Add git repository metadata to reports #9255

@knqyf263

Summary

Add git repository metadata to Trivy scan reports. Currently, Trivy's Metadata field includes information like RepoDigest for container images, but git repositories lack similar metadata in the scan output.

Motivation

Git repository scans would benefit from including detailed repository information for enhanced traceability and other purposes.

Proposed Implementation

Metadata Fields

Add the following git repository metadata fields to Trivy JSON reports:

  • Repository URL: Extract from git remotes (prefers upstream, falls back to origin)
  • Branch Name: Current branch being scanned
  • Tag Name: Tag pointing to current commit (if any)
  • Commit Hash: Full SHA of the current commit
  • Commit Message: Commit message text
  • Author: Commit author information
  • Committer: Commit committer information

Expected Output Format

{
  "Metadata": {
    "RepoURL": "https://github.com/example/repo",
    "Branch": "main",
    "Tag": "v1.0.0",
    "Commit": "abc123def456...",
    "CommitMsg": "Add new feature",
    "Author": "John Doe <john@example.com>",
    "Committer": "John Doe <john@example.com>"
  }
}

Compatibility

  • Works with both local (trivy fs ./repo) and remote (trivy repo github.com/user/repo) repository scanning
  • Metadata extraction is optional and does not break existing functionality
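
An added example, not part of the original issue and not Trivy's implementation: Go code that applies the remote-selection rule from the field list (upstream first, then origin) and emits the proposed JSON shape. The function names and the stripping of credentials from http(s) remotes are assumptions of this example that the issue does not specify, and the sample remote and commit are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Metadata mirrors the fields proposed in the issue; empty ones (e.g. no tag) are omitted.
type Metadata struct {
	RepoURL   string `json:"RepoURL,omitempty"`
	Branch    string `json:"Branch,omitempty"`
	Tag       string `json:"Tag,omitempty"`
	Commit    string `json:"Commit,omitempty"`
	CommitMsg string `json:"CommitMsg,omitempty"`
	Author    string `json:"Author,omitempty"`
	Committer string `json:"Committer,omitempty"`
}

// PickRemote (hypothetical helper) prefers "upstream" and falls back to "origin".
func PickRemote(remotes map[string]string) string {
	for _, name := range []string{"upstream", "origin"} {
		if u := remotes[name]; u != "" {
			return SanitizeURL(u)
		}
	}
	return ""
}

// SanitizeURL (assumption) drops user:token@ from http(s) remotes; other forms pass through unchanged.
func SanitizeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil || (u.Scheme != "http" && u.Scheme != "https") {
		return raw
	}
	u.User = nil
	return u.String()
}

// Report fills RepoURL from the remotes and renders the report fragment.
func Report(remotes map[string]string, m Metadata) string {
	m.RepoURL = PickRemote(remotes)
	out, _ := json.MarshalIndent(map[string]Metadata{"Metadata": m}, "", "  ")
	return string(out)
}

func main() {
	remotes := map[string]string{"origin": "https://ci-bot:CONSTRUCTED_TOKEN@github.com/example/repo"}
	fmt.Println(Report(remotes, Metadata{Branch: "main", Commit: "0123456789abcdef0123456789abcdef01234567"}))
}
```

CI checkouts often carry a token in the origin URL, so a report that copies the remote verbatim would publish it; the sanitizing step keeps the traceability value of RepoURL without that exposure.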

Labels

  • kind/feature: Categorizes issue or PR as related to a new feature.
  • target/repository: Issues relating to VCS repository scanning
