# Language-specific Packages

Trivy automatically detects the files listed below and scans the application dependencies they declare for known vulnerabilities.
## Supported languages

| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
|---|---|:-:|:-:|:-:|:-:|---|:-:|
| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included | - |
| | gemspec | ✅ | ✅ | - | - | included | - |
| Python | Pipfile.lock | - | - | ✅ | ✅ | excluded | ✅ |
| | poetry.lock | - | - | ✅ | ✅ | excluded | - |
| | requirements.txt | - | - | ✅ | ✅ | included | - |
| | egg package | ✅ | ✅ | - | - | excluded | - |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded | - |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅ |
| Node.js | package-lock.json | - | - | ✅ | ✅ | excluded | ✅ |
| | yarn.lock | - | - | ✅ | ✅ | included | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded | - |
| | package.json | ✅ | ✅ | - | - | excluded | - |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ | excluded | - |
| | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded | ✅ |
| Java | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - | included | - |
| | pom.xml[^4] | - | - | ✅ | ✅ | excluded | - |
| | *gradle.lockfile | - | - | ✅ | ✅ | excluded | - |
| Go | Binaries built by Go[^5] | ✅ | ✅ | - | - | excluded | - |
| | go.mod[^6] | - | - | ✅ | ✅ | included | - |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅[^13] |
| | Binaries built with cargo-auditable | ✅ | ✅ | - | - | excluded | - |
| C/C++ | conan.lock[^12] | - | - | ✅ | ✅ | excluded | - |
| Elixir | mix.lock[^12] | - | - | ✅ | ✅ | excluded | ✅ |
| Dart | pubspec.lock | ✅ | ✅ | - | - | included | - |
The location of these files inside the image, filesystem or repository does not matter; Trivy finds them wherever they are.

Example: Dockerfile
## Data Sources

| Language | Source | Commercial Use | Delay[^1] |
|---|---|:-:|:-:|
| PHP | PHP Security Advisories Database | ✅ | - |
| | GitHub Advisory Database (Composer) | ✅ | - |
| Python | GitHub Advisory Database (pip) | ✅ | - |
| | Open Source Vulnerabilities (PyPI) | ✅ | - |
| Ruby | Ruby Advisory Database | ✅ | - |
| | GitHub Advisory Database (RubyGems) | ✅ | - |
| Node.js | Ecosystem Security Working Group | ✅ | - |
| | GitHub Advisory Database (npm) | ✅ | - |
| Java | GitLab Advisories Community | ✅ | 1 month |
| | GitHub Advisory Database (Maven) | ✅ | - |
| Go | GitHub Advisory Database (Go) | ✅ | - |
| | The Go Vulnerability Database | ✅ | - |
| Rust | Open Source Vulnerabilities (crates.io) | ✅ | - |
| .NET | GitHub Advisory Database (NuGet) | ✅ | - |
| C/C++ | GitLab Advisories Community | ✅ | 1 month |
| Dart | GitHub Advisory Database (Pub) | ✅ | - |
| Elixir | GitHub Advisory Database (Erlang) | ✅ | - |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB.
[^2]: `.dist-info/METADATA`
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: Requires Internet access when the POM does not exist in your local repository.
[^5]: UPX-compressed binaries are not supported.
[^6]: If the `go` directive in `go.mod` is older than 1.17, `go.sum` is also required (pre-1.17 `go.mod` files do not list all indirect dependencies).
[^7]: ✅ means "enabled" and `-` means "disabled" in image scanning.
[^8]: ✅ means "enabled" and `-` means "disabled" in rootfs scanning.
[^9]: ✅ means "enabled" and `-` means "disabled" in filesystem scanning.
[^10]: ✅ means "enabled" and `-` means "disabled" in git repository scanning.
[^11]: ✅ means that Trivy detects the line numbers where each dependency is declared in the scanned file. Only supported in the json and sarif output formats. For file types without this support, SARIF reports `startline == 1 and endline == 1`.
[^12]: To scan a file with a name other than the default, use file-patterns.
[^13]: Applies when `Cargo.lock` and `Cargo.toml` are scanned together. See the Rust page for details.
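The "Dependency location" column above says Trivy records the lines where a vulnerable dependency is declared, but only in json and sarif output and only for some file types. The script below, an added example rather than code from the Trivy project, joins each vulnerability in a JSON report to the line spans of its package so a developer can jump straight to the lockfile entry to fix, and falls back to the bare file name where the file type has no location support (the case where SARIF would report `startline == 1 and endline == 1`). It assumes the report layout of `trivy fs --format json --list-all-pkgs`: `Results[].Packages[].Locations[].StartLine/EndLine` and `Results[].Vulnerabilities[].PkgID` matching `Results[].Packages[].ID`. The embedded report is constructed, not a real scan.

```python
"""Join Trivy JSON findings to the lockfile lines they were declared on.

Added example for this page; it is not code from the Trivy project. It assumes
the JSON report layout Trivy emits for
`trivy fs --format json --list-all-pkgs <dir>`:
Results[].Packages[].Locations[].StartLine/EndLine (only present for file
types with dependency-location support) and Results[].Vulnerabilities[].PkgID,
which matches Results[].Packages[].ID. SAMPLE_REPORT is constructed, not a
real scan.
"""
import json

# Constructed report: one npm lockfile (line numbers supported) and one
# Gemfile.lock (no dependency-location support, so no Locations).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Packages": [
                {"ID": "lodash@4.17.20", "Name": "lodash", "Version": "4.17.20",
                 "Locations": [{"StartLine": 12, "EndLine": 16}]},
                {"ID": "minimist@1.2.5", "Name": "minimist", "Version": "1.2.5",
                 "Locations": [{"StartLine": 40, "EndLine": 44},
                               {"StartLine": 88, "EndLine": 92}]},
            ],
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-23337", "PkgID": "lodash@4.17.20",
                 "PkgName": "lodash", "InstalledVersion": "4.17.20",
                 "FixedVersion": "4.17.21", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-44906", "PkgID": "minimist@1.2.5",
                 "PkgName": "minimist", "InstalledVersion": "1.2.5",
                 "FixedVersion": "1.2.6", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "Gemfile.lock",
            "Class": "lang-pkgs",
            "Type": "bundler",
            "Packages": [
                {"ID": "rack@2.2.3", "Name": "rack", "Version": "2.2.3"},
            ],
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-30123", "PkgID": "rack@2.2.3",
                 "PkgName": "rack", "InstalledVersion": "2.2.3",
                 "FixedVersion": "2.2.3.1", "Severity": "CRITICAL"},
            ],
        },
    ]
})


def index_locations(result):
    """Map a package ID to the (StartLine, EndLine) spans where it is declared.
    Packages without Locations (unsupported file types) are left out."""
    spans_by_id = {}
    for pkg in result.get("Packages", []):
        spans = [(loc["StartLine"], loc["EndLine"]) for loc in pkg.get("Locations", [])]
        if spans:
            spans_by_id[pkg["ID"]] = spans
    return spans_by_id


def locate_findings(report_json):
    """Return one record per vulnerability with the file and line spans to fix.
    `lines` is None when Trivy has no dependency-location support for that
    file type (SARIF output reports startline == endline == 1 in that case)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        if result.get("Class") != "lang-pkgs":
            continue  # skip OS packages, secrets and misconfiguration results
        spans_by_id = index_locations(result)
        for vuln in result.get("Vulnerabilities", []):
            findings.append({
                "file": result["Target"],
                "type": result["Type"],
                "id": vuln["VulnerabilityID"],
                "pkg": f'{vuln["PkgName"]}@{vuln["InstalledVersion"]}',
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN"),
                "lines": spans_by_id.get(vuln.get("PkgID")),
            })
    return findings


def format_finding(finding):
    """One line per finding: severity, ID, package, file[:lines], fix."""
    if finding["lines"] is None:
        where = finding["file"]
    else:
        ranges = ",".join(f"{s}-{e}" for s, e in finding["lines"])
        where = f'{finding["file"]}:{ranges}'
    fix = f'fix: {finding["fixed"]}' if finding["fixed"] else "no fix available"
    return f'{finding["severity"]:<8} {finding["id"]:<16} {finding["pkg"]:<22} {where} ({fix})'


if __name__ == "__main__":
    for finding in locate_findings(SAMPLE_REPORT):
        print(format_finding(finding))
```

To use it on a real project, generate the report with `trivy fs --format json --list-all-pkgs --output report.json .` and pass the file contents to `locate_findings`. Line spans will only be present for file types marked ✅ in the Dependency location column; a package declared in several places (the constructed minimist entry) yields every span, so all of them get fixed rather than just the first.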