Language-specific Packages

Trivy automatically detects the following files in the container or filesystem and scans for vulnerabilities in the application dependencies they describe.
Language | File | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies
---|---|---|---|---|---|---
Ruby | Gemfile.lock | - | - | ✅ | ✅ | included
Ruby | gemspec | ✅ | ✅ | - | - | included
Python | Pipfile.lock | - | - | ✅ | ✅ | excluded
Python | poetry.lock | - | - | ✅ | ✅ | included
Python | requirements.txt | - | - | ✅ | ✅ | included
Python | egg package[^1] | ✅ | ✅ | - | - | excluded
Python | wheel package[^2] | ✅ | ✅ | - | - | excluded
PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded
Node.js | package-lock.json | - | - | ✅ | ✅ | excluded
Node.js | yarn.lock | - | - | ✅ | ✅ | included
Node.js | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded
Node.js | package.json | ✅ | ✅ | - | - | excluded
.NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included
.NET | packages.config | ✅ | ✅ | ✅ | ✅ | excluded
.NET | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded
Java | JAR/WAR/PAR/EAR[^3][^4] | ✅ | ✅ | - | - | included
Java | pom.xml[^5] | - | - | ✅ | ✅ | excluded
Java | *gradle.lockfile | - | - | ✅ | ✅ | excluded
Go | Binaries built by Go[^6] | ✅ | ✅ | - | - | excluded
Go | go.mod[^7] | - | - | ✅ | ✅ | included
Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | included
Rust | Binaries built with cargo-auditable | ✅ | ✅ | - | - | excluded
C/C++ | conan.lock[^12] | - | - | ✅ | ✅ | excluded
The path of these files does not matter.
Example: Dockerfile
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: It requires Internet access
[^5]: It requires Internet access when the POM doesn't exist in your local repository
[^6]: UPX-compressed binaries don't work
[^7]: For Go versions older than 1.17, `go.sum` is also required
[^8]: ✅ means "enabled" and - means "disabled" in the image scanning
[^9]: ✅ means "enabled" and - means "disabled" in the rootfs scanning
[^10]: ✅ means "enabled" and - means "disabled" in the filesystem scanning
[^11]: ✅ means "enabled" and - means "disabled" in the git repository scanning
[^12]: To scan a filename other than the default filename (`conan.lock`), use `--file-patterns`