Open-Source Wikis

/

Trivy

/

Reference

/

Data models

aquasecurity/trivy

Data models

This page summarizes the central types Trivy emits in JSON, RPC, and in-memory. The canonical definitions live in pkg/types/.

Report

pkg/types/report.go defines types.Report, the top-level shape of every Trivy scan output.

type Report struct {
    SchemaVersion int
    CreatedAt     time.Time
    ArtifactID    string
    ArtifactName  string
    ArtifactType  ftypes.ArtifactType
    Trivy         TrivyInfo
    ReportID      string
    Metadata      Metadata
    Results       []Result
    BOM           *core.BOM
}
Field Type Notes
SchemaVersion int Bumped on incompatible JSON shape changes.
CreatedAt time.Time Time the report was assembled.
ArtifactID string Stable hash of the artifact (image digest or repo+commit hash).
ArtifactName string The user-facing name.
ArtifactType enum container_image, filesystem, repository, vm, cyclonedx, spdx.
Trivy TrivyInfo Trivy version, server info.
ReportID string UUIDv7 generated per-scan.
Metadata Metadata Per-artifact metadata (OS, image config, repo URL, etc.).
Results []Result One per scan target (OS package set, lockfile, etc.).
BOM *core.BOM Optional BOM for SBOM generation.

Result

pkg/types/result.go defines types.Result. Every Result represents one scan target inside the artifact:

type Result struct {
    Target            string
    Class             ResultClass            // os-pkgs, lang-pkgs, config, secret, license
    Type              ftypes.TargetType
    Packages          []ftypes.Package
    Vulnerabilities   []DetectedVulnerability
    MisconfSummary    *MisconfSummary
    Misconfigurations []DetectedMisconfiguration
    Secrets           []DetectedSecret
    Licenses          []DetectedLicense
    CustomResources   []ftypes.CustomResource
}

A single image scan typically produces one Result for OS packages and one per detected lockfile.

DetectedVulnerability

pkg/types/vulnerability.go:

type DetectedVulnerability struct {
    VulnerabilityID  string
    VendorIDs        []string
    PkgID            string
    PkgName          string
    PkgPath          string
    InstalledVersion string
    FixedVersion     string
    Status           dbTypes.Status
    Layer            ftypes.Layer
    SeveritySource   dbTypes.SourceID
    PrimaryURL       string
    DataSource       *dbTypes.DataSource
    Custom           any
    *dbTypes.Vulnerability
}

The embedded dbTypes.Vulnerability carries metadata from the Trivy DB (severity, CVSS, references, description).

DetectedMisconfiguration

pkg/types/misconfiguration.go:

type DetectedMisconfiguration struct {
    Type            string             // terraform, kubernetes, dockerfile, ...
    ID              string             // AVD ID, e.g. AVD-AWS-0001
    AVDID           string
    Title           string
    Description     string
    Message         string
    Namespace       string
    Resolution      string
    Severity        string
    PrimaryURL      string
    References      []string
    Status          MisconfStatus      // PASS / FAIL / EXCEPTION
    Layer           ftypes.Layer
    CauseMetadata   ftypes.CauseMetadata // file path, line range, cause snippet
}

DetectedSecret

pkg/types/secret.go. Built on top of fanal/secret/types.

DetectedLicense

pkg/types/license.go:

type DetectedLicense struct {
    Severity   string
    Category   types.LicenseCategory  // forbidden, restricted, reciprocal, ...
    PkgName    string
    FilePath   string
    Name       string
    Confidence float64
    Link       string
}

Finding (interface)

pkg/types/finding.go defines a small Finding interface that vulnerabilities, misconfigurations, secrets, and licenses all satisfy. It is mostly used by writers and ignore-rule code.

ScanOptions and ScanResponse

pkg/types/scan.go:

  • ScanOptions — what to scan, severity filter, license-full toggle, image-config-only toggle, etc.
  • ScanResponse — the wire-format reply for Scanner.Scan (results, OS, layers, server info).

fanal types

pkg/fanal/types/ contains the lower-level data types:

Type File Purpose
BlobInfo artifact.go Per-layer analysis result.
ArtifactInfo artifact.go Per-artifact metadata.
Package package.go One installed package (OS or language).
Application application.go A detected lockfile or binary with its packages.
OS os.go Detected OS family and name.
CustomResource custom.go Free-form extension data.
Layer layer.go Image layer (digest, diff ID, created-by).

RPC parity

Each of the above types has a protobuf counterpart in rpc/common/service.proto. The conversions are in pkg/rpc/convert.go and must be kept in sync — this is the most common place a missed field shows up first.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Data models – Trivy wiki | Factory