# Custom Data

Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating Rego checks using the `--config-data` flag.

Trivy recursively searches the specified data paths for JSON (`*.json`) and YAML (`*.yaml`) files.
For example, consider an allowed list of resources that can be created. Instead of hardcoding this information inside your check, you can maintain the list in a separate file.
Example data file:

```yaml
services:
  ports:
    - "20"
    - "20/tcp"
    - "20/udp"
    - "23"
    - "23/tcp"
```

Example usage in a Rego check:

```rego
import data.services

ports := services.ports
```

Example loading the data file:

```bash
trivy config --config-check ./checks --config-data ./data --namespaces user ./configs
```
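As an added example that is not part of the Trivy documentation, here is a complete custom Dockerfile check that consumes the `services.ports` list above to deny any `EXPOSE` of a port that is not on the allowed list. It assumes Trivy's Dockerfile input schema (`input.Stages[].Commands[]` with `Cmd` and `Value` fields), the `result.new` helper, and a check ID `USR0001` chosen here for illustration.

```rego
# METADATA
# title: EXPOSE uses a port outside the allowed list
# description: Only ports listed in data.services.ports may be exposed.
# scope: package
# schemas:
#   - input: schema["dockerfile"]
# custom:
#   id: USR0001
#   avd_id: AVD-USR-0001
#   severity: MEDIUM
#   short_code: expose-unapproved-port
#   recommended_action: Expose only ports from the approved services list
#   input:
#     selector:
#     - type: dockerfile
package user.dockerfile.USR0001

import rego.v1

# The allowed ports come from the data file loaded with --config-data,
# not from this check. Keeping the list out of the policy means the
# security team can update it without touching Rego.
allowed_ports := {p | some p in data.services.ports}

# Every EXPOSE instruction in every build stage is checked. Entries are
# compared exactly as written, so "20" and "20/tcp" are distinct values,
# matching how the data file above lists them.
deny contains res if {
	some stage in input.Stages
	some cmd in stage.Commands
	cmd.Cmd == "expose"
	some port in cmd.Value
	not allowed_ports[port]
	msg := sprintf("Port %q is not in the allowed services list", [port])
	res := result.new(msg, cmd)
}
```

Save the check under `./checks`, the data file under `./data`, and run the `trivy config` command shown above; a Dockerfile containing `EXPOSE 8080` will then be reported while `EXPOSE 20/tcp` passes.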
## Customizing default checks data

Some checks allow you to customize the default data values. To do this, simply pass a data file via `--config-data` (see the section above). The keys in the data file must follow the data path listed for the check.

Table of supported data for customizing and their paths:

| Check ID | Data path | Description |
|---|---|---|
| KSV0125 | `ksv0125.trusted_registries` | List of trusted container registries |
| DS031 | `ds031.included_envs` | List of allowed environment variables (merged with defaults) |

Example of overriding trusted registries for `KSV0125`:

```yaml
ksv0125:
  trusted_registries:
    - "my-registry.example.com"
    - "registry.internal.local"
```