Config file
Trivy can be customized by tweaking a trivy.yaml
file.
The config path can be overridden by the --config
flag.
An example is here.
Global Options
# Same as '--quiet'
# Default is false
quiet: false
# Same as '--debug'
# Default is false
debug: false
# Same as '--insecure'
# Default is false
insecure: false
# Same as '--timeout'
# Default is '5m'
timeout: 10m
# Same as '--cache-dir'
# Default is your system cache dir
cache:
dir: $HOME/.cache/trivy
Report Options
# Same as '--format'
# Default is 'table'
format: table
# Same as '--report' (available with 'trivy k8s')
# Default is all
report: all
# Same as '--template'
# Default is empty
template:
# Same as '--dependency-tree'
# Default is false
dependency-tree: false
# Same as '--list-all-pkgs'
# Default is false
list-all-pkgs: false
# Same as '--ignorefile'
# Default is '.trivyignore'
ignorefile: .trivyignore
# Same as '--ignore-policy'
# Default is empty
ignore-policy:
# Same as '--exit-code'
# Default is 0
exit-code: 0
# Same as '--exit-on-eol'
# Default is 0
exit-on-eol: 0
# Same as '--output'
# Default is empty (stdout)
output:
# Same as '--severity'
# Default is all severities
severity:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
# Same as '--pkg-types'
# Default is 'os,library'
pkg-types:
- os
- library
scan:
# Same as '--compliance'
# Default is empty
compliance:
# Same as '--show-suppressed'
# Default is false
show-suppressed: false
Scan Options
Available in client/server mode
scan:
# Same as '--file-patterns'
# Default is empty
file-patterns:
-
# Same as '--skip-dirs'
# Default is empty
skip-dirs:
- usr/local/
- etc/
# Same as '--skip-files'
# Default is empty
skip-files:
- package-dev.json
# Same as '--offline-scan'
# Default is false
offline: false
# Same as '--scanners'
# Default depends on subcommand
scanners:
- vuln
- misconfig
- secret
- license
-
# Same as '--parallel'
# Default is 5
parallel: 1
# Same as '--sbom-sources'
# Default is empty
sbom-sources:
- oci
- rekor
# Same as '--rekor-url'
# Default is 'https://rekor.sigstore.dev'
rekor-url: https://rekor.sigstore.dev
# Same as '--include-dev-deps'
# Default is false
include-dev-deps: false
Cache Options
cache:
# Same as '--cache-backend'
# Default is 'fs'
backend: 'fs'
# Same as '--cache-ttl'
# Default is 0 (no ttl)
ttl: 0
# Redis options
redis:
# Same as '--redis-tls'
# Default is false
tls:
# Same as '--redis-ca'
# Default is empty
ca:
# Same as '--redis-cert'
# Default is empty
cert:
# Same as '--redis-key'
# Default is empty
key:
DB Options
db:
# Same as '--no-progress'
# Default is false
no-progress: false
# Same as '--skip-db-update'
# Default is false
skip-update: false
# Same as '--db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-db:2'
repository: ghcr.io/aquasecurity/trivy-db:2
# Same as '--skip-java-db-update'
# Default is false
java-skip-update: false
# Same as '--java-db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
java-repository: ghcr.io/aquasecurity/trivy-java-db:1
Registry Options
registry:
# Same as '--username'
# Default is empty
username:
# Same as '--password'
# Default is empty
password:
# Same as '--registry-token'
# Default is empty
registry-token:
Image Options
Available with container image scanning
image:
# Same as '--input' (available with 'trivy image')
# Default is empty
input:
# Same as '--removed-pkgs'
# Default is false
removed-pkgs: false
# Same as '--platform'
# Default is empty
platform:
# Same as '--image-src'
# Default is 'docker,containerd,podman,remote'
source:
- podman
- docker
# Same as '--image-config-scanners'
# Default is empty
image-config-scanners:
- misconfig
- secret
docker:
# Same as '--docker-host'
# Default is empty
host:
podman:
# Same as '--podman-host'
# Default is empty
host:
Vulnerability Options
Available with vulnerability scanning
vulnerability:
# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false
# Same as '--ignore-unfixed'
# Default is empty
ignore-status:
- end_of_life
# Same as '--vex'
# Default is empty
vex:
- path/to/vex/file
- repo
# Same as '--skip-vex-repo-update'
# Default is false
skip-vex-repo-update: true
License Options
Available with license scanning
license:
# Same as '--license-full'
# Default is false
full: false
# Same as '--ignored-licenses'
# Default is empty
ignored:
- MPL-2.0
- MIT
# Same as '--license-confidence-level'
# Default is 0.9
confidenceLevel: 0.9
# Set list of forbidden licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
forbidden:
- AGPL-1.0
- AGPL-3.0
# Set list of restricted licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
restricted:
- AGPL-1.0
- AGPL-3.0
# Set list of reciprocal licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
reciprocal:
- AGPL-1.0
- AGPL-3.0
# Set list of notice licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
notice:
- AGPL-1.0
- AGPL-3.0
# Set list of permissive licenses
# Default is empty
permissive:
- AGPL-1.0
- AGPL-3.0
# Set list of unencumbered licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
unencumbered:
- AGPL-1.0
- AGPL-3.0
Secret Options
Available with secret scanning
secret:
# Same as '--secret-config'
# Default is 'trivy-secret.yaml'
config: config/trivy/secret.yaml
Rego Options
rego:
# Same as '--trace'
# Default is false
trace: false
# Same as '--skip-check-update'
# Default is false
skip-check-update: false
# Same as '--config-policy'
# Default is empty
policy:
- policy/repository
- policy/custom
- policy/some-policy.rego
# Same as '--config-data'
# Default is empty
data:
- data/
# Same as '--policy-namespaces'
# Default is empty
namespaces:
- opa.examples
- users
Misconfiguration Options
Available with misconfiguration scanning
misconfiguration:
# Same as '--include-non-failures'
# Default is false
include-non-failures: false
# Same as '--include-deprecated-checks'
# Default is false
include-deprecated-checks: false
# Same as '--check-bundle-repository' and '--policy-bundle-repository'
# Default is 'ghcr.io/aquasecurity/trivy-checks:0'
check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0
# Same as '--miconfig-scanners'
# Default is all scanners
scanners:
- dockerfile
- terraform
# helm value override configurations
helm:
# set individual values
set:
- securityContext.runAsUser=10001
# set values with file
values:
- overrides.yaml
# set specific values from specific files
set-file:
- image=dev-overrides.yaml
# set as string and preserve type
set-string:
- name=true
# Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
api-versions:
- policy/v1/PodDisruptionBudget
- apps/v1/Deployment
# Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
kube-version: "v1.21.0"
# terraform tfvars overrrides
terraform:
vars:
- dev-terraform.tfvars
- common-terraform.tfvars
# Same as '--tf-exclude-downloaded-modules'
# Default is false
exclude-downloaded-modules: false
# Same as '--cf-params'
# Default is false
cloudformation:
params:
- params.json
Kubernetes Options
Available with Kubernetes scanning
kubernetes:
# Same as '--context'
# Default is empty
context:
# Same as '--namespace'
# Default is empty
namespace:
# Same as '--kubeconfig'
# Default is empty
kubeconfig: ~/.kube/config2
# Same as '--components'
# Default is 'workload,infra'
components:
- workload
- infra
# Same as '--k8s-version'
# Default is empty
k8s-version: 1.21.0
# Same as '--tolerations'
# Default is empty
tolerations:
- key1=value1:NoExecute
- key2=value2:NoSchedule
# Same as '--all-namespaces'
# Default is false
all-namespaces: false
node-collector:
# Same as '--node-collector-namespace'
# Default is 'trivy-temp'
namespace: ~/.kube/config2
# Same as '--node-collector-imageref'
# Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
imageref: ghcr.io/aquasecurity/node-collector:0.0.9
exclude:
# Same as '--exclude-owned'
# Default is false
owned: true
# Same as '--exclude-nodes'
# Default is empty
nodes:
- kubernetes.io/arch:arm64
- team:dev
# Same as '--qps'
# Default is 5.0
qps: 5.0
# Same as '--burst'
# Default is 10
burst: 10
Repository Options
Available with git repository scanning (trivy repo
)
repository:
# Same as '--branch'
# Default is empty
branch:
# Same as '--commit'
# Default is empty
commit:
# Same as '--tag'
# Default is empty
tag:
Client/Server Options
Available in client/server mode
server:
# Same as '--server' (available in client mode)
# Default is empty
addr: http://localhost:4954
# Same as '--token'
# Default is empty
token: "something-secret"
# Same as '--token-header'
# Default is 'Trivy-Token'
token-header: 'My-Token-Header'
# Same as '--custom-headers'
# Default is empty
custom-headers:
- scanner: trivy
- x-api-token: xxx
# Same as '--listen' (available in server mode)
# Default is 'localhost:4954'
listen: 0.0.0.0:10000
Cloud Options
Available for cloud scanning (currently only trivy aws
)
cloud:
# whether to force a cache update for every scan
update-cache: false
# how old cached results can be before being invalidated
max-cache-age: 24h
# aws-specific cloud settings
aws:
# the aws region to use
region: us-east-1
# the aws endpoint to use (not required for general use)
endpoint: https://my.custom.aws.endpoint
# the aws account to use (this will be determined from your environment when not set)
account: 123456789012
# the aws specific services
service:
- s3
- ec2
# the aws specific arn
arn: arn:aws:s3:::example-bucket
# skip the aws specific services
skip-service:
- s3
- ec2
Module Options
Available for modules
module:
# Same as '--module-dir'
# Default is '$HOME/.trivy/modules'
dir: $HOME/.trivy/modules
# Same as '--enable-modules'
# Default is empty
enable-modules:
- trivy-module-spring4shell
- trivy-module-wordpress