feat(misconf): Scan multiple Helm Charts at once

[simar7]

Discussed in #7404

^{Originally posted by yannispgs August 27, 2024}

Question

Hi,

I am having some trouble adapting the Trivy CLI to easily scan all my Helm Charts in a single command. The repository I am scanning has the following structure :

• .helm/:
  • microservice1/:
    • templates/: all the Kubernetes manifests
    • values.yaml: values common to all environments
    • values-env.yaml: values specific to an environment
  • microservice2/: same as microservice1
  • ...
• services/: the source code for every microservice

I have only managed to scan each Helm Chart one-by-one because the helm-values option asks for relative path from Shell current directory. Thus, I need 1 Trivy command per Helm Chart.

Is there a way to tell Trivy to look for values.yaml and values-env.yaml files at the root folder of every Helm Chart ?

Otherwise, I can render the Helm templates one by one in an output dir and then Trivy will be able to scan them all at once, but I was wondering if there could be a direct workaround.

Target

Git Repository

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Operating System

macOS Sonoma 14.5

Version

2024/08/27 11:06:26 INFO Loaded file_path=trivy.yaml
Version: 0.54.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-08-27 06:12:05.011405225 +0000 UTC
  NextUpdate: 2024-08-27 12:12:05.011404834 +0000 UTC
  DownloadedAt: 2024-08-27 08:09:34.000391 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-27 08:41:07.606058 +0000 UTC

[simar7]

Closing until we determine the needs for it in the discussion #7404