v0.72.0 #10907
APT repository publishes .deb packages only to the generic distribution

Starting with v0.72.0, the official Trivy APT repository publishes new releases only to the `generic` distribution. Per-codename distributions (`jammy`, `noble`, `bookworm`, `focal`, …) are no longer updated.

If your `/etc/apt/sources.list.d/trivy.list` points at a specific codename, switch it to `generic` to keep receiving updates. Nothing breaks immediately, but such setups stay frozen at v0.71.2. See #10819 for details.
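The migration check above, as an added example (not Trivy's own code): a Python script that reports which distribution the Trivy entry uses and rewrites it to `generic`. It assumes the one-line `deb ...` format from the Trivy install instructions, recognises the Trivy entry by the `trivy-repo/deb` path in its URI, and works on a constructed sample file; the repository URL and keyring path in that sample are assumptions.

```python
import re
import sys

# Constructed sample of /etc/apt/sources.list.d/trivy.list still pinned to a codename.
# The repository URL and keyring path are assumptions made for this example.
SAMPLE_LIST = (
    "# Trivy\n"
    "deb [signed-by=/usr/share/keyrings/trivy.gpg] "
    "https://aquasecurity.github.io/trivy-repo/deb jammy main\n"
)

# One-line format: "deb [options] <uri> <suite> <components...>".
# The Trivy entry is recognised by the "trivy-repo/deb" path in its URI (an assumption).
_TRIVY_DEB_LINE = re.compile(
    r"^(?P<prefix>deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?\S*trivy-repo/deb\s+)"
    r"(?P<suite>\S+)"
    r"(?P<rest>(?:\s+.*)?)$"
)


def trivy_suites(text):
    """Suites (distributions) used by every Trivy entry in the sources file."""
    suites = []
    for line in text.splitlines():
        m = _TRIVY_DEB_LINE.match(line)
        if m:
            suites.append(m.group("suite"))
    return suites


def is_frozen(text):
    """True if any Trivy entry still points at a per-codename distribution."""
    return any(s != "generic" for s in trivy_suites(text))


def switch_to_generic(text):
    """Rewrite every Trivy entry to the 'generic' suite; leave all other lines untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        m = _TRIVY_DEB_LINE.match(body)
        if m and m.group("suite") != "generic":
            body = f"{m.group('prefix')}generic{m.group('rest')}"
        out.append(body + newline)
    return "".join(out)


if __name__ == "__main__":
    # Usage: python fix_trivy_apt.py [/etc/apt/sources.list.d/trivy.list]
    # Without an argument the constructed sample is rewritten and printed.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            content = fh.read()
        if is_frozen(content):
            with open(path, "w") as fh:
                fh.write(switch_to_generic(content))
            print(f"rewrote {path}; run 'apt-get update' next")
        else:
            print(f"{path} already uses the generic distribution")
    else:
        print(switch_to_generic(SAMPLE_LIST), end="")
```

Run it with the real path as root on a machine that installed Trivy via APT; after the rewrite, `apt-get update && apt-get install trivy` picks up releases newer than v0.71.2 again.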
Container images no longer publish architecture-specific tags
Starting with v0.72.0, Trivy container images no longer publish architecture-specific tags (e.g. `0.71.0-amd64`, `latest-arm64`) across `docker.io/aquasec/trivy`, `ghcr.io/aquasecurity/trivy`, and `public.ecr.aws/aquasecurity/trivy`. The release pipeline now builds and pushes the multi-arch manifest list directly via `docker buildx`, without separate per-arch tags.

If you use the plain tag (e.g. `aquasec/trivy:0.71.0`), nothing changes. If you pin a suffixed tag, switch to the plain tag, or resolve the digest with `docker buildx imagetools inspect` and pull by digest. Nothing breaks immediately, but suffixed tags stay frozen at v0.71.0. See #10824 for details.
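An added example, not part of the release or the Trivy project, showing both migration paths: mapping a frozen suffixed tag to the plain tag, and building a digest-pinned reference from the output of `docker buildx imagetools inspect`. The inspect output below is a constructed sample in the shape that command prints, with made-up digests; the `_SUFFIXED_TAG` and `TRIVY_REPOS` names are this example's own.

```python
import re

# Trivy image repositories the release note lists (plus the Docker Hub short form).
TRIVY_REPOS = {
    "aquasec/trivy",
    "docker.io/aquasec/trivy",
    "ghcr.io/aquasecurity/trivy",
    "public.ecr.aws/aquasecurity/trivy",
}

# Suffixed tag: <repo>:<tag>-<arch>. Only the suffixes named in the note are handled.
_SUFFIXED_TAG = re.compile(r"^(?P<repo>[^@\s]+?):(?P<tag>[^@\s:]+?)-(?P<arch>amd64|arm64)$")


def strip_arch_suffix(ref):
    """Map a frozen per-arch tag to the plain (multi-arch) tag; other references are returned as-is."""
    m = _SUFFIXED_TAG.match(ref)
    if not m or m.group("repo") not in TRIVY_REPOS:
        return ref
    return f"{m.group('repo')}:{m.group('tag')}"


# Constructed output in the shape of `docker buildx imagetools inspect aquasec/trivy:0.72.0`.
# Every digest below is a made-up placeholder, not a real Trivy digest.
SAMPLE_INSPECT = """\
Name:      docker.io/aquasec/trivy:0.72.0
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Manifests:
  Name:        docker.io/aquasec/trivy:0.72.0@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/amd64

  Name:        docker.io/aquasec/trivy:0.72.0@sha256:1111111111111111111111111111111111111111111111111111111111111111
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/arm64
"""


def _split_tag(ref):
    """Return (repository, tag) for a reference without a digest; a registry port is not mistaken for a tag."""
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    if sep and "/" not in tail:
        return head, tail
    return ref, None


def digest_reference(inspect_output):
    """Pin by the manifest-list digest: '<repo>@sha256:...' built from the top-level Name/Digest.
    Only unindented fields are read; the indented per-platform manifests are skipped."""
    name = digest = None
    for line in inspect_output.splitlines():
        if line.startswith("Name:") and name is None:
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Digest:") and digest is None:
            digest = line.split(":", 1)[1].strip()
    if not name or not digest or not digest.startswith("sha256:"):
        raise ValueError("no top-level Name/Digest pair in inspect output")
    repo, _tag = _split_tag(name)
    return f"{repo}@{digest}"


def platforms(inspect_output):
    """Platforms the manifest list covers, in the order listed."""
    return [line.split(":", 1)[1].strip()
            for line in inspect_output.splitlines()
            if line.strip().startswith("Platform:")]


if __name__ == "__main__":
    print(strip_arch_suffix("aquasec/trivy:0.71.0-amd64"))
    print(digest_reference(SAMPLE_INSPECT), platforms(SAMPLE_INSPECT))
```

Pinning the index digest rather than a per-platform manifest digest keeps one reference valid on every architecture the list covers; the container runtime selects the matching platform manifest at pull time.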
🚀 What's new? 🚀
Vulnerability detection for Bottlerocket OS
Trivy can now detect vulnerabilities in Bottlerocket OS.
It matches the package versions recorded in the Bottlerocket software inventory against the Bottlerocket security advisories.
Thanks to @0intro
Detect bundled runtime in self-contained .NET deployments
Trivy now detects the .NET runtime bundled into self-contained deployments (`dotnet publish --self-contained`). Previously the runtime packed into the app's own `*.deps.json` (a `runtimepack` library) was dropped, so vulnerabilities in `Microsoft.NETCore.App` / `Microsoft.AspNetCore.App` were never matched.

Self-contained apps are now consistent with framework-dependent apps: their runtime is reported (e.g. `Microsoft.NETCore.App.Runtime.linux-x64`) and runtime CVEs are detected. Thanks to @jetersen
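To make the `runtimepack` distinction concrete, here is an added example (not Trivy code) that inventories a constructed `*.deps.json` from a self-contained publish. The `runtimepack.` key prefix and `"type": "runtimepack"` library type follow what the .NET SDK writes for such builds; the version numbers, the hash value and the `inventory`/`bundled_runtimes` helpers are this example's own.

```python
import json

# Constructed *.deps.json of a self-contained publish (dotnet publish --self-contained).
# Versions and the sha512 value are illustrative, not taken from a real build.
SAMPLE_DEPS_JSON = """\
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v8.0/linux-x64", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v8.0/linux-x64": {
      "myapp/1.0.0": {
        "dependencies": { "Newtonsoft.Json": "13.0.3" },
        "runtime": { "myapp.dll": {} }
      },
      "Newtonsoft.Json/13.0.3": {
        "runtime": { "lib/net6.0/Newtonsoft.Json.dll": {} }
      },
      "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.4": {
        "runtime": { "System.Private.CoreLib.dll": {} },
        "native": { "libcoreclr.so": {} }
      }
    }
  },
  "libraries": {
    "myapp/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true, "sha512": "sha512-constructed" },
    "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.4": { "type": "runtimepack", "serviceable": false, "sha512": "" }
  }
}
"""

RUNTIMEPACK_PREFIX = "runtimepack."


def inventory(deps_json_text):
    """Every library from the 'libraries' map as {name, version, type}.
    Runtime packs are kept (the pre-0.72 behaviour was to drop them), with the 'runtimepack.'
    key prefix removed so the entry reads Microsoft.NETCore.App.Runtime.<rid>.
    Skipping the app's own 'project' entry is this example's choice."""
    doc = json.loads(deps_json_text)
    entries = []
    for key, lib in doc.get("libraries", {}).items():
        name, _, version = key.partition("/")
        kind = lib.get("type", "package")
        if kind == "project":
            continue
        if kind == "runtimepack" and name.startswith(RUNTIMEPACK_PREFIX):
            name = name[len(RUNTIMEPACK_PREFIX):]
        entries.append({"name": name, "version": version, "type": kind})
    return entries


def bundled_runtimes(deps_json_text):
    """(name, version) of each bundled runtime pack; empty for a framework-dependent app."""
    return [(e["name"], e["version"])
            for e in inventory(deps_json_text) if e["type"] == "runtimepack"]


def is_self_contained(deps_json_text):
    """A deps.json that carries a runtime pack came from a self-contained publish."""
    return bool(bundled_runtimes(deps_json_text))


if __name__ == "__main__":
    for e in inventory(SAMPLE_DEPS_JSON):
        print(f"{e['type']:<11} {e['name']} {e['version']}")
```

The runtime pack entry is what carries the version that must be matched against `Microsoft.NETCore.App` advisories; a framework-dependent app has no such entry in its deps.json, which is why the two deployment styles used to be reported differently.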
License detection for JAR packages
Trivy now detects licenses for JAR packages from two sources, in this order:
1. The `<licenses>` block of the embedded `META-INF/maven/<groupId>/<artifactId>/pom.xml`. Works for thin, uber/shaded and nested (war, Spring Boot) jars.
2. `LICENSE`, `LICENCE` or `COPYRIGHT` files (including variants like `LICENSE.txt`) at the JAR root or under `META-INF/`.

Coverage is limited: many JARs declare a license only in a parent POM (not expanded in the embedded pom.xml) or ship no Maven descriptor at all.
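The two-source lookup and its limits, as an added example (not Trivy's implementation): it builds small jars in memory, reads the `<licenses>` block from the embedded pom.xml, falls back to license files, recurses into nested jars, and shows a parent-only POM yielding nothing. All fixtures are constructed; `classify_license_file` is a tiny keyword stand-in for real license-text matching, and treating the two sources as a strict fallback is this example's reading of "in this order".

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Source 1: the Maven descriptor embedded in the jar.
POM_PATH = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$")
# Source 2: license files at the root or under META-INF/ (LICENSE, LICENCE, COPYRIGHT, LICENSE.txt, ...).
LICENSE_FILE = re.compile(r"^(?:META-INF/)?(?:LICENSE|LICENCE|COPYRIGHT)(?:\.[A-Za-z0-9]+)?$", re.IGNORECASE)
# Nested archives (WEB-INF/lib, BOOT-INF/lib) are scanned as packages of their own.
NESTED_ARCHIVE = re.compile(r"\.(?:jar|war)$", re.IGNORECASE)

# Stand-in for real license-text classification: a few phrases mapped to SPDX ids.
LICENSE_PHRASES = [
    ("apache license", "Apache-2.0"),
    ("mit license", "MIT"),
    ("gnu general public license", "GPL"),
]


def licenses_from_pom(pom_xml):
    """License names declared in <licenses><license><name>. POMs usually carry the
    http://maven.apache.org/POM/4.0.0 namespace; the {*} wildcard (Python 3.8+) matches with or without it.
    A license inherited from a <parent> is not visible here, which is the coverage limit the note describes."""
    root = ET.fromstring(pom_xml)
    return [n.text.strip() for n in root.iterfind("./{*}licenses/{*}license/{*}name")
            if n.text and n.text.strip()]


def classify_license_file(text):
    lowered = text.lower()
    for phrase, spdx in LICENSE_PHRASES:
        if phrase in lowered:
            return spdx
    return "UNKNOWN"


def scan_jar(jar_bytes, label="root.jar", _depth=0):
    """{archive label: [licenses]} for the jar and every nested jar/war.
    The pom's <licenses> block wins; license files are consulted only when it yields nothing."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        found = [lic for n in names if POM_PATH.match(n) for lic in licenses_from_pom(zf.read(n))]
        if not found:
            found = [classify_license_file(zf.read(n).decode("utf-8", "replace"))
                     for n in names if LICENSE_FILE.match(n)]
        result[label] = found
        if _depth < 3:  # bound recursion for hostile archives nesting archives
            for n in names:
                if NESTED_ARCHIVE.search(n):
                    result.update(scan_jar(zf.read(n), f"{label}!{n}", _depth + 1))
    return result


def build_jar(entries):
    """Constructed test fixture: an in-memory zip with the given {path: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: a thin jar with both sources (pom wins), a jar with only a license file,
# a jar whose pom only inherits from a parent, and a Spring Boot style jar nesting the thin jar.
POM_WITH_LICENSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>lib</artifactId><version>1.0</version>
  <licenses><license><name>Apache License, Version 2.0</name></license></licenses>
</project>"""
POM_PARENT_ONLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.example</groupId><artifactId>parent</artifactId><version>1.0</version></parent>
  <artifactId>child</artifactId>
</project>"""
THIN_JAR = build_jar({"META-INF/maven/com.example/lib/pom.xml": POM_WITH_LICENSE, "LICENSE.txt": b"MIT License\n"})
FILE_ONLY_JAR = build_jar({"META-INF/LICENSE.txt": b"Apache License\nVersion 2.0, January 2004\n"})
PARENT_ONLY_JAR = build_jar({"META-INF/maven/com.example/child/pom.xml": POM_PARENT_ONLY})
BOOT_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "BOOT-INF/lib/lib-1.0.jar": THIN_JAR})

if __name__ == "__main__":
    for fixture, name in [(THIN_JAR, "lib-1.0.jar"), (FILE_ONLY_JAR, "x.jar"),
                          (PARENT_ONLY_JAR, "child.jar"), (BOOT_JAR, "app.jar")]:
        print(scan_jar(fixture, name))
```

The parent-only fixture is the case the note flags: the embedded pom.xml names a `<parent>` but no `<licenses>`, and the parent POM is not inside the jar, so nothing can be read without resolving it from a repository.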
GitHub App token rule updated for new stateless token format
GitHub is rolling out a new stateless format for `ghs_` GitHub App installation tokens, replacing the old fixed-length `ghs_<36 chars>` token with a longer one that embeds a JWT (`ghs_<APPID>_<JWT>`); see https://github.blog/changelog/2026-04-24-notice-about-upcoming-new-format-for-github-app-installation-tokens/.

The `github-app-token` secret-scanning rule now detects both the old and the new token format.

New secret-scanning rules for OpenAI API keys
Trivy now detects OpenAI API keys via new built-in secret-scanning rules:
- `sk-proj-...`
- `sk-svcacct-...`
- `sk-admin-...`
- `sk-...`
- `sk-service-<name>-...`
- `ek_<32 hex>`

CloudFront check now supports v2 logging
The CloudFront access logging check `AWS-0010` now also recognizes standard logging v2 (CloudWatch vended logs delivery), in addition to the existing legacy (v1) logging support. Thanks to @Aakarsh133
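Detection logic covering both secret-scanning items above (the `github-app-token` rule and the OpenAI key rules), as an added example that is not Trivy's rule set. The regexes are written from the formats the notes describe: both `ghs_` shapes, the listed `sk-` prefixes and `ek_<32 hex>`. The key-body lengths for the `sk-` variants are an assumption, and every token in the sample log is made up.

```python
import re

# Patterns written from the formats the release note describes; they are this example's own,
# not Trivy's rule definitions. Lookarounds stop a match from starting or ending inside a longer token.
GITHUB_APP_TOKEN = re.compile(
    r"(?<![A-Za-z0-9_-])ghs_(?:"
    r"[A-Za-z0-9]{36}"                                        # legacy: ghs_ + 36 chars
    r"|\d+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"    # stateless: ghs_<APPID>_<JWT>
    r")(?![A-Za-z0-9_-])"
)

# Body length of 20+ for the sk- variants is an assumption; the note gives only the prefixes.
OPENAI_API_KEY = re.compile(
    r"(?<![A-Za-z0-9_-])(?:"
    r"sk-(?:(?P<variant>proj|svcacct|admin|service-[A-Za-z0-9]+)-)?[A-Za-z0-9_-]{20,}"
    r"|ek_[0-9a-f]{32}"
    r")(?![A-Za-z0-9_-])"
)

RULES = [("github-app-token", GITHUB_APP_TOKEN), ("openai-api-key", OPENAI_API_KEY)]

# Constructed lines; every token below is made up and has never been valid.
SAMPLE_LOG = """\
export GITHUB_TOKEN=ghs_abcdefghijklmnopqrstuvwxyz0123456789
Authorization: token ghs_123456_eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiIxMjM0NTYifQ.c2lnbmF0dXJl
OPENAI_API_KEY=sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd
OPENAI_SVC_KEY=sk-svcacct-ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxw
OPENAI_ADMIN_KEY=sk-admin-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTt
OPENAI_SERVICE_KEY=sk-service-ci-0123456789abcdefghijklmnopqrstuvwxyz
OPENAI_LEGACY_KEY=sk-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH
OPENAI_EK=ek_0123456789abcdef0123456789abcdef
TASK=task-list-0123456789abcdefghijklmnopqrstuvwxyz
"""


def _variant(rule_id, m):
    token = m.group(0)
    if rule_id == "github-app-token":
        return "jwt" if "." in token else "legacy"
    if token.startswith("ek_"):
        return "ek"
    return m.group("variant") or "plain"


def scan(text):
    """Findings as {line, rule, variant, match}, in order of appearance."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        per_line = []
        for rule_id, pattern in RULES:
            for m in pattern.finditer(line):
                per_line.append((m.start(), {"line": lineno, "rule": rule_id,
                                             "variant": _variant(rule_id, m), "match": m.group(0)}))
        findings.extend(f for _, f in sorted(per_line, key=lambda t: t[0]))
    return findings


def redact(text):
    """Keep the identifying 8-char prefix and mask the rest, so a log can be shared without the secret."""
    for _rule, pattern in RULES:
        text = pattern.sub(lambda m: m.group(0)[:8] + "*" * (len(m.group(0)) - 8), text)
    return text


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} ({f['variant']}) {f['match'][:12]}...")
    print(redact(SAMPLE_LOG))
```

The last sample line (`task-list-...`) is there to show why the lookbehind matters: `sk-` occurs inside it, but preceded by a letter, so it is not reported.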
🏎️ Performance 🏎️
👷♂️ Notable Fixes 🛠️