Application Dependencies

Trivy automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

  • Ruby
    • Gemfile.lock
  • Python
    • Pipfile.lock
    • poetry.lock
  • PHP
    • composer.lock
  • Node.js
    • package-lock.json
    • yarn.lock
  • Rust
    • Cargo.lock
  • .NET
    • packages.lock.json
  • Java
    • JAR/WAR/EAR files (.jar, .war, and *.ear)
  • Go
    • Binaries built by Go (UPX-compressed binaries don’t work)

The path of these files does not matter.

Example: https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile