Advanced Trivy Configuration Techniques
Advanced Trivy Configuration Techniques
Trivy's configuration flexibility extends far beyond basic command-line options. Most CLI flags can also be set in a `trivy.yaml` config file (or via `TRIVY_*` environment variables), and mastering that file gives precise control over scanning behavior, performance, and integration with complex environments. Treat the example below as a sketch rather than a drop-in file: key names must match the installed Trivy version (unknown keys are generally ignored rather than reported, so a mistyped setting is a silent no-op), and anything that weakens results — ignore rules, secret exclusions, policy paths — belongs in version-controlled, reviewed files.
# .trivy.yaml - Advanced configuration file
# NOTE(review): the keys in this file are illustrative. Trivy reads a flat
# trivy.yaml whose keys mirror the CLI flags (as far as I recall there is no
# `global:` wrapper), and unknown keys are typically ignored rather than
# rejected — confirm every key against `trivy --help` for the installed
# version, otherwise a mistyped setting is a silent no-op.
global:
  timeout: 10m
  # Shared cache directory: scan results and the vulnerability DB live here,
  # so restrict write access to the scanning user — anyone who can write to it
  # can influence what later scans report.
  cache-dir: /opt/trivy-cache
  # DB pinned to the schema-version tag (:2), not a digest; the DB is an OCI
  # artifact pulled over the network, so only pull it from a registry you trust.
  db-repository: ghcr.io/aquasecurity/trivy-db:2
scan:
  # NOTE(review): `security-checks` and `scanners` overlap here. In Trivy,
  # `security-checks` was the older name for `scanners`, and the target-type
  # values listed under `scanners` below (os, library, dockerfile, ...) are not
  # what that option accepts as far as I can tell — confirm against
  # `trivy --help` and keep ONE list, otherwise a scanner you believe is
  # enabled may not be running.
  security-checks:
    - vuln
    - config
    - secret
    - license
  scanners:
    - os
    - library
    - dockerfile
    - terraform
    - cloudformation
    - kubernetes
  # Skipped directories are skipped by EVERY enabled scanner, secret detection
  # included. Test fixtures are a common place for real credentials to leak,
  # so this trades coverage for speed — consider narrowing the list or keeping
  # secret scanning on for test directories.
  skip-dirs:
    - "**/test"
    - "**/tests"
    - "**/testing"
    - "**/__pycache__"
    # Skipping node_modules hides installed-package contents (licenses,
    # embedded secrets) from the scan; dependency vulnerabilities are
    # presumably still found from the lockfile — verify for your projects.
    - "**/node_modules"
  skip-files:
    - "*.test.js"
    - "*.spec.ts"
    # A dev Dockerfile that is still built anywhere is still worth checking;
    # exclude it only if it never produces an image that gets deployed.
    - "Dockerfile.dev"
vulnerability:
  # Custom vulnerability database sources
  # NOTE(review): a private mirror only helps if it is kept in sync and
  # integrity-protected; a stale mirror silently drops newly published CVEs
  # from every result. Whether Trivy treats this as an ordered fallback list
  # is not shown here — confirm, and prefer the `db-repository` key the CLI
  # documents.
  db-repositories:
    - ghcr.io/aquasecurity/trivy-db
    - mirror.company.com/trivy-db
  # Vulnerability filtering
  # Keep this false: unfixed findings are still real exposure and belong in
  # the report even when nothing can be upgraded yet.
  ignore-unfixed: false
  # Custom severity mapping
  # These bands match the CVSS v3 qualitative scale. NOTE(review): Trivy takes
  # severity from the advisory source by default; confirm this key is honoured
  # at all before relying on it, otherwise reported severities will not be
  # what this suggests.
  severity-map:
    CVSS_V3:
      0.0-3.9: LOW
      4.0-6.9: MEDIUM
      7.0-8.9: HIGH
      9.0-10.0: CRITICAL
  # Vulnerability ignore rules with expiration
  # NOTE(review): ignore rules with `paths` / `expired-at` / a reason are the
  # `.trivyignore.yaml` format in Trivy; confirm they are read from this file.
  # Every ignore should carry a reason AND an expiry and go through review —
  # an ignore rule is the easiest way to make a real finding disappear.
  ignore:
    - id: CVE-2023-12345
      paths:
        - "usr/lib/python*/site-packages/urllib3/*"
      # Dated exception: the finding reappears after this date. (A bare date
      # parses as a YAML timestamp; quote it if the loader expects a string.)
      expired-at: 2024-12-31
      reason: "False positive - not exploitable in our configuration"
    - id: CVE-2023-23456
      package: "openssl"
      # The wildcard matches every 1.1.1x build, and there is NO `expired-at`,
      # so this suppression outlives the Q2 migration that justifies it. Add an
      # expiry matching the migration deadline so the risk is re-examined.
      version: "1.1.1*"
      reason: "Accepted risk - migrating to new version in Q2"
secret:
  # Custom secret detection rules
  # External rule file — keep it in version control and review changes to it,
  # since it decides what counts as a secret and what is allowed through.
  config: /etc/trivy/secret-config.yaml
  # Additional secret patterns
  # NOTE(review): Trivy's custom rules normally live in the secret config file
  # referenced above (its `rules:` / `allow-rules:` sections); confirm these
  # inline keys are read, otherwise the patterns below are never applied.
  custom-patterns:
    - name: "Company API Key"
      # Single-quoted YAML: '' is one literal quote, so the class is ["']?.
      pattern: 'COMP_API_KEY\s*=\s*["'']?([A-Za-z0-9+/]{40})["'']?'
    - name: "Internal Token"
      pattern: 'x-internal-token:\s*([a-f0-9]{64})'
  # Exclude patterns
  # These are broad: any match on `localhost`, `127.0.0.1` or `example.com`
  # suppresses the finding. If the exclusion is applied per line or per file
  # rather than per matched secret, a real credential in something like
  # `postgres://admin:<pw>@localhost` is silently dropped — anchor these more
  # tightly or scope them to specific rules, and confirm the matching scope.
  exclude-patterns:
    - 'example\.com'
    - 'localhost'
    - '127\.0\.0\.1'
license:
  # License scanning configuration
  # `full: true` also classifies license text found in files, not just package
  # metadata — more complete, noticeably slower on large trees.
  full: true
  # Forbidden licenses
  # SPDX identifiers; combined with a non-zero exit-code, a forbidden license
  # fails the scan. Keep this list owned by whoever sets license policy.
  forbidden:
    - AGPL-3.0
    - GPL-3.0
    - LGPL-3.0
  # License exceptions
  # NOTE(review): matched by package name only, so any package called
  # "test-package" in any ecosystem is exempt — presumably narrow enough here,
  # but verify before adding more generic names.
  ignored:
    - name: "test-package"
      reason: "Development only dependency"
misconfiguration:
  # Policy paths for custom checks
  # NOTE(review): `./security-policies` is relative to the scanner's working
  # directory. If the scan runs inside a checked-out repository, that repo —
  # and any pull request to it — controls which checks run and can weaken or
  # disable them. Load policies only from an absolute, trusted path such as
  # the /etc/trivy one. The CLI option for this is `config-policy`; confirm
  # the key name used here is actually read.
  policy-paths:
    - /etc/trivy/policies
    - ./security-policies
  # Policy namespaces to include
  # Only checks in these Rego namespaces are evaluated; a custom check written
  # in any other namespace is silently skipped.
  policy-namespaces:
    - company.security
    - compliance.pci
    - compliance.hipaa
  # Trace output for policy debugging
  # Keep off outside debugging: trace output can include the evaluated input
  # (resource contents) and ends up in shared CI logs.
  trace: false
cache:
  # Redis cache backend for distributed scanning
  # The cache holds scan results that later scans reuse, so whoever can write
  # to this Redis can shape what every scanner reports. Restrict network and
  # auth access to the scanning hosts only.
  backend: redis
  redis:
    host: redis.cache.local
    port: 6379
    # NOTE(review): Trivy's YAML loader does not expand shell-style ${VAR} as
    # far as I know — this would be sent as the literal string. Supply the
    # password via the redis-password flag / TRIVY_ environment variable
    # instead, and never commit the real value to this file.
    password: ${REDIS_PASSWORD}
    db: 0
  # No TLS settings here, so cache traffic (including the password) crosses
  # the network in cleartext. Trivy has TLS options for the Redis backend
  # (redis-tls plus CA/cert/key; confirm the exact names) — enable them for
  # anything beyond localhost.
  # ttl is presumably in seconds — confirm the unit.
  ttl: 3600
report:
  # Report format configurations
  # NOTE(review): the template below is only used with `format: template`;
  # with `table` it is dead configuration. Pick one deliberately.
  format: table
  # Template for custom reports
  # Go text/template over the scan results; keep it from emitting fields you
  # would not want in a shared CI log.
  template: |
    {{ range . }}
    Image: {{ .Target }}
    Vulnerabilities: {{ len .Vulnerabilities }}
    {{ range .Vulnerabilities }}
    - {{ .VulnerabilityID }}: {{ .PkgName }} ({{ .Severity }})
    {{ end }}
    {{ end }}
  # Dependency tree settings
  dependency-tree: true
  list-all-pkgs: false
  # Exit codes
  # Non-zero on ANY finding — no `severity` filter is set anywhere in this
  # file, so a single LOW not covered by the ignore rules fails the build.
  # That is the safe default; relax it with a severity list, not by zeroing
  # this.
  exit-code: 1
  # Fail when the base OS release is past end-of-life (no more security fixes).
  # NOTE(review): the CLI flag `--exit-on-eol` takes an exit code (integer),
  # not a boolean; confirm `true` is accepted here, otherwise this is ignored.
  exit-on-eol: true