aquasecurity · knqyf263 · Jul 10, 2022 · Jul 10, 2022 · Jul 10, 2022 · Jul 10, 2022
@@ -1,32 +1,69 @@
 # Client
 
 ```bash
-NAME:
-   trivy client - DEPRECATED client mode, use `trivy image` with `--server` option for remote scans now.
-
-USAGE:
-   trivy image --server value
-
-   trivy client [deprecated command options] image_name
-
-DEPRECATED OPTIONS:
-   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
-   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value    output file name [$TRIVY_OUTPUT]
-   --exit-code value           Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --ignore-unfixed            display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs              detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
-   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --token value               for authentication [$TRIVY_TOKEN]
-   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
-   --custom-headers value      custom headers [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                  show help (default: false)
+Usage:
+  [DEPRECATED] trivy client [flags] IMAGE_NAME
+
+Aliases:
+  client, c
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+      --report string          specify a report format for the output. (all,summary) (default "all")
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --remote string            server address (default "http://localhost:4954")
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```
@@ -1,29 +1,52 @@
 # Config
 
 ``` bash
-NAME:
-   trivy config - scan config files
-
-USAGE:
-   trivy config [command options] dir
-
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --reset                                        remove all caches and database (default: false) [$TRIVY_RESET]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
-   --policy value, --config-policy value          specify paths to the Rego policy files directory, applying config files [$TRIVY_POLICY]
-   --data value, --config-data value              specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
-   --file-patterns value                          specify file patterns [$TRIVY_FILE_PATTERNS]
-   --include-successes                            include successes of misconfigurations (default: false) [$TRIVY_INCLUDE_SUCCESSES]
-   --help, -h                                     show help (default: false)
+Scan config files for misconfigurations
+
+Usage:
+  trivy config [flags] DIR
+
+Aliases:
+  config, conf
+
+Scan Flags
+      --skip-dirs string    specify the directories where the traversal is skipped
+      --skip-files string   specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
+
 ```
@@ -1,42 +1,80 @@
 # Filesystem
 
 ```bash
-NAME:
-   trivy filesystem - scan local filesystem for language-specific dependencies and config files
-
-USAGE:
-   trivy filesystem [command options] path
-
-OPTIONS:
-   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
-   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
-   --output value, -o value                       output file name [$TRIVY_OUTPUT]
-   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
-   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
-   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
-   --insecure                                     allow insecure server connections when using SSL (default: false) [$TRIVY_INSECURE]
-   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
-   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
-   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
-   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
-   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
-   --cache-ttl value                              cache TTL when using redis as cache backend (default: 0s) [$TRIVY_CACHE_TTL]
-   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
-   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
-   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
-   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
-   --db-repository value                          OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
-   --skip-files value                             specify the file paths to skip traversal                                        (accepts multiple inputs) [$TRIVY_SKIP_FILES]
-   --skip-dirs value                              specify the directories where the traversal is skipped                          (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
-   --config-policy value                          specify paths to the Rego policy files directory, applying config files         (accepts multiple inputs) [$TRIVY_CONFIG_POLICY]
-   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded  (accepts multiple inputs) [$TRIVY_CONFIG_DATA]
-   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users")                                              (accepts multiple inputs) [$TRIVY_POLICY_NAMESPACES]
-   --server value                                 server address [$TRIVY_SERVER]
-   --token value                                  for authentication in client/server mode [$TRIVY_TOKEN]
-   --token-header value                           specify a header name for token in client/server mode (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
-   --custom-headers value                         custom headers in client/server mode  (accepts multiple inputs) [$TRIVY_CUSTOM_HEADERS]
-   --help, -h                                     show help (default: false)
+Scan local filesystem
+
+Usage:
+  trivy filesystem [flags] PATH
+
+Aliases:
+  filesystem, fs
+
+Examples:
+  # Scan a local project including language-specific files
+  $ trivy fs /path/to/your_project
+
+  # Scan a single file
+  $ trivy fs ./trivy-ci-test/Pipfile.lock
+
+Scan Flags
+      --offline-scan             do not issue API requests to identify dependencies
+      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --skip-dirs string         specify the directories where the traversal is skipped
+      --skip-files string        specify the file paths to skip traversal
+
+Report Flags
+      --dependency-tree        show dependency origin tree (EXPERIMENTAL)
+      --exit-code int          specify exit code when any security issues are found
+  -f, --format string          format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github) (default "table")
+      --ignore-policy string   specify the Rego file path to evaluate each vulnerability
+      --ignorefile string      specify .trivyignore file (default ".trivyignore")
+      --list-all-pkgs          enabling the option will output all packages regardless of vulnerability
+  -o, --output string          output file name
+  -s, --severity string        severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+  -t, --template string        output template
+
+Cache Flags
+      --cache-backend string   cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration     cache TTL when using redis as cache backend
+      --clear-cache            clear image caches without scanning
+      --redis-ca string        redis ca file location, if using redis as cache backend
+      --redis-cert string      redis certificate file location, if using redis as cache backend
+      --redis-key string       redis key file location, if using redis as cache backend
+
+DB Flags
+      --db-repository string   OCI repository to retrieve trivy-db from" (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only       download/update vulnerability database but don't run a scan
+      --no-progress            suppress progress bar
+      --reset                  remove all caches and database
+      --skip-db-update         skip updating vulnerability database
+
+Vulnerability Flags
+      --ignore-unfixed     display only fixed vulnerabilities
+      --vuln-type string   comma-separated list of vulnerability types (os,library) (default "os,library")
+
+Misconfiguration Flags
+      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings       specify paths to the Rego policy files directory, applying config files
+      --file-patterns strings       specify config file patterns, available with '--security-checks config'
+      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --policy-namespaces strings   Rego namespaces
+      --trace                       enable more verbose trace output for custom queries
+
+Secret Flags
+      --secret-config string   specify a path to config file for secret scanning (default "trivy-secret.yaml")
+
+Client/Server Flags
+      --custom-headers strings   custom headers in client mode
+      --server string            server address in client mode
+      --token string             for authentication in client/server mode
+      --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")
+
+Global Flags:
+      --cache-dir string   cache directory (default "/Users/teppei/Library/Caches/trivy")
+  -c, --config string      config path (default "trivy.yaml")
+  -d, --debug              debug mode
+      --insecure           allow insecure server connections when using TLS
+  -q, --quiet              suppress progress bar and log output
+      --timeout duration   timeout (default 5m0s)
+  -v, --version            show version
 ```