Language-specific Packages

Trivy automatically detects the following files in the scanned target and scans the application dependencies they describe for vulnerabilities.

| Language | File                                 | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies | Dependency location[^12] |
|----------|--------------------------------------|:---------:|:----------:|:---------------:|:---------------:|:----------------:|:------------------------:|
| Ruby     | Gemfile.lock                         |     -     |     -      |        ✅        |        ✅        |     included     |            -             |
|          | gemspec                              |     ✅     |     ✅      |        -        |        -        |     included     |            -             |
| Python   | Pipfile.lock                         |     -     |     -      |        ✅        |        ✅        |     excluded     |            ✅             |
|          | poetry.lock                          |     -     |     -      |        ✅        |        ✅        |     excluded     |            -             |
|          | requirements.txt                     |     -     |     -      |        ✅        |        ✅        |     included     |            -             |
|          | egg package[^1]                      |     ✅     |     ✅      |        -        |        -        |     excluded     |            -             |
|          | wheel package[^2]                    |     ✅     |     ✅      |        -        |        -        |     excluded     |            -             |
| PHP      | composer.lock                        |     ✅     |     ✅      |        ✅        |        ✅        |     excluded     |            -             |
| Node.js  | package-lock.json                    |     -     |     -      |        ✅        |        ✅        |     excluded     |            ✅             |
|          | yarn.lock                            |     -     |     -      |        ✅        |        ✅        |     included     |            ✅             |
|          | pnpm-lock.yaml                       |     -     |     -      |        ✅        |        ✅        |     excluded     |            -             |
|          | package.json                         |     ✅     |     ✅      |        -        |        -        |     excluded     |            -             |
| .NET     | packages.lock.json                   |     ✅     |     ✅      |        ✅        |        ✅        |     included     |            ✅             |
|          | packages.config                      |     ✅     |     ✅      |        ✅        |        ✅        |     excluded     |            -             |
|          | .deps.json                           |     ✅     |     ✅      |        ✅        |        ✅        |     excluded     |            ✅             |
| Java     | JAR/WAR/PAR/EAR[^3][^4]              |     ✅     |     ✅      |        -        |        -        |     included     |            -             |
|          | pom.xml[^5]                          |     -     |     -      |        ✅        |        ✅        |     excluded     |            -             |
|          | *gradle.lockfile                     |     -     |     -      |        ✅        |        ✅        |     excluded     |            -             |
| Go       | Binaries built by Go[^6]             |     ✅     |     ✅      |        -        |        -        |     excluded     |            -             |
|          | go.mod[^7]                           |     -     |     -      |        ✅        |        ✅        |     included     |            -             |
| Rust     | Cargo.lock                           |     ✅     |     ✅      |        ✅        |        ✅        |     included     |            -             |
|          | Binaries built with cargo-auditable  |     ✅     |     ✅      |        -        |        -        |     excluded     |            -             |
| C/C++    | conan.lock[^13]                      |     -     |     -      |        ✅        |        ✅        |     excluded     |            -             |
| Elixir   | mix.lock[^13]                        |     -     |     -      |        ✅        |        ✅        |     excluded     |            ✅             |
| Dart     | pubspec.lock                         |     -     |     -      |        ✅        |        ✅        |     included     |            -             |

The location of these files within the scanned target does not matter; Trivy detects them at any path.

Example: Dockerfile


[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`

[^2]: `.dist-info/META-DATA`

[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`

[^4]: Requires Internet access.

[^5]: Requires Internet access when the POM does not exist in your local repository.

[^6]: UPX-compressed binaries are not supported.

[^7]: For Go versions earlier than 1.17, `go.sum` is also required.

[^8]: ✅ means "enabled" and - means "disabled" in image scanning.

[^9]: ✅ means "enabled" and - means "disabled" in rootfs scanning.

[^10]: ✅ means "enabled" and - means "disabled" in filesystem scanning.

[^11]: ✅ means "enabled" and - means "disabled" in git repository scanning.

[^12]: ✅ means that Trivy reports the line numbers at which each dependency is declared in the scanned file. This is only supported in the `json` and `sarif` output formats. For unsupported file types, SARIF output uses `startline == 1` and `endline == 1`.

[^13]: To scan a file whose name differs from the default filename, use `--file-patterns`.