admin/aquasecurity-trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2026-02-12 11:43:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
2bd6ac6bb6895dbda93e15cae3602ebb8036613e
aquasecurity-trivy/dev/docs/scanner/vulnerability/index.html

8939 lines
164 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Trivy - All-in-one open source security scanner">
<link rel="canonical" href="https://trivy.dev/dev/docs/scanner/vulnerability/">
<link rel="prev" href="../../target/sbom/">
<link rel="next" href="../misconfiguration/">
<link rel="icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44+insiders-4.53.14">
<title>Vulnerability - Trivy</title>
<link rel="stylesheet" href="../../../assets/stylesheets/main.12320a83.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Inter";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-V9LJGFH7GX"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-V9LJGFH7GX",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-V9LJGFH7GX",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
<script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
<meta property="og:type" content="website" />
<meta property="og:title" content="Trivy - Vulnerability" />
<meta property="og:description" content="Trivy - All-in-one open source security scanner" />
<meta property="og:url" content="https://trivy.dev/dev/docs/scanner/vulnerability/" />
<meta property="og:image" content="https://trivy.dev/devassets/images/illustrations/banner.png" />
<meta property="og:image:type" content="image/png" />
<meta property="og:image:width" content="1080" />
<meta property="og:image:height" content="568" />
<style>
:root{
--md-primary-fg-color:#0a0b23;
}
.md-typeset a{
color:#10147e;
}
</style>
</head>
<body dir="ltr">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#vulnerability-scanning" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
<aside class="md-banner md-banner--warning">
<div class="md-banner__inner md-grid md-typeset">
You're not viewing the latest version of the documentation.
<a href="../../../..">
<strong>Click here to go to latest.</strong>
</a>
</div>
<script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
</aside>
</div>
<header class="md-header md-header--shadow md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="Trivy" class="md-header__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Trivy
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Vulnerability
</span>
</div>
</div>
</div>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../../../getting-started/" class="md-tabs__link">
Getting Started
</a>
</li>
<li class="md-tabs__item">
<a href="../../../tutorials/overview/" class="md-tabs__link">
Tutorials
</a>
</li>
<li class="md-tabs__item md-tabs__item--active">
<a href="../../" class="md-tabs__link">
Docs
</a>
</li>
<li class="md-tabs__item">
<a href="../../../ecosystem/" class="md-tabs__link">
Ecosystem
</a>
</li>
<li class="md-tabs__item">
<a href="../../../community/principles/" class="md-tabs__link">
Contributing
</a>
</li>
<li class="md-tabs__item">
<a href="../../../commercial/compare/" class="md-tabs__link">
Enterprise
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="Trivy" class="md-nav__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
Trivy
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Getting Started
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../getting-started/" class="md-nav__link">
<span class="md-ellipsis">
First steps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/installation/" class="md-nav__link">
<span class="md-ellipsis">
Installation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/signature-verification/" class="md-nav__link">
<span class="md-ellipsis">
Signature Verification
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/faq/" class="md-nav__link">
<span class="md-ellipsis">
FAQ
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Tutorials
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Tutorials
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/overview/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_2" >
<label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
<span class="md-ellipsis">
CI/CD
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_2">
<span class="md-nav__icon md-icon"></span>
CI/CD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/github-actions/" class="md-nav__link">
<span class="md-ellipsis">
GitHub Actions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/circleci/" class="md-nav__link">
<span class="md-ellipsis">
CircleCI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/travis-ci/" class="md-nav__link">
<span class="md-ellipsis">
Travis CI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/gitlab-ci/" class="md-nav__link">
<span class="md-ellipsis">
GitLab CI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/bitbucket/" class="md-nav__link">
<span class="md-ellipsis">
Bitbucket Pipelines
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/aws-codepipeline/" class="md-nav__link">
<span class="md-ellipsis">
AWS CodePipeline
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/aws-security-hub/" class="md-nav__link">
<span class="md-ellipsis">
AWS Security Hub
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/integrations/azure-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_3" >
<label class="md-nav__link" for="__nav_3_3" id="__nav_3_3_label" tabindex="0">
<span class="md-ellipsis">
Kubernetes
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_3">
<span class="md-nav__icon md-icon"></span>
Kubernetes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/cluster-scanning/" class="md-nav__link">
<span class="md-ellipsis">
Cluster Scanning
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/kyverno/" class="md-nav__link">
<span class="md-ellipsis">
Kyverno
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/kubernetes/gitops/" class="md-nav__link">
<span class="md-ellipsis">
GitOps
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_4" >
<label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
<span class="md-ellipsis">
Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_4">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/misconfiguration/terraform/" class="md-nav__link">
<span class="md-ellipsis">
Terraform scanning
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/misconfiguration/custom-checks/" class="md-nav__link">
<span class="md-ellipsis">
Custom Checks with Rego
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_5" >
<label class="md-nav__link" for="__nav_3_5" id="__nav_3_5_label" tabindex="0">
<span class="md-ellipsis">
Signing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_5">
<span class="md-nav__icon md-icon"></span>
Signing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/signing/vuln-attestation/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Scan Record Attestation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_6" >
<label class="md-nav__link" for="__nav_3_6" id="__nav_3_6_label" tabindex="0">
<span class="md-ellipsis">
Shell
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_6">
<span class="md-nav__icon md-icon"></span>
Shell
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/shell/shell-completion/" class="md-nav__link">
<span class="md-ellipsis">
Completion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_7" >
<label class="md-nav__link" for="__nav_3_7" id="__nav_3_7_label" tabindex="0">
<span class="md-ellipsis">
Additional Resources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3_7">
<span class="md-nav__icon md-icon"></span>
Additional Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/references/" class="md-nav__link">
<span class="md-ellipsis">
Additional Resources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/community/" class="md-nav__link">
<span class="md-ellipsis">
Community References
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../tutorials/additional-resources/cks/" class="md-nav__link">
<span class="md-ellipsis">
CKS Reference
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
<span class="md-ellipsis">
Docs
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Docs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" >
<label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex="">
<span class="md-ellipsis">
Target
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2">
<span class="md-nav__icon md-icon"></span>
Target
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../target/container_image/" class="md-nav__link">
<span class="md-ellipsis">
Container Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/rootfs/" class="md-nav__link">
<span class="md-ellipsis">
Rootfs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/repository/" class="md-nav__link">
<span class="md-ellipsis">
Code Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/vm/" class="md-nav__link">
<span class="md-ellipsis">
Virtual Machine Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../target/sbom/" class="md-nav__link">
<span class="md-ellipsis">
SBOM
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" checked>
<label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="">
<span class="md-ellipsis">
Scanner
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4_3">
<span class="md-nav__icon md-icon"></span>
Scanner
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Vulnerability
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Vulnerability
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#os-packages" class="md-nav__link">
<span class="md-ellipsis">
OS Packages
</span>
</a>
<nav class="md-nav" aria-label="OS Packages">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#supported-os" class="md-nav__link">
<span class="md-ellipsis">
Supported OS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#data-sources" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
<nav class="md-nav" aria-label="Data Sources">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-source-selection" class="md-nav__link">
<span class="md-ellipsis">
Data Source Selection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#severity-selection" class="md-nav__link">
<span class="md-ellipsis">
Severity Selection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#unfixed-vulnerabilities" class="md-nav__link">
<span class="md-ellipsis">
Unfixed Vulnerabilities
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#language-specific-packages" class="md-nav__link">
<span class="md-ellipsis">
Language-specific Packages
</span>
</a>
<nav class="md-nav" aria-label="Language-specific Packages">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#supported-languages" class="md-nav__link">
<span class="md-ellipsis">
Supported Languages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#langpkg-data-sources" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#non-packaged-software" class="md-nav__link">
<span class="md-ellipsis">
Non-packaged software
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kubernetes" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
<nav class="md-nav" aria-label="Kubernetes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-sources_1" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#databases" class="md-nav__link">
<span class="md-ellipsis">
Databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detection-behavior" class="md-nav__link">
<span class="md-ellipsis">
Detection Behavior
</span>
</a>
<nav class="md-nav" aria-label="Detection Behavior">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#handling-software-installed-via-os-packages" class="md-nav__link">
<span class="md-ellipsis">
Handling Software Installed via OS Packages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#handling-packages-with-unspecified-versions" class="md-nav__link">
<span class="md-ellipsis">
Handling Packages with Unspecified Versions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#configuration" class="md-nav__link">
<span class="md-ellipsis">
Configuration
</span>
</a>
<nav class="md-nav" aria-label="Configuration">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#enabling-a-subset-of-package-types" class="md-nav__link">
<span class="md-ellipsis">
Enabling a Subset of Package Types
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#filtering-by-package-relationships" class="md-nav__link">
<span class="md-ellipsis">
Filtering by Package Relationships
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detection-priority" class="md-nav__link">
<span class="md-ellipsis">
Detection Priority
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#overriding-os-version" class="md-nav__link">
<span class="md-ellipsis">
Overriding OS version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#severity-selection_1" class="md-nav__link">
<span class="md-ellipsis">
Severity selection
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3_2" >
<label class="md-nav__link" for="__nav_4_3_2" id="__nav_4_3_2_label" tabindex="0">
<span class="md-ellipsis">
Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_3_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3_2">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3_2_2" >
<label class="md-nav__link" for="__nav_4_3_2_2" id="__nav_4_3_2_2_label" tabindex="0">
<span class="md-ellipsis">
Policy
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="4" aria-labelledby="__nav_4_3_2_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3_2_2">
<span class="md-nav__icon md-icon"></span>
Policy
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../misconfiguration/check/builtin/" class="md-nav__link">
<span class="md-ellipsis">
Built-in Checks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3_2_3" >
<label class="md-nav__link" for="__nav_4_3_2_3" id="__nav_4_3_2_3_label" tabindex="0">
<span class="md-ellipsis">
Custom Checks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="4" aria-labelledby="__nav_4_3_2_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3_2_3">
<span class="md-nav__icon md-icon"></span>
Custom Checks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../misconfiguration/custom/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/data/" class="md-nav__link">
<span class="md-ellipsis">
Data
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/combine/" class="md-nav__link">
<span class="md-ellipsis">
Combine
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/selectors/" class="md-nav__link">
<span class="md-ellipsis">
Selectors
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/schema/" class="md-nav__link">
<span class="md-ellipsis">
Schemas
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/testing/" class="md-nav__link">
<span class="md-ellipsis">
Testing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/debug/" class="md-nav__link">
<span class="md-ellipsis">
Debugging Policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../misconfiguration/custom/contribute-checks/" class="md-nav__link">
<span class="md-ellipsis">
Contribute Checks
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../secret/" class="md-nav__link">
<span class="md-ellipsis">
Secret
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../license/" class="md-nav__link">
<span class="md-ellipsis">
License
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4" >
<label class="md-nav__link" for="__nav_4_4" id="__nav_4_4_label" tabindex="">
<span class="md-ellipsis">
Coverage
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4">
<span class="md-nav__icon md-icon"></span>
Coverage
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4_2" >
<label class="md-nav__link" for="__nav_4_4_2" id="__nav_4_4_2_label" tabindex="0">
<span class="md-ellipsis">
OS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4_2">
<span class="md-nav__icon md-icon"></span>
OS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/os/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/alma/" class="md-nav__link">
<span class="md-ellipsis">
AlmaLinux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/alpine/" class="md-nav__link">
<span class="md-ellipsis">
Alpine Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/amazon/" class="md-nav__link">
<span class="md-ellipsis">
Amazon Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/azure/" class="md-nav__link">
<span class="md-ellipsis">
Azure Linux (CBL-Mariner)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/centos/" class="md-nav__link">
<span class="md-ellipsis">
CentOS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/chainguard/" class="md-nav__link">
<span class="md-ellipsis">
Chainguard
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/debian/" class="md-nav__link">
<span class="md-ellipsis">
Debian
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/oracle/" class="md-nav__link">
<span class="md-ellipsis">
Oracle Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/photon/" class="md-nav__link">
<span class="md-ellipsis">
Photon OS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/rhel/" class="md-nav__link">
<span class="md-ellipsis">
Red Hat
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/rocky/" class="md-nav__link">
<span class="md-ellipsis">
Rocky Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/suse/" class="md-nav__link">
<span class="md-ellipsis">
SUSE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/ubuntu/" class="md-nav__link">
<span class="md-ellipsis">
Ubuntu
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/wolfi/" class="md-nav__link">
<span class="md-ellipsis">
Wolfi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/os/google-distroless/" class="md-nav__link">
<span class="md-ellipsis">
Google Distroless (Images)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4_3" >
<label class="md-nav__link" for="__nav_4_4_3" id="__nav_4_4_3_label" tabindex="0">
<span class="md-ellipsis">
Language
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_4_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4_3">
<span class="md-nav__icon md-icon"></span>
Language
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/language/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/c/" class="md-nav__link">
<span class="md-ellipsis">
C/C++
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/dart/" class="md-nav__link">
<span class="md-ellipsis">
Dart
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/dotnet/" class="md-nav__link">
<span class="md-ellipsis">
.NET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/elixir/" class="md-nav__link">
<span class="md-ellipsis">
Elixir
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/golang/" class="md-nav__link">
<span class="md-ellipsis">
Go
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/java/" class="md-nav__link">
<span class="md-ellipsis">
Java
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/nodejs/" class="md-nav__link">
<span class="md-ellipsis">
Node.js
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/php/" class="md-nav__link">
<span class="md-ellipsis">
PHP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/python/" class="md-nav__link">
<span class="md-ellipsis">
Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/rust/" class="md-nav__link">
<span class="md-ellipsis">
Rust
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/swift/" class="md-nav__link">
<span class="md-ellipsis">
Swift
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/language/julia/" class="md-nav__link">
<span class="md-ellipsis">
Julia
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4_4" >
<label class="md-nav__link" for="__nav_4_4_4" id="__nav_4_4_4_label" tabindex="0">
<span class="md-ellipsis">
IaC
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_4_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4_4">
<span class="md-nav__icon md-icon"></span>
IaC
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/iac/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/azure-arm/" class="md-nav__link">
<span class="md-ellipsis">
Azure ARM Template
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/cloudformation/" class="md-nav__link">
<span class="md-ellipsis">
CloudFormation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/docker/" class="md-nav__link">
<span class="md-ellipsis">
Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/helm/" class="md-nav__link">
<span class="md-ellipsis">
Helm
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/iac/terraform/" class="md-nav__link">
<span class="md-ellipsis">
Terraform
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_4_5" >
<label class="md-nav__link" for="__nav_4_4_5" id="__nav_4_4_5_label" tabindex="0">
<span class="md-ellipsis">
Others
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_4_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_4_5">
<span class="md-nav__icon md-icon"></span>
Others
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../coverage/others/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/others/bitnami/" class="md-nav__link">
<span class="md-ellipsis">
Bitnami Images
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/others/conda/" class="md-nav__link">
<span class="md-ellipsis">
Conda
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../coverage/others/rpm/" class="md-nav__link">
<span class="md-ellipsis">
RPM Archives
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../coverage/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_5" >
<label class="md-nav__link" for="__nav_4_5" id="__nav_4_5_label" tabindex="">
<span class="md-ellipsis">
Configuration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_5">
<span class="md-nav__icon md-icon"></span>
Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../configuration/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/filtering/" class="md-nav__link">
<span class="md-ellipsis">
Filtering
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/skipping/" class="md-nav__link">
<span class="md-ellipsis">
Skipping Files
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/reporting/" class="md-nav__link">
<span class="md-ellipsis">
Reporting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/cache/" class="md-nav__link">
<span class="md-ellipsis">
Cache
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/db/" class="md-nav__link">
<span class="md-ellipsis">
Databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../configuration/others/" class="md-nav__link">
<span class="md-ellipsis">
Others
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_6" >
<label class="md-nav__link" for="__nav_4_6" id="__nav_4_6_label" tabindex="">
<span class="md-ellipsis">
Supply Chain
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_6">
<span class="md-nav__icon md-icon"></span>
Supply Chain
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../supply-chain/sbom/" class="md-nav__link">
<span class="md-ellipsis">
SBOM
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_6_2" >
<label class="md-nav__link" for="__nav_4_6_2" id="__nav_4_6_2_label" tabindex="0">
<span class="md-ellipsis">
Attestation
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_6_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_6_2">
<span class="md-nav__icon md-icon"></span>
Attestation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../supply-chain/attestation/sbom/" class="md-nav__link">
<span class="md-ellipsis">
SBOM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/attestation/vuln/" class="md-nav__link">
<span class="md-ellipsis">
Cosign Vulnerability Scan Record
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/attestation/rekor/" class="md-nav__link">
<span class="md-ellipsis">
SBOM Attestation in Rekor
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_6_3" >
<label class="md-nav__link" for="__nav_4_6_3" id="__nav_4_6_3_label" tabindex="0">
<span class="md-ellipsis">
VEX
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_6_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_6_3">
<span class="md-nav__icon md-icon"></span>
VEX
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../supply-chain/vex/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/vex/repo/" class="md-nav__link">
<span class="md-ellipsis">
VEX Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/vex/file/" class="md-nav__link">
<span class="md-ellipsis">
Local VEX Files
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/vex/sbom-ref/" class="md-nav__link">
<span class="md-ellipsis">
VEX SBOM Reference
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../supply-chain/vex/oci/" class="md-nav__link">
<span class="md-ellipsis">
VEX Attestation
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_7" >
<label class="md-nav__link" for="__nav_4_7" id="__nav_4_7_label" tabindex="">
<span class="md-ellipsis">
Compliance
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_7">
<span class="md-nav__icon md-icon"></span>
Compliance
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../compliance/compliance/" class="md-nav__link">
<span class="md-ellipsis">
Built-in Compliance
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../compliance/contrib-compliance/" class="md-nav__link">
<span class="md-ellipsis">
Custom Compliance
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_8" >
<label class="md-nav__link" for="__nav_4_8" id="__nav_4_8_label" tabindex="">
<span class="md-ellipsis">
Plugins
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8">
<span class="md-nav__icon md-icon"></span>
Plugins
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../plugin/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../plugin/user-guide/" class="md-nav__link">
<span class="md-ellipsis">
User guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../plugin/developer-guide/" class="md-nav__link">
<span class="md-ellipsis">
Developer guide
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_9" >
<label class="md-nav__link" for="__nav_4_9" id="__nav_4_9_label" tabindex="">
<span class="md-ellipsis">
Advanced
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_9">
<span class="md-nav__icon md-icon"></span>
Advanced
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/modules/" class="md-nav__link">
<span class="md-ellipsis">
Modules
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/air-gap/" class="md-nav__link">
<span class="md-ellipsis">
Connectivity and Network considerations
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/self-hosting/" class="md-nav__link">
<span class="md-ellipsis">
Self-Hosting Trivy's Databases
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_9_4" >
<label class="md-nav__link" for="__nav_4_9_4" id="__nav_4_9_4_label" tabindex="0">
<span class="md-ellipsis">
Container Image
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_9_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_9_4">
<span class="md-nav__icon md-icon"></span>
Container Image
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/container/embed-in-dockerfile/" class="md-nav__link">
<span class="md-ellipsis">
Embed in Dockerfile
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/container/unpacked-filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Unpacked container image filesystem
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_9_4_3" >
<label class="md-nav__link" for="__nav_4_9_4_3" id="__nav_4_9_4_3_label" tabindex="0">
<span class="md-ellipsis">
Private Docker Registries
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="4" aria-labelledby="__nav_4_9_4_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_9_4_3">
<span class="md-nav__icon md-icon"></span>
Private Docker Registries
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/private-registries/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/docker-hub/" class="md-nav__link">
<span class="md-ellipsis">
Docker Hub
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/ecr/" class="md-nav__link">
<span class="md-ellipsis">
AWS ECR (Elastic Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/gcr/" class="md-nav__link">
<span class="md-ellipsis">
GCR (Google Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/acr/" class="md-nav__link">
<span class="md-ellipsis">
ACR (Azure Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/self/" class="md-nav__link">
<span class="md-ellipsis">
Self-Hosted
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10" >
<label class="md-nav__link" for="__nav_4_10" id="__nav_4_10_label" tabindex="">
<span class="md-ellipsis">
References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10">
<span class="md-nav__icon md-icon"></span>
References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1" >
<label class="md-nav__link" for="__nav_4_10_1" id="__nav_4_10_1_label" tabindex="0">
<span class="md-ellipsis">
Configuration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_10_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1">
<span class="md-nav__icon md-icon"></span>
Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1_1" >
<label class="md-nav__link" for="__nav_4_10_1_1" id="__nav_4_10_1_1_label" tabindex="0">
<span class="md-ellipsis">
CLI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="4" aria-labelledby="__nav_4_10_1_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1_1">
<span class="md-nav__icon md-icon"></span>
CLI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_clean/" class="md-nav__link">
<span class="md-ellipsis">
Clean
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_config/" class="md-nav__link">
<span class="md-ellipsis">
Config
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_convert/" class="md-nav__link">
<span class="md-ellipsis">
Convert
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_image/" class="md-nav__link">
<span class="md-ellipsis">
Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1_1_8" >
<label class="md-nav__link" for="__nav_4_10_1_1_8" id="__nav_4_10_1_1_8_label" tabindex="0">
<span class="md-ellipsis">
Module
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="5" aria-labelledby="__nav_4_10_1_1_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1_1_8">
<span class="md-nav__icon md-icon"></span>
Module
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_module/" class="md-nav__link">
<span class="md-ellipsis">
Module
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_module_install/" class="md-nav__link">
<span class="md-ellipsis">
Module Install
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_module_uninstall/" class="md-nav__link">
<span class="md-ellipsis">
Module Uninstall
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1_1_9" >
<label class="md-nav__link" for="__nav_4_10_1_1_9" id="__nav_4_10_1_1_9_label" tabindex="0">
<span class="md-ellipsis">
Plugin
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="5" aria-labelledby="__nav_4_10_1_1_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1_1_9">
<span class="md-nav__icon md-icon"></span>
Plugin
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin/" class="md-nav__link">
<span class="md-ellipsis">
Plugin
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_info/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Info
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_install/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Install
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_list/" class="md-nav__link">
<span class="md-ellipsis">
Plugin List
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_run/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Run
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_uninstall/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Uninstall
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_update/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Update
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_upgrade/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Upgrade
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_plugin_search/" class="md-nav__link">
<span class="md-ellipsis">
Plugin Search
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1_1_10" >
<label class="md-nav__link" for="__nav_4_10_1_1_10" id="__nav_4_10_1_1_10_label" tabindex="0">
<span class="md-ellipsis">
Registry
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="5" aria-labelledby="__nav_4_10_1_1_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1_1_10">
<span class="md-nav__icon md-icon"></span>
Registry
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_registry/" class="md-nav__link">
<span class="md-ellipsis">
Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_registry_login/" class="md-nav__link">
<span class="md-ellipsis">
Registry Login
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_registry_logout/" class="md-nav__link">
<span class="md-ellipsis">
Registry Logout
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_repository/" class="md-nav__link">
<span class="md-ellipsis">
Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_rootfs/" class="md-nav__link">
<span class="md-ellipsis">
Rootfs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_sbom/" class="md-nav__link">
<span class="md-ellipsis">
SBOM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_server/" class="md-nav__link">
<span class="md-ellipsis">
Server
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_version/" class="md-nav__link">
<span class="md-ellipsis">
Version
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_1_1_16" >
<label class="md-nav__link" for="__nav_4_10_1_1_16" id="__nav_4_10_1_1_16_label" tabindex="0">
<span class="md-ellipsis">
VEX
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="5" aria-labelledby="__nav_4_10_1_1_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_1_1_16">
<span class="md-nav__icon md-icon"></span>
VEX
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vex/" class="md-nav__link">
<span class="md-ellipsis">
VEX
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vex_repo_download/" class="md-nav__link">
<span class="md-ellipsis">
VEX Download
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vex_repo_init/" class="md-nav__link">
<span class="md-ellipsis">
VEX Init
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vex_repo_list/" class="md-nav__link">
<span class="md-ellipsis">
VEX List
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vex_repo/" class="md-nav__link">
<span class="md-ellipsis">
VEX Repo
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/cli/trivy_vm/" class="md-nav__link">
<span class="md-ellipsis">
VM
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../references/configuration/config-file/" class="md-nav__link">
<span class="md-ellipsis">
Config file
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_10_2" >
<label class="md-nav__link" for="__nav_4_10_2" id="__nav_4_10_2_label" tabindex="0">
<span class="md-ellipsis">
Modes
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_10_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_10_2">
<span class="md-nav__icon md-icon"></span>
Modes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/modes/standalone/" class="md-nav__link">
<span class="md-ellipsis">
Standalone
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/modes/client-server/" class="md-nav__link">
<span class="md-ellipsis">
Client/Server
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../references/troubleshooting/" class="md-nav__link">
<span class="md-ellipsis">
Troubleshooting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/terminology/" class="md-nav__link">
<span class="md-ellipsis">
Terminology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/abbreviations/" class="md-nav__link">
<span class="md-ellipsis">
Abbreviations
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Ecosystem
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Ecosystem
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../ecosystem/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../ecosystem/cicd/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../ecosystem/ide/" class="md-nav__link">
<span class="md-ellipsis">
IDE and Dev tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../ecosystem/prod/" class="md-nav__link">
<span class="md-ellipsis">
Production and Clouds
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../ecosystem/reporting/" class="md-nav__link">
<span class="md-ellipsis">
Reporting
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Contributing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Contributing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../community/principles/" class="md-nav__link">
<span class="md-ellipsis">
Principles
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6_2" >
<label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
<span class="md-ellipsis">
How to contribute
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6_2">
<span class="md-nav__icon md-icon"></span>
How to contribute
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../community/contribute/issue/" class="md-nav__link">
<span class="md-ellipsis">
Issues
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/contribute/discussion/" class="md-nav__link">
<span class="md-ellipsis">
Discussions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/contribute/pr/" class="md-nav__link">
<span class="md-ellipsis">
Pull Requests
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6_3" >
<label class="md-nav__link" for="__nav_6_3" id="__nav_6_3_label" tabindex="0">
<span class="md-ellipsis">
Contribute Rego Checks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6_3">
<span class="md-nav__icon md-icon"></span>
Contribute Rego Checks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../community/contribute/checks/overview/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/contribute/checks/service-support/" class="md-nav__link">
<span class="md-ellipsis">
Add Service Support
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6_4" >
<label class="md-nav__link" for="__nav_6_4" id="__nav_6_4_label" tabindex="0">
<span class="md-ellipsis">
Maintainer
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6_4">
<span class="md-nav__icon md-icon"></span>
Maintainer
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../community/maintainer/release-flow/" class="md-nav__link">
<span class="md-ellipsis">
Release Flow
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/maintainer/backporting/" class="md-nav__link">
<span class="md-ellipsis">
Backporting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/maintainer/help-wanted/" class="md-nav__link">
<span class="md-ellipsis">
Help Wanted
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../community/maintainer/triage/" class="md-nav__link">
<span class="md-ellipsis">
Triage
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Enterprise
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Enterprise
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../commercial/compare/" class="md-nav__link">
<span class="md-ellipsis">
Comparison
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../commercial/contact/" class="md-nav__link">
<span class="md-ellipsis">
Contact Us
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#os-packages" class="md-nav__link">
<span class="md-ellipsis">
OS Packages
</span>
</a>
<nav class="md-nav" aria-label="OS Packages">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#supported-os" class="md-nav__link">
<span class="md-ellipsis">
Supported OS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#data-sources" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
<nav class="md-nav" aria-label="Data Sources">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-source-selection" class="md-nav__link">
<span class="md-ellipsis">
Data Source Selection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#severity-selection" class="md-nav__link">
<span class="md-ellipsis">
Severity Selection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#unfixed-vulnerabilities" class="md-nav__link">
<span class="md-ellipsis">
Unfixed Vulnerabilities
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#language-specific-packages" class="md-nav__link">
<span class="md-ellipsis">
Language-specific Packages
</span>
</a>
<nav class="md-nav" aria-label="Language-specific Packages">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#supported-languages" class="md-nav__link">
<span class="md-ellipsis">
Supported Languages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#langpkg-data-sources" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#non-packaged-software" class="md-nav__link">
<span class="md-ellipsis">
Non-packaged software
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kubernetes" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
<nav class="md-nav" aria-label="Kubernetes">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-sources_1" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#databases" class="md-nav__link">
<span class="md-ellipsis">
Databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detection-behavior" class="md-nav__link">
<span class="md-ellipsis">
Detection Behavior
</span>
</a>
<nav class="md-nav" aria-label="Detection Behavior">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#handling-software-installed-via-os-packages" class="md-nav__link">
<span class="md-ellipsis">
Handling Software Installed via OS Packages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#handling-packages-with-unspecified-versions" class="md-nav__link">
<span class="md-ellipsis">
Handling Packages with Unspecified Versions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#configuration" class="md-nav__link">
<span class="md-ellipsis">
Configuration
</span>
</a>
<nav class="md-nav" aria-label="Configuration">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#enabling-a-subset-of-package-types" class="md-nav__link">
<span class="md-ellipsis">
Enabling a Subset of Package Types
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#filtering-by-package-relationships" class="md-nav__link">
<span class="md-ellipsis">
Filtering by Package Relationships
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#detection-priority" class="md-nav__link">
<span class="md-ellipsis">
Detection Priority
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#overriding-os-version" class="md-nav__link">
<span class="md-ellipsis">
Overriding OS version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#severity-selection_1" class="md-nav__link">
<span class="md-ellipsis">
Severity selection
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/aquasecurity/trivy/blob/main/docs/docs/scanner/vulnerability.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<h1 id="vulnerability-scanning">Vulnerability Scanning<a class="headerlink" href="#vulnerability-scanning" title="Permanent link">&para;</a></h1>
<p>Trivy detects known vulnerabilities in software components that it finds in the scan target.</p>
<p>The following are supported:</p>
<ul>
<li><a href="#os-packages">OS packages</a></li>
<li><a href="#language-specific-packages">Language-specific packages</a></li>
<li><a href="#non-packaged-software">Non-packaged software</a></li>
<li><a href="#kubernetes">Kubernetes components</a></li>
</ul>
<h2 id="os-packages">OS Packages<a class="headerlink" href="#os-packages" title="Permanent link">&para;</a></h2>
<p>Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Trivy doesn't support third-party/self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.</p>
</div>
<h3 id="supported-os">Supported OS<a class="headerlink" href="#supported-os" title="Permanent link">&para;</a></h3>
<p>See <a href="../../coverage/os/#supported-os">here</a> for the supported OSes.</p>
<h3 id="data-sources">Data Sources<a class="headerlink" href="#data-sources" title="Permanent link">&para;</a></h3>
<table>
<thead>
<tr>
<th>OS</th>
<th>Source</th>
</tr>
</thead>
<tbody>
<tr>
<td>Arch Linux</td>
<td><a href="https://security.archlinux.org/">Vulnerable Issues</a></td>
</tr>
<tr>
<td>Alpine Linux</td>
<td><a href="https://secdb.alpinelinux.org/">secdb</a></td>
</tr>
<tr>
<td>Wolfi Linux</td>
<td><a href="https://packages.wolfi.dev/os/security.json">secdb</a></td>
</tr>
<tr>
<td>Chainguard</td>
<td><a href="https://packages.cgr.dev/chainguard/security.json">secdb</a></td>
</tr>
<tr>
<td>Amazon Linux</td>
<td><a href="https://alas.aws.amazon.com/">Amazon Linux Security Center</a></td>
</tr>
<tr>
<td>Debian</td>
<td><a href="https://security-tracker.debian.org/tracker/">Security Bug Tracker</a> / <a href="https://www.debian.org/security/oval/">OVAL</a></td>
</tr>
<tr>
<td>Ubuntu</td>
<td><a href="https://ubuntu.com/security/cve">Ubuntu CVE Tracker</a></td>
</tr>
<tr>
<td>RHEL/CentOS</td>
<td><a href="https://www.redhat.com/security/data/oval/v2/">OVAL</a> / <a href="https://www.redhat.com/security/data/metrics/">Security Data</a></td>
</tr>
<tr>
<td>AlmaLinux</td>
<td><a href="https://errata.almalinux.org/">AlmaLinux Product Errata</a></td>
</tr>
<tr>
<td>Rocky Linux</td>
<td><a href="https://download.rockylinux.org/pub/rocky/">Rocky Linux UpdateInfo</a></td>
</tr>
<tr>
<td>Oracle Linux</td>
<td><a href="https://linux.oracle.com/security/oval/">OVAL</a></td>
</tr>
<tr>
<td>Azure Linux (CBL-Mariner)</td>
<td><a href="https://github.com/microsoft/AzureLinuxVulnerabilityData/">OVAL</a></td>
</tr>
<tr>
<td>OpenSUSE/SLES</td>
<td><a href="http://ftp.suse.com/pub/projects/security/cvrf/">CVRF</a></td>
</tr>
<tr>
<td>Photon OS</td>
<td><a href="https://packages.vmware.com/photon/photon_cve_metadata/">Photon Security Advisory</a></td>
</tr>
</tbody>
</table>
<h4 id="data-source-selection">Data Source Selection<a class="headerlink" href="#data-source-selection" title="Permanent link">&para;</a></h4>
<p>Trivy <strong>only</strong> consumes security advisories from the sources listed in the above table.</p>
<p>As for packages installed from OS package managers (<code>dpkg</code>, <code>yum</code>, <code>apk</code>, etc.), Trivy uses the advisory database from the appropriate <strong>OS vendor</strong>.</p>
<p>For example: for a python package installed from <code>yum</code> (Amazon linux), Trivy will only get advisories from <a href="https://alas.aws.amazon.com/">ALAS</a>.
But for a python package installed from another source (e.g. <code>pip</code>), Trivy will get advisories from the <code>GitLab</code> and <code>GitHub</code> databases.</p>
<p>This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.</p>
<h4 id="severity-selection">Severity Selection<a class="headerlink" href="#severity-selection" title="Permanent link">&para;</a></h4>
<p>The severity is taken from the selected data source since the severity from vendors is more accurate.
Using CVE-2023-0464 as an example, while it is <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-0464">rated as "HIGH" in NVD</a>, Red Hat has marked its 'Impact' as <a href="https://access.redhat.com/security/cve/cve-2023-0464">"Low"</a>.
As a result, Trivy will display it as "Low".</p>
<p>The severity depends on the compile option, the default configuration, etc.
NVD doesn't know how the vendor distributes the software.
Red Hat evaluates the severity more accurately.
That's why Trivy prefers vendor scores over NVD.</p>
<p>If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:</p>
<table>
<thead>
<tr>
<th>Base Score Range</th>
<th>Severity</th>
</tr>
</thead>
<tbody>
<tr>
<td>0.1-3.9</td>
<td>Low</td>
</tr>
<tr>
<td>4.0-6.9</td>
<td>Medium</td>
</tr>
<tr>
<td>7.0-8.9</td>
<td>High</td>
</tr>
<tr>
<td>9.0-10.0</td>
<td>Critical</td>
</tr>
</tbody>
</table>
<p>If the CVSS score is also not provided, it falls back to <a href="https://nvd.nist.gov/vuln">NVD</a>.</p>
<p>NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities.
To avoid marking too many vulnerabilities as "UNKNOWN" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available.
The order of preference for vendor severity data can be found <a href="https://github.com/aquasecurity/trivy-db/blob/79d0fbd1e246f3c77eef4b9826fe4bf65940b221/pkg/vulnsrc/vulnerability/vulnerability.go#L17-L19">here</a>.</p>
<p>You can reference <code>SeveritySource</code> in the <a href="../../configuration/reporting/#json">JSON reporting format</a> to see from where the severity is taken for a given vulnerability.</p>
<div class="highlight"><pre><span></span><code><span class="s2">&quot;SeveritySource&quot;</span>:<span class="w"> </span><span class="s2">&quot;debian&quot;</span>,
</code></pre></div>
<p>In addition, you can see all the vendor severity ratings.</p>
<div class="highlight"><pre><span></span><code><span class="nt">&quot;VendorSeverity&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;amazon&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;cbl-mariner&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;ghsa&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;nvd&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;photon&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;redhat&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;ubuntu&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span>
<span class="p">}</span>
</code></pre></div>
<p>Here is the severity mapping in Trivy:</p>
<table>
<thead>
<tr>
<th style="text-align: center;">Number</th>
<th>Severity</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">0</td>
<td>Unknown</td>
</tr>
<tr>
<td style="text-align: center;">1</td>
<td>Low</td>
</tr>
<tr>
<td style="text-align: center;">2</td>
<td>Medium</td>
</tr>
<tr>
<td style="text-align: center;">3</td>
<td>High</td>
</tr>
<tr>
<td style="text-align: center;">4</td>
<td>Critical</td>
</tr>
</tbody>
</table>
<p>If no vendor has a severity, the <code>UNKNOWN</code> severity will be used.</p>
<h3 id="unfixed-vulnerabilities">Unfixed Vulnerabilities<a class="headerlink" href="#unfixed-vulnerabilities" title="Permanent link">&para;</a></h3>
<p>The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
To hide unfixed/unfixable vulnerabilities, you can use the <code>--ignore-unfixed</code> flag.</p>
<h2 id="language-specific-packages">Language-specific Packages<a class="headerlink" href="#language-specific-packages" title="Permanent link">&para;</a></h2>
<h3 id="supported-languages">Supported Languages<a class="headerlink" href="#supported-languages" title="Permanent link">&para;</a></h3>
<p>See <a href="../../coverage/language/#supported-languages">here</a> for the supported languages.</p>
<h3 id="langpkg-data-sources">Data Sources<a class="headerlink" href="#langpkg-data-sources" title="Permanent link">&para;</a></h3>
<table>
<thead>
<tr>
<th>Language</th>
<th>Source</th>
<th style="text-align: center;">Commercial Use</th>
<th style="text-align: center;">Delay<sup id="fnref2:1"><a class="footnote-ref" href="#fn:1">1</a></sup></th>
</tr>
</thead>
<tbody>
<tr>
<td>PHP</td>
<td><a href="https://github.com/FriendsOfPHP/security-advisories">PHP Security Advisories Database</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td></td>
<td><a href="https://github.com/advisories?query=ecosystem%3Acomposer">GitHub Advisory Database (Composer)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Python</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Apip">GitHub Advisory Database (pip)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td></td>
<td><a href="https://osv.dev/list?q=&amp;ecosystem=PyPI">Open Source Vulnerabilities (PyPI)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Ruby</td>
<td><a href="https://github.com/rubysec/ruby-advisory-db">Ruby Advisory Database</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td></td>
<td><a href="https://github.com/advisories?query=ecosystem%3Arubygems">GitHub Advisory Database (RubyGems)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Node.js</td>
<td><a href="https://github.com/nodejs/security-wg">Ecosystem Security Working Group</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td></td>
<td><a href="https://github.com/advisories?query=ecosystem%3Anpm">GitHub Advisory Database (npm)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Java</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Amaven">GitHub Advisory Database (Maven)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Go</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Ago">GitHub Advisory Database (Go)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td></td>
<td><a href="https://pkg.go.dev/vuln/">Go Vulnerability Database</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Rust</td>
<td><a href="https://osv.dev/list?q=&amp;ecosystem=crates.io">Open Source Vulnerabilities (crates.io)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>.NET</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Anuget">GitHub Advisory Database (NuGet)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>C/C++</td>
<td><a href="https://gitlab.com/gitlab-org/advisories-community">GitLab Advisories Community</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">1 month</td>
</tr>
<tr>
<td>Dart</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Apub">GitHub Advisory Database (Pub)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Elixir</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Aerlang">GitHub Advisory Database (Erlang)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
<tr>
<td>Swift</td>
<td><a href="https://github.com/advisories?query=ecosystem%3Aswift">GitHub Advisory Database (Swift)</a></td>
<td style="text-align: center;"></td>
<td style="text-align: center;">-</td>
</tr>
</tbody>
</table>
<h2 id="non-packaged-software">Non-packaged software<a class="headerlink" href="#non-packaged-software" title="Permanent link">&para;</a></h2>
<p>If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:</p>
<ul>
<li><a href="../../supply-chain/attestation/rekor/#non-packaged-binaries">Using SBOM from Sigstore Rekor</a></li>
<li><a href="../../coverage/language/golang/#go-binary">Go Binaries with embedded module information</a></li>
<li><a href="../../coverage/language/rust/#binaries">Rust Binaries with embedded information</a></li>
<li><a href="../../supply-chain/sbom/#sbom-detection-inside-targets">SBOM embedded in container images</a></li>
</ul>
<h2 id="kubernetes">Kubernetes<a class="headerlink" href="#kubernetes" title="Permanent link">&para;</a></h2>
<p>Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the <a href="../../target/kubernetes/">documentation for Kubernetes scanning</a>.</p>
<h3 id="data-sources_1">Data Sources<a class="headerlink" href="#data-sources_1" title="Permanent link">&para;</a></h3>
<table>
<thead>
<tr>
<th>Vendor</th>
<th>Source</th>
</tr>
</thead>
<tbody>
<tr>
<td>Kubernetes</td>
<td><a href="https://kubernetes.io/docs/reference/issues-security/official-cve-feed/">Kubernetes Official CVE feed</a><sup id="fnref:1"><a class="footnote-ref" href="#fn:1">1</a></sup></td>
</tr>
</tbody>
</table>
<h2 id="databases">Databases<a class="headerlink" href="#databases" title="Permanent link">&para;</a></h2>
<p>The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
For more information about Trivy's Databases mechanism and configurations, refer to the <a href="../../configuration/db/">Databases document</a>.</p>
<h2 id="detection-behavior">Detection Behavior<a class="headerlink" href="#detection-behavior" title="Permanent link">&para;</a></h2>
<p>Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
This approach is particularly relevant in two key areas:</p>
<ul>
<li>Handling Software Installed via OS Packages</li>
<li>Handling Packages with Unspecified Versions</li>
</ul>
<h3 id="handling-software-installed-via-os-packages">Handling Software Installed via OS Packages<a class="headerlink" href="#handling-software-installed-via-os-packages" title="Permanent link">&para;</a></h3>
<p>For files installed by OS package managers, such as <code>apt</code>, Trivy exclusively uses advisories from the OS vendor.
This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., <code>apt</code>), Trivy will not analyze the JAR file itself and use upstream security advisories.</p>
<p>For example, consider the Python <code>requests</code> package in Red Hat Universal Base Image 8:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span>root@987ee49dc93d<span class="w"> </span>/<span class="o">]</span><span class="c1"># head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO</span>
Metadata-Version:<span class="w"> </span><span class="m">2</span>.1
Name:<span class="w"> </span>requests
Version:<span class="w"> </span><span class="m">2</span>.20.0
</code></pre></div>
<p>Version 2.20.0 is installed, and this package is installed by <code>dnf</code>.</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span>root@987ee49dc93d<span class="w"> </span>/<span class="o">]</span><span class="c1"># rpm -ql python3-requests | grep PKG-INFO</span>
/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
</code></pre></div>
<p>At first glance, this might seem vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-32681">CVE-2023-32681</a>, which affects versions of requests prior to v2.31.0.
However, Red Hat backported the fix to v2.20.0-3 in <a href="https://access.redhat.com/errata/RHSA-2023:4520">RHSA-2023:4520</a>, and the package is not vulnerable.</p>
<ul>
<li>Upstream (PyPI <a href="https://pypi.org/project/requests/">requests</a>): Fixed in v2.31.0</li>
<li>Red Hat (<code>python-requests</code>): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)</li>
</ul>
<p>If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive.
This illustrates why using the correct security advisory is crucial to avoid false detections.
To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.</p>
<p>However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing.
In such cases, using <a href="#detection-priority">--detection-priority comprehensive</a> allows Trivy to consider upstream advisories (e.g., <a href="https://github.com/advisories">GitHub Advisory Database</a>), potentially increasing false positives but reducing false negatives.</p>
<h3 id="handling-packages-with-unspecified-versions">Handling Packages with Unspecified Versions<a class="headerlink" href="#handling-packages-with-unspecified-versions" title="Permanent link">&para;</a></h3>
<p>When a package version cannot be uniquely determined (e.g., <code>package-a: "&gt;=3.0"</code>), Trivy typically skips vulnerability detection for that package to avoid false positives.
If a lock file is present with fixed versions, Trivy will use those for detection.</p>
<p>To detect potential vulnerabilities even with unspecified versions, use <a href="#detection-priority">--detection-priority comprehensive</a>.
This option makes Trivy use the minimum version in the specified range for vulnerability detection.
While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.</p>
<h2 id="configuration">Configuration<a class="headerlink" href="#configuration" title="Permanent link">&para;</a></h2>
<p>This section describes vulnerability-specific configuration.
Other common options are documented <a href="../../configuration/">here</a>.</p>
<h3 id="enabling-a-subset-of-package-types">Enabling a Subset of Package Types<a class="headerlink" href="#enabling-a-subset-of-package-types" title="Permanent link">&para;</a></h3>
<p>It's possible to only enable certain package types if you prefer.
You can do so by passing the <code>--pkg-types</code> option.
This flag takes a comma-separated list of package types.</p>
<p>Available values:</p>
<ul>
<li>os<ul>
<li>Scan OS packages managed by the OS package manager (e.g. <code>dpkg</code>, <code>yum</code>, <code>apk</code>).</li>
</ul>
</li>
<li>library<ul>
<li>Scan language-specific packages (e.g. packages installed by <code>pip</code>, <code>npm</code>, or <code>gem</code>).</li>
</ul>
</li>
</ul>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>trivy<span class="w"> </span>image<span class="w"> </span>--pkg-types<span class="w"> </span>os<span class="w"> </span>ruby:2.4.0
</code></pre></div>
<details>
<summary>Result</summary>
<div class="highlight"><pre><span></span><code><span class="m">2019</span>-05-22T19:36:50.530+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Updating<span class="w"> </span>vulnerability<span class="w"> </span>database...
<span class="m">2019</span>-05-22T19:36:51.681+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Detecting<span class="w"> </span>Alpine<span class="w"> </span>vulnerabilities...
<span class="m">2019</span>-05-22T19:36:51.685+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Updating<span class="w"> </span>npm<span class="w"> </span>Security<span class="w"> </span>DB...
<span class="m">2019</span>-05-22T19:36:52.389+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Detecting<span class="w"> </span>npm<span class="w"> </span>vulnerabilities...
<span class="m">2019</span>-05-22T19:36:52.390+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Updating<span class="w"> </span>pipenv<span class="w"> </span>Security<span class="w"> </span>DB...
<span class="m">2019</span>-05-22T19:36:53.406+0200<span class="w"> </span><span class="o">[</span>34mINFO<span class="o">[</span>0m<span class="w"> </span>Detecting<span class="w"> </span>pipenv<span class="w"> </span>vulnerabilities...
ruby:2.4.0<span class="w"> </span><span class="o">(</span>debian<span class="w"> </span><span class="m">8</span>.7<span class="o">)</span>
<span class="o">=======================</span>
Total:<span class="w"> </span><span class="m">7</span><span class="w"> </span><span class="o">(</span>UNKNOWN:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>LOW:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>MEDIUM:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>HIGH:<span class="w"> </span><span class="m">3</span>,<span class="w"> </span>CRITICAL:<span class="w"> </span><span class="m">2</span><span class="o">)</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>LIBRARY<span class="w"> </span><span class="p">|</span><span class="w"> </span>VULNERABILITY<span class="w"> </span>ID<span class="w"> </span><span class="p">|</span><span class="w"> </span>SEVERITY<span class="w"> </span><span class="p">|</span><span class="w"> </span>INSTALLED<span class="w"> </span>VERSION<span class="w"> </span><span class="p">|</span><span class="w"> </span>FIXED<span class="w"> </span>VERSION<span class="w"> </span><span class="p">|</span><span class="w"> </span>TITLE<span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>curl<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-14618<span class="w"> </span><span class="p">|</span><span class="w"> </span>CRITICAL<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">7</span>.61.0-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">7</span>.61.1-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span>curl:<span class="w"> </span>NTLM<span class="w"> </span>password<span class="w"> </span>overflow<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>via<span class="w"> </span>integer<span class="w"> </span>overflow<span class="w"> </span><span class="p">|</span>
+<span class="w"> </span>+------------------+----------+<span class="w"> </span>+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-16839<span class="w"> </span><span class="p">|</span><span class="w"> </span>HIGH<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">7</span>.61.1-r1<span class="w"> </span><span class="p">|</span><span class="w"> </span>curl:<span class="w"> </span>Integer<span class="w"> </span>overflow<span class="w"> </span>leading<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>to<span class="w"> </span>heap-based<span class="w"> </span>buffer<span class="w"> </span>overflow<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>Curl_sasl_create_plain_message<span class="o">()</span><span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>git<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-17456<span class="w"> </span><span class="p">|</span><span class="w"> </span>HIGH<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">2</span>.15.2-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">2</span>.15.3-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span>git:<span class="w"> </span>arbitrary<span class="w"> </span>code<span class="w"> </span>execution<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>via<span class="w"> </span>.gitmodules<span class="w"> </span><span class="p">|</span>
+<span class="w"> </span>+------------------+<span class="w"> </span>+<span class="w"> </span>+<span class="w"> </span>+----------------------------------+
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-19486<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>git:<span class="w"> </span>Improper<span class="w"> </span>handling<span class="w"> </span>of<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>PATH<span class="w"> </span>allows<span class="w"> </span><span class="k">for</span><span class="w"> </span>commands<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>executed<span class="w"> </span>from...<span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>libssh2<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2019-3855<span class="w"> </span><span class="p">|</span><span class="w"> </span>CRITICAL<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">1</span>.8.0-r2<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">1</span>.8.1-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span>libssh2:<span class="w"> </span>Integer<span class="w"> </span>overflow<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>transport<span class="w"> </span><span class="nb">read</span><span class="w"> </span>resulting<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>out<span class="w"> </span>of<span class="w"> </span>bounds<span class="w"> </span>write...<span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>sqlite<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-20346<span class="w"> </span><span class="p">|</span><span class="w"> </span>MEDIUM<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">3</span>.21.0-r1<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">3</span>.25.3-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-20505<span class="w"> </span>CVE-2018-20506<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sqlite:<span class="w"> </span>Multiple<span class="w"> </span>flaws<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sqlite<span class="w"> </span>which<span class="w"> </span>can<span class="w"> </span>be<span class="w"> </span>triggered<span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>via...<span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
<span class="p">|</span><span class="w"> </span>tar<span class="w"> </span><span class="p">|</span><span class="w"> </span>CVE-2018-20482<span class="w"> </span><span class="p">|</span><span class="w"> </span>LOW<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">1</span>.29-r1<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="m">1</span>.31-r0<span class="w"> </span><span class="p">|</span><span class="w"> </span>tar:<span class="w"> </span>Infinite<span class="w"> </span><span class="nb">read</span><span class="w"> </span>loop<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sparse_dump_region<span class="w"> </span><span class="k">function</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p">|</span>
<span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sparse.c<span class="w"> </span><span class="p">|</span>
+---------+------------------+----------+-------------------+---------------+----------------------------------+
</code></pre></div>
</details>
<div class="admonition info">
<p class="admonition-title">Info</p>
<p>This flag filters the packages themselves, so it also affects the <code>--list-all-pkgs</code> option and SBOM generation.</p>
</div>
<h3 id="filtering-by-package-relationships">Filtering by Package Relationships<a class="headerlink" href="#filtering-by-package-relationships" title="Permanent link">&para;</a></h3>
<p>Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
This is achieved through the <code>--pkg-relationships</code> flag.
This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.</p>
<p>In Trivy, there are four types of package relationships:</p>
<ol>
<li><code>root</code>: The root package being scanned</li>
<li><code>direct</code>: Direct dependencies of the root package</li>
<li><code>indirect</code>: Transitive dependencies</li>
<li><code>unknown</code>: Packages whose relationship cannot be determined</li>
</ol>
<p>The available relationships may vary depending on the ecosystem.
To see which relationships are supported for a particular project, you can use the JSON output format and check the <code>Relationship</code> field:</p>
<div class="highlight"><pre><span></span><code>$ trivy repo -f json --list-all-pkgs /path/to/project
</code></pre></div>
<p>To scan only the root package and its direct dependencies, you can use the flag as follows:</p>
<div class="highlight"><pre><span></span><code>$ trivy repo --pkg-relationships root,direct /path/to/project
</code></pre></div>
<p>By default, all relationships are included in the scan.</p>
<div class="admonition info">
<p class="admonition-title">Info</p>
<p>This flag filters the packages themselves, so it also affects the <code>--list-all-pkgs</code> option and SBOM generation.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>As it may not provide a complete package list, <code>--pkg-relationships</code> cannot be used with <code>--dependency-tree</code>, <code>--vex</code> or SBOM generation.</p>
</div>
<h3 id="detection-priority">Detection Priority<a class="headerlink" href="#detection-priority" title="Permanent link">&para;</a></h3>
<p>Trivy provides a <code>--detection-priority</code> flag to control the balance between false positives and false negatives in vulnerability detection.
This concept is similar to the relationship between <a href="https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall">precision and recall</a> in machine learning evaluation.</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>trivy<span class="w"> </span>image<span class="w"> </span>--detection-priority<span class="w"> </span><span class="o">{</span>precise<span class="p">|</span>comprehensive<span class="o">}</span><span class="w"> </span>alpine:3.15
</code></pre></div>
<ul>
<li><code>precise</code>: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.</li>
<li><code>comprehensive</code>: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
It provides broader coverage but may increase the noise in the results.</li>
</ul>
<p>The default value is <code>precise</code>. Also refer to the <a href="#detection-behavior">detection behavior</a> section for more information.</p>
<p>Regardless of the chosen mode, user review of detected vulnerabilities is crucial:</p>
<ul>
<li><code>precise</code>: Review thoroughly, considering potential missed vulnerabilities.</li>
<li><code>comprehensive</code>: Carefully investigate each reported vulnerability due to increased false positive possibility.</li>
</ul>
<h3 id="overriding-os-version">Overriding OS version<a class="headerlink" href="#overriding-os-version" title="Permanent link">&para;</a></h3>
<p>By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
However, in some cases, you may want to scan an image with a different OS version than the one detected.
Also, you may want to specify the OS version when OS is not detected.
For these cases, Trivy supports a <code>--distro</code> flag using the <code>&lt;family&gt;/&lt;version&gt;</code> format (e.g. <code>alpine/3.20</code>) to set the desired OS version.</p>
<h3 id="severity-selection_1">Severity selection<a class="headerlink" href="#severity-selection_1" title="Permanent link">&para;</a></h3>
<p>By default, Trivy automatically detects severity (as described <a href="#severity-selection">here</a>).
But there are cases when you may want to use your own source priority. Trivy supports the <code>--vuln-severity-source</code> flag for this.</p>
<p>Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
If no source has the severity - Trivy will use the <code>UNKNOWN</code> severity.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>To use the default logic in combination with your sources - use the <code>auto</code> value.</p>
</div>
<p>Example logic for the following vendor severity levels when scanning an Alpine image:</p>
<div class="highlight"><pre><span></span><code><span class="nt">&quot;VendorSeverity&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;ghsa&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;nvd&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span>
<span class="p">}</span>
</code></pre></div>
<ul>
<li><code>--vuln-severity-source auto,nvd</code> - severity is <code>CRITICAL</code>, got from <code>auto</code>.</li>
<li><code>--vuln-severity-source alpine,auto</code> - severity is <code>CRITICAL</code>, got from <code>auto</code>.</li>
<li><code>--vuln-severity-source alpine,ghsa</code> - severity is <code>HIGH</code>, got from <code>ghsa</code>.</li>
<li><code>--vuln-severity-source alpine,alma</code> - severity is <code>UNKNOWN</code>.</li>
</ul>
<div class="footnote">
<hr />
<ol>
<li id="fn:1">
<p><a href="https://github.com/GoogleContainerTools/distroless">https://github.com/GoogleContainerTools/distroless</a>&#160;<a class="footnote-backref" href="#fnref:1" title="Jump back to footnote 1 in the text">&#8617;</a><a class="footnote-backref" href="#fnref2:1" title="Jump back to footnote 1 in the text">&#8617;</a></p>
</li>
</ol>
</div>
</article>
</div>
<script>var tabs=__md_get("__tabs");if(Array.isArray(tabs))e:for(var set of document.querySelectorAll(".tabbed-set")){var labels=set.querySelector(".tabbed-labels");for(var tab of tabs)for(var label of labels.getElementsByTagName("label"))if(label.innerText.trim()===tab){var input=document.getElementById(label.htmlFor);input.checked=!0;continue e}}</script>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer" >
<a href="../../target/sbom/" class="md-footer__link md-footer__link--prev" aria-label="Previous: SBOM">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</div>
<div class="md-footer__title">
<span class="md-footer__direction">
Previous
</span>
<div class="md-ellipsis">
SBOM
</div>
</div>
</a>
<a href="../misconfiguration/" class="md-footer__link md-footer__link--next" aria-label="Next: Overview">
<div class="md-footer__title">
<span class="md-footer__direction">
Next
</span>
<div class="md-ellipsis">
Overview
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
<div class="md-social">
<a href="https://twitter.com/AquaTrivy" target="_blank" rel="noopener" title="twitter.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M389.2 48h70.6L305.6 224.2 487 464H345L233.7 318.6 106.5 464H35.8l164.9-188.5L26.8 48h145.6l100.5 132.9zm-24.8 373.8h39.1L151.1 88h-42z"/></svg>
</a>
<a href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</a>
<a href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M94.12 315.1c0 25.9-21.16 47.06-47.06 47.06S0 341 0 315.1s21.16-47.06 47.06-47.06h47.06zm23.72 0c0-25.9 21.16-47.06 47.06-47.06s47.06 21.16 47.06 47.06v117.84c0 25.9-21.16 47.06-47.06 47.06s-47.06-21.16-47.06-47.06zm47.06-188.98c-25.9 0-47.06-21.16-47.06-47.06S139 32 164.9 32s47.06 21.16 47.06 47.06v47.06zm0 23.72c25.9 0 47.06 21.16 47.06 47.06s-21.16 47.06-47.06 47.06H47.06C21.16 243.96 0 222.8 0 196.9s21.16-47.06 47.06-47.06zm188.98 47.06c0-25.9 21.16-47.06 47.06-47.06S448 171 448 196.9s-21.16 47.06-47.06 47.06h-47.06zm-23.72 0c0 25.9-21.16 47.06-47.06 47.06s-47.06-21.16-47.06-47.06V79.06c0-25.9 21.16-47.06 47.06-47.06s47.06 21.16 47.06 47.06zM283.1 385.88c25.9 0 47.06 21.16 47.06 47.06S309 480 283.1 480s-47.06-21.16-47.06-47.06v-47.06zm0-23.72c-25.9 0-47.06-21.16-47.06-47.06s21.16-47.06 47.06-47.06h117.84c25.9 0 47.06 21.16 47.06 47.06s-21.16 47.06-47.06 47.06z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.sections", "navigation.footer", "content.action.edit", "content.tabs.link", "content.code.annotate", "content.code.copy"], "search": "../../../assets/javascripts/workers/search.c7c1ca2c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "latest", "method": "mike", "provider": "mike"}}</script>
<script src="../../../assets/javascripts/bundle.203fd0bc.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink