Trivy provides multiple ways to ignore directories, files, and vulnerabilities during scanning. This guide covers all correct and updated methods, including command-line options, configuration files, and post-processing techniques.

---

1️⃣ Ignore Directories & Files Using Command-Line Options (Recommended for Quick Exclusions)

Trivy supports --skip-dirs and --skip-files flags to exclude directories and files while scanning.

Examples:

✅ Ignore specific directories

trivy image --skip-dirs "/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13" \
            --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" \
            quay.io/fluentd_elasticsearch/fluentd:v2.9.0

✅ Ignore directories when scanning a local filesystem

trivy fs --skip-dirs "./testdata/*" .

✅ Ignore Terraform-related files and directories

trivy config --skip-dirs "**/.terraform" .

✅ Ignore specific files during image scanning

trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0

✅ Ignore all foo directories in any subdirectory

trivy image --skip-files "**/foo" image:tag

✅ Use --file-patterns to ignore files based on type

trivy fs --file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt" .

📌 Use Case: Best when you want to exclude files or directories temporarily without modifying any configuration files.

---

2️⃣ Use trivy.yaml Configuration File for Persistent Directory/File Skipping

For a permanent solution, create a trivy.yaml file in the root of your project.

Example trivy.yaml

scan:
  skip-dirs:
    - "**/examples/**"
    - "**/.terraform/**"
    - "node_modules"
    - "vendor"
  skip-files:
    - "**/*.log"
    - "**/Gemfile.lock"

✅ Run Trivy with the configuration file:

trivy fs --config trivy.yaml .

📌 Use Case: Best for consistent exclusions across multiple runs without needing CLI options.

---

3️⃣ Ignore Specific Vulnerabilities Using .trivyignore

You can ignore specific vulnerabilities by their IDs using a .trivyignore file.

Example .trivyignore

AVD-KSV-0014
CVE-2023-1234

✅ Run Trivy and apply .trivyignore:

trivy fs --ignorefile .trivyignore .

📌 Use Case: When you want to exclude false positives or known vulnerabilities without ignoring entire files or directories.

---

4️⃣ Use find to Dynamically Exclude Directories Before Running Trivy

If you don’t want to modify your Trivy configurations, you can manually exclude directories before scanning.

✅ Find and exclude examples and node_modules directories

find . -type d \( -name "examples" -o -name "node_modules" \) -prune -o -print | trivy fs .

📌 Use Case: When you cannot modify project files but need to exclude directories.

---

5️⃣ Use grep -v to Filter Out Results After Scanning

If Trivy scans everything but you want to remove unwanted results from the output:

✅ Remove results from examples/ directories

trivy fs . | grep -v "examples/"

📌 Use Case: Quick fix when Trivy outputs unwanted directories but scanning time is not a concern.

---

Final Comparison: Best Method to Use

Method	Best For	Permanent?	Performance Impact?
--skip-dirs / --skip-files	Quick exclusions	❌ No	✅ Improves
trivy.yaml (skip-dirs, skip-files)	Persistent exclusions	✅ Yes	✅ Improves
.trivyignore (Ignore CVEs)	Ignoring vulnerabilities	✅ Yes	⚠️ No impact
find -prune	Excluding before scanning	❌ No	✅ Improves
grep -v	Filtering after scanning	❌ No	⚠️ No impact

---

Conclusion

🚀 Best method → Use --skip-dirs and --skip-files in the CLI for quick fixes.
⚡ For permanent exclusions → Use trivy.yaml.
🔎 To ignore vulnerabilities only → Use .trivyignore.
⏳ If you can’t modify configurations → Use find or grep.

This is the correct, updated, and complete guide to ignoring directories and files in Trivy. ✅ Let me know if you need further clarification! 🚀