v0.62.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🖼️ Save image layer metadata in reports 🧱
  • 🧶 Yarn workspace support 🧩
  • 🦀 Add Cargo root & workspace package relationships 🗂️
  • 🛡️ Add support for new allowed sysctls in AVD-KSV-0026 ⚙️
  • 📦 Add new check to restrict wildcard access to S3 resources ✳️
• 👷‍♂️ Notable Fixes 🛠️
• 🐟 Ecosystem Updates 🌳
  • 🕵️ Trivy Operator
  • ✨ Trivy MCP Server - Experimental

🚀 What's new? 🚀

🖼️ Save image layer metadata in reports 🧱

Trivy’s JSON scan output now includes detailed per-layer metadata—each layer’s size, digest and diff ID are exposed under a new Metadata.Layers array.

Usage

Run Trivy with JSON formatting and inspect the Layers field in the report’s metadata:

$ trivy -q image aquasecurity/trivy -f json | jq .Metadata.Layers

This will output an array of objects like:

[
  {
    "Size": 8120832,
    "Digest": "sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870",
    "DiffID": "sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350"
  },
  …
]

🧶 Yarn workspace support 🧩

Trivy now fully supports Yarn workspaces, improving dependency analysis for monorepo projects. Previously, Yarn workspace packages weren't individually identified, and the relationships between the root project and its workspaces were not clearly represented. With this update, Trivy explicitly recognizes both the root project and each workspace as distinct packages by extracting their respective package.json details. It also establishes clear workspace relationships between the root project and associated workspaces, accurately mapping their dependencies.

This improvement ensures a more comprehensive and precise Software Bill of Materials (SBOM), facilitating enhanced vulnerability detection and dependency management.

$ trivy -q fs /path/to/project -f json --list-all-pkgs | jq '.Results[].Packages[]'
{
  "ID": "@test/[email protected]",
  "Name": "@test/foo",
  "Version": "1.0.0",
  ...
  "Relationship": "root",
  "DependsOn": [
    "@test/[email protected]"
  ],
}
{
  "ID": "@test/[email protected]",
  "Name": "@test/bar-generators",
  "Version": "0.0.1",
  ...
  "Relationship": "workspace",
  "DependsOn": [
    "[email protected]"
  ],
}
{
  "ID": "[email protected]",
  "Name": "hoek",
  "Version": "6.1.3",
  ...
  "Relationship": "direct",
}

🦀 Add Cargo root & workspace package relationships 🗂️

Trivy’s Rust/Cargo analyzer now detects and includes Cargo workspaces as packages (relationship=workspace) and properly marks the root package with relationship=root. Workspace members are saved as packages and automatically added as dependencies of the root package, while development dependencies are excluded for both root and workspace packages.

Usage

Run a filesystem scan on a Cargo project and list all root and workspace packages:

$ trivy -q fs /path/to/rust-project -f json --list-all-pkgs | \
  jq '.Results[].Packages[] | select(.Relationship=="root" or .Relationship=="workspace")'

You’ll see entries such as:

{
  "ID": "[email protected]",
  "Name": "app",
  "Relationship": "root",
  "DependsOn": ["[email protected]"]
}

{
  "ID": "[email protected]",
  "Name": "member",
  "Relationship": "workspace",
  "DependsOn": [
    "[email protected]",
    "[email protected]",
    "[email protected]"
  ]
}

🛡️ Add support for new allowed sysctls in AVD-KSV-0026 ⚙️

Extended the check AVD-KSV-0026 to validate sysctl parameters allowed under the Kubernetes PodSecurity "baseline" policy.

The check now:

• Aligns allowed sysctls with the specified Kubernetes version, using either the --k8s-version flag or automatic detection during cluster scans. If the version is unknown, the list from the latest supported Kubernetes version is used.
• Includes parameters newly allowed in Kubernetes 1.29 and 1.32.

Based on official policy definition:
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

Source (commit 44c230b):
https://github.com/kubernetes/kubernetes/blob/44c230bf5c321056e8bc89300b37c497f464f113/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go#L39-L51

📦 Add new check to restrict wildcard access to S3 resources ✳️

Introduced a new check AVD-AWS-0345 to disallow the creation of overly permissive IAM policies that grant unrestricted wildcard access to S3 resources. The check flags IAM policies and roles that allow dangerous S3 actions, such as s3:*, s3:g*, s3:put*, and others. It also considers the AWS managed policy AmazonS3FullAccess, which provides full access to S3 resources.

🔧 Recommended action:
Create more restrictive S3 policies to avoid broad and potentially risky access permissions.

👷‍♂️ Notable Fixes 🛠️

• fix(misconf): populate context correctly for module instances #8656
• fix(misconf): add missing variable as unknown #8683
• fix(terraform): evaluateStep to correctly set EvalContext for multiple instances of blocks #8555 Thanks @Emyrk
• fix(secret): ignore .dist-info directories during secret scanning #8646

🐟 Ecosystem Updates 🌳

🕵️ Trivy Operator

We've added some performance fixes in the upcoming release of Trivy operator. In particular we have improved the following:

1. Improved the audit report generation logic
2. Optimized the loading of the checks at runtime

Both of these improvements have resulted in a lower memory footprint of the operator. We will continue to enhance the performance of the operator going forwards.

✨ Trivy MCP Server - Experimental

We've started work on an MCP server for Trivy that can integrate with Cursor, Claude Desktop and VSCode (v1.99.0+) among others

1. Initial release scans images, filesystems and repositories
2. The MCP Server can run independent of the Trivy VSCode extension, however, it will soon be integrated to the extension for an even better experience.

For more information on how to use, check the Trivy MCP Repo. As always, we welcome feedback/suggestions and issues.