feat(seal): add seal support

.github/workflows/semantic-pr.yaml

@@ -68,6 +68,7 @@ jobs:
             windows
             minimos
             rootio
+            seal
 
             # Languages
             ruby

docs/docs/coverage/others/index.md

@@ -16,6 +16,7 @@ Trivy supports them for
 | [Conda](conda.md)              | `<conda-root>/envs/<env>/conda-meta/<package>.json` |     ✅     |     ✅      |       -        |       -        |
 |                                | `environment.yml`                                   |     -     |     -      |       ✅        |       ✅        |
 | [Root.io images](rootio.md)    | -                                                   |     ✅     |     ✅      |       -        |       -        |
+| [Seal Security](seal.md)       | -                                                   |     ✅     |     ✅      |       -        |       -        |
 | [RPM Archives](rpm.md)         | `*.rpm`                                             |   ✅[^5]   |   ✅[^5]    |     ✅[^5]      |     ✅[^5]      |
 
 [sbom]: ../../supply-chain/sbom.md

docs/docs/coverage/others/seal.md

@@ -0,0 +1,27 @@
+# Seal Security
+
+!!! warning "EXPERIMENTAL"
+    Scanning results may be inaccurate.
+
+While it is not an OS, this page describes the details of the [Seal Security]( https://sealsecurity.io/) vulnerability feed.
+Seal provides security advisories and patched versions for multiple Linux distributions, including [Debian](../os/debian.md), [Ubuntu](../os/ubuntu.md), [Alpine](../os/alpine.md), [Red Hat Enterprise Linux](../os/rhel.md), [CentOS](../os/centos.md), [Oracle Linux](../os/oracle.md), and [Azure Linux (CBL‑Mariner)](../os/azure.md).
+
+Seal advisories are used when Trivy finds packages that indicate Seal-provided components:
+
+- Packages whose name or source name starts with `seal-` (for example, `seal-wget`, `seal-zlib`).
+
+When such Seal packages are detected, Trivy automatically enables Seal scanning for those packages while continuing to use the base OS scanner for the rest.
+
+!!! note
+    For vulnerabilities, Trivy prefers severity from the base OS vendor when available.
+
+For details on supported scanners, features, and behavior for each base OS, refer to their respective pages:
+
+- [Debian](../os/debian.md)
+- [Ubuntu](../os/ubuntu.md)
+- [Alpine](../os/alpine.md)
+- [Red Hat Enterprise Linux](../os/rhel.md)
+- [CentOS](../os/centos.md)
+- [Oracle Linux](../os/oracle.md)
+- [Azure Linux (CBL‑Mariner)](../os/azure.md)
+

docs/docs/scanner/vulnerability.md

@@ -38,6 +38,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
 | OpenSUSE/SLES             | [CVRF][suse]                                                 |
 | Photon OS                 | [Photon Security Advisory][photon]                           |
 | Root.io                   | [Root.io Patch Feed][rootio]                                 |
+| Seal Security             | [Seal Security vulnerability feed][seal]                     |
 
 #### Data Source Selection
 Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -404,6 +405,7 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
 [azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 [rootio]: https://api.root.io/external/patch_feed
+[seal]: http://vulnfeed.sealsecurity.io/v1/osv/renamed/vulnerabilities.zip
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -433,4 +435,4 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
-[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
+[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
-	github.com/aquasecurity/trivy-db v0.0.0-20250912085155-990a6528209a
+	github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.9.1
 	github.com/aws/aws-sdk-go-v2 v1.39.0
@@ -369,6 +369,7 @@ require (
 	github.com/opencontainers/selinux v1.12.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/owenrumney/squealer v1.2.11 // indirect
+	github.com/pandatix/go-cvss v0.6.2 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect

go.sum

@@ -219,8 +219,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250912085155-990a6528209a h1:mcPk1ovUuUFnJwbRMRKtSIe3j0BQfJ33RQdB/kB5QZY=
-github.com/aquasecurity/trivy-db v0.0.0-20250912085155-990a6528209a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
+github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
+github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -1027,6 +1027,8 @@ github.com/owenrumney/squealer v1.2.11 h1:vMudrj70VeOzY+t7Phz9Yo0wAgm4kXes9DcTLB
 github.com/owenrumney/squealer v1.2.11/go.mod h1:8KOuitfOfmS/OtzgxQbxnnrbngAGopfgKB/BiGGpqGA=
 github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
 github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
+github.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI=
+github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q=
 github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=

mkdocs.yml

@@ -119,6 +119,7 @@ nav:
               - Bitnami Images: docs/coverage/others/bitnami.md
               - Conda: docs/coverage/others/conda.md
               - Root.io Images: docs/coverage/others/rootio.md
+              - Seal Security: docs/coverage/others/seal.md
               - RPM Archives: docs/coverage/others/rpm.md
           - Kubernetes: docs/coverage/kubernetes.md
       - Configuration:
@@ -291,4 +292,3 @@ extra:
 plugins:
   - search
   - macros
-

pkg/detector/library/driver.go

@@ -8,6 +8,7 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy-db/pkg/ecosystem"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy/pkg/detector/library/compare"
@@ -23,63 +24,63 @@ import (
 
 // NewDriver returns a driver according to the library type
 func NewDriver(libType ftypes.LangType) (Driver, bool) {
-	var ecosystem dbTypes.Ecosystem
+	var eco ecosystem.Type
 	var comparer compare.Comparer
 
 	switch libType {
 	case ftypes.Bundler, ftypes.GemSpec:
-		ecosystem = vulnerability.RubyGems
+		eco = ecosystem.RubyGems
 		comparer = rubygems.Comparer{}
 	case ftypes.RustBinary, ftypes.Cargo:
-		ecosystem = vulnerability.Cargo
+		eco = ecosystem.Cargo
 		comparer = compare.GenericComparer{}
 	case ftypes.Composer, ftypes.ComposerVendor:
-		ecosystem = vulnerability.Composer
+		eco = ecosystem.Composer
 		comparer = compare.GenericComparer{}
 	case ftypes.GoBinary, ftypes.GoModule:
-		ecosystem = vulnerability.Go
+		eco = ecosystem.Go
 		comparer = compare.GenericComparer{}
 	case ftypes.Jar, ftypes.Pom, ftypes.Gradle, ftypes.Sbt:
-		ecosystem = vulnerability.Maven
+		eco = ecosystem.Maven
 		comparer = maven.Comparer{}
 	case ftypes.Npm, ftypes.Yarn, ftypes.Pnpm, ftypes.Bun, ftypes.NodePkg, ftypes.JavaScript:
-		ecosystem = vulnerability.Npm
+		eco = ecosystem.Npm
 		comparer = npm.Comparer{}
 	case ftypes.NuGet, ftypes.DotNetCore, ftypes.PackagesProps:
-		ecosystem = vulnerability.NuGet
+		eco = ecosystem.NuGet
 		comparer = compare.GenericComparer{}
 	case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg, ftypes.Uv:
-		ecosystem = vulnerability.Pip
+		eco = ecosystem.Pip
 		comparer = pep440.Comparer{}
 	case ftypes.Pub:
-		ecosystem = vulnerability.Pub
+		eco = ecosystem.Pub
 		comparer = compare.GenericComparer{}
 	case ftypes.Hex:
-		ecosystem = vulnerability.Erlang
+		eco = ecosystem.Erlang
 		comparer = compare.GenericComparer{}
 	case ftypes.Conan:
-		ecosystem = vulnerability.Conan
+		eco = ecosystem.Conan
 		// Only semver can be used for version ranges
 		// https://docs.conan.io/en/latest/versioning/version_ranges.html
 		comparer = compare.GenericComparer{}
 	case ftypes.Swift:
 		// Swift uses semver
 		// https://www.swift.org/package-manager/#importing-dependencies
-		ecosystem = vulnerability.Swift
+		eco = ecosystem.Swift
 		comparer = compare.GenericComparer{}
 	case ftypes.Cocoapods:
 		// CocoaPods uses RubyGems version specifiers
 		// https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics
-		ecosystem = vulnerability.Cocoapods
+		eco = ecosystem.Cocoapods
 		comparer = rubygems.Comparer{}
 	case ftypes.CondaPkg, ftypes.CondaEnv:
 		log.Warn("Conda package is supported for SBOM, not for vulnerability scanning")
 		return Driver{}, false
 	case ftypes.Bitnami:
-		ecosystem = vulnerability.Bitnami
+		eco = ecosystem.Bitnami
 		comparer = bitnami.Comparer{}
 	case ftypes.K8sUpstream:
-		ecosystem = vulnerability.Kubernetes
+		eco = ecosystem.Kubernetes
 		comparer = compare.GenericComparer{}
 	case ftypes.Julia:
 		log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
@@ -90,15 +91,15 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 		return Driver{}, false
 	}
 	return Driver{
-		ecosystem: ecosystem,
+		ecosystem: eco,
 		comparer:  comparer,
 		dbc:       db.Config{},
 	}, true
 }
 
 // Driver represents security advisories for each programming language
 type Driver struct {
-	ecosystem dbTypes.Ecosystem
+	ecosystem ecosystem.Type
 	comparer  compare.Comparer
 	dbc       db.Config
 }

pkg/detector/ospkg/detect.go

@@ -22,6 +22,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/rocky"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/rootio"
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg/seal"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/suse"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/wolfi"
@@ -63,6 +64,7 @@ var (
 	// and environment detection. They are tried before standard OS-specific drivers.
 	providers = []driver.Provider{
 		rootio.Provider,
+		seal.Provider,
 	}
 )
 

pkg/detector/ospkg/seal/provider.go

@@ -0,0 +1,29 @@
+package seal
+
+import (
+	"slices"
+
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg/driver"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/set"
+)
+
+var (
+	supportedOSFamilies = set.New(
+		ftypes.Alpine,
+		ftypes.CBLMariner,
+		ftypes.CentOS,
+		ftypes.RedHat,
+		ftypes.Debian,
+		ftypes.Oracle,
+		ftypes.Ubuntu,
+	)
+)
+
+// Provider creates a Root.io driver if Root.io packages are detected
+func Provider(osFamily ftypes.OSType, pkgs []ftypes.Package) driver.Driver {
+	if supportedOSFamilies.Contains(osFamily) && slices.ContainsFunc(pkgs, sealPkg) {
+		return NewScanner(osFamily)
+	}
+	return nil
+}

pkg/detector/ospkg/seal/provider_test.go

@@ -0,0 +1,81 @@
+package seal_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg/seal"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+)
+
+func TestProvider(t *testing.T) {
+	tests := []struct {
+		name     string
+		osFamily ftypes.OSType
+		pkgs     []ftypes.Package
+		want     bool // true if driver should be returned, false if nil
+	}{
+		{
+			name:     "returns driver when package name starts with seal",
+			osFamily: ftypes.Debian,
+			pkgs: []ftypes.Package{
+				{Name: "seal-agent", Version: "1.0.0"},
+				{Name: "bash", Version: "5.1"},
+			},
+			want: true,
+		},
+		{
+			name:     "returns driver when src name starts with seal",
+			osFamily: ftypes.Ubuntu,
+			pkgs: []ftypes.Package{
+				{Name: "libssl", SrcName: "seal-ssl", Version: "1.2.3"},
+				{Name: "curl", Version: "7.81.0"},
+			},
+			want: true,
+		},
+		{
+			name:     "returns nil when no seal packages present",
+			osFamily: ftypes.Alpine,
+			pkgs: []ftypes.Package{
+				{Name: "musl", Version: "1.2.3"},
+				{Name: "busybox", Version: "1.36.1"},
+			},
+			want: false,
+		},
+		{
+			name:     "returns nil for empty package list",
+			osFamily: ftypes.Debian,
+			pkgs:     []ftypes.Package{},
+			want:     false,
+		},
+		{
+			name:     "case-insensitive: Seal prefix matched",
+			osFamily: ftypes.Ubuntu,
+			pkgs: []ftypes.Package{
+				{Name: "Seal-agent", Version: "2.0.0"},
+			},
+			want: true,
+		},
+		{
+			name:     "returns nil for unsupported OS family even with seal package",
+			osFamily: ftypes.Fedora,
+			pkgs: []ftypes.Package{
+				{Name: "seal-agent", Version: "1.0.0"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			d := seal.Provider(tt.osFamily, tt.pkgs)
+			if tt.want {
+				require.NotNil(t, d, "expected a non-nil driver when seal package is present")
+			} else {
+				assert.Nil(t, d, "expected nil driver when no seal package is present")
+			}
+		})
+	}
+}