Releases: aquasecurity/trivy

v0.7.0

12 May 10:13
09442d6

New Feature

Support OCI Image Format

Trivy can now scan an image directory compliant with the "Open Container Image Layout Specification".

Buildah:

$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

Skopeo:

$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

[BREAKING] Override severity with vendor score if exists

Trivy previously displayed the severity from NVD, which is generic, but it is more accurate to use the severity from a vendor such as Red Hat or Debian. The vendor's severity is now preferred over NVD's severity.

NOTE: If you filter vulnerabilities with the --severity option, the results may differ because v0.7.0 uses the vendor severity.
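
The effect of this change on a --severity filter, as an added Go example (a simplified model, not Trivy's own code). The `Vuln` type, the function names and the sample records with placeholder IDs are assumptions made for illustration.

```go
package main

import "fmt"

// Vuln is a simplified, hypothetical record (not Trivy's own type): the NVD
// severity plus the vendor's severity when the vendor has published one.
type Vuln struct {
	ID, NVD, Vendor string // Vendor is "" when no vendor rating exists
}

// effective models the reported severity: NVD only (before v0.7.0) or
// vendor first with NVD as the fallback (v0.7.0).
func effective(v Vuln, preferVendor bool) string {
	if preferVendor && v.Vendor != "" {
		return v.Vendor
	}
	return v.NVD
}

// gateDiff lists the IDs that enter or leave a --severity filter on upgrade.
func gateDiff(vs []Vuln, allowed map[string]bool) (added, dropped []string) {
	for _, v := range vs {
		before := allowed[effective(v, false)]
		after := allowed[effective(v, true)]
		switch {
		case after && !before:
			added = append(added, v.ID)
		case before && !after:
			dropped = append(dropped, v.ID)
		}
	}
	return added, dropped
}

// sample is constructed data with placeholder IDs, not real advisories.
var sample = []Vuln{
	{"EXAMPLE-0001", "CRITICAL", "MEDIUM"}, // vendor rates it lower
	{"EXAMPLE-0002", "HIGH", ""},           // no vendor rating: NVD is kept
	{"EXAMPLE-0003", "MEDIUM", "HIGH"},     // vendor rates it higher
	{"EXAMPLE-0004", "LOW", "LOW"},
}

func main() {
	gate := map[string]bool{"HIGH": true, "CRITICAL": true} // --severity HIGH,CRITICAL
	added, dropped := gateDiff(sample, gate)
	fmt.Println("newly reported:", added, "no longer reported:", dropped)
}
```

A CI gate that fails on HIGH and CRITICAL findings can change its verdict in either direction after the upgrade, so compare one scan of the same image before and after moving to v0.7.0.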

Bugs

rpc: fix output to use templates when in client/server mode. (#469)

A template didn't work in client/server mode.

fix: handle a scratch/busybox/DockerSlim image gracefully (#476)

Trivy can't detect vulnerabilities in OS packages for an image based on scratch/busybox because those images don't have a package manager such as yum or apt. It should still detect vulnerabilities in library dependencies from lock files such as package-lock.json, and this commit enables that.

Changelog

09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)

Docker images

  • docker pull docker.io/aquasec/trivy:0.7.0
  • docker pull docker.io/aquasec/trivy:latest

v0.6.0

15 Apr 13:49
ac5f313

Changelog

ac5f313 feat(db): store metadata as a file (#464)
329f245 fix: replace containers/image with google/go-containerregistry (#456)
d6595ad add ubuntu 20.04 (#460)
114df7a using STDIN for docker login command (#458)

Docker images

  • docker pull docker.io/aquasec/trivy:0.6.0
  • docker pull docker.io/aquasec/trivy:latest

v0.5.4

06 Apr 13:46
e5ff5ec

Bug fixes

Crash following interrupted DB download (#288)

Changelog

e5ff5ec Fix CircleCI example in README.md (#451)
1bc02f9 fix(db): retry downloading the database if it is broken (#452)
05fa779 chore(release): add all supported versions (#445)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.4
  • docker pull docker.io/aquasec/trivy:latest

v0.5.3

24 Mar 09:14
6fbdec6

Changelog

6fbdec6 app: Fix a few edge cases with version flag (#443)
94eb7cc Expose Trivy and VulnDB version through --version (#435)
b847e57 feat: show origin layer for vulnerabilities (#439)
07a731c Fix filepath separators on Windows (#414)
4ee7a1e fix circleci example (#431)
ede778f Merge pull request #434 from aquasecurity/license
64a07da Merge branch 'master' into license
623eb79 Remove outdated license section from README
51b8fd8 Change license to Apache 2.0, continued
6f7776e Change license to Apache 2.0
a70cee9 chore(ci): add cross-compile test (#425)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.3
  • docker pull docker.io/aquasec/trivy:latest

v0.5.2

06 Mar 12:42
5e36cb9

Changelog

5e36cb9 fix(rpm): make it possible to scan non-RHEL images without rpm (#429)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.2
  • docker pull docker.io/aquasec/trivy:latest

v0.5.1

06 Mar 10:20
74bf99b

Changelog

74bf99b fix(token): use the credential from environment variable (#427)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.1
  • docker pull docker.io/aquasec/trivy:latest

v0.5.0

05 Mar 15:16
3ed0cfb

Changelog

3ed0cfb chore(goreleaser): drop BSD support temporarily (#424)
aca31df detector: Add LayerID to detect vulns (#419)
18b80e3 feat(cache): based on JSON (#398)
b83174f chore(README): add explanation for self-compiled binaries/packages (#413)
80bbe47 fix(gitlab): fix json generation on loop (#409)
7726963 fix(scanner): pass docker options as an argument (#408)
db2136b doc: Add Alpine Linux 3.11 to supported OS docs (#407)

Docker images

  • docker pull docker.io/aquasec/trivy:0.5.0
  • docker pull docker.io/aquasec/trivy:latest

v0.4.4

16 Feb 08:47
42043a0

Changelog

42043a0 fix(client): add image name and build time (#402)
246793e fix(redhat): use binary package name for OVAL (#393)
692b0f1 cli: append warning when --template option is ignored (#391)
0629e1d fix(cli): reject multiple images (#392)
9707c7b Initial GitLab CI template to deeply integrated with GitLab Container Scanning (#376)
194fbef feat(): include GitLab template inside the docker container (#388)
f7db00c Modify template for GitLab Container Scanning (#387)
2f4b31e chore(goreleaser): bump up to 0.124.1 (#383)
9289624 doc: Update GitLab CI example documentation (#375)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.4
  • docker pull docker.io/aquasec/trivy:latest

v0.4.3

23 Jan 09:34
5a8749c

New Feature

Save the results using a template

$ trivy --format template --template "@/path/to/template" golang:1.12-alpine

See here for an example

Changelog

5a8749c chore: add install script (#370)
4a7fb52 fix typo in example of .gitlab-ci.yml (#373)
8888fca chore(goreleaser): change name_template to file_name_template (#369)
63a8c6d Integrate with Gitlab Container Scanning (#367)
fc222be chore: change a licence in goreleaser.yml (#365)
6132ff9 template: Load template from paths (#202)
87556aa Dockerfile: Update to alpine 3.11 (#361)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.3
  • docker pull docker.io/aquasec/trivy:latest

v0.4.2

12 Jan 19:19

Bug fixes

  • Infinite loop when resolving dependencies of packages in Alpine #363
  • Memory monster #362

Changelog

43362b2 Fix infinite loop when resolving dependencies of packages in Alpine (#364)
db2d0c2 docker_engine_test: Add more OSes (#358)
922d493 Add EOL Date for alpine 3.11 (#359)

Docker images

  • docker pull docker.io/aquasec/trivy:0.4.2
  • docker pull docker.io/aquasec/trivy:latest