flag

package
v3.9.0-2850 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 1, 2024 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultTokenHeader = "Trivy-Token"
)

Variables

View Source
var (
	ClearCacheFlag = Flag{
		Name:       "clear-cache",
		ConfigName: "cache.clear",
		Default:    false,
		Usage:      "clear image caches without scanning",
	}
	CacheBackendFlag = Flag{
		Name:       "cache-backend",
		ConfigName: "cache.backend",
		Default:    "fs",
		Usage:      "cache backend (e.g. redis://localhost:6379)",
	}
	CacheTTLFlag = Flag{
		Name:       "cache-ttl",
		ConfigName: "cache.ttl",
		Default:    time.Duration(0),
		Usage:      "cache TTL when using redis as cache backend",
	}
	RedisTLSFlag = Flag{
		Name:       "redis-tls",
		ConfigName: "cache.redis.tls",
		Default:    false,
		Usage:      "enable redis TLS with public certificates, if using redis as cache backend",
	}
	RedisCACertFlag = Flag{
		Name:       "redis-ca",
		ConfigName: "cache.redis.ca",
		Default:    "",
		Usage:      "redis ca file location, if using redis as cache backend",
	}
	RedisCertFlag = Flag{
		Name:       "redis-cert",
		ConfigName: "cache.redis.cert",
		Default:    "",
		Usage:      "redis certificate file location, if using redis as cache backend",
	}
	RedisKeyFlag = Flag{
		Name:       "redis-key",
		ConfigName: "cache.redis.key",
		Default:    "",
		Usage:      "redis key file location, if using redis as cache backend",
	}
)

e.g. config yaml:

cache:
  clear: true
  backend: "redis://localhost:6379"
redis:
  ca: ca-cert.pem
  cert: cert.pem
  key: key.pem
View Source
var (
	ResetFlag = Flag{
		Name:       "reset",
		ConfigName: "reset",
		Default:    false,
		Usage:      "remove all caches and database",
	}
	DownloadDBOnlyFlag = Flag{
		Name:       "download-db-only",
		ConfigName: "db.download-only",
		Default:    false,
		Usage:      "download/update vulnerability database but don't run a scan",
	}
	SkipDBUpdateFlag = Flag{
		Name:       "skip-db-update",
		ConfigName: "db.skip-update",
		Default:    false,
		Usage:      "skip updating vulnerability database",
		Aliases: []Alias{
			{
				Name:       "skip-update",
				Deprecated: true,
			},
		},
	}
	DownloadJavaDBOnlyFlag = Flag{
		Name:       "download-java-db-only",
		ConfigName: "db.download-java-only",
		Default:    false,
		Usage:      "download/update Java index database but don't run a scan",
	}
	SkipJavaDBUpdateFlag = Flag{
		Name:       "skip-java-db-update",
		ConfigName: "db.java-skip-update",
		Default:    false,
		Usage:      "skip updating Java index database",
	}
	NoProgressFlag = Flag{
		Name:       "no-progress",
		ConfigName: "db.no-progress",
		Default:    false,
		Usage:      "suppress progress bar",
	}
	DBRepositoryFlag = Flag{
		Name:       "db-repository",
		ConfigName: "db.repository",
		Default:    defaultDBRepository,
		Usage:      "OCI repository to retrieve trivy-db from",
	}
	JavaDBRepositoryFlag = Flag{
		Name:       "java-db-repository",
		ConfigName: "db.java-repository",
		Default:    defaultJavaDBRepository,
		Usage:      "OCI repository to retrieve trivy-java-db from",
	}
	LightFlag = Flag{
		Name:       "light",
		ConfigName: "db.light",
		Default:    false,
		Usage:      "deprecated",
		Deprecated: true,
	}
)
View Source
var (
	ConfigFileFlag = Flag{
		Name:       "config",
		ConfigName: "config",
		Shorthand:  "c",
		Default:    "trivy.yaml",
		Usage:      "config path",
		Persistent: true,
	}
	ShowVersionFlag = Flag{
		Name:       "version",
		ConfigName: "version",
		Shorthand:  "v",
		Default:    false,
		Usage:      "show version",
		Persistent: true,
	}
	QuietFlag = Flag{
		Name:       "quiet",
		ConfigName: "quiet",
		Shorthand:  "q",
		Default:    false,
		Usage:      "suppress progress bar and log output",
		Persistent: true,
	}
	DebugFlag = Flag{
		Name:       "debug",
		ConfigName: "debug",
		Shorthand:  "d",
		Default:    false,
		Usage:      "debug mode",
		Persistent: true,
	}
	InsecureFlag = Flag{
		Name:       "insecure",
		ConfigName: "insecure",
		Default:    false,
		Usage:      "allow insecure server connections",
		Persistent: true,
	}
	TimeoutFlag = Flag{
		Name:       "timeout",
		ConfigName: "timeout",
		Default:    time.Second * 300,
		Usage:      "timeout",
		Persistent: true,
	}
	CacheDirFlag = Flag{
		Name:       "cache-dir",
		ConfigName: "cache.dir",
		Default:    fsutils.CacheDir(),
		Usage:      "cache directory",
		Persistent: true,
	}
	GenerateDefaultConfigFlag = Flag{
		Name:       "generate-default-config",
		ConfigName: "generate-default-config",
		Default:    false,
		Usage:      "write the default config to trivy-default.yaml",
		Persistent: true,
	}
)
View Source
var (
	ImageConfigScannersFlag = Flag{
		Name:       "image-config-scanners",
		ConfigName: "image.image-config-scanners",
		Default:    []string{},
		Values: xstrings.ToStringSlice(types.Scanners{
			types.MisconfigScanner,
			types.SecretScanner,
		}),
		Usage: "comma-separated list of what security issues to detect on container image configurations",
	}
	ScanRemovedPkgsFlag = Flag{
		Name:       "removed-pkgs",
		ConfigName: "image.removed-pkgs",
		Default:    false,
		Usage:      "detect vulnerabilities of removed packages (only for Alpine)",
	}
	InputFlag = Flag{
		Name:       "input",
		ConfigName: "image.input",
		Default:    "",
		Usage:      "input file path instead of image name",
	}
	PlatformFlag = Flag{
		Name:       "platform",
		ConfigName: "image.platform",
		Default:    "",
		Usage:      "set platform in the form os/arch if image is multi-platform capable",
	}
	DockerHostFlag = Flag{
		Name:       "docker-host",
		ConfigName: "image.docker.host",
		Default:    "",
		Usage:      "unix domain socket path to use for docker scanning",
	}
	SourceFlag = Flag{
		Name:       "image-src",
		ConfigName: "image.source",
		Default:    xstrings.ToStringSlice(ftypes.AllImageSources),
		Values:     xstrings.ToStringSlice(ftypes.AllImageSources),
		Usage:      "image source(s) to use, in priority order",
	}
)
View Source
var (
	ClusterContextFlag = Flag{
		Name:       "context",
		ConfigName: "kubernetes.context",
		Default:    "",
		Usage:      "specify a context to scan",
		Aliases: []Alias{
			{Name: "ctx"},
		},
	}
	K8sNamespaceFlag = Flag{
		Name:       "namespace",
		ConfigName: "kubernetes.namespace",
		Shorthand:  "n",
		Default:    "",
		Usage:      "specify a namespace to scan",
	}
	KubeConfigFlag = Flag{
		Name:       "kubeconfig",
		ConfigName: "kubernetes.kubeconfig",
		Default:    "",
		Usage:      "specify the kubeconfig file path to use",
	}
	ComponentsFlag = Flag{
		Name:       "components",
		ConfigName: "kubernetes.components",
		Default: []string{
			"workload",
			"infra",
		},
		Values: []string{
			"workload",
			"infra",
		},
		Usage: "specify which components to scan",
	}
	K8sVersionFlag = Flag{
		Name:       "k8s-version",
		ConfigName: "kubernetes.k8s.version",
		Default:    "",
		Usage:      "specify k8s version to validate outdated api by it (example: 1.21.0)",
	}
	TolerationsFlag = Flag{
		Name:       "tolerations",
		ConfigName: "kubernetes.tolerations",
		Default:    []string{},
		Usage:      "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)",
	}
	AllNamespaces = Flag{
		Name:       "all-namespaces",
		ConfigName: "kubernetes.all.namespaces",
		Shorthand:  "A",
		Default:    false,
		Usage:      "fetch resources from all cluster namespaces",
	}
	NodeCollectorNamespace = Flag{
		Name:       "node-collector-namespace",
		ConfigName: "node.collector.namespace",
		Default:    "trivy-temp",
		Usage:      "specify the namespace in which the node-collector job should be deployed",
	}
	ExcludeOwned = Flag{
		Name:       "exclude-owned",
		ConfigName: "kubernetes.exclude.owned",
		Default:    false,
		Usage:      "exclude resources that have an owner reference",
	}
	ExcludeNodes = Flag{
		Name:       "exclude-nodes",
		ConfigName: "exclude.nodes",
		Default:    []string{},
		Usage:      "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
	}
	NodeCollectorImageRef = Flag{
		Name:       "node-collector-imageref",
		ConfigName: "node.collector.imageref",
		Default:    "ghcr.io/aquasecurity/node-collector:0.0.9",
		Usage:      "indicate the image reference for the node-collector scan job",
	}
)
View Source
var (
	LicenseFull = Flag{
		Name:       "license-full",
		ConfigName: "license.full",
		Default:    false,
		Usage:      "eagerly look for licenses in source code headers and license files",
	}
	IgnoredLicenses = Flag{
		Name:       "ignored-licenses",
		ConfigName: "license.ignored",
		Default:    []string{},
		Usage:      "specify a list of license to ignore",
	}
	LicenseConfidenceLevel = Flag{
		Name:       "license-confidence-level",
		ConfigName: "license.confidenceLevel",
		Default:    0.9,
		Usage:      "specify license classifier's confidence level",
	}

	// LicenseForbidden is an option only in a config file
	LicenseForbidden = Flag{
		ConfigName: "license.forbidden",
		Default:    licensing.ForbiddenLicenses,
		Usage:      "forbidden licenses",
	}
	// LicenseRestricted is an option only in a config file
	LicenseRestricted = Flag{
		ConfigName: "license.restricted",
		Default:    licensing.RestrictedLicenses,
		Usage:      "restricted licenses",
	}
	// LicenseReciprocal is an option only in a config file
	LicenseReciprocal = Flag{
		ConfigName: "license.reciprocal",
		Default:    licensing.ReciprocalLicenses,
		Usage:      "reciprocal licenses",
	}
	// LicenseNotice is an option only in a config file
	LicenseNotice = Flag{
		ConfigName: "license.notice",
		Default:    licensing.NoticeLicenses,
		Usage:      "notice licenses",
	}
	// LicensePermissive is an option only in a config file
	LicensePermissive = Flag{
		ConfigName: "license.permissive",
		Default:    licensing.PermissiveLicenses,
		Usage:      "permissive licenses",
	}
	// LicenseUnencumbered is an option only in a config file
	LicenseUnencumbered = Flag{
		ConfigName: "license.unencumbered",
		Default:    licensing.UnencumberedLicenses,
		Usage:      "unencumbered licenses",
	}
)
View Source
var (
	ResetPolicyBundleFlag = Flag{
		Name:       "reset-policy-bundle",
		ConfigName: "misconfiguration.reset-policy-bundle",
		Default:    false,
		Usage:      "remove policy bundle",
	}
	IncludeNonFailuresFlag = Flag{
		Name:       "include-non-failures",
		ConfigName: "misconfiguration.include-non-failures",
		Default:    false,
		Usage:      "include successes and exceptions, available with '--scanners misconfig'",
	}
	HelmValuesFileFlag = Flag{
		Name:       "helm-values",
		ConfigName: "misconfiguration.helm.values",
		Default:    []string{},
		Usage:      "specify paths to override the Helm values.yaml files",
	}
	HelmSetFlag = Flag{
		Name:       "helm-set",
		ConfigName: "misconfiguration.helm.set",
		Default:    []string{},
		Usage:      "specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
	}
	HelmSetFileFlag = Flag{
		Name:       "helm-set-file",
		ConfigName: "misconfiguration.helm.set-file",
		Default:    []string{},
		Usage:      "specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)",
	}
	HelmSetStringFlag = Flag{
		Name:       "helm-set-string",
		ConfigName: "misconfiguration.helm.set-string",
		Default:    []string{},
		Usage:      "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
	}
	TfVarsFlag = Flag{
		Name:       "tf-vars",
		ConfigName: "misconfiguration.terraform.vars",
		Default:    []string{},
		Usage:      "specify paths to override the Terraform tfvars files",
	}
	CfParamsFlag = Flag{
		Name:       "cf-params",
		ConfigName: "misconfiguration.cloudformation.params",
		Default:    []string{},
		Usage:      "specify paths to override the CloudFormation parameters files",
	}
	TerraformExcludeDownloaded = Flag{
		Name:       "tf-exclude-downloaded-modules",
		ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
		Default:    false,
		Usage:      "exclude misconfigurations for downloaded terraform modules",
	}
	PolicyBundleRepositoryFlag = Flag{
		Name:       "policy-bundle-repository",
		ConfigName: "misconfiguration.policy-bundle-repository",
		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
		Usage:      "OCI registry URL to retrieve policy bundle from",
	}
	MisconfigScannersFlag = Flag{
		Name:       "misconfig-scanners",
		ConfigName: "misconfiguration.scanners",
		Default:    xstrings.ToStringSlice(analyzer.TypeConfigFiles),
		Usage:      "comma-separated list of misconfig scanners to use for misconfiguration scanning",
	}
)

e.g. config yaml:

misconfiguration:
  trace: true
  config-policy: "custom-policy/policy"
  policy-namespaces: "user"
View Source
var (
	ModuleDirFlag = Flag{
		Name:       "module-dir",
		ConfigName: "module.dir",
		Default:    module.DefaultDir,
		Usage:      "specify directory to the wasm modules that will be loaded",
		Persistent: true,
	}
	EnableModulesFlag = Flag{
		Name:       "enable-modules",
		ConfigName: "module.enable-modules",
		Default:    []string{},
		Usage:      "[EXPERIMENTAL] module names to enable",
		Persistent: true,
	}
)
View Source
var (
	UsernameFlag = Flag{
		Name:       "username",
		ConfigName: "registry.username",
		Default:    []string{},
		Usage:      "username. Comma-separated usernames allowed.",
	}
	PasswordFlag = Flag{
		Name:       "password",
		ConfigName: "registry.password",
		Default:    []string{},
		Usage:      "password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.",
	}
	RegistryTokenFlag = Flag{
		Name:       "registry-token",
		ConfigName: "registry.token",
		Default:    "",
		Usage:      "registry token",
	}
)
View Source
var (
	SkipPolicyUpdateFlag = Flag{
		Name:       "skip-policy-update",
		ConfigName: "rego.skip-policy-update",
		Default:    false,
		Usage:      "skip fetching rego policy updates",
	}
	TraceFlag = Flag{
		Name:       "trace",
		ConfigName: "rego.trace",
		Default:    false,
		Usage:      "enable more verbose trace output for custom queries",
	}
	ConfigPolicyFlag = Flag{
		Name:       "config-policy",
		ConfigName: "rego.policy",
		Default:    []string{},
		Usage:      "specify the paths to the Rego policy files or to the directories containing them, applying config files",
		Aliases: []Alias{
			{Name: "policy"},
		},
	}
	ConfigDataFlag = Flag{
		Name:       "config-data",
		ConfigName: "rego.data",
		Default:    []string{},
		Usage:      "specify paths from which data for the Rego policies will be recursively loaded",
		Aliases: []Alias{
			{Name: "data"},
		},
	}
	PolicyNamespaceFlag = Flag{
		Name:       "policy-namespaces",
		ConfigName: "rego.namespaces",
		Default:    []string{},
		Usage:      "Rego namespaces",
		Aliases: []Alias{
			{Name: "namespaces"},
		},
	}
)

e.g. config yaml:

rego:
  trace: true
  config-policy: "custom-policy/policy"
  policy-namespaces: "user"
View Source
var (
	ServerTokenFlag = Flag{
		Name:       "token",
		ConfigName: "server.token",
		Default:    "",
		Usage:      "for authentication in client/server mode",
	}
	ServerTokenHeaderFlag = Flag{
		Name:       "token-header",
		ConfigName: "server.token-header",
		Default:    DefaultTokenHeader,
		Usage:      "specify a header name for token in client/server mode",
	}
	ServerAddrFlag = Flag{
		Name:       "server",
		ConfigName: "server.addr",
		Default:    "",
		Usage:      "server address in client mode",
	}
	ServerCustomHeadersFlag = Flag{
		Name:       "custom-headers",
		ConfigName: "server.custom-headers",
		Default:    []string{},
		Usage:      "custom headers in client mode",
	}
	ServerListenFlag = Flag{
		Name:       "listen",
		ConfigName: "server.listen",
		Default:    "localhost:4954",
		Usage:      "listen address in server mode",
	}
)
View Source
var (
	FetchBranchFlag = Flag{
		Name:       "branch",
		ConfigName: "repository.branch",
		Default:    "",
		Usage:      "pass the branch name to be scanned",
	}
	FetchCommitFlag = Flag{
		Name:       "commit",
		ConfigName: "repository.commit",
		Default:    "",
		Usage:      "pass the commit hash to be scanned",
	}
	FetchTagFlag = Flag{
		Name:       "tag",
		ConfigName: "repository.tag",
		Default:    "",
		Usage:      "pass the tag name to be scanned",
	}
)
View Source
var (
	FormatFlag = Flag{
		Name:       "format",
		ConfigName: "format",
		Shorthand:  "f",
		Default:    string(types.FormatTable),
		Values:     xstrings.ToStringSlice(types.SupportedFormats),
		Usage:      "format",
	}
	ReportFormatFlag = Flag{
		Name:       "report",
		ConfigName: "report",
		Default:    "all",
		Values:     []string{"all", "summary"},
		Usage:      "specify a report format for the output",
	}
	TemplateFlag = Flag{
		Name:       "template",
		ConfigName: "template",
		Shorthand:  "t",
		Default:    "",
		Usage:      "output template",
	}
	DependencyTreeFlag = Flag{
		Name:       "dependency-tree",
		ConfigName: "dependency-tree",
		Default:    false,
		Usage:      "[EXPERIMENTAL] show dependency origin tree of vulnerable packages",
	}
	ListAllPkgsFlag = Flag{
		Name:       "list-all-pkgs",
		ConfigName: "list-all-pkgs",
		Default:    false,
		Usage:      "enabling the option will output all packages regardless of vulnerability",
	}
	IgnoreFileFlag = Flag{
		Name:       "ignorefile",
		ConfigName: "ignorefile",
		Default:    result.DefaultIgnoreFile,
		Usage:      "specify .trivyignore file",
	}
	IgnorePolicyFlag = Flag{
		Name:       "ignore-policy",
		ConfigName: "ignore-policy",
		Default:    "",
		Usage:      "specify the Rego file path to evaluate each vulnerability",
	}
	ExitCodeFlag = Flag{
		Name:       "exit-code",
		ConfigName: "exit-code",
		Default:    0,
		Usage:      "specify exit code when any security issues are found",
	}
	ExitOnEOLFlag = Flag{
		Name:       "exit-on-eol",
		ConfigName: "exit-on-eol",
		Default:    0,
		Usage:      "exit with the specified code when the OS reaches end of service/life",
	}
	OutputFlag = Flag{
		Name:       "output",
		ConfigName: "output",
		Shorthand:  "o",
		Default:    "",
		Usage:      "output file name",
	}
	OutputPluginArgFlag = Flag{
		Name:       "output-plugin-arg",
		ConfigName: "output-plugin-arg",
		Default:    "",
		Usage:      "[EXPERIMENTAL] output plugin arguments",
	}
	SeverityFlag = Flag{
		Name:       "severity",
		ConfigName: "severity",
		Shorthand:  "s",
		Default:    dbTypes.SeverityNames,
		Values:     dbTypes.SeverityNames,
		Usage:      "severities of security issues to be displayed",
	}
	ComplianceFlag = Flag{
		Name:       "compliance",
		ConfigName: "scan.compliance",
		Default:    "",
		Usage:      "compliance report to generate",
	}
)

e.g. config yaml:

format: table
dependency-tree: true
severity: HIGH,CRITICAL
View Source
var (
	ArtifactTypeFlag = Flag{
		Name:       "artifact-type",
		ConfigName: "sbom.artifact-type",
		Default:    "",
		Usage:      "deprecated",
		Deprecated: true,
	}
	SBOMFormatFlag = Flag{
		Name:       "sbom-format",
		ConfigName: "sbom.format",
		Default:    "",
		Usage:      "deprecated",
		Deprecated: true,
	}
	VEXFlag = Flag{
		Name:       "vex",
		ConfigName: "sbom.vex",
		Default:    "",
		Usage:      "[EXPERIMENTAL] file path to VEX",
	}
)
View Source
var (
	SkipDirsFlag = Flag{
		Name:       "skip-dirs",
		ConfigName: "scan.skip-dirs",
		Default:    []string{},
		Usage:      "specify the directories or glob patterns to skip",
	}
	SkipFilesFlag = Flag{
		Name:       "skip-files",
		ConfigName: "scan.skip-files",
		Default:    []string{},
		Usage:      "specify the files or glob patterns to skip",
	}
	OfflineScanFlag = Flag{
		Name:       "offline-scan",
		ConfigName: "scan.offline",
		Default:    false,
		Usage:      "do not issue API requests to identify dependencies",
	}
	ScannersFlag = Flag{
		Name:       "scanners",
		ConfigName: "scan.scanners",
		Default: xstrings.ToStringSlice(types.Scanners{
			types.VulnerabilityScanner,
			types.SecretScanner,
		}),
		Values: xstrings.ToStringSlice(types.Scanners{
			types.VulnerabilityScanner,
			types.MisconfigScanner,
			types.SecretScanner,
			types.LicenseScanner,
		}),
		ValueNormalize: func(s string) string {
			switch s {
			case "vulnerability":
				return string(types.VulnerabilityScanner)
			case "misconf", "misconfiguration":
				return string(types.MisconfigScanner)
			case "config":
				log.Logger.Warn("'--scanner config' is deprecated. Use '--scanner misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.")
				return string(types.MisconfigScanner)
			}
			return s
		},
		Aliases: []Alias{
			{
				Name:       "security-checks",
				ConfigName: "scan.security-checks",
				Deprecated: true,
			},
		},
		Usage: "comma-separated list of what security issues to detect",
	}
	FilePatternsFlag = Flag{
		Name:       "file-patterns",
		ConfigName: "scan.file-patterns",
		Default:    []string{},
		Usage:      "specify config file patterns",
	}
	SlowFlag = Flag{
		Name:       "slow",
		ConfigName: "scan.slow",
		Default:    false,
		Usage:      "scan over time with lower CPU and memory utilization",
		Deprecated: true,
	}
	ParallelFlag = Flag{
		Name:       "parallel",
		ConfigName: "scan.parallel",
		Default:    5,
		Usage:      "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism",
	}
	SBOMSourcesFlag = Flag{
		Name:       "sbom-sources",
		ConfigName: "scan.sbom-sources",
		Default:    []string{},
		Values:     []string{"oci", "rekor"},
		Usage:      "[EXPERIMENTAL] try to retrieve SBOM from the specified sources",
	}
	RekorURLFlag = Flag{
		Name:       "rekor-url",
		ConfigName: "scan.rekor-url",
		Default:    "https://rekor.sigstore.dev",
		Usage:      "[EXPERIMENTAL] address of rekor STL server",
	}
	IncludeDevDepsFlag = Flag{
		Name:       "include-dev-deps",
		ConfigName: "include-dev-deps",
		Default:    false,
		Usage:      "include development dependencies in the report (supported: npm, yarn)",
	}
)
View Source
var (
	VulnTypeFlag = Flag{
		Name:       "vuln-type",
		ConfigName: "vulnerability.type",
		Default: []string{
			types.VulnTypeOS,
			types.VulnTypeLibrary,
		},
		Values: []string{
			types.VulnTypeOS,
			types.VulnTypeLibrary,
		},
		Usage: "comma-separated list of vulnerability types",
	}
	IgnoreUnfixedFlag = Flag{
		Name:       "ignore-unfixed",
		ConfigName: "vulnerability.ignore-unfixed",
		Default:    false,
		Usage:      "display only fixed vulnerabilities",
	}
	IgnoreStatusFlag = Flag{
		Name:       "ignore-status",
		ConfigName: "vulnerability.ignore-status",
		Default:    []string{},
		Values:     dbTypes.Statuses,
		Usage:      "comma-separated list of vulnerability status to ignore",
	}
)
View Source
var (
	SecretConfigFlag = Flag{
		Name:       "secret-config",
		ConfigName: "secret.config",
		Default:    "trivy-secret.yaml",
		Usage:      "specify a path to config file for secret scanning",
	}
)

Functions

This section is empty.

Types

type AWSFlagGroup

type AWSFlagGroup struct {
	Region       *Flag
	Endpoint     *Flag
	Services     *Flag
	SkipServices *Flag
	Account      *Flag
	ARN          *Flag
}

func NewAWSFlagGroup

func NewAWSFlagGroup() *AWSFlagGroup

func (*AWSFlagGroup) Flags

func (f *AWSFlagGroup) Flags() []*Flag

func (*AWSFlagGroup) Name

func (f *AWSFlagGroup) Name() string

func (*AWSFlagGroup) ToOptions

func (f *AWSFlagGroup) ToOptions() AWSOptions

type AWSOptions

type AWSOptions struct {
	Region       string
	Endpoint     string
	Services     []string
	SkipServices []string
	Account      string
	ARN          string
}

type Alias

type Alias struct {
	Name       string
	ConfigName string
	Deprecated bool
}

type CacheFlagGroup

type CacheFlagGroup struct {
	ClearCache   *Flag
	CacheBackend *Flag
	CacheTTL     *Flag

	RedisTLS    *Flag
	RedisCACert *Flag
	RedisCert   *Flag
	RedisKey    *Flag
}

CacheFlagGroup composes common printer flag structs used for commands requiring cache logic.

func NewCacheFlagGroup

func NewCacheFlagGroup() *CacheFlagGroup

NewCacheFlagGroup returns a default CacheFlagGroup

func (*CacheFlagGroup) Flags

func (fg *CacheFlagGroup) Flags() []*Flag

func (*CacheFlagGroup) Name

func (fg *CacheFlagGroup) Name() string

func (*CacheFlagGroup) ToOptions

func (fg *CacheFlagGroup) ToOptions() (CacheOptions, error)

type CacheOptions

type CacheOptions struct {
	ClearCache   bool
	CacheBackend string
	CacheTTL     time.Duration
	RedisTLS     bool
	RedisOptions
}

func (*CacheOptions) CacheBackendMasked

func (o *CacheOptions) CacheBackendMasked() string

CacheBackendMasked returns the redis connection string masking credentials

type CloudFlagGroup

type CloudFlagGroup struct {
	UpdateCache *Flag
	MaxCacheAge *Flag
}

func NewCloudFlagGroup

func NewCloudFlagGroup() *CloudFlagGroup

func (*CloudFlagGroup) Flags

func (f *CloudFlagGroup) Flags() []*Flag

func (*CloudFlagGroup) Name

func (f *CloudFlagGroup) Name() string

func (*CloudFlagGroup) ToOptions

func (f *CloudFlagGroup) ToOptions() CloudOptions

type CloudOptions

type CloudOptions struct {
	MaxCacheAge time.Duration
	UpdateCache bool
}

type DBFlagGroup

type DBFlagGroup struct {
	Reset              *Flag
	DownloadDBOnly     *Flag
	SkipDBUpdate       *Flag
	DownloadJavaDBOnly *Flag
	SkipJavaDBUpdate   *Flag
	NoProgress         *Flag
	DBRepository       *Flag
	JavaDBRepository   *Flag
	Light              *Flag // deprecated
}

DBFlagGroup composes common printer flag structs used for commands requiring DB logic.

func NewDBFlagGroup

func NewDBFlagGroup() *DBFlagGroup

NewDBFlagGroup returns a default DBFlagGroup

func (*DBFlagGroup) Flags

func (f *DBFlagGroup) Flags() []*Flag

func (*DBFlagGroup) Name

func (f *DBFlagGroup) Name() string

func (*DBFlagGroup) ToOptions

func (f *DBFlagGroup) ToOptions() (DBOptions, error)

type DBOptions

type DBOptions struct {
	Reset              bool
	DownloadDBOnly     bool
	SkipDBUpdate       bool
	DownloadJavaDBOnly bool
	SkipJavaDBUpdate   bool
	NoProgress         bool
	DBRepository       string
	JavaDBRepository   string
	Light              bool // deprecated
}

type Flag

type Flag struct {
	// Name is for CLI flag and environment variable.
	// If this field is empty, it will be available only in config file.
	Name string

	// ConfigName is a key in config file. It is also used as a key of viper.
	ConfigName string

	// Shorthand is a shorthand letter.
	Shorthand string

	// Default is the default value. It must be filled to determine the flag type.
	Default any

	// Values is a list of allowed values.
	// It currently supports string flags and string slice flags only.
	Values []string

	// ValueNormalize is a function to normalize the value.
	// It can be used for aliases, etc.
	ValueNormalize func(string) string

	// Usage explains how to use the flag.
	Usage string

	// Persistent represents if the flag is persistent
	Persistent bool

	// Deprecated represents if the flag is deprecated
	Deprecated bool

	// Aliases represents aliases
	Aliases []Alias
}

type FlagGroup

type FlagGroup interface {
	Name() string
	Flags() []*Flag
}

type Flags

type Flags struct {
	AWSFlagGroup           *AWSFlagGroup
	CacheFlagGroup         *CacheFlagGroup
	CloudFlagGroup         *CloudFlagGroup
	DBFlagGroup            *DBFlagGroup
	ImageFlagGroup         *ImageFlagGroup
	K8sFlagGroup           *K8sFlagGroup
	LicenseFlagGroup       *LicenseFlagGroup
	MisconfFlagGroup       *MisconfFlagGroup
	ModuleFlagGroup        *ModuleFlagGroup
	RemoteFlagGroup        *RemoteFlagGroup
	RegistryFlagGroup      *RegistryFlagGroup
	RegoFlagGroup          *RegoFlagGroup
	RepoFlagGroup          *RepoFlagGroup
	ReportFlagGroup        *ReportFlagGroup
	SBOMFlagGroup          *SBOMFlagGroup
	ScanFlagGroup          *ScanFlagGroup
	SecretFlagGroup        *SecretFlagGroup
	VulnerabilityFlagGroup *VulnerabilityFlagGroup
}

func (*Flags) AddFlags

func (f *Flags) AddFlags(cmd *cobra.Command)

func (*Flags) Bind

func (f *Flags) Bind(cmd *cobra.Command) error

func (*Flags) ToOptions

func (f *Flags) ToOptions(args []string, globalFlags *GlobalFlagGroup) (Options, error)

nolint: gocyclo

func (*Flags) Usages

func (f *Flags) Usages(cmd *cobra.Command) string

type GlobalFlagGroup

type GlobalFlagGroup struct {
	ConfigFile            *Flag
	ShowVersion           *Flag // spf13/cobra can't override the logic of version printing like VersionPrinter in urfave/cli. -v needs to be defined ourselves.
	Quiet                 *Flag
	Debug                 *Flag
	Insecure              *Flag
	Timeout               *Flag
	CacheDir              *Flag
	GenerateDefaultConfig *Flag
}

GlobalFlagGroup composes global flags

func NewGlobalFlagGroup

func NewGlobalFlagGroup() *GlobalFlagGroup

func (*GlobalFlagGroup) AddFlags

func (f *GlobalFlagGroup) AddFlags(cmd *cobra.Command)

func (*GlobalFlagGroup) Bind

func (f *GlobalFlagGroup) Bind(cmd *cobra.Command) error

func (*GlobalFlagGroup) ToOptions

func (f *GlobalFlagGroup) ToOptions() GlobalOptions

type GlobalOptions

type GlobalOptions struct {
	ConfigFile            string
	ShowVersion           bool
	Quiet                 bool
	Debug                 bool
	Insecure              bool
	Timeout               time.Duration
	CacheDir              string
	GenerateDefaultConfig bool
}

GlobalOptions defines flags and other configuration parameters for all the subcommands

type ImageFlagGroup

type ImageFlagGroup struct {
	Input               *Flag // local image archive
	ImageConfigScanners *Flag
	ScanRemovedPkgs     *Flag
	Platform            *Flag
	DockerHost          *Flag
	ImageSources        *Flag
}

func NewImageFlagGroup

func NewImageFlagGroup() *ImageFlagGroup

func (*ImageFlagGroup) Flags

func (f *ImageFlagGroup) Flags() []*Flag

func (*ImageFlagGroup) Name

func (f *ImageFlagGroup) Name() string

func (*ImageFlagGroup) ToOptions

func (f *ImageFlagGroup) ToOptions() (ImageOptions, error)

type ImageOptions

type ImageOptions struct {
	Input               string
	ImageConfigScanners types.Scanners
	ScanRemovedPkgs     bool
	Platform            ftypes.Platform
	DockerHost          string
	ImageSources        ftypes.ImageSources
}

type K8sFlagGroup

type K8sFlagGroup struct {
	ClusterContext         *Flag
	Namespace              *Flag
	KubeConfig             *Flag
	Components             *Flag
	K8sVersion             *Flag
	Tolerations            *Flag
	NodeCollectorImageRef  *Flag
	AllNamespaces          *Flag
	NodeCollectorNamespace *Flag
	ExcludeOwned           *Flag
	ExcludeNodes           *Flag
}

func NewK8sFlagGroup

func NewK8sFlagGroup() *K8sFlagGroup

func (*K8sFlagGroup) Flags

func (f *K8sFlagGroup) Flags() []*Flag

func (*K8sFlagGroup) Name

func (f *K8sFlagGroup) Name() string

func (*K8sFlagGroup) ToOptions

func (f *K8sFlagGroup) ToOptions() (K8sOptions, error)

type K8sOptions

type K8sOptions struct {
	ClusterContext         string
	Namespace              string
	KubeConfig             string
	Components             []string
	K8sVersion             string
	Tolerations            []corev1.Toleration
	NodeCollectorImageRef  string
	AllNamespaces          bool
	NodeCollectorNamespace string
	ExcludeOwned           bool
	ExcludeNodes           map[string]string
}

type LicenseFlagGroup

type LicenseFlagGroup struct {
	LicenseFull            *Flag
	IgnoredLicenses        *Flag
	LicenseConfidenceLevel *Flag

	// License Categories
	LicenseForbidden    *Flag // mapped to CRITICAL
	LicenseRestricted   *Flag // mapped to HIGH
	LicenseReciprocal   *Flag // mapped to MEDIUM
	LicenseNotice       *Flag // mapped to LOW
	LicensePermissive   *Flag // mapped to LOW
	LicenseUnencumbered *Flag // mapped to LOW
}

func NewLicenseFlagGroup

func NewLicenseFlagGroup() *LicenseFlagGroup

func (*LicenseFlagGroup) Flags

func (f *LicenseFlagGroup) Flags() []*Flag

func (*LicenseFlagGroup) Name

func (f *LicenseFlagGroup) Name() string

func (*LicenseFlagGroup) ToOptions

func (f *LicenseFlagGroup) ToOptions() LicenseOptions

type LicenseOptions

type LicenseOptions struct {
	LicenseFull            bool
	IgnoredLicenses        []string
	LicenseConfidenceLevel float64
	LicenseRiskThreshold   int
	LicenseCategories      map[types.LicenseCategory][]string
}

type MisconfFlagGroup

type MisconfFlagGroup struct {
	IncludeNonFailures     *Flag
	ResetPolicyBundle      *Flag
	PolicyBundleRepository *Flag

	// Values Files
	HelmValues                 *Flag
	HelmValueFiles             *Flag
	HelmFileValues             *Flag
	HelmStringValues           *Flag
	TerraformTFVars            *Flag
	CloudformationParamVars    *Flag
	TerraformExcludeDownloaded *Flag
	MisconfigScanners          *Flag
}

MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.

func NewMisconfFlagGroup

func NewMisconfFlagGroup() *MisconfFlagGroup

func (*MisconfFlagGroup) Flags

func (f *MisconfFlagGroup) Flags() []*Flag

func (*MisconfFlagGroup) Name

func (f *MisconfFlagGroup) Name() string

func (*MisconfFlagGroup) ToOptions

func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error)

type MisconfOptions

type MisconfOptions struct {
	IncludeNonFailures     bool
	ResetPolicyBundle      bool
	PolicyBundleRepository string

	// Values Files
	HelmValues              []string
	HelmValueFiles          []string
	HelmFileValues          []string
	HelmStringValues        []string
	TerraformTFVars         []string
	CloudFormationParamVars []string
	TfExcludeDownloaded     bool
	MisconfigScanners       []analyzer.Type
}

type ModuleFlagGroup

type ModuleFlagGroup struct {
	Dir            *Flag
	EnabledModules *Flag
}

ModuleFlagGroup defines flags for modules

func NewModuleFlagGroup

func NewModuleFlagGroup() *ModuleFlagGroup

func (*ModuleFlagGroup) Flags

func (f *ModuleFlagGroup) Flags() []*Flag

func (*ModuleFlagGroup) Name

func (f *ModuleFlagGroup) Name() string

func (*ModuleFlagGroup) ToOptions

func (f *ModuleFlagGroup) ToOptions() ModuleOptions

type ModuleOptions

type ModuleOptions struct {
	ModuleDir      string
	EnabledModules []string
}

type Options

type Options struct {
	GlobalOptions
	AWSOptions
	CacheOptions
	CloudOptions
	DBOptions
	ImageOptions
	K8sOptions
	LicenseOptions
	MisconfOptions
	ModuleOptions
	RegistryOptions
	RegoOptions
	RemoteOptions
	RepoOptions
	ReportOptions
	SBOMOptions
	ScanOptions
	SecretOptions
	VulnerabilityOptions

	// Trivy's version, not populated via CLI flags
	AppVersion string

	// Deepfactor dfctl version
	DfctlVersion string

	// Deepfactor dfctl image url
	DfctlImage string

	OnlyFetchDFScanRegistrationMeta bool // fetch only basic metadata required to register df static scan

	OnlyInspectArtifact bool // only inspect/validate artifact as part of scan and return metadata

	// We don't want to allow disabled analyzers to be passed by users, but it is necessary for internal use.
	DisabledAnalyzers []analyzer.Type
	// contains filtered or unexported fields
}

Options holds all the runtime configuration

func (*Options) Align

func (o *Options) Align()

Align takes consistency of options

func (*Options) FilterOpts

func (o *Options) FilterOpts() result.FilterOption

FilterOpts returns options for filtering

func (*Options) OutputWriter

func (o *Options) OutputWriter(ctx context.Context) (io.Writer, func() error, error)

OutputWriter returns an output writer. If the output file is not specified, it returns os.Stdout.

func (*Options) RegistryOpts

func (o *Options) RegistryOpts() ftypes.RegistryOptions

RegistryOpts returns options for OCI registries

func (*Options) SetOutputWriter

func (o *Options) SetOutputWriter(w io.Writer)

SetOutputWriter sets an output writer.

type RedisOptions

type RedisOptions struct {
	RedisCACert string
	RedisCert   string
	RedisKey    string
}

RedisOptions holds the options for redis cache

type RegistryFlagGroup

type RegistryFlagGroup struct {
	Username      *Flag
	Password      *Flag
	RegistryToken *Flag
}

func NewRegistryFlagGroup

func NewRegistryFlagGroup() *RegistryFlagGroup

func (*RegistryFlagGroup) Flags

func (f *RegistryFlagGroup) Flags() []*Flag

func (*RegistryFlagGroup) Name

func (f *RegistryFlagGroup) Name() string

func (*RegistryFlagGroup) ToOptions

func (f *RegistryFlagGroup) ToOptions() (RegistryOptions, error)

type RegistryOptions

type RegistryOptions struct {
	Credentials   []types.Credential
	RegistryToken string
}

type RegoFlagGroup

type RegoFlagGroup struct {
	SkipPolicyUpdate *Flag
	Trace            *Flag
	PolicyPaths      *Flag
	DataPaths        *Flag
	PolicyNamespaces *Flag
}

RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.

func NewRegoFlagGroup

func NewRegoFlagGroup() *RegoFlagGroup

func (*RegoFlagGroup) Flags

func (f *RegoFlagGroup) Flags() []*Flag

func (*RegoFlagGroup) Name

func (f *RegoFlagGroup) Name() string

func (*RegoFlagGroup) ToOptions

func (f *RegoFlagGroup) ToOptions() (RegoOptions, error)

type RegoOptions

type RegoOptions struct {
	SkipPolicyUpdate bool
	Trace            bool
	PolicyPaths      []string
	DataPaths        []string
	PolicyNamespaces []string
}

type RemoteFlagGroup

type RemoteFlagGroup struct {
	// for client/server
	Token       *Flag
	TokenHeader *Flag

	// for client
	ServerAddr    *Flag
	CustomHeaders *Flag

	// for server
	Listen *Flag
}

RemoteFlagGroup composes common printer flag structs used for commands requiring reporting logic.

func NewClientFlags

func NewClientFlags() *RemoteFlagGroup

func NewServerFlags

func NewServerFlags() *RemoteFlagGroup

func (*RemoteFlagGroup) Flags

func (f *RemoteFlagGroup) Flags() []*Flag

func (*RemoteFlagGroup) Name

func (f *RemoteFlagGroup) Name() string

func (*RemoteFlagGroup) ToOptions

func (f *RemoteFlagGroup) ToOptions() RemoteOptions

type RemoteOptions

type RemoteOptions struct {
	Token       string
	TokenHeader string

	ServerAddr    string
	Listen        string
	CustomHeaders http.Header
}

type RepoFlagGroup

type RepoFlagGroup struct {
	Branch *Flag
	Commit *Flag
	Tag    *Flag
}

func NewRepoFlagGroup

func NewRepoFlagGroup() *RepoFlagGroup

func (*RepoFlagGroup) Flags

func (f *RepoFlagGroup) Flags() []*Flag

func (*RepoFlagGroup) Name

func (f *RepoFlagGroup) Name() string

func (*RepoFlagGroup) ToOptions

func (f *RepoFlagGroup) ToOptions() RepoOptions

type RepoOptions

type RepoOptions struct {
	RepoBranch string
	RepoCommit string
	RepoTag    string
}

type ReportFlagGroup

type ReportFlagGroup struct {
	Format          *Flag
	ReportFormat    *Flag
	Template        *Flag
	DependencyTree  *Flag
	ListAllPkgs     *Flag
	IgnoreFile      *Flag
	IgnorePolicy    *Flag
	ExitCode        *Flag
	ExitOnEOL       *Flag
	Output          *Flag
	OutputPluginArg *Flag
	Severity        *Flag
	Compliance      *Flag
}

ReportFlagGroup composes common printer flag structs used for commands requiring reporting logic.

func NewReportFlagGroup

func NewReportFlagGroup() *ReportFlagGroup

func (*ReportFlagGroup) Flags

func (f *ReportFlagGroup) Flags() []*Flag

func (*ReportFlagGroup) Name

func (f *ReportFlagGroup) Name() string

func (*ReportFlagGroup) ToOptions

func (f *ReportFlagGroup) ToOptions() (ReportOptions, error)

type ReportOptions

type ReportOptions struct {
	Format           types.Format
	ReportFormat     string
	Template         string
	DependencyTree   bool
	ListAllPkgs      bool
	IgnoreFile       string
	ExitCode         int
	ExitOnEOL        int
	IgnorePolicy     string
	Output           string
	OutputPluginArgs []string
	Severities       []dbTypes.Severity
	Compliance       spec.ComplianceSpec
}

type SBOMFlagGroup

type SBOMFlagGroup struct {
	ArtifactType *Flag // deprecated
	SBOMFormat   *Flag // deprecated
	VEXPath      *Flag
}

func NewSBOMFlagGroup

func NewSBOMFlagGroup() *SBOMFlagGroup

func (*SBOMFlagGroup) Flags

func (f *SBOMFlagGroup) Flags() []*Flag

func (*SBOMFlagGroup) Name

func (f *SBOMFlagGroup) Name() string

func (*SBOMFlagGroup) ToOptions

func (f *SBOMFlagGroup) ToOptions() (SBOMOptions, error)

type SBOMOptions

type SBOMOptions struct {
	VEXPath string
}

type ScanFlagGroup

type ScanFlagGroup struct {
	SkipDirs       *Flag
	SkipFiles      *Flag
	OfflineScan    *Flag
	Scanners       *Flag
	FilePatterns   *Flag
	Slow           *Flag // deprecated
	Parallel       *Flag
	SBOMSources    *Flag
	RekorURL       *Flag
	IncludeDevDeps *Flag
}

func NewScanFlagGroup

func NewScanFlagGroup() *ScanFlagGroup

func (*ScanFlagGroup) Flags

func (f *ScanFlagGroup) Flags() []*Flag

func (*ScanFlagGroup) Name

func (f *ScanFlagGroup) Name() string

func (*ScanFlagGroup) ToOptions

func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error)

type ScanOptions

type ScanOptions struct {
	Target         string
	SkipDirs       []string
	SkipFiles      []string
	OfflineScan    bool
	Scanners       types.Scanners
	FilePatterns   []string
	ArtifactType   ftypes.ArtifactType
	Parallel       int
	SBOMSources    []string
	RekorURL       string
	IncludeDevDeps bool
}

type SecretFlagGroup

type SecretFlagGroup struct {
	SecretConfig *Flag
}

func NewSecretFlagGroup

func NewSecretFlagGroup() *SecretFlagGroup

func (*SecretFlagGroup) Flags

func (f *SecretFlagGroup) Flags() []*Flag

func (*SecretFlagGroup) Name

func (f *SecretFlagGroup) Name() string

func (*SecretFlagGroup) ToOptions

func (f *SecretFlagGroup) ToOptions() SecretOptions

type SecretOptions

type SecretOptions struct {
	SecretConfigPath string
}

type ValueNormalizeFunc

type ValueNormalizeFunc func(string) string

type VulnerabilityFlagGroup

type VulnerabilityFlagGroup struct {
	VulnType      *Flag
	IgnoreUnfixed *Flag
	IgnoreStatus  *Flag
}

func NewVulnerabilityFlagGroup

func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup

func (*VulnerabilityFlagGroup) Flags

func (f *VulnerabilityFlagGroup) Flags() []*Flag

func (*VulnerabilityFlagGroup) Name

func (f *VulnerabilityFlagGroup) Name() string

func (*VulnerabilityFlagGroup) ToOptions

type VulnerabilityOptions

type VulnerabilityOptions struct {
	VulnType       []string
	IgnoreStatuses []dbTypes.Status
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL