Language-specific Packages

Trivy automatically detects the following files in the scan target and scans the application dependencies they describe for vulnerabilities.

| Language | File | Image [6] | Rootfs [7] | Filesystem [8] | Repository [9] | Dev dependencies |
|----------|------|-----------|------------|----------------|----------------|------------------|
| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included |
| | gemspec | ✅ | ✅ | - | - | included |
| Python | Pipfile.lock | - | - | ✅ | ✅ | excluded |
| | poetry.lock | - | - | ✅ | ✅ | included |
| | requirements.txt | - | - | ✅ | ✅ | included |
| | egg package [1] | ✅ | ✅ | - | - | excluded |
| | wheel package [2] | ✅ | ✅ | - | - | excluded |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded |
| Node.js | package-lock.json | - | - | ✅ | ✅ | excluded |
| | yarn.lock | - | - | ✅ | ✅ | included |
| | package.json | ✅ | ✅ | - | - | excluded |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included |
| Java | JAR/WAR/EAR [3] [4] | ✅ | ✅ | ✅ | ✅ | included |
| Go | Binaries built by Go [5] | ✅ | ✅ | - | - | excluded |
| | go.sum | - | - | ✅ | ✅ | included |

The location of these files inside the scan target does not matter; Trivy finds them wherever they are.

Example: Dockerfile


  1. *.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO

  2. *.dist-info/METADATA

  3. *.jar, *.war, and *.ear

  4. Requires Internet access

  5. UPX-compressed binaries are not supported

  6. ✅ means "enabled" and - means "disabled" in image scanning

  7. ✅ means "enabled" and - means "disabled" in rootfs scanning

  8. ✅ means "enabled" and - means "disabled" in filesystem scanning

  9. ✅ means "enabled" and - means "disabled" in git repository scanning