docs: add coverage (#4954)

* docs: add coverage

* add more pages

* add dart, dotnet, elixir languages.

* add C, ruby, cocoapods. Update links

* rename headers for dart and elixir

* docs: add Google Distroless and Photon OS

* docs: add IaC

* docs: put vulnerability into a single page

* fixed broken links

* docs: add coverage overview

* update some links

* add note about arch for Rocky linux

* docs: fix typo

* fix typo

* docs: add footnotes

* docs: add a link to coverage in the license section

* docs: add a conversion table

* docs: get aligned

---------

Co-authored-by: DmitriyLewen <[email protected]>

Author: knqyf263

docs/docs/advanced/air-gap.md

@@ -139,4 +139,4 @@ $ trivy conf --skip-policy-update /path/to/conf
 [allowlist]: ../references/troubleshooting.md
 [oras]: https://oras.land/cli/
 
-[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../scanner/vulnerability/language/java.md)
+[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

docs/docs/configuration/db.md

@@ -8,7 +8,7 @@
 |     License      |           |
 
 The vulnerability database and the Java index database are needed only for vulnerability scanning.
-See [here](../scanner/vulnerability/index.md) for the detail.
+See [here](../scanner/vulnerability.md) for the detail.
 
 ## Vulnerability Database
 

docs/docs/coverage/iac/azure-arm.md

@@ -0,0 +1,33 @@
+# Azure ARM Template
+Trivy supports the scanners listed in the table below.
+
+|      Scanner       | Supported |
+| :----------------: | :-------: |
+| [Misconfiguration] |     ✓     |
+|      [Secret]      |     ✓     |
+
+It supports the following configurations:
+
+|    Format    | Supported |
+| :----------: | :-------: |
+| ARM template |     ✓     |
+|    Bicep     |   ✓[^1]   |
+
+To scan Bicep codes, you need to convert them into ARM templates first.
+
+```
+az bicep build -f main.bicep
+or
+bicep build main.bicep
+```
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found Azure ARM templates.
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for Azure ARM templates.
+
+[Misconfiguration]: ../../scanner/misconfiguration/index.md
+[Secret]: ../../scanner/secret.md
+
+[^1]: Bicep is not natively supported. It needs to be converted into Azure ARM templates.

docs/docs/coverage/iac/cloudformation.md

@@ -0,0 +1,24 @@
+# CloudFormation
+Trivy supports the scanners listed in the table below.
+
+|      Scanner       | Supported |
+| :----------------: | :-------: |
+| [Misconfiguration] |     ✓     |
+|      [Secret]      |     ✓     |
+
+It supports the following formats.
+
+| Format | Supported |
+| :----: | :-------: |
+|  JSON  |     ✓     |
+|  YAML  |     ✓     |
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found CloudFormation files.
+It evaluates properties, functions, and other elements within CloudFormation files to detect misconfigurations.
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for CloudFormation.
+
+[Misconfiguration]: ../../scanner/misconfiguration/index.md
+[Secret]: ../../scanner/secret.md

docs/docs/coverage/iac/docker.md

@@ -0,0 +1,24 @@
+# Docker
+Trivy supports the scanners listed in the table below.
+
+|      Scanner       | Supported |
+| :----------------: | :-------: |
+| [Misconfiguration] |     ✓     |
+|      [Secret]      |     ✓     |
+
+It supports the following configurations.
+
+|    Config     | Supported |
+| :-----------: | :-------: |
+|  Dockerfile   |     ✓     |
+| Containerfile |     ✓     |
+|    Compose    |     -     |
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found Docker files.
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for Dockerfile.
+
+[Misconfiguration]: ../../scanner/misconfiguration/index.md
+[Secret]: ../../scanner/secret.md

docs/docs/coverage/iac/helm.md

@@ -0,0 +1,60 @@
+# Helm
+Trivy supports two types of Helm scanning, templates and packaged charts.
+The following scanners are supported.
+
+| Format   | [Misconfiguration] | [Secret] |
+| -------- | :----------------: | :------: |
+| Template |         ✓          |    ✓     |
+| Chart    |         ✓          |    -     |
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found Helm files.
+
+It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
+See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
+
+### Value overrides
+There are a number of options for overriding values in Helm charts.
+When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
+
+#### Setting inline value overrides
+Overrides can be set inline on the command line
+
+```bash
+trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+```
+
+#### Setting value file overrides
+Overrides can be in a file that has the key=value set.
+
+```yaml
+# Example override file (overrides.yaml)
+
+securityContext:
+  runAsUser: 0
+```
+
+```bash
+trivy conf --helm-values overrides.yaml ./charts/mySql
+``` 
+
+#### Setting value as explicit string
+the `--helm-set-string` is the same as `--helm-set` but explicitly retains the value as a string
+
+```bash
+trivy config --helm-set-string name=false ./infrastructure/tf
+```
+
+#### Setting specific values from files
+Specific override values can come from specific files
+
+```bash
+trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+```
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for Helm.
+Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.
+
+[Misconfiguration]: ../../scanner/misconfiguration/index.md
+[Secret]: ../../scanner/secret.md

docs/docs/coverage/iac/index.md

@@ -0,0 +1,21 @@
+# Infrastructure as Code
+
+## Scanner
+Trivy scans Infrastructure as Code (IaC) files for 
+
+- [Misconfigurations][misconf]
+- [Secrets][secret]
+
+## Supported configurations
+
+| Config type                         | File patterns                 |
+| ----------------------------------- | ----------------------------- |
+| [Kubernetes](kubernetes.md)         | *.yml, *.yaml, *.json         |
+| [Docker](docker.md)                 | Dockerfile, Containerfile     |
+| [Terraform](terraform.md)           | *.tf, *.tf.json, *.tfvars,    |
+| [CloudFormation](cloudformation.md) | *.yml, *.yaml, *.json         |
+| [Azure ARM Template](azure-arm.md)  | *.json                        |
+| [Helm](helm.md)                     | *.yaml, *.tpl, *.tar.gz, etc. |
+
+[misconf]: ../../scanner/misconfiguration/index.md
+[secret]: ../../scanner/secret.md

docs/docs/coverage/iac/kubernetes.md

@@ -0,0 +1,31 @@
+# Kubernetes
+Trivy supports the scanners listed in the table below.
+
+|      Scanner       | Supported |
+| :----------------: | :-------: |
+| [Misconfiguration] |     ✓     |
+|      [Secret]      |     ✓     |
+
+In addition to raw YAML and JSON, it supports the following templates:
+
+|    Template     | Supported |
+| :-------------: | :-------: |
+| [Helm](helm.md) |     ✓     |
+|    Kustomize    |   ✓[^1]   |
+
+!!! note
+    Trivy does not support Kustomize overlays, so it scans files defined in the base.
+    Or, you can scan the output of `kustomize build`.
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found Kubernetes files.
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for Kubernetes.
+This means that Base64 encoded secrets are not scanned, and only secrets written in plain text are detected.
+
+
+[Misconfiguration]: ../../scanner/misconfiguration/index.md
+[Secret]: ../../scanner/secret.md
+
+[^1]: Kustomize is not natively supported.

docs/docs/coverage/iac/terraform.md

@@ -0,0 +1,45 @@
+# Terraform
+Trivy supports the scanners listed in the table below.
+
+|     Scanner      | Supported |
+| :--------------: | :-------: |
+| Misconfiguration |     ✓     |
+|      Secret      |     ✓     |
+
+It supports the following formats:
+
+|  Format   | Supported |
+| :-------: | :-------: |
+|   JSON    |     ✓     |
+|    HCL    |     ✓     |
+| Plan JSON |     ✓     |
+
+Trivy can scan the results of `terraform plan`.
+You can scan by passing the file generated as shown below to Trivy:
+
+```
+$ terraform plan --out tfplan.binary
+$ terraform show -json tfplan.binary > tfplan.json
+```
+
+## Misconfiguration
+Trivy recursively searches directories and scans all found Terraform files.
+It also evaluates variables, imports, and other elements within Terraform files to detect misconfigurations.
+
+### Value Overrides
+You can provide `tf-vars` files to Trivy to override default values specified in the Terraform HCL code.
+
+```bash
+trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+```
+
+### Exclude Downloaded Terraform Modules
+By default, downloaded modules are also scanned.
+If you don't want to scan modules downloaded into the `.terraform` directory, you can use the `--tf-exclude-downloaded-modules` flag.
+
+```bash
+trivy conf --tf-exclude-downloaded-modules ./configs
+```
+
+## Secret
+The secret scan is performed on plain text files, with no special treatment for Terraform.

docs/docs/coverage/index.md

@@ -0,0 +1,8 @@
+# Scanning Coverage
+Trivy can detect security issues in many different platforms, languages and configuration files.
+This section gives a general overview of that coverage, and can help answer the frequently asked question "Does Trivy support X?".
+For more detailed information about the specific platforms and languages, check the relevant documentation.
+
+- [OS Packages](os/index.md)
+- [Language-specific Packages](language/index.md)
+- [IaC files](iac/index.md)