docs: update info about config file (#6547)

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>

docs/docs/references/configuration/cli/trivy_aws.md

@@ -87,7 +87,7 @@ trivy aws [flags]
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

docs/docs/references/configuration/config-file.md

@@ -81,6 +81,15 @@ severity:
   - MEDIUM
   - HIGH
   - CRITICAL
+
+scan:
+  # Same as '--compliance'
+  # Default is empty  
+  compliance:
+
+  # Same as '--show-suppressed'
+  # Default is false  
+  show-suppressed: false
 ```
 
 ## Scan Options
@@ -106,7 +115,7 @@ scan:
 
   # Same as '--offline-scan'
   # Default is false
-  offline-scan: false
+  offline: false
 
   # Same as '--scanners'
   # Default depends on subcommand
@@ -115,6 +124,24 @@ scan:
     - misconfig
     - secret
     - license
+    - 
+  # Same as '--parallel'
+  # Default is 5
+  parallel: 1
+
+  # Same as '--sbom-sources'
+  # Default is empty
+  sbom-sources: 
+    - oci
+    - rekor
+
+  # Same as '--rekor-url'
+  # Default is 'https://rekor.sigstore.dev'
+  rekor-url: https://rekor.sigstore.dev
+
+  # Same as '--include-dev-deps'
+  # Default is false
+  include-dev-deps: false
 ```
 
 ## Cache Options
@@ -131,6 +158,9 @@ cache:
 
   # Redis options
   redis:
+    # Same as '--redis-tls'
+    # Default is false
+    tls:    
     # Same as '--redis-ca'
     # Default is empty
     ca:
@@ -148,21 +178,25 @@ cache:
 
 ```yaml
 db:
-  # Same as '--skip-db-update'
-  # Default is false
-  skip-update: false
-
   # Same as '--no-progress'
   # Default is false
   no-progress: false
   
+  # Same as '--skip-db-update'
+  # Default is false
+  skip-update: false
+
   # Same as '--db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-db'
+  # Default is 'ghcr.io/aquasecurity/trivy-db:2'
-  repository: ghcr.io/aquasecurity/trivy-db
+  repository: ghcr.io/aquasecurity/trivy-db:2
+
+  # Same as '--skip-java-db-update'
+  # Default is false
+  java-skip-update: false  
 
   # Same as '--java-db-repository'
-  # Default is 'ghcr.io/aquasecurity/trivy-java-db'
+  # Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
-  java-repository: ghcr.io/aquasecurity/trivy-java-db
+  java-repository: ghcr.io/aquasecurity/trivy-java-db:1
 ```
 
 ## Registry Options
@@ -199,6 +233,18 @@ image:
   # Default is empty
   platform:
 
+  # Same as '--image-src'
+  # Default is 'docker,containerd,podman,remote'
+  source:
+    - podman
+    - docker
+      
+  # Same as '--image-config-scanners'
+  # Default is empty
+  image-config-scanners:
+    - misconfig
+    - secret      
+  
   docker:
     # Same as '--docker-host'
     # Default is empty
@@ -224,6 +270,67 @@ vulnerability:
   # Same as '--ignore-unfixed'
   # Default is false
   ignore-unfixed: false
+
+  # Same as '--ignore-unfixed'
+  # Default is empty
+  ignore-status: 
+    - end_of_life
+```
+
+## License Options
+Available with license scanning
+
+```yaml
+license:
+  # Same as '--license-full'
+  # Default is false
+  full: false
+
+  # Same as '--ignored-licenses'
+  # Default is empty
+  ignored:
+    - MPL-2.0
+    - MIT
+
+  # Same as '--license-confidence-level'
+  # Default is 0.9
+  confidenceLevel: 0.9
+
+  # Set list of forbidden licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
+  forbidden:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of restricted licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
+  restricted:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of reciprocal licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
+  reciprocal:
+    - AGPL-1.0
+    - AGPL-3.0
+
+  # Set list of notice licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
+  notice:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of permissive licenses
+  # Default is empty
+  permissive:
+    - AGPL-1.0
+    - AGPL-3.0  
+
+  # Set list of unencumbered licenses
+  # Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
+  unencumbered:
+    - AGPL-1.0
+    - AGPL-3.0    
 ```
 
 ## Secret Options
@@ -239,11 +346,15 @@ secret:
 ## Rego Options
 
 ```yaml
-rego
+rego:
   # Same as '--trace'
   # Default is false
   trace: false
 
+  # Same as '--skip-policy-update'
+  # Default is false
+  skip-policy-update: false
+
   # Same as '--config-policy'
   # Default is empty
   policy:
@@ -272,6 +383,10 @@ misconfiguration:
   # Default is false
   include-non-failures: false
 
+  # Same as '--policy-bundle-repository'
+  # Default is 'ghcr.io/aquasecurity/trivy-checks:0'
+  policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0  
+  
   # Same as '--miconfig-scanners'
   # Default is all scanners
   scanners:
@@ -313,6 +428,12 @@ misconfiguration:
     # Same as '--tf-exclude-downloaded-modules'
     # Default is false
     exclude-downloaded-modules: false
+
+    # Same as '--cf-params'
+    # Default is false
+  cloudformation:
+    params:
+      - params.json
 ```
 
 ## Kubernetes Options
@@ -327,6 +448,58 @@ kubernetes:
   # Same as '--namespace'
   # Default is empty
   namespace:
+
+  # Same as '--kubeconfig'
+  # Default is empty
+  kubeconfig: ~/.kube/config2
+
+  # Same as '--components'
+  # Default is 'workload,infra'
+  components: 
+    - workload
+    - infra
+
+  # Same as '--k8s-version'
+  # Default is empty
+  k8s-version: 1.21.0
+
+  # Same as '--tolerations'
+  # Default is empty
+  tolerations:
+    - key1=value1:NoExecute
+    - key2=value2:NoSchedule
+
+  # Same as '--all-namespaces'
+  # Default is false
+  all-namespaces: false
+
+  node-collector:
+    # Same as '--node-collector-namespace'
+    # Default is 'trivy-temp'
+    namespace: ~/.kube/config2
+
+    # Same as '--node-collector-imageref'
+    # Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
+    imageref: ghcr.io/aquasecurity/node-collector:0.0.9
+
+  exclude:
+    # Same as '--exclude-owned'
+    # Default is false
+    owned: true
+
+    # Same as '--exclude-nodes'
+    # Default is empty
+    nodes:
+      - kubernetes.io/arch:arm64
+      - team:dev
+
+  # Same as '--qps'
+  # Default is 5.0
+  qps: 5.0
+
+  # Same as '--burst'
+  # Default is 10
+  burst: 10
 ```
 
 ## Repository Options
@@ -397,6 +570,35 @@ cloud:
 
     # the aws account to use (this will be determined from your environment when not set)
     account: 123456789012
+
+    # the aws specific services
+    service: 
+      - s3
+      - ec2
+        
+    # the aws specific arn
+    arn: arn:aws:s3:::example-bucket      
+
+    # skip the aws specific services
+    skip-service:
+      - s3
+      - ec2 
+```
+
+## Module Options
+Available for modules
+
+```yaml
+module:
+  # Same as '--module-dir'
+  # Default is '$HOME/.trivy/modules'
+  dir: $HOME/.trivy/modules
+
+  # Same as '--enable-modules'
+  # Default is empty
+  enable-modules: 
+    - trivy-module-spring4shell
+    - trivy-module-wordpress
 ```
 
 [example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

pkg/flag/cloud_flags.go

@@ -12,7 +12,7 @@ var (
 		Name:       "max-cache-age",
 		ConfigName: "cloud.max-cache-age",
 		Default:    time.Hour * 24,
-		Usage:      "The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this.",
+		Usage:      "The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this.",
 	}
 )
 

pkg/flag/kubernetes_flags.go

@@ -44,7 +44,7 @@ var (
 	}
 	K8sVersionFlag = Flag[string]{
 		Name:       "k8s-version",
-		ConfigName: "kubernetes.k8s.version",
+		ConfigName: "kubernetes.k8s-version",
 		Usage:      "specify k8s version to validate outdated api by it (example: 1.21.0)",
 	}
 	TolerationsFlag = Flag[[]string]{
@@ -54,16 +54,22 @@ var (
 	}
 	AllNamespaces = Flag[bool]{
 		Name:       "all-namespaces",
-		ConfigName: "kubernetes.all.namespaces",
+		ConfigName: "kubernetes.all-namespaces",
 		Shorthand:  "A",
 		Usage:      "fetch resources from all cluster namespaces",
 	}
 	NodeCollectorNamespace = Flag[string]{
 		Name:       "node-collector-namespace",
-		ConfigName: "node.collector.namespace",
+		ConfigName: "kubernetes.node-collector.namespace",
 		Default:    "trivy-temp",
 		Usage:      "specify the namespace in which the node-collector job should be deployed",
 	}
+	NodeCollectorImageRef = Flag[string]{
+		Name:       "node-collector-imageref",
+		ConfigName: "kubernetes.node-collector.imageref",
+		Default:    "ghcr.io/aquasecurity/node-collector:0.0.9",
+		Usage:      "indicate the image reference for the node-collector scan job",
+	}
 	ExcludeOwned = Flag[bool]{
 		Name:       "exclude-owned",
 		ConfigName: "kubernetes.exclude.owned",
@@ -74,12 +80,6 @@ var (
 		ConfigName: "kubernetes.exclude.nodes",
 		Usage:      "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
 	}
-	NodeCollectorImageRef = Flag[string]{
-		Name:       "node-collector-imageref",
-		ConfigName: "kubernetes.node.collector.imageref",
-		Default:    "ghcr.io/aquasecurity/node-collector:0.0.9",
-		Usage:      "indicate the image reference for the node-collector scan job",
-	}
 	QPS = Flag[float64]{
 		Name:       "qps",
 		ConfigName: "kubernetes.qps",

pkg/flag/scan_flags.go

@@ -98,7 +98,7 @@ var (
 	}
 	IncludeDevDepsFlag = Flag[bool]{
 		Name:       "include-dev-deps",
-		ConfigName: "include-dev-deps",
+		ConfigName: "scan.include-dev-deps",
 		Usage:      "include development dependencies in the report (supported: npm, yarn)",
 	}
 )