Releases: aquasecurity/trivy

v0.34.0

31 Oct 10:12
7912f58

Changelog

  • 7912f58 feat(vuln): support dependency graph for RHEL/CentOS (#3094)
  • 9468056 feat(vuln): support dependency graph for dpkg and apk (#3093)
  • 7cc83cc perf(license): enable license classifier only with "--license-full" (#3086)
  • 5b975de feat(report): add secret scanning to ASFF template (#2860)
  • b6cef12 feat: Allow override of containerd namespace (#3060)
  • 0765148 fix(vuln): In alpine use Name as SrcName (#3079)
  • 9e649b8 fix(secret): Alibaba AccessKey ID (#3083)

v0.33.0

25 Oct 22:16
af89249

Changelog

  • af89249 refactor(k8s): custom reports (#3076)
  • f4e970f fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
  • 8ae4627 feat(image): add support for passing architecture and OS (#3012)
  • 0501e70 test: disable containerd integration tests for non-amd64 arch (#3073)
  • a377c8d feat(server): Add support for client/server mode to rootfs command (#3021)
  • 02a73f0 feat(vuln): support non-packaged binaries (#3019)
  • 18581f3 feat: compliance reports (#2951)
  • 63b8e4d fix(flag): disable flag parsing for each plugin command (#3074)
  • cbedd71 feat(nodejs): add support dependency location for yarn.lock files (#3016)
  • b22e37e chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
  • 9b0e979 feat: add k8s components (#2589)
  • 5e25182 fix(secret): update the regex for secrets scanning (#2964)
  • 9947e51 chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
  • d2a15a7 fix: bump trivy-kubernetes (#3064)
  • f2efc9c docs: fix missing 'image' subcommand (#3051)
  • 34653c7 chore: Patch golang x/text vulnerability (#3046)
  • e252ea8 chore: add licensed project logo (#3058)
  • 439d216 feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
  • 9f5113a refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
  • c1e24d5 feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
  • 212af07 docs(misconf): fix typo (#3043)
  • 68f374a feat: add support for scanning azure ARM (#3011)
  • d35c668 feat(report): add location.message to SARIF output (#3002) (#3003)
  • 2150ffc chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
  • ca434f7 feat(nodejs): add dependency line numbers for npm lock files (#2932)
  • a8ff5f0 test(fs): add --skip-files, --skip-dirs (#2984)
  • 561b2e7 docs: add Woodpecker CI integrations example (#2823)
  • 4a3583d chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
  • 4be9eeb chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
  • a260d35 chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
  • 558189f chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
  • c2eb6ee fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
  • 68f7952 fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
  • be78da6 fix(sbom): use nuget purl type for dotnet-core (#2990)
  • 92b5a19 perf: retrieve rekor entries in bulk (#2987)
  • babd7e7 feat(aws): Custom rego policies for AWS scanning (#2994)
  • 8ad9b8a docs: jq cli formatting (#2881)
  • a78684c docs(repo): troubleshooting $TMPDIR customization (#2985)
  • 7309ed0 chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
  • 9515a5c chore(deps): bump actions/stale from 5 to 6 (#2970)
  • 955aff6 chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
  • db56d23 chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
  • 05a7232 chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
  • 2c39d47 chore: run go fmt (#2897)
  • 16a7dc1 chore(go): updates wazero to 1.0.0-pre.2 (#2955)
  • ce4ba7c fix(aws): Less function for slice sorting always returns false #2967
  • 4ffe746 fix(java): fix unmarshal pom exclusions (#2936)

v0.32.1

28 Sep 13:31
8b1cee8

Changelog

  • 8b1cee8 fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
  • f5cbbb3 chore: expat lib and go binary deps vulns (#2940)
  • 6882bdf wasm: Removes accidentally exported memory (#2950)
  • 6ea9a61 fix(sbom): fix package name separation for gradle (#2906)
  • 3ee4c96 docs(readme.md): fix broken integrations link (#2931)
  • 5745961 fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
  • e01253d fix(cli): split env values with ',' for slice flags (#2926)
  • 0c1a42d fix(cli): config/helm: also take into account files with .yml (#2928)
  • 237b8dc fix(flag): add file-patterns flag for config subcommand (#2925)
  • 047a0b3 chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)

v0.32.0

16 Sep 14:16
585985e

Changelog

  • 585985e docs: add Rekor SBOM attestation scanning (#2893)
  • d30fa00 chore: narrow the owner scope (#2894)
  • 38c1513 fix: remove a patch number from the recommendation link (#2891)
  • ba29ce6 fix: enable parsing of UUID-only rekor entry ID (#2887)
  • 018eda6 docs(sbom): add SPDX scanning (#2885)
  • 20f1e59 docs: restructure docs and add tutorials (#2883)
  • 192fd78 feat(sbom): scan sbom attestation in the rekor record (#2699)
  • 597836c feat(k8s): support outdated-api (#2877)
  • 6c7bd67 chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
  • 4127043 fix(c): support revisions in Conan parser (#2878)
  • b677d7e feat: dynamic links support for scan results (#2838)
  • 8e03bbb chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
  • 27005c7 docs: update archlinux commands (#2876)
  • b6e394d feat(secret): add line from dockerfile where secret was added to secret result (#2780)
  • 9f6680a feat(sbom): Add unmarshal for spdx (#2868)
  • db0aaf1 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
  • bb3220c fix: revert asff arn and add documentation (#2852)
  • c51f2b8 docs: batch-import-findings limit (#2851)
  • 552732b chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
  • 3165c37 feat(sbom): Add marshal for spdx (#2867)
  • dac2b4a build: checkout before setting up Go (#2873)
  • 39f83af chore: bump Go to 1.19 (#2861)
  • 0ce9583 docs: azure doc and trivy (#2869)
  • 2f37961 fix: Scan tarr'd dependencies (#2857)
  • db14ef3 chore(helm): helm test with ingress (#2630)
  • acb65d5 feat(report): add secrets to sarif format (#2820)
  • a18cd7c chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
  • 2de903c refactor: add a new interface for initializing analyzers (#2835)
  • 63c3b8e chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
  • 6717665 fix: update ProductArn with account id (#2782)
  • 41a8496 feat(helm): make cache TTL configurable (#2798)
  • 0f1f2c1 build(): Sign releaser artifacts, not only container manifests (#2789)
  • b389a6f chore: improve doc about azure devops (#2795)
  • 9ef9fce chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
  • 7b3225d chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828)
  • 37733ed chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
  • 44d7e8d docs: don't push patch versions (#2824)
  • 4839075 feat: add support for conan.lock file (#2779)
  • 6b4ddaa feat: cache merged layers
  • a18f398 chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
  • 4dcce14 chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
  • db45447 chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
  • a246d0f chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
  • 1800017 chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
  • 218e41a chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
  • a000ade feat: add support for gradle.lockfile (#2759)
  • 43113bc chore(mod): updates wazero to 1.0.0-pre.1 #2791
  • 5f0bf14 feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
  • 2580ea1 Fix url validation failures (#2783)
  • 2473b2c fix(image): add logic to detect empty layers (#2790)
  • 9d018d4 feat(rust): add dependency graph from Rust binaries (#2771)

v0.31.3

29 Aug 06:46
db67f16

Changelog

v0.31.2

16 Aug 15:56
fefe7c4

Changelog

  • fefe7c4 fix: Correctly handle recoverable AWS scanning errors (#2726)
  • 9c92e3d docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)

v0.31.1

16 Aug 13:13
d343d13

Changelog

  • d343d13 fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)

v0.31.0

16 Aug 08:06
917f388

Changelog

  • 917f388 fix(flag): add error when there are no supported security checks (#2713)
  • aef02aa fix(vuln): continue scanning when no vuln found in the first application (#2712)
  • ed1fa89 revert: add new classes for vulnerabilities (#2701)
  • a5d4f7f feat(secret): detect secrets removed or overwritten in upper layer (#2611)
  • ddffb1b fix(cli): secret scanning perf link fix (#2607)
  • bc85441 chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
  • b259b25 feat: Add AWS Cloud scanning (#2493)
  • f8edda8 docs: specify the type when verifying an attestation (#2697)
  • 6879413 docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
  • babfb17 fix(rpc): scanResponse rpc conversion for custom resources (#2692)
  • 517d2e0 feat(rust): Add support for cargo-auditable (#2675)
  • 0112385 feat: Support passing value overrides for configuration checks (#2679)
  • 317a026 feat(sbom): add support for scanning a sbom attestation (#2652)
  • 390c256 chore(image): skip symlinks and hardlinks from tar scan (#2634)
  • 63c33bf fix(report): Update junit.tpl (#2677)
  • de365c8 fix(cyclonedx): add nil check to metadata.component (#2673)
  • 50db7da docs(secret): fix missing and broken links (#2674)
  • e848e6d refactor(cyclonedx): implement json.Unmarshaler (#2662)
  • df0b5e4 chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643)
  • 006b8a5 chore(deps): bump github.com/Azure/go-autorest/autorest (#2642)
  • 8d10de8 feat(kubernetes): add option to specify kubeconfig file path (#2576)
  • 169c55c docs: follow Debian's "instructions to connect to a third-party repository" (#2511)
  • 9b21831 chore(deps): bump github.com/google/licenseclassifier/v2 (#2644)
  • 94db37e chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645)
  • d983805 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647)
  • d8a9572 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646)
  • 3ab3050 chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641)
  • 75984f3 chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640)
  • 525c253 chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639)
  • 5e327e4 chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638)
  • 469d771 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648)
  • 6bc8c87 chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649)
  • 6ab832d chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651)
  • 3a10497 feat(alma): set AlmaLinux 9 EOL (#2653)
  • 55825d7 fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
  • 6bb0e4b test(misconf): add tests for misconf handler for dockerfiles (#2621)
  • 44d53be feat(oracle): set Oracle Linux 9 EOL (#2635)
  • f396c67 BREAKING: add new classes for vulnerabilities (#2541)
  • 3cd88ab fix(secret): add newline escaping for asymmetric private key (#2532)
  • ea91fb9 docs: improve formatting (#2572)
  • d0ca610 feat(helm): allows users to define an existing secret for tokens (#2587)
  • d0ba59a docs(mariner): use tdnf in fs usage example (#2616)
  • d7742b6 docs: remove unnecessary double quotation marks (#2609)
  • 27027cf fix: Fix --file-patterns flag (#2625)
  • c2a7ad5 feat(report): add support for Cosign vulnerability attestation (#2567)
  • dfb86f4 docs(mariner): use v2.0 in examples (#2602)
  • 946ce16 feat(report): add secrets template for codequality report (#2461)

v0.30.4

26 Jul 19:37
f9c17bd

Changelog

v0.30.3

25 Jul 15:05
fa8a8ba

Changelog

  • fa8a8ba fix(server): use a new db worker for hot updates (#2581)
  • 769ed55 docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)
  • 5f9a963 docs: split commands to download db for different versions of oras (#2582)
  • d93a997 feat(report): export exitcode for license checks (#2564)
  • f9be138 fix: cli can use lowercase for severities (#2565)
  • c7f0bc9 fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
  • c2f3731 fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
  • 7b4f2dc fix: enable some features of the wasm runtime (#2575)
  • 8467790 fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521)
  • e1e02d7 docs(sbom): improve sbom attestation documentation (#2566)