Documentation
¶
Index ¶
- Constants
- Variables
- type AWSFlagGroup
- type AWSOptions
- type Alias
- type CacheFlagGroup
- type CacheOptions
- type CloudFlagGroup
- type CloudOptions
- type DBFlagGroup
- type DBOptions
- type Flag
- type FlagGroup
- type FlagType
- type Flagger
- type Flags
- type GlobalFlagGroup
- type GlobalOptions
- type ImageFlagGroup
- type ImageOptions
- type K8sFlagGroup
- type K8sOptions
- type LicenseFlagGroup
- type LicenseOptions
- type MisconfFlagGroup
- type MisconfOptions
- type ModuleFlagGroup
- type ModuleOptions
- type Options
- type RedisOptions
- type RegistryFlagGroup
- type RegistryOptions
- type RegoFlagGroup
- type RegoOptions
- type RemoteFlagGroup
- type RemoteOptions
- type RepoFlagGroup
- type RepoOptions
- type ReportFlagGroup
- type ReportOptions
- type SBOMFlagGroup
- type SBOMOptions
- type ScanFlagGroup
- type ScanOptions
- type SecretFlagGroup
- type SecretOptions
- type VulnerabilityFlagGroup
- type VulnerabilityOptions
Constants ¶
View Source
const (
DefaultTokenHeader = "Trivy-Token"
)
Variables ¶
View Source
var ( ClearCacheFlag = Flag[bool]{ Name: "clear-cache", ConfigName: "cache.clear", Usage: "clear image caches without scanning", } CacheBackendFlag = Flag[string]{ Name: "cache-backend", ConfigName: "cache.backend", Default: "fs", Usage: "cache backend (e.g. redis://localhost:6379)", } CacheTTLFlag = Flag[time.Duration]{ Name: "cache-ttl", ConfigName: "cache.ttl", Usage: "cache TTL when using redis as cache backend", } RedisTLSFlag = Flag[bool]{ Name: "redis-tls", ConfigName: "cache.redis.tls", Usage: "enable redis TLS with public certificates, if using redis as cache backend", } RedisCACertFlag = Flag[string]{ Name: "redis-ca", ConfigName: "cache.redis.ca", Usage: "redis ca file location, if using redis as cache backend", } RedisCertFlag = Flag[string]{ Name: "redis-cert", ConfigName: "cache.redis.cert", Usage: "redis certificate file location, if using redis as cache backend", } RedisKeyFlag = Flag[string]{ Name: "redis-key", ConfigName: "cache.redis.key", Usage: "redis key file location, if using redis as cache backend", } )
e.g. config yaml:
cache: clear: true backend: "redis://localhost:6379" redis: ca: ca-cert.pem cert: cert.pem key: key.pem
View Source
var ( ResetFlag = Flag[bool]{ Name: "reset", ConfigName: "reset", Usage: "remove all caches and database", } DownloadDBOnlyFlag = Flag[bool]{ Name: "download-db-only", ConfigName: "db.download-only", Usage: "download/update vulnerability database but don't run a scan", } SkipDBUpdateFlag = Flag[bool]{ Name: "skip-db-update", ConfigName: "db.skip-update", Usage: "skip updating vulnerability database", Aliases: []Alias{ { Name: "skip-update", Deprecated: true, }, }, } DownloadJavaDBOnlyFlag = Flag[bool]{ Name: "download-java-db-only", ConfigName: "db.download-java-only", Usage: "download/update Java index database but don't run a scan", } SkipJavaDBUpdateFlag = Flag[bool]{ Name: "skip-java-db-update", ConfigName: "db.java-skip-update", Usage: "skip updating Java index database", } NoProgressFlag = Flag[bool]{ Name: "no-progress", ConfigName: "db.no-progress", Usage: "suppress progress bar", } DBRepositoryFlag = Flag[string]{ Name: "db-repository", ConfigName: "db.repository", Default: db.DefaultRepository, Usage: "OCI repository to retrieve trivy-db from", } JavaDBRepositoryFlag = Flag[string]{ Name: "java-db-repository", ConfigName: "db.java-repository", Default: javadb.DefaultRepository, Usage: "OCI repository to retrieve trivy-java-db from", } LightFlag = Flag[bool]{ Name: "light", ConfigName: "db.light", Usage: "deprecated", Deprecated: true, } )
View Source
var ( ConfigFileFlag = Flag[string]{ Name: "config", ConfigName: "config", Shorthand: "c", Default: "trivy.yaml", Usage: "config path", Persistent: true, } ShowVersionFlag = Flag[bool]{ Name: "version", ConfigName: "version", Shorthand: "v", Usage: "show version", Persistent: true, } QuietFlag = Flag[bool]{ Name: "quiet", ConfigName: "quiet", Shorthand: "q", Usage: "suppress progress bar and log output", Persistent: true, } DebugFlag = Flag[bool]{ Name: "debug", ConfigName: "debug", Shorthand: "d", Usage: "debug mode", Persistent: true, } InsecureFlag = Flag[bool]{ Name: "insecure", ConfigName: "insecure", Usage: "allow insecure server connections", Persistent: true, } TimeoutFlag = Flag[time.Duration]{ Name: "timeout", ConfigName: "timeout", Default: time.Second * 300, Usage: "timeout", Persistent: true, } CacheDirFlag = Flag[string]{ Name: "cache-dir", ConfigName: "cache.dir", Default: fsutils.CacheDir(), Usage: "cache directory", Persistent: true, } GenerateDefaultConfigFlag = Flag[bool]{ Name: "generate-default-config", ConfigName: "generate-default-config", Usage: "write the default config to trivy-default.yaml", Persistent: true, } )
View Source
var ( ImageConfigScannersFlag = Flag[[]string]{ Name: "image-config-scanners", ConfigName: "image.image-config-scanners", Values: xstrings.ToStringSlice(types.Scanners{ types.MisconfigScanner, types.SecretScanner, }), Usage: "comma-separated list of what security issues to detect on container image configurations", } ScanRemovedPkgsFlag = Flag[bool]{ Name: "removed-pkgs", ConfigName: "image.removed-pkgs", Usage: "detect vulnerabilities of removed packages (only for Alpine)", } InputFlag = Flag[string]{ Name: "input", ConfigName: "image.input", Usage: "input file path instead of image name", } PlatformFlag = Flag[string]{ Name: "platform", ConfigName: "image.platform", Usage: "set platform in the form os/arch if image is multi-platform capable", } DockerHostFlag = Flag[string]{ Name: "docker-host", ConfigName: "image.docker.host", Default: "", Usage: "unix domain socket path to use for docker scanning", } PodmanHostFlag = Flag[string]{ Name: "podman-host", ConfigName: "image.podman.host", Default: "", Usage: "unix podman socket path to use for podman scanning", } SourceFlag = Flag[[]string]{ Name: "image-src", ConfigName: "image.source", Default: xstrings.ToStringSlice(ftypes.AllImageSources), Values: xstrings.ToStringSlice(ftypes.AllImageSources), Usage: "image source(s) to use, in priority order", } )
View Source
var ( KubeConfigFlag = Flag[string]{ Name: "kubeconfig", ConfigName: "kubernetes.kubeconfig", Usage: "specify the kubeconfig file path to use", } K8sVersionFlag = Flag[string]{ Name: "k8s-version", ConfigName: "kubernetes.k8s-version", Usage: "specify k8s version to validate outdated api by it (example: 1.21.0)", } TolerationsFlag = Flag[[]string]{ Name: "tolerations", ConfigName: "kubernetes.tolerations", Usage: "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)", } DisableNodeCollector = Flag[bool]{ Name: "disable-node-collector", ConfigName: "kubernetes.disableNodeCollector", Usage: "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.", } NodeCollectorNamespace = Flag[string]{ Name: "node-collector-namespace", ConfigName: "kubernetes.node-collector.namespace", Default: "trivy-temp", Usage: "specify the namespace in which the node-collector job should be deployed", } NodeCollectorImageRef = Flag[string]{ Name: "node-collector-imageref", ConfigName: "kubernetes.node-collector.imageref", Default: "ghcr.io/aquasecurity/node-collector:0.2.1", Usage: "indicate the image reference for the node-collector scan job", } ExcludeOwned = Flag[bool]{ Name: "exclude-owned", ConfigName: "kubernetes.exclude.owned", Usage: "exclude resources that have an owner reference", } SkipImages = Flag[bool]{ Name: "skip-images", ConfigName: "kubernetes.skipImages", Usage: "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources", } ExcludeNodes = Flag[[]string]{ Name: "exclude-nodes", ConfigName: "kubernetes.exclude.nodes", Usage: "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)", } ExcludeKinds = Flag[[]string]{ Name: "exclude-kinds", ConfigName: "kubernetes.excludeKinds", Usage: "indicate the kinds exclude from scanning (example: node)", } IncludeKinds = Flag[[]string]{ Name: "include-kinds", ConfigName: "kubernetes.includeKinds", Usage: "indicate the kinds included in scanning (example: node)", } ExcludeNamespaces = Flag[[]string]{ Name: "exclude-namespaces", ConfigName: "kubernetes.excludeNamespaces", Usage: "indicate the namespaces excluded from scanning (example: kube-system)", } IncludeNamespaces = Flag[[]string]{ Name: "include-namespaces", ConfigName: "kubernetes.includeNamespaces", Usage: "indicate the namespaces included in scanning (example: kube-system)", } QPS = Flag[float64]{ Name: "qps", ConfigName: "kubernetes.qps", Default: 5.0, Usage: "specify the maximum QPS to the master from this client", } Burst = Flag[int]{ Name: "burst", ConfigName: "kubernetes.burst", Default: 10, Usage: "specify the maximum burst for throttle", } )
View Source
var ( LicenseFull = Flag[bool]{ Name: "license-full", ConfigName: "license.full", Usage: "eagerly look for licenses in source code headers and license files", } IgnoredLicenses = Flag[[]string]{ Name: "ignored-licenses", ConfigName: "license.ignored", Usage: "specify a list of license to ignore", } LicenseConfidenceLevel = Flag[float64]{ Name: "license-confidence-level", ConfigName: "license.confidenceLevel", Default: 0.9, Usage: "specify license classifier's confidence level", } // LicenseForbidden is an option only in a config file LicenseForbidden = Flag[[]string]{ ConfigName: "license.forbidden", Default: licensing.ForbiddenLicenses, Usage: "forbidden licenses", } // LicenseRestricted is an option only in a config file LicenseRestricted = Flag[[]string]{ ConfigName: "license.restricted", Default: licensing.RestrictedLicenses, Usage: "restricted licenses", } // LicenseReciprocal is an option only in a config file LicenseReciprocal = Flag[[]string]{ ConfigName: "license.reciprocal", Default: licensing.ReciprocalLicenses, Usage: "reciprocal licenses", } // LicenseNotice is an option only in a config file LicenseNotice = Flag[[]string]{ ConfigName: "license.notice", Default: licensing.NoticeLicenses, Usage: "notice licenses", } // LicensePermissive is an option only in a config file LicensePermissive = Flag[[]string]{ ConfigName: "license.permissive", Default: licensing.PermissiveLicenses, Usage: "permissive licenses", } // LicenseUnencumbered is an option only in a config file LicenseUnencumbered = Flag[[]string]{ ConfigName: "license.unencumbered", Default: licensing.UnencumberedLicenses, Usage: "unencumbered licenses", } )
View Source
var ( ResetChecksBundleFlag = Flag[bool]{ Name: "reset-checks-bundle", ConfigName: "misconfiguration.reset-checks-bundle", Usage: "remove checks bundle", Aliases: []Alias{ { Name: "reset-policy-bundle", ConfigName: "misconfiguration.reset-policy-bundle", Deprecated: true, }, }, } IncludeNonFailuresFlag = Flag[bool]{ Name: "include-non-failures", ConfigName: "misconfiguration.include-non-failures", Usage: "include successes and exceptions, available with '--scanners misconfig'", } HelmValuesFileFlag = Flag[[]string]{ Name: "helm-values", ConfigName: "misconfiguration.helm.values", Usage: "specify paths to override the Helm values.yaml files", } HelmSetFlag = Flag[[]string]{ Name: "helm-set", ConfigName: "misconfiguration.helm.set", Usage: "specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)", } HelmSetFileFlag = Flag[[]string]{ Name: "helm-set-file", ConfigName: "misconfiguration.helm.set-file", Usage: "specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)", } HelmSetStringFlag = Flag[[]string]{ Name: "helm-set-string", ConfigName: "misconfiguration.helm.set-string", Usage: "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)", } HelmAPIVersionsFlag = Flag[[]string]{ Name: "helm-api-versions", ConfigName: "misconfiguration.helm.api-versions", Usage: "Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)", } HelmKubeVersionFlag = Flag[string]{ Name: "helm-kube-version", ConfigName: "misconfiguration.helm.kube-version", Usage: "Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.", } TfVarsFlag = Flag[[]string]{ Name: "tf-vars", ConfigName: "misconfiguration.terraform.vars", Usage: "specify paths to override the Terraform tfvars files", } CfParamsFlag = Flag[[]string]{ Name: "cf-params", ConfigName: "misconfiguration.cloudformation.params", Default: []string{}, Usage: "specify paths to override the CloudFormation parameters files", } TerraformExcludeDownloaded = Flag[bool]{ Name: "tf-exclude-downloaded-modules", ConfigName: "misconfiguration.terraform.exclude-downloaded-modules", Usage: "exclude misconfigurations for downloaded terraform modules", } ChecksBundleRepositoryFlag = Flag[string]{ Name: "checks-bundle-repository", ConfigName: "misconfiguration.checks-bundle-repository", Default: fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion), Usage: "OCI registry URL to retrieve checks bundle from", Aliases: []Alias{ { Name: "policy-bundle-repository", ConfigName: "misconfiguration.policy-bundle-repository", Deprecated: true, }, }, } MisconfigScannersFlag = Flag[[]string]{ Name: "misconfig-scanners", ConfigName: "misconfiguration.scanners", Default: xstrings.ToStringSlice(analyzer.TypeConfigFiles), Usage: "comma-separated list of misconfig scanners to use for misconfiguration scanning", } )
e.g. config yaml:
misconfiguration: trace: true config-policy: "custom-policy/policy" policy-namespaces: "user"
View Source
var ( ModuleDirFlag = Flag[string]{ Name: "module-dir", ConfigName: "module.dir", Default: module.DefaultDir, Usage: "specify directory to the wasm modules that will be loaded", Persistent: true, } EnableModulesFlag = Flag[[]string]{ Name: "enable-modules", ConfigName: "module.enable-modules", Default: []string{}, Usage: "[EXPERIMENTAL] module names to enable", Persistent: true, } )
View Source
var ( UsernameFlag = Flag[[]string]{ Name: "username", ConfigName: "registry.username", Usage: "username. Comma-separated usernames allowed.", } PasswordFlag = Flag[[]string]{ Name: "password", ConfigName: "registry.password", Usage: "password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.", } RegistryTokenFlag = Flag[string]{ Name: "registry-token", ConfigName: "registry.token", Usage: "registry token", } )
View Source
var ( IncludeDeprecatedChecksFlag = Flag[bool]{ Name: "include-deprecated-checks", ConfigName: "rego.include-deprecated-checks", Usage: "include deprecated checks", } SkipCheckUpdateFlag = Flag[bool]{ Name: "skip-check-update", ConfigName: "rego.skip-check-update", Usage: "skip fetching rego check updates", Aliases: []Alias{ { Name: "skip-policy-update", Deprecated: true, }, }, } TraceFlag = Flag[bool]{ Name: "trace", ConfigName: "rego.trace", Usage: "enable more verbose trace output for custom queries", } ConfigCheckFlag = Flag[[]string]{ Name: "config-check", ConfigName: "rego.check", Usage: "specify the paths to the Rego check files or to the directories containing them, applying config files", Aliases: []Alias{ {Name: "policy", Deprecated: true}, {Name: "config-policy", Deprecated: true}, }, } ConfigDataFlag = Flag[[]string]{ Name: "config-data", ConfigName: "rego.data", Usage: "specify paths from which data for the Rego checks will be recursively loaded", Aliases: []Alias{ {Name: "data"}, }, } CheckNamespaceFlag = Flag[[]string]{ Name: "check-namespaces", ConfigName: "rego.namespaces", Usage: "Rego namespaces", Aliases: []Alias{ {Name: "namespaces"}, {Name: "policy-namespaces", Deprecated: true}, }, } )
e.g. config yaml:
rego: trace: true config-policy: "custom-policy/policy" policy-namespaces: "user"
View Source
var ( ServerTokenFlag = Flag[string]{ Name: "token", ConfigName: "server.token", Usage: "for authentication in client/server mode", } ServerTokenHeaderFlag = Flag[string]{ Name: "token-header", ConfigName: "server.token-header", Default: DefaultTokenHeader, Usage: "specify a header name for token in client/server mode", } ServerAddrFlag = Flag[string]{ Name: "server", ConfigName: "server.addr", Usage: "server address in client mode", } ServerCustomHeadersFlag = Flag[[]string]{ Name: "custom-headers", ConfigName: "server.custom-headers", Usage: "custom headers in client mode", } ServerListenFlag = Flag[string]{ Name: "listen", ConfigName: "server.listen", Default: "localhost:4954", Usage: "listen address in server mode", } )
View Source
var ( FetchBranchFlag = Flag[string]{ Name: "branch", ConfigName: "repository.branch", Usage: "pass the branch name to be scanned", } FetchCommitFlag = Flag[string]{ Name: "commit", ConfigName: "repository.commit", Usage: "pass the commit hash to be scanned", } FetchTagFlag = Flag[string]{ Name: "tag", ConfigName: "repository.tag", Usage: "pass the tag name to be scanned", } )
View Source
var ( FormatFlag = Flag[string]{ Name: "format", ConfigName: "format", Shorthand: "f", Default: string(types.FormatTable), Values: xstrings.ToStringSlice(types.SupportedFormats), Usage: "format", } ReportFormatFlag = Flag[string]{ Name: "report", ConfigName: "report", Default: "all", Values: []string{ "all", "summary", }, Usage: "specify a report format for the output", } TemplateFlag = Flag[string]{ Name: "template", ConfigName: "template", Shorthand: "t", Usage: "output template", } DependencyTreeFlag = Flag[bool]{ Name: "dependency-tree", ConfigName: "dependency-tree", Usage: "[EXPERIMENTAL] show dependency origin tree of vulnerable packages", } ListAllPkgsFlag = Flag[bool]{ Name: "list-all-pkgs", ConfigName: "list-all-pkgs", Usage: "output all packages in the JSON report regardless of vulnerability", } IgnoreFileFlag = Flag[string]{ Name: "ignorefile", ConfigName: "ignorefile", Default: result.DefaultIgnoreFile, Usage: "specify .trivyignore file", } IgnorePolicyFlag = Flag[string]{ Name: "ignore-policy", ConfigName: "ignore-policy", Usage: "specify the Rego file path to evaluate each vulnerability", } ExitCodeFlag = Flag[int]{ Name: "exit-code", ConfigName: "exit-code", Usage: "specify exit code when any security issues are found", } ExitOnEOLFlag = Flag[int]{ Name: "exit-on-eol", ConfigName: "exit-on-eol", Usage: "exit with the specified code when the OS reaches end of service/life", } OutputFlag = Flag[string]{ Name: "output", ConfigName: "output", Shorthand: "o", Usage: "output file name", } OutputPluginArgFlag = Flag[string]{ Name: "output-plugin-arg", ConfigName: "output-plugin-arg", Usage: "[EXPERIMENTAL] output plugin arguments", } SeverityFlag = Flag[[]string]{ Name: "severity", ConfigName: "severity", Shorthand: "s", Default: dbTypes.SeverityNames, Values: dbTypes.SeverityNames, Usage: "severities of security issues to be displayed", } ComplianceFlag = Flag[string]{ Name: "compliance", ConfigName: "scan.compliance", Usage: "compliance report to generate", } ShowSuppressedFlag = Flag[bool]{ Name: "show-suppressed", ConfigName: "scan.show-suppressed", Usage: "[EXPERIMENTAL] show suppressed vulnerabilities", } )
e.g. config yaml:
format: table dependency-tree: true severity: HIGH,CRITICAL
View Source
var ( ArtifactTypeFlag = Flag[string]{ Name: "artifact-type", ConfigName: "sbom.artifact-type", Usage: "deprecated", Deprecated: true, } SBOMFormatFlag = Flag[string]{ Name: "sbom-format", ConfigName: "sbom.format", Usage: "deprecated", Deprecated: true, } )
View Source
var ( SkipDirsFlag = Flag[[]string]{ Name: "skip-dirs", ConfigName: "scan.skip-dirs", Usage: "specify the directories or glob patterns to skip", } SkipFilesFlag = Flag[[]string]{ Name: "skip-files", ConfigName: "scan.skip-files", Default: []string{}, Usage: "specify the files or glob patterns to skip", } OfflineScanFlag = Flag[bool]{ Name: "offline-scan", ConfigName: "scan.offline", Usage: "do not issue API requests to identify dependencies", } ScannersFlag = Flag[[]string]{ Name: "scanners", ConfigName: "scan.scanners", Default: xstrings.ToStringSlice(types.Scanners{ types.VulnerabilityScanner, types.SecretScanner, }), Values: xstrings.ToStringSlice(types.Scanners{ types.VulnerabilityScanner, types.MisconfigScanner, types.SecretScanner, types.LicenseScanner, }), ValueNormalize: func(ss []string) []string { return lo.Map(ss, func(s string, _ int) string { switch s { case "vulnerability": return string(types.VulnerabilityScanner) case "misconf", "misconfiguration": return string(types.MisconfigScanner) case "config": log.Warn("'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.") return string(types.MisconfigScanner) } return s }) }, Aliases: []Alias{ { Name: "security-checks", ConfigName: "scan.security-checks", Deprecated: true, }, }, Usage: "comma-separated list of what security issues to detect", } FilePatternsFlag = Flag[[]string]{ Name: "file-patterns", ConfigName: "scan.file-patterns", Usage: "specify config file patterns", } SlowFlag = Flag[bool]{ Name: "slow", ConfigName: "scan.slow", Default: false, Usage: "scan over time with lower CPU and memory utilization", Deprecated: true, } ParallelFlag = Flag[int]{ Name: "parallel", ConfigName: "scan.parallel", Default: 5, Usage: "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism", } SBOMSourcesFlag = Flag[[]string]{ Name: "sbom-sources", ConfigName: "scan.sbom-sources", Values: []string{ "oci", "rekor", }, Usage: "[EXPERIMENTAL] try to retrieve SBOM from the specified sources", } RekorURLFlag = Flag[string]{ Name: "rekor-url", ConfigName: "scan.rekor-url", Default: "https://rekor.sigstore.dev", Usage: "[EXPERIMENTAL] address of rekor STL server", } IncludeDevDepsFlag = Flag[bool]{ Name: "include-dev-deps", ConfigName: "scan.include-dev-deps", Usage: "include development dependencies in the report (supported: npm, yarn)", } )
View Source
var ( VulnTypeFlag = Flag[[]string]{ Name: "vuln-type", ConfigName: "vulnerability.type", Default: []string{ types.VulnTypeOS, types.VulnTypeLibrary, }, Values: []string{ types.VulnTypeOS, types.VulnTypeLibrary, }, Usage: "comma-separated list of vulnerability types", } IgnoreUnfixedFlag = Flag[bool]{ Name: "ignore-unfixed", ConfigName: "vulnerability.ignore-unfixed", Usage: "display only fixed vulnerabilities", } IgnoreStatusFlag = Flag[[]string]{ Name: "ignore-status", ConfigName: "vulnerability.ignore-status", Values: dbTypes.Statuses, Usage: "comma-separated list of vulnerability status to ignore", } VEXFlag = Flag[string]{ Name: "vex", ConfigName: "vulnerability.vex", Default: "", Usage: "[EXPERIMENTAL] file path to VEX", } )
View Source
var (
SecretConfigFlag = Flag[string]{
Name: "secret-config",
ConfigName: "secret.config",
Default: "trivy-secret.yaml",
Usage: "specify a path to config file for secret scanning",
}
)
Functions ¶
This section is empty.
Types ¶
type AWSFlagGroup ¶ added in v0.31.0
type AWSFlagGroup struct {
Region *Flag[string]
Endpoint *Flag[string]
Services *Flag[[]string]
SkipServices *Flag[[]string]
Account *Flag[string]
ARN *Flag[string]
}
func NewAWSFlagGroup ¶ added in v0.31.0
func NewAWSFlagGroup() *AWSFlagGroup
func (*AWSFlagGroup) Flags ¶ added in v0.31.0
func (f *AWSFlagGroup) Flags() []Flagger
func (*AWSFlagGroup) Name ¶ added in v0.31.0
func (f *AWSFlagGroup) Name() string
func (*AWSFlagGroup) ToOptions ¶ added in v0.31.0
func (f *AWSFlagGroup) ToOptions() (AWSOptions, error)
type AWSOptions ¶ added in v0.31.0
type CacheFlagGroup ¶
type CacheFlagGroup struct {
ClearCache *Flag[bool]
CacheBackend *Flag[string]
CacheTTL *Flag[time.Duration]
RedisTLS *Flag[bool]
RedisCACert *Flag[string]
RedisCert *Flag[string]
RedisKey *Flag[string]
}
CacheFlagGroup composes common printer flag structs used for commands requiring cache logic.
func NewCacheFlagGroup ¶
func NewCacheFlagGroup() *CacheFlagGroup
NewCacheFlagGroup returns a default CacheFlagGroup
func (*CacheFlagGroup) Flags ¶
func (fg *CacheFlagGroup) Flags() []Flagger
func (*CacheFlagGroup) Name ¶
func (fg *CacheFlagGroup) Name() string
func (*CacheFlagGroup) ToOptions ¶
func (fg *CacheFlagGroup) ToOptions() (CacheOptions, error)
type CacheOptions ¶
type CacheOptions struct {
ClearCache bool
CacheBackend string
CacheTTL time.Duration
RedisTLS bool
RedisOptions
}
func (*CacheOptions) CacheBackendMasked ¶
func (o *CacheOptions) CacheBackendMasked() string
CacheBackendMasked returns the redis connection string masking credentials
type CloudFlagGroup ¶ added in v0.31.0
func NewCloudFlagGroup ¶ added in v0.31.0
func NewCloudFlagGroup() *CloudFlagGroup
func (*CloudFlagGroup) Flags ¶ added in v0.31.0
func (f *CloudFlagGroup) Flags() []Flagger
func (*CloudFlagGroup) Name ¶ added in v0.31.0
func (f *CloudFlagGroup) Name() string
func (*CloudFlagGroup) ToOptions ¶ added in v0.31.0
func (f *CloudFlagGroup) ToOptions() (CloudOptions, error)
type CloudOptions ¶ added in v0.31.0
type DBFlagGroup ¶
type DBFlagGroup struct {
Reset *Flag[bool]
DownloadDBOnly *Flag[bool]
SkipDBUpdate *Flag[bool]
DownloadJavaDBOnly *Flag[bool]
SkipJavaDBUpdate *Flag[bool]
NoProgress *Flag[bool]
DBRepository *Flag[string]
JavaDBRepository *Flag[string]
Light *Flag[bool] // deprecated
}
DBFlagGroup composes common printer flag structs used for commands requiring DB logic.
func NewDBFlagGroup ¶
func NewDBFlagGroup() *DBFlagGroup
NewDBFlagGroup returns a default DBFlagGroup
func (*DBFlagGroup) Flags ¶
func (f *DBFlagGroup) Flags() []Flagger
func (*DBFlagGroup) Name ¶
func (f *DBFlagGroup) Name() string
func (*DBFlagGroup) ToOptions ¶
func (f *DBFlagGroup) ToOptions() (DBOptions, error)
type Flag ¶
type Flag[T FlagType] struct { // Name is for CLI flag and environment variable. // If this field is empty, it will be available only in config file. Name string // ConfigName is a key in config file. It is also used as a key of viper. ConfigName string // Shorthand is a shorthand letter. Shorthand string // Default is the default value. It should be defined when the value is different from the zero value. Default T // Values is a list of allowed values. // It currently supports string flags and string slice flags only. Values []string // ValueNormalize is a function to normalize the value. // It can be used for aliases, etc. ValueNormalize func(T) T // Usage explains how to use the flag. Usage string // Persistent represents if the flag is persistent Persistent bool // Deprecated represents if the flag is deprecated Deprecated bool // Aliases represents aliases Aliases []Alias // contains filtered or unexported fields }
func (*Flag[T]) GetAliases ¶ added in v0.49.0
type Flags ¶
type Flags struct {
GlobalFlagGroup *GlobalFlagGroup
AWSFlagGroup *AWSFlagGroup
CacheFlagGroup *CacheFlagGroup
CloudFlagGroup *CloudFlagGroup
DBFlagGroup *DBFlagGroup
ImageFlagGroup *ImageFlagGroup
K8sFlagGroup *K8sFlagGroup
LicenseFlagGroup *LicenseFlagGroup
MisconfFlagGroup *MisconfFlagGroup
ModuleFlagGroup *ModuleFlagGroup
RemoteFlagGroup *RemoteFlagGroup
RegistryFlagGroup *RegistryFlagGroup
RegoFlagGroup *RegoFlagGroup
RepoFlagGroup *RepoFlagGroup
ReportFlagGroup *ReportFlagGroup
SBOMFlagGroup *SBOMFlagGroup
ScanFlagGroup *ScanFlagGroup
SecretFlagGroup *SecretFlagGroup
VulnerabilityFlagGroup *VulnerabilityFlagGroup
}
type GlobalFlagGroup ¶
type GlobalFlagGroup struct {
ConfigFile *Flag[string]
ShowVersion *Flag[bool] // spf13/cobra can't override the logic of version printing like VersionPrinter in urfave/cli. -v needs to be defined ourselves.
Quiet *Flag[bool]
Debug *Flag[bool]
Insecure *Flag[bool]
Timeout *Flag[time.Duration]
CacheDir *Flag[string]
GenerateDefaultConfig *Flag[bool]
}
GlobalFlagGroup composes global flags
func NewGlobalFlagGroup ¶
func NewGlobalFlagGroup() *GlobalFlagGroup
func (*GlobalFlagGroup) AddFlags ¶
func (f *GlobalFlagGroup) AddFlags(cmd *cobra.Command)
func (*GlobalFlagGroup) Flags ¶ added in v0.49.0
func (f *GlobalFlagGroup) Flags() []Flagger
func (*GlobalFlagGroup) Name ¶ added in v0.49.0
func (f *GlobalFlagGroup) Name() string
func (*GlobalFlagGroup) ToOptions ¶
func (f *GlobalFlagGroup) ToOptions() (GlobalOptions, error)
type GlobalOptions ¶
type GlobalOptions struct {
ConfigFile string
ShowVersion bool
Quiet bool
Debug bool
Insecure bool
Timeout time.Duration
CacheDir string
GenerateDefaultConfig bool
}
GlobalOptions defines flags and other configuration parameters for all the subcommands
type ImageFlagGroup ¶
type ImageFlagGroup struct {
Input *Flag[string] // local image archive
ImageConfigScanners *Flag[[]string]
ScanRemovedPkgs *Flag[bool]
Platform *Flag[string]
DockerHost *Flag[string]
PodmanHost *Flag[string]
ImageSources *Flag[[]string]
}
func NewImageFlagGroup ¶
func NewImageFlagGroup() *ImageFlagGroup
func (*ImageFlagGroup) Flags ¶
func (f *ImageFlagGroup) Flags() []Flagger
func (*ImageFlagGroup) Name ¶
func (f *ImageFlagGroup) Name() string
func (*ImageFlagGroup) ToOptions ¶
func (f *ImageFlagGroup) ToOptions() (ImageOptions, error)
type ImageOptions ¶
type K8sFlagGroup ¶
type K8sFlagGroup struct {
KubeConfig *Flag[string]
K8sVersion *Flag[string]
Tolerations *Flag[[]string]
DisableNodeCollector *Flag[bool]
NodeCollectorImageRef *Flag[string]
NodeCollectorNamespace *Flag[string]
ExcludeOwned *Flag[bool]
SkipImages *Flag[bool]
ExcludeNodes *Flag[[]string]
ExcludeKinds *Flag[[]string]
IncludeKinds *Flag[[]string]
ExcludeNamespaces *Flag[[]string]
IncludeNamespaces *Flag[[]string]
QPS *Flag[float64]
Burst *Flag[int]
}
func NewK8sFlagGroup ¶
func NewK8sFlagGroup() *K8sFlagGroup
func (*K8sFlagGroup) Flags ¶
func (f *K8sFlagGroup) Flags() []Flagger
func (*K8sFlagGroup) Name ¶
func (f *K8sFlagGroup) Name() string
func (*K8sFlagGroup) ToOptions ¶
func (f *K8sFlagGroup) ToOptions() (K8sOptions, error)
type K8sOptions ¶
type K8sOptions struct {
KubeConfig string
K8sVersion string
Tolerations []corev1.Toleration
NodeCollectorImageRef string
NodeCollectorNamespace string
ExcludeOwned bool
DisableNodeCollector bool
ExcludeNodes map[string]string
ExcludeKinds []string
IncludeKinds []string
ExcludeNamespaces []string
IncludeNamespaces []string
QPS float32
SkipImages bool
Burst int
}
type LicenseFlagGroup ¶
type LicenseFlagGroup struct {
LicenseFull *Flag[bool]
IgnoredLicenses *Flag[[]string]
LicenseConfidenceLevel *Flag[float64]
// License Categories
LicenseForbidden *Flag[[]string] // mapped to CRITICAL
LicenseRestricted *Flag[[]string] // mapped to HIGH
LicenseReciprocal *Flag[[]string] // mapped to MEDIUM
LicenseNotice *Flag[[]string] // mapped to LOW
LicensePermissive *Flag[[]string] // mapped to LOW
LicenseUnencumbered *Flag[[]string] // mapped to LOW
}
func NewLicenseFlagGroup ¶
func NewLicenseFlagGroup() *LicenseFlagGroup
func (*LicenseFlagGroup) Flags ¶
func (f *LicenseFlagGroup) Flags() []Flagger
func (*LicenseFlagGroup) Name ¶
func (f *LicenseFlagGroup) Name() string
func (*LicenseFlagGroup) ToOptions ¶
func (f *LicenseFlagGroup) ToOptions() (LicenseOptions, error)
type LicenseOptions ¶
type MisconfFlagGroup ¶
type MisconfFlagGroup struct {
IncludeNonFailures *Flag[bool]
ResetChecksBundle *Flag[bool]
ChecksBundleRepository *Flag[string]
// Values Files
HelmValues *Flag[[]string]
HelmValueFiles *Flag[[]string]
HelmFileValues *Flag[[]string]
HelmStringValues *Flag[[]string]
HelmAPIVersions *Flag[[]string]
HelmKubeVersion *Flag[string]
TerraformTFVars *Flag[[]string]
CloudformationParamVars *Flag[[]string]
TerraformExcludeDownloaded *Flag[bool]
MisconfigScanners *Flag[[]string]
}
MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
func NewMisconfFlagGroup ¶
func NewMisconfFlagGroup() *MisconfFlagGroup
func (*MisconfFlagGroup) Flags ¶
func (f *MisconfFlagGroup) Flags() []Flagger
func (*MisconfFlagGroup) Name ¶
func (f *MisconfFlagGroup) Name() string
func (*MisconfFlagGroup) ToOptions ¶
func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error)
type MisconfOptions ¶
type MisconfOptions struct {
IncludeNonFailures bool
ResetChecksBundle bool
ChecksBundleRepository string
// Values Files
HelmValues []string
HelmValueFiles []string
HelmFileValues []string
HelmStringValues []string
HelmAPIVersions []string
HelmKubeVersion string
TerraformTFVars []string
CloudFormationParamVars []string
TfExcludeDownloaded bool
MisconfigScanners []analyzer.Type
}
type ModuleFlagGroup ¶ added in v0.38.0
ModuleFlagGroup defines flags for modules
func NewModuleFlagGroup ¶ added in v0.38.0
func NewModuleFlagGroup() *ModuleFlagGroup
func (*ModuleFlagGroup) Flags ¶ added in v0.38.0
func (f *ModuleFlagGroup) Flags() []Flagger
func (*ModuleFlagGroup) Name ¶ added in v0.38.0
func (f *ModuleFlagGroup) Name() string
func (*ModuleFlagGroup) ToOptions ¶ added in v0.38.0
func (f *ModuleFlagGroup) ToOptions() (ModuleOptions, error)
type ModuleOptions ¶ added in v0.38.0
type Options ¶
type Options struct {
GlobalOptions
AWSOptions
CacheOptions
CloudOptions
DBOptions
ImageOptions
K8sOptions
LicenseOptions
MisconfOptions
ModuleOptions
RegistryOptions
RegoOptions
RemoteOptions
RepoOptions
ReportOptions
SBOMOptions
ScanOptions
SecretOptions
VulnerabilityOptions
// Trivy's version, not populated via CLI flags
AppVersion string
// We don't want to allow disabled analyzers to be passed by users, but it is necessary for internal use.
DisabledAnalyzers []analyzer.Type
// contains filtered or unexported fields
}
Options holds all the runtime configuration
func (*Options) FilterOpts ¶ added in v0.42.0
func (o *Options) FilterOpts() result.FilterOption
FilterOpts returns options for filtering
func (*Options) OutputWriter ¶ added in v0.44.0
OutputWriter returns an output writer. If the output file is not specified, it returns os.Stdout.
func (*Options) RegistryOpts ¶ added in v0.42.0
func (o *Options) RegistryOpts() ftypes.RegistryOptions
RegistryOpts returns options for OCI registries
func (*Options) SetOutputWriter ¶ added in v0.48.0
SetOutputWriter sets an output writer.
type RedisOptions ¶
RedisOptions holds the options for redis cache
type RegistryFlagGroup ¶ added in v0.39.0
type RegistryFlagGroup struct {
Username *Flag[[]string]
Password *Flag[[]string]
RegistryToken *Flag[string]
}
func NewRegistryFlagGroup ¶ added in v0.39.0
func NewRegistryFlagGroup() *RegistryFlagGroup
func (*RegistryFlagGroup) Flags ¶ added in v0.39.0
func (f *RegistryFlagGroup) Flags() []Flagger
func (*RegistryFlagGroup) Name ¶ added in v0.39.0
func (f *RegistryFlagGroup) Name() string
func (*RegistryFlagGroup) ToOptions ¶ added in v0.39.0
func (f *RegistryFlagGroup) ToOptions() (RegistryOptions, error)
type RegistryOptions ¶ added in v0.39.0
type RegistryOptions struct {
Credentials []types.Credential
RegistryToken string
}
type RegoFlagGroup ¶ added in v0.33.0
type RegoFlagGroup struct {
IncludeDeprecatedChecks *Flag[bool]
SkipCheckUpdate *Flag[bool]
Trace *Flag[bool]
CheckPaths *Flag[[]string]
DataPaths *Flag[[]string]
CheckNamespaces *Flag[[]string]
}
RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
func NewRegoFlagGroup ¶ added in v0.33.0
func NewRegoFlagGroup() *RegoFlagGroup
func (*RegoFlagGroup) Flags ¶ added in v0.33.0
func (f *RegoFlagGroup) Flags() []Flagger
func (*RegoFlagGroup) Name ¶ added in v0.33.0
func (f *RegoFlagGroup) Name() string
func (*RegoFlagGroup) ToOptions ¶ added in v0.33.0
func (f *RegoFlagGroup) ToOptions() (RegoOptions, error)
type RegoOptions ¶ added in v0.33.0
type RemoteFlagGroup ¶
type RemoteFlagGroup struct {
// for client/server
Token *Flag[string]
TokenHeader *Flag[string]
// for client
ServerAddr *Flag[string]
CustomHeaders *Flag[[]string]
// for server
Listen *Flag[string]
}
RemoteFlagGroup composes common printer flag structs used for commands requiring reporting logic.
func NewClientFlags ¶
func NewClientFlags() *RemoteFlagGroup
func NewServerFlags ¶
func NewServerFlags() *RemoteFlagGroup
func (*RemoteFlagGroup) Flags ¶
func (f *RemoteFlagGroup) Flags() []Flagger
func (*RemoteFlagGroup) Name ¶
func (f *RemoteFlagGroup) Name() string
func (*RemoteFlagGroup) ToOptions ¶
func (f *RemoteFlagGroup) ToOptions() (RemoteOptions, error)
type RemoteOptions ¶
type RepoFlagGroup ¶ added in v0.30.1
func NewRepoFlagGroup ¶ added in v0.30.1
func NewRepoFlagGroup() *RepoFlagGroup
func (*RepoFlagGroup) Flags ¶ added in v0.30.1
func (f *RepoFlagGroup) Flags() []Flagger
func (*RepoFlagGroup) Name ¶ added in v0.30.1
func (f *RepoFlagGroup) Name() string
func (*RepoFlagGroup) ToOptions ¶ added in v0.30.1
func (f *RepoFlagGroup) ToOptions() (RepoOptions, error)
type RepoOptions ¶ added in v0.30.1
type ReportFlagGroup ¶
type ReportFlagGroup struct {
Format *Flag[string]
ReportFormat *Flag[string]
Template *Flag[string]
DependencyTree *Flag[bool]
ListAllPkgs *Flag[bool]
IgnoreFile *Flag[string]
IgnorePolicy *Flag[string]
ExitCode *Flag[int]
ExitOnEOL *Flag[int]
Output *Flag[string]
OutputPluginArg *Flag[string]
Severity *Flag[[]string]
Compliance *Flag[string]
ShowSuppressed *Flag[bool]
}
ReportFlagGroup composes common printer flag structs used for commands requiring reporting logic.
func NewReportFlagGroup ¶
func NewReportFlagGroup() *ReportFlagGroup
func (*ReportFlagGroup) Flags ¶
func (f *ReportFlagGroup) Flags() []Flagger
func (*ReportFlagGroup) Name ¶
func (f *ReportFlagGroup) Name() string
func (*ReportFlagGroup) ToOptions ¶
func (f *ReportFlagGroup) ToOptions() (ReportOptions, error)
type ReportOptions ¶
type ReportOptions struct {
Format types.Format
ReportFormat string
Template string
DependencyTree bool
ListAllPkgs bool
IgnoreFile string
ExitCode int
ExitOnEOL int
IgnorePolicy string
Output string
OutputPluginArgs []string
Severities []dbTypes.Severity
Compliance spec.ComplianceSpec
ShowSuppressed bool
}
type SBOMFlagGroup ¶
type SBOMFlagGroup struct {
ArtifactType *Flag[string] // deprecated
SBOMFormat *Flag[string] // deprecated
}
func NewSBOMFlagGroup ¶
func NewSBOMFlagGroup() *SBOMFlagGroup
func (*SBOMFlagGroup) Flags ¶
func (f *SBOMFlagGroup) Flags() []Flagger
func (*SBOMFlagGroup) Name ¶
func (f *SBOMFlagGroup) Name() string
func (*SBOMFlagGroup) ToOptions ¶
func (f *SBOMFlagGroup) ToOptions() (SBOMOptions, error)
type SBOMOptions ¶
type SBOMOptions struct {
}
type ScanFlagGroup ¶
type ScanFlagGroup struct {
SkipDirs *Flag[[]string]
SkipFiles *Flag[[]string]
OfflineScan *Flag[bool]
Scanners *Flag[[]string]
FilePatterns *Flag[[]string]
Slow *Flag[bool] // deprecated
Parallel *Flag[int]
SBOMSources *Flag[[]string]
RekorURL *Flag[string]
IncludeDevDeps *Flag[bool]
}
func NewScanFlagGroup ¶
func NewScanFlagGroup() *ScanFlagGroup
func (*ScanFlagGroup) Flags ¶
func (f *ScanFlagGroup) Flags() []Flagger
func (*ScanFlagGroup) Name ¶
func (f *ScanFlagGroup) Name() string
func (*ScanFlagGroup) ToOptions ¶
func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error)
type ScanOptions ¶
type SecretFlagGroup ¶
func NewSecretFlagGroup ¶
func NewSecretFlagGroup() *SecretFlagGroup
func (*SecretFlagGroup) Flags ¶
func (f *SecretFlagGroup) Flags() []Flagger
func (*SecretFlagGroup) Name ¶
func (f *SecretFlagGroup) Name() string
func (*SecretFlagGroup) ToOptions ¶
func (f *SecretFlagGroup) ToOptions() (SecretOptions, error)
type SecretOptions ¶
type SecretOptions struct {
SecretConfigPath string
}
type VulnerabilityFlagGroup ¶
type VulnerabilityFlagGroup struct {
VulnType *Flag[[]string]
IgnoreUnfixed *Flag[bool]
IgnoreStatus *Flag[[]string]
VEXPath *Flag[string]
}
func NewVulnerabilityFlagGroup ¶
func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup
func (*VulnerabilityFlagGroup) Flags ¶
func (f *VulnerabilityFlagGroup) Flags() []Flagger
func (*VulnerabilityFlagGroup) Name ¶
func (f *VulnerabilityFlagGroup) Name() string
func (*VulnerabilityFlagGroup) ToOptions ¶
func (f *VulnerabilityFlagGroup) ToOptions() (VulnerabilityOptions, error)
Source Files
¶
- aws_flags.go
- cache_flags.go
- cloud_flags.go
- db_flags.go
- global_flags.go
- image_flags.go
- kubernetes_flags.go
- license_flags.go
- misconf_flags.go
- module_flags.go
- options.go
- registry_flags.go
- rego_flags.go
- remote_flags.go
- repo_flags.go
- report_flags.go
- sbom_flags.go
- scan_flags.go
- secret_flags.go
- vulnerability_flags.go
Click to show internal directories.
Click to hide internal directories.