diff --git a/README.md b/README.md
index 9e1a871..6e4b551 100644
--- a/README.md
+++ b/README.md
@@ -669,7 +669,7 @@ Following inputs can be used as `step.with` keys:
 | `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
 | `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
 | `skip-files` | String | | Comma separated list of files where traversal is skipped |
-| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory |
+| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
 | `timeout` | String | `5m0s` | Scan timeout duration |
 | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
 | `hide-progress` | String | `false` | Suppress progress bar and log output |
diff --git a/action.yaml b/action.yaml
index 93aa2c9..12c9b59 100644
--- a/action.yaml
+++ b/action.yaml
@@ -132,6 +132,45 @@ runs: env: GITHUB_ACTION_PATH: ${{ github.action_path }} + - name: Set Trivy environment variables + shell: bash + run: | + # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions. + # This limitation affects how we handle default values and empty inputs. + # For more information, see: https://github.com/actions/runner/issues/924 + + # Function to set environment variable only if the input is provided and different from default + set_env_var_if_provided() { + local var_name="$1" + local input_value="$2" + local default_value="$3" + + if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then + echo "$var_name=$input_value" >> $GITHUB_ENV + fi + } + + # Set environment variables, handling those with default values + # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables + set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" "" + set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" + set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false" + set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library" + set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table" + set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" "" + set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" "" + set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" "" + set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" "" + set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" "" + set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" "" + set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" "" + set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false" + 
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" "" + set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" "" + set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" "" + set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" "" + - name: Run Trivy shell: bash run: entrypoint.sh @@ -147,23 +186,4 @@ runs: INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }} # For Trivy - # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables - TRIVY_INPUT: ${{ inputs.input }} - TRIVY_EXIT_CODE: ${{ inputs.exit-code }} - TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }} - TRIVY_PKG_TYPES: ${{ inputs.vuln-type }} - TRIVY_SEVERITY: ${{ inputs.severity }} - TRIVY_FORMAT: ${{ inputs.format }} - TRIVY_TEMPLATE: ${{ inputs.template }} - TRIVY_OUTPUT: ${{ inputs.output }} - TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }} - TRIVY_SKIP_FILES: ${{ inputs.skip-files }} - TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} - TRIVY_TIMEOUT: ${{ inputs.timeout }} - TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }} - TRIVY_QUIET: ${{ inputs.hide-progress }} - TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }} - TRIVY_SCANNERS: ${{ inputs.scanners }} - TRIVY_CONFIG: ${{ inputs.trivy-config }} - TRIVY_TF_VARS: ${{ inputs.tf-vars }} - TRIVY_DOCKER_HOST: ${{ inputs.docker-host }} + TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
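Review bot: Every input is now spliced into the script text as `${{ inputs.… }}` (from `set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""` down to the `TRIVY_DOCKER_HOST` call), so a value containing a double quote or `$(…)` is parsed by bash as code rather than passed as data, whereas the removed `env:` mapping handed the same values to the process without a second shell parse. Declare the inputs in an `env:` block on this step and call the helper with `"$INPUT_…"` references, as sketched below; the remaining inputs follow the same substitution. The helper should also write with the `NAME<<delimiter` form, because `echo "$var_name=$input_value" >> $GITHUB_ENV` turns each extra line of a multi-line value into a separate variable (and `$GITHUB_ENV` is unquoted). Separately, `timeout` and `hide-progress` are passed with an empty third argument although the README table in this same diff lists `5m0s` and `false` as their defaults, so `TRIVY_TIMEOUT` and `TRIVY_QUIET` appear to be exported on every run and would still shadow `timeout`/`quiet` from `trivy.yaml` — confirm against the action's `inputs:` defaults, which lie outside this hunk, as does the start of the `runs:` steps list.
```yaml
    - name: Set Trivy environment variables
      shell: bash
      env:
        INPUT_INPUT: ${{ inputs.input }}
        INPUT_EXIT_CODE: ${{ inputs.exit-code }}
        INPUT_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
        # … one INPUT_* entry per remaining input, same pattern …
        INPUT_DOCKER_HOST: ${{ inputs.docker-host }}
      run: |
        # … unchanged: note comment and helper header …
        set_env_var_if_provided() {
          local var_name="$1"
          local input_value="$2"
          local default_value="$3"

          if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
            # NAME<<delimiter form keeps a multi-line value as one variable
            delim="trivy_env_$RANDOM$RANDOM"
            printf '%s<<%s\n%s\n%s\n' "$var_name" "$delim" "$input_value" "$delim" >> "$GITHUB_ENV"
          fi
        }

        # … unchanged: comments before the calls …
        set_env_var_if_provided "TRIVY_INPUT" "$INPUT_INPUT" ""
        set_env_var_if_provided "TRIVY_EXIT_CODE" "$INPUT_EXIT_CODE" ""
        set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "$INPUT_IGNORE_UNFIXED" "false"
        # … remaining calls: "$INPUT_*" in place of "${{ inputs.* }}" …
        set_env_var_if_provided "TRIVY_DOCKER_HOST" "$INPUT_DOCKER_HOST" ""
```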
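Review bot: The trailing comment on `TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set` says what is done but not why this one variable stays in `env:` while every other `TRIVY_*` moved to the new step. The README line in this diff gives the reason, so state it next to the code, e.g. `# Always exported here: unlike the other inputs, cache-dir cannot be configured via trivy.yaml (see README)`. The `# For Trivy` header above it now introduces a single entry; consider folding the two comments into one. The enclosing `env:` mapping of the "Run Trivy" step begins outside this hunk.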