
fix(cli): Add support for telemetry from the config file

Open owenrumney opened this issue 6 months ago • 1 comments

At this time, only flags that have been explicitly set in the environment or the CLI flags are included in the telemetry requests.

trivy-operator uses a config file (along with others); we should find a way to include explicitly set values from the trivy config.

Warning: Be aware that there is a potential issue with viper where default values are treated as having been explicitly set.

owenrumney avatar Jul 02 '25 09:07 owenrumney

I think it’s worth clarifying a few details, since there seems to be some confusion among users.

This issue only affects parameters that can be set exclusively via the config file — for example, license rules (license-forbidden, license-notice). These flags do not have a name field, which is the root of the difference in behavior.

For all other flags, everything works as expected:

  1. Using the config file, you can correctly disable version checks and turn off telemetry.
    ➜ cat trivy.yaml 
    scan:
        disable-telemetry: true
        skip-version-check: true   
    ➜ trivy -d image alpine
    2025-10-07T15:58:37+06:00       INFO    Loaded  file_path="trivy.yaml"
    ...
    2025-10-07T15:58:37+06:00       DEBUG   [notification] Skipping update check and metric ping
    
    
  2. The telemetry package does not handle the config-file-only flags. This is because we cannot determine whether the values are set using a config file or whether this is a default value.
  3. For all remaining flags, telemetry picks up the correct values.
    ➜ cat trivy.yaml
    pkg:
        types:
            - os  
    ➜ ./trivy -d image alpine
    2025-10-07T16:00:28+06:00       INFO    Loaded  file_path="trivy.yaml"
    ...
    --debug=true --pkg-types=os // added for test
    ...
    

DmitriyLewen avatar Oct 07 '25 10:10 DmitriyLewen
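
One way to tell config-file values from defaults, as an added example (not code from Trivy or from either commenter): record which keys are present in the parsed file instead of comparing merged values with defaults. `flagDef`, `flatten` and `explicitFromConfig` are hypothetical names, the map is a hand-constructed stand-in for a parsed trivy.yaml, and viper is not involved.

```go
package main

import (
	"fmt"
	"strings"
)

// flagDef is a hypothetical descriptor: Name is the CLI flag name (empty for
// config-file-only options), ConfigKey the dotted path inside trivy.yaml.
type flagDef struct{ Name, ConfigKey string }

// flatten turns nested maps into dotted keys such as "scan.disable-telemetry".
func flatten(prefix string, in, out map[string]any) {
	for k, v := range in {
		if sub, ok := v.(map[string]any); ok {
			flatten(prefix+k+".", sub, out)
		} else {
			out[prefix+k] = v
		}
	}
}

// explicitFromConfig tests key presence in the file, not "value != default",
// so a key written with its default value still counts as explicitly set.
func explicitFromConfig(defs []flagDef, file map[string]any) []string {
	set, res := map[string]any{}, []string{}
	flatten("", file, set)
	for _, d := range defs {
		v, ok := set[d.ConfigKey]
		if !ok {
			continue // absent from the file: only a default exists
		}
		if d.Name == "" {
			d.Name = d.ConfigKey // no CLI name, fall back to the config key
		}
		if list, isList := v.([]string); isList {
			v = strings.Join(list, ",")
		}
		res = append(res, fmt.Sprintf("--%s=%v", d.Name, v))
	}
	return res
}

func main() { // constructed sample standing in for a parsed trivy.yaml
	file := map[string]any{"scan": map[string]any{"skip-version-check": false},
		"pkg": map[string]any{"types": []string{"os"}}}
	defs := []flagDef{{"skip-version-check", "scan.skip-version-check"},
		{"disable-telemetry", "scan.disable-telemetry"}, {"pkg-types", "pkg.types"}}
	fmt.Println(explicitFromConfig(defs, file))
}
```

A YAML decoder normally yields `[]any` for lists rather than `[]string`, so real input would need that case handled as well.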