Skip to content

Pull Requests

Thank you for taking interest in contributing to Trivy!

  1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
  2. Please add the associated Issue link in the PR description.
  3. Your PR is more likely to be accepted if it focuses on just one change.
  4. There's no need to add or tag reviewers.
  5. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
  6. Please include a comment with the results before and after your change.
  7. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
  8. If your PR affects the user experience in some way, please update the and the CLI help accordingly.


Install the necessary tools for development by following their respective installation instructions.


After making changes to the Go source code, build the project with the following command:

$ mage build
$ ./trivy -h


You must pass the linter checks:

$ mage lint:run

Additionally, you need to have run go mod tidy, so execute the following command as well:

$ mage tidy

To autofix linters use the following command:

$ mage lint:fix

Unit tests

Your PR must pass all the unit tests. You can test it as below.

$ mage test:unit

Integration tests

Your PR must pass all the integration tests. You can test it as below.

$ mage test:integration


If you update CLI flags, you need to generate the CLI references. The test will fail if they are not up-to-date.

$ mage docs:generate

You can build the documents as below and view it at http://localhost:8000.

$ mage docs:serve


It is not that strict, but we use the title conventions in this repository. Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.

Format of the title

<type>(<scope>): <subject>

The type and scope should always be lowercase as shown below.

Allowed <type> values:

  • feat for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
  • fix for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
  • perf for performance improvements. Such commit will trigger a release bumping a PATCH version.
  • docs for changes to the documentation.
  • style for formatting changes, missing semicolons, etc.
  • refactor for refactoring production code, e.g. renaming a variable.
  • test for adding missing tests, refactoring tests; no production code change.
  • build for updating build configuration, development tools or other changes irrelevant to the user.
  • chore for updates that do not apply to the above, such as dependency updates.
  • ci for changes to CI configuration files and scripts
  • revert for revert to a previous commit

Allowed <scope> values:


  • vuln
  • misconf
  • secret
  • license


  • image
  • fs
  • repo
  • sbom
  • k8s
  • server
  • aws
  • vm
  • plugin


  • alpine
  • redhat
  • alma
  • rocky
  • mariner
  • oracle
  • debian
  • ubuntu
  • amazon
  • suse
  • photon
  • distroless


  • ruby
  • php
  • python
  • nodejs
  • rust
  • dotnet
  • java
  • go
  • elixir
  • dart
  • julia


  • os
  • lang


  • kubernetes
  • dockerfile
  • terraform
  • cloudformation


  • docker
  • podman
  • containerd
  • oci


  • cli
  • flag


  • cyclonedx
  • spdx
  • purl


  • helm
  • report
  • db
  • parser
  • deps

The <scope> can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.

Breaking changes

A PR, introducing a breaking API change, needs to append a ! after the type/scope.

Example titles

feat(alma): add support for AlmaLinux
feat(vuln)!: delete the existing CLI flag
fix(oracle): handle advisories with ksplice versions
docs(misconf): add comparison with Conftest and TFsec
chore(deps): bump from 1.19.1 to 1.20.0

NOTE: please do not use chore(deps): update fanal and something like that if you add new features or fix bugs in Trivy-related projects. The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.


Understand where your pull request belongs

Trivy is composed of several repositories that work together:

  • Trivy is the client-side, user-facing, command line tool.
  • vuln-list is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. There should be no pull requests to this repo
  • vuln-list-update is the code that maintains the vuln-list database.
  • trivy-db maintains the vulnerability database pulled by Trivy CLI.
  • go-dep-parser is a library for parsing lock files such as package-lock.json and Gemfile.lock.