feat(cli): Capture some basic information during the update check

[owenrumney]

Discussed in #8675

^{Originally posted by itaysk April 3, 2025}

Description

Trivy has grown to be a serious product, and we need to start managing it like a product. One pillar of product management is understanding the usage patterns, user personas and use cases. Being data driven and results oriented is key to growth, and for that we need data.

This is a proposal for how it might look like:

Metrics

facts:

• count of scans
• count of errors

dimensions:

• platform (os,arch)
• trivy version
• db version
• features (flags)
• user id

PII

Every input that is user-controlled is considered PII and will not be collected. For example:

trivy image --severity HIGH --ignoefile ./secretcorp/trivyignore.yaml secretapp

part	private?
image	No
--severity	No
HIGH	No
--ignorefile	No
./secretcorp/trivyignore.yaml	Yes
secretapp	Yes

User ID

for authenticated users - the use identity
for unauthenticated users - random identifier generated from a one way hash of mac address

Impact

no impact on scan time
no impact on output
easy opt out using a flag/config/envvar
if network is unavailable, try to save to disk (cache) (log rotation)

Implementation suggestion

We had a tangential discussion about a checking for updates. It would make sense to combine the two features into a single request. When Trivy checks for updates, we can capture the necessary information as part of the netwrok request.