# Programming Language

Trivy supports programming languages for

## Supported languages
The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:

- Pre-build
- Post-build

If the target is a pre-build project, like a code repository, Trivy analyzes the files used for building, such as lock files.
If the target is a post-build artifact, like a container image, Trivy instead analyzes installed package metadata (for example `.gemspec` files), binaries, and so on. The same file name can therefore be read for one target type and ignored for another; the table below lists which files are enabled for each.
| Language | File | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
|---|---|:---:|:---:|:---:|:---:|
| Ruby | Gemfile.lock | - | - | ✅ | ✅ |
|  | .gemspec | ✅ | ✅ | - | - |
| Python | Pipfile.lock | - | - | ✅ | ✅ |
|  | poetry.lock | - | - | ✅ | ✅ |
|  | requirements.txt | - | - | ✅ | ✅ |
|  | egg package[^1] | ✅ | ✅ | - | - |
|  | wheel package[^2] | ✅ | ✅ | - | - |
|  | conda package[^3] | ✅ | ✅ | - | - |
| PHP | composer.lock | - | - | ✅ | ✅ |
|  | installed.json | ✅ | ✅ | - | - |
| Node.js | package-lock.json | - | - | ✅ | ✅ |
|  | yarn.lock | - | - | ✅ | ✅ |
|  | pnpm-lock.yaml | - | - | ✅ | ✅ |
|  | package.json | ✅ | ✅ | - | - |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
|  | packages.config | ✅ | ✅ | ✅ | ✅ |
|  | .deps.json | ✅ | ✅ | ✅ | ✅ |
|  | *Packages.props[^11] | ✅ | ✅ | ✅ | ✅ |
| Java | JAR/WAR/PAR/EAR[^4] | ✅ | ✅ | - | - |
|  | pom.xml | - | - | ✅ | ✅ |
|  | *gradle.lockfile | - | - | ✅ | ✅ |
|  | *.sbt.lock | - | - | ✅ | ✅ |
| Go | Binaries built by Go | ✅ | ✅ | - | - |
|  | go.mod | - | - | ✅ | ✅ |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
|  | Binaries built with cargo-auditable | ✅ | ✅ | - | - |
| C/C++ | conan.lock | - | - | ✅ | ✅ |
| Elixir | mix.lock[^10] | - | - | ✅ | ✅ |
| Dart | pubspec.lock | - | - | ✅ | ✅ |
| Swift | Podfile.lock | - | - | ✅ | ✅ |
|  | Package.resolved | - | - | ✅ | ✅ |
| Julia | Manifest.toml | ✅ | ✅ | ✅ | ✅ |
The path of these files does not matter: Trivy matches them by name wherever they appear in the target. One consequence for images follows directly from the table: a lock file that is merely copied into a container image (for example `requirements.txt` or `package-lock.json`) is not read by `trivy image`, which relies on installed package metadata such as wheel `.dist-info` or `package.json` under `node_modules`. To cover lock files, scan the source tree with `trivy fs` or `trivy repo` as well.

Example: Dockerfile
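As an added example (not Trivy's own code), the script below encodes the coverage table and its footnotes so a file listing can be checked before a scan to see what a given target type will analyze and what it will silently skip. The glob matching against only the trailing path segments (so the directory does not matter) is my reading of the page and an assumption; the `SAMPLE_PATHS` listing is constructed, and the `Rule`, `classify` and `coverage` names are mine.

```python
"""Model of which language files Trivy analyzes for each target type.

Added example, not Trivy's own code: it encodes the table on this page
(which files are enabled for image, rootfs, filesystem and repository
targets). Matching a glob against only the trailing path segments, so the
directory does not matter, is an assumption; SAMPLE_PATHS is constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

TARGETS = ("image", "rootfs", "filesystem", "repository")
POST = (True, True, False, False)  # post-build: image and rootfs only
PRE = (False, False, True, True)   # pre-build: filesystem and repository only
ALL = (True, True, True, True)


@dataclass(frozen=True)
class Rule:
    language: str
    pattern: str             # glob matched against the tail of the path
    targets: frozenset[str]  # target types where this analyzer is enabled


# Name-matchable rows of the table. Go binaries and cargo-auditable binaries are
# recognised by content rather than by file name, so they are left out here.
TABLE = [
    ("Ruby", "Gemfile.lock", PRE), ("Ruby", "*.gemspec", POST),
    ("Python", "Pipfile.lock", PRE), ("Python", "poetry.lock", PRE), ("Python", "requirements.txt", PRE),
    ("Python", "*.egg-info", POST), ("Python", "*.egg-info/PKG-INFO", POST), ("Python", "*.egg", POST),
    ("Python", "EGG-INFO/PKG-INFO", POST), ("Python", "*.dist-info/METADATA", POST),
    ("Python", "envs/*/conda-meta/*.json", POST),
    ("PHP", "composer.lock", PRE), ("PHP", "installed.json", POST),
    ("Node.js", "package-lock.json", PRE), ("Node.js", "yarn.lock", PRE), ("Node.js", "pnpm-lock.yaml", PRE),
    ("Node.js", "package.json", POST),
    (".NET", "packages.lock.json", ALL), (".NET", "packages.config", ALL), (".NET", "*.deps.json", ALL),
    (".NET", "Directory.Packages.props", ALL), (".NET", "Packages.props", ALL),
    ("Java", "*.jar", POST), ("Java", "*.war", POST), ("Java", "*.par", POST), ("Java", "*.ear", POST),
    ("Java", "pom.xml", PRE), ("Java", "*gradle.lockfile", PRE), ("Java", "*.sbt.lock", PRE),
    ("Go", "go.mod", PRE), ("Rust", "Cargo.lock", ALL), ("C/C++", "conan.lock", PRE),
    ("Elixir", "mix.lock", PRE), ("Dart", "pubspec.lock", PRE),
    ("Swift", "Podfile.lock", PRE), ("Swift", "Package.resolved", PRE), ("Julia", "Manifest.toml", ALL),
]
RULES = [Rule(lang, pat, frozenset(t for t, on in zip(TARGETS, flags) if on)) for lang, pat, flags in TABLE]


def _matches(path: str, pattern: str) -> bool:
    """Match against only as many trailing segments as the pattern has, so
    'a/b/c/Gemfile.lock' and 'Gemfile.lock' are treated alike."""
    parts = path.strip("/").split("/")
    depth = pattern.count("/") + 1
    return fnmatch.fnmatchcase("/".join(parts[-depth:]), pattern)


def classify(path: str) -> Rule | None:
    """First table row whose pattern matches the path, or None."""
    return next((r for r in RULES if _matches(path, r.pattern)), None)


def coverage(target: str, paths: list[str]) -> dict[str, list]:
    """Split a listing into files Trivy analyzes for this target type, files it
    knows but skips for this target (with the target types that would read
    them), and files no language analyzer claims."""
    if target not in TARGETS:
        raise ValueError(f"unknown target {target!r}; expected one of {TARGETS}")
    out: dict[str, list] = {"analyzed": [], "skipped": [], "unknown": []}
    for p in paths:
        rule = classify(p)
        if rule is None:
            out["unknown"].append(p)
        elif target in rule.targets:
            out["analyzed"].append((p, rule.language))
        else:
            out["skipped"].append((p, rule.language, sorted(rule.targets)))
    return out


# Constructed listing of an image whose Dockerfile copies the source tree in and
# pip-installs into site-packages: the lock files ride along, but an image scan
# reads the installed metadata, not the lock files.
SAMPLE_PATHS = [
    "/app/requirements.txt",
    "/usr/local/lib/python3.12/site-packages/requests-2.32.3.dist-info/METADATA",
    "/app/package-lock.json",
    "/usr/lib/node_modules/npm/package.json",
    "/app/Cargo.lock",
    "/opt/app/lib/app.jar",
    "/etc/passwd",
]

if __name__ == "__main__":
    for target in ("image", "repository"):
        res = coverage(target, SAMPLE_PATHS)
        print(f"== {target} target")
        print("  analyzed:", [p for p, _ in res["analyzed"]])
        print("  skipped: ", [(p, where) for p, _, where in res["skipped"]])
        print("  no rule: ", res["unknown"])
```

Running it shows the gap the table implies: for the `image` target only the wheel metadata, `package.json`, `Cargo.lock` and the JAR are analyzed, while `requirements.txt` and `package-lock.json` are skipped; for the `repository` target it is the reverse. If a team only ever runs `trivy image`, anything that exists solely as a lock file in the build context is never scanned.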
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/METADATA`
[^3]: `envs/*/conda-meta/*.json`
[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^5]: ✅ means "enabled" and `-` means "disabled" in image scanning
[^6]: ✅ means "enabled" and `-` means "disabled" in rootfs scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in filesystem scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in git repository scanning
[^9]: ✅ means that Trivy detects the line numbers where each dependency is declared in the scanned file. Only supported in the json and sarif formats; SARIF uses `startline == 1` and `endline == 1` for unsupported file types
[^10]: To scan a file name other than the default, use the `--file-patterns` option
[^11]: `Directory.Packages.props` and the legacy `Packages.props` file names are supported