feat(alinux): add support for Alibaba Cloud Linux

[shiloong]

Description

It would be interesting to add support for the Alibaba Cloud Linux Linux distribution.

Alibaba Cloud Linux (short for Alinux) is a next-generation Linux distribution released by Alibaba Cloud. It includes advanced features developed by the Linux community, and provides a stable and reliable environment for applications running on the cloud.

The Alinux Security Team provides a publicly available Alinux Security Center, which serves as the official channel for publishing product vulnerability databases and security advisories. We request community support to enable vulnerability scanning for Alinux and facilitate the provision of machine-readable security data in OVAL and CSAF_VEX standard formats.

Trivy is widely used by customers on Alibaba Cloud for Linux container image scanning, but currently does not support Alinux vulnerability scanning. Hope this support can be added soon.

Related issues

• Close Add support for Alibaba Cloud Linux #10182

Related PRs

• #630
• #405

Remove this section if you don't have related PRs.

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[shiloong]

Hi, @DmitriyLewen @knqyf263:
Cloud you please help to review this PR for Alibaba Cloud Linux?
Looking forward to your comments.

[DmitriyLewen]

Hi, @shiloong
Right now we're busy with other tasks.
When we have time, we'll review your PR.

[itaysk]

Hi @shiloong , thanks for your contribution and interest in Trivy. There are two main criteria for adding support in a new OS in Trivy: 1) Is the OS open source? if no, then we first need to establish agreement via our partners program. if it's open source, then no need for agreement. 2) Then, prioritizing the work which considers: community interest, maturity of the OS, complexity of the work, and most importantly team capacity and existing commitments.
Regarding Alibaba Linux: 1) from my research it appears to be open source and freely available to users, can you please confirm? 2) we have not received many requests for this. also there are other OS contributions which we want to support and are awaiting longer.

[shiloong]

Hi, @shiloong Right now we're busy with other tasks. When we have time, we'll review your PR.

Thanks for your reply, waiting for your time.

[shiloong]

Hi @shiloong , thanks for your contribution and interest in Trivy. There are two main criteria for adding support in a new OS in Trivy: 1) Is the OS open source? if no, then we first need to establish agreement via our partners program. if it's open source, then no need for agreement. 2) Then, prioritizing the work which considers: community interest, maturity of the OS, complexity of the work, and most importantly team capacity and existing commitments. Regarding Alibaba Linux: 1) from my research it appears to be open source and freely available to users, can you please confirm? 2) we have not received many requests for this. also there are other OS contributions which we want to support and are awaiting longer.

Thank you for outlining the criteria for adding new OS support.

1. Yes, Alibaba Cloud Linux (Alinux) is fully open source and free.
2. While direct GitHub requests seem low, there is a massive user base on Alibaba Cloud (especially ACK users) who rely on Trivy. These users typically report issues to Alibaba Cloud support rather than upstream, masking the true demand. This PR aims to bridge that gap and enable accurate scanning for thousands of active cloud-native workloads.

We hope this clarifies the urgency and value of this contribution.

[github-actions]

This PR is stale because it has been labeled with inactivity.