Trivy supports two types of Helm scanning, templates and packaged charts. The following scanners are supported.
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks. See here for more details on the built-in policies.
There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
Setting inline value overrides
Overrides can be set inline on the command line
trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
Setting value file overrides
Overrides can be in a file that has the key=value set.
# Example override file (overrides.yaml)
trivy conf --helm-values overrides.yaml ./charts/mySql
Setting value as explicit string
--helm-set-string is the same as
--helm-set but explicitly retains the value as a string
trivy config --helm-set-string name=false ./infrastructure/tf
Setting specific values from files
Specific override values can come from specific files
trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
The secret scan is performed on plain text files, with no special treatment for Helm. Secret scanning is not conducted on the contents of packaged Charts, such as tar or tar.gz.