DmitriyLewen

Results 384 comments of DmitriyLewen

> Is it possible to skip downloading the module directly in the workflow?

IIUC you can use the `--tf-exclude-downloaded-modules` flag (as env or in config file)

Hello @Nessaek Take a look https://github.com/aquasecurity/setup-trivy/issues/10

Hello @vazkarvishal

> Why does trivy still use an insecure DB reference?

Trivy doesn't transform/modify the URLs it finds. Trivy uses the URL it finds in one of the pom...

Trivy checks remote repositories while scanning the `pom.xml` file. Could you describe your situation in more detail? Perhaps I didn’t understand you correctly.

> Downloading from central: https://repo.maven.apache.org/maven2/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.pom
> Downloaded from central: https://repo.maven.apache.org/maven2/com/vaadin/external/google/android-json/0.0.20131108.vaadin1/android-json-0.0.20131108.vaadin1.pom (2.8 kB at 164 kB/s)
>
> However, when we run a trivy scan it uses the below:
>
> 2025-08-28T15:22:05+01:00 DEBUG [pom] Adding repository...

Trivy (same as `mvn`) collects all repositories from the upper pom.xml files, i.e. from the parents (parents field or parent for nested dependencies). So this repository can be added in another pom.xml, e.g. In...

Trivy and `mvn` should use the same logic. If you have an example where Trivy and `mvn` use different repositories for the **same** dependency - let me know and write me test pom.xml...

Hello @vazkarvishal Sorry for the delay. Do I understand correctly that the problem is that Trivy doesn’t check the “custom-upstream” repository? If so, the issue is that Trivy didn’t use...

@BertelBB hello We added this input in one of the latest commits - https://github.com/aquasecurity/trivy-action/pull/414, but this happened after the release of `v0.28.0`. @simar7 are you planning to release `v0.28.1` or...