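---
# =============================================================================
# Trivy Configuration — Container + IaC + Secret Scanning
# =============================================================================
# trivy.yaml — Project-level config
#
# Trivy is understood to ignore config keys it does not recognise rather than
# erroring (confirm with the pinned version), so a mistyped or non-schema key
# silently has no effect. Keys below that are not in Trivy's documented schema
# are marked NOTE(review) — verify against `trivy --help` for the version in use.

# Only report findings at these severities. Findings below HIGH are filtered
# out of the report entirely, not merely de-prioritised.
severity:
  - CRITICAL
  - HIGH

# Non-zero exit makes CI fail when any finding at the above severities remains.
exit-code: 1

# Suppress findings that have no fixed version available yet.
# Risk acceptance: unfixed CRITICAL/HIGH vulnerabilities are hidden from the
# report, so they need tracking elsewhere (e.g. a periodic scan with this set
# to false).
# NOTE(review): in recent Trivy releases this option is read from
# `vulnerability.ignore-unfixed`; confirm which key the pinned version honours.
ignore-unfixed: true

# Ignore specific CVEs with justification
# Each entry in .trivyignore should carry a comment with the reason and an
# owner/expiry, so suppressions are reviewed rather than accumulating.
ignorefile: .trivyignore

# DB settings
db:
  # Keep false: scanning against a stale vulnerability DB misses new advisories.
  skip-update: false

# Secret scanning
# NOTE(review): secret scanning is switched on via `scan.scanners` below;
# `secret.enable` is not a key found in Trivy's config reference (the
# documented `secret` option is `config`, the rules file). Confirm it is read.
secret:
  enable: true

# Misconfiguration scanning
# NOTE(review): as above — misconfig scanning is selected via `scan.scanners`;
# `misconf.enable` and `misconf.terraform.validate` are not documented keys as
# far as can be told and may be silently ignored. Confirm against the pinned
# version before relying on them.
misconf:
  enable: true
  terraform:
    validate: true

# IaC scanning
# NOTE(review): there is no `iac` section in Trivy's documented schema; IaC
# files are covered by the misconfig scanner. Likely a no-op — confirm or remove.
iac:
  enable: true

# Scanners to run
# Trivy reads scanner selection from `scan.scanners`, not a top-level
# `scanners` key, and the misconfiguration scanner's value is `misconfig`.
scan:
  scanners:
    - vuln
    - misconfig
    - secret

# Report format
# `format` is a single value in Trivy; a list is not accepted. Run a second
# scan with `--format json` (and `--output`) when a machine-readable report is
# needed alongside the table.
format: table

# Registry credentials (use IRSA in EKS)
# NOTE(review): Trivy's documented registry options are `registry.username`,
# `registry.password` and `registry.token`, and TLS verification is the
# top-level `insecure` option; a `registries` list is not in the schema as far
# as can be told. Kept for intent, but it is probably not read.
registries:
  - name: ecr.aws
    insecure: false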