docs: update the docs with cloud settings

owenrumney · owenrumney · commit 76475e36eb42 · 2025-10-27T16:25:40.000Z
diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md
@@ -14,6 +14,12 @@ trivy config [flags] DIR
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
+      --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+      --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
+      --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
+      --cloud-token string                Token used to athenticate with Trivy Cloud platform
+      --cloud-trivy-server-url string     Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+      --cloud-upload-results              Upload results to Trivy Cloud platform (default true)
       --compliance string                 compliance report to generate
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -24,6 +24,12 @@ trivy filesystem [flags] PATH
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
+      --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+      --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
+      --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
+      --cloud-token string                Token used to athenticate with Trivy Cloud platform
+      --cloud-trivy-server-url string     Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+      --cloud-upload-results              Upload results to Trivy Cloud platform (default true)
       --compliance string                 compliance report to generate
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
@@ -39,7 +39,6 @@ trivy image [flags] IMAGE_NAME
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
       --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
-      --cloud-download-misconfig-config   Download misconfig configurations from Trivy Cloud platform (default true)
       --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
       --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
       --cloud-token string                Token used to athenticate with Trivy Cloud platform
diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -24,6 +24,12 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
+      --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+      --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
+      --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
+      --cloud-token string                Token used to athenticate with Trivy Cloud platform
+      --cloud-trivy-server-url string     Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+      --cloud-upload-results              Upload results to Trivy Cloud platform (default true)
       --commit string                     pass the commit hash to be scanned
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -27,6 +27,12 @@ trivy rootfs [flags] ROOTDIR
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
+      --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+      --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
+      --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
+      --cloud-token string                Token used to athenticate with Trivy Cloud platform
+      --cloud-trivy-server-url string     Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+      --cloud-upload-results              Upload results to Trivy Cloud platform (default true)
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -24,6 +24,12 @@ trivy vm [flags] VM_IMAGE
       --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
+      --cloud-api-url string              API URL for Trivy Cloud platform (default "https://api.trivy.dev")
+      --cloud-download-secret-config      Download secret configurations from Trivy Cloud platform (default true)
+      --cloud-server-scanning             Use server-side image scanning in Trivy Cloud platform (default true)
+      --cloud-token string                Token used to athenticate with Trivy Cloud platform
+      --cloud-trivy-server-url string     Trivy Server URL for Trivy Cloud platform (default "https://scan.trivy.dev")
+      --cloud-upload-results              Upload results to Trivy Cloud platform (default true)
       --compliance string                 compliance report to generate
       --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
       --custom-headers strings            custom headers in client mode
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
@@ -351,6 +351,7 @@ func NewFilesystemCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		flag.NewScanFlagGroup(),
 		flag.NewSecretFlagGroup(),
 		flag.NewVulnerabilityFlagGroup(),
+		flag.NewCloudFlagGroup(),
 	}
 
 	cmd := &cobra.Command{
@@ -417,6 +418,7 @@ func NewRootfsCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		flag.NewScanFlagGroup(),
 		flag.NewSecretFlagGroup(),
 		flag.NewVulnerabilityFlagGroup(),
+		flag.NewCloudFlagGroup(),
 	}
 
 	cmd := &cobra.Command{
@@ -482,6 +484,7 @@ func NewRepositoryCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		flag.NewSecretFlagGroup(),
 		flag.NewVulnerabilityFlagGroup(),
 		flag.NewRepoFlagGroup(),
+		flag.NewCloudFlagGroup(),
 	}
 
 	cmd := &cobra.Command{
@@ -704,6 +707,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		flag.NewModuleFlagGroup(),
 		flag.NewRegistryFlagGroup(),
 		flag.NewRegoFlagGroup(),
+		flag.NewCloudFlagGroup(),
 		&flag.K8sFlagGroup{
 			// Keep only --k8s-version flag and disable others
 			K8sVersion: flag.K8sVersionFlag.Clone(),
@@ -1097,6 +1101,7 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		flag.NewScanFlagGroup(),
 		flag.NewSecretFlagGroup(),
 		flag.NewVulnerabilityFlagGroup(),
+		flag.NewCloudFlagGroup(),
 		&flag.AWSFlagGroup{
 			Region: &flag.Flag[string]{
 				Name:       "aws-region",
diff --git a/pkg/commands/cloud/run.go b/pkg/commands/cloud/run.go
@@ -11,6 +11,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/extension"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 // UpdateOptsForCloudIntegration checks if the Trivy Cloud integration is enabled and configures the options accordingly
@@ -38,7 +39,7 @@ func UpdateOptsForCloudIntegration(ctx context.Context, opts *flag.Options) erro
 		opts.CustomHeaders.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
 	}
 
-	if opts.CloudOptions.SecretConfig || opts.CloudOptions.MisconfigConfig {
+	if opts.CloudOptions.SecretConfig && opts.Scanners.Enabled(types.SecretScanner) {
 		if err := cloud.GetConfigs(ctx, opts, accessToken); err != nil {
 			return xerrors.Errorf("failed to download configs: %w", err)
 		}
diff --git a/pkg/commands/cloud/run_test.go b/pkg/commands/cloud/run_test.go
@@ -0,0 +1,149 @@
+package cloud
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+type mockCloudServer struct {
+	server          *httptest.Server
+	configAvailable bool
+}
+
+func (m *mockCloudServer) Start() {
+	m.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Authorization") != "Bearer valid-cloud-token" && r.Header.Get("Authorization") != "Bearer test-access-token" {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		if r.URL.Path == "/api-keys/access-tokens" {
+			w.WriteHeader(http.StatusCreated)
+			w.Write([]byte(`{"token": "test-access-token"}`))
+			return
+		}
+
+		if r.URL.Path == "/configs/secrets/secret-config.yaml" {
+			if !m.configAvailable {
+				w.WriteHeader(http.StatusNotFound)
+				return
+			}
+			if r.Header.Get("Authorization") != "Bearer test-access-token" {
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"content": {"key": "value"}}`))
+			return
+		}
+
+		w.WriteHeader(http.StatusNotFound)
+	}))
+}
+
+func (m *mockCloudServer) Close() {
+	m.server.Close()
+}
+
+func TestUpdateOptsForCloudIntegration(t *testing.T) {
+	mockServer := &mockCloudServer{}
+	mockServer.Start()
+	defer mockServer.Close()
+
+	tests := []struct {
+		name            string
+		opts            *flag.Options
+		configAvailable bool
+		errorContains   string
+	}{
+		{
+			name: "valid token and config to download",
+			opts: &flag.Options{
+				CloudOptions: flag.CloudOptions{
+					CloudToken:     "valid-cloud-token",
+					ApiURL:         mockServer.server.URL,
+					TrivyServerURL: mockServer.server.URL,
+					SecretConfig:   true,
+				},
+				ScanOptions: flag.ScanOptions{
+					Scanners: types.Scanners{types.SecretScanner},
+				},
+			},
+			configAvailable: true,
+		},
+		{
+			name: "valid token but config not requested",
+			opts: &flag.Options{
+				CloudOptions: flag.CloudOptions{
+					CloudToken:     "valid-cloud-token",
+					ApiURL:         mockServer.server.URL,
+					TrivyServerURL: mockServer.server.URL,
+					SecretConfig:   false,
+				},
+				ScanOptions: flag.ScanOptions{
+					Scanners: types.Scanners{types.SecretScanner},
+				},
+			},
+			configAvailable: true,
+		},
+		{
+			name: "valid token but config not available",
+			opts: &flag.Options{
+				CloudOptions: flag.CloudOptions{
+					CloudToken:     "valid-cloud-token",
+					ApiURL:         mockServer.server.URL,
+					TrivyServerURL: mockServer.server.URL,
+					SecretConfig:   false,
+				},
+			},
+			configAvailable: false,
+		},
+		{
+			name: "invalid token 401 status code",
+			opts: &flag.Options{
+				CloudOptions: flag.CloudOptions{
+					CloudToken:     "invalid-token",
+					ApiURL:         mockServer.server.URL,
+					TrivyServerURL: mockServer.server.URL,
+					SecretConfig:   false,
+				},
+				ScanOptions: flag.ScanOptions{
+					Scanners: types.Scanners{types.SecretScanner},
+				},
+			},
+			configAvailable: true,
+			errorContains:   "failed to get access token for Trivy Cloud",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			t.Setenv("XDG_DATA_HOME", tempDir)
+			mockServer.configAvailable = tt.configAvailable
+
+			err := UpdateOptsForCloudIntegration(context.Background(), tt.opts)
+
+			if tt.errorContains != "" {
+				require.ErrorContains(t, err, tt.errorContains)
+				return
+			}
+
+			require.NoError(t, err)
+
+			if tt.opts.CloudOptions.SecretConfig && tt.opts.ScanOptions.Scanners.Enabled(types.SecretScanner) {
+				assert.NotEmpty(t, tt.opts.SecretOptions.SecretConfigPath)
+				assert.FileExists(t, tt.opts.SecretOptions.SecretConfigPath)
+			} else {
+				assert.Empty(t, tt.opts.SecretOptions.SecretConfigPath)
+			}
+		})
+	}
+}
diff --git a/pkg/flag/cloud_flags.go b/pkg/flag/cloud_flags.go
@@ -44,14 +44,6 @@ var (
 		TelemetrySafe: true,
 	}
 
-	CloudMisconfigConfigFlag = Flag[bool]{
-		Name:          "cloud-download-misconfig-config",
-		ConfigName:    "cloud.download-misconfig-config",
-		Default:       true,
-		Usage:         "Download misconfig configurations from Trivy Cloud platform",
-		TelemetrySafe: true,
-	}
-
 	CloudUseServerSideScanningFlag = Flag[bool]{
 		Name:          "cloud-server-scanning",
 		ConfigName:    "cloud.server-scanning",
@@ -67,7 +59,6 @@ type CloudFlagGroup struct {
 	CloudTrivyServerURL        *Flag[string]
 	CloudUploadResults         *Flag[bool]
 	CloudSecretConfig          *Flag[bool]
-	CloudMisconfigConfig       *Flag[bool]
 	CloudUseServerSideScanning *Flag[bool]
 }
 
@@ -78,7 +69,6 @@ func NewCloudFlagGroup() *CloudFlagGroup {
 		CloudTrivyServerURL:        CloudTrivyServerURLFlag.Clone(),
 		CloudUploadResults:         CloudUploadResultsFlag.Clone(),
 		CloudSecretConfig:          CloudSecretConfigFlag.Clone(),
-		CloudMisconfigConfig:       CloudMisconfigConfigFlag.Clone(),
 		CloudUseServerSideScanning: CloudUseServerSideScanningFlag.Clone(),
 	}
 }
@@ -94,7 +84,6 @@ func (f *CloudFlagGroup) Flags() []Flagger {
 		f.CloudTrivyServerURL,
 		f.CloudUploadResults,
 		f.CloudSecretConfig,
-		f.CloudMisconfigConfig,
 		f.CloudUseServerSideScanning,
 	}
 }
@@ -111,7 +100,6 @@ type CloudOptions struct {
 	TrivyServerURL        string
 	UploadResults         bool
 	SecretConfig          bool
-	MisconfigConfig       bool
 	UseServerSideScanning bool
 }
 
@@ -123,7 +111,6 @@ func (f *CloudFlagGroup) ToOptions(opts *Options) error {
 		TrivyServerURL:        f.CloudTrivyServerURL.Value(),
 		UploadResults:         f.CloudUploadResults.Value(),
 		SecretConfig:          f.CloudSecretConfig.Value(),
-		MisconfigConfig:       f.CloudMisconfigConfig.Value(),
 		UseServerSideScanning: f.CloudUseServerSideScanning.Value(),
 	}
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`"github.com/aquasecurity/trivy/pkg/extension"`
`12`	`12`	`"github.com/aquasecurity/trivy/pkg/flag"`
`13`	`13`	`"github.com/aquasecurity/trivy/pkg/log"`
	`14`	`+ "github.com/aquasecurity/trivy/pkg/types"`
`14`	`15`	`)`
`15`	`16`
`16`	`17`	`// UpdateOptsForCloudIntegration checks if the Trivy Cloud integration is enabled and configures the options accordingly`
`@@ -38,7 +39,7 @@ func UpdateOptsForCloudIntegration(ctx context.Context, opts *flag.Options) erro`
`38`	`39`	`opts.CustomHeaders.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))`
`39`	`40`	`}`
`40`	`41`
`41`		`- if opts.CloudOptions.SecretConfig \|\| opts.CloudOptions.MisconfigConfig {`
	`42`	`+ if opts.CloudOptions.SecretConfig && opts.Scanners.Enabled(types.SecretScanner) {`
`42`	`43`	`if err := cloud.GetConfigs(ctx, opts, accessToken); err != nil {`
`43`	`44`	`return xerrors.Errorf("failed to download configs: %w", err)`
`44`	`45`	`}`