v0.28.0

[aqua-bot]

💔 BREAKING CHANGES 💔

Move trivy client to trivy image --server

See here for the detail.

🚀 What's new? 🚀

☸ Kubernetes scanning 🌌

Trivy now can scan kubernetes clusters. It reports vulnerabilities and misconfigurations when scanning a full cluster , namespace or a resource. There is a very helpful summary report to quickly visualize vulnerabilities and misconfigurations.

Eg:

Scan a full cluster: $ trivy k8s --report summary

Scan a specific resource: $ trivy k8s service/nginx

Get a json with all the vulnerabitlies and misconfigurations for the kube-system namespace:

trivy k8s --namespace kube-system --format=json -o results.json

♠️ Support SPDX 👾

Trivy now generates the SPDX report.

$ trivy image --format spdx alpine:3.15
2022-05-10T18:18:22.537+0300    INFO    Detected OS: alpine
2022-05-10T18:18:22.537+0300    INFO    Detecting Alpine vulnerabilities...
2022-05-10T18:18:22.537+0300    INFO    Number of language-specific files: 0

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine:3.15
DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/alpine:3.15-bebf6b19-a94c-4e2c-af44-065f63923f48
Creator: Organization: aquasecurity
Creator: Tool: trivy
Created: 2022-04-28T07:32:57.142806Z

##### Package: apk-tools

PackageName: apk-tools
SPDXID: SPDXRef-26c274652190d87f
PackageVersion: 2.12.7-r3
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
...

SPDX-JSON format is also supported by using spdx-json with the --format option.

$ trivy image --format spdx-json --output result.spdx.json alpine:3.15

🖍️ New Misconfiguration Output Format 🖼️

The default output format now shows lots of contextual information about each detected misconfiguration, including line numbers, syntax-highlighted code snippets, annotations, and more!

🖌️ Reworked Table Output 🏓

The table output format has been reworked to make use of unicode box drawing characters and ANSI codes to improve user experience and make output consistent across detection types.

🗄️io/fs.FS-based Misconfiguration Scanning ⚙️

The engine used for detecting misconfigurations (defsec) uses the the Go io/fs.FS (filesystem) abstraction, making it possible to scan many types of media with the same code. Trivy takes advantage of this in order to scan images and local filesystems with the same underlying code. This also helps to contextualize scanning, e.g. understanding what effect one Terraform file has on another.

🪺 Embedded Rego Policies 🔒

Trivy now embeds the Rego policies it uses for misconfiguration detection. These policies are defined in defsec (formerly in appshield), and are now embedded using go:embed, meaning they don't have to be manually downloaded and managed separately.

Changelog

• afe3292 fix: remove Highlighted from json output (fix: remove Highlighted from json output #2131)
• 3d23ad8 fix: remove trivy-kubernetes replace (fix: remove trivy-kubernetes replace #2132)
• 9822b40 docs: Add Operator docs under Kubernetes section (docs: Add Operator docs under Kubernetes section #2111)
• bb6ff85 fix(k8s): security-checks panic (fix(k8s): security-checks panic #2127)
• 3bed96f ci: added k8s scope (ci: added k8s scope to semantic pr #2130)
• 4a7544c docs: Update misconfig output in examples (docs: Update misconfig output in examples #2128)
• b7fc3df fix(misconf): Fix coloured output in Goland terminal (fix(misconf): Fix coloured output in Goland terminal #2126)
• 89893a7 docs(secret): Fix default value of --security-checks in docs (docs(secret): Fix default value of --security-checks in docs #2107)
• dbba0bf refactor(report): move colorize function from trivy-db (refactor(report): move colorization function from trivy-db #2122)
• 3ef450d feat: k8s resource scanning (feat: k8s resource scanning #2118)
• f4ec4e7 chore: add CODEOWNERS (chore: add CODEOWNERS #2121)
• 96a5cb1 feat(image): add --server option for remote scans (feat(image): add --server option for remote scans #1871)
• 023e09e refactor: k8s (refactor: k8s #2116)
• b3759f5 refactor: export useful APIs (refactor: export useful APIs #2108)
• dbf4b2d docs: fix k8s doc (docs: fix k8s doc #2114)
• 2ae8faa feat(kubernetes): Add report flag for summary (feat(kubernetes): Add report flag for summary #2112)
• 5f004f0 fix: Remove problematic advanced rego policies (fix: Remove problematic advanced rego policies #2113)
• 3679bc3 feat(misconf): Add special output format for misconfigurations (feat(misconf): Add special output format for misconfigurations #2100)
• 029dd76 feat: add k8s subcommand (feat: add k8s subcommand #2065)
• a39133a chore: fix make lint version (chore: fix make lint version #2102)
• 995024f fix(java): handle relative pom modules (fix(java): handle relative pom modules #2101)
• c9f9a34 fix(misconf): Add missing links for non-rego misconfig results (fix(misconf): Add missing links for non-rego misconfig results #2094)
• 5a58e41 feat(misconf): Added fs.FS based scanning via latest defsec (feat(misconf): Added fs.FS based scanning via latest defsec #2084)
• fbb83c4 chore(deps): bump trivy-issue-action to v0.0.4 (chore(deps): bump trivy-issue-action to v0.0.4 #2091)
• 8a4b49c chore(deps): bump github.com/twitchtv/twirp (chore(deps): bump github.com/twitchtv/twirp from 8.1.1+incompatible to 8.1.2+incompatible #2077)
• 7ba773f chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 #2074)
• bd94618 chore(os): updated fanal version and alpine distroless test (chore(os): more general support for os-release files #2086)
• fa5dcaf chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 (chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 #2075)
• 2c57716 chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 #2076)
• 6601d29 feat(report): add support for SPDX (feat(report): add support for SPDX #2059)
• 6e2453c chore(deps): bump actions/setup-go from 2 to 3 (chore(deps): bump actions/setup-go from 2 to 3 #2073)
• 7c94df5 chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (chore(deps): bump actions/cache from 3.0.1 to 3.0.2 #2071)
• 8c33bae chore(deps): bump golang from 1.18.0 to 1.18.1 (chore(deps): bump golang from 1.18.0 to 1.18.1 #2069)
• 2cdacc1 chore(deps): bump actions/stale from 4 to 5 (chore(deps): bump actions/stale from 4 to 5 #2070)
• 9acb240 chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 #2072)
• 4b193b4 chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 #2079)
• 79d1a01 chore: app version 0.27.0 (chore: app version 0.27.0 #2046)
• c1b4b5b fix(misconf): added to skip conf files if their scanning is not enabled (fix(misconf): added to skip conf files if their scanning is not enabled #2066)
• bbe490b docs(secret) fix rule path in docs (docs(secret): fix rule path in docs #2061)
• 78286aa docs: change from go.sum to go.mod (docs(go): change from go.sum to go.mod #2056)

---

This discussion was created from the release v0.28.0.