aquasecurity · knqyf263 · Sep 24, 2025 · Sep 22, 2025 · Sep 23, 2025 · Sep 23, 2025
@@ -617,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
 
 ```shell
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 $ trivy convert --format cyclonedx --output result.cdx result.json
 ```
 
-!!! note
-    Please note that if you want to convert to a format that requires a list of packages,
-    such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
-
 [Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
 
 ```shell
 # Output all severities in JSON
-$ trivy image --format json -o result.json --list-all-pkgs debian:11
+$ trivy image --format json -o result.json debian:11
 
 # Output only critical issues in table format
 $ trivy convert --format table --severity CRITICAL result.json

@@ -10,7 +10,7 @@ trivy convert [flags] RESULT_JSON
 
 ```
   # report conversion
-  $ trivy image --format json --output result.json --list-all-pkgs debian:11
+  $ trivy image --format json --output result.json debian:11
   $ trivy convert --format cyclonedx --output result.cdx result.json
 
 ```
@@ -37,7 +37,7 @@ trivy convert [flags] RESULT_JSON
   -h, --help                       help for convert
       --ignore-policy string       specify the Rego file path to evaluate each vulnerability
       --ignorefile string          specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability (default true)
   -o, --output string              output file name
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (allowed values: all,summary) (default "all")

@@ -81,7 +81,7 @@ trivy filesystem [flags] PATH
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

@@ -99,7 +99,7 @@ trivy image [flags] IMAGE_NAME
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --max-image-size string             [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")

@@ -91,7 +91,7 @@ trivy kubernetes [flags] [CONTEXT]
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
       --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")

@@ -80,7 +80,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

@@ -83,7 +83,7 @@ trivy rootfs [flags] ROOTDIR
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

@@ -64,7 +64,7 @@ trivy sbom [flags] SBOM_PATH
       --ignored-licenses strings       specify a list of license to ignore
       --ignorefile string              specify .trivyignore file (default ".trivyignore")
       --java-db-repository strings     OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability (default true)
       --no-progress                    suppress progress bar
       --offline-scan                   do not issue API requests to identify dependencies
   -o, --output string                  output file name

@@ -75,7 +75,7 @@ trivy vm [flags] VM_IMAGE
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes, available with '--scanners misconfig'
       --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability (default true)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

@@ -530,7 +530,7 @@ ignore-policy: ""
 ignorefile: ".trivyignore"
 
 # Same as '--list-all-pkgs'
-list-all-pkgs: false
+list-all-pkgs: true
 
 # Same as '--output'
 output: ""

@@ -293,7 +293,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 </details>
 
 !!! info
-    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+    This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
 
 ### Filtering by Package Relationships
 
@@ -313,7 +313,7 @@ The available relationships may vary depending on the ecosystem.
 To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
 
 ```
-$ trivy repo -f json --list-all-pkgs /path/to/project
+$ trivy repo -f json /path/to/project
 ```
 
 To scan only the root package and its direct dependencies, you can use the flag as follows:
@@ -325,7 +325,7 @@ $ trivy repo --pkg-relationships root,direct /path/to/project
 By default, all relationships are included in the scan.
 
 !!! info
-    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+    This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
 
 !!! warning
     As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.

@@ -679,8 +679,8 @@ func setupClient(t *testing.T, c csArgs, addr, cacheDir string) []string {
 		osArgs = append(osArgs, "--format", "json")
 	}
 
-	if c.ListAllPackages {
-		osArgs = append(osArgs, "--list-all-pkgs")
+	if !c.ListAllPackages {
+		osArgs = append(osArgs, "--list-all-pkgs=false")
 	}
 
 	if c.IgnoreUnfixed {

@@ -154,6 +154,7 @@ severity:
 			osArgs := []string{
 				"--format",
 				"json",
+				"--list-all-pkgs=false",
 				"--cache-dir",
 				cacheDir,
 				"--skip-db-update",
@@ -180,6 +181,7 @@ severity:
 
 			t.Setenv("TRIVY_OUTPUT", outputFile)
 			t.Setenv("TRIVY_FORMAT", "json")
+			t.Setenv("TRIVY_LIST_ALL_PKGS", "false")
 			t.Setenv("TRIVY_CACHE_DIR", cacheDir)
 			t.Setenv("TRIVY_SKIP_DB_UPDATE", "true")
 			t.Setenv("TRIVY_SKIP_POLICY_UPDATE", "true")
@@ -204,6 +206,7 @@ severity:
 			configFile := tt.args.configFile
 			configFile += fmt.Sprintf(`
 format: json
+list-all-pkgs: false
 output: %s
 cache:
   dir: %s

@@ -66,8 +66,8 @@ func TestConvert(t *testing.T) {
 				osArgs = append(osArgs, "--show-suppressed")
 			}
 
-			if tt.args.listAllPkgs {
-				osArgs = append(osArgs, "--list-all-pkgs")
+			if !tt.args.listAllPkgs {
+				osArgs = append(osArgs, "--list-all-pkgs=false")
 			}
 
 			// Set up the output file

@@ -247,6 +247,7 @@ func TestDockerEngine(t *testing.T) {
 				"image",
 				"--skip-update",
 				"--format=json",
+				"--list-all-pkgs=false",
 			}
 
 			if tt.ignoreUnfixed {

@@ -41,6 +41,7 @@ func TestModule(t *testing.T) {
 				"--ignore-unfixed",
 				"--format",
 				"json",
+				"--list-all-pkgs=false",
 				"--skip-db-update",
 				"--offline-scan",
 				"--quiet",

@@ -271,6 +271,7 @@ func scan(t *testing.T, imageRef name.Reference, baseDir string, opt registryOpt
 		"image",
 		"--format",
 		"json",
+		"--list-all-pkgs=false",
 		"--image-src",
 		"remote",
 		"--skip-db-update",

@@ -626,8 +626,8 @@ func buildArgs(t *testing.T, cacheDir, command string, format types.Format, test
 			"--vuln-severity-source", strings.Join(testArgs.vulnSeveritySources, ","),
 		)
 	}
-	if testArgs.listAllPkgs {
-		osArgs = append(osArgs, "--list-all-pkgs")
+	if !testArgs.listAllPkgs {
+		osArgs = append(osArgs, "--list-all-pkgs=false")
 	}
 	if testArgs.includeDevDeps {
 		osArgs = append(osArgs, "--include-dev-deps")

@@ -178,6 +178,7 @@ func TestSBOM(t *testing.T) {
 				tt.args.format,
 				"--scanners",
 				scanners,
+				"--list-all-pkgs=false",
 			}
 
 			// Set up the output file

@@ -415,6 +415,7 @@ func TestTar(t *testing.T) {
 				"--format",
 				string(tt.args.Format),
 				"--skip-db-update",
+				"--list-all-pkgs=false",
 			}
 
 			if tt.args.IgnoreUnfixed {
@@ -518,6 +519,7 @@ func TestTarWithEnv(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Setenv("TRIVY_FORMAT", tt.testArgs.Format)
+			t.Setenv("TRIVY_LIST_ALL_PKGS", "false")
 			t.Setenv("TRIVY_CACHE_DIR", cacheDir)
 			t.Setenv("TRIVY_QUIET", "true")
 			t.Setenv("TRIVY_SKIP_UPDATE", "true")
@@ -554,6 +556,7 @@ func TestTarWithConfigFile(t *testing.T) {
 			input: "testdata/fixtures/images/alpine-39.tar.gz",
 			configFile: `quiet: true
 format: json
+list-all-pkgs: false
 severity:
  - HIGH
  - CRITICAL
@@ -570,6 +573,7 @@ cache:
 			input: "testdata/fixtures/images/debian-buster.tar.gz",
 			configFile: `quiet: true
 format: json
+list-all-pkgs: false
 vulnerability:
  ignore-unfixed: true
 cache:

@@ -78,6 +78,7 @@ func TestVM(t *testing.T) {
 				"--skip-db-update",
 				"--format",
 				tt.args.format,
+				"--list-all-pkgs=false",
 			}
 
 			// Decompress the gzipped image file

@@ -540,7 +540,7 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		GroupID: groupUtility,
 		Short:   "Convert Trivy JSON report into a different format",
 		Example: `  # report conversion
-  $ trivy image --format json --output result.json --list-all-pkgs debian:11
+  $ trivy image --format json --output result.json debian:11
   $ trivy convert --format cyclonedx --output result.cdx result.json
 `,
 		PreRunE: func(cmd *cobra.Command, args []string) error {

@@ -60,6 +60,7 @@ var (
 	ListAllPkgsFlag = Flag[bool]{
 		Name:          "list-all-pkgs",
 		ConfigName:    "list-all-pkgs",
+		Default:       true,
 		Usage:         "output all packages in the JSON report regardless of vulnerability",
 		TelemetrySafe: true,
 	}
@@ -228,8 +229,9 @@ func (f *ReportFlagGroup) ToOptions(opts *Options) error {
 	}
 
 	// "--list-all-pkgs" option is unavailable with other than "--format json".
-	// If user specifies "--list-all-pkgs" with "--format table" or other formats, we should warn it.
-	if listAllPkgs && format != types.FormatJSON {
+	// If user explicitly specifies "--list-all-pkgs" with "--format table" or other formats, we should warn it.
+	// We check if the flag was explicitly set by the user to avoid warning when using the default value.
+	if f.ListAllPkgs.IsSet() && listAllPkgs && format != types.FormatJSON {
 		log.Warn(`"--list-all-pkgs" is only valid for the JSON format, for other formats a list of packages is automatically included.`)
 	}