Why does trivy only scan lock-files in filesystem mode? #2830
Unanswered
mastacheata asked this question in Q&A
Replies: 0 comments
Hey there,
what's the reasoning behind only scanning the main package file and not the lock file in images?
Apparently you can scan lockfiles with more information in them, as shown by the composer.lock file for PHP, but the same does not apply to JS and Python. I'm wondering why.
Thanks in advance