trivy/docs/vulnerability/detection/language.md

# Language-specific Packages

`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
| Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
| Rust     | Cargo.lock               | ✅        | ✅         |       ✅        |       ✅        | included        |

The path of these files does not matter.

Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)

[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: It requires Internet access
[^5]: It requires Internet access when the POM doesn't exist in your local repository
[^6]: UPX-compressed binaries don't work
[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning