Go
Features
Trivy supports two types of Go scanning, Go Modules and binaries built by Go. The following table provides an outline of the features Trivy offers.
Artifact | Offline1 | Dev dependencies |
---|---|---|
Modules | ✓ | Include |
Binaries | ✓ | Exclude |
Note
Trivy scans only dependencies of the Go project. Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself. Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.
Go Modules
Depending on Go versions, the required files are different.
Version | Required files | Offline | License |
---|---|---|---|
>=1.17 | go.mod | ✓ | - |
<1.17 | go.mod, go.sum | ✓ | - |
In Go 1.17+ projects, Trivy uses go.mod
for direct/indirect dependencies.
On the other hand, it uses go.mod
for direct dependencies and go.sum
for indirect dependencies in Go 1.16 or less.
Go 1.17+ holds actually needed indirect dependencies in go.mod
, and it reduces false detection.
go.sum
in Go 1.16 or less contains all indirect dependencies that are even not needed for compiling.
If you want to have better detection, please consider updating the Go version in your project.
Note
The Go version doesn't mean your CLI version, but the Go version in your go.mod.
module github.com/aquasecurity/trivy
go 1.18
require (
github.com/CycloneDX/cyclonedx-go v0.5.0
...
)
To update the Go version in your project, you need to run the following command.
$ go mod tidy -go=1.18
Go binaries
Trivy scans binaries built by Go. If there is a Go binary in your container image, Trivy automatically finds and scans it.
Also, you can scan your local binaries.
$ trivy fs ./your_binary
-
It doesn't require the Internet access. ↩