This guide explains how to read and interpret the vulnerability scan reports generated by the Published Images Vulnerability Scanning workflow. It is intended for support, sales, and other non-developer audiences.
The workflow performs three types of scans on each published Docker image:
| Scan Type | What It Checks | Scanner |
|---|---|---|
| OS & Application Libraries | Operating system packages (Debian/Ubuntu) and top-level Java libraries | Trivy |
| Nested JAR Dependencies | Libraries bundled inside Liquibase JARs (Spring Boot fat JARs, extensions) | Trivy |
| SBOM-based Scan | Software Bill of Materials - a complete inventory of all components | Grype |
| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures - a unique identifier for a security vulnerability (e.g., CVE-2025-12345) |
| CVSS | Common Vulnerability Scoring System - a numeric score (0.0-10.0) that measures vulnerability severity. Scores: 0.0 = None, 0.1-3.9 = Low, 4.0-6.9 = Medium, 7.0-8.9 = High, 9.0-10.0 = Critical |
| NVD | National Vulnerability Database - the U.S. government's repository of vulnerability data, managed by NIST |
| GHSA | GitHub Security Advisory - GitHub's database of security vulnerabilities |
| Trivy | An open-source vulnerability scanner by Aqua Security |
| Grype | An open-source vulnerability scanner by Anchore |
| SBOM | Software Bill of Materials - a complete list of all software components in an image |
| HIGH/CRITICAL | Severity ratings indicating vulnerabilities that should be prioritized for remediation |
| Parent JAR | The main Liquibase JAR file that contains nested dependencies |
| Nested JAR | A library bundled inside another JAR file (common in Spring Boot applications) |
| Column | Description |
|---|---|
| Package | The name of the vulnerable software component |
| Parent JAR | Which Liquibase JAR contains this vulnerable dependency |
| NVD | Link to the vulnerability details in the National Vulnerability Database |
| GitHub Advisories | Link to search for related security advisories on GitHub |
| CVE Published | Date the vulnerability was publicly disclosed |
| Trivy Severity | Trivy's assessment of the vulnerability severity (HIGH or CRITICAL) |
| CVSS | The CVSS v3 base score (0.0-10.0), taken from NVD when available and otherwise from a vendor database. Higher scores indicate more severe vulnerabilities |
| Trivy Vendor Data | Severity ratings from the vendor and public databases Trivy tracks (NVD, GHSA, Red Hat, and so on; see the prefix table below). These may differ from Trivy's own assessment |
| Grype Severity | Grype scanner's assessment of vulnerability severity |
| Installed | The version currently installed in the image |
| Fixed | The version that contains the fix (if available) |
| Fix? | Whether a fix is available: ✅ = yes, ❌ = no (must wait for upstream fix) |
The "Trivy Vendor Data" column shows severity ratings from different security databases:
| Prefix | Source | Description |
|---|---|---|
| nvd | NVD | National Vulnerability Database (U.S. government) |
| ghsa | GHSA | GitHub Security Advisories |
| rh | Red Hat | Red Hat Product Security |
| amz | Amazon | Amazon Linux Security Center |
| ora | Oracle | Oracle Linux Security |
| bit | Bitnami | Bitnami Vulnerability Database |
| alma | AlmaLinux | AlmaLinux Errata |
| rky | Rocky | Rocky Linux Errata |
Note: Vendor severity ratings come from Trivy's database and may occasionally differ from the current assessment on the vendor's website.
| Level | Code | Description |
|---|---|---|
| LOW | L | Minor impact, low priority |
| MEDIUM | M | Moderate impact, should be addressed |
| HIGH | H | Significant impact, prioritize remediation |
| CRITICAL | C | Severe impact, address immediately |
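The report columns above are assembled from the raw scanner output. The following is an added example, not the workflow's own script, showing how HIGH/CRITICAL findings from Trivy JSON and Grype JSON are merged by CVE into rows with those columns, how Trivy's integer `VendorSeverity` values become the L/M/H/C codes in the "Trivy Vendor Data" column, and how the "Fix?" flag is derived. The sample JSON is constructed for the example (it is not a real scan), the mapping from Trivy's vendor keys to the report's short prefixes is an assumption, and treating findings with no `PkgPath` as "(internal)" is likewise an assumption about the real report:

```python
"""Build report rows from raw Trivy and Grype JSON (added example, not the workflow's code)."""
import json

# Trivy encodes VendorSeverity as integers (0 unknown, 1 low, 2 medium, 3 high, 4 critical);
# the single-letter codes are the ones the severity table above uses.
SEVERITY_CODE = {1: "L", 2: "M", 3: "H", 4: "C"}
# Assumed mapping from Trivy's vendor keys to the report's short prefixes.
VENDOR_PREFIX = {"nvd": "nvd", "ghsa": "ghsa", "redhat": "rh", "amazon": "amz",
                 "oracle-oval": "ora", "bitnami": "bit", "alma": "alma", "rocky": "rky"}

# Constructed sample scanner output (not a real scan of any Liquibase image).
TRIVY_JSON = json.dumps({"Results": [
    {"Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-00001", "PkgName": "libexample1",
         "InstalledVersion": "1.0.0-1", "FixedVersion": "", "Severity": "HIGH",
         "PublishedDate": "2025-01-15T00:00:00Z",
         "VendorSeverity": {"nvd": 3, "redhat": 2}, "CVSS": {"nvd": {"V3Score": 7.5}}}]},
    {"Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-00002", "PkgName": "com.example:parser",
         "PkgPath": "liquibase/lib/parser-2.0.0.jar", "InstalledVersion": "2.0.0",
         "FixedVersion": "2.0.1", "Severity": "CRITICAL",
         "PublishedDate": "2025-02-01T00:00:00Z",
         "VendorSeverity": {"nvd": 4, "ghsa": 4}, "CVSS": {"nvd": {"V3Score": 9.8}}}]}]})
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2025-00002", "severity": "Critical",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "parser", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-2025-00003", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libother", "version": "3.1.0"}}]})

COLUMNS = ["Package", "Parent JAR", "CVE", "CVE Published", "Trivy Severity", "CVSS",
           "Trivy Vendor Data", "Grype Severity", "Installed", "Fixed", "Fix?"]


def cvss_score(cvss):
    """Prefer NVD's v3 score, falling back to the highest vendor v3 score (or None)."""
    if "V3Score" in cvss.get("nvd", {}):
        return cvss["nvd"]["V3Score"]
    scores = [s["V3Score"] for s in cvss.values() if "V3Score" in s]
    return max(scores) if scores else None


def trivy_rows(text):
    """One row per HIGH/CRITICAL Trivy finding, keyed by CVE for merging with Grype."""
    rows = {}
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in ("HIGH", "CRITICAL"):
                continue
            vendor = {VENDOR_PREFIX.get(k, k): SEVERITY_CODE.get(n, "?")
                      for k, n in v.get("VendorSeverity", {}).items()}
            rows[v["VulnerabilityID"]] = {
                "Package": v["PkgName"],
                # PkgPath is the JAR Trivy found the library in; "(internal)" for JAR
                # findings without a path is an assumption (see the FAQ below).
                "Parent JAR": v.get("PkgPath", "(internal)") if result.get("Type") == "jar" else "",
                "CVE": v["VulnerabilityID"],
                "CVE Published": v.get("PublishedDate", "")[:10],
                "Trivy Severity": v["Severity"],
                "CVSS": cvss_score(v.get("CVSS", {})),
                "Trivy Vendor Data": ", ".join(f"{k}:{c}" for k, c in sorted(vendor.items())),
                "Grype Severity": "",
                "Installed": v["InstalledVersion"],
                "Fixed": v.get("FixedVersion", ""),
            }
    return rows


def merge_grype(rows, text):
    """Attach Grype's severity to CVEs Trivy also found; add HIGH/CRITICAL ones only Grype found."""
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        sev = vuln["severity"].upper()
        if vuln["id"] in rows:
            rows[vuln["id"]]["Grype Severity"] = sev
        elif sev in ("HIGH", "CRITICAL"):
            rows[vuln["id"]] = {c: "" for c in COLUMNS} | {
                "Package": art["name"], "CVE": vuln["id"], "Grype Severity": sev,
                "CVSS": None, "Installed": art["version"],
                "Fixed": ", ".join(vuln["fix"].get("versions", []))}
    return rows


def build_report(trivy_text, grype_text):
    """Merged rows sorted by CVSS (unknown scores last), with the Fix? flag filled in."""
    rows = merge_grype(trivy_rows(trivy_text), grype_text)
    for r in rows.values():
        r["Fix?"] = "✅" if r["Fixed"] else "❌"
    return sorted(rows.values(), key=lambda r: -(r["CVSS"] or 0))


def to_markdown(rows):
    """Render the rows as the markdown table shape used in the report."""
    lines = ["| " + " | ".join(COLUMNS) + " |", "|" + "---|" * len(COLUMNS)]
    for r in rows:
        lines.append("| " + " | ".join("" if r[c] is None else str(r[c]) for c in COLUMNS) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(build_report(TRIVY_JSON, GRYPE_JSON)))
```

Rows are keyed by CVE rather than by package name because the two scanners name the same artifact differently (Trivy uses the Maven coordinate, Grype the JAR's artifact name); that is also why a CVE reported by both appears once, with both severities filled in, rather than as two rows.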
After each scan, the following artifact is available for download:
- `vulnerability-report-{community|secure}-{version}` - Detailed markdown report with all vulnerability information
To download: Go to the workflow run > scroll to "Artifacts" section > click the download icon.
- No vulnerabilities found - The image passed all scans with no HIGH/CRITICAL issues
- Vulnerabilities with fixes available (✅) - These can be resolved by updating dependencies
- Vulnerabilities without fixes (❌) - Must wait for upstream maintainers to release patches
- Same CVE in multiple scanners - Normal; different scanners may detect the same issue
Q: Why do Trivy and Grype sometimes show different results? A: Each scanner uses different vulnerability databases and detection methods. Having multiple scanners provides more comprehensive coverage.
Q: What does "Parent JAR: (internal)" mean? A: The vulnerable component is part of Liquibase's core libraries, not a nested dependency from an extension.
Q: Why is the vendor severity different from what I see on their website? A: Trivy's database may not always be synchronized with the latest vendor assessments. The linked vendor URL shows the current rating.
Q: How often are published images scanned? A: The workflow runs Monday-Friday at 10 AM UTC, scanning the most recent tags of each image.
Q: Where can I view the scan results? A: There are two ways to view scan results:
- Security Dashboard (recommended) — Visit Liquibase Security for an interactive view of all scan results across all versions. You can browse vulnerabilities by version, compare versions, filter by severity or component type, and export reports.
- GitHub Actions — Go to the repository's Actions tab > "Published Images Vulnerability Scanning" workflow > select a run > view the summary or download artifacts.
Q: Can I compare vulnerabilities between two versions? A: Yes. The Version Compare page on Liquibase Security lets you select any two versions of the same image and shows which CVEs were fixed, which are new, and which are shared between them.
Q: How do I know if upgrading will fix a specific CVE? A: Each version detail page on Liquibase Security includes an "Upgrade Recommendations" section that groups fixable vulnerabilities by package and shows which upgrades would resolve the most CVEs.
Scan results from published image scans are persisted to the scan-results branch in this repository. This enables historical tracking and powers the interactive Security Dashboard.
The scan-results branch contains:
```text
scan-results/
  manifest.json                        # Index of all scanned images and versions
  liquibase/liquibase/<version>/
    trivy-surface.json                 # OS and top-level library scan (Trivy)
    trivy-deep.json                    # Nested JAR dependency scan (Trivy)
    grype-results.json                 # SBOM-based scan (Grype)
    metadata.json                      # Scan timestamp, image digest, workflow run ID
  liquibase/liquibase-secure/<version>/
    ...
```
The manifest.json file is an index of all available scan data:
```json
{
  "lastUpdated": "2026-03-10T10:00:00Z",
  "images": {
    "liquibase/liquibase": ["5.0.1", "5.0.0", "4.31.0"],
    "liquibase/liquibase-secure": ["5.0.1", "5.0.0"]
  }
}
```

Vulnerabilities are classified by component type to help identify the source:
| Component | Description | Examples |
|---|---|---|
| OS | Operating system packages from the base image | libc, openssl, curl |
| JRE | Java Runtime Environment libraries | openjdk, java-runtime |
| JAR | Java application dependencies | Spring, Jackson, Log4j |
| Driver | JDBC database drivers | PostgreSQL, MySQL, MSSQL |
| Other | Components that don't fit the above categories | Python packages, misc |
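The persisted scan-results layout and manifest.json described above are what make the Version Compare and "Upgrade Recommendations" views in the FAQ possible. The following is an added example, not the dashboard's own code, that writes constructed scan files in that layout to a temporary directory, unions the CVE IDs from all three scan files for a version (so a CVE seen by both scanners counts once), diffs two versions into fixed/new/shared sets, and groups fixable findings by package and fixed version. The sample findings, the `SAMPLE` data and the helper names are all constructed for the example; only the file names and layout come from the page:

```python
"""Compare versions and group fixable CVEs from the scan-results layout (added example)."""
import json
import tempfile
from collections import defaultdict
from pathlib import Path

IMAGE = "liquibase/liquibase"


def _trivy(*findings):
    """Constructed Trivy-shaped JSON, trimmed to the fields the functions below read."""
    return {"Results": [{"Vulnerabilities": [
        {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": inst, "FixedVersion": fix}
        for cve, pkg, inst, fix in findings]}]}


def _grype(*ids):
    """Constructed Grype-shaped JSON with only the vulnerability IDs."""
    return {"matches": [{"vulnerability": {"id": i}} for i in ids]}


# Constructed sample data for two versions (not real scan results).
SAMPLE = {
    "5.0.0": {
        "trivy-surface.json": _trivy(("CVE-2025-00001", "libexample1", "1.0.0-1", ""),
                                     ("CVE-2025-00004", "openssl", "3.0.11-1", "3.0.12-1")),
        "trivy-deep.json": _trivy(("CVE-2025-00002", "com.example:parser", "2.0.0", "2.0.1"),
                                  ("CVE-2025-00005", "com.example:parser", "2.0.0", "2.0.1")),
        "grype-results.json": _grype("CVE-2025-00002", "CVE-2025-00003"),
    },
    "5.0.1": {
        "trivy-surface.json": _trivy(("CVE-2025-00001", "libexample1", "1.0.0-1", "")),
        "trivy-deep.json": _trivy(("CVE-2025-00006", "com.example:yaml", "1.2.0", "1.3.0")),
        "grype-results.json": _grype("CVE-2025-00006"),
    },
}


def write_sample_branch(root=None):
    """Lay the sample data out like the scan-results branch and return the root directory."""
    root = Path(root or tempfile.mkdtemp())
    for version, files in SAMPLE.items():
        d = root / IMAGE / version
        d.mkdir(parents=True, exist_ok=True)
        for name, data in files.items():
            (d / name).write_text(json.dumps(data))
        (d / "metadata.json").write_text(json.dumps({"image": f"{IMAGE}:{version}"}))
    (root / "manifest.json").write_text(json.dumps(
        {"lastUpdated": "2026-03-10T10:00:00Z", "images": {IMAGE: sorted(SAMPLE, reverse=True)}}))
    return root


def trivy_findings(path):
    """Yield the Vulnerabilities entries from a Trivy JSON file (surface or deep)."""
    for result in json.loads(Path(path).read_text()).get("Results", []):
        yield from result.get("Vulnerabilities") or []


def cve_ids(root, image, version):
    """Union of CVE IDs across all three scan files for one image version."""
    d = Path(root) / image / version
    ids = {f["VulnerabilityID"] for n in ("trivy-surface.json", "trivy-deep.json")
           for f in trivy_findings(d / n)}
    ids |= {m["vulnerability"]["id"]
            for m in json.loads((d / "grype-results.json").read_text()).get("matches", [])}
    return ids


def compare_versions(root, image, old, new):
    """Fixed, new and shared CVEs between two versions listed in manifest.json."""
    manifest = json.loads((Path(root) / "manifest.json").read_text())
    for v in (old, new):
        if v not in manifest["images"].get(image, []):
            raise ValueError(f"{image}:{v} has no scan results")
    a, b = cve_ids(root, image, old), cve_ids(root, image, new)
    return {"fixed": sorted(a - b), "new": sorted(b - a), "shared": sorted(a & b)}


def upgrade_recommendations(root, image, version):
    """Group fixable Trivy findings by (package, installed, fixed version), most CVEs first."""
    groups = defaultdict(set)
    d = Path(root) / image / version
    for n in ("trivy-surface.json", "trivy-deep.json"):
        for f in trivy_findings(d / n):
            if f.get("FixedVersion"):
                groups[(f["PkgName"], f["InstalledVersion"], f["FixedVersion"])].add(f["VulnerabilityID"])
    return sorted(({"package": p, "installed": i, "upgrade_to": x, "cves": sorted(c)}
                   for (p, i, x), c in groups.items()),
                  key=lambda g: (-len(g["cves"]), g["package"]))


if __name__ == "__main__":
    root = write_sample_branch()
    print(json.dumps(compare_versions(root, IMAGE, "5.0.0", "5.0.1"), indent=2))
    print(json.dumps(upgrade_recommendations(root, IMAGE, "5.0.0"), indent=2))
```

Pointing `write_sample_branch` at a real checkout is not needed: `compare_versions` and `upgrade_recommendations` take the branch root as their first argument, so they can be run against a checkout of the scan-results branch directly. Checking both versions against manifest.json first means a typo in a version string fails loudly instead of producing an empty diff that looks like "no CVEs".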
| Schedule | Time | Description |
|---|---|---|
| Weekdays | 10:00 AM UTC | Automatic scan of published images |
| Manual | On-demand | Can be triggered manually via "Run workflow" button |
- Vulnerability Scanning Scripts - Technical documentation for developers
- Trivy Documentation - Official Trivy scanner documentation
- Grype Documentation - Official Grype scanner documentation
- NVD - National Vulnerability Database