v0.40.0

[aqua-bot]

🚀 What's new? 🚀

🖇️ OCI Referrers 📜

When scanning an image from registry, Trivy can now discover the SBOM for the image using the new OCI 1.1 Artifacts and Referrers. To enable this, use the --sbom-sources oci flag:

trivy image myregistry.com/app:latest --sbom-sources oci         
...
2023-04-17T15:01:54.038+0300    INFO    Detected SBOM format: cyclonedx-json
2023-04-17T15:01:54.136+0300    INFO    Found SBOM (cyclonedx) in the OCI referrers

Trivy also has a new plugin to help with managing artifacts and references in OCI registry.
It can:

• push SBOM (cyclonedx/spdx) to registry as referrer
• push vulnerability report (cosign-vuln/sarif) to registry as referrer
• when pushing, trivy will automatically detect the subject image, the artifact types, and add appropriate annotations
• list image referrers for image, in various useful formats
• get contents of artifact referrer

You can find more information about the trivy referrer plugin here: https://github.com/aquasecurity/trivy-plugin-referrer/

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

🌟 Skip files/dirs by globstar

--skip-files and --skip-dirs now support globstar (**).

$ trivy fs --skip-files "**/gosu" ./

🦀 Cargo.lock v3 support

Support for generating SBOM and vulnerability scanning for Cargo.lock v3.

$ trivy fs ./Cargo.lock

📦 Signed Trivy RPM Package 🔏

Trivy's RPM package is now signed. You can verify the signature during installation by specifying the GPG key.

cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
EOF

📄 Image metadata in SARIF format

When generating a SARIF report, Trivy now stores information about the image that was scanned inside the report. Image name, digest, and tags will be added to the property bag of the "Run" object.

$ trivy image --format sarif debian:11 --quiet | tail -n 20
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      },
      "properties": {
        "imageName": "debian:11",
        "repoDigests": [
          "debian@sha256:7b991788987ad860810df60927e1adbaf8e156520177bd4db82409f81dd3b721"
        ],
        "repoTags": [
          "debian:11"
        ]
      }
    }
  ]
}

🐙 Support for Chainguard commercial distro 🐺

Trivy now supports vulnerability scanning for Chainguard Linux, a commercial distribution based on Wolfi.
(Thanks @luhring )

---

This discussion was created from the release v0.40.0.