Programming Language

Trivy supports programming languages for

Supported languages

The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:

  • Pre-build
  • Post-build

If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files. On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec, binary files, and so on.

| Language | File | Image[4] | Rootfs[5] | Filesystem[6] | Repository[7] |
|---|---|---|---|---|---|
| Ruby | Gemfile.lock | - | - | ✅ | ✅ |
| | gemspec | ✅ | ✅ | - | - |
| Python | Pipfile.lock | - | - | ✅ | ✅ |
| | poetry.lock | - | - | ✅ | ✅ |
| | requirements.txt | - | - | ✅ | ✅ |
| | egg package[1] | ✅ | ✅ | - | - |
| | wheel package[2] | ✅ | ✅ | - | - |
| PHP | composer.lock | - | - | ✅ | ✅ |
| | installed.json | ✅ | ✅ | - | - |
| Node.js | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
| | package.json | ✅ | ✅ | - | - |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props[9] | ✅ | ✅ | ✅ | ✅ |
| Java | JAR/WAR/PAR/EAR[3] | ✅ | ✅ | - | - |
| | pom.xml | - | - | ✅ | ✅ |
| | *gradle.lockfile | - | - | ✅ | ✅ |
| | *.sbt.lock | - | - | ✅ | ✅ |
| Go | Binaries built by Go | ✅ | ✅ | - | - |
| | go.mod | - | - | ✅ | ✅ |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
| | Binaries built with cargo-auditable | ✅ | ✅ | - | - |
| C/C++ | conan.lock | - | - | ✅ | ✅ |
| Elixir | mix.lock[8] | - | - | ✅ | ✅ |
| Dart | pubspec.lock | - | - | ✅ | ✅ |
| Swift | Podfile.lock | - | - | ✅ | ✅ |
| | Package.resolved | - | - | ✅ | ✅ |
| Julia | Manifest.toml | ✅ | ✅ | ✅ | ✅ |

The path of these files does not matter.

Example: Dockerfile


  1. *.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO

  2. .dist-info/META-DATA

  3. *.jar, *.war, *.par and *.ear

  4. ✅ means "enabled" and - means "disabled" in the image scanning

  5. ✅ means "enabled" and - means "disabled" in the rootfs scanning

  6. ✅ means "enabled" and - means "disabled" in the filesystem scanning

  7. ✅ means "enabled" and - means "disabled" in the git repository scanning

  8. To scan a filename other than the default filename, use file-patterns

  9. Directory.Packages.props and legacy Packages.props file names are supported