The following scanners are supported.
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
| --------------- | ---- | :---------------------: | :--------------: | :--------------: | :------: |
These may be enabled or disabled depending on the target. See here for details.
Trivy parses the Package.resolved file to find dependencies.
Don't forget to update this file (with the `swift package update` command) before scanning, so that the pinned versions match what the project actually builds against.
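As an added illustration of the file Trivy reads (example code, not Trivy's own parser), the following Go program extracts each pin from a Package.resolved document in either the version 1 or version 2 layout and normalises the repository URL to the `github.com/owner/repo` form that Git-URL-keyed advisory sources use. The sample document, the `example.invalid` package and the `PLACEHOLDER` revisions are constructed for this example.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Pin is one resolved dependency named by its Git URL (github.com/owner/repo),
// the form that advisory databases such as GHSA key on.
type Pin struct {
	Name    string
	Version string // empty for branch or revision-only pins, which carry no version to compare
}
// rawFile accepts both layouts: version 1 nests pins under "object" and calls the
// URL "repositoryURL"; version 2 lists pins at the top level and calls it "location".
type rawPin struct {
	Location      string `json:"location"`
	RepositoryURL string `json:"repositoryURL"`
	State         struct{ Version string `json:"version"` } `json:"state"`
}
type rawFile struct {
	Version int      `json:"version"`
	Pins    []rawPin `json:"pins"`
	Object  struct{ Pins []rawPin `json:"pins"` } `json:"object"`
}
// normaliseURL turns "https://github.com/apple/swift-nio.git" into "github.com/apple/swift-nio".
func normaliseURL(u string) string {
	u = strings.TrimPrefix(strings.TrimPrefix(u, "https://"), "http://")
	return strings.TrimSuffix(strings.TrimSuffix(u, "/"), ".git")
}
// ParsePackageResolved returns the pinned dependencies of a Package.resolved document.
func ParsePackageResolved(data []byte) ([]Pin, error) {
	var f rawFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, err
	}
	raws := f.Pins
	if f.Version == 1 {
		raws = f.Object.Pins
	}
	pins := make([]Pin, 0, len(raws))
	for _, r := range raws {
		loc := r.Location + r.RepositoryURL // exactly one of the two is set per layout
		pins = append(pins, Pin{Name: normaliseURL(loc), Version: r.State.Version})
	}
	return pins, nil
}
// Sample is a constructed version-2 file with placeholder revisions; the second pin tracks a branch.
const Sample = `{"version":2,"pins":[{"identity":"swift-nio","kind":"remoteSourceControl","location":"https://github.com/apple/swift-nio.git","state":{"revision":"PLACEHOLDER","version":"2.41.0"}},
{"identity":"example-branch","kind":"remoteSourceControl","location":"https://example.invalid/org/example-branch.git","state":{"branch":"main","revision":"PLACEHOLDER"}}]}`
```

A pin that tracks a branch has no version to compare against an advisory's affected range, which is one reason to resolve to tagged releases before relying on scan results.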
Since GHSA holds only Git URLs, such as github.com/apple/swift-nio,
Trivy can't identify which submodule is affected and instead reports all submodules maintained under the same URL.
For example, SwiftNIOHTTP1 and SwiftNIOWebSocket are both maintained under a single Git URL,
and Trivy detects CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.