Initial Configuration and Setup

After installation, Trivy requires minimal configuration to begin scanning. The first run downloads the vulnerability database, which may take several minutes depending on network speed. Trivy caches this database locally and updates it automatically:

# Initialize Trivy and download vulnerability database
trivy image --download-db-only

# Configure custom cache directory
export TRIVY_CACHE_DIR=/custom/cache/path
trivy image alpine:latest

# Skip database update for offline scanning
trivy image --skip-db-update alpine:latest

Configuration files allow persistent settings across multiple scans. Trivy supports YAML configuration files that define default behaviors and scanning parameters:

# .trivy.yaml configuration file
quiet: false
debug: false
cache-dir: /tmp/trivy-cache
format: table
severity:
  - CRITICAL
  - HIGH
  - MEDIUM
vulnerability:
  type:
    - os
    - library
ignorefile: .trivyignore
timeout: 5m

Environment variables provide another configuration method, particularly useful in CI/CD pipelines:

# Set environment variables for Trivy configuration
export TRIVY_SEVERITY=CRITICAL,HIGH
export TRIVY_FORMAT=json
export TRIVY_OUTPUT=scan-results.json
export TRIVY_TIMEOUT=10m

# Run scan with environment configuration
trivy image myapp:latest
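As an added example (not from this page or the Trivy project), the script below applies two of the inputs described above, the comma-separated TRIVY_SEVERITY value and a .trivyignore list, to a Trivy JSON report of the kind produced with format: json and TRIVY_OUTPUT, and turns the remaining findings into a CI pass/fail decision. The report contents and the ignore file are constructed, the CVE identifiers are placeholders, and the exit-code behaviour mirrors Trivy's own --exit-code gate.

```python
"""Gate a Trivy JSON report with the same inputs Trivy reads: TRIVY_SEVERITY
(comma separated) and a .trivyignore-style ignore list."""
import json

# Constructed sample report in the layout of Trivy's JSON output (SchemaVersion 2);
# the CVE identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.18)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.0.0-r0", "FixedVersion": "3.0.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"}]}]})

# Constructed .trivyignore: one vulnerability ID per line, '#' starts a comment.
SAMPLE_IGNORE = "# accepted risk, tracked in ticket PLACEHOLDER-1\nCVE-0000-0003\n"

def parse_severities(env, default="CRITICAL,HIGH,MEDIUM"):
    """Comma-separated like TRIVY_SEVERITY; the default mirrors the config file's list."""
    raw = env.get("TRIVY_SEVERITY", default)
    return {s.strip().upper() for s in raw.split(",") if s.strip()}

def parse_ignorefile(text):
    """IDs from a .trivyignore; trailing fields on a line (e.g. an expiry) are dropped."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids

def findings(report_json, severities, ignored):
    """(target, id, package, severity) tuples that survive the severity and ignore filters."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            if v["Severity"] in severities and v["VulnerabilityID"] not in ignored:
                out.append((result["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return out

def gate(report_json, env, ignore_text):
    """Return (exit_code, findings); 1 when anything remains, like 'trivy --exit-code 1'."""
    hits = findings(report_json, parse_severities(env), parse_ignorefile(ignore_text))
    return (1 if hits else 0), hits
```

On a real pipeline, pass the contents of the file named by TRIVY_OUTPUT, os.environ and the .trivyignore text to gate() and use its first element as the step's exit status.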