feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)

This commit is contained in:
Teppei Fukuda
2025-12-23 18:05:17 +09:00
committed by GitHub
parent 517365caa3
commit 4caf7312b6
7 changed files with 1116 additions and 4 deletions


@@ -3,7 +3,7 @@
Trivy can be customized by tweaking a `trivy.yaml` file.
The config path can be overridden by the `--config` flag.
An example is [here][example].
An example is [here][example] and a [JSON Schema][schema] is also available.
These samples contain default values for flags.
## Global options
@@ -668,4 +668,5 @@ vulnerability:
vex: []
```
[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
[example]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/examples/trivy-conf/trivy.yaml
[schema]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/schema/trivy-config.json

go.mod

@@ -135,6 +135,7 @@ require (
require (
github.com/go-ini/ini v1.67.0
github.com/invopop/jsonschema v0.13.0
github.com/nikolalohinski/gonja/v2 v2.4.2
)
@@ -203,6 +204,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/sso v1.30.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.41.1 // indirect
github.com/bahlo/generic-list-go v0.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -211,6 +213,7 @@ require (
github.com/bufbuild/buf v1.56.0 // indirect
github.com/bufbuild/protocompile v0.14.1 // indirect
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 // indirect
github.com/buger/jsonparser v1.1.1 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
@@ -341,6 +344,7 @@ require (
github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
github.com/magiconair/properties v1.8.10 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -432,6 +436,7 @@ require (
github.com/vektah/gqlparser/v2 v2.5.31 // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect

go.sum

@@ -286,6 +286,8 @@ github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
@@ -310,6 +312,8 @@ github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/
github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 h1:V1xulAoqLqVg44rY97xOR+mQpD2N+GzhMHVwJ030WEU=
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ=
github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70=
github.com/buildkite/agent/v3 v3.62.0/go.mod h1:jN6SokGXrVNNIpI0BGQ+j5aWeI3gin8F+3zwA5Q6gqM=
github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM=
@@ -766,6 +770,8 @@ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ=
@@ -786,6 +792,7 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
github.com/josephburnett/jd/v2 v2.3.0 h1:AyNT0zSStJ2j28zutWDO4fkc95JoICryWQRmDTRzPTQ=
github.com/josephburnett/jd/v2 v2.3.0/go.mod h1:0I5+gbo7y8diuajJjm79AF44eqTheSJy1K7DSbIUFAQ=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
@@ -856,6 +863,8 @@ github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee h1:cgm8mE25x5XXX2oyvJDlyJ72K+rDu/4ZCYce2worNb8=
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee/go.mod h1:rojbW5tVhH1cuVYFKZS+QX+VGXK45JVsRO+jW92kkKM=
github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e h1:nCgF1JEYIS8KNuJtIeUrmjjhktIMKWNmASZqwK2ynu0=
@@ -1238,6 +1247,8 @@ github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xanzy/go-gitlab v0.102.0 h1:ExHuJ1OTQ2yt25zBMMj0G96ChBirGYv8U7HyUiYkZ+4=

magefiles/config_schema.go Normal file

@@ -0,0 +1,148 @@
//go:build mage_docs
package main
import (
"encoding/json"
"fmt"
"os"
"strings"
"time"
"github.com/invopop/jsonschema"
"github.com/aquasecurity/trivy/pkg/flag"
)
// JSON Schema type constants
const (
schemaTypeString = "string"
schemaTypeBoolean = "boolean"
schemaTypeInteger = "integer"
schemaTypeNumber = "number"
schemaTypeArray = "array"
schemaTypeObject = "object"
)
const configSchemaPath = "schema/trivy-config.json"
// generateConfigSchema generates a JSON schema for trivy.yaml configuration file.
func generateConfigSchema(outputPath string, allFlagGroups []flag.FlagGroup) error {
root := &jsonschema.Schema{
Version: jsonschema.Version,
Type: schemaTypeObject,
Title: "Trivy Configuration",
Description: "Configuration file for Trivy security scanner (trivy.yaml)",
Properties: jsonschema.NewProperties(),
}
for _, group := range allFlagGroups {
for _, f := range group.Flags() {
configName := f.GetConfigName()
if configName == "" || f.Hidden() {
continue
}
if err := addFlagToSchema(root, f); err != nil {
return err
}
}
}
data, err := json.MarshalIndent(root, "", " ")
if err != nil {
return err
}
// Ensure directory exists
if err := os.MkdirAll("schema", 0755); err != nil {
return err
}
return os.WriteFile(outputPath, data, 0644)
}
// addFlagToSchema adds a flag to the schema, creating nested objects as needed.
func addFlagToSchema(root *jsonschema.Schema, f flag.Flagger) error {
configName := f.GetConfigName()
parts := strings.Split(configName, ".")
// Split into parent path and leaf name
parentParts, leafName := parts[:len(parts)-1], parts[len(parts)-1]
// Navigate/create intermediate objects
current := root
for _, part := range parentParts {
if existing, ok := current.Properties.Get(part); ok {
current = existing
} else {
newSchema := &jsonschema.Schema{
Type: schemaTypeObject,
Properties: jsonschema.NewProperties(),
}
current.Properties.Set(part, newSchema)
current = newSchema
}
}
// Add the leaf property
schema, err := schemaFromFlag(f)
if err != nil {
return err
}
current.Properties.Set(leafName, schema)
return nil
}
// schemaFromFlag creates a JSON schema based on the flag's type, description, and allowed values.
func schemaFromFlag(f flag.Flagger) (*jsonschema.Schema, error) {
schema, err := schemaFromFlagValue(f.GetDefaultValue())
if err != nil {
return nil, fmt.Errorf("flag %q: %w", f.GetConfigName(), err)
}
// Add description from Usage
if usage := f.GetUsage(); usage != "" {
schema.Description = usage
}
// Add enum if Values is set
if values := f.GetValues(); len(values) > 0 {
schema.Enum = make([]any, len(values))
for i, v := range values {
schema.Enum[i] = v
}
}
return schema, nil
}
// schemaFromFlagValue creates a JSON schema based on the flag's default value type.
func schemaFromFlagValue(val any) (*jsonschema.Schema, error) {
switch val.(type) {
case string:
return &jsonschema.Schema{Type: schemaTypeString}, nil
case bool:
return &jsonschema.Schema{Type: schemaTypeBoolean}, nil
case int:
return &jsonschema.Schema{Type: schemaTypeInteger}, nil
case float64:
return &jsonschema.Schema{Type: schemaTypeNumber}, nil
case []string:
return &jsonschema.Schema{
Type: schemaTypeArray,
Items: &jsonschema.Schema{Type: schemaTypeString},
}, nil
case time.Duration:
return &jsonschema.Schema{Type: schemaTypeString}, nil
case map[string][]string:
return &jsonschema.Schema{
Type: schemaTypeObject,
AdditionalProperties: &jsonschema.Schema{
Type: schemaTypeArray,
Items: &jsonschema.Schema{Type: schemaTypeString},
},
}, nil
default:
return nil, fmt.Errorf("unknown type %T, please update schemaFromFlagValue()", val)
}
}
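Review bot: In schemaFromFlag the enum built from GetValues() is assigned to the flag's own schema even when schemaFromFlagValue returned an array, so for list flags such as `severity`, `scan.scanners` or `image.source` the generated schema/trivy-config.json carries `"type": "array"` together with a top-level `"enum"` of strings, which a JSON Schema validator reads as "the whole array must equal one of these strings" and therefore rejects a valid `severity: [HIGH, CRITICAL]`. For array types the enum belongs on `schema.Items`, as sketched below. Separately, generateConfigSchema hard-codes `os.MkdirAll("schema", 0755)` while writing to the caller-supplied `outputPath`; `os.MkdirAll(filepath.Dir(outputPath), 0o755)` (adding `path/filepath` to the imports) keeps the directory and the file in step. If a leaf config name ever shares a prefix with a dotted one, addFlagToSchema reuses that leaf as an intermediate and `current.Properties.Set` would likely dereference a nil Properties map, so an explicit check that `existing.Properties != nil` (returning an error otherwise) would turn a panic into a clear message.

```go
func schemaFromFlag(f flag.Flagger) (*jsonschema.Schema, error) {
	// … unchanged: schemaFromFlagValue call and description from Usage …
	// Add enum if Values is set. For list flags the allowed values constrain
	// each element, so the enum is attached to Items rather than to the array.
	if values := f.GetValues(); len(values) > 0 {
		enum := make([]any, len(values))
		for i, v := range values {
			enum[i] = v
		}
		if schema.Type == schemaTypeArray && schema.Items != nil {
			schema.Items.Enum = enum
		} else {
			schema.Enum = enum
		}
	}
	return schema, nil
}
```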


@@ -20,9 +20,10 @@ const (
title = "Config file"
description = "Trivy can be customized by tweaking a `trivy.yaml` file.\n" +
"The config path can be overridden by the `--config` flag.\n\n" +
"An example is [here][example].\n\n" +
"An example is [here][example] and a [JSON Schema][schema] is also available.\n\n" +
"These samples contain default values for flags."
footer = "[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml"
footer = "[example]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/examples/trivy-conf/trivy.yaml\n" +
"[schema]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/schema/trivy-config.json"
)
// Generate CLI references
@@ -47,6 +48,9 @@ func main() {
if err := generateTelemetryFlagDocs("./docs/guide/advanced/telemetry-flags.md", allFlagGroups); err != nil {
log.Fatal("Fatal error in telemetry docs generation", log.Err(err))
}
if err := generateConfigSchema(configSchemaPath, allFlagGroups); err != nil {
log.Fatal("Fatal error in config schema generation", log.Err(err))
}
}
// generateTelemetryFlagDocs updates the telemetry section in the documentation file


@@ -233,6 +233,14 @@ func (f *Flag[T]) GetAliases() []Alias {
return f.Aliases
}
func (f *Flag[T]) GetUsage() string {
return f.Usage
}
func (f *Flag[T]) GetValues() []string {
return f.Values
}
func (f *Flag[T]) IsTelemetrySafe() bool {
return f.TelemetrySafe
}
@@ -377,6 +385,8 @@ type Flagger interface {
GetConfigName() string
GetDefaultValue() any
GetAliases() []Alias
GetUsage() string
GetValues() []string
Hidden() bool
IsTelemetrySafe() bool
IsSet() bool

schema/trivy-config.json Normal file

@@ -0,0 +1,933 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"properties": {
"quiet": {
"type": "boolean",
"description": "suppress progress bar and log output"
},
"debug": {
"type": "boolean",
"description": "debug mode"
},
"insecure": {
"type": "boolean",
"description": "allow insecure server connections"
},
"cacert": {
"type": "string",
"description": "Path to PEM-encoded CA certificate file"
},
"timeout": {
"type": "string",
"description": "timeout"
},
"cache": {
"properties": {
"dir": {
"type": "string",
"description": "cache directory"
},
"backend": {
"type": "string",
"description": "[EXPERIMENTAL] cache backend (e.g. redis://localhost:6379)"
},
"ttl": {
"type": "string",
"description": "cache TTL when using redis as cache backend"
},
"redis": {
"properties": {
"tls": {
"type": "boolean",
"description": "enable redis TLS with public certificates, if using redis as cache backend"
},
"ca": {
"type": "string",
"description": "redis ca file location, if using redis as cache backend"
},
"cert": {
"type": "string",
"description": "redis certificate file location, if using redis as cache backend"
},
"key": {
"type": "string",
"description": "redis key file location, if using redis as cache backend"
}
},
"type": "object"
}
},
"type": "object"
},
"clean": {
"properties": {
"all": {
"type": "boolean",
"description": "remove all caches"
},
"scan-cache": {
"type": "boolean",
"description": "remove scan cache (container and VM image analysis results)"
},
"vuln-db": {
"type": "boolean",
"description": "remove vulnerability database"
},
"java-db": {
"type": "boolean",
"description": "remove Java database"
},
"checks-bundle": {
"type": "boolean",
"description": "remove checks bundle"
},
"vex-repo": {
"type": "boolean",
"description": "remove VEX repositories"
}
},
"type": "object"
},
"server": {
"properties": {
"token": {
"type": "string",
"description": "for authentication in client/server mode"
},
"token-header": {
"type": "string",
"description": "specify a header name for token in client/server mode"
},
"addr": {
"type": "string",
"description": "server address in client mode"
},
"custom-headers": {
"items": {
"type": "string"
},
"type": "array",
"description": "custom headers in client mode"
},
"listen": {
"type": "string",
"description": "listen address in server mode"
}
},
"type": "object"
},
"db": {
"properties": {
"download-only": {
"type": "boolean",
"description": "download/update vulnerability database but don't run a scan"
},
"skip-update": {
"type": "boolean",
"description": "skip updating vulnerability database"
},
"download-java-only": {
"type": "boolean",
"description": "download/update Java index database but don't run a scan"
},
"java-skip-update": {
"type": "boolean",
"description": "skip updating Java index database"
},
"no-progress": {
"type": "boolean",
"description": "suppress progress bar"
},
"repository": {
"items": {
"type": "string"
},
"type": "array",
"description": "OCI repository(ies) to retrieve trivy-db in order of priority"
},
"java-repository": {
"items": {
"type": "string"
},
"type": "array",
"description": "OCI repository(ies) to retrieve trivy-java-db in order of priority"
}
},
"type": "object"
},
"image": {
"properties": {
"input": {
"type": "string",
"description": "input file path instead of image name"
},
"image-config-scanners": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"misconfig",
"secret"
],
"description": "comma-separated list of what security issues to detect on container image configurations"
},
"removed-pkgs": {
"type": "boolean",
"description": "detect vulnerabilities of removed packages (only for Alpine)"
},
"platform": {
"type": "string",
"description": "set platform in the form os/arch if image is multi-platform capable"
},
"docker": {
"properties": {
"host": {
"type": "string",
"description": "unix domain socket path to use for docker scanning"
}
},
"type": "object"
},
"podman": {
"properties": {
"host": {
"type": "string",
"description": "unix podman socket path to use for podman scanning"
}
},
"type": "object"
},
"source": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"docker",
"containerd",
"podman",
"remote"
],
"description": "image source(s) to use, in priority order"
},
"max-size": {
"type": "string",
"description": "[EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size"
}
},
"type": "object"
},
"kubernetes": {
"properties": {
"kubeconfig": {
"type": "string",
"description": "specify the kubeconfig file path to use"
},
"k8s-version": {
"type": "string",
"description": "specify k8s version to validate outdated api by it (example: 1.21.0)"
},
"disableNodeCollector": {
"type": "boolean",
"description": "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node."
},
"tolerations": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)"
},
"node-collector": {
"properties": {
"namespace": {
"type": "string",
"description": "specify the namespace in which the node-collector job should be deployed"
},
"imageref": {
"type": "string",
"description": "indicate the image reference for the node-collector scan job"
}
},
"type": "object"
},
"exclude": {
"properties": {
"owned": {
"type": "boolean",
"description": "exclude resources that have an owner reference"
},
"nodes": {
"items": {
"type": "string"
},
"type": "array",
"description": "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)"
}
},
"type": "object"
},
"excludeKinds": {
"items": {
"type": "string"
},
"type": "array",
"description": "indicate the kinds exclude from scanning (example: node)"
},
"includeKinds": {
"items": {
"type": "string"
},
"type": "array",
"description": "indicate the kinds included in scanning (example: node)"
},
"excludeNamespaces": {
"items": {
"type": "string"
},
"type": "array",
"description": "indicate the namespaces excluded from scanning (example: kube-system)"
},
"includeNamespaces": {
"items": {
"type": "string"
},
"type": "array",
"description": "indicate the namespaces included in scanning (example: kube-system)"
},
"qps": {
"type": "number",
"description": "specify the maximum QPS to the master from this client"
},
"skipImages": {
"type": "boolean",
"description": "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources"
},
"burst": {
"type": "integer",
"description": "specify the maximum burst for throttle"
}
},
"type": "object"
},
"license": {
"properties": {
"full": {
"type": "boolean",
"description": "eagerly look for licenses in source code headers and license files"
},
"ignored": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify a list of license to ignore"
},
"forbidden": {
"items": {
"type": "string"
},
"type": "array",
"description": "forbidden licenses"
},
"restricted": {
"items": {
"type": "string"
},
"type": "array",
"description": "restricted licenses"
},
"reciprocal": {
"items": {
"type": "string"
},
"type": "array",
"description": "reciprocal licenses"
},
"notice": {
"items": {
"type": "string"
},
"type": "array",
"description": "notice licenses"
},
"permissive": {
"items": {
"type": "string"
},
"type": "array",
"description": "permissive licenses"
},
"unencumbered": {
"items": {
"type": "string"
},
"type": "array",
"description": "unencumbered licenses"
},
"confidenceLevel": {
"type": "number",
"description": "specify license classifier's confidence level"
}
},
"type": "object"
},
"misconfiguration": {
"properties": {
"include-non-failures": {
"type": "boolean",
"description": "include successes, available with '--scanners misconfig'"
},
"checks-bundle-repository": {
"type": "string",
"description": "OCI registry URL to retrieve checks bundle from"
},
"helm": {
"properties": {
"set": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)"
},
"values": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify paths to override the Helm values.yaml files"
},
"set-file": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)"
},
"set-string": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)"
},
"api-versions": {
"items": {
"type": "string"
},
"type": "array",
"description": "Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)"
},
"kube-version": {
"type": "string",
"description": "Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command."
}
},
"type": "object"
},
"terraform": {
"properties": {
"vars": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify paths to override the Terraform tfvars files"
},
"exclude-downloaded-modules": {
"type": "boolean",
"description": "exclude misconfigurations for downloaded terraform modules"
}
},
"type": "object"
},
"cloudformation": {
"properties": {
"params": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify paths to override the CloudFormation parameters files"
}
},
"type": "object"
},
"scanners": {
"items": {
"type": "string"
},
"type": "array",
"description": "comma-separated list of misconfig scanners to use for misconfiguration scanning"
},
"config-file-schemas": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking"
},
"render-cause": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"terraform",
"ansible"
],
"description": "specify configuration types for which the rendered causes will be shown in the table report"
},
"raw-config-scanners": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"terraform"
],
"description": "specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state"
}
},
"type": "object"
},
"ansible": {
"properties": {
"playbooks": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify playbook file path(s) to scan"
},
"inventories": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify inventory host path or comma separated host list"
},
"extra-vars": {
"items": {
"type": "string"
},
"type": "array",
"description": "set additional variables as key=value or @file (YAML/JSON)"
}
},
"type": "object"
},
"module": {
"properties": {
"dir": {
"type": "string",
"description": "specify directory to the wasm modules that will be loaded"
},
"enable-modules": {
"items": {
"type": "string"
},
"type": "array",
"description": "[EXPERIMENTAL] module names to enable"
}
},
"type": "object"
},
"pkg": {
"properties": {
"include-dev-deps": {
"type": "boolean",
"description": "include development dependencies in the report (supported: npm, yarn, gradle)"
},
"types": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"os",
"library"
],
"description": "list of package types"
},
"relationships": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"unknown",
"root",
"workspace",
"direct",
"indirect"
],
"description": "list of package relationships"
}
},
"type": "object"
},
"registry": {
"properties": {
"username": {
"items": {
"type": "string"
},
"type": "array",
"description": "username. Comma-separated usernames allowed."
},
"password": {
"items": {
"type": "string"
},
"type": "array",
"description": "password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons."
},
"password-stdin": {
"type": "boolean",
"description": "password from stdin. Comma-separated passwords are not supported."
},
"token": {
"type": "string",
"description": "registry token"
},
"mirrors": {
"additionalProperties": {
"items": {
"type": "string"
},
"type": "array"
},
"type": "object",
"description": "map of hosts and registries for them."
}
},
"type": "object"
},
"rego": {
"properties": {
"include-deprecated-checks": {
"type": "boolean",
"description": "include deprecated checks"
},
"skip-check-update": {
"type": "boolean",
"description": "skip fetching rego check updates"
},
"trace": {
"type": "boolean",
"description": "enable more verbose trace output for custom queries"
},
"check": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify the paths to the Rego check files or to the directories containing them, applying config files"
},
"data": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify paths from which data for the Rego checks will be recursively loaded"
},
"namespaces": {
"items": {
"type": "string"
},
"type": "array",
"description": "Rego namespaces"
},
"error-limit": {
"type": "integer",
"description": "maximum number of compile errors allowed during Rego policy evaluation"
}
},
"type": "object"
},
"format": {
"type": "string",
"enum": [
"table",
"json",
"template",
"sarif",
"cyclonedx",
"spdx",
"spdx-json",
"github",
"cosign-vuln"
],
"description": "format"
},
"report": {
"type": "string",
"enum": [
"all",
"summary"
],
"description": "specify a report format for the output"
},
"template": {
"type": "string",
"description": "output template"
},
"dependency-tree": {
"type": "boolean",
"description": "[EXPERIMENTAL] show dependency origin tree of vulnerable packages"
},
"list-all-pkgs": {
"type": "boolean",
"description": "output all packages in the JSON report regardless of vulnerability"
},
"ignorefile": {
"type": "string",
"description": "specify .trivyignore file"
},
"ignore-policy": {
"type": "string",
"description": "specify the Rego file path to evaluate each vulnerability"
},
"exit-code": {
"type": "integer",
"description": "specify exit code when any security issues are found"
},
"exit-on-eol": {
"type": "integer",
"description": "exit with the specified code when the OS reaches end of service/life"
},
"output": {
"type": "string",
"description": "output file name"
},
"output-plugin-arg": {
"type": "string",
"description": "[EXPERIMENTAL] output plugin arguments"
},
"severity": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"UNKNOWN",
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL"
],
"description": "severities of security issues to be displayed"
},
"scan": {
"properties": {
"compliance": {
"type": "string",
"description": "compliance report to generate"
},
"show-suppressed": {
"type": "boolean",
"description": "[EXPERIMENTAL] show suppressed vulnerabilities"
},
"skip-dirs": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify the directories or glob patterns to skip"
},
"skip-files": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify the files or glob patterns to skip"
},
"offline": {
"type": "boolean",
"description": "do not issue API requests to identify dependencies"
},
"scanners": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"vuln",
"misconfig",
"secret",
"license"
],
"description": "comma-separated list of what security issues to detect"
},
"file-patterns": {
"items": {
"type": "string"
},
"type": "array",
"description": "specify config file patterns"
},
"parallel": {
"type": "integer",
"description": "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism"
},
"sbom-sources": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"oci",
"rekor"
],
"description": "[EXPERIMENTAL] try to retrieve SBOM from the specified sources"
},
"rekor-url": {
"type": "string",
"description": "[EXPERIMENTAL] address of rekor STL server"
},
"detection-priority": {
"type": "string",
"enum": [
"precise",
"comprehensive"
],
"description": "specify the detection priority:\n - \"precise\": Prioritizes precise by minimizing false positives.\n - \"comprehensive\": Aims to detect more security findings at the cost of potential false positives.\n"
},
"distro": {
"type": "string",
"description": "[EXPERIMENTAL] specify a distribution, \u003cfamily\u003e/\u003cversion\u003e"
},
"skip-version-check": {
"type": "boolean",
"description": "suppress notices about version updates and Trivy announcements"
},
"disable-telemetry": {
"type": "boolean",
"description": "disable sending anonymous usage data to Aqua"
}
},
"type": "object"
},
"table-mode": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"summary",
"detailed"
],
"description": "[EXPERIMENTAL] tables that will be displayed in 'table' format"
},
"repository": {
"properties": {
"branch": {
"type": "string",
"description": "pass the branch name to be scanned"
},
"commit": {
"type": "string",
"description": "pass the commit hash to be scanned"
},
"tag": {
"type": "string",
"description": "pass the tag name to be scanned"
}
},
"type": "object"
},
"secret": {
"properties": {
"config": {
"type": "string",
"description": "specify a path to config file for secret scanning"
}
},
"type": "object"
},
"vulnerability": {
"properties": {
"ignore-unfixed": {
"type": "boolean",
"description": "display only fixed vulnerabilities"
},
"ignore-status": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"unknown",
"not_affected",
"affected",
"fixed",
"under_investigation",
"will_not_fix",
"fix_deferred",
"end_of_life"
],
"description": "comma-separated list of vulnerability status to ignore"
},
"vex": {
"items": {
"type": "string"
},
"type": "array",
"description": "[EXPERIMENTAL] VEX sources (\"repo\", \"oci\" or file path)"
},
"skip-vex-repo-update": {
"type": "boolean",
"description": "[EXPERIMENTAL] Skip VEX Repository update"
},
"severity-source": {
"items": {
"type": "string"
},
"type": "array",
"enum": [
"nvd",
"redhat",
"redhat-oval",
"debian",
"ubuntu",
"alpine",
"amazon",
"oracle-oval",
"suse-cvrf",
"photon",
"arch-linux",
"alma",
"rocky",
"cbl-mariner",
"azure",
"ruby-advisory-db",
"php-security-advisories",
"nodejs-security-wg",
"ghsa",
"glad",
"aqua",
"osv",
"k8s",
"wolfi",
"chainguard",
"bitnami",
"govulndb",
"julia",
"echo",
"minimos",
"rootio",
"auto"
],
"description": "order of data sources for selecting vulnerability severity level"
}
},
"type": "object"
}
},
"type": "object",
"title": "Trivy Configuration",
"description": "Configuration file for Trivy security scanner (trivy.yaml)"
}