Programming Language¶
Trivy supports programming languages for
Supported languages¶
The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:
- Pre-build
- Post-build
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec
, binary files, and so on.
Language | File | Image4 | Rootfs5 | Filesystem6 | Repository7 |
---|---|---|---|---|---|
Ruby | Gemfile.lock | - | - | ✅ | ✅ |
gemspec | ✅ | ✅ | - | - | |
Python | Pipfile.lock | - | - | ✅ | ✅ |
poetry.lock | - | - | ✅ | ✅ | |
requirements.txt | - | - | ✅ | ✅ | |
egg package1 | ✅ | ✅ | - | - | |
wheel package2 | ✅ | ✅ | - | - | |
PHP | composer.lock | - | - | ✅ | ✅ |
installed.json | ✅ | ✅ | - | - | |
Node.js | package-lock.json | - | - | ✅ | ✅ |
yarn.lock | - | - | ✅ | ✅ | |
pnpm-lock.yaml | - | - | ✅ | ✅ | |
package.json | ✅ | ✅ | - | - | |
.NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
packages.config | ✅ | ✅ | ✅ | ✅ | |
.deps.json | ✅ | ✅ | ✅ | ✅ | |
*Packages.props9 | ✅ | ✅ | ✅ | ✅ | |
Java | JAR/WAR/PAR/EAR3 | ✅ | ✅ | - | - |
pom.xml | - | - | ✅ | ✅ | |
*gradle.lockfile | - | - | ✅ | ✅ | |
*.sbt.lock | - | - | ✅ | ✅ | |
Go | Binaries built by Go | ✅ | ✅ | - | - |
go.mod | - | - | ✅ | ✅ | |
Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
Binaries built with cargo-auditable | ✅ | ✅ | - | - | |
C/C++ | conan.lock | - | - | ✅ | ✅ |
Elixir | mix.lock8 | - | - | ✅ | ✅ |
Dart | pubspec.lock | - | - | ✅ | ✅ |
Swift | Podfile.lock | - | - | ✅ | ✅ |
Package.resolved | - | - | ✅ | ✅ | |
Julia | Manifest.toml | ✅ | ✅ | ✅ | ✅ |
The path of these files does not matter.
Example: Dockerfile
-
*.egg-info
,*.egg-info/PKG-INFO
,*.egg
andEGG-INFO/PKG-INFO
↩ -
.dist-info/META-DATA
↩ -
*.jar
,*.war
,*.par
and*.ear
↩ -
✅ means "enabled" and
-
means "disabled" in the image scanning ↩ -
✅ means "enabled" and
-
means "disabled" in the rootfs scanning ↩ -
✅ means "enabled" and
-
means "disabled" in the filesystem scanning ↩ -
✅ means "enabled" and
-
means "disabled" in the git repository scanning ↩ -
To scan a filename other than the default filename use file-patterns ↩
-
Directory.Packages.props
and legacyPackages.props
file names are supported ↩