diff --git a/.build_ignore b/.build_ignore
index 3c018013e5..632be85174 100644
--- a/.build_ignore
+++ b/.build_ignore
@@ -19,6 +19,7 @@ lefthook.yml
 log/
 README.md
 test/
+trivy.yaml
 lib/tasks/bump_version.rb
 lib/tasks/coverage_report.rb
 lib/tasks/multiverse.rake
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 12fa7a36d5..ed4ee03a84 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -30,11 +30,10 @@ jobs:
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag v0.28.0
 with:
 scan-type: fs
+ scan-ref: .
+ trivy-config: trivy.yaml
 format: table
 exit-code: 1
- ignore-unfixed: true
- severity: CRITICAL,HIGH,MEDIUM,LOW
- cache: false
 
 - name: Run Trivy in report mode
 # Only generate sarif when running nightly on the dev branch.
@@ -42,11 +41,10 @@ jobs:
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag v0.28.0
 with:
 scan-type: fs
+ scan-ref: .
+ trivy-config: trivy.yaml
 format: sarif
 output: trivy-results.sarif
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- cache: false
 
 - name: Upload Trivy scan results to GitHub Security tab
 # Only upload sarif when running nightly on the dev branch.
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000000..1b4f3e2711
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,12 @@
+db:
+ repository:
+ - mirror.gcr.io/aquasec/trivy-db:2
+
+severities:
+ - CRITICAL
+ - HIGH
+ - MEDIUM
+ - LOW
+
+vulnerability:
+ ignore-unfixed: true
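Review bot: Removing `cache: false` from the `with:` block (here and again in the second security.yml hunk) has no counterpart in trivy.yaml, so the action presumably reverts to its default of caching the Trivy DB between runs; the `trivy-config` input feeds Trivy's own flags and does not govern the action's caching step. If the old `cache: false` was deliberate (fresh DB on every scheduled run), keep the line `cache: false` next to `trivy-config: trivy.yaml`; if re-enabling caching is the intent, a one-line comment in the workflow saying so would spare the next reader the same question. The step whose `with:` block is edited begins above the hunk.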
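Review bot: The `severities:` key in the new trivy.yaml looks like it should be `severity:`, mirroring the `--severity` flag (and the `severity:` input the two workflow hunks remove); Trivy ignores unknown config keys rather than rejecting them, so a misspelt key would silently fall back to the default set including UNKNOWN, and the table step with `exit-code: 1` would then also fail on UNKNOWN-severity findings the old input excluded — worth confirming against the config-file reference for the Trivy version bundled in the pinned action. Separately, `db.repository` lists only the mirror with no fallback; the field accepts a list in recent Trivy releases (to be confirmed for this pin), so adding the upstream `ghcr.io/aquasecurity/trivy-db:2` after `mirror.gcr.io/aquasec/trivy-db:2` would keep scans running when the mirror is unavailable instead of failing the job.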