refactor: move internal packages to internal/ directory

[knqyf263]

Description

• Reorganizes the codebase by moving packages not intended as public API from pkg/ to internal/
• Makes it clearer which packages are part of the public API
• Allows for more flexible internal refactoring without causing breaking changes
• This was previously attempted in PRs refactor(app): use internal and separate configurations #291 and refactor(internal): export internal packages #887 six years ago

Background

Trivy is primarily distributed as a CLI tool, and using Trivy as a library is not recommended for community users. However, Aqua Security internally imports and uses Trivy as a library in our products. This refactoring helps us:

• Clearly distinguish between the stable public API (in pkg/) that we maintain for backward compatibility
• Move internal implementation details to internal/ where we can refactor freely without worrying about breaking changes
• Make it explicit which packages are safe to import externally vs. which are internal-only

Why now?

This refactoring was previously attempted in PRs #291 and #887 six years ago but was abandoned because:

• Trivy was evolving rapidly with frequent major changes
• The development velocity was too high to maintain a stable internal/ boundary
• The codebase was still in flux and not mature enough

Now, Trivy has matured:

• The core architecture has stabilized
• Major structural changes have become less frequent than before
• We can now maintain a clearer separation between public and internal APIs

API Change Detection

We use go-apidiff to automatically detect API changes in PRs. With this refactoring:

• go-apidiff automatically excludes internal/ packages from analysis
• This means API change detection will now focus on truly important changes in pkg/
• We'll get cleaner, more actionable API change reports without noise from internal refactoring
• Breaking changes in public APIs will be more visible and easier to track

Changes

• Moved packages from pkg/ to internal/
• Updated all import paths
• Updated .golangci.yaml and magefiles to reference correct paths

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

This file appears as newly created on the GitHub UI because the proportion of import statements is high compared to the total number of lines, resulting in a low similarity to the original file, but it is correctly recognized as a rename in git.

[knqyf263]

same

[knqyf263]

ditto

[knqyf263]

ditto

[knqyf263]

ditto

[knqyf263]

ditto

[knqyf263]

same

[knqyf263]

same

[knqyf263]

same

[DmitriyLewen]

LGTM.

I left comment about aws config.
Also it looks like we can move dependency and vulnerability packages.

[DmitriyLewen]

trivy-aws uses this package - https://github.com/aquasecurity/trivy-aws/blob/6e28982904fb3a988cfdfcd41a63ac0caac6e8d4/pkg/commands/run.go#L32

[nikpivkin]

The default settings and trivial logic are used to load the AWS config, so I think it can be reimplemented in trivy-aws.

[DmitriyLewen]

We use Digest in Package.
Can we move this package into internal?

[nikpivkin]

As we discussed earlier, let's leave pkg/iac/terraform public for now.

[nikpivkin]

Ditto, let's leave pkg/iac/scanners/terraform public for now.