v0.7.0

@knqyf263 knqyf263 released this 12 May 10:13
09442d6

New Feature

Support OCI Image Format

Trivy can now scan an image directory compliant with the "Open Container Image Layout Specification".

Buildah:

$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

Skopeo:

$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
$ trivy --input /path/to/alpine

[BREAKING] Override severity with vendor score if exists

Trivy previously displayed the severity from NVD, which is generic, but it is more accurate to use the severity from a vendor such as Red Hat and Debian. Now the vendor's severity is preferred over NVD's severity.

NOTE: If you filter vulnerabilities with the --severity option, the results may be different because v0.7.0 uses the vendor severity.
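
The effect of this change on a --severity filter, as an added example that is not Trivy's own code: the Finding type, the function names and the sample records are assumptions made for illustration. It shows which findings enter or leave a HIGH,CRITICAL filter once the vendor severity is preferred over NVD's.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is a hypothetical record, not Trivy's own type. Vendor is empty
// when the distribution has published no severity for the vulnerability.
type Finding struct {
	ID, NVD, Vendor string
}

// Constructed sample data; the IDs are placeholders, not real CVEs.
var sample = []Finding{
	{"EXAMPLE-0001", "HIGH", "LOW"},    // vendor rates it lower than NVD
	{"EXAMPLE-0002", "MEDIUM", "HIGH"}, // vendor rates it higher than NVD
	{"EXAMPLE-0003", "CRITICAL", ""},   // no vendor score: NVD is used
	{"EXAMPLE-0004", "HIGH", "HIGH"},   // both sources agree
}

// Effective returns the severity that is reported: the vendor's when
// preferVendor is set and a vendor score exists, otherwise NVD's.
func Effective(f Finding, preferVendor bool) string {
	if preferVendor && f.Vendor != "" {
		return f.Vendor
	}
	return f.NVD
}

// Filter mimics a comma-separated severity filter such as "HIGH,CRITICAL"
// and returns the IDs of the findings that pass it.
func Filter(fs []Finding, severities string, preferVendor bool) []string {
	want := map[string]bool{}
	for _, s := range strings.Split(severities, ",") {
		want[strings.ToUpper(strings.TrimSpace(s))] = true
	}
	var ids []string
	for _, f := range fs {
		if want[Effective(f, preferVendor)] {
			ids = append(ids, f.ID)
		}
	}
	return ids
}

func main() {
	fmt.Println("NVD only:        ", Filter(sample, "HIGH,CRITICAL", false))
	fmt.Println("vendor preferred:", Filter(sample, "HIGH,CRITICAL", true))
}
```

A pipeline gate that fails on HIGH,CRITICAL can therefore both drop findings and gain new ones after the upgrade, so compare the two result sets before relying on the old baseline.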

Bugs

rpc: fix output to use templates when in client/server mode. (#469)

Output templates didn't work in client/server mode.

fix: handle a scratch/busybox/DockerSlim image gracefully (#476)

Trivy can't detect vulnerabilities in OS packages for an image based on scratch/busybox because those images don't have a package manager such as yum or apt. It should still detect vulnerabilities in library dependencies from lock files such as package-lock.json, and this commit enables that.

Changelog

09442d6 chore(ci): move integration tests to GitHub Actions (#485)
415b99d feat: support OCI Image Format (#475)
35b038e chore(github): fix issue templates (#483)
34a95c1 contrib/gitlab.tpl: Add new id field (#468)
b282142 chore(docs): add triage.md (#473)
216a33b fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
ad0bb7c rpc: Fix output to use templates when in client server mode. (#469)
17b84f6 Override with Vendor score if exists (#433)
7629f7f docs: Update installation docs for pointing to Trivy Releases. (#463)

Docker images

  • docker pull docker.io/aquasec/trivy:0.7.0
  • docker pull docker.io/aquasec/trivy:latest