Trivy supports three types of Node.js package managers: npm, Yarn and pnpm.
The following table provides an outline of the features Trivy offers.

| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|---|---|---|---|---|---|---|
In addition, Trivy scans installed packages with
These may be enabled or disabled depending on the target. See here for the detail.
Trivy parses your files generated by package managers in filesystem/repository scanning.
Please make sure your lock file is up-to-date after modifying
To identify licenses, you need to download dependencies to node_modules beforehand, since the license information is read from the installed packages there.
yarn.lock, which doesn't contain information about development dependencies.
To exclude devDependencies, package.json also needs to be present next to

pnpm-lock.yaml, then finds production dependencies and builds a tree of dependencies with vulnerabilities.
Trivy parses the manifest files of installed packages in container image scanning and so on.
Trivy searches for package.json files under node_modules and identifies installed packages.
It only extracts package names, versions and licenses for those packages.
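The following is an added example, not Trivy's own code, that illustrates the behaviour described above: walk every node_modules directory (including nested ones used for transitive dependencies and scoped packages), read each package.json, and keep only the name, version and license. It also shows why package.json must be present next to the lock file: the top-level manifest's devDependencies section is what lets a scanner tell development-only packages apart from production ones. The sample project, its package names, versions and licenses are all constructed here; the `dev` flag only covers direct dev dependencies, since tracing which transitive packages belong to a dev-only subtree needs the lock file.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample project, embedded so the script runs offline. Package names,
# versions and licences below are made up for illustration.
SAMPLE_FILES = {
    "package.json": {
        "name": "sample-app",
        "version": "1.0.0",
        "dependencies": {"left-pad-ish": "^1.0.0", "@example/logger": "^2.1.0"},
        "devDependencies": {"test-helper": "^0.3.0"},
    },
    "node_modules/left-pad-ish/package.json": {
        "name": "left-pad-ish", "version": "1.0.4", "license": "MIT",
    },
    # transitive dependency installed in a nested node_modules directory
    "node_modules/left-pad-ish/node_modules/deep-dep/package.json": {
        "name": "deep-dep", "version": "0.9.0", "license": "ISC",
    },
    # scoped package; licence given in the older object form
    "node_modules/@example/logger/package.json": {
        "name": "@example/logger", "version": "2.1.3",
        "license": {"type": "Apache-2.0"},
    },
    # dev dependency; licence given in the deprecated "licenses" array form
    "node_modules/test-helper/package.json": {
        "name": "test-helper", "version": "0.3.1",
        "licenses": [{"type": "BSD-2-Clause"}],
    },
}


def write_sample_project(base: Path) -> Path:
    """Materialise SAMPLE_FILES under base and return the project root."""
    for rel, content in SAMPLE_FILES.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(content, indent=2))
    return base


def license_of(manifest: dict):
    """Normalise the licence field of a package.json to an SPDX-style string."""
    lic = manifest.get("license")
    if isinstance(lic, str):
        return lic
    if isinstance(lic, dict) and isinstance(lic.get("type"), str):
        return lic["type"]
    legacy = manifest.get("licenses")
    if isinstance(legacy, list):
        types = [e["type"] for e in legacy if isinstance(e, dict) and "type" in e]
        if types:
            return " OR ".join(types)
    return None


def find_installed_packages(root: Path) -> list:
    """Walk every node_modules directory below root and collect name, version and licence."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root / "node_modules"):
        # hidden directories such as node_modules/.bin hold no package manifests
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        if "package.json" not in filenames:
            continue
        try:
            manifest = json.loads(Path(dirpath, "package.json").read_text())
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it, do not abort the scan
        name, version = manifest.get("name"), manifest.get("version")
        if not isinstance(name, str) or not isinstance(version, str):
            continue  # not an installed package (e.g. a stray manifest without a version)
        found.append({"name": name, "version": version,
                      "license": license_of(manifest),
                      "path": str(Path(dirpath).relative_to(root))})
    return sorted(found, key=lambda p: (p["name"], p["path"]))


def mark_dev_dependencies(root: Path, packages: list) -> list:
    """Flag packages declared only under devDependencies in the top-level package.json.

    Simplification: transitive dependencies of a dev-only package are not traced;
    that needs the lock file's dependency tree.
    """
    manifest = json.loads((root / "package.json").read_text())
    prod = set(manifest.get("dependencies", {}))
    dev = set(manifest.get("devDependencies", {}))
    for pkg in packages:
        pkg["dev"] = pkg["name"] in dev and pkg["name"] not in prod
    return packages


def scan(root: Path) -> list:
    """Installed-package inventory for a project root, with dev-only packages flagged."""
    return mark_dev_dependencies(root, find_installed_packages(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pkg in scan(write_sample_project(Path(tmp))):
            print(pkg)
```

Running the script prints four packages: the nested deep-dep is found under left-pad-ish's own node_modules, both licence spellings are normalised to plain strings, and only test-helper carries `dev: True`. Packages with a missing or malformed manifest are skipped rather than failing the whole scan, which is the behaviour you want from an inventory step.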