

Trivy supports Dart.

The following scanners are supported.

Package manager SBOM Vulnerability License
Dart -

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
Dart pubspec.lock Included -


In order to detect dependencies, Trivy searches for pubspec.lock.

Trivy marks indirect dependencies, but the pubspec.lock file gives no way to separate root and dev transitive dependencies, so Trivy includes all dependencies in the report.

SDK dependencies

Dart uses version 0.0.0 for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies.

Therefore, we use the first version of the constraint for the SDK.

For example, in the following case the version of flutter should be 3.3.0:

  packages:
    flutter:
      dependency: "direct main"
      description: flutter
      source: sdk
      version: "0.0.0"
  sdks:
    dart: ">=2.18.0 <3.0.0"
    flutter: "^3.3.0"
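
The SDK version rule described above, written out in Go as an added example; it is not Trivy's code. The line-based parsing, the resolveVersions helper, the http entry in the constructed sample and the choice to match an SDK package to its sdks constraint by name are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed pubspec.lock fragment modelled on the page's flutter example.
const sampleLock = `packages:
  flutter:
    source: sdk
    version: "0.0.0"
  http:
    source: hosted
    version: "0.13.5"
sdks:
  dart: ">=2.18.0 <3.0.0"
  flutter: "^3.3.0"
`
var verRe = regexp.MustCompile(`\d+\.\d+\.\d+[0-9A-Za-z.+-]*`)

// resolveVersions (hypothetical) swaps the 0.0.0 of SDK packages for the first version in the sdks constraint.
func resolveVersions(lock string) map[string]map[string]string {
	pkgs, sdks := map[string]map[string]string{}, map[string]string{}
	section, pkg := "", ""
	for _, line := range strings.Split(lock, "\n") {
		indent := len(line) - len(strings.TrimLeft(line, " "))
		key, val, _ := strings.Cut(strings.TrimSpace(line), ":")
		val = strings.Trim(val, `" `) // drop surrounding quotes and spaces
		switch {
		case indent == 0: // top-level key: packages, sdks
			section = key
		case indent == 2 && section == "sdks":
			sdks[key] = val
		case indent == 2 && section == "packages":
			pkg, pkgs[key] = key, map[string]string{}
		case indent == 4 && section == "packages":
			pkgs[pkg][key] = val
		}
	}
	for name, f := range pkgs {
		if c, ok := sdks[name]; ok && f["source"] == "sdk" && f["version"] == "0.0.0" {
			f["version"] = verRe.FindString(c) // "^3.3.0" yields 3.3.0
		}
	}
	return pkgs
}

func main() { fmt.Println(resolveVersions(sampleLock)) }
```

A package with source sdk but no matching sdks entry keeps 0.0.0, so a scanner following this logic should treat that version as unknown rather than as a real release.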

Dependency tree

To build the dependency tree, Trivy parses the cache directory. Currently, the default directories and the PUB_CACHE environment variable (absolute path only) are supported.


Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use the dart pub get command.