Skip to content

Language-specific Packages

Trivy automatically detects the following files and scans vulnerabilities in the application dependencies.

Supported languages

Language File Image7 Rootfs8 Filesystem9 Repository10 Dev dependencies Dependency location11
Ruby Gemfile.lock - - included -
gemspec - - included -
Python Pipfile.lock - - excluded
poetry.lock - - excluded -
requirements.txt - - included -
egg package1 - - excluded -
wheel package2 - - excluded -
PHP composer.lock excluded
Node.js package-lock.json - - excluded
yarn.lock - - included
pnpm-lock.yaml - - excluded -
package.json - - excluded -
.NET packages.lock.json included
packages.config excluded -
.deps.json excluded
Java JAR/WAR/PAR/EAR3 - - included -
pom.xml4 - - excluded -
*gradle.lockfile - - excluded -
Go Binaries built by Go5 - - excluded -
go.mod6 - - included -
Rust Cargo.lock excluded
Binaries built with cargo-auditable - - excluded -
C/C++ conan.lock12 - - excluded -
Elixir mix.lock12 - - excluded
Dart pubspec.lock - - included -

The path of these files does not matter.

Example: Dockerfile

Data Sources

Language Source Commercial Use Delay1
PHP PHP Security Advisories Database -
GitHub Advisory Database (Composer) -
Python GitHub Advisory Database (pip) -
Open Source Vulnerabilities (PyPI) -
Ruby Ruby Advisory Database -
GitHub Advisory Database (RubyGems) -
Node.js Ecosystem Security Working Group -
GitHub Advisory Database (npm) -
Java GitLab Advisories Community 1 month
GitHub Advisory Database (Maven) -
Go GitHub Advisory Database (Go) -
The Go Vulnerability Database -
Rust Open Source Vulnerabilities (crates.io) -
.NET GitHub Advisory Database (NuGet) -
C/C++ GitLab Advisories Community 1 month
Dart GitHub Advisory Database (Pub) -
Elixir GitHub Advisory Database (Erlang)

  1. Intentional delay between vulnerability disclosure and registration in the DB 

  2. .dist-info/META-DATA 

  3. *.jar, *.war, *.par and *.ear 

  4. It requires Internet access when the POM doesn't exist in your local repository 

  5. UPX-compressed binaries don't work 

  6. If smaller than go 1.17, go.sum is also required 

  7. ✅ means "enabled" and - means "disabled" in the image scanning 

  8. ✅ means "enabled" and - means "disabled" in the rootfs scanning 

  9. ✅ means "enabled" and - means "disabled" in the filesystem scanning 

  10. ✅ means "enabled" and - means "disabled" in the git repository scanning 

  11. ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in json and sarif formats. SARIF uses startline == 1 and endline == 1 for unsupported file types 

  12. To scan a filename other than the default filename use file-patterns 

  13. When you scan Cargo.lock and Cargo.toml together. See about it here