Skip to content
Latchkey

trivy config: Scan IaC and Dockerfiles

trivy config scans infrastructure-as-code (Terraform, Kubernetes, Dockerfile, Helm) for security misconfigurations.

Misconfigured infrastructure is as risky as a vulnerable package. trivy config runs the built-in misconfiguration checks against IaC files so insecure defaults fail the build.

What it does

trivy config evaluates IaC files against Trivy built-in policies (sourced from the misconfiguration checks). It understands Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, Helm charts, and more, reporting each failed check with a severity and remediation hint.

Common usage

Terminal
trivy config .
trivy config --severity HIGH,CRITICAL ./deploy
# scan a single Dockerfile
trivy config Dockerfile

Options

FlagWhat it does
--severity <list>Severities to report
--exit-code <n>Exit code when misconfigurations are found
--config-check <dir>Load additional custom Rego policy directories
--skip-dirs <dir>Exclude paths from the scan
--format <fmt>table, json, sarif
--include-non-failuresAlso show checks that passed

In CI

Gate IaC changes with trivy config --exit-code 1 --severity HIGH,CRITICAL on the directory holding your manifests. Pair it with trivy fs in the same job to cover both dependencies and infrastructure in one pass.

Common errors in CI

"no results" on a directory you expected findings in usually means trivy did not recognize the file type; confirm the extension and that the files are valid (a Terraform parse error silently skips the file). "failed to load custom policies" with --config-check means the Rego path is wrong or the policy has a syntax error.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →