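# =============================================================================
# Trivy Configuration — Container + IaC + Secret Scanning
# =============================================================================
# trivy.yaml — Project-level config
#
# Keys mirror Trivy's CLI flags (severity == --severity, exit-code == --exit-code,
# and so on); a flag given on the command line overrides the value set here.
---
# Only CRITICAL and HIGH findings are reported. MEDIUM and below never appear
# in the output of this scan, so they cannot be triaged from it.
severity:
  - CRITICAL
  - HIGH

# Exit non-zero when any finding at the selected severities remains, so CI
# treats the scan as a gate rather than an advisory report.
exit-code: 1

# Hide vulnerabilities that have no fixed version yet. This keeps the gate
# actionable, but it also silences unfixed CRITICALs — track those out of band.
ignore-unfixed: true

# Ignore specific CVEs with justification (one ID per line, reason in a comment)
ignorefile: .trivyignore

# DB settings — always refresh the vulnerability DB so results are current
db:
  skip-update: false

# Secret scanning
# NOTE(review): 'secret.enable' is not a documented trivy.yaml key; the secret
# scanner is switched on through 'scanners' below. Confirm against the
# installed Trivy version before relying on this stanza.
secret:
  enable: true

# Misconfiguration scanning
# NOTE(review): Trivy documents this stanza as 'misconfiguration', and
# 'enable' / 'terraform.validate' are not documented options under it —
# confirm; enablement is driven by 'scanners' below.
misconf:
  enable: true
  terraform:
    validate: true

# IaC scanning
# NOTE(review): there is no 'iac' stanza in trivy.yaml; IaC files are covered
# by the misconfig scanner. Kept to preserve intent — confirm or drop.
iac:
  enable: true

# Scanners to run. Trivy's name for the IaC/misconfiguration scanner is
# 'misconfig'; 'misconf' is not a recognised value.
scanners:
  - vuln
  - misconfig
  - secret

# Report format. Trivy accepts a single value here (table, json, sarif, ...);
# a list is not valid. Produce JSON for tooling with a second run or with
# '--format json' on the command line.
format: table

# Registry credentials (use IRSA in EKS)
# NOTE(review): trivy.yaml's registry stanza is 'registry' (username /
# password / token); 'registries' with name/insecure is not documented — confirm.
# 'insecure: false' keeps TLS certificate verification on for registry pulls.
registries:
  - name: ecr.aws
    insecure: false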