Skip to content

Programming Language

Trivy supports programming languages for

Supported languages

The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:

  • Pre-build
  • Post-build

If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files. On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec, binary files, and so on.

Language File Image5 Rootfs6 Filesystem7 Repository8
Ruby Gemfile.lock - -
gemspec - -
Python Pipfile.lock - -
poetry.lock - -
requirements.txt - -
egg package1 - -
wheel package2 - -
conda package3 - -
PHP composer.lock
Node.js package-lock.json - -
yarn.lock - -
pnpm-lock.yaml - -
package.json - -
.NET packages.lock.json
packages.config
.deps.json
Java JAR/WAR/PAR/EAR4 - -
pom.xml - -
*gradle.lockfile - -
Go Binaries built by Go - -
go.mod - -
Rust Cargo.lock
Binaries built with cargo-auditable - -
C/C++ conan.lock - -
Elixir mix.lock10 - -
Dart pubspec.lock - -
Swift Podfile.lock - -
Package.resolved - -

The path of these files does not matter.

Example: Dockerfile

  1. *.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO 

  2. .dist-info/META-DATA 

  3. envs/*/conda-meta/*.json 

  4. *.jar, *.war, *.par and *.ear 

  5. ✅ means "enabled" and - means "disabled" in the image scanning 

  6. ✅ means "enabled" and - means "disabled" in the rootfs scanning 

  7. ✅ means "enabled" and - means "disabled" in the filesystem scanning 

  8. ✅ means "enabled" and - means "disabled" in the git repository scanning 

  9. ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in json and sarif formats. SARIF uses startline == 1 and endline == 1 for unsupported file types 

  10. To scan a filename other than the default filename use file-patterns