Prepare for v0.68.0

[DmitriyLewen]

Draft to collaborate on v0.68.0

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🧩 Report Metadata Enhancements 📊
  • 🐳 Docker Archive RepoTags Support 🏷️
  • 🧩 Change Artifact Type for Git Repositories 📁
  • 🌳 Dependency tree for *.deps.json files 📦
  • ⚙️ Remote repositories from settings.xml files 🫙
  • 📜 Separate SPDX IDs can be use in ignore SPDX expression 🪪
  • ⚠️ Limit Rego Compile Errors 🧯
  • 🧩 More accurate YAML snippets in diagnostics ✅
• 🏎️ Performance 🏎️
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🧩 Report Metadata Enhancements 📊

This release introduces new fields to the Trivy report format, improving traceability, consistency, and clarity across scan outputs.

Summary of Changes

• Added ReportID — Introduces a UUID (v4) that uniquely identifies each individual scan report, enabling correlation across
• Added ArtifactID — Provides a consistent, unique identifier for the scanned artifact (e.g., image, repository, or filesystem).
  systems.
• Added Metadata.Reference — Captures the exact image reference used during the scan (e.g., alpine:3.20), offering clearer context without ambiguity.

Together, these additions make it easier to track scan origins, correlate results in external systems, and ensure reports remain uniquely identifiable — even when multiple scans target the same artifact.

Example Output

{
  "SchemaVersion": 2,
  "ReportID": "278d4718-2366-46d0-8525-fc288c4eb5f9",
  "ArtifactID": "sha256:055936d39205...",
  "ArtifactName": "debian:11",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:e7b300aee9f9b...",
    "Reference": "debian:11",
    "RepoTags": ["debian:latest", "debian:11"]
  }
}

Usage

These fields are automatically included in JSON and table outputs.
No user action is required to enable them.

🐳 Docker Archive RepoTags Support 🏷️

Trivy now preserves image repository tags when scanning Docker archives (.tar files).
This enhancement applies automatically when scanning Docker archives created via:

• docker save
• skopeo copy docker://... docker-archive:...
• etc.

Before

$ docker save alpine:3.19 -o alpine.tar
$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'
{
  "RepoTags": null,
  "RepoDigests": null,
  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"
}

After

$ docker save alpine:3.19 -o alpine.tar
$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'
{
  "RepoTags": [
    "alpine:3.19"
  ],
  "RepoDigests": null,
  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"
}

🧩 Change Artifact Type for Git Repositories 📁

When scanning a directory using trivy fs, Trivy now automatically sets the artifact type to repository if the target is a Git repository. This behavior is automatic — no configuration needed.

Summary of Changes

• Detects Git metadata (commit, branch, tags, etc.) in the target directory.
• Automatically switches ArtifactType from filesystem → repository when Git information is found.
• Non-Git directories remain filesystem.

Example

Before

{
  "ArtifactType": "filesystem",
  "Metadata": {
    "RepoURL": "https://github.com/aquasecurity/trivy-test-repo/",
    "Branch": "main",
    "Tags": ["v0.0.1"],
    "Commit": "8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35",
    "CommitMsg": "Update README.md",
    "Author": "Teppei Fukuda <[email protected]>",
    "Committer": "GitHub <[email protected]>"
  }
}

After

{
  "ArtifactType": "repository",
  "Metadata": {
    "RepoURL": "https://github.com/aquasecurity/trivy-test-repo/",
    "Branch": "main",
    "Tags": ["v0.0.1"],
    "Commit": "8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35",
    "CommitMsg": "Update README.md",
    "Author": "Teppei Fukuda <[email protected]>",
    "Committer": "GitHub <[email protected]>"
  }
}

🌳 Dependency tree for *.deps.json files 📦

Trivy can now build a dependency tree for .NET *.deps.json files.
It also detects the project’s package (RootRelationship), as well as direct and indirect dependencies.

Thanks to @alexinslc

⚙️ Remote repositories from settings.xml files 🫙

Trivy now uses remote repositories from settings.xml files when scanning pom.xml files.

Thanks to @ricardo-kh

📜 Separate SPDX IDs can be use in ignore SPDX expression 🪪

It’s no longer necessary to specify each SPDX expression individually to ignore them.
You can specify all included SPDX IDs, and if Trivy finds all of them in an expression, it’ll ignore that license.

For example you can use --ignored-licenses LGPLv2+,MIT to ignore MIT AND GPL-2.0-or-later expression.

Thanks to @yutatokoi

⚠️ Limit Rego Compile Errors 🧯

Trivy can now limit the number of Rego compile errors during policy compilation. You can control this using the --rego-error-limit flag. If the number of errors exceeds the specified limit, Trivy will stop the scan. Setting --rego-error-limit 0 enforces strict checking and disallows any compile errors.

The default value is defined internally via CompileErrorLimit.

🧩 More accurate YAML snippets in diagnostics ✅

Trivy now captures the correct start line for map nodes in YAML manifests. Previously, snippets began at the first value and did not include the key, which could make diagnostics less clear.

Before:

4 [   name: hello-host-ports

After:

3 ┌ metadata:
4 └   name: hello-host-ports

🏎️ Performance 🏎️

👷‍♂️ Notable Fixes 🛠️

• bug(license): Trivy doesn't detect all SPDX license IDs #9491
• bug(pom): Trivy incorrect inherit versions and scope from multiple dependencyManagements places #9574
• Trivy incorrectly reports "UNLICENSED" software as "Unencumbered" #9581
• fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue #9688 Thanks to @derekhjray
• bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps #9660
• bug(pip): Trivy doesn’t trim the end-of-range suffix when using the --detection-priority comprehensive flag. #9609 Thanks to @raghur-orca
• bug(sbom): Trivy doens't keep buildInfo for rpm packages #9682
• bug: Trivy doesn’t use context in dependency parsers to stop the run. #9417
• fix: close all opened resources if an error occurs #9665 Thanks to @fabriziosestito
• bug(license): Trivy splits licenses that include the WITH separator when determining the category. #9379
• bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561