
Releases: aquasecurity/trivy

v0.40.0

16 Apr 13:30
b43b19b

⚡Release highlights and summary⚡

👉 #4074

Changelog

  • b43b19b feat(flag): Support globstar for --skip-files and --skip-directories (#4026)
  • 1480500 chore(deps): bump actions/stale from 7 to 8 (#3955)
  • 83bb97a fix: return insecure option to download javadb (#4064)
  • 79a1ba3 fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
  • ff1c43a ci: add gpg signing for RPM packages (#4056)
  • b608b11 fix(k8s): current context title (#4055)
  • 2c3b60f fix(k8s): quit support on k8s progress bar (#4021)
  • a6b8642 chore: add a note about Dockerfile.canary (#4050)
  • 90b8066 ci: fix path to canary binaries (#4045)
  • dcefc6b fix(vuln): report architecture for debian packages (#4032)
  • 601e25f feat: add support for Chainguard's commercial distro (#3641)
  • 0bebec1 ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
  • 707ea94 fix(vuln): fix error message for remote scanners (#4031)
  • 8e1fe76 feat(report): add image metadata to SARIF (#4020)
  • 4b36e97 docs: fix broken cache link on Installation page (#3999)
  • f0df725 fix: lock downloading policies and database (#4017)
  • 009675c fix: avoid concurrent access to the global map (#4014)
  • 3ed86aa feat(rust): add Cargo.lock v3 support (#4012)
  • f31dea4 feat: auth support oci download server subcommand (#4008)
  • d37c50a chore(deps): bump github.com/docker/docker (#4009)
  • 693d205 chore: install.sh support for armv7 (#3985)
  • 65d89b9 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961)

v0.39.1

09 Apr 13:47
a119ef8

Changelog

  • a119ef8 fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
  • c8283ce fix(sbom): fix infinite loop for cyclonedx (#3998)
  • 6c8b042 chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
  • c42f360 fix: use warning for errors from enrichment files for post-analyzers (#3972)
  • 20c21ca chore(deps): bump github.com/docker/docker (#3963)
  • 54388ff fix(helm): added annotation to psp configurable from values (#3893)
  • 99a2519 chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962)
  • d113b93 fix(secret): update built-in rule tests (#3855)
  • 5ab6d25 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957)
  • 0767cb8 test: rewrite scripts in Go (#3968)
  • 428ee19 docs(cli): Improve glob documentation (#3945)
  • 3e00dc3 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959)
  • cf2f0b2 ci: check CLI references (#3967)
  • 70f507e chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951)
  • befabc6 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956)
  • ee69abb chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958)
  • 8901f7b chore(deps): bump actions/setup-go from 3 to 4 (#3953)
  • 4e6bbbc chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950)
  • d70f346 chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965)
  • 3efb2fd chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964)

v0.39.0

01 Apr 08:40
ed59096

⚡Release highlights and summary⚡

👉 #3949

Changelog

  • ed59096 docs(cli): added makefile and go file to create docs (#3930)
  • a2f39a3 chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
  • 5a10631 chore: ignore gpg key (#3943)
  • 4072115 feat(cyclonedx): support dependency graph (#3177)
  • 7cad265 chore(deps): Bump defsec to v0.85.0 (#3940)
  • f8b5733 feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
  • 10796a2 feat(server): redis with public TLS certs support (#3783)
  • abff139 feat(flag): Add glob support to --skip-dirs and --skip-files (#3866)
  • b40f60c chore: replace make with mage (#3932)
  • 67236f6 fix(sbom): add checksum to files (#3888)
  • 00de24b chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
  • 5976d1f chore: remove unused mount volumes (#3927)
  • f14bed4 feat: add auth support for downloading OCI artifacts (#3915)
  • 1ee0518 refactor(purl): use epoch in qualifier (#3913)
  • 0000252 chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
  • ca0d972 feat(image): add registry options (#3906)
  • 0336555 feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
  • dd9cd95 chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
  • edb0682 feat(php): add support for location, licenses and graph for composer.lock files (#3873)
  • c02b15b chore(deps): updates wazero to 1.0.0 (#3904)
  • 63ef760 feat(image): discover SBOM in OCI referrers (#3768)
  • 3fa703c docs: change cache-dir key in config file (#3897)
  • 4d78747 fix(sbom): use release and epoch for SPDX package version (#3896)
  • 67572df ci: add gpg signing for RPM packages (#3612)
  • e76d5ff docs: Update incorrect comment for skip-update flag (#3878)
  • 011ea60 refactor(misconf): simplify policy filesystem (#3875)
  • 6445309 feat(nodejs): parse package.json alongside yarn.lock (#3757)
  • 6e9c2c3 fix(spdx): add PkgDownloadLocation field (#3879)
  • 18eeea2 fix(report): try to guess direct deps for dependency tree (#3852)
  • 02b6914 chore(amazon): update EOL (#3876)
  • 79096e1 fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
  • fc2e80c feat(amazon): add al2023 support (#3854)
  • 5f8d69d chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736)
  • 7916aaf docs(misconf): Add information about selectors (#3703)
  • 1b1ed39 docs(cli): update CLI docs with cobra (#3815)
  • 234a360 feat: k8s parallel processing (#3693)
  • b864b3b docs: add DefectDojo in the Security Management section (#3871)
  • ad34c98 chore(deps): updates wazero to 1.0.0-rc.2 (#3853)
  • 7148de3 refactor: add pipeline (#3868)
  • 927acf9 feat(cli): add javadb metadata to version info (#3835)
  • 33074cf chore(deps): Move compliance types to defsec (#3842)
  • ba9b041 feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
  • a754a04 feat: add node toleration option (#3823)
  • 9e4b57f fix: allow mapfs to open dirs (#3867)
  • 09fd299 fix(report): update uri only for os class targets (#3846)
  • 09e1302 feat(nodejs): Add v3 npm lock file support (#3826)
  • 52cbfeb feat(nodejs): parse package.json files alongside package-lock.json (#2916)
  • d6a2d63 docs(misconf): Fix links to built in policies (#3841)

v0.38.3

14 Mar 10:57
a12f58b

Changelog

  • a12f58b chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
  • ee51835 fix(java): skip empty files for jar post analyzer (#3832)
  • 3987a67 fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
  • 2bb25e7 refactor(license): use goyacc for license parser (#3824)
  • 00c763b chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
  • cac5881 fix: populate timeout context to node-collector (#3766)
  • bd9c6e6 fix: exclude node collector scanning (#3771)
  • 20f1067 fix: display correct flag in error message when skipping java db update (#3808)
  • 1fac7bf fix: disable jar analyzer for scanners other than vuln (#3810)
  • aaf2658 fix(sbom): fix incompliant license format for spdx (#3335)
  • f830763 fix(java): the project props take precedence over the parent's props (#3320)
  • 1aa3b7d docs: add canary build info to README.md (#3799)
  • 57904c0 docs: adding link to gh token generation (#3784)
  • bdccf72 docs: changing docs in accordance with #3460 (#3787)

v0.38.2

08 Mar 11:22
800473a

Changelog

  • 800473a chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
  • e6ab389 chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
  • 6614398 fix(license): disable jar analyzer for licence scan only (#3780)
  • 1dc6fee bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
  • 3357ed0 fix: skip checking dirs for required post-analyzers (#3773)
  • 1064636 docs: add information about plugin format (#3749)
  • 60b7ef5 fix(sbom): add trivy version to spdx creators tool field (#3756)

v0.38.1

02 Mar 16:30
497c955

Changelog

  • 497c955 feat(misconf): Add support to show policy bundle version (#3743)
  • 5d54310 fix(python): fix error with optional dependencies in pyproject.toml (#3741)
  • 44cf1e2 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
  • 743b4b0 add id for package.json files (#3750)
  • 6de4385 chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
  • 9a0ceef chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
  • 0501b46 chore(deps): bump github.com/google/go-containerregistry (#3731)
  • ee3004d chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
  • 5c8e604 chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)

v0.38.0

01 Mar 11:44
bc08366

⚡Release highlights and summary⚡

👉 #3719

Changelog

  • bc08366 fix(cli): pass integer to exit-on-eol (#3716)
  • 23cdac0 feat: add kubernetes pss compliance (#3498)
  • 302c8ae feat: Adding --module-dir and --enable-modules (#3677)
  • 34120f4 feat: add special IDs for filtering secrets (#3702)
  • e399ed8 chore(deps): Update defsec (#3713)
  • ef7b762 docs(misconf): Add guide on input schema (#3692)
  • 00daebc feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
  • 98d1031 feat: docker multi credential support (#3631)
  • b791362 feat: summarize vulnerabilities in compliance reports (#3651)
  • 719fdb1 feat(python): parse pyproject.toml alongside poetry.lock (#3695)
  • 3ff5699 feat(python): add dependency tree for poetry lock file (#3665)
  • 33909d9 fix(cyclonedx): incompliant affect ref (#3679)
  • d85a3e0 chore(helm): update skip-db-update environment variable (#3657)
  • 551899c fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
  • 3aaa2cf fix(sbom): export empty dependencies in CycloneDX (#3664)
  • 9d1300c docs: java-db air-gap doc tweaks (#3561)
  • 793cc43 feat(go): license support (#3683)
  • 6a3294e feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
  • e9dc21d fix(k8s): k8s label size (#3678)
  • 12976d4 fix(cyclonedx): fix array empty value, null to [] (#3676)
  • 1dc2b34 refactor: rewrite gomod analyzer as post-analyzer (#3674)
  • 92eaf63 feat: config outdated-api result filtered by k8s version (#3578)
  • 9af436b fix: Update to Alpine 3.17.2 (#3655)
  • 88ee68d feat: add support for virtual files (#3654)
  • 75c96bd feat: add post-analyzers (#3640)
  • baea399 chore(deps): updates wazero to 1.0.0-pre.9 (#3653)
  • 7ca0db1 chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528)
  • 866999e chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633)
  • b7bfb9a feat(python): add dependency locations for Pipfile.lock (#3614)
  • 9badef2 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648)
  • d856595 fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
  • fe7c26a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607)
  • f251dfc fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
  • 9be8062 feat(cli): add command completion (#3061)
  • 370098d docs(misconf): update dockerfile link (#3627)
  • 32acd29 feat(flag): add exit-on-eosl option (#3423)
  • aa8e185 chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533)
  • 86603bb fix(cli): make java db repository configurable (#3595)
  • 7b1e173 chore: bump trivy-kubernetes (#3613)

v0.37.3

14 Feb 12:28
85d5d61

Changelog

  • 85d5d61 chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
  • 2c17260 chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
  • c54f1aa chore(deps): bump golang/x/mod to v0.8.0 (#3606)
  • 625ea58 chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
  • 623c7f9 chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
  • d291c34 ci: quote pros in c++ for semantic pr (#3605)
  • 6cac6c9 fix(image): check proxy settings from env for remote images (#3604)

v0.37.2

10 Feb 01:21
12b563b

💔Breaking Change💔

Java DB

This release changes the format of the Trivy Java DB, so a Java DB cached by an earlier release is no longer usable.
Users running Trivy v0.37.0 or v0.37.1 for Java scanning must delete the locally cached Java DB with trivy image --reset, then update Trivy to v0.37.2 so that the new database is downloaded on the next scan.

Changelog

  • 12b563b BREAKING: use normalized trivy-java-db (#3583)
  • 72a14c6 fix(image): add timeout for remote images (#3582)
  • 4c01d73 chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
  • 10dd5d1 chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
  • 439c541 fix(misconf): handle dot files better (#3550)
  • 200e04a chore: bump Go to 1.19 (#3551)
  • a533ca8 chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
  • 4bccbe6 chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
  • d056208 chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
  • f5e6574 chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
  • d3da459 chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)

v0.37.1

01 Feb 16:37
7f8868b

Changelog