trivy-image-scan

--debugdebug mode

--quietsuppress progress bar and log output

--resetremove all caches and database

--tokenfor authentication in client/server mode

--traceenable more verbose trace output for custom queries

--configconfig path (default trivy.yaml)

--formatformat (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default table)

--serverserver address in client mode

--tf-varsspecify paths to override the Terraform tfvars files

--timeouttimeout (default: 5m0s)

--helm-setspecify Helm values (can separate values with commas: key1=val1,key2=val2)

--insecureallow insecure server connections when using TLS

--platformset platform in the form os/arch if image is multi-platform capable

--redis-caredis ca file location, if using redis as cache backend

--severityseverities of vulnerabilities to be displayed (comma separated) (default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)

--templateoutput template

--cache-ttlcache TTL when using redis as cache backend

--exit-codeExit code when vulnerabilities are found

--redis-keyredis key file location, if using redis as cache backend

--rekor-url[EXPERIMENTAL] address of rekor STL server (default https://rekor.sigstore.dev)

--skip-dirsspecify the directories where the traversal is skipped

--vuln-typecomma-separated list of vulnerability types (os,library)

--compliancecomma-separated list of what compliance reports to generate (nsa)

--ignorefilespecify .trivyignore file (default .trivyignore)

List of images line by line to be scanned

--redis-certredis certificate file location, if using redis as cache backend

--skip-filesspecify the file paths to skip traversal

--clear-cacheclear image caches without scanning

--config-dataspecify paths from which data for the Rego policies will be recursively loaded

--helm-valuesspecify paths to override the Helm values.yaml files

--license-fulleagerly look for licenses in source code headers and license files

--offline-scando not issue API requests to identify dependencies

--removed-pkgsdetect vulnerabilities of removed packages (only for Alpine)

--sbom-sources[EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)

--token-headerspecify a header name for token in client/server mode (default Trivy-Token)

--cache-backendcache backend (e.g. redis://localhost:6379) (default fs)

--config-policyspecify paths to the Rego policy files directory, applying config files

--db-repositoryOCI repository to retrieve trivy-db from (default ghcr.io/aquasecurity/trivy-db)

--file-patternsspecify config file patterns

--ignore-policyspecify the Rego file to evaluate each vulnerability

--list-all-pkgsenabling the option will output all packages regardless of vulnerability

--secret-configspecify a path to config file for secret scanning (default trivy-secret.yaml)

--no-progresssuppress progress bar

--custom-headerscustom headers in client mode

--ignore-unfixeddisplay only fixed vulnerabilities

--skip-db-updateskip updating vulnerability database

--dependency-tree[EXPERIMENTAL] show dependency origin tree of vulnerable packages

--helm-set-stringspecify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

--security-checkscomma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])

--download-db-onlydownload/update vulnerability database but don't run a scan

--ignored-licensesspecify a list of license to ignore

--policy-namespacesRego namespaces

Username and password for Docker Hub registry (format username:password)

--include-non-failuresinclude successes and exceptions, available with '--security-checks config'