aquasecurity/trivy
Configuration
Trivy reads configuration from three sources, in order of precedence:
- Command-line flags — highest priority.
- Environment variables —
TRIVY_*form. - YAML config file —
trivy.yamlin the working directory by default, or whatever--config-filepoints at.
The flag layer that ties these together lives in pkg/flag/. This page summarizes the surface; for the canonical list, run trivy <command> --help or read pkg/flag/options.go.
Global flags
Defined in pkg/flag/global_flags.go. Available on every command.
| Flag | Env var | Purpose |
|---|---|---|
--config-file |
TRIVY_CONFIG |
YAML config file path. |
--debug |
TRIVY_DEBUG |
Verbose output. |
--quiet |
TRIVY_QUIET |
Suppress info-level output. |
--cache-dir |
TRIVY_CACHE_DIR |
Cache root (default ~/.cache/trivy). |
--insecure |
TRIVY_INSECURE |
Skip TLS verification (for registries). |
--timeout |
TRIVY_TIMEOUT |
Per-scan timeout. |
--no-progress |
TRIVY_NO_PROGRESS |
Suppress progress bar. |
--show-suppressed |
TRIVY_SHOW_SUPPRESSED |
Show ignored/VEX-suppressed findings. |
Flag groups
Each subcommand composes a subset of flag groups. The groups present in pkg/flag/:
| Group | File | Used by |
|---|---|---|
| Global | global_flags.go |
All commands |
| Scan | scan_flags.go |
image, fs, repo, vm, sbom, k8s |
| Report | report_flags.go |
all scan commands |
| Image | image_flags.go |
image |
| DB | db_flags.go |
image, fs, repo, vm, sbom, server |
| Cache | cache_flags.go |
image, fs, repo, vm, sbom, server |
| Vulnerability | vulnerability_flags.go |
image, fs, repo, vm, sbom |
| Misconfiguration | misconf_flags.go |
image, fs, repo, vm, config, k8s |
| Secret | secret_flags.go |
image, fs, repo, vm |
| License | license_flags.go |
image, fs, repo, vm |
| Package | package_flags.go |
image, fs, repo, vm, sbom |
| Repo | repo_flags.go |
repo |
| Registry | registry_flags.go |
image, sbom |
| Remote | remote_flags.go |
image (for --server), client |
| AWS | aws_flags.go |
(legacy) AWS-only command |
| Module | module_flags.go |
module |
| Rego | rego_flags.go |
image, fs, repo, vm, config |
| Clean | clean_flags.go |
clean |
| Kubernetes | kubernetes_flags.go |
k8s |
Config file shape
A trivy.yaml file mirrors the flag tree:
debug: true
cache:
dir: /var/cache/trivy
db:
repository: ghcr.io/aquasecurity/trivy-db:2
skip-update: false
scan:
scanners:
- vuln
- misconfig
- secret
parallel: 4
severity:
- HIGH
- CRITICAL
ignorefile: .trivyignore
report:
format: json
output: trivy.jsonEach flag.Flag has a ConfigName field that controls the YAML path; the canonical map lives in the per-area *_flags.go files.
Environment variables
Every flag has a TRIVY_<UPPERCASE_NAME> environment variable counterpart, with hyphens replaced by underscores. Examples:
export TRIVY_SEVERITY=HIGH,CRITICAL
export TRIVY_IGNORE_UNFIXED=true
export TRIVY_CACHE_DIR=/var/cache/trivy
trivy image my-imageThe TRIVY_TOKEN and TRIVY_TOKEN_HEADER environment variables are supported for trivy server / trivy client auth.
Trivy DB and policy bundle
The DB and policy bundle have their own flags. See database for a deeper look. Most users only need:
--db-repository ghcr.io/aquasecurity/trivy-db:2
--check-bundle-repository ghcr.io/aquasecurity/trivy-checks:1
--skip-db-update
--skip-policy-update
--db-refresh-interval 6hIgnore file format
.trivyignore (or whatever --ignorefile points at) is a plain list:
CVE-2023-12345
CVE-2024-67890
secret/aws-secret-access-key
AVD-AWS-0001 exp:2025-12-31Entries can be:
- A CVE ID (drops vulnerability findings).
- An AVD ID (drops misconfig findings).
secret/<rule-id>(drops secret findings).- An optional
exp:YYYY-MM-DDclause sets an expiry.
For richer suppression rules, use VEX.
Logging
Logging is configured via --debug/--quiet. The logger is in pkg/log/. There is no separate "log level" flag; the two booleans cover info-debug-warn.
Output formatting
Selected with --format. Values: table (default), json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln. Some formats are scanner-specific (e.g., GitHub Dependency Snapshot only makes sense for vulnerability+package scans).
For Go templates pass --template <file>; the templating layer is in pkg/report/template.go.
See also
- Patterns and conventions — how flags are wired internally.
- CLI — command tree.
- Database — DB-specific configuration.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.