Conda
Trivy supports the following scanners for Conda packages.
| Scanner | Supported |
|---|---|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | Detection Priority |
|---|---|---|---|---|---|---|
| Conda | environment.yml | - | Include | - | ✓ | - |
<package>.json
SBOM
Trivy parses <conda-root>/envs/<env>/conda-meta/<package>.json files to find the dependencies installed in your env.
License
The <package>.json files contain package license information.
Trivy includes licenses for the packages it finds without having to parse additional files.
environment.yml1
SBOM
Trivy supports parsing environment.yml1 files to find dependency list.
environment.yml1 files supports version range. We can't be sure about versions for these dependencies.
Therefore, you need to use conda env export command to get dependency list in Conda default format before scanning environment.yml1 file.
Note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.
License
Trivy parses conda-meta/<package>.json files at the prefix path.
To correctly define licenses, make sure your environment.yml1 contains prefix field and prefix directory contains package.json files.
Note
To get correct environment.yml1 file and fill prefix directory - use conda env export command.