Trivy seems to not expand env variables when using config file

[RyuunosukeDS3]

Description

I have trivy running in a CI environment on GitLab in order to automatically get vulnerabilities for our applications. We are using a config file (trivy.yaml) that is downloaded at runtime in order to set trivy options. Other options work, but the cache directory option seem to not be exapding the variables correctly.

trivy.yaml

cache:
  dir: "$CI_PROJECT_DIR/.cache/trivy"

This can also be observed locally

Desired Behavior

I wanted trivy to expand these variables in order to use it:

2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="/buids/devops/name-of-the-project/.cache/trivy"
2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="/buids/devops/name-of-the-project/.cache/trivy"

Actual Behavior

It treats the variables as a common string failing to sabe the cache in the apropriate place

2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="$CI_PROJECT_DIR/.cache/trivy"
2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="$CI_PROJECT_DIR/.cache/trivy"

Reproduction Steps

1. Create a trivy.yaml file containing an env variable
2. Run trivy with debug mode in order to observe if it expanded the paths
...

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2025-02-20T17:18:53Z	DEBUG	No plugins loaded
2025-02-20T17:18:53Z	INFO	Loaded	file_path="trivy.yaml"
2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="$CI_PROJECT_DIR/.cache/trivy"
2025-02-20T17:18:53Z	DEBUG	Cache dir	dir="$CI_PROJECT_DIR/.cache/trivy"
2025-02-20T17:18:53Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="index.docker.io/aquasec/trivy-db:2"
2025-02-20T17:18:53Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-db:2"
2025-02-20T17:18:53Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="index.docker.io/aquasec/trivy-java-db:1"
2025-02-20T17:18:53Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-java-db:1"
2025-02-20T17:18:53Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-20T17:18:53Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2025-02-20T17:18:53Z	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open $CI_PROJECT_DIR/.cache/trivy/db/metadata.json: no such file or directory"
2025-02-20T17:18:53Z	INFO	[vulndb] Need to update DB
2025-02-20T17:18:53Z	DEBUG	[vulndb] No metadata file
2025-02-20T17:18:53Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-20T17:18:53Z	INFO	[vulndb] Downloading artifact...	repo="index.docker.io/aquasec/trivy-db:2"
26.04 MiB / 59.33 MiB [-------------------------->__________________________________] 43.89% ? p/s ?45.11 MiB / 59.33 MiB [---------------------------------------------->______________] 76.04% ? p/s ?59.33 MiB / 59.33 MiB [----------------------------------------------------------->] 100.00% ? p/s ?59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 55.51 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 55.51 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 55.51 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 51.93 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 51.93 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [---------------------------------------------->] 100.00% 51.93 MiB p/s ETA 0s59.33 MiB / 59.33 MiB [-------------------------------------------------] 100.00% 35.83 MiB p/s 1.9s2025-02-20T17:18:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="index.docker.io/aquasec/trivy-db:2"
2025-02-20T17:18:55Z	DEBUG	Updating database metadata...
2025-02-20T17:18:55Z	DEBUG	DB info	schema=2 updated_at=2025-02-20T12:19:01.414470804Z next_update=2025-02-21T12:19:01.414470624Z downloaded_at=2025-02-20T17:18:55.731073225Z
2025-02-20T17:18:55Z	DEBUG	[pkg] Package types	types=[os library]
2025-02-20T17:18:55Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-02-20T17:18:55Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-20T17:18:55Z	DEBUG	Initializing scan cache...	type="memory"
2025-02-20T17:18:55Z	DEBUG	[fs] Analyzing...	root="."
2025-02-20T17:18:55Z	DEBUG	[fs] Random cache key will be used	err="repository is dirty"
2025-02-20T17:18:55Z	DEBUG	Skipping path	path=".git"
2025-02-20T17:18:55Z	DEBUG	Skipping path	path="senior-ci/.git"
2025-02-20T17:18:55Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2025-02-20T17:18:55Z	DEBUG	OS is not detected.
2025-02-20T17:18:55Z	DEBUG	Detected OS: unknown
2025-02-20T17:18:55Z	INFO	Number of language-specific files	num=7
2025-02-20T17:18:55Z	INFO	[dotnet-core] Detecting vulnerabilities...
2025-02-20T17:18:55Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="output/Ocorrencias.Repository.deps.json"
2025-02-20T17:18:55Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="output/Ocorrencias.Server.deps.json"
2025-02-20T17:18:55Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="output/Ocorrencias.Tests.deps.json"
2025-02-20T17:18:55Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="output/Ocorrencias.deps.json"
2025-02-20T17:18:55Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="output/coverlet.collector.deps.json"
2025-02-20T17:18:55Z	INFO	[pip] Detecting vulnerabilities...
2025-02-20T17:18:55Z	DEBUG	[pip] Scanning packages for vulnerabilities	file_path="senior-ci/requirements.txt"
2025-02-20T17:18:55Z	INFO	[pom] Detecting vulnerabilities...
2025-02-20T17:18:55Z	DEBUG	[pom] Scanning packages for vulnerabilities	file_path="senior-ci/common/default-files/pom.xml"
2025-02-20T17:18:55Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-02-20T17:18:55Z	DEBUG	[vex] VEX filtering is disabled
For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.59/docs/supply-chain/vex/repo#publishing-vex-documents
To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

Operating System

Linux (Alpine, Ubuntu, Debian, etc)

Version

v0.59.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

AFAIK we don't extrapolate variables inside of a trivy config file.

[RyuunosukeDS3]

In docs there is a variable mentioned in the module options:

https://trivy.dev/v0.59/docs/references/configuration/config-file/#module-options

That gave me the impression i could use variables inside the config file. Also until version v0.54.0 (which was when i first visited the config file docs) it also had a variable on the cache options:

https://trivy.dev/v0.54/docs/references/configuration/config-file/#global-options

That's what might have caused the confusion.

Any reason trivy doesn't extrapolate variables on config file? In cases like mine where paths can be volatile it would be really helpful without having to set a lot flags.

Thanks for the awesome work

[simar7]

It seems to be a limitation of viper spf13/viper#315

But correct me if I'm wrong @DmitriyLewen