aquasecurity
diff --git a/‎docs/docs/references/configuration/cli/trivy_filesystem.md
+2-2 b/‎docs/docs/references/configuration/cli/trivy_filesystem.md
+2-2
diff --git a/‎docs/docs/references/configuration/cli/trivy_image.md
+2-2 b/‎docs/docs/references/configuration/cli/trivy_image.md
+2-2
diff --git a/‎docs/docs/references/configuration/cli/trivy_kubernetes.md
+2-2 b/‎docs/docs/references/configuration/cli/trivy_kubernetes.md
+2-2
diff --git a/‎docs/docs/references/configuration/cli/trivy_repository.md
+2-2 b/‎docs/docs/references/configuration/cli/trivy_repository.md
+2-2
diff --git a/‎docs/docs/references/configuration/cli/trivy_rootfs.md
+2-2 b/‎docs/docs/references/configuration/cli/trivy_rootfs.md
+2-2
diff --git a/‎docs/docs/references/configuration/cli/trivy_sbom.md
+48-48 b/‎docs/docs/references/configuration/cli/trivy_sbom.md
+48-48
diff --git a/‎docs/docs/references/configuration/cli/trivy_server.md
+1-1 b/‎docs/docs/references/configuration/cli/trivy_server.md
+1-1
@@ -29,7 +29,7 @@ trivy filesystem [flags] PATH
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --detection-priority string         specify the detection priority:
                                             - "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy filesystem [flags] PATH
       --include-deprecated-checks         include deprecated checks (default true)
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
 
@@ -43,7 +43,7 @@ trivy image [flags] IMAGE_NAME
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --detection-priority string         specify the detection priority:
                                             - "precise": Prioritizes precise by minimizing false positives.
@@ -74,7 +74,7 @@ trivy image [flags] IMAGE_NAME
       --include-deprecated-checks         include deprecated checks (default true)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --input string                      input file path instead of image name
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
 
@@ -38,7 +38,7 @@ trivy kubernetes [flags] [CONTEXT]
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --detection-priority string         specify the detection priority:
                                             - "precise": Prioritizes precise by minimizing false positives.
@@ -70,7 +70,7 @@ trivy kubernetes [flags] [CONTEXT]
       --include-kinds strings             indicate the kinds included in scanning (example: node)
       --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
 
@@ -29,7 +29,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --detection-priority string         specify the detection priority:
                                             - "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --include-deprecated-checks         include deprecated checks (default true)
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
 
@@ -31,7 +31,7 @@ trivy rootfs [flags] ROOTDIR
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --detection-priority string         specify the detection priority:
                                             - "precise": Prioritizes precise by minimizing false positives.
@@ -58,7 +58,7 @@ trivy rootfs [flags] ROOTDIR
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-deprecated-checks         include deprecated checks (default true)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
 
@@ -20,54 +20,54 @@ trivy sbom [flags] SBOM_PATH
 ### Options
 
 ```
-      --cache-backend string        [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --compliance string           compliance report to generate
-      --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
-      --detection-priority string   specify the detection priority:
-                                      - "precise": Prioritizes precise by minimizing false positives.
-                                      - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                     (precise,comprehensive) (default "precise")
-      --download-db-only            download/update vulnerability database but don't run a scan
-      --download-java-db-only       download/update Java index database but don't run a scan
-      --exit-code int               specify exit code when any security issues are found
-      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-  -h, --help                        help for sbom
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
-      --ignore-unfixed              display only fixed vulnerabilities
-      --ignored-licenses strings    specify a list of license to ignore
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
-      --list-all-pkgs               output all packages in the JSON report regardless of vulnerability
-      --no-progress                 suppress progress bar
-      --offline-scan                do not issue API requests to identify dependencies
-  -o, --output string               output file name
-      --output-plugin-arg string    [EXPERIMENTAL] output plugin arguments
-      --pkg-relationships strings   list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
-      --pkg-types strings           list of package types (os,library) (default [os,library])
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
-      --server string               server address in client mode
-  -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities
-      --skip-db-update              skip updating vulnerability database
-      --skip-dirs strings           specify the directories or glob patterns to skip
-      --skip-files strings          specify the files or glob patterns to skip
-      --skip-java-db-update         skip updating Java index database
-      --skip-vex-repo-update        [EXPERIMENTAL] Skip VEX Repository update
-  -t, --template string             output template
-      --token string                for authentication in client/server mode
-      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex strings                 [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --cache-backend string         [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
+      --cache-ttl duration           cache TTL when using redis as cache backend
+      --compliance string            compliance report to generate
+      --custom-headers strings       custom headers in client mode
+      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --detection-priority string    specify the detection priority:
+                                       - "precise": Prioritizes precise by minimizing false positives.
+                                       - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                      (precise,comprehensive) (default "precise")
+      --download-db-only             download/update vulnerability database but don't run a scan
+      --download-java-db-only        download/update Java index database but don't run a scan
+      --exit-code int                specify exit code when any security issues are found
+      --exit-on-eol int              exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings        specify config file patterns
+  -f, --format string                format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -h, --help                         help for sbom
+      --ignore-policy string         specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings        comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed               display only fixed vulnerabilities
+      --ignored-licenses strings     specify a list of license to ignore
+      --ignorefile string            specify .trivyignore file (default ".trivyignore")
+      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --list-all-pkgs                output all packages in the JSON report regardless of vulnerability
+      --no-progress                  suppress progress bar
+      --offline-scan                 do not issue API requests to identify dependencies
+  -o, --output string                output file name
+      --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments
+      --pkg-relationships strings    list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings            list of package types (os,library) (default [os,library])
+      --redis-ca string              redis ca file location, if using redis as cache backend
+      --redis-cert string            redis certificate file location, if using redis as cache backend
+      --redis-key string             redis key file location, if using redis as cache backend
+      --redis-tls                    enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string             [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings             comma-separated list of what security issues to detect (vuln,license) (default [vuln])
+      --server string                server address in client mode
+  -s, --severity strings             severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed              [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-db-update               skip updating vulnerability database
+      --skip-dirs strings            specify the directories or glob patterns to skip
+      --skip-files strings           specify the files or glob patterns to skip
+      --skip-java-db-update          skip updating Java index database
+      --skip-vex-repo-update         [EXPERIMENTAL] Skip VEX Repository update
+  -t, --template string              output template
+      --token string                 for authentication in client/server mode
+      --token-header string          specify a header name for token in client/server mode (default "Trivy-Token")
+      --vex strings                  [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands
 
@@ -22,7 +22,7 @@ trivy server [flags]
 ```
       --cache-backend string     [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration       cache TTL when using redis as cache backend
-      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings    OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
       --download-db-only         download/update vulnerability database but don't run a scan
       --enable-modules strings   [EXPERIMENTAL] module names to enable
   -h, --help                     help for server