Prepare for v0.68.0

[DmitriyLewen]

Draft to collaborate on v0.68.0

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🗄️ Concurrent Vulnerability DB Access ⚡
  • 🧩 Report Metadata Enhancements 📊
  • 🐳 Docker Archive RepoTags Support 🏷️
  • 🧩 Change Artifact Type for Git Repositories 📁
  • 🧬 Vulnerability Fingerprint Generation 🆔
  • 🌳 Dependency tree for .NET *.deps.json files 📦
  • ⚙️ Remote repositories from settings.xml files 🫙
  • 📜 Separate SPDX IDs can be use in ignore SPDX expression 🪪
  • 🏴 New --cacert flag ⛔
  • 🪪 SPDX Attestation Support Added 🧷
  • 🧾 SBOM files wrapped in a Sigstore bundle support 🔐
  • ⚠️ Limit Rego Compile Errors 🧯
  • 🧩 More accurate YAML snippets in diagnostics ✅
• 🏎️ Performance 🏎️
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🗄️ Concurrent Vulnerability DB Access ⚡

Trivy’s vulnerability database is now opened in read-only mode, allowing multiple Trivy processes to access the same database concurrently without running into lock timeouts. This is especially useful when running parallel scans or using Trivy in multi-process environments.

When using in-memory caching (e.g., fs, rootfs, config, sbom) or Redis caching, scans can run entirely in parallel without contention.

When using the filesystem cache (e.g, image, repo), cache files still involve write operations, so file locks may occur. Parallelism is therefore limited by cache writes, not the vulnerability database.

Summary

• In-memory or Redis cache: no cache write locks → fully parallel scanning
• Filesystem cache: cache writes can lock → limited parallelism
• Vulnerability DB: always opened read-only → no DB lock errors

Usage

# Run filesystem scans in parallel without DB lock errors
trivy fs /app1 &
trivy fs /app2 &
wait

🧩 Report Metadata Enhancements 📊

This release introduces new fields to the Trivy report format, improving traceability, consistency, and clarity across scan outputs.

Summary of Changes

• Added ReportID — Introduces a UUID (v7) that uniquely identifies each individual scan report, enabling correlation across
• Added ArtifactID — Provides a consistent, unique identifier for the scanned artifact (e.g., image, repository, or filesystem).
  systems.
• Added Metadata.Reference — Captures the exact image reference used during the scan (e.g., alpine:3.20), offering clearer context without ambiguity.

Together, these additions make it easier to track scan origins, correlate results in external systems, and ensure reports remain uniquely identifiable — even when multiple scans target the same artifact.

Example Output

{
  "SchemaVersion": 2,
  "ReportID": "278d4718-2366-46d0-8525-fc288c4eb5f9",
  "ArtifactID": "sha256:055936d39205...",
  "ArtifactName": "debian:11",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:e7b300aee9f9b...",
    "Reference": "debian:11",
    "RepoTags": ["debian:latest", "debian:11"]
  }
}

Usage

These fields are automatically included in JSON and table outputs.
No user action is required to enable them.

🐳 Docker Archive RepoTags Support 🏷️

Trivy now preserves image repository tags when scanning Docker archives (.tar files).
This enhancement applies automatically when scanning Docker archives created via:

• docker save
• skopeo copy docker://... docker-archive:...
• etc.

Before

$ docker save alpine:3.19 -o alpine.tar
$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'
{
  "RepoTags": null,
  "RepoDigests": null,
  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"
}

After

$ docker save alpine:3.19 -o alpine.tar
$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'
{
  "RepoTags": [
    "alpine:3.19"
  ],
  "RepoDigests": null,
  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"
}

🧩 Change Artifact Type for Git Repositories 📁

When scanning a directory using trivy fs, Trivy now automatically sets the artifact type to repository if the target is a Git repository. This behavior is automatic — no configuration needed.

Summary of Changes

• Detects Git metadata (commit, branch, tags, etc.) in the target directory.
• Automatically switches ArtifactType from filesystem → repository when Git information is found.
• Non-Git directories remain filesystem.

Example

Before

{
  "ArtifactType": "filesystem",
  "Metadata": {
    "RepoURL": "https://github.com/aquasecurity/trivy-test-repo/",
    "Branch": "main",
    "Tags": ["v0.0.1"],
    "Commit": "8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35",
    "CommitMsg": "Update README.md",
    "Author": "Teppei Fukuda <[email protected]>",
    "Committer": "GitHub <[email protected]>"
  }
}

After

{
  "ArtifactType": "repository",
  "Metadata": {
    "RepoURL": "https://github.com/aquasecurity/trivy-test-repo/",
    "Branch": "main",
    "Tags": ["v0.0.1"],
    "Commit": "8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35",
    "CommitMsg": "Update README.md",
    "Author": "Teppei Fukuda <[email protected]>",
    "Committer": "GitHub <[email protected]>"
  }
}

🧬 Vulnerability Fingerprint Generation 🆔

Trivy now generates unique fingerprints for each detected vulnerability, enabling consistent tracking across multiple scans.

Each fingerprint is a deterministic SHA256 digest derived from:

• Artifact ID
• Target path
• Package ID (with version)
• Vulnerability ID

The resulting value uses the sha256: prefix, consistent with Docker/OCI digest notation.

Example

"Fingerprint": "sha256:c2f054e07c516fabf395ddc7b362fbe43597bc2e1d80ac46d6043a0e67968efb"

🌳 Dependency tree for .NET *.deps.json files 📦

Trivy can now build a dependency tree for .NET *.deps.json files.
It also detects the project’s package (RootRelationship), as well as direct and indirect dependencies.

Thanks to @alexinslc

⚙️ Remote repositories from settings.xml files 🫙

Trivy now uses remote repositories from settings.xml files when scanning pom.xml files.

Thanks to @ricardo-kh

📜 Separate SPDX IDs can be use in ignore SPDX expression 🪪

It’s no longer necessary to specify each SPDX expression individually to ignore them.
You can specify all included SPDX IDs, and if Trivy finds all of them in an expression, it’ll ignore that license.

For example you can use --ignored-licenses LGPLv2+,MIT to ignore MIT AND GPL-2.0-or-later expression.

Thanks to @yutatokoi

🏴 New --cacert flag ⛔

Unfortunately, the SSL_CERT_FILE environment variable works only on Unix systems other than macOS.
That’s why we added the --cacert flag, which allows you to specify the path to a PEM-encoded CA certificate file on any OS.

🪪 SPDX Attestation Support Added 🧷

Trivy now supports reading SBOM attestations in SPDX 2.3 format — specifically when wrapped as a DSSE (in-toto) envelope. This expands the input formats for SBOM scanning.

Usage

When you have an SPDX SBOM wrapped in DSSE/in-toto format, simply run:

trivy sbom your_spdx_attestation.json

The scanner will correctly parse the SPDX structure, allowing vulnerability scanning of SPDX-based SBOMs.

🧾 SBOM files wrapped in a Sigstore bundle support 🔐

Trivy can now extract and analyze SBOM files wrapped in a Sigstore bundle, as introduced in Sigstore v3+.

Thanks to @RingoDev

⚠️ Limit Rego Compile Errors 🧯

Trivy can now limit the number of Rego compile errors during policy compilation. You can control this using the --rego-error-limit flag. If the number of errors exceeds the specified limit, Trivy will stop the scan. Setting --rego-error-limit 0 enforces strict checking and disallows any compile errors.

The default value is defined internally via CompileErrorLimit.

🧩 More accurate YAML snippets in diagnostics ✅

Trivy now captures the correct start line for map nodes in YAML manifests. Previously, snippets began at the first value and did not include the key, which could make diagnostics less clear.

Before:

4 [   name: hello-host-ports

After:

3 ┌ metadata:
4 └   name: hello-host-ports

🏎️ Performance 🏎️

👷‍♂️ Notable Fixes 🛠️

• bug(license): Trivy doesn't detect all SPDX license IDs #9491
• bug(pom): Trivy incorrect inherit versions and scope from multiple dependencyManagements places #9574
• Trivy incorrectly reports "UNLICENSED" software as "Unencumbered" #9581
• fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue #9688 Thanks to @derekhjray
• bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps #9660
• bug(pip): Trivy doesn’t trim the end-of-range suffix when using the --detection-priority comprehensive flag. #9609 Thanks to @raghur-orca
• bug(sbom): Trivy doens't keep buildInfo for rpm packages #9682
• bug: Trivy doesn’t use context in dependency parsers to stop the run. #9417
• fix: close all opened resources if an error occurs #9665 Thanks to @fabriziosestito
• bug(license): Trivy splits licenses that include the WITH separator when determining the category. #9379
• bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561
• fix(java): use true as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files #9751
• bug(vex): Trivy skips the rule if we check the same parent from different paths. #9757
• fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod #9837
• fix(misconf): handle unsupported experimental flags in Dockerfile #9769
• bug(misconf): Dockerfile scanner fails to parse HEALTHCHECK with --start-period flag #9836
• Dockerfile parser fails on instructions with unsupported experimental flags #9768
• bug(terraform): Trivy panics when an ignore marker value is unknown #9834
• fix(misconf): ensure boolean metadata values are correctly interpreted #9762

[sastorsl]

A gentle poke - is a new release in the making?

[DmitriyLewen]

We will try to release v0.68.0 this week.