### Description
When I run a trivy scan against a local repository, e.g., something like:
I see results from commits after the given commit. Indeed, it looks like only the `tryRemoteRepo` function actually does anything with those `artifactOpts` when it calls `cloneRepo`; the `tryLocalRepo` function doesn't touch them.
This is frustrating in CI contexts because sometimes I want to see if a patch or PR introduces new vulns. Using `--commit` against a local checkout with the appropriate SHA from the relevant CI environment variables would be a natural fit here, but it doesn't work.
(There is a workaround: I can hit the remote code path by prepending `file://` to the repo path I want to target. But this fails with an unclear error message on only some of the repos I work with.)
### Desired Behavior
`trivy repository ...` should always honor `--commit`, `--branch`, `--tag`
### Actual Behavior
`trivy repository ...` silently ignores `--commit`, `--branch`, and `--tag` for local repositories
### Reproduction Steps
1. Create a repo with an empty initial commit
2. Add a package.json file with a known-vulnerable dependency. Commit it.
3. Run a scan with `--commit <initial commit hash>` with the local repository path, e.g., `trivy repository .`.
4. Observe that the results reported are not actually present at the specified commit.
...
### Target
Git Repository
### Scanner
Vulnerability
### Output Format
None
### Mode
Standalone
### Debug Output
~/S/trivial-nodejs on adds-known-vulns:main [?⇡] is 📦 v0.0.1 via v22.14.0
❯ nix run nixpkgs#trivy -- --debug repository (realpath .) --scanners vuln --commit de578759e4f10827054d4293e0f8099148c921a1 --format cyclonedx
2025-07-07T12:52:58-07:00 DEBUG No plugins loaded
2025-07-07T12:52:58-07:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-07T12:52:58-07:00 DEBUG Cache dir dir="/Users/patcal04/Library/Caches/trivy"
2025-07-07T12:52:58-07:00 DEBUG Cache dir dir="/Users/patcal04/Library/Caches/trivy"
2025-07-07T12:52:58-07:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-07T12:52:58-07:00 DEBUG Ignore statuses statuses=[]
2025-07-07T12:52:58-07:00 DEBUG DB update was skipped because the local DB is the latest
2025-07-07T12:52:58-07:00 DEBUG DB info schema=2 updated_at=2025-07-07T12:27:18.260975436Z next_update=2025-07-08T12:27:18.260975246Z downloaded_at=2025-07-07T15:39:11.914805Z
2025-07-07T12:52:58-07:00 DEBUG [pkg] Package types types=[library]
2025-07-07T12:52:58-07:00 DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-07-07T12:52:58-07:00 INFO [vuln] Vulnerability scanning is enabled
2025-07-07T12:52:58-07:00 DEBUG Initializing scan cache... type="fs"
2025-07-07T12:52:58-07:00 DEBUG [notification] Running version check
2025-07-07T12:52:58-07:00 DEBUG [repo] Analyzing... root="/Users/patcal04/Sandbox/trivial-nodejs"
2025-07-07T12:52:58-07:00 DEBUG [repo] Random cache key will be used err="repository is dirty"
2025-07-07T12:52:58-07:00 DEBUG Skipping path path=".git"
2025-07-07T12:52:58-07:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
2025-07-07T12:52:58-07:00 DEBUG OS is not detected.
2025-07-07T12:52:58-07:00 INFO Number of language-specific files num=1
2025-07-07T12:52:58-07:00 INFO [npm] Detecting vulnerabilities...
2025-07-07T12:52:58-07:00 DEBUG [npm] Scanning packages for vulnerabilities file_path="package-lock.json"
2025-07-07T12:52:58-07:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-07-07T12:52:58-07:00 DEBUG [vex] VEX filtering is disabled
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:05674985-5b2b-4306-bd51-cf398a97d1db",
"version": 1,
"metadata": {
"timestamp": "2025-07-07T19:52:58+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "0.63.0"
}
]
},
"component": {
"bom-ref": "55cbd22b-aeee-4398-83d4-9116f88e7617",
"type": "application",
"name": "/Users/patcal04/Sandbox/trivial-nodejs",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "1ce85bbf-9e1a-493d-8f33-a167f0871683",
"type": "application",
"name": "package-lock.json",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "npm"
}
]
},
{
"bom-ref": "pkg:npm/[email protected]",
"type": "library",
"name": "centra",
"version": "2.7.0",
"purl": "pkg:npm/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "[email protected]"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "npm"
}
]
},
{
"bom-ref": "pkg:npm/[email protected]",
"type": "library",
"name": "follow-redirects",
"version": "1.15.9",
"purl": "pkg:npm/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "[email protected]"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "npm"
}
]
},
{
"bom-ref": "pkg:npm/[email protected]",
"type": "library",
"name": "phin",
"version": "3.7.0",
"purl": "pkg:npm/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "[email protected]"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "npm"
}
]
}
],
"dependencies": [
{
"ref": "1ce85bbf-9e1a-493d-8f33-a167f0871683",
"dependsOn": [
"pkg:npm/[email protected]"
]
},
{
"ref": "55cbd22b-aeee-4398-83d4-9116f88e7617",
"dependsOn": [
"1ce85bbf-9e1a-493d-8f33-a167f0871683"
]
},
{
"ref": "pkg:npm/[email protected]",
"dependsOn": [
"pkg:npm/[email protected]"
]
},
{
"ref": "pkg:npm/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:npm/[email protected]",
"dependsOn": [
"pkg:npm/[email protected]"
]
}
],
"vulnerabilities": [
{
"id": "GHSA-x565-32qp-m3vf",
"source": {
"name": "ghsa",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"score": 4.3,
"severity": "medium",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
}
],
"description": "### Impact\n\nUsers may be impacted if sending requests including sensitive data in specific headers with `followRedirects` enabled.\n\n### Patches\n\nThe [follow-redirects](https://github.com/follow-redirects/follow-redirects) library is now being used for redirects and removes some headers that may contain sensitive information in some situations.\n\n### Workarounds\n\nN/A. Please update to resolve the issue.",
"recommendation": "Upgrade phin to version 3.7.1",
"advisories": [
{
"url": "https://github.com/advisories/GHSA-x565-32qp-m3vf"
},
{
"url": "https://github.com/ethanent/phin"
},
{
"url": "https://github.com/ethanent/phin/commit/c071f95336a987dad9332fd388adeb249925cc57"
},
{
"url": "https://github.com/ethanent/phin/security/advisories/GHSA-x565-32qp-m3vf"
}
],
"published": "2024-04-11T21:30:30+00:00",
"updated": "2024-04-11T21:30:31+00:00",
"affects": [
{
"ref": "pkg:npm/[email protected]",
"versions": [
{
"version": "3.7.0",
"status": "affected"
}
]
}
]
}
]
}
~/S/trivial-nodejs on adds-known-vulns:main [?⇡] is 📦 v0.0.1 via v22.14.0
❯ nix run nixpkgs#trivy -- --debug repository file://(realpath .) --scanners vuln --commit de578759e4f10827054d4293e0f8099148c921a1 --format cyclonedx
2025-07-07T12:53:05-07:00 DEBUG No plugins loaded
2025-07-07T12:53:05-07:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-07T12:53:05-07:00 DEBUG Cache dir dir="/Users/patcal04/Library/Caches/trivy"
2025-07-07T12:53:05-07:00 DEBUG Cache dir dir="/Users/patcal04/Library/Caches/trivy"
2025-07-07T12:53:05-07:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-07T12:53:05-07:00 DEBUG Ignore statuses statuses=[]
2025-07-07T12:53:05-07:00 DEBUG DB update was skipped because the local DB is the latest
2025-07-07T12:53:05-07:00 DEBUG DB info schema=2 updated_at=2025-07-07T12:27:18.260975436Z next_update=2025-07-08T12:27:18.260975246Z downloaded_at=2025-07-07T15:39:11.914805Z
2025-07-07T12:53:05-07:00 DEBUG [pkg] Package types types=[library]
2025-07-07T12:53:05-07:00 DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-07-07T12:53:05-07:00 INFO [vuln] Vulnerability scanning is enabled
2025-07-07T12:53:05-07:00 DEBUG Initializing scan cache... type="fs"
2025-07-07T12:53:05-07:00 DEBUG [notification] Running version check
Enumerating objects: 27, done.
Counting objects: 100% (27/27), done.
Compressing objects: 100% (27/27), done.
Total 27 (delta 14), reused 0 (delta 0), pack-reused 0 (from 0)
2025-07-07T12:53:05-07:00 DEBUG [repo] Analyzing... root="/tmp/trivy-remote-repo2429845942" original="file:///Users/patcal04/Sandbox/trivial-nodejs"
2025-07-07T12:53:05-07:00 DEBUG [repo] Using the latest commit hashfor calculating cache key commit_hash="de578759e4f10827054d4293e0f8099148c921a1"
2025-07-07T12:53:05-07:00 DEBUG [repo] Cache hit key="sha256:fe453a77382d4a5d1755a468fe3571d6cdb48ed363e9d8556bf79a55c0fded03"
2025-07-07T12:53:05-07:00 DEBUG OS is not detected.
2025-07-07T12:53:05-07:00 INFO Number of language-specific files num=0
2025-07-07T12:53:05-07:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-07-07T12:53:05-07:00 DEBUG [vex] VEX filtering is disabled
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:6aef9b36-5ef0-4071-8092-3b604516f169",
"version": 1,
"metadata": {
"timestamp": "2025-07-07T19:53:05+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "0.63.0"
}
]
},
"component": {
"bom-ref": "30102918-8be1-411f-9092-7d20153bd9f7",
"type": "application",
"name": "file:///Users/patcal04/Sandbox/trivial-nodejs",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [],
"dependencies": [
{
"ref": "30102918-8be1-411f-9092-7d20153bd9f7",
"dependsOn": []
}
],
"vulnerabilities": []
}
~/S/trivial-nodejs on adds-known-vulns:main [?⇡] is 📦 v0.0.1 via v22.14.0
❯
### Operating System
macOS Sequoia
### Version
```bash
Version: 0.63.0
Vulnerability DB:
Version: 2
UpdatedAt: 2025-07-07 18:28:03.75312422 +0000 UTC
NextUpdate: 2025-07-08 18:28:03.75312405 +0000 UTC
DownloadedAt: 2025-07-07 19:54:17.575422 +0000 UTC
```
this affects many versions; afaict it's been present since local repository support was introduced
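The CI use case in the report (does this PR introduce new findings?) needs two scans that really describe two commits. Until `--commit` is honoured for local paths, one way to get them is to export each commit separately (`git archive <sha> | tar -x -C <dir>` and then `trivy fs --format cyclonedx <dir>`) and diff the two CycloneDX documents. The script below is an added example, not Trivy's own code; the two BOMs are constructed samples that mirror the shape of the output above (an empty base scan and a head scan containing the phin advisory), and `gate` is a hypothetical CI helper.

```python
import json

# Constructed sample BOMs in the shape Trivy emits (see the CycloneDX output above):
# the base commit scan found nothing, the head commit scan found the phin advisory.
BASE_BOM = json.loads('{"bomFormat": "CycloneDX", "specVersion": "1.6", "vulnerabilities": []}')
HEAD_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "vulnerabilities": [{
        "id": "GHSA-x565-32qp-m3vf",
        "ratings": [{"severity": "medium", "score": 4.3}],
        "affects": [{"ref": "pkg:npm/phin@3.7.0",
                     "versions": [{"version": "3.7.0", "status": "affected"}]}],
    }],
}

# Ordering used to compare the CycloneDX rating severities.
SEVERITY_RANK = {"unknown": 0, "info": 0, "none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def vuln_keys(bom):
    """(advisory id, affected ref, worst severity) for every affected entry in a BOM."""
    keys = set()
    for vuln in bom.get("vulnerabilities", []):
        sev = max((r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")
        for affected in vuln.get("affects", []):
            keys.add((vuln["id"], affected["ref"], sev))
    return keys


def introduced(base_bom, head_bom):
    """Findings present in the head scan but absent from the base scan, sorted for stable CI logs."""
    return sorted(vuln_keys(head_bom) - vuln_keys(base_bom))


def gate(base_bom, head_bom, fail_on="medium"):
    """Return (passed, new_findings); fails when any new finding reaches the threshold severity."""
    new = introduced(base_bom, head_bom)
    threshold = SEVERITY_RANK[fail_on]
    passed = all(SEVERITY_RANK.get(sev, 0) < threshold for _, _, sev in new)
    return passed, new


if __name__ == "__main__":
    ok, new = gate(BASE_BOM, HEAD_BOM)
    for vid, ref, sev in new:
        print(f"NEW {sev.upper():8} {vid} -> {ref}")
    raise SystemExit(0 if ok else 1)
```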