Releases: aquasecurity/trivy

v0.38.2

08 Mar 11:22
800473a

Changelog

  • 800473a chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
  • e6ab389 chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
  • 6614398 fix(license): disable jar analyzer for licence scan only (#3780)
  • 1dc6fee bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
  • 3357ed0 fix: skip checking dirs for required post-analyzers (#3773)
  • 1064636 docs: add information about plugin format (#3749)
  • 60b7ef5 fix(sbom): add trivy version to spdx creators tool field (#3756)

v0.38.1

02 Mar 16:30
497c955

Changelog

  • 497c955 feat(misconf): Add support to show policy bundle version (#3743)
  • 5d54310 fix(python): fix error with optional dependencies in pyproject.toml (#3741)
  • 44cf1e2 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
  • 743b4b0 add id for package.json files (#3750)
  • 6de4385 chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
  • 9a0ceef chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
  • 0501b46 chore(deps): bump github.com/google/go-containerregistry (#3731)
  • ee3004d chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
  • 5c8e604 chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)

v0.38.0

01 Mar 11:44
bc08366

⚡Release highlights and summary⚡

👉 #3719

Changelog

  • bc08366 fix(cli): pass integer to exit-on-eol (#3716)
  • 23cdac0 feat: add kubernetes pss compliance (#3498)
  • 302c8ae feat: Adding --module-dir and --enable-modules (#3677)
  • 34120f4 feat: add special IDs for filtering secrets (#3702)
  • e399ed8 chore(deps): Update defsec (#3713)
  • ef7b762 docs(misconf): Add guide on input schema (#3692)
  • 00daebc feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
  • 98d1031 feat: docker multi credential support (#3631)
  • b791362 feat: summarize vulnerabilities in compliance reports (#3651)
  • 719fdb1 feat(python): parse pyproject.toml alongside poetry.lock (#3695)
  • 3ff5699 feat(python): add dependency tree for poetry lock file (#3665)
  • 33909d9 fix(cyclonedx): incompliant affect ref (#3679)
  • d85a3e0 chore(helm): update skip-db-update environment variable (#3657)
  • 551899c fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
  • 3aaa2cf fix(sbom): export empty dependencies in CycloneDX (#3664)
  • 9d1300c docs: java-db air-gap doc tweaks (#3561)
  • 793cc43 feat(go): license support (#3683)
  • 6a3294e feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
  • e9dc21d fix(k8s): k8s label size (#3678)
  • 12976d4 fix(cyclondx): fix array empty value, null to [] (#3676)
  • 1dc2b34 refactor: rewrite gomod analyzer as post-analyzer (#3674)
  • 92eaf63 feat: config outdated-api result filtered by k8s version (#3578)
  • 9af436b fix: Update to Alpine 3.17.2 (#3655)
  • 88ee68d feat: add support for virtual files (#3654)
  • 75c96bd feat: add post-analyzers (#3640)
  • baea399 chore(deps): updates wazero to 1.0.0-pre.9 (#3653)
  • 7ca0db1 chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528)
  • 866999e chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633)
  • b7bfb9a feat(python): add dependency locations for Pipfile.lock (#3614)
  • 9badef2 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648)
  • d856595 fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
  • fe7c26a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607)
  • f251dfc fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
  • 9be8062 feat(cli): add command completion (#3061)
  • 370098d docs(misconf): update dockerfile link (#3627)
  • 32acd29 feat(flag): add exit-on-eosl option (#3423)
  • aa8e185 chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533)
  • 86603bb fix(cli): make java db repository configurable (#3595)
  • 7b1e173 chore: bump trivy-kubernetes (#3613)

v0.37.3

14 Feb 12:28
85d5d61

Changelog

  • 85d5d61 chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
  • 2c17260 chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
  • c54f1aa chore(deps): bump golang/x/mod to v0.8.0 (#3606)
  • 625ea58 chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
  • 623c7f9 chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
  • d291c34 ci: quote pros in c++ for semantic pr (#3605)
  • 6cac6c9 fix(image): check proxy settings from env for remote images (#3604)

v0.37.2

10 Feb 01:21
12b563b

💔Breaking Change💔

Java DB

This release introduces a breaking change to the Trivy Java DB.
Users running Trivy v0.37.0 or v0.37.1 for Java scanning need to remove the locally cached Java DB with trivy image --reset and update Trivy to v0.37.2.

Changelog

  • 12b563b BREAKING: use normalized trivy-java-db (#3583)
  • 72a14c6 fix(image): add timeout for remote images (#3582)
  • 4c01d73 chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
  • 10dd5d1 chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
  • 439c541 fix(misconf): handle dot files better (#3550)
  • 200e04a chore: bump Go to 1.19 (#3551)
  • a533ca8 chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
  • 4bccbe6 chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
  • d056208 chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
  • f5e6574 chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
  • d3da459 chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)

v0.37.1

01 Feb 16:37
7f8868b

Changelog

v0.37.0

01 Feb 12:43
e9d2af9

Changelog

  • e9d2af9 fix(image): close layers (#3517)
  • b169424 refactor: db client changed (#3515)
  • 7bf1e19 feat(java): use trivy-java-db to get GAV (#3484)
  • 023e45b docs: add note about the limitation in Rekor (#3494)
  • 0fe62a9 docs: aggregate targets (#3503)
  • 0373e08 deps: updates wazero to 1.0.0-pre.8 (#3510)
  • a2e21f9 docs: add alma 9 and rocky 9 to supported os (#3513)
  • 7d778b7 chore(deps): bump defsec to v0.82.9 (#3512)
  • 9e9dbea chore: add missing target labels (#3504)
  • d99a7b8 docs: add java vulnerability page (#3429)
  • cb5af0b feat(image): add support for Docker CIS Benchmark (#3496)
  • 6eec9ac feat(image): secret scanning on container image config (#3495)
  • 1eca973 chore(deps): Upgrade defsec to v0.82.8 (#3488)
  • fb0d8f3 feat(image): scan misconfigurations in image config (#3437)
  • 501d424 chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
  • 475dc17 feat(k8s): add node info resource (#3482)
  • ed173b8 perf(secret): optimize secret scanning memory usage (#3453)
  • 1b368be feat: support aliases in CLI flag, env and config (#3481)
  • 66a83d5 fix(k8s): migrate rbac k8s (#3459)
  • 81bee0f feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
  • e107608 refactor: rename security-checks to scanners (#3467)
  • aaf845d chore: display the troubleshooting URL for the DB denial error (#3474)
  • ed5bb0b docs: yaml tabs to spaces, auto create namespace (#3469)
  • 3158bfe docs: adding show-and-tell template to GH discussions (#3391)
  • 85b6c4a fix: Fix a temporary file leak in case of error (#3465)
  • 60bddae fix(test): sort cyclonedx components (#3468)
  • e0bb04c docs: fixing spelling mistakes (#3462)
  • c25e826 ci: set paths triggering VM tests in PR (#3438)
  • 07ddc85 docs: typo in --skip-files (#3454)
  • e88507c feat(custom-forward): Extended advisory data (#3444)
  • e2dfee2 docs: fix spelling error (#3436)
  • c575d6f refactor(image): extend image config analyzer (#3434)
  • 036d5a8 fix(nodejs): add ignore protocols to yarn parser (#3433)
  • e6d7f15 fix(db): check proxy settings when using insecure flag (#3435)
  • a1d4427 feat(misconf): Fetch policies from OCI registry (#3015)
  • 682351a ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
  • ff0c451 ci: store URLs to Github Releases in RPM repository (#3414)
  • ee12442 feat(server): add support of skip-db-update flag for hot db update (#3416)
  • 2033e05 chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
  • 6bc564e fix(image): handle wrong empty layer detection (#3375)
  • b3b8d4d test: fix integration tests for spdx and cycloneDX (#3412)
  • b88bcca feat(python): Include Conda packages in SBOMs (#3379)
  • fbd8a13 feat: add support pubspec.lock files for dart (#3344)
  • 0f545cf fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
  • 76c883d fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
  • a8b671b feat(server): log errors on server side (#3397)
  • a5919ca chore(deps): bump defsec to address helm vulnerabilities (#3399)
  • 89016da docs: rewrite installation docs and general improvements (#3368)
  • c3759c6 chore: update code owners (#3393)
  • 044fb97 chore: test docs separately from code (#3392)
  • ad2e648 docs: use the formula maintained by Homebrew (#3389)
  • ad25a77 docs: add Security Management section with SonarQube plugin

v0.36.1

05 Jan 11:23
9039df4

Changelog

  • 9039df4 fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
  • 60cf4fe feat(flag): early fail when the format is invalid (#3370)
  • 9470e3c chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
  • d274d15 docs(aws): fix broken links (#3374)
  • 2a870f8 chore(deps): bump actions/stale from 6 to 7 (#3360)
  • 5974023 chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
  • 02aa8c2 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
  • 6e6171f chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
  • 066f277 chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
  • 8cc3284 chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
  • 8d71346 chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
  • 5b944d2 chore(go): updates wazero to v1.0.0-pre.7 (#3355)
  • 9c645b9 chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
  • e2cd782 chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)

v0.36.0

30 Dec 13:00
4813cf5

Changelog

  • 4813cf5 docs: improve compliance docs (#3340)
  • 025e509 feat(deps): add yarn lock dependency tree (#3348)
  • 4d59a1e fix: compliance change id and title naming (#3349)
  • eaa5bcf feat: add support for mix.lock files for elixir language (#3328)
  • a888440 feat: add k8s cis bench (#3315)
  • 62b369e test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
  • c110c4e revert: cache merged layers (#3334)
  • bc759ef feat(cyclonedx): add recommendation (#3336)
  • fe3831e feat(ubuntu): added support ubuntu ESM versions (#1893)
  • b0cebec fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
  • a66d3fe chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
  • 5190f95 feat: Adding support for Windows testing (#3037)
  • b00f3c6 feat: add support for Alpine 3.17 (#3319)
  • a70f885 docs: change PodFile.lock to Podfile.lock (#3318)
  • 1ec1fe6 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
  • 68eda79 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
  • b95d435 chore(go): remove experimental FS API usage in Wasm (#3299)
  • ac6b7c3 ci: add workflow to add issues to roadmap project (#3292)
  • cfabdf9 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
  • 56e3d8d chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
  • bbccb44 feat(sbom): better support for third-party SBOMs (#3262)
  • e879b06 docs: add information about languages with support for dependency locations (#3306)
  • e92266f feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
  • 01c7fb1 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
  • 23d0613 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
  • 407c240 docs: remove comparisons (#3289)
  • 93c5d2d feat: add support for Wolfi Linux (#3215)
  • 2809794 ci: add go.mod to canary workflow (#3288)
  • 08b55c3 feat(python): skip dev dependencies (#3282)
  • 52300e6 chore: update ubuntu version for Github action runnners (#3257)
  • a7ac6ac fix(go): skip dep without Path for go-binaries (#3254)
  • 4436a20 feat(rust): add ID for cargo pgks (#3256)
  • 34d505a chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
  • ea95602 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
  • aea298b feat: add support for swift cocoapods lock files (#2956)
  • c67fe17 fix(sbom): use proper constants (#3286)
  • f907255 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
  • 8f95743 test(vm): import relevant analyzers (#3285)
  • 8744534 feat: support scan remote repository (#3131)
  • c278d86 docs: fix typo in fluxcd (#3268)
  • fa2281f docs: fix broken "ecosystem" link in readme (#3280)
  • a3eece4 feat(misconf): Add compliance check support (#3130)
  • 7a6cf5a docs: Adding Concourse resource for trivy (#3224)
  • dd26bd2 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
  • cbba6d1 fix(sbom): duplicate dependson (#3261)
  • fa2e3ac chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
  • 5c43475 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
  • d29b0ed feat(report): add dependency locations to sarif format (#3210)
  • 967e32f fix(rpm): add rocky to osVendors (#3241)
  • 9477416 docs: fix a typo (#3236)
  • 97ce61e feat(dotnet): add dependency parsing for nuget lock files (#3222)
  • 17e13c4 docs: add pre-commit hook to community tools (#3203)
  • b1a2c4e feat(helm): pass arbitrary env vars to trivy (#3208)

v0.35.0

27 Nov 16:59
bd30e98

Changelog

  • bd30e98 chore(vm): update xfs filesystem parser for change log (#3230)
  • 22d92e4 feat: add virtual machine scan command (#2910)
  • 531eaa8 docs: reorganize index and readme (#3026)
  • 8569d43 fix: slowSizeThreshold should be less than defaultSizeThreshold (#3225)
  • 604a73d feat: Export functions for trivy plugin (#3204)
  • 7594b1f feat(image): add support wildcard for platform os (#3196)
  • fd5cafb fix: load compliance report from file system (#3161)
  • 6ab9380 fix(suse): use package name to get advisories (#3199)
  • 4a5d643 docs(image): space issues during image scan (#3190)
  • 2206e00 feat(containerd): scan image by digest (#3075)
  • 861bc03 fix(vuln): add package name to title (#3183)
  • f115895 fix: present control status instead of compliance percentage in compliance report (#3181)
  • cc8cef1 perf(license): remove go-enry/go-license-detector. (#3187)
  • a0033f6 fix: workdir command as empty layer (#3087)
  • cb5744d docs: reorganize ecosystem section (#3025)
  • 1ddd6d3 feat(dotnet): add support dependency location for dotnet-core files (#3095)
  • 30c8d75 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
  • 8e7b44f chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
  • dfff371 feat(dotnet): add support dependency location for nuget lock files (#3032)
  • eb571fd chore: update code owners for misconfigurations (#3176)
  • 7571783 feat: add slow mode (#3084)
  • 01df475 docs: fix typo in enable-builin-rules mentions (#3118)
  • 6b3be15 feat: Add maintainer field to OS packages (#3149)
  • 9ebdc51 docs: fix some typo (#3171)
  • 42e81ad chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
  • 55ec898 chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
  • 0644ceb docs: fix links on Built-in Policies page (#3124)
  • 50af7a2 chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
  • c455d14 chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
  • 8fb9d31 fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
  • 8562b8c chore: use newline for semantic pr (#3172)
  • aff9a3e chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
  • 001671e chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
  • 4e7ab48 chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
  • a6091a7 chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
  • 6da148c fix(spdx): rename describes field in spdx (#3102)
  • df9cf88 chore: handle GOPATH with several paths in make file (#3092)
  • 32fe108 docs(flag): add "rego" configuration file options (#3165)
  • 8fcca9c chore(go): updates wazero to 1.0.0-pre.3 (#3090)
  • 02f77bc chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
  • aa3ff09 docs(license): fix typo inside quick start (#3134)
  • f26b452 chore: update codeowners for docs (#3135)
  • 3b6d7d8 fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
  • e9a2549 fix: remove --security-checks none from image help (#3156)
  • 3aa1912 fix: compliance flag description (#3160)
  • fc82057 docs(k8s): fix a typo (#3163)
  • 3a1f05e chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)