docs: fix dead links #7998

Merged
merged 1 commit into from
Nov 26, 2024
2 changes: 1 addition & 1 deletion docs/community/maintainer/release-flow.md
Expand Up @@ -10,7 +10,7 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl

!!! note
Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created.
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release).
To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation).

## Flow
The release flow consists of the following main steps:
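Review bot: the new anchor `#manual-release-pr-creation` cannot be verified from this hunk, because the target heading is outside the shown lines; please confirm that the heading in release-flow.md slugifies to exactly that (mkdocs lowercases the heading text and replaces spaces with hyphens, so a heading such as "Manual Release PR Creation" would). A Markdown link checker run in CI over docs/ would catch this kind of anchor drift the next time a heading is renamed.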
2 changes: 1 addition & 1 deletion docs/community/maintainer/triage.md
Expand Up @@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i
and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
to identify issues that have been specially groomed for new contributors.

We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
We have specific [guidelines](./help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that adding the `good first issue` label must also
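Review bot: replacing the repository-absolute `/docs/community/maintainer/help-wanted.md` with the page-relative `./help-wanted.md` is the correct fix; mkdocs resolves links relative to the current page, so the absolute form only worked when browsing the source tree on GitHub. A grep of docs/ for links beginning with `](/docs/` would show whether other pages carry the same pattern.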
4 changes: 2 additions & 2 deletions docs/docs/compliance/contrib-compliance.md
Expand Up @@ -3,7 +3,7 @@
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).

New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.

All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
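Review bot: the unchanged line at the top of this hunk still links the same page as `../../docs/compliance/compliance.md`; from `docs/docs/compliance/contrib-compliance.md` that resolves to the same file as the new `./compliance.md`, but having both forms a few lines apart is confusing and the `../../docs/` form breaks as soon as the page moves. Suggest normalizing that earlier link to `./compliance.md` in the same change.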
Expand All @@ -20,7 +20,7 @@ Create a new file under `trivy-checks/specs/compliance/` and name the file in th

### Minimum spec structure

The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).
The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).

The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
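Review bot: the hunk header context reads "Create a new file under `trivy-checks/specs/compliance/`", while the unchanged text in the previous hunk gives the directory as `trivy-checks/pkg/specs/compliance/` and links to that path. One of the two is stale; since this PR is already fixing links in this file, align the prose path with the linked one.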

4 changes: 2 additions & 2 deletions docs/docs/configuration/reporting.md
Expand Up @@ -450,8 +450,8 @@ $ trivy convert --format table --severity CRITICAL result.json
[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
[poetry-lock]: ../coverage/language/python.md#poetry
[gemfile-lock]: ../coverage/language/ruby.md#bundler
[go-mod]: ../coverage/language/golang.md#go-modules
[composer-lock]: ../coverage/language/php.md#composer
[go-mod]: ../coverage/language/golang.md#go-module
[composer-lock]: ../coverage/language/php.md#composerlock
[pom-xml]: ../coverage/language/java.md#pomxml
[gradle-lockfile]: ../coverage/language/java.md#gradlelock
[sbt-lockfile]: ../coverage/language/java.md#sbt
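Review bot: `#go-module` can be verified here, since it matches the `## Go Module` heading shown in the golang.md hunks of this PR; `#composerlock` cannot, because php.md is not part of the diff. Please confirm php.md has a heading whose generated id is `composerlock` (a heading of `composer.lock` would produce it, because the slugifier drops the dot, the same way `go.mod` becomes `gomod`).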
2 changes: 1 addition & 1 deletion docs/docs/coverage/kubernetes.md
Expand Up @@ -17,7 +17,7 @@ Container image is scanned for:

Kubernetes resource definition is scanned for:

- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
- Misconfigurations
- Exposed secrets
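Review bot: two defects are fixed at once here and both were real: the old `#KBOM` pointed at an anchor within coverage/kubernetes.md itself, which has no KBOM heading, and the anchor was upper-case while mkdocs generates lower-case ids. The `## KBOM` heading in docs/docs/target/kubernetes.md is not in this diff, so confirm it exists; the lower-case `#kbom` form is consistent with the same fix applied to docs/docs/target/sbom.md in this PR.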

18 changes: 9 additions & 9 deletions docs/docs/coverage/language/golang.md
Expand Up @@ -12,17 +12,17 @@ The following scanners are supported.

The table below provides an outline of the features Trivy offers.

| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
|----------|:-----------:|:-----------------|:------------------------------------:|:------------------------:|:----------------------------------------:|
| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#standard-library) | [✅](#standard-library) |
| Binaries | ✅ | Exclude | - | [✅](#standard-library-1) | Not needed |
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:|
| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#gomod-stdlib) | [✅](#gomod-stdlib) |
| Binaries | ✅ | Exclude | - | [✅](#go-binary-stdlib) | Not needed |

!!! note
When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself.
For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.

## Data Sources
The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources).
Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.

## Go Module
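Review bot: the `#gomod-stdlib` and `#go-binary-stdlib` targets in the table rely on the explicit `{ #... }` heading ids added further down, which only work when the `attr_list` Markdown extension is enabled in mkdocs.yml; if it is not, the `{ #gomod-stdlib }` text is rendered literally in the heading and these links stay dead. That configuration is not visible in the diff, so please confirm. Likewise the `#langpkg-data-sources` link depends on the explicit id introduced in scanner/vulnerability.md in this same PR, so the two files must be merged together.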
Expand Down Expand Up @@ -60,12 +60,12 @@ If you want to have better detection, please consider updating the Go version in
$ go mod tidy -go=1.18
```

### Main Module
### Main Module { #gomod-main }
Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module.
For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.

### Standard Library
### Standard Library { #gomod-stdlib }
Detecting the version of Go used in the project can be tricky.
The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
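Review bot: the unchanged context line "The go.mod file include hints that allows Trivy to guess the Go version" has two agreement errors ("includes", "allow"); since this heading is being edited anyway, fixing that sentence in the same pass is cheap. The explicit `{ #gomod-stdlib }` id itself is the right approach for a heading name that appears twice in the file.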
Expand Down Expand Up @@ -105,7 +105,7 @@ In other cases, Go uses the `(devel)` version[^2].
In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
If unsuccessful, the version will be empty[^3].

### Standard Library
### Standard Library { #go-binary-stdlib }
Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
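Review bot: replacing the auto-generated `standard-library-1` anchor with an explicit `{ #go-binary-stdlib }` id is the right fix, as the suffix form and numbering of duplicate-heading ids depend on the renderer and on heading order. The binary section's `Main Module` heading, which sits just above this hunk and is also a duplicate heading name, should get an explicit id for the same reason; the "Empty Version" paragraph further down links to it.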
Expand All @@ -120,7 +120,7 @@ There are a few ways to mitigate this:
2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.

### Empty Version
As described in the [Main Module](#main-module-1) section, the main module of Go binaries might have an empty version.
As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version.
Also, dependencies replaced with local ones will have an empty version.

[^1]: It doesn't require the Internet access.
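Review bot: this retarget looks wrong. The sentence describes the empty version of the main module of Go binaries, which is the behaviour documented in the binary section (the `(devel)` version and `-ldflags` text at the top of the previous hunk, ending "the version will be empty"), and the old `#main-module-1` was aimed at that second `Main Module` heading. The new `#gomod-main` points at the go.mod `Main Module` section, which only says that the main module is not scanned for vulnerabilities and says nothing about versions. Suggest giving the binary section's `Main Module` heading an explicit id (for example `{ #go-binary-main }`, matching the `go-binary-stdlib` naming) and linking to that instead.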
9 changes: 4 additions & 5 deletions docs/docs/coverage/language/index.md
Expand Up @@ -34,7 +34,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props[^10] | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props[^9] | ✅ | ✅ | ✅ | ✅ |
| [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - |
| | pom.xml | - | - | ✅ | ✅ |
| | *gradle.lockfile | - | - | ✅ | ✅ |
Expand All @@ -44,7 +44,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - |
| [C/C++](c.md) | conan.lock | - | - | ✅ | ✅ |
| [Elixir](elixir.md) | mix.lock[^9] | - | - | ✅ | ✅ |
| [Elixir](elixir.md) | mix.lock[^8] | - | - | ✅ | ✅ |
| [Dart](dart.md) | pubspec.lock | - | - | ✅ | ✅ |
| [Swift](swift.md) | Podfile.lock | - | - | ✅ | ✅ |
| | Package.resolved | - | - | ✅ | ✅ |
Expand All @@ -65,6 +65,5 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^8]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
[^9]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
[^10]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
[^9]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
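Review bot: deleting the old `[^8]` definition and shifting `[^9]` and `[^10]` down is only safe if nothing else in the file still references `[^8]` for the line-numbers footnote; the table header row is outside this diff, and a leftover `[^8]` there would now silently point at the file-patterns footnote rather than rendering as an error. Please confirm with a grep for `[^8]` in index.md. Separately, the removed footnote was the only place documenting that SARIF output uses `startline == 1 and endline == 1` for unsupported file types; if that behaviour still holds, it belongs in reporting.md rather than being dropped.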
2 changes: 1 addition & 1 deletion docs/docs/coverage/language/java.md
Expand Up @@ -60,7 +60,7 @@ Trivy reproduces Maven's repository selection and priority:

!!! Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources).

You can disable connecting to the maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
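Review bot: the link now targets the explicit `langpkg-data-sources` id introduced in scanner/vulnerability.md in this PR, so it is correct as long as both files land together. While the line is being touched, the sentence "Information about data sources for Java you can see here" reads awkwardly; "See [here](...) for the Java data sources." would be clearer.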
2 changes: 1 addition & 1 deletion docs/docs/coverage/language/python.md
Expand Up @@ -44,7 +44,7 @@ Trivy parses your files generated by package managers in filesystem/repository s
#### Dependency detection
By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.

Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
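Review bot: switching to the reference-style `[--detection-priority comprehensive][detection-priority]` only produces a link if python.md contains a matching definition line `[detection-priority]: ...`, which this hunk does not show; without it the text renders literally with square brackets, which is a dead link that no longer even looks like one. Please confirm the definition exists in python.md (golang.md uses the same reference, so copying its definition line is the quick fix).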

```
2 changes: 1 addition & 1 deletion docs/docs/references/troubleshooting.md
Expand Up @@ -269,4 +269,4 @@ $ trivy clean --all

[air-gapped]: ../advanced/air-gap.md
[network]: ../advanced/air-gap.md#network-requirements
[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
[redis-cache]: ../configuration/cache.md#redis
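Review bot: moving from the directory-style `../../vulnerability/examples/cache/#cache-backend` to a `.md` path is the right direction, since the old form depended on mkdocs' directory URLs and on a page that no longer exists. The new `#redis` anchor cannot be verified here because docs/docs/configuration/cache.md is not in the diff; please confirm it has a heading whose id is `redis`.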
2 changes: 1 addition & 1 deletion docs/docs/scanner/misconfiguration/check/builtin.md
Expand Up @@ -9,7 +9,7 @@ See [here](../../../coverage/iac/index.md) for the list of supported config type
When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.

## Checks Distribution
Trivy checks are distributed as an [OPA bundle](opa-bundle) hosted in the following GitHub Container Registry: <https://ghcr.io/aquasecurity/trivy-checks>.
Trivy checks are distributed as an [OPA bundle][opa-bundle] hosted in the following GitHub Container Registry: <https://ghcr.io/aquasecurity/trivy-checks>.
Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.

### External connectivity
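Review bot: `[OPA bundle](opa-bundle)` was a relative link to a non-existent file named `opa-bundle`, so the change is needed, but the reference-style `[OPA bundle][opa-bundle]` only works if builtin.md defines `[opa-bundle]: <url>` somewhere, and that definition is not in this hunk. Please confirm it exists; otherwise the text is rendered as literal bracketed text rather than as a link.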
16 changes: 8 additions & 8 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -113,7 +113,7 @@ To hide unfixed/unfixable vulnerabilities, you can use the `--ignore-unfixed` fl
### Supported Languages
See [here](../coverage/language/index.md#supported-languages) for the supported languages.

### Data Sources
### Data Sources { #langpkg-data-sources }

| Language | Source | Commercial Use | Delay[^1] |
|----------|-----------------------------------------------------|:--------------:|:---------:|
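Review bot: this file has more than one `### Data Sources` heading (the Kubernetes one appears in the next hunk), which is why the `#data-sources-1` anchors in golang.md and java.md drifted. The explicit id fixes the language-package one; give the Kubernetes `### Data Sources` heading an explicit id as well (for example `{ #k8s-data-sources }`), so that future links to it do not depend on the generated duplicate-heading suffix.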
Expand Down Expand Up @@ -141,20 +141,20 @@ See [here](../coverage/language/index.md#supported-languages) for the supported

If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:

- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries)
- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries)
- [Rust Binaries with embedded information](../coverage/language/rust/#binaries)
- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images)
- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor.md#non-packaged-binaries)
- [Go Binaries with embedded module information](../coverage/language/golang.md#go-binary)
- [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
- [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)

## Kubernetes

Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).

### Data Sources

| Vendor | Source |
| ------------- |---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
| Vendor | Source |
|------------|---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |

[^1]: Some manual triage and correction has been made.
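Review bot: the footnote label `[^1]` is used both for `Delay[^1]` in the language table (top of the previous hunk) and for `[k8s-cve][^1]` in the Kubernetes table here, whose definition is the `[^1]: Some manual triage...` line. If the language table's `[^1]` also has a definition in this file, Python-Markdown keeps only one of them and both references resolve to the same text. Rename the Kubernetes one (for example `[^k8s]`) to be safe. The `#go-binary` and `#sbom-detection-inside-targets` anchors match the heading forms shown elsewhere in this PR; `#non-packaged-binaries` in rekor.md is not in the diff and should be confirmed.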

1 change: 1 addition & 0 deletions docs/docs/supply-chain/sbom.md
Expand Up @@ -738,6 +738,7 @@ See [here](../target/sbom.md) for more details.

### SBOM Detection inside Targets
Trivy searches for SBOM files in container images with the following extensions:

- `.spdx`
- `.spdx.json`
- `.cdx`
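Review bot: the added blank line is needed: Python-Markdown, which mkdocs uses, does not start a list directly after a paragraph line, so the extension list was being rendered inline as part of the sentence. This heading is also the new target of the `#sbom-detection-inside-targets` link added to scanner/vulnerability.md in this PR, and "SBOM Detection inside Targets" slugifies to exactly that id.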
4 changes: 2 additions & 2 deletions docs/docs/target/sbom.md
Expand Up @@ -6,7 +6,7 @@ Trivy can take the following SBOM formats as an input and scan for vulnerabiliti
- SPDX
- SPDX JSON
- CycloneDX-type attestation
- [KBOM](./kubernetes.md#KBOM) in CycloneDX format
- [KBOM](./kubernetes.md#kbom) in CycloneDX format

To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
The input format is automatically detected.
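Review bot: lower-case `#kbom` is the id mkdocs generates for a `## KBOM` heading, so this is correct; the same fix is applied again in the second hunk of this file. A case-sensitive grep for `#KBOM` across docs/ would confirm no other copies of the upper-case anchor remain.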
Expand Down Expand Up @@ -118,7 +118,7 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

## KBOM

To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#kbom).

The supported Kubernetes distributions for core components vulnerability scanning are:

2 changes: 1 addition & 1 deletion docs/tutorials/kubernetes/cluster-scanning.md
Expand Up @@ -59,7 +59,7 @@ This has several benefits:

- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.

There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation.

Please follow the Trivy Operator documentation for further information on:
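Review bot: the dead link is removed rather than repaired, so the sentence now promises a Helm installation without pointing readers anywhere for it, and the surrounding "Please follow the Trivy Operator documentation" text is left without a link. If the `#trivy-operator` section no longer exists in target/kubernetes.md, link to the Trivy Operator project's own installation documentation instead (the URL is not in this diff, so that is for the author to supply).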
