Description
Trivy currently allows scanning of Helm charts and other OCI artifacts as if they were regular container images, which leads to misleading results.
Current Behavior
When scanning a Helm chart using the remote image source, Trivy processes it successfully but finds no vulnerabilities, which is incorrect behavior:
$ trivy image --scanners vuln --image-src remote --skip-version-check ghcr.io/knqyf263/helm-test-chart:0.1.0
2025-06-19T12:50:40+04:00 INFO [vuln] Vulnerability scanning is enabled
2025-06-19T12:50:41+04:00 INFO Number of language-specific files num=0
2025-06-19T12:50:41+04:00 WARN [report] Supported files for scanner(s) not found. scanners=[vuln]
Report Summary
┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│ - │ - │ - │
└────────┴──────┴─────────────────┘
Expected Behavior
Trivy should reject non-container artifacts and display a clear error message explaining that the artifact type is not supported for vulnerability scanning.
Impact
- Users may be confused by empty scan results for non-container artifacts
- No clear indication that the artifact type is not suitable for vulnerability scanning
Solution
Add validation in the remote image retrieval logic to check the ArtifactType field and reject artifacts that are not regular container images.
Description
Trivy currently allows scanning of Helm charts and other OCI artifacts as if they were regular container images, which leads to misleading results.
Current Behavior
When scanning a Helm chart using the remote image source, Trivy processes it successfully but finds no vulnerabilities, which is incorrect behavior:
$ trivy image --scanners vuln --image-src remote --skip-version-check ghcr.io/knqyf263/helm-test-chart:0.1.0 2025-06-19T12:50:40+04:00 INFO [vuln] Vulnerability scanning is enabled 2025-06-19T12:50:41+04:00 INFO Number of language-specific files num=0 2025-06-19T12:50:41+04:00 WARN [report] Supported files for scanner(s) not found. scanners=[vuln] Report Summary ┌────────┬──────┬─────────────────┐ │ Target │ Type │ Vulnerabilities │ ├────────┼──────┼─────────────────┤ │ - │ - │ - │ └────────┴──────┴─────────────────┘Expected Behavior
Trivy should reject non-container artifacts and display a clear error message explaining that the artifact type is not supported for vulnerability scanning.
Impact
Solution
Add validation in the remote image retrieval logic to check the
ArtifactTypefield and reject artifacts that are not regular container images.