docs: add section on customizing default check data (#9114)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2026-01-31 13:53:14 +08:00 · 2025-07-08 12:36:38 +06:00
parent 482d383974
commit 4675603c2e
1 changed files with 24 additions and 3 deletions
--- a/docs/docs/scanner/misconfiguration/custom/data.md
+++ b/docs/docs/scanner/misconfiguration/custom/data.md
@@ -1,10 +1,10 @@
 # Custom Data

-Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the `--data` flag. 
+Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the `--config-data` flag. 
 Trivy recursively searches the specified data paths for JSON (`*.json`) and YAML (`*.yaml`) files.

 For example, consider an allowed list of resources that can be created. 
-Instead of hardcoding this information inside your policy, you can maintain the list in a separate file.
+Instead of hardcoding this information inside your check, you can maintain the list in a separate file.

 Example data file:

@@ -29,5 +29,26 @@ ports := services.ports
 Example loading the data file:

 ```bash
-trivy config --config-check ./checks --data ./data --namespaces user ./configs
+trivy config --config-check ./checks --config-data ./data --namespaces user ./configs
 ```
+
+## Customizing default checks data
+
+Some checks allow you to customize the default data values. To do this, simply pass a data file via `--config-data` (see the section above).
+
+Table of supported data for customizing and their paths:
+
+| Check ID                                                                                                                                                     | Data path                    | Description                                                  |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|--------------------------------------------------------------|
+| [KSV0125](https://github.com/aquasecurity/trivy-checks/blob/db2e49de5ff5fd5c8e5cd702b7891f9d9e971a65/checks/kubernetes/uses_untrusted_registry.rego#L76-L78) | `ksv0125.trusted_registries` | List of trusted container registries                         |
+| [DS031](https://github.com/aquasecurity/trivy-checks/blob/db2e49de5ff5fd5c8e5cd702b7891f9d9e971a65/checks/docker/leaked_secrets.rego#L135)                   | `ds031.included_envs`        | List of allowed environment variables (merged with defaults) |
+
+
+Example of overriding trusted registries for `KSV0125`:
+
+```yaml
+ksv0125:
+  trusted_registries:
+    - "my-registry.example.com"
+    - "registry.internal.local"
+```