Scanning results may be inaccurate.
Trivy supports the following scanners for Bitnami packages.
The table below outlines the features offered by Trivy.
Trivy analyzes the SBOM information contained within the container images provided by Bitnami.
The SBOM files are located at
Since Bitnami has its own vulnerability database, it uses these for vulnerability detection of applications and packages distributed by Bitnami.
Trivy does not support vulnerability detection of independently compiled binaries, so even if you scan container images like
nginx:1.15.2, vulnerabilities in Nginx cannot be detected.
This is because main applications like Nginx are not installed by the package manager.
However, in the case of Bitnami images, since these SBOMs are stored within the image, scanning
bitnami/nginx:1.15.2 allows for the detection of vulnerabilities in Nginx.
Trivy refers to the Bitnami database. Please note that these may differ from the upstream fixed versions.
Similar to Fixed versions, it follows Bitnami's vulnerability database.
Trivy supports the following vulnerability statuses for Bitnami packages.
|Will Not Fix
|End of Life
If licenses are included in the SBOM distributed by Bitnami, they will be used for scanning.