Trivy automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
- package-lock.json (dev dependencies are excluded)
- JAR/WAR/EAR files (.jar, .war, and *.ear)
- Binaries built by Go (UPX-compressed binaries don't work)
The path of these files does not matter.