feat(logging): Add warning in case missing config file #7028

Closed
1 of 2 tasks
simar7 opened this issue Jun 26, 2024 Discussed in #7025 · 0 comments · Fixed by #7154
Labels
kind/feature Categorizes issue or PR as related to a new feature.

simar7 commented Jun 26, 2024

Discussed in #7025

Originally posted by rkm June 26, 2024

Description

Trivy does not produce any error or warning when --config specifies a file that does not exist.

Desired Behavior

Trivy should error when the specified config file is missing since this can contain settings which affect the scan output.

Actual Behavior

The config is silently ignored and the scan proceeds normally.

Reproduction Steps

  1. Run Trivy and observe the output:
    docker run \
      --rm \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v $HOME/.cache/trivy:/root/.cache \
      -v "$(pwd)":/repo \
      ghcr.io/aquasecurity/trivy:0.52.2 \
        image \
        --config /repo/not-a-file \
        --debug \
        debian:12-slim

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-06-26T14:51:32Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-26T14:51:32Z    DEBUG   Ignore statuses statuses=[]
2024-06-26T14:51:32Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-06-26T14:51:32Z    DEBUG   DB update was skipped because the local DB is the latest
2024-06-26T14:51:32Z    DEBUG   DB info schema=2 updated_at=2024-06-26T12:13:29.845304436Z next_update=2024-06-26T18:13:29.845304285Z downloaded_at=2024-06-26T14:40:58.687229989Z
2024-06-26T14:51:32Z    INFO    Vulnerability scanning is enabled
2024-06-26T14:51:32Z    DEBUG   Vulnerability type      type=[os library]
2024-06-26T14:51:32Z    INFO    Secret scanning is enabled
2024-06-26T14:51:32Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T14:51:32Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T14:51:32Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-26T14:51:33Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-26T14:51:33Z    DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-26T14:51:33Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-26T14:51:34Z    DEBUG   [image] Detected image ID       image_id="sha256:46a63b82e4145c5eb93ce87cb6b3e6eeb89a4318b848b8e44a2ea029ccfdc157"
2024-06-26T14:51:34Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:1387079e86adf524e7e92bada71d261d9ff58f34409751ab36560385262a8386]
2024-06-26T14:51:34Z    DEBUG   [image] Detected base layers    diff_ids=[]
2024-06-26T14:51:34Z    INFO    Detected OS     family="debian" version="12.5"
2024-06-26T14:51:34Z    INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=88
2024-06-26T14:51:34Z    INFO    Number of language-specific files       num=0

debian:12-slim (debian 12.5)
...

Operating System

Rocky Linux 9.4

Version

0.52.2

Checklist

simar7 added the kind/bug and kind/feature labels and removed the kind/bug label on Jun 26, 2024
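
A pre-flight guard for pipelines that run a Trivy version with the behaviour reported above, so that a mistyped `--config` path stops the job instead of producing a scan with default settings. This is an added example, not Trivy code or part of the original issue; the function names `check_trivy_config` and `run_trivy` are hypothetical, and only the `--config PATH` and `--config=PATH` argument forms are handled.

```shell
#!/bin/sh
# Added example (not Trivy code): fail closed when a --config path is missing.
# Handles "--config PATH" (the form in the reproduction) and "--config=PATH".

# check_trivy_config ARGS...
# Returns 0 if every --config path names a readable regular file,
# 1 if a path is missing or unreadable, 2 if --config has no value.
check_trivy_config() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --config)
                if [ "$#" -lt 2 ]; then
                    echo "error: --config given without a path" >&2
                    return 2
                fi
                cfg=$2
                shift   # drop the flag; the value is dropped after the check
                ;;
            --config=*)
                cfg=${1#--config=}
                ;;
            *)
                shift
                continue
                ;;
        esac
        if [ ! -f "$cfg" ] || [ ! -r "$cfg" ]; then
            echo "error: trivy config file not found or unreadable: $cfg" >&2
            return 1
        fi
        shift
    done
    return 0
}

# run_trivy ARGS...: hypothetical wrapper that only runs trivy if the check passes.
run_trivy() {
    check_trivy_config "$@" || return
    trivy "$@"
}
```

The check sees paths as the calling shell does, so for the `docker run` reproduction above it has to run inside the container, or be pointed at the host-side path that is mounted to `/repo`.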