Skip to content

Usage Telemetry

Trivy collects anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.

Data collected

The following information could be collected:

  • Environmental information:
    • Installation identifier
    • Trivy version
    • Operating system
  • Scan:
    • Non-revealing scan options (see below for comprehensive list)

Captured scan options

The following flags will be included with their value:

--clear-cache
--debug
--dependency-tree
--detection-priority
--distro
--exit-code
--exit-on-eol
--format
--ignore-status
--ignore-unfixed
--image-config-scanners
--include-deprecated-checks
--include-dev-deps
--include-non-failures
--insecure
--license-full
--list-all-pkgs
--misconfig-scanners
--offline-scan
--parallel
--password-stdin
--pkg-relationships
--pkg-types
--quiet
--redis-tls
--removed-pkgs
--report
--scanners
--severity
--show-suppressed
--skip-check-update
--skip-version-check
--skip-vex-repo-update
--slow
--tf-exclude-downloaded-modules
--timeout
--trace
--vuln-severity-source

Privacy

No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:

  • Installation identifier: one-way hash of machine fingerprint, resulting in opaque ID.
  • Scan: any option that is user-controlled is omitted (never collected). For example, file paths, image names, etc are never collected.

Trivy is an Aqua Security product and adheres to the company's privacy policy: https://aquasec.com/privacy.

Disabling telemetry

You can disable telemetry altogether using the --disable-telemetry flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see here.

For example:

trivy image --disable-telemetry alpine