docs/guide/scanner/misconfiguration/custom/data.md
Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the --config-data flag.
Trivy recursively searches the specified data paths for JSON (*.json) and YAML (*.yaml) files.
For example, consider an allowed list of resources that can be created. Instead of hardcoding this information inside your check, you can maintain the list in a separate file.
Example data file:
services:
ports:
- "20"
- "20/tcp"
- "20/udp"
- "23"
- "23/tcp"
Example usage in a Rego check:
import data.services
ports := services.ports
Example loading the data file:
trivy config --config-check ./checks --config-data ./data --namespaces user ./configs
Some checks allow you to customize the default data values. To do this, simply pass a data file via --config-data (see the section above).
Table of supported data for customizing and their paths:
| Check ID | Data path | Description |
|---|---|---|
| KSV0125 | ksv0125.trusted_registries | List of trusted container registries |
| DS031 | ds031.included_envs | List of allowed environment variables (merged with defaults) |
Example of overriding trusted registries for KSV0125:
ksv0125:
trusted_registries:
- "my-registry.example.com"
- "registry.internal.local"