
Create a fetcher script in [vuln-list-update] to collect advisories from the upstream source.
**Key tasks:**
- Fetch advisories from the upstream API or source
- Validate the advisory format and data
- Save advisories as JSON files in the [vuln-list] directory structure
- **Store original data as-is where possible**: Avoid preprocessing or modifying advisory fields. Save the raw data exactly as provided by the upstream source (format conversion like YAML to JSON is acceptable for consistency)
- Include all necessary metadata (CVE ID, affected versions, severity, etc.)
**Example PR:**
- [feat(echo): Add Echo Support (vuln-list-update#350)](https://github.com/aquasecurity/vuln-list-update/pull/350)
### Step 2: Add Parser (trivy-db)
Create a parser in [trivy-db] to transform raw advisories into Trivy's database format.
**Key tasks:**
- Create a new vulnerability source in `pkg/vulnsrc/`
- Implement the advisory parsing logic
- Map advisory fields to Trivy's vulnerability schema
- Handle version ranges and affected packages correctly
- Store CVE mappings if available
- Add unit tests for the parser
**Example PR:**
- [feat(echo): Add Echo Support (trivy-db#528)](https://github.com/aquasecurity/trivy-db/pull/528)
### Step 3: Add OS/Ecosystem Support (Trivy)
Update [trivy] to support the new operating system or package ecosystem.
**Key tasks:**
- Add OS analyzer in `pkg/fanal/analyzer/os/` to detect the OS
- Implement vulnerability detection logic if special handling is needed
- Add integration tests with test data
- Update documentation to include the new data source
**Example PR:**
- [feat(echo): Add Echo Support (trivy#8833)](https://github.com/aquasecurity/trivy/pull/8833)
## Complete Example: Echo OS Support
The Echo OS support was added through three coordinated PRs:
1. **vuln-list-update**: Fetches Echo advisories from `https://advisory.echohq.com/data.json`
- PR: https://github.com/aquasecurity/vuln-list-update/pull/350
2. **trivy-db**: Parses Echo advisories and stores them in the database
- PR: https://github.com/aquasecurity/trivy-db/pull/528
3. **Trivy**: Detects Echo OS and scans for vulnerabilities
- PR: https://github.com/aquasecurity/trivy/pull/8833
## Testing Your Changes
### Test vuln-list-update
First, fetch all existing advisories (required for building the database):
```bash
cd vuln-list-update
go run main.go -vuln-list-dir /path/to/vuln-list
```
Then, test your new data source by fetching only your target:
```bash
go run main.go -target your-source -vuln-list-dir /path/to/vuln-list
```
Verify that advisories are correctly saved in the vuln-list directory.
### Test trivy-db
```bash
cd trivy-db
make db-build CACHE_DIR=/path/to/cache
```
Check that the database is built without errors and contains your advisories.
!!! note
The `CACHE_DIR` should point to the parent directory of your vuln-list directory. For example, if your vuln-list is at `/tmp/test/vuln-list`, set `CACHE_DIR=/tmp/test`.
You can inspect the built database using BoltDB viewer tools like [boltwiz](https://github.com/Moniseeta/boltwiz):
```bash
# Open the database
boltwiz out/trivy.db
```
This allows you to verify that your vulnerabilities are correctly stored in the database.
### Test Trivy
```bash
# Build Trivy with your changes
mage build
# Use your local database
./trivy image --skip-db-update --cache-dir /path/to/cache your-test-image
```
Verify that vulnerabilities from your new data source are detected correctly.
## Getting Help
If you have questions or need help:
1. Check existing data sources for reference implementations
2. [Start a discussion](https://github.com/aquasecurity/trivy/discussions/new) in the Trivy repository
[vuln-list]: https://github.com/aquasecurity/vuln-list
[vuln-list-update]: https://github.com/aquasecurity/vuln-list-update
[trivy-db]: https://github.com/aquasecurity/trivy-db
[trivy]: https://github.com/aquasecurity/trivy

86
docs/community/contribute/vulnerability-database/overview.md
View File

@@ -1,86 +0,0 @@
# Vulnerability Data Sources
This section explains how Trivy's vulnerability database works and how to contribute new advisory data sources.
## Overview
Trivy's vulnerability database is built through a multi-repository workflow involving three main repositories:
```mermaid
graph LR
A[Advisory Sources] -->|vuln-list-update| B[vuln-list]
B --> C["trivy-db<br/>(Trivy DB)"]
C --> D["trivy<br/>(Trivy CLI)"]
E[GitHub-managed<br/>Advisories] --> C
```
### Workflow Steps
1. **Advisory Collection** ([vuln-list-update])
- Fetch raw advisories from upstream sources
- Store them in [vuln-list] repository
- Run periodically via cron to keep advisories up-to-date
- This step can be skipped if advisories are already managed in a Git repository (e.g., GitHub Security Advisories)
2. **Database Build** ([trivy-db])
- Parse advisories from [vuln-list] or directly from Git-managed sources
- Transform them into Trivy's database format
- Publish the built database periodically via cron
3. **Database Consumption** ([trivy])
- Download the latest vulnerability database at scan time
- Use it to detect vulnerabilities in scan targets
## Why Store Advisories in vuln-list?
For data sources that are not already Git-managed, storing advisories in the [vuln-list] repository provides several benefits:
- **Transparency**: Easy to track changes and differences between advisory versions
- **Web UI**: Browse advisories directly on GitHub with a user-friendly interface
- **Stability**: Mitigate issues when upstream advisory servers are unstable or unavailable
- **Shareability**: Provide stable URLs to reference specific advisories
- **Data Quality**: Validate advisory data before committing to vuln-list, preventing malformed data or unexpected format changes from breaking Trivy DB
- **Historical Data**: Preserve past advisories when upstream formats change
## Repository Overview
### [vuln-list-update]
This repository contains scripts that fetch advisories from various upstream sources. Each data source has its own package that handles:
- Fetching advisories from APIs or web sources
- Validating the advisory format and data
- Saving them to the [vuln-list] repository
### [vuln-list]
This repository serves as a data storage for raw advisories fetched by [vuln-list-update]. Key characteristics:
- Contains raw advisory data in JSON format
- Updated automatically by [vuln-list-update] scripts via cron
- **Not for manual contributions**: Direct pull requests to this repository are not accepted
- Used as the source for [trivy-db] to build the vulnerability database
### [trivy-db]
This repository contains parsers that transform raw advisories into Trivy's database format. Each data source has its own vulnerability source handler that:
- Reads advisory files from [vuln-list] or directly from Git-managed sources (e.g., GitHub Security Advisories)
- Maps advisory fields to Trivy's schema
- Stores vulnerability information in the database
### [trivy]
The main Trivy repository contains:
- OS and package analyzers to detect what's installed
- Vulnerability detection logic
## Next Steps
Ready to add a new vulnerability advisory source? See the [Add Vulnerability Advisory Source](add-vulnerability-source.md) guide for detailed steps.
[vuln-list]: https://github.com/aquasecurity/vuln-list
[vuln-list-update]: https://github.com/aquasecurity/vuln-list-update
[trivy-db]: https://github.com/aquasecurity/trivy-db
[trivy]: https://github.com/aquasecurity/trivy

24
docs/community/maintainer/pr-review.md
View File

@@ -1,24 +0,0 @@
# Pull Request Review Policy
This document outlines the review policy for pull requests in the Trivy project.
## Core Principles
### 1. All Changes Through Pull Requests
All changes to the `main` branch must be made through pull requests.
Direct commits to `main` are not allowed.
### 2. Required Approvals
Every pull request requires approval from at least one CODEOWNER before merging.
For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required.
When a pull request is created by the only code owner of a domain, approval from any other maintainer is required.
When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval.
This prevents accidental merging by the PR author.
### 3. Merge Responsibility
- **General Rule**: The pull request author should click the merge button after receiving required approvals
- **Exception**: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly
- **External Contributors**: Pull requests from external contributors should be merged by a CODEOWNER

19
docs/community/maintainer/release-flow.md
View File

@@ -10,12 +10,7 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
!!! note
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).
!!! tip
It's a good idea to check if there are any outstanding vulnerability updates created by dependabot waiting for your review.
They can be found in the "Security" tab of the repository.
If there are any, please review and merge them before creating a release. This will help to ensure that the release includes the latest security patches.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
## Flow
The release flow consists of the following main steps:
@@ -79,18 +74,8 @@ Replace URLs with appropriate ones.
Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
### Merging the auto-generated Helm chart update PR
Once the release PR is merged, there will be an auto-generated PR that bumps the Trivy version for the Trivy Helm Chart. An example can be seen [here](https://github.com/aquasecurity/trivy/pull/8638).
> [!NOTE]
> It is possible that the release action takes a while to finish and the Helm chart action runs prior. In such a case the Helm chart action will fail as it will not be able to find the latest Trivy container image.
> In such a case, it is advised to manually restart the Helm chart action, once the release action is finished.
If things look good, approve and merge this PR to further trigger the publishing of the Helm Chart.
The release is now complete 🍻
The release is now complete.
[conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
[release-please]: https://github.com/googleapis/release-please

2
docs/community/maintainer/triage.md
View File

@@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.
We have specific [guidelines](./help-wanted.md)
We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also

2
docs/community/principles.md
View File

@@ -48,6 +48,6 @@ As mentioned in [the Core Principles](#detecting-unintended-states), detection o
### User Interface
Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
[trivy-aqua]: ../commercial/compare.md
[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
[tracee]: https://github.com/aquasecurity/tracee
[aqua]: https://www.aquasec.com/

162
docs/docs/advanced/air-gap.md Normal file
View File

@@ -0,0 +1,162 @@
# Advanced Network Scenarios
Trivy needs to connect to the internet occasionally in order to download relevant content. This document explains the network connectivity requirements of Trivy and setting up Trivy in particular scenarios.
## Network requirements
Trivy's databases are distributed as OCI images via GitHub Container registry (GHCR):
- <https://ghcr.io/aquasecurity/trivy-db>
- <https://ghcr.io/aquasecurity/trivy-java-db>
- <https://ghcr.io/aquasecurity/trivy-checks>
The following hosts are required in order to fetch them:
- `ghcr.io`
- `pkg-containers.githubusercontent.com`
The databases are pulled by Trivy using the [OCI Distribution](https://github.com/opencontainers/distribution-spec) specification, which is a simple HTTPS-based protocol.
[VEX Hub](https://github.com/aquasecurity/vexhub) is distributed from GitHub over HTTPS.
The following hosts are required in order to fetch it:
- `api.github.com`
- `codeload.github.com`
## Running Trivy in air-gapped environment
An air-gapped environment refers to situations where the network connectivity from the machine Trivy runs on is blocked or restricted.
In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis.
## Offline Mode
By default, Trivy will attempt to download latest databases. If it fails, the scan might fail. To avoid this behavior, you can tell Trivy to not attempt to download database files:
- `--skip-db-update` to skip updating the main vulnerability database.
- `--skip-java-db-update` to skip updating the Java vulnerability database.
- `--skip-check-update` to skip updating the misconfiguration database.
```shell
trivy image --skip-db-update --skip-java-db-update --offline-scan --skip-check-update myimage
```
## Self-Hosting
### OCI Databases
You can host the databases on your own local OCI registry.
First, make a copy of the databases in a container registry that is accessible to Trivy. The databases are in:
- `ghcr.io/aquasecurity/trivy-db:2`
- `ghcr.io/aquasecurity/trivy-java-db:1`
- `ghcr.io/aquasecurity/trivy-checks:0`
Then, tell Trivy to use the local registry:
```shell
trivy image \
--db-repository myregistry.local/trivy-db \
--java-db-repository myregistry.local/trivy-java-db \
--checks-bundle-repository myregistry.local/trivy-checks \
myimage
```
#### Authentication
If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
### VEX Hub
You can host a copy of VEX Hub on your own internal server.
First, make a copy of VEX Hub in a location that is accessible to Trivy.
1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
1. Make the manifest file available for serving from your server under the `/.well-known` path (e.g `https://server.local/.well-known/vex-repository.json`).
Then, tell Trivy to use the local VEX Repository:
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Disable the default VEX Hub repo (`enabled: false`)
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
#### Authentication
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
## Manual cache population
You can also download the databases files manually and surgically populate the Trivy cache directory with them.
### Downloading the DB files
On a machine with internet access, pull the database container archive from the public registry into your local workspace:
Note that these examples operate in the current working directory.
=== "Using ORAS"
This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
```shell
oras pull ghcr.io/aquasecurity/trivy-db:2
```
You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
```shell
tar -xzf db.tar.gz
```
You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files.
=== "Using Trivy"
This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
```shell
trivy image --cache-dir . --download-db-only
```
You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
### Populating the Trivy Cache
In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
```shell
trivy -h | grep cache
```
For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
```shell
TRIVY_CACHE_DIR=/home/user/.cache/trivy
```
Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
```shell
# ensure cache db directory exists
mkdir -p ${TRIVY_CACHE_DIR}/db
# copy the db files
cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
```
### Java DB
For Java DB the process is the same, except for the following:
1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
2. Archive file name is `javadb.tar.gz`
3. DB file name is `trivy-java.db`
## Misconfigurations scanning
Note that the misconfigurations checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
The misconfiguration scanner can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).

0
docs/guide/advanced/container/embed-in-dockerfile.md → docs/docs/advanced/container/embed-in-dockerfile.md
View File

0
docs/guide/advanced/container/unpacked-filesystem.md → docs/docs/advanced/container/unpacked-filesystem.md
View File

36
docs/guide/advanced/modules.md → docs/docs/advanced/modules.md
View File

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language supporting WebAssembly.
- It supports only Go at the moment.
- It supports only [TinyGo][tinygo] at the moment.
You can write your own detection logic.
@@ -47,8 +47,8 @@ Trivy adheres to the XDG specification, so the location depends on whether XDG_D
Trivy will now search XDG_DATA_HOME for the location of the Trivy modules cache.
The preference order is as follows:
- XDG_DATA_HOME if set and .trivy/modules exists within the XDG_DATA_HOME dir
- $HOME/.trivy/modules
- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
- $HOME/.trivy/plugins
For example, to download the WebAssembly module, you can execute the following command:
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
```
## Building Modules
It supports Go only at the moment.
It supports TinyGo only at the moment.
### Go
### TinyGo
Trivy provides Go SDK including three interfaces.
Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
@@ -113,7 +113,7 @@ type Analyzer interface {
type PostScanner interface {
PostScanSpec() serialize.PostScanSpec
PostScan(types.Results) (types.Results, error)
PostScan(serialize.Results) (serialize.Results, error)
}
```
@@ -137,22 +137,11 @@ $ go mod init github.com/aquasecurity/trivy-module-wordpress
```go
package main
import (
"github.com/aquasecurity/trivy/pkg/module/wasm"
)
const (
version = 1
name = "wordpress-module"
)
// main is required for Go to compile the Wasm module
func main() {}
func init() {
wasm.RegisterModule(WordpressModule{})
}
type WordpressModule struct{
// Cannot define fields as modules can't keep state.
}
@@ -214,7 +203,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
}
return &serialize.AnalysisResult{
CustomResources: []ftypes.CustomResource{
CustomResources: []serialize.CustomResource{
{
Type: typeWPVersion,
FilePath: filePath,
@@ -257,7 +246,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
}
}
func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
// e.g. results
// [
// {
@@ -299,7 +288,7 @@ func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
if vulnerable {
// Add CVE-2020-36326
results = append(results, types.Result{
results = append(results, serialize.Result{
Target: wpPath,
Class: types.ClassLangPkg,
Type: "wordpress",
@@ -329,10 +318,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
If `PostScan` returns an empty, Trivy will not delete anything.
#### Build
Follow [the install guide][go-installation] and install Go.
Follow [the install guide][tinygo-installation] and install TinyGo.
```bash
$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
```
Put the built binary to the module directory that is under the home directory by default.
@@ -358,11 +347,12 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
[regexp]: https://github.com/google/re2/wiki/Syntax
[tinygo]: https://tinygo.org/
[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
[wazero]: https://github.com/tetratelabs/wazero
[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
[go-installation]: https://go.dev/doc/install
[tinygo-installation]: https://tinygo.org/getting-started/install/
[oras]: https://oras.land/cli/

0
docs/guide/advanced/private-registries/acr.md → docs/docs/advanced/private-registries/acr.md
View File

0
docs/guide/advanced/private-registries/docker-hub.md → docs/docs/advanced/private-registries/docker-hub.md
View File

0
docs/guide/advanced/private-registries/ecr.md → docs/docs/advanced/private-registries/ecr.md
View File

0
docs/guide/advanced/private-registries/gcr.md → docs/docs/advanced/private-registries/gcr.md
View File

34
docs/guide/advanced/private-registries/index.md → docs/docs/advanced/private-registries/index.md
View File

@@ -1,30 +1,13 @@
Trivy can download images from a private registry without the need for installing Docker or any other 3rd party tools.
This makes it easy to run within a CI process.
## Login
You can log in to a private registry using the `trivy registry login` command.
It uses the Docker configuration file (`~/.docker/config.json`) to store the credentials under the hood, and the configuration file path can be configured by `DOCKER_CONFIG` environment variable.
```shell
$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io
$ trivy image ghcr.io/your/private_image
```
## Passing Credentials
You can also provide your credentials when scanning.
## Credential
To use Trivy with private images, simply install it and provide your credentials:
```shell
$ TRIVY_USERNAME=YOUR_USERNAME TRIVY_PASSWORD=YOUR_PASSWORD trivy image YOUR_PRIVATE_IMAGE
```
!!! warning
When passing credentials via environment variables or CLI flags, Trivy will attempt to use these credentials for all registries encountered during scanning, regardless of the target registry.
This can potentially lead to unintended credential exposure.
To mitigate this risk:
1. Set credentials cautiously and only when necessary.
2. Prefer using `trivy registry login` to pre-configure credentials with specific registries, which ensures credentials are only sent to appropriate registries.
Trivy also supports providing credentials through CLI flags:
```shell
@@ -34,7 +17,6 @@ $ TRIVY_PASSWORD=YOUR_PASSWORD trivy image --username YOUR_USERNAME YOUR_PRIVATE
!!! warning
The CLI flag `--password` is available, but its use is not recommended for security reasons.
You can also store your credentials in `trivy.yaml`.
For more information, please refer to [the documentation](../../references/configuration/config-file.md).
@@ -53,5 +35,15 @@ In the example above, Trivy attempts to use two pairs of credentials:
Please note that the number of usernames and passwords must be the same.
## docker login
If you have Docker configured locally and have set up the credentials, Trivy can access them.
```shell
$ docker login ghcr.io
Username:
Password:
$ trivy image ghcr.io/your/private_image
```
!!! note
`--password-stdin` doesn't support comma-separated passwords.
`docker login` can be used with any container runtime, such as Podman.

0
docs/guide/advanced/private-registries/self.md → docs/docs/advanced/private-registries/self.md
View File

18
docs/guide/compliance/compliance.md → docs/docs/compliance/compliance.md
View File

@@ -10,14 +10,15 @@ Trivys compliance flag lets you curate a specific set of checks into a report
Compliance report is currently supported in the following targets (trivy sub-commands):
- `trivy image`
- `trivy aws`
- `trivy k8s`
Add the `--compliance` flag to the command line, and set its value to the desired report.
Add the `--compliance` flag to the command line, and set it's value to desired report.
For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
### Options
The following flags are compatible with the `--compliance` flag and allow customizing its output:
The following flags are compatible with `--compliance` flag and allows customizing it's output:
| flag | effect |
|--------------------|--------------------------------------------------------------------------------------|
@@ -28,13 +29,14 @@ The following flags are compatible with the `--compliance` flag and allow custom
## Built-in compliance
Trivy has a number of built-in compliance reports that you can assess right out of the box.
To specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
Trivy has a number of built-in compliance reports that you can asses right out of the box.
to specify a built-in compliance report, select it by ID like `trivy --compliance <compliance_id>`.
For the list of built-in compliance reports, please see the relevant section:
- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)
## Contribute a Built-in Compliance Report
@@ -165,7 +167,7 @@ Example of how to define command data under [commands folder](https://github.com
title: kubelet.conf file permissions
nodeType: worker
audit: stat -c %a $kubelet.kubeconfig
platforms:
platfroms:
- k8s
- aks
```
@@ -180,7 +182,7 @@ make command-id
#### Command Key
- Re-use an existing key or specify a new one (make sure key name has no spaces)
- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
@@ -197,7 +199,7 @@ Specify the node type on which the command is supposed to run.
### Command Audit
Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)
Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
### Command Platforms
@@ -264,7 +266,7 @@ You can create your own custom compliance report. A compliance report is a simpl
```yaml
spec:
id: "k8s-myreport" # report unique identifier. this should not contain spaces.
id: "k8s-myreport" # report unique identifier. this should not container spaces.
title: "My custom Kubernetes report" # report title. Any one-line title.
description: "Describe your report" # description of the report. Any text.
relatedResources :

14
docs/guide/compliance/contrib-compliance.md → docs/docs/compliance/contrib-compliance.md
View File

@@ -1,9 +1,9 @@
# Custom Compliance Spec
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../guide/compliance/compliance.md).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
@@ -14,13 +14,13 @@ Compliance specs can be based on new compliance reports becoming available e.g.
### Create a new Compliance Spec
The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.
### Minimum spec structure
The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).
The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
@@ -37,7 +37,7 @@ Additional information is provided below.
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available.
Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
`3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`
@@ -56,7 +56,7 @@ Thus, we can use the information already present:
```
- The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`
- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
#### 2. Referencing a check manually that is not part of the Trivy default checks

14
docs/guide/configuration/cache.md → docs/docs/configuration/cache.md
View File

@@ -51,7 +51,9 @@ It supports three types of backends for this cache:
- TTL can be configured via `--cache-ttl`
### Local File System
The local file system backend is the default choice for container image, VM image and repository scans.
The local file system backend is the default choice for container and VM image scans.
When scanning container images, it stores analysis results on a per-layer basis, using layer IDs as keys.
This approach enables faster scans of the same container image or different images that share layers.
!!! note
Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
@@ -61,7 +63,7 @@ The local file system backend is the default choice for container image, VM imag
### Memory
The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
This makes it useful in scenarios where caching is not required or desired.
It serves as the default for filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
It serves as the default for repository, filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
To use the memory backend for a container image scan, you can use the following command:
@@ -86,7 +88,7 @@ If you want to use TLS with Redis, you can enable it by specifying the `--redis-
$ trivy server --cache-backend redis://localhost:6379 --redis-tls
```
Trivy also supports connecting to Redis with your certificates.
Trivy also supports for connecting to Redis with your certificates.
You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options.
```
@@ -96,11 +98,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
--redis-key /path/to/key.pem
```
[trivy-db]: ./db.md
[trivy-java-db]: ./db.md
[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
[boltdb]: https://github.com/etcd-io/bbolt
[parallel-run]: https://trivy.dev/docs/{{ git.tag}}/guide/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files

126
docs/docs/configuration/db.md Normal file
View File

@@ -0,0 +1,126 @@
# DB
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |
The vulnerability database and the Java index database are needed only for vulnerability scanning.
See [here](../scanner/vulnerability.md) for the detail.
## Vulnerability Database
### Skip update of vulnerability DB
If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
```
$ trivy image --skip-db-update python:3.4-alpine3.9
```
<details>
<summary>Result</summary>
```
2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
| | | | | | with long nonces |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
```
</details>
### Only download vulnerability database
You can also ask `Trivy` to simply retrieve the vulnerability database.
This is useful to initialize workers in Continuous Integration systems.
```
$ trivy image --download-db-only
```
### DB Repository
`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
```
$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
```
The media type of the OCI layer must be `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip`.
You can reference the OCI manifest of [trivy-db].
<details>
<summary>Manifest</summary>
```shell
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.aquasec.trivy.config.v1+json",
"digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
"size": 2
},
"layers": [
{
"mediaType": "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip",
"digest": "sha256:29ad6505b8957c7cd4c367e7c705c641a9020d2be256812c5f4cc2fc099f4f02",
"size": 55474933,
"annotations": {
"org.opencontainers.image.title": "db.tar.gz"
}
}
],
"annotations": {
"org.opencontainers.image.created": "2024-09-11T06:14:51Z"
}
}
```
</details>
!!!note
Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
!!! Note
In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
```
$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
```
The media type of the OCI layer must be `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip`.
You can reference the OCI manifest of [trivy-java-db].
!!!note
Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
`java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
## Remove DBs
"trivy clean" command removes caches and databases.
```
$ trivy clean --vuln-db --java-db
2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...
2024-06-24T11:42:31+06:00 INFO Removing Java database...
```
[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db

50
docs/guide/configuration/filtering.md → docs/docs/configuration/filtering.md
View File

@@ -112,7 +112,7 @@ trivy config --severity HIGH,CRITICAL examples/misconf/mixed
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1)
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Last USER command in Dockerfile should not be 'root'
@@ -130,13 +130,13 @@ See https://avd.aquasec.com/misconfig/ds002
deployment.yaml (kubernetes)
============================
Tests: 8 (SUCCESSES: 8, FAILURES: 0)
Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (HIGH: 0, CRITICAL: 0)
main.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)
CRITICAL: Classic resources should not be used.
@@ -280,7 +280,8 @@ Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyig
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | |
| License | |
```bash
$ cat .trivyignore
@@ -299,10 +300,6 @@ AVD-DS-0002
# Ignore secrets
generic-unwanted-rule
aws-account-id
# Ignore licenses
GPL-3.0
Apache-2.0 WITH LLVM-exception
```
```bash
@@ -327,7 +324,7 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
#### .trivyignore.yaml
| Scanner | Supported |
| :--------------: | :-------: |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
@@ -381,24 +378,8 @@ licenses:
- id: GPL-3.0 # License name is used as ID
paths:
- "usr/share/gcc/python/libstdcxx/v6/__init__.py"
- id: MIT AND GPL-2.0-or-later # Compound license expressions are supported
- id: Apache-2.0 WITH LLVM-exception # License expressions with exceptions are supported
- id: LLVM-exception # Individual license components or exceptions can be ignored
```
!!! info "Enhanced License Expression Support"
Trivy supports filtering complex SPDX license expressions including:
- **Compound expressions** with AND/OR operators: `MIT AND GPL-2.0-or-later`
- **License exceptions** with WITH operator: `Apache-2.0 WITH LLVM-exception`
- **Individual components**: You can ignore specific license components or exceptions from compound expressions
When filtering compound expressions:
- **AND/OR expressions**: All individual license components must be explicitly ignored for the entire expression to be ignored
- **WITH expressions**: License expressions with exceptions are treated as single entities and can be ignored as a whole
- **Component matching**: You can also ignore individual license names or exception names to filter specific parts of compound expressions
Since this feature is experimental, you must explicitly specify the YAML file path using the `--ignorefile` flag.
Once this functionality is stable, the YAML file will be loaded automatically.
@@ -413,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1
@@ -496,26 +477,13 @@ ignore {
```
```bash
trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
```
To filter findings of a specific type based on a field that may exist in multiple structures (for example, `PkgName` in both `DetectedVulnerability` and `DetectedLicense`), you can use the `Type` field. This field is automatically added when exporting findings to Rego and indicates the kind of finding. Possible values are: `vulnerability`, `misconfiguration`, `secret`, and `license`.
For example, the following policy ignores vulnerabilities with a specific package name without affecting other finding types:
```rego
package trivy
ignore {
input.Type == "vulnerability"
input.PkgName == "foo"
}
trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
```
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
You can create a whitelist of checks using Rego, see the detailed [example](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies/whitelist.rego). Additional examples are available [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies).
You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |

31
docs/docs/configuration/index.md Normal file
View File

@@ -0,0 +1,31 @@
# Configuration
Trivy can be configured using the following ways. Each item takes precedence over the item below it:
- CLI flags
- Environment variables
- Configuration file
## CLI Flags
You can view the list of available flags using the `--help` option.
For more details, please refer to [the CLI reference](../references/configuration/cli/trivy.md).
## Environment Variables
Trivy can be customized by environment variables.
The environment variable key is the flag name converted by the following procedure.
- Add `TRIVY_` prefix
- Make it all uppercase
- Replace `-` with `_`
For example,
- `--debug` => `TRIVY_DEBUG`
- `--cache-dir` => `TRIVY_CACHE_DIR`
```
$ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
```
## Configuration File
By default, Trivy reads the `trivy.yaml` file.
For more details, please refer to [the page](../references/configuration/config-file.md).

54
docs/guide/configuration/others.md → docs/docs/configuration/others.md
View File

@@ -117,57 +117,3 @@ The following example will fail when a critical vulnerability is found or the OS
```
$ trivy image --exit-code 1 --exit-on-eol 1 --severity CRITICAL alpine:3.16.3
```
## Mirror Registries
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports mirrors for [remote container images](../target/container_image.md#container-registry) and [databases](./db.md).
To configure them, add a list of mirrors along with the host to the [trivy config file](../references/configuration/config-file.md#registry-options).
!!! note
Use the `index.docker.io` host for images from `Docker Hub`, even if you don't use that prefix.
Example for `index.docker.io`:
```yaml
registry:
mirrors:
index.docker.io:
- mirror.gcr.io
```
### Registry check procedure
Trivy uses the following registry order to get the image:
- mirrors in the same order as they are specified in the configuration file
- source registry
In cases where we can't get the image from the mirror registry (e.g. when authentication fails, image doesn't exist, etc.) - Trivy will check other mirrors (or the source registry if all mirrors have already been checked).
Example:
```yaml
registry:
mirrors:
index.docker.io:
- mirror.with.bad.auth // We don't have credentials for this registry
- mirror.without.image // Registry doesn't have this image
```
When we want to get the image `alpine` with the settings above. The logic will be as follows:
1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
3. Get the image from `index.docker.io` (the original registry).
## Check for updates
Trivy periodically checks for updates and notices, and displays a message to the user with recommendations.
Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message.
You can disable updates checking by specifying the `--skip-version-check` flag.
## Telemetry
Trivy collected usage data for product improvement. More details in the [Telemetry document](../advanced/telemetry.md).
You can disable telemetry collection using the `--disable-telemetry` flag.

453
docs/docs/configuration/reporting.md Normal file
View File

@@ -0,0 +1,453 @@
# Reporting
## Format
Trivy supports the following formats:
- Table
- JSON
- [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
- Template
- SBOM
- GitHub dependency snapshot
### Table (Default)
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
```
$ trivy image -f table golang:1.12-alpine
```
#### Show origins of vulnerable dependencies
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Modern software development relies on the use of third-party libraries.
Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
This flag is only available with the `--format table` flag.
The following OS package managers are currently supported:
| OS Package Managers |
|---------------------|
| apk |
| dpkg |
| rpm |
The following languages are currently supported:
| Language | File |
|----------|--------------------------------------------|
| Node.js | [package-lock.json][nodejs-package-lock] |
| | [pnpm-lock.yaml][pnpm-lock] |
| | [yarn.lock][yarn-lock] |
| .NET | [packages.lock.json][dotnet-packages-lock] |
| Python | [poetry.lock][poetry-lock] |
| Ruby | [Gemfile.lock][gemfile-lock] |
| Rust | [cargo-auditable binaries][cargo-binaries] |
| Go | [go.mod][go-mod] |
| PHP | [composer.lock][composer-lock] |
| Java | [pom.xml][pom-xml] |
| | [*gradle.lockfile][gradle-lockfile] |
| | [*.sbt.lock][sbt-lockfile] |
| Dart | [pubspec.lock][pubspec-lock] |
This tree is the reverse of the dependency graph.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
In table output, it looks like:
```sh
$ trivy fs --severity HIGH,CRITICAL --dependency-tree /path/to/your_node_project
package-lock.json (npm)
=======================
Total: 2 (HIGH: 1, CRITICAL: 1)
┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ follow-redirects │ CVE-2022-0155 │ HIGH │ 1.14.6 │ 1.14.7 │ follow-redirects: Exposure of Private Personal Information │
│ │ │ │ │ │ to an Unauthorized Actor │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0155 │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ CRITICAL │ 3.1.0 │ 5.1.2 │ nodejs-glob-parent: Regular expression denial of service │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-28469 │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Dependency Origin Tree (Reversed)
=================================
package-lock.json
├── follow-redirects@1.14.6, (HIGH: 1, CRITICAL: 0)
│ └── axios@0.21.4
└── glob-parent@3.1.0, (HIGH: 0, CRITICAL: 1)
└── chokidar@2.1.8
└── watchpack-chokidar2@2.0.1
└── watchpack@1.7.5
└── webpack@4.46.0
└── cra-append-sw@2.7.0
```
Vulnerable dependencies are shown in the top level of the tree.
Lower levels show how those vulnerabilities are introduced.
In the example above **axios@0.21.4** included in the project directly depends on the vulnerable **follow-redirects@1.14.6**.
Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain of dependencies that is added by **cra-append-sw@2.7.0**.
Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
### JSON
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
```
$ trivy image -f json -o results.json golang:1.12-alpine
```
<details>
<summary>Result</summary>
```
2019-05-16T01:46:31.777+0900 INFO Updating vulnerability database...
2019-05-16T01:47:03.007+0900 INFO Detecting Alpine vulnerabilities...
```
</details>
<details>
<summary>JSON</summary>
```
[
{
"Target": "php-app/composer.lock",
"Vulnerabilities": null
},
{
"Target": "node-app/package-lock.json",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2018-16487",
"PkgName": "lodash",
"InstalledVersion": "4.17.4",
"FixedVersion": "\u003e=4.17.11",
"Title": "lodash: Prototype pollution in utilities function",
"Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
"Severity": "HIGH",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
]
}
]
},
{
"Target": "trivy-ci-test (alpine 3.7.1)",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2018-16840",
"PkgName": "curl",
"InstalledVersion": "7.61.0-r0",
"FixedVersion": "7.61.1-r1",
"Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
"Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
"Severity": "HIGH",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
]
},
{
"VulnerabilityID": "CVE-2019-3822",
"PkgName": "curl",
"InstalledVersion": "7.61.0-r0",
"FixedVersion": "7.61.1-r2",
"Title": "curl: NTLMv2 type-3 header stack buffer overflow",
"Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
"Severity": "HIGH",
"References": [
"https://curl.haxx.se/docs/CVE-2019-3822.html",
"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
]
},
{
"VulnerabilityID": "CVE-2018-16839",
"PkgName": "curl",
"InstalledVersion": "7.61.0-r0",
"FixedVersion": "7.61.1-r1",
"Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
"Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"Severity": "HIGH",
"References": [
"https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
]
},
{
"VulnerabilityID": "CVE-2018-19486",
"PkgName": "git",
"InstalledVersion": "2.15.2-r0",
"FixedVersion": "2.15.3-r0",
"Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
"Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
"Severity": "HIGH",
"References": [
"https://usn.ubuntu.com/3829-1/",
]
},
{
"VulnerabilityID": "CVE-2018-17456",
"PkgName": "git",
"InstalledVersion": "2.15.2-r0",
"FixedVersion": "2.15.3-r0",
"Title": "git: arbitrary code execution via .gitmodules",
"Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
"Severity": "HIGH",
"References": [
"http://www.securitytracker.com/id/1041811",
]
}
]
},
{
"Target": "python-app/Pipfile.lock",
"Vulnerabilities": null
},
{
"Target": "ruby-app/Gemfile.lock",
"Vulnerabilities": null
},
{
"Target": "rust-app/Cargo.lock",
"Vulnerabilities": null
}
]
```
</details>
`VulnerabilityID`, `PkgName`, `InstalledVersion`, and `Severity` in `Vulnerabilities` are always filled with values, but other fields might be empty.
### SARIF
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
[SARIF][sarif] can be generated with the `--format sarif` flag.
```
$ trivy image --format sarif -o report.sarif golang:1.12-alpine
```
This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
### GitHub dependency snapshot
Trivy supports the following packages.
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
[GitHub dependency snapshots][github-sbom] can be generated with the `--format github` flag.
```
$ trivy image --format github -o report.gsbom alpine
```
This snapshot file can be [submitted][github-sbom-submit] to your GitHub repository.
### Template
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
#### Custom Template
{% raw %}
```
$ trivy image --format template --template "{{ range . }} {{ .Target }} {{ end }}" golang:1.12-alpine
```
{% endraw %}
<details>
<summary>Result</summary>
```
2020-01-02T18:02:32.856+0100 INFO Detecting Alpine vulnerabilities...
golang:1.12-alpine (alpine 3.10.2)
```
</details>
You can compute different figures within the template using [sprig][sprig] functions.
As an example you can summarize the different classes of issues:
{% raw %}
```
$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine
```
{% endraw %}
<details>
<summary>Result</summary>
```
Critical: 0, High: 2
```
</details>
For other features of sprig, see the official [sprig][sprig] documentation.
#### Load templates from a file
You can load templates from a file prefixing the template path with an @.
```
$ trivy image --format template --template "@/path/to/template" golang:1.12-alpine
```
#### Default Templates
If Trivy is installed using rpm then default templates can be found at `/usr/local/share/trivy/templates`.
##### JUnit
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | |
| License | |
In the following example using the template `junit.tpl` XML can be generated.
```
$ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml golang:1.12-alpine
```
##### ASFF
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | |
Trivy also supports an [ASFF template for reporting findings to AWS Security Hub][asff]
##### HTML
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | |
| License | |
```
$ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
```
The following example shows use of default HTML template when Trivy is installed using rpm.
```
$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
```
### SBOM
See [here](../supply-chain/sbom.md) for details.
## Output
Trivy supports the following output destinations:
- File
- Plugin
### File
By specifying `--output <file_path>`, you can output the results to a file.
Here is an example:
```
$ trivy image --format json --output result.json debian:12
```
### Plugin
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Plugins capable of receiving Trivy's results via standard input, called "output plugin", can be seamlessly invoked using the `--output` flag.
```
$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <target_name>
```
This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere.
For more details, please check [here](../plugin/user-guide.md#output-mode-support).
## Converting
To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
```shell
$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
```
!!! note
Please note that if you want to convert to a format that requires a list of packages,
such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
[Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
```shell
# Output all severities in JSON
$ trivy image --format json -o result.json --list-all-pkgs debian:11
# Output only critical issues in table format
$ trivy convert --format table --severity CRITICAL result.json
```
!!! note
JSON reports from "trivy aws" and "trivy k8s" are not yet supported.
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
[action]: https://github.com/aquasecurity/trivy-action
[asff]: ../../tutorials/integrations/aws-security-hub.md
[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
[sprig]: http://masterminds.github.io/sprig/
[github-sbom]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#about-dependency-submissions
[github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
[os_packages]: ../scanner/vulnerability.md#os-packages
[language_packages]: ../scanner/vulnerability.md#language-specific-packages
[nodejs-package-lock]: ../coverage/language/nodejs.md#npm
[pnpm-lock]: ../coverage/language/nodejs.md#pnpm
[yarn-lock]: ../coverage/language/nodejs.md#yarn
[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
[poetry-lock]: ../coverage/language/python.md#poetry
[gemfile-lock]: ../coverage/language/ruby.md#bundler
[go-mod]: ../coverage/language/golang.md#go-modules
[composer-lock]: ../coverage/language/php.md#composer
[pom-xml]: ../coverage/language/java.md#pomxml
[gradle-lockfile]: ../coverage/language/java.md#gradlelock
[sbt-lockfile]: ../coverage/language/java.md#sbt
[pubspec-lock]: ../coverage/language/dart.md#dart
[cargo-binaries]: ../coverage/language/rust.md#binaries

119
docs/docs/configuration/skipping.md Normal file
View File

@@ -0,0 +1,119 @@
# Skipping Files and Directories
This section details ways to specify the files and directories that Trivy should not scan.
## Skip Files
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip files that you don't maintain using the `--skip-files` flag, or the equivalent Trivy YAML config option.
Using the `--skip-files` flag:
```bash
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
Using the Trivy YAML configuration:
```yaml
image:
skip-files:
- foo
- "testdata/*/bar"
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-files "./testdata/*/bar" .
```
This will skip any file named `bar` in the subdirectories of testdata.
```bash
$ trivy config --skip-files "./foo/**/*.tf" .
```
This will skip any files with the extension `.tf` in subdirectories of foo at any depth.
## Skip Directories
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip directories that you don't maintain using the `--skip-dirs` flag, or the equivalent Trivy YAML config option.
Using the `--skip-dirs` flag:
```bash
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
Using the Trivy YAML configuration:
```yaml
image:
skip-dirs:
- foo/bar/
- "**/.terraform"
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-dirs "./testdata/*" .
```
This will skip all subdirectories of the testdata directory.
```bash
$ trivy config --skip-dirs "**/.terraform" .
```
This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
`./foo/bar/.terraform`, but not `./.terraform`.)
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
```bash
$ trivy image --skip-files "**/foo" image:tag
```
This will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | |
| License | ✓[^1] |
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
```
--file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"
```
The prefixes are listed [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go)
[^1]: Only work with the [license-full](../scanner/license.md) flag)

0
docs/guide/coverage/iac/azure-arm.md → docs/docs/coverage/iac/azure-arm.md
View File

0
docs/guide/coverage/iac/cloudformation.md → docs/docs/coverage/iac/cloudformation.md
View File

0
docs/guide/coverage/iac/docker.md → docs/docs/coverage/iac/docker.md
View File

0
docs/guide/coverage/iac/helm.md → docs/docs/coverage/iac/helm.md
View File

2
docs/guide/coverage/iac/index.md → docs/docs/coverage/iac/index.md
View File

@@ -22,4 +22,4 @@ Trivy scans Infrastructure as Code (IaC) files for
[misconf]: ../../scanner/misconfiguration/index.md
[secret]: ../../scanner/secret.md
[json-and-yaml]: ../../scanner/misconfiguration/config/config.md#scan-arbitrary-json-and-yaml-configurations
[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations

0
docs/guide/coverage/iac/kubernetes.md → docs/docs/coverage/iac/kubernetes.md
View File

0
docs/guide/coverage/iac/terraform.md → docs/docs/coverage/iac/terraform.md
View File

0
docs/guide/coverage/index.md → docs/docs/coverage/index.md
View File

2
docs/guide/coverage/kubernetes.md → docs/docs/coverage/kubernetes.md
View File

@@ -17,7 +17,7 @@ Container image is scanned for:
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets

Some files were not shown because too many files have changed in this diff Show More