Open-Source Wikis

/

Trivy

/

Reference

/

Configuration

aquasecurity/trivy

Configuration

Trivy reads configuration from three sources, in order of precedence:

  1. Command-line flags — highest priority.
  2. Environment variablesTRIVY_* form.
  3. YAML config filetrivy.yaml in the working directory by default, or whatever --config-file points at.

The flag layer that ties these together lives in pkg/flag/. This page summarizes the surface; for the canonical list, run trivy <command> --help or read pkg/flag/options.go.

Global flags

Defined in pkg/flag/global_flags.go. Available on every command.

Flag Env var Purpose
--config-file TRIVY_CONFIG YAML config file path.
--debug TRIVY_DEBUG Verbose output.
--quiet TRIVY_QUIET Suppress info-level output.
--cache-dir TRIVY_CACHE_DIR Cache root (default ~/.cache/trivy).
--insecure TRIVY_INSECURE Skip TLS verification (for registries).
--timeout TRIVY_TIMEOUT Per-scan timeout.
--no-progress TRIVY_NO_PROGRESS Suppress progress bar.
--show-suppressed TRIVY_SHOW_SUPPRESSED Show ignored/VEX-suppressed findings.

Flag groups

Each subcommand composes a subset of flag groups. The groups present in pkg/flag/:

Group File Used by
Global global_flags.go All commands
Scan scan_flags.go image, fs, repo, vm, sbom, k8s
Report report_flags.go all scan commands
Image image_flags.go image
DB db_flags.go image, fs, repo, vm, sbom, server
Cache cache_flags.go image, fs, repo, vm, sbom, server
Vulnerability vulnerability_flags.go image, fs, repo, vm, sbom
Misconfiguration misconf_flags.go image, fs, repo, vm, config, k8s
Secret secret_flags.go image, fs, repo, vm
License license_flags.go image, fs, repo, vm
Package package_flags.go image, fs, repo, vm, sbom
Repo repo_flags.go repo
Registry registry_flags.go image, sbom
Remote remote_flags.go image (for --server), client
AWS aws_flags.go (legacy) AWS-only command
Module module_flags.go module
Rego rego_flags.go image, fs, repo, vm, config
Clean clean_flags.go clean
Kubernetes kubernetes_flags.go k8s

Config file shape

A trivy.yaml file mirrors the flag tree:

debug: true
cache:
  dir: /var/cache/trivy
db:
  repository: ghcr.io/aquasecurity/trivy-db:2
  skip-update: false
scan:
  scanners:
    - vuln
    - misconfig
    - secret
  parallel: 4
severity:
  - HIGH
  - CRITICAL
ignorefile: .trivyignore
report:
  format: json
  output: trivy.json

Each flag.Flag has a ConfigName field that controls the YAML path; the canonical map lives in the per-area *_flags.go files.

Environment variables

Every flag has a TRIVY_<UPPERCASE_NAME> environment variable counterpart, with hyphens replaced by underscores. Examples:

export TRIVY_SEVERITY=HIGH,CRITICAL
export TRIVY_IGNORE_UNFIXED=true
export TRIVY_CACHE_DIR=/var/cache/trivy
trivy image my-image

The TRIVY_TOKEN and TRIVY_TOKEN_HEADER environment variables are supported for trivy server / trivy client auth.

Trivy DB and policy bundle

The DB and policy bundle have their own flags. See database for a deeper look. Most users only need:

--db-repository ghcr.io/aquasecurity/trivy-db:2
--check-bundle-repository ghcr.io/aquasecurity/trivy-checks:1
--skip-db-update
--skip-policy-update
--db-refresh-interval 6h

Ignore file format

.trivyignore (or whatever --ignorefile points at) is a plain list:

CVE-2023-12345
CVE-2024-67890
secret/aws-secret-access-key
AVD-AWS-0001 exp:2025-12-31

Entries can be:

  • A CVE ID (drops vulnerability findings).
  • An AVD ID (drops misconfig findings).
  • secret/<rule-id> (drops secret findings).
  • An optional exp:YYYY-MM-DD clause sets an expiry.

For richer suppression rules, use VEX.

Logging

Logging is configured via --debug/--quiet. The logger is in pkg/log/. There is no separate "log level" flag; the two booleans cover info-debug-warn.

Output formatting

Selected with --format. Values: table (default), json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln. Some formats are scanner-specific (e.g., GitHub Dependency Snapshot only makes sense for vulnerability+package scans).

For Go templates pass --template <file>; the templating layer is in pkg/report/template.go.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Configuration – Trivy wiki | Factory