I run trivy command both root and jenkins user like below; but The results are not the same. I found 7 vulnerabilities with root user but 4 vulnerabilities with jenkins user. I checked the permisions, trivy config but not found any things.
root@yyy:~/var/lib/jenkins/jobs/xxx/branches/development/workspace# trivy fs /var/lib/jenkins/jobs/xxx/branches/development/workspace
2024-03-12T17:43:43.527+0300 INFO Vulnerability scanning is enabled
2024-03-12T17:43:43.527+0300 INFO Secret scanning is enabled
2024-03-12T17:43:43.527+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-12T17:43:43.527+0300 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2024-03-12T17:43:44.634+0300 INFO Number of language-specific files: 1
2024-03-12T17:43:44.634+0300 INFO Detecting pom vulnerabilities...
pom.xml (pom)
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)
....
jenkins@yyy:~/var/lib/jenkins/jobs/xxx/branches/development/workspace# trivy fs /var/lib/jenkins/jobs/xxx/branches/development/workspace
2024-03-12T17:43:53.616+0300 INFO Vulnerability scanning is enabled
2024-03-12T17:43:53.616+0300 INFO Secret scanning is enabled
2024-03-12T17:43:53.616+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-12T17:43:53.616+0300 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2024-03-12T17:43:54.112+0300 INFO Number of language-specific files: 1
2024-03-12T17:43:54.112+0300 INFO Detecting pom vulnerabilities...
pom.xml (pom)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
...
trivy --version output:
Version: 0.42.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-03-12 12:11:09.459246831 +0000 UTC
NextUpdate: 2024-03-12 18:11:09.459246471 +0000 UTC
DownloadedAt: 2024-03-12 14:41:57.090100001 +0000 UTC
I asked to this question to: I found the solution at github.