v0.61.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 📶 Optimize vulnerability scanning 👣
  • 🧩 Trivy Modules support native Go WASM 🔲
  • 👛 Support Kubernetes controller components 🧦
  • 🪖 Scanning Amazon AMIs for misconfigurations 🪼
• 🐟 Ecosystem Updates 🌳
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

📶 Optimize vulnerability scanning 👣

When scanning for vulnerabilities, Trivy no longer scans all files in the filesystem if the file paths of enabled analyzers are known.
For example, trivy image --pkg-types os --scanners vuln alpine will look for the relevant, well known pakage manager files directly.

See #8481 for more details.

🧩 Trivy Modules support native Go WASM 🔲

Trivy no longer relies on TinyGo for Trivy Modules, and instead migrated to the newly improved native WASM support in Go 1.24.
This makes the development experience of Trivy Modules much easier, and also remove challanges with TinyGo incompatibilities, such as JSON encoding.

For more info see here

👛 Support Kubernetes controller components 🧦

When scanning Kubernetes clusters, Trivy is now able to identify (in KBOM) and scan (for vulnerabilities) controller components.

$ trivy k8s --report summary --scanners vuln

Summary Report for minikube
Workload Assessment
┌────────────────────┬─────────────────────────────────────────────┬──────────────────────┐
│     Namespace      │                  Resource                   │   Vulnerabilities    │
│                    │                                             ├───┬────┬────┬────┬───┤
│                    │                                             │ C │ H  │ M  │ L  │ U │
├────────────────────┼─────────────────────────────────────────────┼───┼────┼────┼────┼───┤
│ local-path-storage │ Deployment/local-path-provisioner           │ 1 │    │ 14 │ 11 │ 2 │
│ ingress-nginx      │ Job/ingress-nginx-admission-create          │ 1 │ 2  │ 9  │    │ 2 │
│ ingress-nginx      │ Job/ingress-nginx-admission-patch           │ 1 │ 2  │ 9  │    │ 2 │
│ ingress-nginx      │ Deployment/ingress-nginx-controller         │   │ 11 │ 38 │ 7  │ 2 │
│ ingress-nginx      │ ControlPlaneComponents/k8s.io/ingress-nginx │ 1 │ 4  │ 1  │    │   │
└────────────────────┴─────────────────────────────────────────────┴───┴────┴────┴────┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

🪖Scanning Amazon AMIs for misconfigurations 🪼

Trivy now supports scanning for misconfigurations in AMI resources.

AVD-AWS-0344 (LOW): AWS AMI data source should specify owners to ensure AMIs come from trusted sources
═══════════════════════════════════════════════════════════════════════════════════════
AWS AMI data source should specify owners to avoid using unverified AMIs.
The owners field helps ensure you're using AMIs from known and trusted sources.


See https://avd.aquasec.com/misconfig/avd-aws-0344
───────────────────────────────────────────────────────────────────────────────────────
 bad.tf:6-12
───────────────────────────────────────────────────────────────────────────────────────
   6 ┌ data "aws_ami" "example_ami" {
   7 │   most_recent = true
   8 │   filter {
   9 │     name   = "name"
  10 │     values = ["my-custom-ami"] 
  11 │   }
  12 └ }
─────────

🐟 Ecosystem Updates 🌳

IDE Extensions

The Aqua Trivy extension for VSCode and Jetbrains have been updated:

• Uses recent version of Trivy
• Automatic installation and update of Trivy (VSCode only)
• Easier configuration of scanning through UI
• Showing issues in the built-in Problems pane
• Support for Aqua Platform
• Various fixes and usability improvements

Aqua Trivy Extension for VSCode

Aqua Trivy Extension for JetBrains

Azure Pipelines Task

The Aqua Trivy extension for Azure Pipelines has been updated:

• Uses recent version of Trivy
• Tasks are now easier to configure with clearer options for inputs.
• The UI has been updated to allow for switching between Trivy runs and download reports in different formats

Aqua Trivy Task for Azure Pipelines

👷‍♂️ Notable Fixes 🛠️

• bug(spdx): Trivy can't parse text licenses with 2 consecutive tokens #8465
• bug(scan): --file-patterns doesn't work for some post-analyzers #6962
• bug(k8s): --report=all yields no results even when results are present #8616
• bug(dpkg): packages may include empty license strings #8621
• fix(fs): check postAnalyzers for StaticPaths #8543
• fix(misconf): resolve unknown values without panic  #8603
• fix(misconf): handle Terraform blocks and attributes safely #8589
• fix(misconf): skip Azure CreateUiDefinition #8500