Language-specific Packages
Trivy
automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
Language | File | Image6 | Rootfs7 | Filesystem8 | Repository9 | Dev dependencies |
---|---|---|---|---|---|---|
Ruby | Gemfile.lock | - | - | ✅ | ✅ | included |
gemspec | ✅ | ✅ | - | - | included | |
Python | Pipfile.lock | - | - | ✅ | ✅ | excluded |
poetry.lock | - | - | ✅ | ✅ | included | |
requirements.txt | - | - | ✅ | ✅ | included | |
egg package1 | ✅ | ✅ | - | - | excluded | |
wheel package2 | ✅ | ✅ | - | - | excluded | |
PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded |
Node.js | package-lock.json | - | - | ✅ | ✅ | excluded |
yarn.lock | - | - | ✅ | ✅ | included | |
package.json | ✅ | ✅ | - | - | excluded | |
.NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included |
Java | JAR/WAR/EAR34 | ✅ | ✅ | ✅ | ✅ | included |
Go | Binaries built by Go5 | ✅ | ✅ | - | - | excluded |
go.sum | - | - | ✅ | ✅ | included |
The path of these files does not matter.
Example: Dockerfile
*.egg-info
,*.egg-info/PKG-INFO
,*.egg
andEGG-INFO/PKG-INFO
↩.dist-info/META-DATA
↩*.jar
,*.war
, and*.ear
↩It requires the Internet access ↩
UPX-compressed binaries don’t work ↩
✅ means “enabled” and
-
means “disabled” in the image scanning ↩✅ means “enabled” and
-
means “disabled” in the rootfs scanning ↩✅ means “enabled” and
-
means “disabled” in the filesystem scanning ↩✅ means “enabled” and
-
means “disabled” in the git repository scanning ↩