Skip to content

Config file

Trivy can be customized by tweaking a trivy.yaml file. The config path can be overridden by the --config flag.

An example is here.

Global Options

# Same as '--quiet'
# Default is false
quiet: false

# Same as '--debug'
# Default is false
debug: false

# Same as '--insecure'
# Default is false
insecure: false

# Same as '--timeout'
# Default is '5m'
timeout: 10m

# Same as '--cache-dir'
# Default is your system cache dir
cache:
  dir: $HOME/.cache/trivy

Report Options

# Same as '--format'
# Default is 'table'
format: table

# Same as '--report' (available with 'trivy k8s')
# Default is all
report: all

# Same as '--template'
# Default is empty
template:

# Same as '--dependency-tree'
# Default is false
dependency-tree: false

# Same as '--list-all-pkgs'
# Default is false
list-all-pkgs: false

# Same as '--ignorefile'
# Default is '.trivyignore'
ignorefile: .trivyignore

# Same as '--ignore-policy'
# Default is empty
ignore-policy:

# Same as '--exit-code'
# Default is 0
exit-code: 0

# Same as '--exit-on-eol'
# Default is 0
exit-on-eol: 0

# Same as '--output'
# Default is empty (stdout)
output:

# Same as '--severity'
# Default is all severities
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL

Scan Options

Available in client/server mode

scan:
  # Same as '--file-patterns'
  # Default is empty
  file-patterns:
    -

  # Same as '--skip-dirs'
  # Default is empty
  skip-dirs:
    - usr/local/
    - etc/

  # Same as '--skip-files'
  # Default is empty
  skip-files:
    - package-dev.json

  # Same as '--offline-scan'
  # Default is false
  offline-scan: false

  # Same as '--scanners'
  # Default depends on subcommand
  scanners:
    - vuln
    - misconfig
    - secret
    - license

Cache Options

cache:
  # Same as '--cache-backend'
  # Default is 'fs'
  backend: 'fs'

  # Same as '--cache-ttl'
  # Default is 0 (no ttl)
  ttl: 0

  # Redis options
  redis:
    # Same as '--redis-ca'
    # Default is empty
    ca:

    # Same as '--redis-cert'
    # Default is empty
    cert:

    # Same as '--redis-key'
    # Default is empty
    key:

DB Options

db:
  # Same as '--skip-db-update'
  # Default is false
  skip-update: false

  # Same as '--no-progress'
  # Default is false
  no-progress: false

  # Same as '--db-repository'
  # Default is 'ghcr.io/aquasecurity/trivy-db'
  repository: ghcr.io/aquasecurity/trivy-db

  # Same as '--java-db-repository'
  # Default is 'ghcr.io/aquasecurity/trivy-java-db'
  java-repository: ghcr.io/aquasecurity/trivy-java-db

Registry Options

registry:
  # Same as '--username'
  # Default is empty
  username:

  # Same as '--password'
  # Default is empty
  password:

  # Same as '--registry-token'
  # Default is empty
  registry-token:

Image Options

Available with container image scanning

image:
  # Same as '--input' (available with 'trivy image')
  # Default is empty
  input:

  # Same as '--removed-pkgs'
  # Default is false
  removed-pkgs: false

  # Same as '--platform'
  # Default is empty
  platform: 

  docker:
    # Same as '--docker-host'
    # Default is empty
    host: 

  podman:
    # Same as '--podman-host'
    # Default is empty
    host: 

Vulnerability Options

Available with vulnerability scanning

vulnerability:
  # Same as '--vuln-type'
  # Default is 'os,library'
  type:
    - os
    - library

  # Same as '--ignore-unfixed'
  # Default is false
  ignore-unfixed: false

Secret Options

Available with secret scanning

secret:
  # Same as '--secret-config'
  # Default is 'trivy-secret.yaml'
  config: config/trivy/secret.yaml

Rego Options

rego
  # Same as '--trace'
  # Default is false
  trace: false

  # Same as '--config-policy'
  # Default is empty
  policy:
    - policy/repository
    - policy/custom
    - policy/some-policy.rego

  # Same as '--config-data'
  # Default is empty
  data:
    - data/

  # Same as '--policy-namespaces'
  # Default is empty
  namespaces:
    - opa.examples
    - users

Misconfiguration Options

Available with misconfiguration scanning

misconfiguration:
  # Same as '--include-non-failures'
  # Default is false
  include-non-failures: false

  # Same as '--miconfig-scanners'
  # Default is all scanners
  scanners:
    - dockerfile
    - terraform

  # helm value override configurations
  # set individual values
  helm:
    set:
      - securityContext.runAsUser=10001

  # set values with file
  helm:
    values:
      - overrides.yaml

  # set specific values from specific files
  helm:
    set-file:
      - image=dev-overrides.yaml

  # set as string and preserve type
  helm:
    set-string:
      - name=true

  # terraform tfvars overrrides
  terraform:
    vars:
      - dev-terraform.tfvars
      - common-terraform.tfvars

  # Same as '--tf-exclude-downloaded-modules'
  # Default is false
  terraform:
    exclude-downloaded-modules: false

Kubernetes Options

Available with Kubernetes scanning

kubernetes:
  # Same as '--context'
  # Default is empty
  context:

  # Same as '--namespace'
  # Default is empty
  namespace:

Repository Options

Available with git repository scanning (trivy repo)

repository:
  # Same as '--branch'
  # Default is empty
  branch:

  # Same as '--commit'
  # Default is empty
  commit:

  # Same as '--tag'
  # Default is empty
  tag:

Client/Server Options

Available in client/server mode

server:
  # Same as '--server' (available in client mode)
  # Default is empty
  addr: http://localhost:4954

  # Same as '--token'
  # Default is empty
  token: "something-secret"

  # Same as '--token-header'
  # Default is 'Trivy-Token'
  token-header: 'My-Token-Header'

  # Same as '--custom-headers'
  # Default is empty
  custom-headers:
    - scanner: trivy
    - x-api-token: xxx

  # Same as '--listen' (available in server mode)
  # Default is 'localhost:4954'
  listen: 0.0.0.0:10000

Cloud Options

Available for cloud scanning (currently only trivy aws)

cloud:
  # whether to force a cache update for every scan
  update-cache: false

  # how old cached results can be before being invalidated
  max-cache-age: 24h

  # aws-specific cloud settings
  aws:
    # the aws region to use
    region: us-east-1

    # the aws endpoint to use (not required for general use)
    endpoint: https://my.custom.aws.endpoint

    # the aws account to use (this will be determined from your environment when not set)
    account: 123456789012