Data transmitted
Full transparency about what leaves your machine. The secvalis.sh agent scans locally with Trivy and uploads only vulnerability metadata to POST /api/v1/audit. This page lists every field we send — and everything we never send.
Top-level fields
machine_label | Machine label you assigned (identity in the dashboard). |
hostname | Machine hostname. null when the agent runs with --no-hostname. |
distro | OS distribution name (e.g. ubuntu, debian, alpine). |
distro_version | Distribution version (e.g. 22.04). |
agent_version | Version of the secvalis.sh agent script. |
scan_timezone | Host time zone (IANA) — used to timestamp the scan. |
scan_status | Scan status: ok | partial | failed (drives server-side SLA logic). |
trivy_results | Slimmed Trivy scanner result — only the fields described below. |
Scan result fields (trivy_results)
The Trivy output is slimmed on your host before upload — only the fields below are kept. Package-level details never include file contents.
Metadata.DB.UpdatedAt | Trivy vulnerability DB version date (scan provenance). |
Results[].Target | Scan target, e.g. “ubuntu (ubuntu 22.04)”. |
Results[].Class / .Type | Package source class and type (os-pkgs, language, etc.). |
Results[]._sourceImage | Name of the scanned image/container — only for LXC scans (--scan-lxc). |
Vulnerabilities[].VulnerabilityID | Vulnerability identifier (CVE / GHSA). |
Vulnerabilities[].PkgName | Name of the vulnerable package (e.g. openssl). |
Vulnerabilities[].InstalledVersion | Installed package version. |
Vulnerabilities[].FixedVersion | Version containing the fix (if available). |
Vulnerabilities[].Severity | Severity per Trivy (CRITICAL…LOW). |
Vulnerabilities[].Title | Short vulnerability title. |
Vulnerabilities[].Description | Vulnerability description, truncated to 300 characters. |
Vulnerabilities[].PrimaryURL | Public reference link (e.g. Aqua AVD / NVD). |
Example payload
A representative (redacted) payload for a single machine with one finding:
{
"machine_label": "web-prod-01",
"hostname": "web-prod-01.internal",
"distro": "ubuntu",
"distro_version": "22.04",
"agent_version": "1.4.0",
"scan_timezone": "Europe/Warsaw",
"scan_status": "ok",
"trivy_results": {
"Metadata": { "DB": { "UpdatedAt": "2026-07-08T04:12:00Z" } },
"Results": [
{
"Target": "ubuntu (ubuntu 22.04)",
"Class": "os-pkgs",
"Type": "ubuntu",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2026-12345",
"PkgName": "openssl",
"InstalledVersion": "3.0.2-0ubuntu1.10",
"FixedVersion": "3.0.2-0ubuntu1.15",
"Severity": "HIGH",
"Title": "openssl: denial of service in X.509 parsing",
"Description": "A flaw was found in the way OpenSSL handled ...",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-12345"
}
]
}
]
}
}What we never send
- Contents of files on your machines
- Image layers, references and Trivy file metadata
- Environment variables
- Secrets, passwords, keys and tokens
- Configuration files
- User data and application data
Data minimisation & offline
Run the agent with --no-hostname and its real hostname never leaves the host — it is sent as null and the machine label becomes its identity. Uploads currently require an HTTPS connection to api.secvalis.eu; there is no offline / air-gapped relay mode yet — tell us if you need one.
Verify it yourself
Don't take our word for it. Run the agent with --dry-run to print the exact payload without sending anything.
See also API & integrations.

