This is a small helm plugin that performs vulnerability scans on container images used by charts. It was inspired by Snyk.io's helm-snyk plugin. It uses aquasec's trivy instead of Snyk.io for vulnerability scanning. To be fair, I found in my testing that Snyk had better results, but trivy isn't far (and it's free).
Just like any helm plugin, use the helm plugin subcommand:
helm plugin install https://github.com/ObjectifLibre/helm-trivyCurrently avalaible for linux and mac platforms.
Usage: helm trivy [options] <helm chart>
Example: helm trivy -json stable/mariadb
Options:
--debug
Enable debug logging
--json
Enable JSON output
--nopull
Don't pull latest trivy image
--set string
Values to set for helm chart, format: 'key1=value1,key2=value2'
--trivyargs string
CLI args to passthrough to trivy
--values string
Specify chart values in a YAML file or a URL
--version string
Specify chart versionSome examples:
Output only high and critical severity vulnerabilities:
helm trivy -trivyargs '--severity HIGH,CRITICAL' stable/mariadbGet a JSON array with scan results:
helm trivy -json stable/wordpress