Feature Request: Option to Ignore Transitive Maven Repositories during POM Resolution

[philippe-granet]

Description

When scanning Maven projects, Trivy attempts to resolve dependencies by following all repositories declared in the dependency tree, including those introduced transitively via pom.xml files. This behavior can lead to network issues, timeouts, and failed scans in constrained or secured environments (e.g., CI runners with restricted outbound access).

In particular, transitive dependencies may introduce remote repositories such as Sonatype snapshot repositories that are:

• Not accessible from the execution environment
• Not intended to be used (corporate proxy/mirror enforced)
• Redundant with already configured repositories in settings.xml

This results in repeated connection failures like dial tcp <ip>:443: connect: network is unreachable and ultimately causes the scan to fail due to timeout.

Expected Behavior

Trivy should provide an option to ignore remote repositories declared in transitive dependencies, and instead restrict resolution to:

• Repositories explicitly defined in the root pom.xml
• Repositories defined in the Maven settings.xml (including mirrors)

This behavior is similar to Maven CLI option --ignore-transitive-repositories:
https://maven.apache.org/ref/3.9.14/maven-embedder/cli.html
-itr,--ignore-transitive-repositories : If set, Maven will ignore remote repositories introduced by transitive dependencies.

Proposed Solution

Introduce a new CLI flag, for example --maven-ignore-transitive-repositories

When enabled:

• Trivy ignores sections found in transitive POMs
• Only repositories from the root project and/or settings.xml are used
• Resolution respects mirrors and repository policies defined in settings.xml

Use Case / Motivation

This is particularly useful in:

• Corporate environments with strict network policies
• CI/CD pipelines with limited outbound connectivity
• Partially offline scans
• Environments relying on internal artifact repositories (Nexus, Artifactory)

Current Workarounds

• Increasing timeout (not sufficient)
• Pre-populating local Maven repository (fragile)
• Blocking network calls at infrastructure level (causes scan failures)

None of these approaches provide a clean or deterministic solution.

Impact

Adding this option would:

• Improve scan reliability
• Reduce unnecessary network calls
• Align Trivy behavior more closely with Maven best practices
• Provide better control over dependency resolution

Environment

• Trivy version: v0.68+
• Maven project with SNAPSHOT dependencies
• Restricted network environment (CI runner / container)

Additional Context

Example errors encountered:

Failed to fetch https://central.sonatype.com/... dial tcp ... network is unreachable
Failed to fetch https://oss.sonatype.org/... dial tcp ... network is unreachable

These repositories are not explicitly defined in the project but are introduced transitively.

Target

Git Repository

Scanner

Vulnerability