aquasecurity · knqyf263 · Dec 25, 2024 · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
@@ -19,10 +19,81 @@ Trivy supports the following formats:
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
+```bash
+$ trivy image -f table golang:1.22.11-alpine3.21
 ```
-$ trivy image -f table golang:1.12-alpine
+
+<details>
+<summary>Result</summary>
+
+```
+...
+
+
+Report Summary
+
+┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
+│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ golang:1.22.11-alpine3.21 (alpine 3.21.2)   │  alpine  │        0        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ Node.js                                     │ node-pkg │        0        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/bin/go                         │ gobinary │        0        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/bin/gofmt                      │ gobinary │        0        │    -    │
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+...
+├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/go/pkg/tool/linux_amd64/vet       │ gobinary │        0        │    -    │
+└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
+
+golang:1.22.11-alpine3.21 (alpine 3.21.2)
+
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
 ```
 
+</details>
+
+#### Summary table
+Before result tables Trivy shows summary table.
+
+<details>
+<summary>Report Summary</summary>
+
+```
+┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
+│        Target         │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ test (alpine 3.20.3)  │   alpine   │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │    jar     │        2        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/Dockerfile        │ dockerfile │        -        │         2         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        0        │         -         │    -    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt      │    text    │        -        │         -         │    1    │    -     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ OS Packages           │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Java                  │     -      │        -        │         -         │    -    │    0     │
+└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
+```
+
+</details>
+
+This table:
+
+- include columns for enabled [scanners](../references/terminology.md#scanner) only.
+- Contains separate lines for the same targets but different scanners.
+- `-` means that Trivy didn't scan this target.
+- `0` means that Trivy scanned this target, but found no vulns/misconfigs.
+
+!!! note 
+    Use `--no-summary-table` flag to hide summary table.
+
 #### Show origins of vulnerable dependencies
 
 |     Scanner      | Supported |

@@ -36,6 +36,7 @@ trivy config [flags] DIR
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
+      --no-summary-table                  hide summary table
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.

@@ -27,6 +27,7 @@ trivy convert [flags] RESULT_JSON
       --ignore-policy string       specify the Rego file path to evaluate each vulnerability
       --ignorefile string          specify .trivyignore file (default ".trivyignore")
       --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
+      --no-summary-table           hide summary table
   -o, --output string              output file name
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (all,summary) (default "all")

@@ -64,6 +64,7 @@ trivy filesystem [flags] PATH
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

@@ -82,6 +82,7 @@ trivy image [flags] IMAGE_NAME
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

@@ -77,6 +77,7 @@ trivy kubernetes [flags] [CONTEXT]
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
       --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
       --offline-scan                      do not issue API requests to identify dependencies

@@ -63,6 +63,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

@@ -66,6 +66,7 @@ trivy rootfs [flags] ROOTDIR
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

@@ -45,6 +45,7 @@ trivy sbom [flags] SBOM_PATH
       --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --list-all-pkgs                output all packages in the JSON report regardless of vulnerability
       --no-progress                  suppress progress bar
+      --no-summary-table             hide summary table
       --offline-scan                 do not issue API requests to identify dependencies
   -o, --output string                output file name
       --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments

@@ -58,6 +58,7 @@ trivy vm [flags] VM_IMAGE
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
+      --no-summary-table                  hide summary table
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

@@ -521,6 +521,9 @@ ignorefile: ".trivyignore"
 # Same as '--list-all-pkgs'
 list-all-pkgs: false
 
+# Same as '--no-summary-table'
+no-summary-table: false
+
 # Same as '--output'
 output: ""
 

@@ -109,6 +109,11 @@ var (
 		ConfigName: "scan.show-suppressed",
 		Usage:      "[EXPERIMENTAL] show suppressed vulnerabilities",
 	}
+	NoSummaryTableFlag = Flag[bool]{
+		Name:       "no-summary-table",
+		ConfigName: "no-summary-table",
+		Usage:      "hide summary table",
+	}
 )
 
 // ReportFlagGroup composes common printer flag structs
@@ -128,6 +133,7 @@ type ReportFlagGroup struct {
 	Severity        *Flag[[]string]
 	Compliance      *Flag[string]
 	ShowSuppressed  *Flag[bool]
+	NoSummaryTable  *Flag[bool]
 }
 
 type ReportOptions struct {
@@ -145,6 +151,7 @@ type ReportOptions struct {
 	Severities       []dbTypes.Severity
 	Compliance       spec.ComplianceSpec
 	ShowSuppressed   bool
+	NoSummaryTable   bool
 }
 
 func NewReportFlagGroup() *ReportFlagGroup {
@@ -163,6 +170,7 @@ func NewReportFlagGroup() *ReportFlagGroup {
 		Severity:        SeverityFlag.Clone(),
 		Compliance:      ComplianceFlag.Clone(),
 		ShowSuppressed:  ShowSuppressedFlag.Clone(),
+		NoSummaryTable:  NoSummaryTableFlag.Clone(),
 	}
 }
 
@@ -186,6 +194,7 @@ func (f *ReportFlagGroup) Flags() []Flagger {
 		f.Severity,
 		f.Compliance,
 		f.ShowSuppressed,
+		f.NoSummaryTable,
 	}
 }
 
@@ -198,6 +207,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 	template := f.Template.Value()
 	dependencyTree := f.DependencyTree.Value()
 	listAllPkgs := f.ListAllPkgs.Value()
+	noSummaryTable := f.NoSummaryTable.Value()
 
 	if template != "" {
 		if format == "" {
@@ -227,6 +237,12 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		}
 	}
 
+	// "--so-summary" option is available only with "--format table".
+	if noSummaryTable && format != types.FormatTable {
+		noSummaryTable = false
+		log.Warn(`"--no-summary-table" can be used only with "--format table".`)
-		log.Warn(`"--no-summary-table" can be used only with "--format table".`)
+		return xerrors.New(`"--no-summary-table" can be used only with "--format table".`)
-		log.Warn(`"--no-summary-table" can be used only with "--format table".`)
+		return xerrors.New(`"--no-summary-table" can be used only with "--format table".`)
+	}
+
 	cs, err := loadComplianceTypes(f.Compliance.Value())
 	if err != nil {
 		return ReportOptions{}, xerrors.Errorf("unable to load compliance spec: %w", err)
@@ -259,6 +275,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		Severities:       toSeverity(f.Severity.Value()),
 		Compliance:       cs,
 		ShowSuppressed:   f.ShowSuppressed.Value(),
+		NoSummaryTable:   noSummaryTable,
 	}, nil
 }
 

@@ -32,6 +32,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 		compliance       string
 		debug            bool
 		pkgTypes         string
+		noSummaryTable   bool
 	}
 	tests := []struct {
 		name     string
@@ -115,6 +116,20 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				ListAllPkgs: true,
 			},
 		},
+		{
+			name: "invalid option combination: --no-summary-table with --format json",
+			fields: fields{
+				format:         "json",
+				noSummaryTable: true,
+			},
+			wantLogs: []string{
+				`"--no-summary-table" can be used only with "--format table".`,
+			},
+			want: flag.ReportOptions{
+				Format:         "json",
+				NoSummaryTable: false,
+			},
+		},
 		{
 			name: "happy path with output plugin args",
 			fields: fields{
@@ -184,6 +199,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 			setValue(flag.OutputPluginArgFlag.ConfigName, tt.fields.outputPluginArgs)
 			setValue(flag.SeverityFlag.ConfigName, tt.fields.severities)
 			setValue(flag.ComplianceFlag.ConfigName, tt.fields.compliance)
+			setValue(flag.NoSummaryTableFlag.ConfigName, tt.fields.noSummaryTable)
 
 			// Assert options
 			f := &flag.ReportFlagGroup{
@@ -199,6 +215,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				OutputPluginArg: flag.OutputPluginArgFlag.Clone(),
 				Severity:        flag.SeverityFlag.Clone(),
 				Compliance:      flag.ComplianceFlag.Clone(),
+				NoSummaryTable:  flag.NoSummaryTableFlag.Clone(),
 			}
 
 			got, err := f.ToOptions()

@@ -0,0 +1,86 @@
+package table
+
+import (
+	"github.com/aquasecurity/table"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+type Scanner interface {
+	Header() string
+	Alignment() table.Alignment
+
+	// Count returns the number of findings, but -1 if the scanner is not applicable
+	Count(result types.Result) int
+}
+
+func NewScanner(scanner types.Scanner) Scanner {
+	switch scanner {
+	case types.VulnerabilityScanner:
+		return VulnerabilityScanner{}
+	case types.MisconfigScanner:
+		return MisconfigScanner{}
+	case types.SecretScanner:
+		return SecretScanner{}
+	case types.LicenseScanner:
+		return LicenseScanner{}
+	}
+	return nil
+}
+
+type scannerAlignment struct{}
+
+func (s scannerAlignment) Alignment() table.Alignment {
+	return table.AlignCenter
+}
+
+type VulnerabilityScanner struct{ scannerAlignment }
+
+func (s VulnerabilityScanner) Header() string {
+	return "Vulnerabilities"
+}
+
+func (s VulnerabilityScanner) Count(result types.Result) int {
+	if result.Class == types.ClassOSPkg || result.Class == types.ClassLangPkg {
+		return len(result.Vulnerabilities)
+	}
+	return -1
+}
+
+type MisconfigScanner struct{ scannerAlignment }
+
+func (s MisconfigScanner) Header() string {
+	return "Misconfigurations"
+}
+
+func (s MisconfigScanner) Count(result types.Result) int {
+	if result.Class == types.ClassConfig {
+		return len(result.Misconfigurations)
+	}
+	return -1
+}
+
+type SecretScanner struct{ scannerAlignment }
+
+func (s SecretScanner) Header() string {
+	return "Secrets"
+}
+
+func (s SecretScanner) Count(result types.Result) int {
+	if result.Class == types.ClassSecret {
+		return len(result.Secrets)
+	}
+	return -1
+}
+
+type LicenseScanner struct{ scannerAlignment }
+
+func (s LicenseScanner) Header() string {
+	return "Licenses"
+}
+
+func (s LicenseScanner) Count(result types.Result) int {
+	if result.Class == types.ClassLicense {
+		return len(result.Licenses)
+	}
+	return -1
+}