diff --git a/docs/docs/advanced/telemetry-flags.md b/docs/docs/advanced/telemetry-flags.md
index 490bccd2348e..73b84e8a5abd 100644
--- a/docs/docs/advanced/telemetry-flags.md
+++ b/docs/docs/advanced/telemetry-flags.md
@@ -1,19 +1,40 @@
 ```
+--clear-cache
 --debug
+--dependency-tree
 --detection-priority
+--distro
+--exit-code
+--exit-on-eol
 --format
 --ignore-status
+--ignore-unfixed
+--image-config-scanners
+--include-deprecated-checks
 --include-dev-deps
+--include-non-failures
 --insecure
+--license-full
 --list-all-pkgs
 --misconfig-scanners
+--offline-scan
+--parallel
+--password-stdin
 --pkg-relationships
 --pkg-types
 --quiet
+--redis-tls
+--removed-pkgs
 --report
 --scanners
 --severity
 --show-suppressed
+--skip-check-update
+--skip-version-check
+--skip-vex-repo-update
+--slow
+--tf-exclude-downloaded-modules
 --timeout
+--trace
 --vuln-severity-source
 ```
diff --git a/pkg/flag/cache_flags.go b/pkg/flag/cache_flags.go
index 0ec7053189f8..1b96ead71d17 100644
--- a/pkg/flag/cache_flags.go
+++ b/pkg/flag/cache_flags.go
@@ -16,10 +16,11 @@ import (
 var (
 	// Deprecated
 	ClearCacheFlag = Flag[bool]{
-		Name:       "clear-cache",
-		ConfigName: "cache.clear",
-		Usage:      "clear image caches without scanning",
-		Removed:    `Use "trivy clean --scan-cache" instead`,
+		Name:          "clear-cache",
+		ConfigName:    "cache.clear",
+		Usage:         "clear image caches without scanning",
+		Removed:       `Use "trivy clean --scan-cache" instead`,
+		TelemetrySafe: true,
 	}
 	CacheBackendFlag = Flag[string]{
 		Name:       "cache-backend",
@@ -33,9 +34,10 @@ var (
 		Usage:      "cache TTL when using redis as cache backend",
 	}
 	RedisTLSFlag = Flag[bool]{
-		Name:       "redis-tls",
-		ConfigName: "cache.redis.tls",
-		Usage:      "enable redis TLS with public certificates, if using redis as cache backend",
+		Name:          "redis-tls",
+		ConfigName:    "cache.redis.tls",
+		Usage:         "enable redis TLS with public certificates, if using redis as cache backend",
+		TelemetrySafe: true,
 	}
 	RedisCACertFlag = Flag[string]{
 		Name:       "redis-ca",
diff --git a/pkg/flag/image_flags.go b/pkg/flag/image_flags.go
index 93ec050d04b6..353e10c227b6 100644
--- a/pkg/flag/image_flags.go
+++ b/pkg/flag/image_flags.go
@@ -23,12 +23,14 @@ var (
 			types.MisconfigScanner,
 			types.SecretScanner,
 		}),
-		Usage: "comma-separated list of what security issues to detect on container image configurations",
+		Usage:         "comma-separated list of what security issues to detect on container image configurations",
+		TelemetrySafe: true,
 	}
 	ScanRemovedPkgsFlag = Flag[bool]{
-		Name:       "removed-pkgs",
-		ConfigName: "image.removed-pkgs",
-		Usage:      "detect vulnerabilities of removed packages (only for Alpine)",
+		Name:          "removed-pkgs",
+		ConfigName:    "image.removed-pkgs",
+		Usage:         "detect vulnerabilities of removed packages (only for Alpine)",
+		TelemetrySafe: true,
 	}
 	InputFlag = Flag[string]{
 		Name:       "input",
diff --git a/pkg/flag/license_flags.go b/pkg/flag/license_flags.go
index 1db10b68ab86..8325a8d557e5 100644
--- a/pkg/flag/license_flags.go
+++ b/pkg/flag/license_flags.go
@@ -7,9 +7,10 @@ import (
 
 var (
 	LicenseFull = Flag[bool]{
-		Name:       "license-full",
-		ConfigName: "license.full",
-		Usage:      "eagerly look for licenses in source code headers and license files",
+		Name:          "license-full",
+		ConfigName:    "license.full",
+		Usage:         "eagerly look for licenses in source code headers and license files",
+		TelemetrySafe: true,
 	}
 	IgnoredLicenses = Flag[[]string]{
 		Name:       "ignored-licenses",
diff --git a/pkg/flag/misconf_flags.go b/pkg/flag/misconf_flags.go
index 26fd842f6856..3db0fbf9ff94 100644
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -33,9 +33,10 @@ var (
 		},
 	}
 	IncludeNonFailuresFlag = Flag[bool]{
-		Name:       "include-non-failures",
-		ConfigName: "misconfiguration.include-non-failures",
-		Usage:      "include successes, available with '--scanners misconfig'",
+		Name:          "include-non-failures",
+		ConfigName:    "misconfiguration.include-non-failures",
+		Usage:         "include successes, available with '--scanners misconfig'",
+		TelemetrySafe: true,
 	}
 	HelmValuesFileFlag = Flag[[]string]{
 		Name:       "helm-values",
@@ -79,9 +80,10 @@ var (
 		Usage:      "specify paths to override the CloudFormation parameters files",
 	}
 	TerraformExcludeDownloaded = Flag[bool]{
-		Name:       "tf-exclude-downloaded-modules",
-		ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
-		Usage:      "exclude misconfigurations for downloaded terraform modules",
+		Name:          "tf-exclude-downloaded-modules",
+		ConfigName:    "misconfiguration.terraform.exclude-downloaded-modules",
+		Usage:         "exclude misconfigurations for downloaded terraform modules",
+		TelemetrySafe: true,
 	}
 	ChecksBundleRepositoryFlag = Flag[string]{
 		Name:       "checks-bundle-repository",
diff --git a/pkg/flag/registry_flags.go b/pkg/flag/registry_flags.go
index 88cc2a6985d1..fef7ddd54367 100644
--- a/pkg/flag/registry_flags.go
+++ b/pkg/flag/registry_flags.go
@@ -22,9 +22,10 @@ var (
 		Usage:      "password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.",
 	}
 	PasswordStdinFlag = Flag[bool]{
-		Name:       "password-stdin",
-		ConfigName: "registry.password-stdin",
-		Usage:      "password from stdin. Comma-separated passwords are not supported.",
+		Name:          "password-stdin",
+		ConfigName:    "registry.password-stdin",
+		Usage:         "password from stdin. Comma-separated passwords are not supported.",
+		TelemetrySafe: true,
 	}
 	RegistryTokenFlag = Flag[string]{
 		Name:       "registry-token",
diff --git a/pkg/flag/rego_flags.go b/pkg/flag/rego_flags.go
index 8d75128a555f..661154af958a 100644
--- a/pkg/flag/rego_flags.go
+++ b/pkg/flag/rego_flags.go
@@ -8,9 +8,10 @@ package flag
 //	  policy-namespaces: "user"
 var (
 	IncludeDeprecatedChecksFlag = Flag[bool]{
-		Name:       "include-deprecated-checks",
-		ConfigName: "rego.include-deprecated-checks",
-		Usage:      "include deprecated checks",
+		Name:          "include-deprecated-checks",
+		ConfigName:    "rego.include-deprecated-checks",
+		Usage:         "include deprecated checks",
+		TelemetrySafe: true,
 	}
 	SkipCheckUpdateFlag = Flag[bool]{
 		Name:       "skip-check-update",
@@ -23,11 +24,13 @@ var (
 				Deprecated: true,
 			},
 		},
+		TelemetrySafe: true,
 	}
 	TraceFlag = Flag[bool]{
-		Name:       "trace",
-		ConfigName: "rego.trace",
-		Usage:      "enable more verbose trace output for custom queries",
+		Name:          "trace",
+		ConfigName:    "rego.trace",
+		Usage:         "enable more verbose trace output for custom queries",
+		TelemetrySafe: true,
 	}
 	ConfigCheckFlag = Flag[[]string]{
 		Name:       "config-check",
diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go
index dc03c0b16d99..6715b691278c 100644
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -52,9 +52,10 @@ var (
 		Usage:      "output template",
 	}
 	DependencyTreeFlag = Flag[bool]{
-		Name:       "dependency-tree",
-		ConfigName: "dependency-tree",
-		Usage:      "[EXPERIMENTAL] show dependency origin tree of vulnerable packages",
+		Name:          "dependency-tree",
+		ConfigName:    "dependency-tree",
+		Usage:         "[EXPERIMENTAL] show dependency origin tree of vulnerable packages",
+		TelemetrySafe: true,
 	}
 	ListAllPkgsFlag = Flag[bool]{
 		Name:          "list-all-pkgs",
@@ -74,14 +75,16 @@ var (
 		Usage:      "specify the Rego file path to evaluate each vulnerability",
 	}
 	ExitCodeFlag = Flag[int]{
-		Name:       "exit-code",
-		ConfigName: "exit-code",
-		Usage:      "specify exit code when any security issues are found",
+		Name:          "exit-code",
+		ConfigName:    "exit-code",
+		Usage:         "specify exit code when any security issues are found",
+		TelemetrySafe: true,
 	}
 	ExitOnEOLFlag = Flag[int]{
-		Name:       "exit-on-eol",
-		ConfigName: "exit-on-eol",
-		Usage:      "exit with the specified code when the OS reaches end of service/life",
+		Name:          "exit-on-eol",
+		ConfigName:    "exit-on-eol",
+		Usage:         "exit with the specified code when the OS reaches end of service/life",
+		TelemetrySafe: true,
 	}
 	OutputFlag = Flag[string]{
 		Name:       "output",
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index d26325c11d49..ef79a62636e5 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -27,9 +27,10 @@ var (
 		Usage:      "specify the files or glob patterns to skip",
 	}
 	OfflineScanFlag = Flag[bool]{
-		Name:       "offline-scan",
-		ConfigName: "scan.offline",
-		Usage:      "do not issue API requests to identify dependencies",
+		Name:          "offline-scan",
+		ConfigName:    "scan.offline",
+		Usage:         "do not issue API requests to identify dependencies",
+		TelemetrySafe: true,
 	}
 	ScannersFlag = Flag[[]string]{
 		Name:       "scanners",
@@ -74,17 +75,19 @@ var (
 		Usage:      "specify config file patterns",
 	}
 	SlowFlag = Flag[bool]{
-		Name:       "slow",
-		ConfigName: "scan.slow",
-		Default:    false,
-		Usage:      "scan over time with lower CPU and memory utilization",
-		Deprecated: `Use "--parallel 1" instead.`,
+		Name:          "slow",
+		ConfigName:    "scan.slow",
+		Default:       false,
+		Usage:         "scan over time with lower CPU and memory utilization",
+		Deprecated:    `Use "--parallel 1" instead.`,
+		TelemetrySafe: true,
 	}
 	ParallelFlag = Flag[int]{
-		Name:       "parallel",
-		ConfigName: "scan.parallel",
-		Default:    5,
-		Usage:      "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism",
+		Name:          "parallel",
+		ConfigName:    "scan.parallel",
+		Default:       5,
+		Usage:         "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism",
+		TelemetrySafe: true,
 	}
 	SBOMSourcesFlag = Flag[[]string]{
 		Name:       "sbom-sources",
@@ -116,14 +119,16 @@ var (
 		TelemetrySafe: true,
 	}
 	DistroFlag = Flag[string]{
-		Name:       "distro",
-		ConfigName: "scan.distro",
-		Usage:      "[EXPERIMENTAL] specify a distribution, <family>/<version>",
+		Name:          "distro",
+		ConfigName:    "scan.distro",
+		Usage:         "[EXPERIMENTAL] specify a distribution, <family>/<version>",
+		TelemetrySafe: true,
 	}
 	SkipVersionCheckFlag = Flag[bool]{
-		Name:       "skip-version-check",
-		ConfigName: "scan.skip-version-check",
-		Usage:      "suppress notices about version updates and Trivy announcements",
+		Name:          "skip-version-check",
+		ConfigName:    "scan.skip-version-check",
+		Usage:         "suppress notices about version updates and Trivy announcements",
+		TelemetrySafe: true,
 	}
 	DisableTelemetryFlag = Flag[bool]{
 		Name:       "disable-telemetry",
diff --git a/pkg/flag/vulnerability_flags.go b/pkg/flag/vulnerability_flags.go
index 588b2bc3e3c0..9b21792d4cba 100644
--- a/pkg/flag/vulnerability_flags.go
+++ b/pkg/flag/vulnerability_flags.go
@@ -12,9 +12,10 @@ import (
 
 var (
 	IgnoreUnfixedFlag = Flag[bool]{
-		Name:       "ignore-unfixed",
-		ConfigName: "vulnerability.ignore-unfixed",
-		Usage:      "display only fixed vulnerabilities",
+		Name:          "ignore-unfixed",
+		ConfigName:    "vulnerability.ignore-unfixed",
+		Usage:         "display only fixed vulnerabilities",
+		TelemetrySafe: true,
 	}
 	IgnoreStatusFlag = Flag[[]string]{
 		Name:          "ignore-status",
@@ -29,9 +30,10 @@ var (
 		Usage:      `[EXPERIMENTAL] VEX sources ("repo", "oci" or file path)`,
 	}
 	SkipVEXRepoUpdateFlag = Flag[bool]{
-		Name:       "skip-vex-repo-update",
-		ConfigName: "vulnerability.skip-vex-repo-update",
-		Usage:      `[EXPERIMENTAL] Skip VEX Repository update`,
+		Name:          "skip-vex-repo-update",
+		ConfigName:    "vulnerability.skip-vex-repo-update",
+		Usage:         `[EXPERIMENTAL] Skip VEX Repository update`,
+		TelemetrySafe: true,
 	}
 	VulnSeveritySourceFlag = Flag[[]string]{
 		Name:       "vuln-severity-source",