refactor: rename security-checks to scanners (#3467)

README.md

@@ -54,7 +54,7 @@ Trivy is integrated with many popular platforms and applications. The complete l
 ### General usage
 
 ```bash
-trivy <target> [--security-checks <scanner1,scanner2>] <subject>
+trivy <target> [--scanners <scanner1,scanner2>] <subject>
 ```
 
 Examples:
@@ -71,7 +71,7 @@ https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-a
 </details>
 
 ```bash
-trivy fs --security-checks vuln,secret,config myproject/
+trivy fs --scanners vuln,secret,config myproject/
 ```
 
 <details>

docs/docs/attestation/rekor.md

@@ -21,7 +21,7 @@ You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attesta
 $ trivy image --sbom-sources rekor otms61/alpine:3.7.3                                                                            [~/src/github.com/aquasecurity/trivy]
 2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
 2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
-2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
 2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
 2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
 2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
@@ -105,7 +105,7 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 Also, it is applied to non-packaged binaries even in container images.
 
 ```bash
-$ trivy image --sbom-sources rekor --security-checks vuln alpine-with-bat
+$ trivy image --sbom-sources rekor --scanners vuln alpine-with-bat
 2022-10-25T13:40:14.920+0300    INFO    Vulnerability scanning is enabled
 2022-10-25T13:40:18.047+0300    INFO    Found SBOM attestation in Rekor: bat
 2022-10-25T13:40:18.186+0300    INFO    Detected OS: alpine

docs/docs/kubernetes/cli/scanning.md

@@ -27,12 +27,12 @@ Filter by severity:
 $ trivy k8s --severity=CRITICAL --report=all cluster
 ```
 
-Filter by security check (Vulnerabilities, Secrets or Misconfigurations):
+Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
 
 ```
-$ trivy k8s --security-checks=secret --report=summary cluster
+$ trivy k8s --scanners=secret --report=summary cluster
 # or
-$ trivy k8s --security-checks=config --report=summary cluster
+$ trivy k8s --scanners=config --report=summary cluster
 ```
 
 Scan a specific namespace:
@@ -263,16 +263,16 @@ Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
 The infra checks are based on CIS Benchmarks recommendations for kubernetes.
 
 
-If you want filter only for the infra checks, you can use the flag `--components` along with the `--security-checks=config`
+If you want filter only for the infra checks, you can use the flag `--components` along with the `--scanners=config`
 
 ```
-$ trivy k8s cluster --report summary --components=infra --security-checks=config # scan only infra
+$ trivy k8s cluster --report summary --components=infra --scanners=config # scan only infra
 ```
 
 Or, to filter for all other checks besides the infra checks, you can:
 
 ```
-$ trivy k8s cluster --report summary --components=workload --security-checks=config # scan all components besides infra
+$ trivy k8s cluster --report summary --components=workload --scanners=config # scan all components besides infra
 ```
 
 

docs/docs/licenses/scanning.md

@@ -47,10 +47,10 @@ License checking classifies the identified licenses and map the classification t
 This section shows how to scan license in container image and filesystem.
 
 ### Standard scanning
-Specify an image name with `--security-checks license`.
+Specify an image name with `--scanners license`.
 
 ``` shell
-$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
 2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled
 
 OS Packages (license)
@@ -78,7 +78,7 @@ Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
 Specify `--license-full`
 
 ``` shell
-$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
+$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
 2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled
 
 OS Packages (license)
@@ -141,7 +141,7 @@ Trivy has number of configuration flags for use with license scanning;
 Trivy license scanning can ignore licenses that are identified to explicitly remove them from the results using the `--ignored-licenses` flag;
 
 ```shell
-$ trivy image --security-checks license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
+$ trivy image --scanners license --ignored-licenses MPL-2.0,MIT --severity LOW grafana/grafana:latest
 2022-07-13T18:15:28.605Z        INFO    License scanning is enabled
 
 OS Packages (license)

docs/docs/misconfiguration/scanning.md

@@ -37,28 +37,28 @@ $ trivy config [YOUR_IaC_DIRECTORY]
     ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ```
 
-You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--security-checks config`.
+You can also enable misconfiguration detection in container image, filesystem and git repository scanning via `--scanners config`.
 
 ```bash
-$ trivy image --security-checks config IMAGE_NAME
+$ trivy image --scanners config IMAGE_NAME
 ```
 
 ```bash
-$ trivy fs --security-checks config /path/to/dir
+$ trivy fs --scanners config /path/to/dir
 ```
 
 !!! note
     Misconfiguration detection is not enabled by default in `image`, `fs` and `repo` subcommands.
 
 Unlike the `config` subcommand, `image`, `fs` and `repo` subcommands can also scan for vulnerabilities and secrets at the same time. 
-You can specify `--security-checks vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
+You can specify `--scanners vuln,config,secret` to enable vulnerability and secret detection as well as misconfiguration detection.
 
 
 !!! example
     ``` bash
     $ ls myapp/
     Dockerfile Pipfile.lock
-    $ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
+    $ trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL myapp/
     2022-05-16T13:42:21.440+0100	INFO	Number of language-specific files: 1
     2022-05-16T13:42:21.440+0100	INFO	Detecting pipenv vulnerabilities...
     2022-05-16T13:42:21.440+0100	INFO	Detected config files: 1

docs/docs/references/cli/client.md

@@ -9,7 +9,7 @@ Aliases:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -47,8 +47,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/config.md

@@ -32,8 +32,8 @@ Cache Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/fs.md

@@ -18,7 +18,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -55,8 +55,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/image.md

@@ -33,7 +33,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -73,8 +73,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/repo.md

@@ -15,7 +15,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 
@@ -52,8 +52,8 @@ Vulnerability Flags
 Misconfiguration Flags
       --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --file-patterns strings       specify config file patterns, available with '--security-checks config'
-      --include-non-failures        include successes and exceptions, available with '--security-checks config'
+      --file-patterns strings       specify config file patterns, available with '--scanners config'
+      --include-non-failures        include successes and exceptions, available with '--scanners config'
       --policy-namespaces strings   Rego namespaces
       --trace                       enable more verbose trace output for custom queries
 

docs/docs/references/cli/rootfs.md

@@ -21,7 +21,7 @@ Scan Flags
       --offline-scan              do not issue API requests to identify dependencies
       --rekor-url string          [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --sbom-sources strings      [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)
-      --security-checks strings   comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
+      --scanners strings          comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --skip-dirs strings         specify the directories where the traversal is skipped
       --skip-files strings        specify the file paths to skip traversal
 
@@ -60,7 +60,7 @@ Misconfiguration Flags
       --helm-set-file strings     specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings   specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-values strings       specify paths to override the Helm values.yaml files
-      --include-non-failures      include successes and exceptions, available with '--security-checks config'
+      --include-non-failures      include successes and exceptions, available with '--scanners config'
       --tf-vars strings           specify paths to override the Terraform tfvars files
 
 Secret Flags

docs/docs/references/cli/sbom.md

@@ -19,7 +19,7 @@ Examples:
 
 Scan Flags
       --offline-scan             do not issue API requests to identify dependencies
-      --security-checks string   comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
+      --scanners string          comma-separated list of what security issues to detect (vuln,config,secret) (default "vuln,secret")
       --skip-dirs strings        specify the directories where the traversal is skipped
       --skip-files strings       specify the file paths to skip traversal
 

docs/docs/references/customization/config-file.md

@@ -102,9 +102,9 @@ scan:
   # Default is false
   offline-scan: false
 
-  # Same as '--security-checks'
+  # Same as '--scanners'
   # Default depends on subcommand
-  security-checks:
+  scanners:
     - vuln
     - config
     - secret

docs/docs/sbom/cyclonedx.md

@@ -15,7 +15,7 @@ By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabili
 
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
-2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```
 
 <details>
@@ -239,10 +239,10 @@ $ cat result.json | jq .
 
 </details>
 
-If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+If you want to include vulnerabilities, you can enable vulnerability scanning via `--scanners vuln`.
 
 ```
-$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+$ trivy image --scanners vuln --format cyclonedx --output result.json alpine:3.15
 ```
 
 ## Scanning

docs/docs/secret/examples.md

@@ -48,10 +48,10 @@ aws-account-id
 ```
 
 ## Disable secret scanning
-If you need vulnerability scanning only, you can disable secret scanning via the `--security-checks` flag.
+If you need vulnerability scanning only, you can disable secret scanning via the `--scanners` flag.
 
 ``` shell
-$ trivy image --security-checks vuln alpine:3.15
+$ trivy image --scanners vuln alpine:3.15
 ```
 
 ## With configuration file

docs/docs/secret/scanning.md

@@ -106,10 +106,10 @@ All rules are disabled except for the ones you specify, so it runs very fast.
 On the other hand, you should use `disable-rules` if you just want to disable some built-in rules.
 See the [enable-rules][enable-rules] and [disable-rules][disable-rules] sections for the detail.
 
-If you don't need secret scanning, you can disable it via the `--security-checks` flag.
+If you don't need secret scanning, you can disable it via the `--scanners` flag.
 
 ```shell
-$ trivy image --security-checks vuln alpine:3.15
+$ trivy image --scanners vuln alpine:3.15
 ```
 
 

docs/docs/vm/aws.md

@@ -19,11 +19,11 @@ $ trivy vm ami:${your_ami_id}
 ### Example
 
 ```shell
-$ trivy vm --security-checks vuln ami:ami-0123456789abcdefg
+$ trivy vm --scanners vuln ami:ami-0123456789abcdefg
 ```
 
 !!! tip
-    The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+    The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
 
 If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option.
 
@@ -52,11 +52,11 @@ $ trivy vm ebs:${your_ebs_snapshot_id}
 
 ### Example
 ```shell
-$ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg
+$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg
 ```
 
 !!! tip
-The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
+The scanning could be faster if you enable only vulnerability scanning (`--scanners vuln`) because Trivy tries to download only necessary blocks for vulnerability detection.
 
 If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option.
 

docs/docs/vm/index.md

@@ -16,7 +16,7 @@ To scan VM images, you can use the `vm` subcommand.
 Pass the path to your local VM image file.
 
 ```bash
-$ trivy vm --security-checks vuln disk.vmdk
+$ trivy vm --scanners vuln disk.vmdk
 ```
 
 <details>

docs/docs/vulnerability/distributions.md

@@ -40,7 +40,7 @@ The following table provides an outline of the features Trivy offers.
     33.25 MiB / 33.25 MiB [------------------------------] 100.00% 4.20 MiB p/s 8.1s
     2022-07-27T09:30:21.756Z	INFO	Vulnerability scanning is enabled
     2022-07-27T09:30:21.756Z	INFO	Secret scanning is enabled
-    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+    2022-07-27T09:30:21.756Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
     2022-07-27T09:30:21.756Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection
     2022-07-27T09:30:22.205Z	INFO	Detected OS: cbl-mariner
     2022-07-27T09:30:22.205Z	INFO	Detecting CBL-Mariner vulnerabilities...