Trivy supports Dart.
The following scanners are supported.
The following table provides an outline of the features Trivy offers.
In order to detect dependencies, Trivy searches for
Trivy marks indirect dependencies, but the pubspec.lock file has no way to separate root transitive dependencies from dev transitive dependencies, so Trivy includes all dependencies in the report.
To build the dependency tree, Trivy parses the cache directory. Currently, the default directories and the PUB_CACHE environment variable (absolute path only) are supported.
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use the dart pub get command.
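A pre-scan check for the cache requirement above, as an added example (not Trivy's code): it reads pubspec.lock, resolves the cache directory, and lists hosted packages that are missing from it. The default cache paths and the hosted/<host>/<name>-<version> layout are assumptions based on Dart's pub tool, the function names are hypothetical, and the sample lock file is constructed.

```python
import os
from pathlib import Path

# Constructed sample pubspec.lock; "transitive" entries carry no main/dev marker.
SAMPLE_LOCK = """packages:
  async:
    dependency: transitive
    source: hosted
    version: "2.11.0"
  http:
    dependency: "direct main"
    source: hosted
    version: "1.1.0"
  test:
    dependency: "direct dev"
    source: hosted
    version: "1.24.9"
"""

def pub_cache_dir(env):
    """PUB_CACHE is used only when absolute; otherwise Dart's default location (assumed)."""
    pc = env.get("PUB_CACHE", "")
    if os.path.isabs(pc):
        return Path(pc)
    if os.name == "nt":
        return Path(env.get("LOCALAPPDATA", "")) / "Pub" / "Cache"
    return Path(env.get("HOME", "")) / ".pub-cache"

def parse_lock(text):
    """Minimal pubspec.lock reader: package names at 2-space indent, scalar fields at 4."""
    pkgs, name, in_pkgs = {}, None, False
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        if indent == 0:
            in_pkgs = key == "packages"
        elif in_pkgs and indent == 2:
            name, pkgs[key] = key, {}
        elif in_pkgs and indent == 4 and val.strip():
            pkgs[name][key] = val.strip().strip('"')
    return pkgs

def missing_from_cache(pkgs, cache):
    """Hosted packages with no <name>-<version>/pubspec.yaml under cache/hosted/<host>/."""
    return [f"{n}@{p['version']}" for n, p in sorted(pkgs.items()) if p.get("source") == "hosted"
            and not any(cache.glob(f"hosted/*/{n}-{p['version']}/pubspec.yaml"))]

if __name__ == "__main__":
    text = Path("pubspec.lock").read_text() if Path("pubspec.lock").exists() else SAMPLE_LOCK
    print("missing from cache:", missing_from_cache(parse_lock(text), pub_cache_dir(os.environ)))
```

A non-empty result means dart pub get should be run before scanning.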