Skip to content

Trivy incorrectly scans Helm charts and other OCI artifacts as container images #9053

Description

@knqyf263

Description

Trivy currently allows scanning of Helm charts and other OCI artifacts as if they were regular container images, which leads to misleading results.

Current Behavior

When scanning a Helm chart using the remote image source, Trivy processes it successfully but finds no vulnerabilities, which is incorrect behavior:

$ trivy image --scanners vuln --image-src remote --skip-version-check ghcr.io/knqyf263/helm-test-chart:0.1.0
2025-06-19T12:50:40+04:00    INFO    [vuln] Vulnerability scanning is enabled
2025-06-19T12:50:41+04:00    INFO    Number of language-specific files    num=0
2025-06-19T12:50:41+04:00    WARN    [report] Supported files for scanner(s) not found.    scanners=[vuln]

Report Summary

┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│   -    │  -   │        -        │
└────────┴──────┴─────────────────┘

Expected Behavior

Trivy should reject non-container artifacts and display a clear error message explaining that the artifact type is not supported for vulnerability scanning.

Impact

  • Users may be confused by empty scan results for non-container artifacts
  • No clear indication that the artifact type is not suitable for vulnerability scanning

Solution

Add validation in the remote image retrieval logic to check the ArtifactType field and reject artifacts that are not regular container images.

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

Fields

No fields configured for Bug.

Projects

Status
No status

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions