trivy-action
Trivy Config ignored in latest version
We are currently running Trivy with the latest version:
```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
  with:
    image-ref: '$ref'
    scan-type: 'image'
    scan-ref: '.'
    severity: "HIGH,CRITICAL"
    scanners: "vuln,config"
    vuln-type: 'library'
    format: 'sarif'
    exit-code: '0'
    output: 'trivy-results.sarif'
```
Subsequent uploading works perfectly fine with:
```yaml
- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: 'trivy-results.sarif'
```
We want to start using Trivy in more actions, so we are looking at using Trivy with a config file. When we take this exact set and place it in a `.trivy.yml` at the root of our repository:

```yaml
severity: HIGH,CRITICAL
scanners: vuln,config
vuln-type: library
format: sarif
exit-code: 0
output: trivy-results.sarif
ignore-unfixed: false
list-all-pkgs: false
```
and modify the action to use `trivy-config`:

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
  with:
    image-ref: '$ref'
    scan-type: 'image'
    scan-ref: '.'
    trivy-config: '.trivy.yml'
```

it fails, as the action reports:

```
INFO Secret scanning is enabled
```

and that should not be the case, as with our previous version. The upload also fails, as the output does not exist: `Path does not exist: trivy-results.sarif`
Anything we can do here to resolve this issue? Happy to test and provide more data.
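As an added example (not code from the issue author or from the trivy-action project), the script below takes a flat `key: value` config like the `.trivy.yml` in the post, rewrites the keys it recognises into the nested layout that Trivy's config-file reference documents for them, and checks that a SARIF file really exists and parses before it would be handed to `upload-sarif`. The flat-to-nested mapping (`scan.scanners`, `vulnerability.type`, `vulnerability.ignore-unfixed`, with `severity`, `format`, `output` and `exit-code` at top level) is an assumption taken from that reference and should be checked against the docs for the Trivy version the pinned action ships; keys it does not know about (`list-all-pkgs` here) are left at top level and reported so their placement can be confirmed. The sample config is constructed from the post.

```python
"""Convert a flat Trivy config into the nested config-file layout and
sanity-check a SARIF output file before upload.

Added example: not part of trivy-action or the issue. The mapping below is
an assumption based on Trivy's config-file reference; verify it against the
docs for the Trivy version the action pins.
"""
import json
import os

# Flat flag name -> nested config path (assumption, see module docstring).
NESTED_PATHS = {
    "severity": ("severity",),
    "format": ("format",),
    "output": ("output",),
    "exit-code": ("exit-code",),
    "scanners": ("scan", "scanners"),
    "vuln-type": ("vulnerability", "type"),
    "ignore-unfixed": ("vulnerability", "ignore-unfixed"),
}
# Flags whose comma-separated value becomes a YAML list.
LIST_KEYS = {"severity", "scanners", "vuln-type"}


def parse_flat_config(text):
    """Parse 'key: value' lines (the flat style used in the post) into a dict."""
    flat = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        flat[key.strip()] = value.strip().strip("'\"")
    return flat


def coerce(key, value):
    """Turn the string value of a flag into a list, bool, int or plain string."""
    if key in LIST_KEYS:
        return [v.strip() for v in value.split(",") if v.strip()]
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if value.lstrip("-").isdigit():
        return int(value)
    return value


def nest_config(flat):
    """Return (nested_config, unknown_keys); unknown keys stay at top level."""
    nested, unknown = {}, []
    for key, raw in flat.items():
        value = coerce(key, raw)
        path = NESTED_PATHS.get(key)
        if path is None:
            unknown.append(key)          # placement not known: confirm in the docs
            nested[key] = value
            continue
        node = nested
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return nested, unknown


def scalar(v):
    return str(v).lower() if isinstance(v, bool) else str(v)


def dump_yaml(obj, indent=0):
    """Minimal YAML emitter for dicts, lists and scalars (no PyYAML needed)."""
    pad = "  " * indent
    lines = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}{k}:")
                lines.extend(dump_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {scalar(v)}")
    elif isinstance(obj, list):
        for v in obj:
            lines.append(f"{pad}- {scalar(v)}")
    return lines


def check_sarif(path):
    """Return (ok, reason): does `path` exist and look like a SARIF 2.1.0 log?"""
    if not os.path.isfile(path):
        return False, f"Path does not exist: {path}"
    with open(path, encoding="utf-8") as fh:
        try:
            doc = json.load(fh)
        except json.JSONDecodeError as exc:
            return False, f"not JSON: {exc}"
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        return False, "missing SARIF version/runs"
    return True, f"{len(doc['runs'])} run(s)"


# Constructed sample: the flat .trivy.yml from the post.
FLAT_CONFIG = """\
severity: HIGH,CRITICAL
scanners: vuln,config
vuln-type: library
format: sarif
exit-code: 0
output: trivy-results.sarif
ignore-unfixed: false
list-all-pkgs: false
"""

if __name__ == "__main__":
    nested, unknown = nest_config(parse_flat_config(FLAT_CONFIG))
    print("\n".join(dump_yaml(nested)))
    print("keys left at top level, confirm placement:", unknown)
    print(check_sarif("trivy-results.sarif"))
```

Running `check_sarif` as a workflow step between the scan and the upload turns the `Path does not exist` failure into an explicit message about which file is missing or malformed, rather than a failure inside `upload-sarif`.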