# Trivy

> CodeRabbit's guide to Trivy.

[Trivy](https://github.com/aquasecurity/trivy) is an open-source security scanner from Aqua Security. CodeRabbit uses it to find misconfigurations (for example, unencrypted storage, overly broad IAM policies, or containers running as root) and exposed secrets (hard-coded credentials, tokens, and private keys) in Infrastructure as Code (IaC) files.

## Files

Trivy runs only on files matching these patterns:

* **Terraform**: `*.tf`, `*.tf.json`, `*.tofu`, `*.tofu.json`
* **Docker**: `Dockerfile`, `Dockerfile.*`, `*.dockerfile`
* **Kubernetes**: `k8s/**/*.yaml`, `k8s/**/*.yml`, `kubernetes/**/*.yaml`, `kubernetes/**/*.yml`, `manifests/**/*.yaml`, `manifests/**/*.yml`
* **Helm**: `helm/**/*.yaml`, `helm/**/*.yml`, `charts/**/*.yaml`, `charts/**/*.yml`, `Chart.yaml`, `values.yaml`, `values.yml`
* **CloudFormation**: `*.template.json`, `*.template.yaml`, `*.template.yml`, `cloudformation/**/*.json`, `cloudformation/**/*.yaml`, `cloudformation/**/*.yml`
* **Azure ARM**: `azuredeploy.json`, `azuredeploy.parameters.json`, `arm/**/*.json`
* **Docker Compose**: `docker-compose.yaml`, `docker-compose.yml`, `compose.yaml`, `compose.yml`

Non-IaC files (e.g. GitHub workflows, `package.json`) are excluded.
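To check which files in a change CodeRabbit will hand to Trivy, the following is an added example, not CodeRabbit's or Trivy's own code, that mirrors the patterns listed above. It assumes gitignore-style glob semantics: `**/` matches zero or more directory levels, `*` and `?` never cross a `/`, a pattern with no `/` matches the file name at any depth, and a pattern containing a `/` is anchored at the repository root. Those semantics are an assumption; the page does not say how the patterns are matched.

```python
import re
from pathlib import PurePosixPath

# The patterns from the "Files" list above, grouped by IaC type.
TRIVY_PATTERNS = {
    "terraform": ["*.tf", "*.tf.json", "*.tofu", "*.tofu.json"],
    "docker": ["Dockerfile", "Dockerfile.*", "*.dockerfile"],
    "kubernetes": [
        "k8s/**/*.yaml", "k8s/**/*.yml",
        "kubernetes/**/*.yaml", "kubernetes/**/*.yml",
        "manifests/**/*.yaml", "manifests/**/*.yml",
    ],
    "helm": [
        "helm/**/*.yaml", "helm/**/*.yml",
        "charts/**/*.yaml", "charts/**/*.yml",
        "Chart.yaml", "values.yaml", "values.yml",
    ],
    "cloudformation": [
        "*.template.json", "*.template.yaml", "*.template.yml",
        "cloudformation/**/*.json", "cloudformation/**/*.yaml", "cloudformation/**/*.yml",
    ],
    "azure_arm": ["azuredeploy.json", "azuredeploy.parameters.json", "arm/**/*.json"],
    "docker_compose": ["docker-compose.yaml", "docker-compose.yml", "compose.yaml", "compose.yml"],
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a gitignore-style glob into an anchored regex.

    '**/' matches zero or more directory segments; '*' and '?' stay within
    one path segment. (Assumed semantics, see the lead-in.)
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def classify(path: str):
    """Return the IaC type Trivy would scan this repo-relative path as,
    or None if the file falls outside every pattern."""
    p = PurePosixPath(path)
    for kind, globs in TRIVY_PATTERNS.items():
        for g in globs:
            # Assumption: a pattern without '/' matches the bare file name
            # anywhere in the tree; one with '/' is matched against the full
            # path from the repository root.
            target = str(p) if "/" in g else p.name
            if glob_to_regex(g).match(target):
                return kind
    return None


if __name__ == "__main__":
    # Constructed sample paths, including ones that are deliberately skipped.
    for sample in [
        "modules/vpc/main.tf",
        "build/Dockerfile.prod",
        "k8s/prod/deploy.yaml",
        "infra/deploy.yaml",          # Kubernetes manifest outside k8s/ is not scanned
        ".github/workflows/ci.yaml",  # non-IaC, excluded
        "package.json",               # non-IaC, excluded
    ]:
        print(f"{sample:32} -> {classify(sample)}")
```

The two `None` results are the ones worth noticing: a Kubernetes manifest living under `infra/` instead of `k8s/`, `kubernetes/`, or `manifests/` is silently skipped, so repositories with non-standard layouts should move or symlink manifests into a matching directory if they expect Trivy findings on them.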

## Configuration

* CodeRabbit will read and use the repo's `trivy.yaml` config file.
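As an added example, not taken from CodeRabbit's or Trivy's documentation, here is a `trivy.yaml` of the kind a repository might carry. The directory names, file names, and values files in it are assumptions for illustration. One caveat worth knowing: Trivy gives command-line flags precedence over config-file values, so a `severity` key in this file has no effect under CodeRabbit, because the review profile supplies `--severity` on the command line.

```yaml
# Added example trivy.yaml (not from the CodeRabbit docs); paths below are assumed.

scan:
  # Directories Trivy should not descend into. Vendored modules and test
  # fixtures usually produce findings the team does not own.
  skip-dirs:
    - vendor
    - test/fixtures
  # Individual files to leave out of the scan.
  skip-files:
    - docker/Dockerfile.local

# File listing check IDs to suppress, one per line, with comments allowed.
# Prefer this over skip-dirs when only a specific check is a false positive.
ignorefile: .trivyignore

misconfiguration:
  terraform:
    # Variable files so Trivy evaluates real values instead of unknowns.
    vars:
      - terraform/envs/prod.tfvars
  helm:
    # Values files applied when rendering charts before they are scanned.
    values:
      - charts/app/values-prod.yaml
```

Keep `.trivyignore` entries reviewed: each suppressed check ID is a finding CodeRabbit will never raise again on that repository.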

## Profile behavior

* **Chill**: `--severity CRITICAL,HIGH`
* **Assertive**: `--severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN`

## Links

* [Trivy GitHub Repository](https://github.com/aquasecurity/trivy)
* [Trivy Documentation](https://trivy.dev)
