Helm¶
Trivy supports two types of Helm scanning, templates and packaged charts. The following scanners are supported.
Format | Misconfiguration | Secret |
---|---|---|
Template | ✓ | ✓ |
Chart | ✓ | - |
Misconfiguration¶
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. See here for more details on the built-in checks.
Value overrides¶
There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
Setting inline value overrides¶
Overrides can be set inline on the command line
trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql
Setting value file overrides¶
Overrides can be in a file that has the key=value set.
# Example override file (overrides.yaml)
securityContext:
runAsUser: 0
trivy config --helm-values overrides.yaml ./charts/mySql
Setting value as explicit string¶
the --helm-set-string
is the same as --helm-set
but explicitly retains the value as a string
trivy config --helm-set-string name=false ./infrastructure/tf
Setting specific values from files¶
Specific override values can come from specific files
trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql
Secret¶
The secret scan is performed on plain text files, with no special treatment for Helm. Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.