
feat: add --distro flag to manually specify OS distribution for vulnerability scanning #8065

Closed
knqyf263 opened this issue Dec 6, 2024 Discussed in #8056 · 0 comments · Fixed by #8070
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/sbom Issues relating to SBOM scan/vulnerability Issues relating to vulnerability scanning
knqyf263 commented Dec 6, 2024

Background

Currently, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS. However, there are use cases where manual OS specification would be beneficial.

Use Cases

  1. When scanning for vulnerabilities against a different OS version than the installed one

     Some patches might be available in different versions but not in the current version, like this case.

     Example:

     $ trivy image --distro alpine/edge alpine:3.20

  2. When OS detection fails

     Some images remove /etc/os-release for size optimization.

     Example:

     $ trivy image --distro debian/11 my-distroless

  3. When scanning non-container artifacts

     RPM archive scanning doesn't provide OS information.

     Example:

     $ trivy fs --distro redhat/9 ./rpms/

Proposal

Add a new --distro flag to manually specify OS information. When this flag is provided, it will override any automatically detected OS information.

Expected Format

--distro <family>/<version>

Implementation Notes

  • The flag should override any auto-detected OS information
  • Support for major Linux distributions (Alpine, Debian, RedHat, etc.)
  • Clear documentation on supported distribution formats

Discussed in #8056

@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. scan/vulnerability Issues relating to vulnerability scanning scan/sbom Issues relating to SBOM labels Dec 6, 2024
@knqyf263 knqyf263 added this to the v0.59.0 milestone Dec 6, 2024
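One way the proposed flag could be parsed and applied, as an added Go example written for this page and not Trivy's own code; the `OS` type, `ParseDistro`, `ResolveOS` and the `supportedFamilies` allow-list are assumptions made for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OS is the operating system a vulnerability scan is evaluated against.
type OS struct {
	Family string // e.g. "alpine", "debian", "redhat"
	Name   string // version as written on the flag, e.g. "3.20", "11", "edge"
}

// supportedFamilies is a constructed allow-list for this example only; the
// families Trivy actually supports are defined by the project, not here.
var supportedFamilies = map[string]bool{
	"alpine": true, "debian": true, "ubuntu": true, "redhat": true,
}

// ParseDistro parses the proposed "<family>/<version>" value. It rejects a
// missing separator or an empty half so that a typo cannot silently select a
// different distribution than the one the user meant.
func ParseDistro(value string) (OS, error) {
	family, version, ok := strings.Cut(strings.TrimSpace(value), "/")
	if !ok || family == "" || version == "" {
		return OS{}, fmt.Errorf("invalid --distro %q: expected <family>/<version>", value)
	}
	family = strings.ToLower(family)
	if !supportedFamilies[family] {
		return OS{}, fmt.Errorf("unsupported distribution family %q", family)
	}
	return OS{Family: family, Name: version}, nil
}

// ResolveOS implements the override semantics from the proposal: an explicit
// --distro wins over whatever detection found; without it, detection is used,
// and a target with no OS at all (e.g. /etc/os-release removed) is rejected
// here instead of being scanned with no OS package context at all.
func ResolveOS(detected *OS, distroFlag string) (OS, error) {
	if distroFlag != "" {
		return ParseDistro(distroFlag)
	}
	if detected == nil {
		return OS{}, errors.New("OS detection failed; pass --distro <family>/<version>")
	}
	return *detected, nil
}
```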