Limit trivy scan to certain languages

[apollo13]

Question

Hi there, is it possible to limit a trivy scan to (for instance) solely javascript without having to explicitly target a single file via trivy filesystem yarn.lock? Ie something along the lines of trivy repository --languages javascript,python ..

Target

Git Repository

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Operating System

Fedora 42

Version

Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-18 06:35:54.164322597 +0000 UTC
  NextUpdate: 2025-09-19 06:35:54.164322336 +0000 UTC
  DownloadedAt: 2025-09-18 08:09:08.461955738 +0000 UTC

[DmitriyLewen]

Hello @apollo13
Thanks for your interest to Trivy!

Currently, Trivy doesn't provide this functionality.

Regards, Dmitriy

[apollo13]

Thanks, I feared as much after reading the docs but I was still hoping for a hidden option or so :D Is that a feature that would make sense, or am I holding it wrong so to say?

[DmitriyLewen]

As far as I know, we haven’t received any requests for such functionality so far.