docs/guide/coverage/language/index.md
Programming Language

Trivy supports programming languages for

Supported languages

The files analyzed vary depending on the target. This is because Trivy primarily categorizes targets into two groups:

  • Pre-build
  • Post-build

If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files. On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like .gemspec, binary files, and so on.

| Language | File | Image [1] | Rootfs [2] | Filesystem [3] | Repository [4] |
|----------|------|-----------|------------|----------------|----------------|
| Ruby | Gemfile.lock | - | - | ✅ | ✅ |
| | gemspec | ✅ | ✅ | - | - |
| Python | Pipfile.lock | - | - | ✅ | ✅ |
| | poetry.lock | - | - | ✅ | ✅ |
| | uv.lock | - | - | ✅ | ✅ |
| | requirements.txt | - | - | ✅ | ✅ |
| | egg package [5] | ✅ | ✅ | - | - |
| | wheel package [6] | ✅ | ✅ | - | - |
| PHP | composer.lock | - | - | ✅ | ✅ |
| | installed.json | ✅ | ✅ | - | - |
| Node.js | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
| | bun.lock | - | - | ✅ | ✅ |
| | package.json | ✅ | ✅ | - | - |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props [7] | ✅ | ✅ | ✅ | ✅ |
| Java | JAR/WAR/PAR/EAR [8] | ✅ | ✅ | - | - |
| | pom.xml | - | - | ✅ | ✅ |
| | *gradle.lockfile | - | - | ✅ | ✅ |
| | *.sbt.lock | - | - | ✅ | ✅ |
| Go | Binaries built by Go | ✅ | ✅ | - | - |
| | go.mod | - | - | ✅ | ✅ |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
| | Binaries built with cargo-auditable | ✅ | ✅ | - | - |
| C/C++ | conan.lock | - | - | ✅ | ✅ |
| Elixir | mix.lock [9] | - | - | ✅ | ✅ |
| Dart | pubspec.lock | - | - | ✅ | ✅ |
| Swift | Podfile.lock | - | - | ✅ | ✅ |
| | Package.resolved | - | - | ✅ | ✅ |
| Julia | Manifest.toml | ✅ | ✅ | ✅ | ✅ |

The path of these files does not matter.
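Before wiring Trivy into a pipeline it helps to know which of these files a given scan mode will actually pick up, and which look like dependency files but are skipped under a non-default name. The following added example (not the Trivy project's own code) mirrors the table as filename patterns, walks a directory tree, and reports what a pre-build (fs/repo) versus a post-build (image/rootfs) scan would analyze; the pattern sets, the near-miss rule for requirements files, and the sample tree are constructed for this example.

```python
import fnmatch
import tempfile
from pathlib import Path

# Filename patterns taken from the table above, grouped by the scan modes that pick them
# up. This is a constructed mirror of the table for illustration, not Trivy's own code.
PRE_BUILD = {  # picked up by `trivy fs` / `trivy repo` (lock files and manifests)
    "Gemfile.lock", "Pipfile.lock", "poetry.lock", "uv.lock", "requirements.txt",
    "composer.lock", "package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lock",
    "pom.xml", "*gradle.lockfile", "*.sbt.lock", "go.mod", "conan.lock", "mix.lock",
    "pubspec.lock", "Podfile.lock", "Package.resolved",
}
POST_BUILD = {  # picked up by `trivy image` / `trivy rootfs` (installed metadata, binaries)
    "*.gemspec", "PKG-INFO", "*.egg", "METADATA", "installed.json", "package.json",
    "*.jar", "*.war", "*.par", "*.ear",
}
BOTH = {  # picked up in all four modes
    "packages.lock.json", "packages.config", "*.deps.json", "Cargo.lock",
    "*Packages.props", "Manifest.toml",
}
# Assumed near-miss: a requirements file under another name needs --file-patterns (footnote 9).
NEAR_MISS = {"requirements*.txt"}


def _matches(name, patterns):
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def classify(root):
    """Report which files under `root` each scan mode analyzes; only the filename matters."""
    report = {"fs/repo": [], "image/rootfs": [], "needs --file-patterns": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, rel = path.name, path.relative_to(root).as_posix()
        if _matches(name, PRE_BUILD | BOTH):
            report["fs/repo"].append(rel)
        if _matches(name, POST_BUILD | BOTH):
            report["image/rootfs"].append(rel)
        elif not _matches(name, PRE_BUILD) and _matches(name, NEAR_MISS):
            report["needs --file-patterns"].append(rel)
    return {mode: sorted(files) for mode, files in report.items()}


def sample_tree():
    """Create a constructed project tree (empty files; only the names matter) and return it."""
    root = tempfile.mkdtemp()
    for rel in ("app/Gemfile.lock", "vendor/foo.gemspec", "requirements-dev.txt",
                "src/Cargo.lock", "lib/x.jar", "README.md"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root
```

Running `classify(sample_tree())` shows Cargo.lock in both groups, Gemfile.lock only in fs/repo, the gemspec and JAR only in image/rootfs, and requirements-dev.txt flagged as needing --file-patterns.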

Example: Dockerfile

Footnotes

  1. ✅ means "enabled" and - means "disabled" in the image scanning

  2. ✅ means "enabled" and - means "disabled" in the rootfs scanning

  3. ✅ means "enabled" and - means "disabled" in the filesystem scanning

  4. ✅ means "enabled" and - means "disabled" in the git repository scanning

  5. *.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO

  6. .dist-info/METADATA

  7. Directory.Packages.props and legacy Packages.props file names are supported

  8. *.jar, *.war, *.par and *.ear

  9. To scan a file with a name other than the default filename, use --file-patterns