Custom compliance reports not usable from command-line

[tortoiseparrot]

Description

The documentation states that one can use custom compliance reports:

• https://trivy.dev/latest/docs/target/container_image/#compliance
• https://trivy.dev/latest/docs/target/kubernetes/#compliance

The exact invocation from the command-line is documented in https://trivy.dev/latest/docs/compliance/compliance/#custom-compliance

Once you have a compliance spec, you can select it by file path: trivy --compliance @</path/to/compliance.yaml> (note the @ indicating file path instead of report id).

Validation of the command-line flags prevents using such a custom file path.
Existing test TestComplianceSpec_LoadFromDiskBundle in code also suggest that using custom file paths should be possible.

Desired Behavior

trivy --compliance works with a custom compliance report file path

Actual Behavior

Both trivy image and trivy k8s validate the --compliance flag in a way that disallows custom file paths

Reproduction Steps

trivy image --compliance @foobar hello-world
trivy k8s --compliance=@foobar --report summary

Target

Container Image

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

$ trivy image --compliance @pkg/compliance/spec/testdata/testcache/policy/content/specs/compliance/testspec.yaml hello-world --debug
2025-05-15T11:00:07Z    DEBUG   No plugins loaded
2025-05-15T11:00:07Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-05-15T11:00:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-05-15T11:00:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-05-15T11:00:07Z    FATAL   Fatal error
  - flag error:
    github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2
        /home/runner/work/trivy/trivy/pkg/commands/app.go:325
  - unable to parse flags:
    github.com/aquasecurity/trivy/pkg/flag.(*Flags).ToOptions
        /home/runner/work/trivy/trivy/pkg/flag/options.go:656
  - unable to parse flag:
    github.com/aquasecurity/trivy/pkg/flag.parseFlags
        /home/runner/work/trivy/trivy/pkg/flag/options.go:674
  - invalid argument "@pkg/compliance/spec/testdata/testcache/policy/content/specs/compliance/testspec.yaml" for "--compliance" flag: must be one of ["docker-cis-1.6.0"]:
    github.com/aquasecurity/trivy/pkg/flag.(*Flag[...]).Parse
        /home/runner/work/trivy/trivy/pkg/flag/options.go:119

Operating System

Docker Desktop on Windows

Version

$ trivy --version
Version: 0.62.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @tortoiseparrot
Thanks for your report!

Created #8876

Regards, Dmitriy