HelmΒΆ
Trivy supports two types of Helm scanning, templates and packaged charts. The following scanners are supported.
| Format | Misconfiguration | Secret |
|---|---|---|
| Template | β | β |
| Chart | β | - |
MisconfigurationΒΆ
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. See here for more details on the built-in checks.
Value overridesΒΆ
There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
Setting inline value overridesΒΆ
Overrides can be set inline on the command line
trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql
Setting value file overridesΒΆ
Overrides can be in a file that has the key=value set.
# Example override file (overrides.yaml)
securityContext:
runAsUser: 0
trivy config --helm-values overrides.yaml ./charts/mySql
Setting value as explicit stringΒΆ
the --helm-set-string is the same as --helm-set but explicitly retains the value as a string
trivy config --helm-set-string name=false ./infrastructure/tf
Setting specific values from filesΒΆ
Specific override values can come from specific files
trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql
SecretΒΆ
The secret scan is performed on plain text files, with no special treatment for Helm. Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.