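# =============================================================================
# Trivy Configuration File
# =============================================================================
# This configuration enforces a ZERO-TOLERANCE security policy: a finding at
# ANY severity (including UNKNOWN) fails the scan with exit code 1.
#
# NOTE(review): Trivy reads this file with the key layout documented at
# https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
# `exit-code`, `severity` and `format` are TOP-LEVEL keys, and `skip-dirs` /
# `skip-files` live under `scan:`. The previous layout (`exit: code:`,
# `scan: severity:`, `output: format:`, top-level `skip-*`) does not match
# that schema and appears to be ignored rather than rejected -- with
# `exit-code` unset Trivy falls back to its default of 0, so the scan never
# failed the pipeline. Confirm the key names against the Trivy version in use.
#
# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/
# =============================================================================
---
# Exit with code 1 when ANY finding matching `severity` remains after the
# ignore file is applied (Trivy's default is 0 = never fail the build).
exit-code: 1

# Fail on every severity, including UNKNOWN. Leaving UNKNOWN out would
# silently exempt findings without a severity rating (fresh advisories,
# some secret and license findings).
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL

# Human-readable table output. (`output:` in Trivy is an output FILE path,
# not a section; `format` must not be nested under it.)
format: table

# Entries in this file suppress findings and therefore bypass the
# zero-tolerance policy. Give every entry a reason and an expiry
# (e.g. `CVE-2024-xxxxx exp:2024-12-31`) and review it like a code change.
ignorefile: ".trivyignore"

# Scan configuration
scan:
  # Enable all security scanners
  scanners:
    - vuln       # known vulnerabilities in OS / application packages
    - secret     # hard-coded credentials and tokens
    - misconfig  # IaC misconfigurations
    - license    # licence compliance

  # File patterns excluded from ALL scanners, secret detection included.
  # NOTE(review): tests and Markdown are a common home for leaked credentials
  # ("fixture" keys that turn out to be live, tokens pasted into READMEs);
  # excluding them here exempts them from the zero-tolerance policy. Keep
  # this list minimal and prefer per-finding entries in the ignore file.
  skip-files:
    - "**/*.md"
    - "**/test/**"
    - "**/tests/**"
    - "**/*_test.go"
    - "**/*_test.py"

  # Directory patterns excluded from ALL scanners. Skipping installed
  # dependency trees (node_modules, venv, .venv) is only safe when the
  # lock files are scanned instead; vendored packages that are not in a
  # lock file will not be seen.
  skip-dirs:
    - ".git"
    - "node_modules"
    - "venv"
    - ".venv"
    - "__pycache__"
    - ".trivycache"
    - "htmlcov"
    - ".pytest_cache"

# Package scanning options
pkg:
  # Scan both OS packages and application (language) dependencies
  types:
    - os
    - library

# Secret scanning options
secret:
  # Custom secret-rule file. The built-in rules do not depend on this value;
  # "" overrides Trivy's default lookup of `trivy-secret.yaml` so a file
  # checked into the repository cannot quietly allow-list or disable rules.
  # NOTE(review): confirm with the Trivy version in use that "" keeps the
  # built-in rules active and only drops custom rule files.
  config: ""

# Misconfiguration scanning options
misconfiguration:
  # IaC types to check
  scanners:
    - terraform
    - cloudformation
    - kubernetes
    - dockerfile
    - helm

# Cache configuration
cache:
  # Local cache for faster subsequent scans (excluded from scanning above)
  dir: ".trivycache"

# Database configuration
db:
  # Always refresh the vulnerability DB; a stale DB silently misses new CVEs
  skip-update: false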