feat: add report summary table

[knqyf263]

This PR introduces a summary table that displays all scan results, including those with zero findings, such as vulnerabilities and misconfiguration, to improve visibility and reduce user anxiety about the scanning process.

Background

Historically, Trivy followed the Unix philosophy where "silence is golden" and didn't output anything when no vulnerabilities were found. However, this led to user confusion about whether scans were working correctly. While we previously addressed this by showing results for OS packages with zero vulnerabilities, the inconsistency between OS and language-specific package outputs has created new confusion.

Proposed Changes

This PR adds a summary table at the beginning of the output that:

• Shows all scanned targets regardless of security finding count
• Maintains the current behavior of only showing detailed tables for items with findings
• Provides a clear overview of the entire scan scope

Example output:

trivy fs . --scanners vuln,misconfig,secret --skip-dirs pkg,integration --severity CRITICAL,HIGH

Considerations

1. Aggregated Results for Individual Files

   • Currently, archive files (like JARs) and individual files (like .gemspec) show aggregated results without displaying vulnerability counts for individual files
   • Implementing per-file vulnerability counts would require significant changes
   • Proposal: Address this enhancement in a separate PR to keep the current changes focused

2. Result Aggregation Strategy

   • Current implementation shows separate rows for different finding types (e.g., vulnerabilities and secrets) in the same file
   • We could potentially aggregate these into a single row
   • However, this raises questions about:
     • How to represent multiple types in a single row
   • This PR maintains the current separation to keep the implementation straightforward

3. Default Behavior

   • Proposal: Enable summary table by default with an opt-out flag (e.g. --no-summary-table)
   • Rationale: Reduces user confusion and provides immediate feedback about scan coverage
   • Alternative: Opt-in approach with --show-summary-table

Implementation Notes

• This is a minimal PoC implementation focused on establishing the basic functionality
• Future enhancements can build upon this foundation to address the discussion points above

TODOs

• Add summary table
• Add --no-summary-table
• Error out on --no-summary-table with the formats other than --format table
• Add --table-mode flag
• Error out on -table-mode with the formats other than --format table
• Clarify 0 and - in the summary table
• Add tests
• Update documentation

Examples

➜  trivy -q image alpine:3.20.0


Report Summary

┌───────────────────────────────┬────────┬─────────────────┬─────────┐
│            Target             │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────┼────────┼─────────────────┼─────────┤
│ alpine:3.20.0 (alpine 3.20.0) │ alpine │       20        │    -    │
└───────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


alpine:3.20.0 (alpine 3.20.0)

Total: 20 (UNKNOWN: 2, LOW: 2, MEDIUM: 14, HIGH: 2, CRITICAL: 0)

Related issues

• Summary table #6501
• Close feat: display summary table #8241

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

@DmitriyLewen @nikpivkin Before further development, I'd like to hear your thoughts.

[DmitriyLewen]

Aggregated Results for Individual Files
Proposal: Address this enhancement in a separate PR to keep the current changes focused

I agree with you. I think we need to discuss this. Initially (I may be wrong) Trivy was crippled by aggregating individual packages to avoid having too many tables in a report.
After adding summary table, we can consider removing the logic for aggregating packages entirely. This will simplify the code more and avoid difficulties when converting reports between formats.

Current implementation shows separate rows for different finding types (e.g., vulnerabilities and secrets) in the same file
This PR maintains the current separation to keep the implementation straightforward

It seems that having multiple types for a single file is rare, so I suggest using this logic and waiting for feedback from users.

Proposal: Enable summary table by default with an opt-out flag (e.g. --no-summary-table)

I prefer this way.

I also have one idea - some users don't need to see vulnerability/misconfiguration numbers (CVE etc). So we can hide other tables by default and show them only when using a new flag (--show-report-tables or something like that). Or vice versa hide them by flag if users only need summary numbers.
But I think we need to ask users about it.

---

As a future update:

• What if we check the enabled scanners and show only the required columns?
  eg by default the summary table will only include the vulnerability and secret columns.
  or for misconfig mode only the misconfigutation column.

[nikpivkin]

I like the idea, the summary table looks good. Should the results be sorted by file name or scan type?

I noticed that terraform scan results contain directories that we should get rid of.

[knqyf263]

After adding summary table, we can consider removing the logic for aggregating packages entirely. This will simplify the code more and avoid difficulties when converting reports between formats.

Exactly. It will simplify our logic. However, it will probably break something. We should carefully announce it. That's why I didn't want to add the change into this PR.

What if we check the enabled scanners and show only the required columns?

I already implemented it in this PR unless I'm making a mistake. In the screenshot, Vulnerabilities, Misconfigurations and Secrets are shown because --scanners vuln,misconfig,secret is specified.

[knqyf263]

Should the results be sorted by file name or scan type?

The current summary table is ordered by scanners, vulnerabilities -> misconfigurations -> secrets -> licenses. Do you want to sort by sub-scanners, such as terraform?

I noticed that terraform scan results contain directories that we should get rid of.

Yes, I actually saw . was detected as terraform-plan.

[DmitriyLewen]

I already implemented it in this PR unless I'm making a mistake. In the screenshot, Vulnerabilities, Misconfigurations and Secrets are shown because --scanners vuln,misconfig,secret is specified.

Great!

[itaysk]

looks great. this is very similar to the k8s summary report. Do you think we should consider reusing the experience, code or flags? (either way, new, existing or something in between)

[simar7]

Looks nice. What's the difference between a - and a 0?

I think I understand it as not evaluated and evaluated but nothing found respectively but I think we should make it explicit.

looks great. this is very similar to the k8s summary report. Do you think we should consider reusing the experience, code or flags? (either way, new, existing or something in between)

I think we should change k8s summary output to be more simpler rather than the other way around. To me the k8s summary output is a bit too much especially with so many numbers that it isn't very helpful.

[knqyf263]

Do you think we should consider reusing the experience, code or flags? (either way, new, existing or something in between)

I actually considered reusing the K8s summary table, but ultimately decided to keep them separate for several reasons:

First, as @simar7 pointed out, the K8s summary table contains much information. This isn't necessarily a negative aspect - it's designed this way because K8s doesn't display details in the summary table by default (requires --report all flag for detailed view). However, the approach is different for image and filesystem scans: we show a simple summary table first, followed by detailed result tables. Therefore, I believe the summary table should be kept as simple as possible. This represents a slightly different purpose from the K8s use case.

Second, since we plan to make a separate plugin for the K8s cluster scan similar to AWS account scanning, I wanted to avoid core dependencies on K8s. If we were to share code, having the dependency direction flow from K8s to core would be preferable, not the other way around. However, given the different purposes mentioned above, whether we should standardize these tables at all requires further discussion.

I think I understand it as not evaluated and evaluated but nothing found respectively but I think we should make it explicit.

Yes, that's correct. I made this distinction because we frequently receive user feedback asking to clarify whether something wasn't scanned at all or was scanned but returned zero findings. I'll add a note beneath the table to clarify this distinction.

[DmitriyLewen]

I added info about - and 0 into logs:

2025-01-17T14:37:53+06:00       INFO    [report] Report Summary table contains special symbols  '-'="Target didn't scanned" '0'="Target scanned, but didn't contain vulns/misconfigs/secrets/licenses"

Report Summary

┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤

But we can add info before table. e.g.:

Report Summary

Note:
- `-`: Target didn't scanned.
- `0`: Target scanned, but didn't contain vulns/misconfigs/secrets/licenses.

┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                   Target                    │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤

@aquasecurity/trivy wdyt?

[simar7]

Should we elaborate on why a certain file "didn't scan"? Is it because it was unable to get parsed, wasn't valid for the scan (then maybe we shouldn't even traverse it) or something else?

[DmitriyLewen]

I think we can wait for user feedback:

In most cases - will be used for the case when the file is scanned by another scanner.
e.g., we scanned Dockerfile, and - will be for vulnerabilities.

In case the file is invalid (e.g. wrong lock file) - the report will not include the result with this file.

[knqyf263]

I prefer putting it in the footer.

Legend:
- `-`: Not scanned
- `0`: Clean (no security findings detected)

[DmitriyLewen]

changed in e11221a

[DmitriyLewen]

I saw one case - we show log after summary table:

2025-01-29T17:51:04+06:00       INFO    Detected config files   num=0
2025-01-29T17:51:04+06:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-01-29T17:51:04+06:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌─────────────────┬──────┬─────────────────┬───────────────────┬─────────┬──────────┐
│     Target      │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
├─────────────────┼──────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ gson-2.11.0.jar │ jar  │        2        │         -         │    -    │    -     │
└─────────────────┴──────┴─────────────────┴───────────────────┴─────────┴──────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-01-29T17:51:04+06:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬─────────────────────────────────────────────────────┐
│                        Library                        │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                        Title                        │
├───────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼─────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind           │ CVE-2022-42003 │ HIGH     │ fixed  │ 2.13.4.1          │ 2.12.7.1, 2.13.4.2    │ jackson-databind: deep wrapper array nesting wrt    │
│ (gson-2.11.0.jar)                                     │                │          │        │                   │                       │ UNWRAP_SINGLE_VALUE_ARRAYS                          │
│                                                       │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-42003          │
├───────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────────┼─────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core (gson-2.11.0.jar) │ CVE-2021-44832 │ MEDIUM   │        │ 2.17.0            │ 2.3.2, 2.12.4, 2.17.1 │ log4j-core: remote code execution via JDBC Appender │
│                                                       │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44832          │
└───────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴─────────────────────────────────────────────────────┘

We might want to add a header (e.g. result tables) before result tables (after the legend) to separate summary table from other tables.

but on the other hand I think it's redundant.

[knqyf263]

We may need to write the rendered output to a buffer and flush it later to stdout, like we do in each renderer.

trivy/pkg/report/table/table.go

Line 282 in 7f863b9

_, _ = fmt.Fprint(tw.Output, renderer.Render())

[DmitriyLewen]

I used Renderer interface for summary table - 878b9f4

I found that we have same problem in main branch:

2025-02-05T12:53:12+06:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬─────────────────────────────────────────────────────┐
│                           Library                           │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                        Title                        │
├─────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼─────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind                 │ CVE-2022-42003 │ HIGH     │ fixed  │ 2.13.4.1          │ 2.12.7.1, 2.13.4.2    │ jackson-databind: deep wrapper array nesting wrt    │
│ (jackson-databind-2.13.4.1.jar)                             │                │          │        │                   │                       │ UNWRAP_SINGLE_VALUE_ARRAYS                          │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-42003          │
├─────────────────────────────────────────────────────────────┤                │          │        │                   │                       │                                                     │
│ com.fasterxml.jackson.core:jackson-databind                 │                │          │        │                   │                       │                                                     │
│ (gson-2.11.0.jar)                                           │                │          │        │                   │                       │                                                     │
│                                                             │                │          │        │                   │                       │                                                     │
├─────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────────┼─────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core (log4j-core-2.17.0.jar) │ CVE-2021-44832 │ MEDIUM   │        │ 2.17.0            │ 2.3.2, 2.12.4, 2.17.1 │ log4j-core: remote code execution via JDBC Appender │
│                                                             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44832          │
├─────────────────────────────────────────────────────────────┤                │          │        │                   │                       │                                                     │
│ org.apache.logging.log4j:log4j-core (gson-2.11.0.jar)       │                │          │        │                   │                       │                                                     │
│                                                             │                │          │        │                   │                       │                                                     │
└─────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴─────────────────────────────────────────────────────┘
2025-02-05T12:53:12+06:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                            Title                            │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ loader-utils (package.json) │ CVE-2022-37601 │ CRITICAL │ fixed  │ 2.0.2             │ 2.0.3, 1.4.1        │ loader-utils: prototype pollution in function parseQuery in │
│                             │                │          │        │                   │                     │ parseQuery.js                                               │
│                             │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-37601                  │
│                             ├────────────────┼──────────┤        │                   ├─────────────────────┼─────────────────────────────────────────────────────────────┤
│                             │ CVE-2022-37599 │ HIGH     │        │                   │ 1.4.2, 2.0.4, 3.2.1 │ loader-utils: regular expression denial of service in       │
│                             │                │          │        │                   │                     │ interpolateName.js                                          │
│                             │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-37599                  │
│                             ├────────────────┤          │        │                   │                     ├─────────────────────────────────────────────────────────────┤
│                             │ CVE-2022-37603 │          │        │                   │                     │ loader-utils: Regular expression denial of service          │
│                             │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-37603                  │
├─────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ nanoid (package.json)       │ CVE-2021-23566 │ MEDIUM   │        │ 3.1.25            │ 3.1.31              │ nanoid: Information disclosure via valueOf() function       │
│                             │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2021-23566                  │
│                             ├────────────────┤          │        │                   ├─────────────────────┼─────────────────────────────────────────────────────────────┤
│                             │ CVE-2024-55565 │          │        │                   │ 5.0.9, 3.3.8        │ nanoid: nanoid mishandles non-integer values                │
│                             │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2024-55565                  │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴─────────────────────────────────────────────────────────────┘

So i want to fix that in separate PR.

[DmitriyLewen]

@knqyf263 - #8357

[DmitriyLewen]

@knqyf263 I rebased and updated PR with updated interface

[DmitriyLewen]

The summary table contains aggregated targets.
Do we want to split them by filePath in this PR or just start working on removing the aggregation (in another PR)?
cc. @knqyf263

[knqyf263]

I didn't split aggregated results, but, actually yes, we can split them in the table writer. I think we should do that in this PR. We will not need the logic after removing the aggregation, though.

[DmitriyLewen]

Done - 84169b4 + 892d6de

[DmitriyLewen]

I have 1 more question:
for case when Report doesn't include Results (e.g. scanned only wrong file).

Do we need to show empty table?

➜  ./trivy -q fs ./pkg/fanal/analyzer/language/nodejs/npm/testdata/sad        

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
└────────┴──────┴─────────────────┴─────────┘

Or we can hide table and write Info/warn log or something else.

[knqyf263]

Showing only the header is probably unclear for users. I'd opt for log messages.

[DmitriyLewen]

I thought we could just enable all scanners. But I think we need to use the same format(logic) for convert and other subcommands.
So i enabled --scanners that users can get summary table as for table format.

[knqyf263]

Suggested change

	var warnStrings []string
	if scanners := lo.Intersect(resultByFiles, r.scanners); len(scanners) > 0 {
	warnStrings = append(warnStrings, fmt.Sprintf("Supported files for %s scanner(s) not found.",
	strings.Join(xstrings.ToStringSlice(scanners), "/")))
	}
	if scanners := lo.Intersect(resultByFindings, r.scanners); len(scanners) > 0 {
	warnStrings = append(warnStrings, fmt.Sprintf("No results found for %s scanner(s).",
	strings.Join(xstrings.ToStringSlice(scanners), "/")))
	}
	log.WithPrefix("report").Info(strings.Join(warnStrings, " "))
	if scanners := lo.Intersect(resultByFiles, r.scanners); len(scanners) > 0 {
	r.logger.Warn("Supported files for scanner(s) not found.", log.Any("scanners", scanners))
	}
	if scanners := lo.Intersect(resultByFindings, r.scanners); len(scanners) > 0 {
	r.logger.Warn("No issues detected with scanner(s).", log.Any("scanners", scanners))
	}

[DmitriyLewen]

changed in 67a729c

[knqyf263]

Suggested change

	scanners []Scanner
	scanners []Scanner
	loggers *log.Logger

[DmitriyLewen]

changed in 67a729c

[knqyf263]

Suggested change

	scanners: ss,
	scanners: ss,
	logger: log.WithPrefix("report"),

[DmitriyLewen]

changed in 67a729c

[knqyf263]

Suggested change

	log.WithPrefix("report").Warn("No enabled scanners found. Summary table will not be displayed.")
	r.logger..Warn("No enabled scanners found. Summary table will not be displayed.")

[DmitriyLewen]

changed in 67a729c

[knqyf263]

This is a major UI change, so there might be some backlash from the community. In that case, since switching from opt-out to opt-in is possible, it might be a good idea to mark it as experimental.

Also, as @simar7 pointed out, boolean flags are not very flexible. Specifying it as something like --table summary,detail could be an alternative option. This approach would allow us to meet future requests from users who may only want to display the summary table, and by changing the default values, it would be easy to switch between opt-in and opt-out.

[DmitriyLewen]

hm... it make sense. I will update PR.

[knqyf263]

There are several options:

• --table
• --table-view
• --table-format
• --table-mode

Also,

• summary|detail
• summary|detailed
• etc.

[nikpivkin]

I think this is a good idea.
In the trivy-aws plugin, the report flag takes an enumeration:

--report string specify a report format for the output (all,summary) (default “all”)

[DmitriyLewen]

--table-mode + summary|details (with s suffix) are my favorite.

[knqyf263]

My friend :) recommended detailed, but you can decide it.

---

When deciding on terminology to distinguish between a concise summary output and a more exhaustive one, many tools and UIs use the terms “Summary” and “Detailed.” While “Detail” or “Details” might seem similar at first glance, “detailed” is often chosen for the following reasons:

1. Consistent Adjective Pairing

   • In English, it’s common to describe views or reports using adjectives. For instance, many interfaces provide a “Summary View” and a “Detailed View,” or a “Summary Report” and a “Detailed Report.” Using “detailed” as an adjective aligns naturally with “summary” in such contexts.

2. Clear Mode Indicator

   • When specifying a mode in a CLI or configuration file, saying detailed conveys that you want the more comprehensive or in-depth version of the output. An adjective like “detailed” feels more intuitive than the noun form “details,” which might be perceived as describing the objects being displayed rather than the mode or style of display.

3. Established Convention

   • Many existing tools (even if they don’t directly use the exact words “summary” and “detailed”) follow the pattern of an abbreviated or condensed output versus a more verbose output. Where explicit labels are used, it’s more common to see “Detailed” than “Details” for the extended version.

4. Smoother Documentation

   • Documentation and user guides often refer to “Detailed mode” (or a “Detailed report”), making it very clear that it’s an expanded form of the output. Conversely, “Details mode” or “Details report” can sound slightly off in English usage, as it doesn’t match the typical way we describe different presentation modes.

In short, “detailed” pairs nicely with “summary” and is more recognizable to users as the counterpart for a “deep-dive” option, while “detail” or “details” tend to read more like nouns referring to the actual data rather than the presentation style.

[knqyf263]

--table-mode also looks good to me. Then, the pairing of "summary mode" and "detailed mode" may be straightforward.

[simar7]

In the interest of not committing bike shedding... I'll vote for --table-mode flag with =detailed,summary as values. 😆

[DmitriyLewen]

Changed --no-summary-table to --table-mode - ea453d8

Perhaps you will have more ideas.

[knqyf263]

nit: It's no big deal, but the alignment looks a bit strange when - is used in all columns.

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│ -      │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘

Suggested change

	if len(report.Results) == 0 {
	r.showEmptyResultsWarning()
	t.AddRows(slices.Repeat([]string{"-"}, len(r.scanners)+2))
	}
	if len(report.Results) == 0 {
	r.showEmptyResultsWarning()
	alignments[0] = table.AlignCenter
	t.SetAlignment(alignments...)
	t.AddRows(slices.Repeat([]string{"-"}, len(r.scanners)+2))
	}

[DmitriyLewen]

Nice catch.
I somehow didn't pay attention to it.

Updated 014e4c4

[knqyf263]

The rest looks good to me. @DmitriyLewen Feel free to merge this PR whenever you're ready (I cannot approve my PR).