🚀 What's new? 🚀
🖇️ OCI Referrers 📜
When scanning an image from a registry, Trivy can now discover the SBOM for that image using the new OCI 1.1 artifact and referrers support. To enable this, use the --sbom-sources oci flag:
trivy image myregistry.com/app:latest --sbom-sources oci
...
2023-04-17T15:01:54.038+0300 INFO Detected SBOM format: cyclonedx-json
2023-04-17T15:01:54.136+0300 INFO Found SBOM (cyclonedx) in the OCI referrers
Trivy also has a new plugin, trivy-plugin-referrer, to help with managing artifacts and references in an OCI registry.
It can:
push an SBOM (cyclonedx/spdx) to the registry as a referrer
push a vulnerability report (cosign-vuln/sarif) to the registry as a referrer
when pushing, detect the subject image and the artifact type automatically and add the appropriate annotations
list the referrers of an image, in various useful formats
You can find more information about the trivy referrer plugin here: https://github.com/aquasecurity/trivy-plugin-referrer/
⚠️EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.
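The lookup behind --sbom-sources oci, and the subject/artifactType fields the referrer plugin sets when it pushes, as an added example (not Trivy's or the plugin's own code). It runs against a constructed in-memory registry: it queries the OCI 1.1 referrers API for the image digest, falls back to the OCI 1.1 referrers tag schema (sha256-<hex>) when the registry predates the API, keeps only descriptors whose artifactType is an SBOM media type, and then checks that the fetched manifest hashes to the advertised digest and that its subject really names this image. The media types and the fallback path are OCI 1.1 spec facts; which artifact types Trivy accepts, and the vuln-report media type used for the non-SBOM referrer, are assumptions.

```python
"""SBOM discovery through OCI 1.1 referrers (added example, not Trivy's code)."""
from __future__ import annotations
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
EMPTY_CONFIG = "application/vnd.oci.empty.v1+json"
# Assumption: the SBOM artifact types a scanner would accept from the registry.
SBOM_ARTIFACT_TYPES = ("application/vnd.cyclonedx+json", "application/spdx+json")

def digest_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def referrers_tag(subject_digest: str) -> str:
    """OCI 1.1 fallback tag for registries without the referrers API: sha256:abc -> sha256-abc."""
    return subject_digest.replace(":", "-", 1)

class FakeRegistry:
    """In-memory stand-in (constructed) for the registry endpoints the lookup needs."""

    def __init__(self, supports_referrers_api: bool):
        self.supports_referrers_api = supports_referrers_api
        self.manifests: dict[str, bytes] = {}  # keyed by digest, and by tag when tagged
        self.blobs: dict[str, bytes] = {}

    def put_blob(self, data: bytes) -> str:
        self.blobs[digest_of(data)] = data
        return digest_of(data)

    def put_manifest(self, manifest: dict, tag: str | None = None) -> str:
        raw = json.dumps(manifest, sort_keys=True).encode()
        self.manifests[digest_of(raw)] = raw
        if tag:
            self.manifests[tag] = raw
        return digest_of(raw)

    def get_referrers(self, subject_digest: str) -> dict | None:
        """GET /v2/<name>/referrers/<digest>; None models the 404 of a pre-1.1 registry."""
        if not self.supports_referrers_api:
            return None
        descs = []
        for ref, raw in self.manifests.items():
            m = json.loads(raw)
            if ref.startswith("sha256:") and m.get("subject", {}).get("digest") == subject_digest:
                descs.append({"mediaType": m["mediaType"], "artifactType": m.get("artifactType"),
                              "digest": ref, "size": len(raw)})
        return {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": descs}

    def get_manifest(self, reference: str) -> bytes | None:
        return self.manifests.get(reference)

def discover_sbom(reg: FakeRegistry, image_digest: str) -> tuple[str, bytes] | None:
    """Return (artifactType, sbom_bytes) for the first trustworthy SBOM referrer, else None."""
    index = reg.get_referrers(image_digest)
    if index is None:  # old registry: fall back to the referrers tag schema
        raw = reg.get_manifest(referrers_tag(image_digest))
        if raw is None:
            return None
        index = json.loads(raw)
    for desc in index.get("manifests", []):
        if desc.get("artifactType") not in SBOM_ARTIFACT_TYPES:
            continue  # signatures, attestations, vuln reports: not an SBOM
        raw = reg.get_manifest(desc["digest"])
        if raw is None or digest_of(raw) != desc["digest"]:
            continue  # content addressing: what we fetched must hash to what was advertised
        manifest = json.loads(raw)
        if manifest.get("subject", {}).get("digest") != image_digest:
            continue  # a tag-schema index is mutable; trust only referrers that name this image
        for layer in manifest.get("layers", []):
            blob = reg.blobs.get(layer["digest"])
            if blob is not None and digest_of(blob) == layer["digest"]:
                return desc["artifactType"], blob
    return None

def build_sample_registry(supports_referrers_api: bool) -> tuple[FakeRegistry, str]:
    """Constructed fixture: an image, its SBOM, a non-SBOM referrer, and a decoy SBOM on another image."""
    reg = FakeRegistry(supports_referrers_api)
    cfg = reg.put_blob(b"{}")
    image = {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [],
             "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": cfg, "size": 2}}
    image_digest = reg.put_manifest(image, tag="latest")
    other_digest = reg.put_manifest({**image, "annotations": {"example": "a different image"}})

    def attach(subject: str, artifact_type: str, payload: bytes) -> dict:
        blob = reg.put_blob(payload)
        m = {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "artifactType": artifact_type,
             "config": {"mediaType": EMPTY_CONFIG, "digest": cfg, "size": 2},
             "layers": [{"mediaType": artifact_type, "digest": blob, "size": len(payload)}],
             "subject": {"mediaType": OCI_MANIFEST, "digest": subject, "size": len(reg.manifests[subject])}}
        d = reg.put_manifest(m)
        return {"mediaType": OCI_MANIFEST, "artifactType": artifact_type, "digest": d, "size": len(reg.manifests[d])}

    decoy = attach(other_digest, SBOM_ARTIFACT_TYPES[0], b'{"bomFormat":"CycloneDX","components":[{"name":"decoy"}]}')
    report = attach(image_digest, "application/vnd.example.vuln-report+json", b"{}")  # hypothetical type
    real = attach(image_digest, SBOM_ARTIFACT_TYPES[0], b'{"bomFormat":"CycloneDX","components":[{"name":"app"}]}')
    # Tag-schema index for the fallback path; the decoy is listed first to show it is rejected.
    reg.put_manifest({"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [decoy, report, real]},
                     tag=referrers_tag(image_digest))
    return reg, image_digest

if __name__ == "__main__":
    for api in (True, False):
        reg, d = build_sample_registry(api)
        print("referrers API" if api else "tag fallback", "->", discover_sbom(reg, d))
```

The subject check matters most on the tag-schema path: a referrers tag is an ordinary mutable tag, so anyone who can push to the repository can point it at an index that lists an SBOM for some other image, whereas the referrers API only returns manifests whose subject field names the requested digest.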
🌟 Skip files/dirs by globstar
--skip-files and --skip-dirs now support globstar (**).
$ trivy fs --skip-files "**/gosu" ./
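What the globstar buys you over a plain wildcard, as an added example (not Trivy's code): a translator from the --skip-files/--skip-dirs glob syntax to a regular expression, applied to a constructed file list. The semantics assumed here are the common doublestar ones, with "**" spanning any number of path segments including none and "*" and "?" never crossing a "/"; how Trivy roots the patterns relative to the scan directory is not modelled.

```python
"""Globstar skip patterns (added example, not Trivy's code)."""
import re

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a skip pattern with doublestar semantics (assumed) into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")  # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")  # trailing '**': the rest of the path, slashes included
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")  # a single path segment (or part of one)
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def apply_skips(paths, skip_files=(), skip_dirs=()):
    """Return the paths a walker would still scan after honouring both skip lists."""
    file_res = [glob_to_regex(p) for p in skip_files]
    dir_res = [glob_to_regex(p) for p in skip_dirs]
    kept = []
    for path in paths:
        if any(r.match(path) for r in file_res):
            continue
        parts = path.split("/")
        # every proper ancestor directory, shallowest first; a dir pattern prunes the subtree
        ancestors = ["/".join(parts[:n]) for n in range(1, len(parts))]
        if any(r.match(a) for r in dir_res for a in ancestors):
            continue
        kept.append(path)
    return kept

# Constructed file list standing in for a filesystem scan target.
SAMPLE_PATHS = [
    "gosu",
    "bin/gosu",
    "usr/local/bin/gosu",
    "usr/bin/gosu.sh",
    "opt/tools/gosu",
    "app/node_modules/leftpad/index.js",
    "app/src/main.go",
]

if __name__ == "__main__":
    print("--skip-files '**/gosu' keeps:", apply_skips(SAMPLE_PATHS, skip_files=["**/gosu"]))
    print("--skip-files '*/gosu'  keeps:", apply_skips(SAMPLE_PATHS, skip_files=["*/gosu"]))
    print("--skip-dirs '**/node_modules' keeps:", apply_skips(SAMPLE_PATHS, skip_dirs=["**/node_modules"]))
```

With "*/gosu" only the copy exactly one directory deep is skipped; "**/gosu" also catches the one at the root and the ones nested several levels down, while "usr/bin/gosu.sh" is kept because the pattern is anchored at the end of the name.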
🦀 Cargo.lock v3 support
Trivy can now generate an SBOM from, and scan for vulnerabilities in, Cargo.lock files written in the v3 lockfile format.
$ trivy fs ./Cargo.lock
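The part of a Cargo.lock scan that a vulnerability scanner has to get right before it can look anything up, as an added example (not Trivy's code): turning a v3 lockfile into concrete (name, version) pairs with resolved dependency edges. In a v2/v3 lockfile a dependency is written as just "name" when only one version of that crate is locked, as "name version" when several are, and as "name version (source)" when even that is ambiguous; the resolver applies that rule and fails loudly on an entry it cannot pin to exactly one package. The lockfile is constructed and its checksums are placeholders, not real crate hashes.

```python
"""Cargo.lock v3 to a resolved package list (added example, not Trivy's code)."""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed lockfile. The checksums are placeholders, not real crate hashes.
CARGO_LOCK_V3 = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "legacy",
 "rand 0.8.5",
 "serde",
]

[[package]]
name = "legacy"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000001"
dependencies = [
 "rand 0.7.3",
]

[[package]]
name = "rand"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000002"
dependencies = [
 "rand_core",
]

[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000003"
dependencies = [
 "rand_core",
]

[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000004"

[[package]]
name = "serde"
version = "1.0.160"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000005"
"""

def purl(pkg: dict) -> str:
    return f"pkg:cargo/{pkg['name']}@{pkg['version']}"

def resolve(dep: str, by_name: dict) -> dict:
    """Map a lockfile dependency string ("name", "name ver", "name ver (source)") to one package."""
    parts = dep.split(" ", 2)
    candidates = by_name.get(parts[0], [])
    if len(parts) >= 2:
        candidates = [p for p in candidates if p["version"] == parts[1]]
    if len(parts) == 3:
        candidates = [p for p in candidates if p.get("source") == parts[2].strip("()")]
    if len(candidates) != 1:
        raise ValueError(f"dependency {dep!r} resolves to {len(candidates)} packages, expected exactly 1")
    return candidates[0]

def packages(lock_text: str) -> list:
    """Every locked crate as a purl with its checksum, origin and resolved dependency purls."""
    data = tomllib.loads(lock_text)
    if data.get("version") != 3:
        raise ValueError(f"expected Cargo.lock version 3, got {data.get('version')!r}")
    by_name: dict = {}
    for p in data["package"]:
        by_name.setdefault(p["name"], []).append(p)
    return [{
        "purl": purl(p),
        "checksum": p.get("checksum"),      # absent for workspace members
        "from_registry": "source" in p,     # workspace members have no source
        "depends_on": [purl(resolve(d, by_name)) for d in p.get("dependencies", [])],
    } for p in data["package"]]

if __name__ == "__main__":
    for entry in packages(CARGO_LOCK_V3):
        print(entry["purl"], "->", entry["depends_on"])
```

Two versions of rand are locked at once, which is exactly the case where a scanner that matched on crate name alone would report the wrong version; the graph edges show which of them each consumer actually pulls in.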
📦 Signed Trivy RPM Package 🔏
Trivy's RPM package is now signed. You can verify the signature during installation by specifying the GPG key in the repository definition; with gpgcheck=1, dnf/yum refuses to install a package that does not verify against that key. In the snippet below, $RELEASE_VERSION must be set in your shell before you run it (the heredoc expands it), while \$basearch is escaped on purpose so that the package manager expands it later:
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
EOF
📄 Image metadata in SARIF format
When generating a SARIF report, Trivy now stores information about the scanned image inside the report: the image name, digest, and tags are added to the property bag of the "Run" object, so a consumer can tell which image a report describes.
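A consumer-side use of that metadata, as an added example (not Trivy's code): a CI gate that reads the image fields out of the run's property bag, refuses to act on a report whose digest is not the one that was just built, and only then summarises the results by level. The property key names used here (imageName, repoDigests, repoTags) are an assumption about Trivy's output; the SARIF document is constructed, with a placeholder rule id rather than a real CVE.

```python
"""Checking which image a Trivy SARIF report describes (added example, not Trivy's code)."""
import hashlib
from collections import Counter

# Digest of the image "we" built, derived from constructed bytes rather than a real image.
BUILT_DIGEST = "sha256:" + hashlib.sha256(b"constructed image").hexdigest()

# Constructed report; property key names are an assumption about Trivy's SARIF output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [{"id": "EXAMPLE-0001"}]}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error", "message": {"text": "placeholder finding"}},
            {"ruleId": "EXAMPLE-0001", "level": "warning", "message": {"text": "placeholder finding"}},
        ],
        "properties": {
            "imageName": "myregistry.com/app:latest",
            "repoDigests": ["myregistry.com/app@" + BUILT_DIGEST],
            "repoTags": ["myregistry.com/app:latest"],
        },
    }],
}

def image_metadata(run: dict) -> dict:
    """Image name, digests and tags from the run's property bag (empty values when absent)."""
    props = run.get("properties", {})
    return {
        "imageName": props.get("imageName", ""),
        "repoDigests": list(props.get("repoDigests", [])),
        "repoTags": list(props.get("repoTags", [])),
    }

def run_covers_digest(run: dict, expected_digest: str) -> bool:
    """True if any repo digest in the run is <repository>@<expected_digest>."""
    return any(ref.rsplit("@", 1)[-1] == expected_digest for ref in image_metadata(run)["repoDigests"])

def gate(sarif: dict, expected_digest: str) -> dict:
    """Fail closed on a report for the wrong (or an unknown) image; otherwise count results by level."""
    run = sarif["runs"][0]
    meta = image_metadata(run)
    if not run_covers_digest(run, expected_digest):
        raise ValueError(f"report is for {meta['repoDigests'] or 'an unknown image'}, not {expected_digest}")
    counts = Counter(r.get("level", "none") for r in run.get("results", []))
    return {"image": meta["imageName"], "tags": meta["repoTags"], **dict(counts)}

if __name__ == "__main__":
    print(gate(SAMPLE_SARIF, BUILT_DIGEST))
```

Matching on the digest rather than the tag is deliberate: a tag such as latest can be moved between builds, so a report that names only a tag could describe an older image than the one the pipeline is about to ship.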
🐙 Support for Chainguard commercial distro 🐺
Trivy now supports vulnerability scanning for Chainguard Linux, a commercial distribution based on Wolfi.
(Thanks @luhring)
This discussion was created from the release v0.40.0.