Skip to content

Trivy

Language-specific Packages

Trivy

HOME
Getting started
Getting started
- Overview
- Installation
- Quick Start
- Troubleshooting
- Further Reading
- Credits
- Reference
  Reference
  - CLI
    CLI
    
    Overview
    
    Image
    
    Config
    
    Filesystem
    
    Repository
    
    Client
    
    Server
Vulnerability
Vulnerability
- Scanning
  Scanning
- Detection
  Detection
- Examples
  Examples
Misconfiguration
Misconfiguration
- Scanning
  Scanning
- Policy
  Policy
  - Built-in Policies
  - Exceptions
- Custom Policies
  Custom Policies
  - Overview
  - Data
  - Combine
  - Testing
  - Debugging Policies
  - Examples
- Options
  Options
- Comparison
  Comparison
  - vs Conftest
  - vs tfsec
Advanced
Advanced
- Overview
- Plugins
- Air-Gapped Environment
- Integrations
  Integrations
- Container Image
  Container Image
  - Embed in Dockerfile
  - Unpacked container image filesystem
  - OCI Image
  - Podman
  - Private Docker Registries
    Private Docker Registries
    
    Overview
    
    Docker Hub
    
    AWS ECR (Elastic Container Registry)
    
    GCR (Google Container Registry)
    
    Self-Hosted
- Modes
  Modes
  - Standalone
  - Client/Server
- Maintainer
  Maintainer
  - Help Wanted
  - Triage

Language-specific Packages

Trivy automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

Language	File	Dev dependencies
Ruby	Gemfile.lock	included
Python	Pipfile.lock	excluded
	poetry.lock	included
PHP	composer.lock	excluded
Node.js	package-lock.json	excluded
	yarn.lock	included
.NET	packages.lock.json	included
Java	JAR/WAR/EAR (`.jar`, `.war`, and `*.ear`)¹	included
Go	Binaries built by Go²	excluded
	go.sum	included

The path of these files does not matter.

Example: Dockerfile

It requires the Internet access ↩
UPX-compressed binaries don't work ↩