release: v0.69.0 [release/v0.68] #9948

Closed
aqua-bot wants to merge 1 commit into release/v0.68 from release-please--branches--release/v0.68

@aqua-bot

🤖 I have created a release beep boop

0.69.0 (2025-12-16)

Features

  • add --vuln-severity-source flag (#8269) (d464807)
  • add ArtifactID field to uniquely identify scan targets (#9663) (84a7d9a)
  • add Bottlerocket OS package analyzer (#8653) (07ef63b)
  • add documentation URL for database lock errors (#9531) (eba48af)
  • add graceful shutdown with signal handling (#9242) (2c05882)
  • add HTTP request/response tracing support (#9125) (aa5b32a)
  • add JSONC support for comments and trailing commas (#8862) (0b0e406)
  • add report summary table (#8177) (dd54f80)
  • add ReportID field to scan reports (#9670) (fc976be)
  • add timeout handling for cache database operations (#9307) (235c24e)
  • allow ignoring findings by type in Rego (#9578) (c638fc6)
  • alma: add AlmaLinux 10 support (#9207) (861d51e)
  • alpine: add maintainer field extraction for APK packages (#8930) (104bbc1)
  • aws: Add support for dualstack ECR endpoints (#9862) (e74e2b1)
  • cli: Add available version checking (#8553) (5a0bf9e)
  • cli: Add trivy cloud support (#9637) (8e6a7ff)
  • cli: add version constraints to announcements (#9023) (19efa9f)
  • cli: change --list-all-pkgs default to true (#9510) (7b663d8)
  • cloudformation: support default values and list results in Fn::FindInMap (#9515) (42b3bf3)
  • cyclonedx: Add initial support for loading external VEX files from SBOM references (#8254) (4820eb7)
  • cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439) (aff03eb)
  • db: enable concurrent access to vulnerability database (#9750) (d70d994)
  • dotnet: add dependency graph support for .deps.json files (#9726) (18c0ee8)
  • echo: Add Echo Support (#8833) (c7b8cc3)
  • flag: add --cacert flag (#9781) (6048173)
  • flag: add schema validation for --server flag (#9270) (ed4640e)
  • fs: change artifact type to repository when git info is detected (#9613) (cff91ac)
  • fs: optimize scanning performance by direct file access for known paths (#8525) (8bf6caf)
  • go: fix parsing main module version for go >= 1.24 (#8433) (e58dcfc)
  • go: support license scanning in both GOPATH and vendor (#8843) (26437be)
  • image: add Docker context resolution (#9166) (99cd4e7)
  • image: add RepoTags support for Docker archives (#9690) (a9a3031)
  • image: add Sigstore bundle SBOM support (#9516) (e1f3f28)
  • image: pass global context to docker/podman image save func (#9733) (2690ac9)
  • image: save layers metadata into report (#8394) (a95cab0)
  • include registry and repository in artifact ID calculation (#9689) (758f271)
  • java: add support remote repositories from settings.xml files (#9708) (eff52eb)
  • java: dereference all maven settings.xml env placeholders (#9024) (5aade69)
  • k8s: add support for controllers (#8614) (1bf0117)
  • k8s: get components from namespaced resources (#8918) (4f1ab23)
  • license: improve work text licenses with custom classification (#8888) (ee52230)
  • license: improve work with custom classification of licenses from config file (#8861) (c321fdf)
  • license: observe pkg types option in license scanner (#9091) (d44af8c)
  • license: scan vendor directory for license for go.mod files (#8689) (dd6a6e5)
  • license: Support compound licenses (licenses using SPDX operators) (#8816) (39f9ed1)
  • license: use separate SPDX ids to ignore SPDX expressions (#9087) (012f3d7)
  • minimos: Add support for MinimOS (#8792) (c2dde33)
  • misconf: adapt aws_default_security_group (#8538) (b57eccb)
  • misconf: adapt aws_opensearch_domain (#8550) (9913465)
  • misconf: adapt AWS::DynamoDB::Table (#8529) (8112cdf)
  • misconf: adapt AWS::EC2::VPC (#8534) (0d9865f)
  • misconf: add agentpools to azure container schema (#9714) (69f400c)
  • misconf: add misconfiguration location to junit template (#8793) (a516775)
  • misconf: add OpenTofu file extension support (#8747) (57801d0)
  • misconf: add option to pass Rego scanner to IaC scanner (#8369) (890a360)
  • misconf: add private ip google access attribute to subnetwork (#9199) (263845c)
  • misconf: Add RoleAssignments attribute (#9396) (3fb8703)
  • misconf: Add support for Minimum Trivy Version (#8880) (3b2a397)
  • misconf: Add support for aws_ami (#8499) (573502e)
  • misconf: Add support for configurable Rego error limit (#9657) (445cd2b)
  • misconf: added audit config attribute (#9249) (4d4a244)
  • misconf: added logging and versioning to the gcp storage bucket (#9226) (110f80e)
  • misconf: convert AWS managed policy to document (#8757) (7abf5f0)
  • misconf: export raw Terraform data to Rego (#8741) (aaecc29)
  • misconf: include map key in manifest snippet for diagnostics (#9681) (197c9e1)
  • misconf: normalize CreatedBy for buildah and legacy docker builder (#8953) (65e155f)
  • misconf: render causes for Terraform (#8360) (a99498c)
  • misconf: support auto_provisioning_defaults in google_container_cluster (#8705) (9792611)
  • misconf: support https_traffic_only_enabled in Az storage account (#9784) (c8d5ab7)
  • misconf: Update AppService schema (#9792) (c6d95d7)
  • misconf: Update Azure Compute schema (#9675) (cb58bf6)
  • misconf: Update Azure Container Schema (#9673) (43a7546)
  • misconf: Update Azure network schema for new checks (#9791) (ea2dc58)
  • misconf: Update azure storage schema (#9728) (c3bfecf)
  • misconf: Update SecurityCenter schema (#9674) (58819c5)
  • nodejs: add a bun.lock analyzer (#8897) (7ca656d)
  • nodejs: add bun.lock parser (#8851) (1dcf816)
  • nodejs: add root and workspace for yarn packages (#8535) (bf4cd4f)
  • redhat: Add EOL date for RHEL 10. (#8910) (48258a7)
  • redhat: add os-release detection for RHEL-based images (#9458) (cb25a07)
  • reject unsupported artifact types in remote image retrieval (#9052) (1e1e1b5)
  • replace TinyGo with standard Go for WebAssembly modules (#8496) (529957e)
  • repo: add git repository metadata to reports (#9252) (f4b2cf1)
  • report: add CVSS vectors in sarif report (#9157) (60723e6)
  • report: add fingerprint generation for vulnerabilities (#9794) (cbad9ca)
  • report: add image reference to report metadata (#9729) (d020f26)
  • report: switch ReportID from UUIDv4 to UUIDv7 (#9749) (6fb3fde)
  • rust: add root and workspace relationships/package for cargo lock files (#8676) (93efe07)
  • sbom: add manufacturer field to CycloneDX tools metadata (#9019) (41d0f94)
  • sbom: add SHA-512 hash support for CycloneDX SBOM (#9126) (12d6706)
  • sbom: add support for SPDX attestations (#9829) (d8eaaeb)
  • sbom: added support for CoreOS (#9448) (6d562a3)
  • sbom: use SPDX license IDs list to validate SPDX IDs (#9569) (35db88c)
  • seal: add seal support (#9370) (e4af279)
  • secret: implement streaming secret scanner with byte offset tracking (#9264) (5a5e097)
  • suse: Add new openSUSE, Micro and SLES releases end of life dates (#9788) (019af7f)
  • terraform parser option to set current working directory (#8909) (8939451)
  • terraform: add partial evaluation for policy templates (#8967) (a9f7dcd)
  • terraform: use .terraform cache for remote modules in plan scanning (#9277) (298a994)
  • ubuntu: add end of life date for Ubuntu 25.04 (#9077) (367564a)
  • ubuntu: add eol date for 20.04-ESM (#8981) (87118a0)
  • vuln: add Root.io support for container image scanning (#9073) (3a0ec0f)

Bug Fixes

  • add buildInfo for BlobInfo in rpc package (#9608) (6def66e)
  • Add missing version check flags (#8951) (ef5f8de)
  • alma: parse epochs from rpmqa file (#9101) (82db2fc)
  • also check filepath when removing duplicate packages (#9142) (4d10a81)
  • aws: update amazon linux 2 EOL date (#9176) (0ecfed6)
  • aws: use BuildableClient instead of xhttp.Client (#9436) (fa6f1bf)
  • check post-analyzers for StaticPaths (#8904) (93e6680)
  • cli: Add more non-sensitive flags to telemetry (#9110) (7041a39)
  • cli: add some values to the telemetry call (#9056) (fd2bc91)
  • cli: disable --skip-dir and --skip-files flags for sbom command (#8886) (69a5fa1)
  • cli: don't use allow values for --compliance flag (#8881) (35e8889)
  • cli: ensure correct command is picked by telemetry (#9260) (b4ad00f)
  • cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206) (adfa879)
  • close all opened resources if an error occurs (#9665) (fa6f779)
  • close file descriptors and pipes on error paths (#9536) (a4cbd6a)
  • conda: memory leak by adding closure method for package.json file (#9349) (03d039f)
  • Correctly check for semver versions for trivy version check (#8948) (b813527)
  • create temp file under composite fs dir (#9387) (ce22f54)
  • cyclonedx: handle multiple license types (#9378) (46ab76a)
  • db: Download database when missing but metadata still exists (#9393) (92ebc7e)
  • db: fix case when 2 trivy-db were copied at the same time (#8452) (bb3cca6)
  • debian: don't include empty licenses for dpkgs (#8623) (346f5b3)
  • don't show corrupted trivy-db warning for first run (#8991) (4ed78e3)
  • early-return, indent-error-flow and superfluous-else rules from revive (#8796) (43350dd)
  • filter all files when processing files installed from package managers (#8842) (6ebde88)
  • flag: remove viper.SetDefault to fix IsSet() for config-only flags (#9732) (bf43629)
  • fs: avoid shadowing errors in file.glob (#9286) (b51c789)
  • fs: check postAnalyzers for StaticPaths (#8543) (c228307)
  • image: disable AVD-DS-0007 for history scanning (#8366) (a3cd693)
  • image: use standardized HTTP client for ECR authentication (#9322) (84fbf86)
  • java: exclude dev dependencies in gradle lockfile (#8803) (8995838)
  • java: update order for resolving package fields from multiple demManagement (#9575) (e286c5e)
  • java: use true as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751) (d87d9b9)
  • julia parser panicking (#8883) (be8c7b7)
  • julia: add Relationship field support (#8939) (22f040f)
  • k8s: add missed option PkgRelationships (#8442) (f987e41)
  • k8s: correct compare artifact versions (#8682) (cc47711)
  • k8s: disable parallel traversal with fs cache for k8s images (#9534) (c0c7a6b)
  • k8s: remove using last-applied-configuration (#8791) (7a58ccb)
  • k8s: show report for --report all (#8613) (dbb6f28)
  • k8s: skip passed misconfigs for the summary report (#8684) (bff0e9b)
  • k8s: use in-memory cache backend during misconfig scanning (#8873) (fe12771)
  • license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#9116) (a692f29)
  • license: don't normalize unlicensed licenses into unlicense (#9611) (09162e5)
  • license: handle SPDX WITH exceptions as single license in category detection (#9380) (212f078)
  • license: handle WITH operator for LaxSplitLicenses (#9232) (b4193d0)
  • migrate from *.list to *.md5sums files for dpkg (#9131) (f224de3)
  • misconf: .Config.User always takes precedence over USER in .History (#9050) (371b8cc)
  • misconf: add ephemeral block type to config schema (#8513) (41512f8)
  • misconf: add missing variable as unknown (#8683) (9dcd06f)
  • misconf: check if for-each is known when expanding dyn block (#8808) (5706603)
  • misconf: check if metadata is not nil (#8647) (b7dfd64)
  • misconf: Check values wholly prior to evaluation (#8604) (ad58cf4)
  • misconf: correct Azure value-to-time conversion in AsTimeValue (#9015) (40d017b)
  • misconf: correctly adapt azure storage account (#9138) (51aa022)
  • misconf: correctly parse empty port ranges in google_compute_firewall (#9237) (77bab7b)
  • misconf: do not skip loading documents from subdirectories (#8526) (de7eb13)
  • misconf: do not use cty.NilVal for non-nil values (#8567) (400a79c)
  • misconf: ensure boolean metadata values are correctly interpreted (#9770) (a6ceff7)
  • misconf: ensure ignore rules respect subdirectory chart paths (#9324) (d3cd101)
  • misconf: ensure module source is known (#9404) (81d9425)
  • misconf: ensure value used as ignore marker is non-null and known (#9835) (7aca801)
  • misconf: filter null nodes when parsing json manifest (#8785) (e10929a)
  • misconf: fix incorrect k8s locations due to JSON to YAML conversion (#8073) (a994453)
  • misconf: fix log bucket in schema (#9235) (7ebc129)
  • misconf: handle tofu files in module detection (#9486) (bfd2f6b)
  • misconf: handle unsupported experimental flags in Dockerfile (#9769) (08d51a8)
  • misconf: identify the chart file exactly by name (#8590) (ba77dbe)
  • misconf: Improve logging for unsupported checks (#8634) (5b7704d)
  • misconf: map healthcheck start period flag to --start-period instead of --startPeriod (#9837) (7b2b4d4)
  • misconf: move disabled checks filtering after analyzer scan (#9002) (a58c36d)
  • misconf: perform operations on attribute safely (#8774) (3ce7d59)
  • misconf: populate context correctly for module instances (#8656) (efd177b)
  • misconf: preserve original paths of remote submodules from .terraform (#9294) (1319d8d)
  • misconf: reduce log noise on incompatible check (#9029) (99c5151)
  • misconf: set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548) (1f05b45)
  • misconf: skip Azure CreateUiDefinition (#8503) (c7814f1)
  • misconf: skip rewriting expr if attr is nil (#9113) (42ccd3d)
  • misconf: strip build metadata suffixes from image history (#9498) (c938806)
  • misconf: unmark cty values before access (#9495) (8e40d27)
  • misconf: use argument value in WithIncludeDeprecatedChecks (#8942) (7e9a54c)
  • misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#9296) (04ad0c4)
  • misconf: wrap legacy ENV values in quotes to preserve spaces (#9497) (267a970)
  • more revive rules (#8814) (3ab459e)
  • nodejs: correctly parse packages array of bun.lock file (#8998) (875ec3a)
  • nodejs: don't use prerelease logic for compare npm constraints (#9208) (fe96436)
  • nodejs: fix npmjs parser.pkgNameFromPath() panic issue (#9688) (231492d)
  • nodejs: parse workspaces as objects for package-lock.json files (#9518) (404abb3)
  • nodejs: use snapshot string as Package.ID for pnpm packages (#9330) (4517e8c)
  • nodejs: use the default ID format to match licenses in pnpm packages. (#9661) (804ea4a)
  • octalLiteral from go-critic (#8811) (a19e0aa)
  • os: add mapping OS aliases (#8466) (6b4cebe)
  • os: Add photon 5.0 in supported OS (#9724) (29f0347)
  • persistent flag option typo (#9374) (6e99dd3)
  • plugin: don't remove plugins when updating index.yaml file (#9358) (5f067ac)
  • prevent graceful shutdown message on normal exit (#9244) (6095984)
  • python: improve package name normalization (#9290) (1473e88)
  • redhat: Also try to find buildinfo in root layer (layer 0) (#8924) (906b037)
  • redhat: save contentSets for OS packages in fs/vm modes (#8820) (9256804)
  • redhat: trim invalid suffix from content_sets in manifest parsing (#8818) (fa1077b)
  • repo: preserve RepoMetadata on FS cache hit (#9389) (4f2a44e)
  • report: clean buffer after flushing (#8725) (9a5383e)
  • report: correct field order in SARIF license results (#9712) (d20216e)
  • report: don't panic when report contains vulns, but doesn't contain packages for table format (#8549) (87fda76)
  • repo: sanitize git repo URL before inserting into report metadata (#9391) (1ac9b1f)
  • restore compatibility for google.protobuf.Value (#9559) (aeeb2a1)
  • rootio: check full version to detect root.io packages (#9117) (c2ddd44)
  • rootio: fix severity selection (#9181) (6fafbeb)
  • sbom: add buildInfo info as properties (#9683) (2c43425)
  • sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) (ecc01bb)
  • sbom: add support for file component type of CycloneDX (#9372) (aa7cf43)
  • sbom: don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562) (fb0593b)
  • sbom: improve logic for binding direct dependency to parent component (#8489) (85cca8c)
  • sbom: merge in-graph and out-of-graph OS packages in scan results (#9194) (aa944cc)
  • sbom: remove unnecessary OS detection check in SBOM decoding (#9034) (198789a)
  • sbom: use correct field for licenses in CycloneDX reports (#9057) (143da88)
  • secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253) (54832a7)
  • secret: fix line numbers for multiple-line secrets (#9104) (e579746)
  • secret: ignore .dist-info directories during secret scanning (#8646) (a032ad6)
  • server: add HTTP transport setup to server mode (#9217) (1163b04)
  • server: add missed Relationship field for rpc (#8872) (38f17c9)
  • server: fix redis key when trying to delete blob (#8649) (36f8d0f)
  • server: secrets inspectation for the config analyzer in client server mode (#8418) (a1c4bd7)
  • spdx: init pkgFilePaths map for all formats (#8380) (72ea4b0)
  • spdx: save text licenses into otherLicenses without normalize (#8502) (e5072f1)
  • supporting .egg-info/METADATA in python.Packaging analyzer (#9151) (e306e2d)
  • suppress debug log for context cancellation errors (#9298) (2458d5e)
  • terraform: evaluateStep to correctly set EvalContext for multiple instances of blocks (#8555) (e25de25)
  • terraform: for_each on a map returns a resource for every key (#9156) (153318f)
  • terraform: hcl object expressions to return references (#8271) (0d3efa5)
  • testifylint last issues (#8768) (ee4f7dc)
  • Trim the end-of-range suffix (#9618) (e18b038)
  • unused-parameter rule from revive (#8794) (6562082)
  • update all documentation links (#8045) (49456ba)
  • update all documentation links (#9777) (738b2b4)
  • update cosign settings for GoReleaser after bumping cosign to v3 [backport: release/v0.68] (#9870) (cdd7e97)
  • use --file-patterns flag for all post analyzers (#7365) (8b88238)
  • Use fetch-level: 1 to check out trivy-repo in the release workflow (#9636) (6e53686)
  • use context for analyzers (#9538) (b885d3a)
  • use-any from revive (#8810) (883c63b)
  • using SrcVersion instead of Version for echo detector (#9552) (66479f0)
  • validate backport branch name (#9548) (f0fd432)
  • vex: don't suppress vulns for packages with infinity loop (#9465) (78f0d4a)
  • vex: don't use reused BOM (#9604) (7422cc7)
  • vex: use lo.IsNil to check VEX from OCI artifact (#8858) (e97af98)
  • vex: use a separate visited set for each DFS path (#9760) (c274f5b)
  • vuln: compare nuget package names in lower case (#9456) (1ff9ac7)
  • wolfi: support new APK database location (#8937) (b15d9a6)

Performance Improvements

  • misconf: parse input for Rego once (#8483) (0e5e909)
  • misconf: retrieve check metadata from annotations once (#8478) (7b96351)
  • secret: only match secrets of meaningful length, allow example strings to not be matched (#8602) (60fef1b)

This PR was generated with Release Please. See documentation.

@aqua-bot aqua-bot requested a review from knqyf263 as a code owner December 16, 2025 10:01
@knqyf263 knqyf263 deleted the branch release/v0.68 December 16, 2025 10:45
@knqyf263 knqyf263 closed this Dec 16, 2025
@DmitriyLewen DmitriyLewen deleted the release-please--branches--release/v0.68 branch December 16, 2025 11:31