merge main

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -114,7 +114,7 @@ body:
       label: Checklist
       description: Have you tried the following?
       options:
-        - label: Run `trivy --reset`
+        - label: Run `trivy image --reset`
         - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
   - type: markdown
     attributes:

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.0
+FROM alpine:3.18.2
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

contrib/install.sh

@@ -75,6 +75,7 @@ get_binaries() {
     linux/ppc64le) BINARIES="trivy" ;;
     linux/arm64) BINARIES="trivy" ;;
     linux/armv7) BINARIES="trivy" ;;
+    linux/s390x) BINARIES="trivy" ;;
     openbsd/386) BINARIES="trivy" ;;
     openbsd/amd64) BINARIES="trivy" ;;
     openbsd/arm64) BINARIES="trivy" ;;
@@ -115,7 +116,8 @@ adjust_os() {
     amd64) OS=64bit ;;
     arm) OS=ARM ;;
     arm64) OS=ARM64 ;;
-    ppc64le) OS=PPC64LE ;;
+    ppc64le) OS=Linux ;;
+    s390x) OS=Linux ;;
     darwin) OS=macOS ;;
     dragonfly) OS=DragonFlyBSD ;;
     freebsd) OS=FreeBSD ;;
@@ -133,7 +135,8 @@ adjust_arch() {
     arm) ARCH=ARM ;;
     armv7) ARCH=ARM ;;
     arm64) ARCH=ARM64 ;;
-    ppc64le) OS=PPC64LE ;;
+    ppc64le) ARCH=PPC64LE ;;
+    s390x) ARCH=s390x ;;
     darwin) ARCH=macOS ;;
     dragonfly) ARCH=DragonFlyBSD ;;
     freebsd) ARCH=FreeBSD ;;
@@ -222,6 +225,7 @@ uname_arch() {
     armv5*) arch="armv5" ;;
     armv6*) arch="armv6" ;;
     armv7*) arch="armv7" ;;
+    s390*) arch="s390x" ;;
   esac
   echo ${arch}
 }

docs/docs/references/configuration/cli/trivy_aws.md

@@ -65,38 +65,39 @@ trivy aws [flags]
 ### Options
 
 ```
-      --account string              The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
-      --arn string                  The AWS ARN to show results for. Useful to filter results once a scan is cached.
-      --compliance string           compliance report to generate (aws-cis-1.2, aws-cis-1.4)
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --endpoint string             AWS Endpoint override
-      --exit-code int               specify exit code when any security issues are found
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for aws
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
-      --max-cache-age duration      The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
-  -o, --output string               output file name
-      --policy-namespaces strings   Rego namespaces
-      --region string               AWS Region to scan
-      --report string               specify a report format for the output. (all,summary) (default "all")
-      --reset-policy-bundle         remove policy bundle
-      --service strings             Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-policy-update          skip fetching rego policy updates
-      --skip-service strings        Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --trace                       enable more verbose trace output for custom queries
-      --update-cache                Update the cache for the applicable cloud provider instead of using cached results.
+      --account string                  The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
+      --arn string                      The AWS ARN to show results for. Useful to filter results once a scan is cached.
+      --compliance string               compliance report to generate (aws-cis-1.2,aws-cis-1.4)
+      --config-data strings             specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings           specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --dependency-tree                 [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --endpoint string                 AWS Endpoint override
+      --exit-code int                   specify exit code when any security issues are found
+  -f, --format string                   format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings           specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings         specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings             specify paths to override the Helm values.yaml files
+  -h, --help                            help for aws
+      --ignore-policy string            specify the Rego file path to evaluate each vulnerability
+      --ignorefile string               specify .trivyignore file (default ".trivyignore")
+      --include-non-failures            include successes and exceptions, available with '--scanners config'
+      --list-all-pkgs                   enabling the option will output all packages regardless of vulnerability
+      --max-cache-age duration          The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+  -o, --output string                   output file name
+      --policy-namespaces strings       Rego namespaces
+      --region string                   AWS Region to scan
+      --report string                   specify a report format for the output (all,summary) (default "all")
+      --reset-policy-bundle             remove policy bundle
+      --service strings                 Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
+  -s, --severity strings                severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-policy-update              skip fetching rego policy updates
+      --skip-service strings            Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
+  -t, --template string                 output template
+      --tf-exclude-downloaded-modules   remove results for downloaded modules in .terraform folder
+      --tf-vars strings                 specify paths to override the Terraform tfvars files
+      --trace                           enable more verbose trace output for custom queries
+      --update-cache                    Update the cache for the applicable cloud provider instead of using cached results.
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_config.md

@@ -9,43 +9,44 @@ trivy config [flags] DIR
 ### Options
 
 ```
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
-      --compliance string           compliance report to generate
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --enable-modules strings      [EXPERIMENTAL] module names to enable
-      --exit-code int               specify exit code when any security issues are found
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for config
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --k8s-version string          specify k8s version to validate outdated api by it (example: 1.21.0)
-      --module-dir string           specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-  -o, --output string               output file name
-      --password strings            password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --policy-namespaces strings   Rego namespaces
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string       registry token
-      --report string               specify a compliance report format for the output. (all,summary) (default "all")
-      --reset-policy-bundle         remove policy bundle
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-dirs strings           specify the directories where the traversal is skipped
-      --skip-files strings          specify the file paths to skip traversal
-      --skip-policy-update          skip fetching rego policy updates
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --trace                       enable more verbose trace output for custom queries
-      --username strings            username. Comma-separated usernames allowed.
+      --cache-backend string            cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration              cache TTL when using redis as cache backend
+      --clear-cache                     clear image caches without scanning
+      --compliance string               compliance report to generate
+      --config-data strings             specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings           specify the paths to the Rego policy files or to the directories containing them, applying config files
+      --enable-modules strings          [EXPERIMENTAL] module names to enable
+      --exit-code int                   specify exit code when any security issues are found
+      --file-patterns strings           specify config file patterns
+  -f, --format string                   format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-set strings                specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings           specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings         specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings             specify paths to override the Helm values.yaml files
+  -h, --help                            help for config
+      --ignorefile string               specify .trivyignore file (default ".trivyignore")
+      --include-non-failures            include successes and exceptions, available with '--scanners config'
+      --k8s-version string              specify k8s version to validate outdated api by it (example: 1.21.0)
+      --module-dir string               specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+  -o, --output string                   output file name
+      --password strings                password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --policy-namespaces strings       Rego namespaces
+      --redis-ca string                 redis ca file location, if using redis as cache backend
+      --redis-cert string               redis certificate file location, if using redis as cache backend
+      --redis-key string                redis key file location, if using redis as cache backend
+      --redis-tls                       enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string           registry token
+      --report string                   specify a compliance report format for the output (all,summary) (default "all")
+      --reset-policy-bundle             remove policy bundle
+  -s, --severity strings                severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-dirs strings               specify the directories where the traversal is skipped
+      --skip-files strings              specify the file paths to skip traversal
+      --skip-policy-update              skip fetching rego policy updates
+  -t, --template string                 output template
+      --tf-exclude-downloaded-modules   remove results for downloaded modules in .terraform folder
+      --tf-vars strings                 specify paths to override the Terraform tfvars files
+      --trace                           enable more verbose trace output for custom queries
+      --username strings                username. Comma-separated usernames allowed.
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_convert.md

@@ -22,14 +22,14 @@ trivy convert [flags] RESULT_JSON
       --dependency-tree        [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --exit-code int          specify exit code when any security issues are found
       --exit-on-eol int        exit with the specified code when the OS reaches end of service/life
-  -f, --format string          format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+  -f, --format string          format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
   -h, --help                   help for convert
       --ignore-policy string   specify the Rego file path to evaluate each vulnerability
       --ignorefile string      specify .trivyignore file (default ".trivyignore")
       --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
   -o, --output string          output file name
-      --report string          specify a report format for the output. (all,summary) (default "all")
-  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --report string          specify a report format for the output (all,summary) (default "all")
+  -s, --severity strings       severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
   -t, --template string        output template
 ```