Skip to content

Config file

Trivy can be customized by tweaking a trivy.yaml file. The config path can be overridden by the --config flag.

An example is here.

These samples contain default values for flags.

Global options

cache:
  # Same as '--cache-dir'
  dir: "/path/to/cache"

# Same as '--debug'
debug: false

# Same as '--insecure'
insecure: false

# Same as '--quiet'
quiet: false

# Same as '--timeout'
timeout: 5m0s

Cache options

cache:
  # Same as '--cache-backend'
  backend: "fs"

  redis:
    # Same as '--redis-ca'
    ca: ""

    # Same as '--redis-cert'
    cert: ""

    # Same as '--redis-key'
    key: ""

    # Same as '--redis-tls'
    tls: false

  # Same as '--cache-ttl'
  ttl: 0s

Clean options

clean:
  # Same as '--all'
  all: false

  # Same as '--checks-bundle'
  checks-bundle: false

  # Same as '--java-db'
  java-db: false

  # Same as '--scan-cache'
  scan-cache: false

  # Same as '--vex-repo'
  vex-repo: false

  # Same as '--vuln-db'
  vuln-db: false

Client/Server options

server:
  # Same as '--server'
  addr: ""

  # Same as '--custom-headers'
  custom-headers: []

  # Same as '--listen'
  listen: "localhost:4954"

  # Same as '--token'
  token: ""

  # Same as '--token-header'
  token-header: "Trivy-Token"

DB options

db:
  # Same as '--download-java-db-only'
  download-java-only: false

  # Same as '--download-db-only'
  download-only: false

  # Same as '--java-db-repository'
  java-repository:
   - mirror.gcr.io/aquasec/trivy-java-db:1
   - ghcr.io/aquasecurity/trivy-java-db:1

  # Same as '--skip-java-db-update'
  java-skip-update: false

  # Same as '--no-progress'
  no-progress: false

  # Same as '--db-repository'
  repository:
   - mirror.gcr.io/aquasec/trivy-db:2
   - ghcr.io/aquasecurity/trivy-db:2

  # Same as '--skip-db-update'
  skip-update: false

Image options

image:
  docker:
    # Same as '--docker-host'
    host: ""

  # Same as '--image-config-scanners'
  image-config-scanners: []

  # Same as '--input'
  input: ""

  # Same as '--platform'
  platform: ""

  podman:
    # Same as '--podman-host'
    host: ""

  # Same as '--removed-pkgs'
  removed-pkgs: false

  # Same as '--image-src'
  source:
   - docker
   - containerd
   - podman
   - remote

Kubernetes options

kubernetes:
  # Same as '--burst'
  burst: 10

  # Same as '--disable-node-collector'
  disableNodeCollector: false

  exclude:
    # Same as '--exclude-nodes'
    nodes: []

    # Same as '--exclude-owned'
    owned: false

  # Same as '--exclude-kinds'
  excludeKinds: []

  # Same as '--exclude-namespaces'
  excludeNamespaces: []

  # Same as '--include-kinds'
  includeKinds: []

  # Same as '--include-namespaces'
  includeNamespaces: []

  # Same as '--k8s-version'
  k8s-version: ""

  # Same as '--kubeconfig'
  kubeconfig: ""

  node-collector:
    # Same as '--node-collector-imageref'
    imageref: "ghcr.io/aquasecurity/node-collector:0.3.1"

    # Same as '--node-collector-namespace'
    namespace: "trivy-temp"

  # Same as '--qps'
  qps: 5

  # Same as '--skip-images'
  skipImages: false

  # Same as '--tolerations'
  tolerations: []

License options

license:
  # Same as '--license-confidence-level'
  confidenceLevel: 0.9

  forbidden:
   - AGPL-1.0
   - AGPL-3.0
   - CC-BY-NC-1.0
   - CC-BY-NC-2.0
   - CC-BY-NC-2.5
   - CC-BY-NC-3.0
   - CC-BY-NC-4.0
   - CC-BY-NC-ND-1.0
   - CC-BY-NC-ND-2.0
   - CC-BY-NC-ND-2.5
   - CC-BY-NC-ND-3.0
   - CC-BY-NC-ND-4.0
   - CC-BY-NC-SA-1.0
   - CC-BY-NC-SA-2.0
   - CC-BY-NC-SA-2.5
   - CC-BY-NC-SA-3.0
   - CC-BY-NC-SA-4.0
   - Commons-Clause
   - Facebook-2-Clause
   - Facebook-3-Clause
   - Facebook-Examples
   - WTFPL

  # Same as '--license-full'
  full: false

  # Same as '--ignored-licenses'
  ignored: []

  notice:
   - AFL-1.1
   - AFL-1.2
   - AFL-2.0
   - AFL-2.1
   - AFL-3.0
   - Apache-1.0
   - Apache-1.1
   - Apache-2.0
   - Artistic-1.0-cl8
   - Artistic-1.0-Perl
   - Artistic-1.0
   - Artistic-2.0
   - BSL-1.0
   - BSD-2-Clause-FreeBSD
   - BSD-2-Clause-NetBSD
   - BSD-2-Clause
   - BSD-3-Clause-Attribution
   - BSD-3-Clause-Clear
   - BSD-3-Clause-LBNL
   - BSD-3-Clause
   - BSD-4-Clause
   - BSD-4-Clause-UC
   - BSD-Protection
   - CC-BY-1.0
   - CC-BY-2.0
   - CC-BY-2.5
   - CC-BY-3.0
   - CC-BY-4.0
   - FTL
   - ISC
   - ImageMagick
   - Libpng
   - Lil-1.0
   - Linux-OpenIB
   - LPL-1.02
   - LPL-1.0
   - MS-PL
   - MIT
   - NCSA
   - OpenSSL
   - PHP-3.01
   - PHP-3.0
   - PIL
   - Python-2.0
   - Python-2.0-complete
   - PostgreSQL
   - SGI-B-1.0
   - SGI-B-1.1
   - SGI-B-2.0
   - Unicode-DFS-2015
   - Unicode-DFS-2016
   - Unicode-TOU
   - UPL-1.0
   - W3C-19980720
   - W3C-20150513
   - W3C
   - X11
   - Xnet
   - Zend-2.0
   - zlib-acknowledgement
   - Zlib
   - ZPL-1.1
   - ZPL-2.0
   - ZPL-2.1

  permissive: []

  reciprocal:
   - APSL-1.0
   - APSL-1.1
   - APSL-1.2
   - APSL-2.0
   - CDDL-1.0
   - CDDL-1.1
   - CPL-1.0
   - EPL-1.0
   - EPL-2.0
   - FreeImage
   - IPL-1.0
   - MPL-1.0
   - MPL-1.1
   - MPL-2.0
   - Ruby

  restricted:
   - BCL
   - CC-BY-ND-1.0
   - CC-BY-ND-2.0
   - CC-BY-ND-2.5
   - CC-BY-ND-3.0
   - CC-BY-ND-4.0
   - CC-BY-SA-1.0
   - CC-BY-SA-2.0
   - CC-BY-SA-2.5
   - CC-BY-SA-3.0
   - CC-BY-SA-4.0
   - GPL-1.0
   - GPL-2.0
   - GPL-2.0-with-autoconf-exception
   - GPL-2.0-with-bison-exception
   - GPL-2.0-with-classpath-exception
   - GPL-2.0-with-font-exception
   - GPL-2.0-with-GCC-exception
   - GPL-3.0
   - GPL-3.0-with-autoconf-exception
   - GPL-3.0-with-GCC-exception
   - LGPL-2.0
   - LGPL-2.1
   - LGPL-3.0
   - NPL-1.0
   - NPL-1.1
   - OSL-1.0
   - OSL-1.1
   - OSL-2.0
   - OSL-2.1
   - OSL-3.0
   - QPL-1.0
   - Sleepycat

  unencumbered:
   - CC0-1.0
   - Unlicense
   - 0BSD

Misconfiguration options

misconfiguration:
  # Same as '--checks-bundle-repository'
  checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"

  cloudformation:
    # Same as '--cf-params'
    params: []

  # Same as '--config-file-schemas'
  config-file-schemas: []

  helm:
    # Same as '--helm-api-versions'
    api-versions: []

    # Same as '--helm-kube-version'
    kube-version: ""

    # Same as '--helm-set'
    set: []

    # Same as '--helm-set-file'
    set-file: []

    # Same as '--helm-set-string'
    set-string: []

    # Same as '--helm-values'
    values: []

  # Same as '--include-non-failures'
  include-non-failures: false

  # Same as '--misconfig-scanners'
  scanners:
   - azure-arm
   - cloudformation
   - dockerfile
   - helm
   - kubernetes
   - terraform
   - terraformplan-json
   - terraformplan-snapshot

  terraform:
    # Same as '--tf-exclude-downloaded-modules'
    exclude-downloaded-modules: false

    # Same as '--tf-vars'
    vars: []

Module options

module:
  # Same as '--module-dir'
  dir: "$HOME/.trivy/modules"

  # Same as '--enable-modules'
  enable-modules: []

Package options

pkg:
  # Same as '--include-dev-deps'
  include-dev-deps: false

  # Same as '--pkg-relationships'
  relationships:
   - unknown
   - root
   - workspace
   - direct
   - indirect

  # Same as '--pkg-types'
  types:
   - os
   - library

Registry options

registry:
  # Same as '--password'
  password: []

  # Same as '--password-stdin'
  password-stdin: false

  # Same as '--registry-token'
  token: ""

  # Same as '--username'
  username: []

Rego options

rego:
  # Same as '--config-check'
  check: []

  # Same as '--config-data'
  data: []

  # Same as '--include-deprecated-checks'
  include-deprecated-checks: false

  # Same as '--check-namespaces'
  namespaces: []

  # Same as '--skip-check-update'
  skip-check-update: false

  # Same as '--trace'
  trace: false

Report options

# Same as '--dependency-tree'
dependency-tree: false

# Same as '--exit-code'
exit-code: 0

# Same as '--exit-on-eol'
exit-on-eol: 0

# Same as '--format'
format: "table"

# Same as '--ignore-policy'
ignore-policy: ""

# Same as '--ignorefile'
ignorefile: ".trivyignore"

# Same as '--list-all-pkgs'
list-all-pkgs: false

# Same as '--output'
output: ""

# Same as '--output-plugin-arg'
output-plugin-arg: ""

# Same as '--report'
report: "all"

scan:
  # Same as '--compliance'
  compliance: ""

  # Same as '--show-suppressed'
  show-suppressed: false

# Same as '--severity'
severity:
 - UNKNOWN
 - LOW
 - MEDIUM
 - HIGH
 - CRITICAL

# Same as '--template'
template: ""

Repository options

repository:
  # Same as '--branch'
  branch: ""

  # Same as '--commit'
  commit: ""

  # Same as '--tag'
  tag: ""

Scan options

scan:
  # Same as '--detection-priority'
  detection-priority: "precise"

  # Same as '--distro'
  distro: ""

  # Same as '--file-patterns'
  file-patterns: []

  # Same as '--offline-scan'
  offline: false

  # Same as '--parallel'
  parallel: 5

  # Same as '--rekor-url'
  rekor-url: "https://rekor.sigstore.dev"

  # Same as '--sbom-sources'
  sbom-sources: []

  # Same as '--scanners'
  scanners:
   - vuln
   - secret

  # Same as '--skip-dirs'
  skip-dirs: []

  # Same as '--skip-files'
  skip-files: []

Secret options

secret:
  # Same as '--secret-config'
  config: "trivy-secret.yaml"

Vulnerability options

vulnerability:
  # Same as '--ignore-status'
  ignore-status: []

  # Same as '--ignore-unfixed'
  ignore-unfixed: false

  # Same as '--skip-vex-repo-update'
  skip-vex-repo-update: false

  # Same as '--vex'
  vex: []