trivy prints line numbers wrongly for helm chart scans. #8395

dstubked · 2025-02-13T08:06:09Z

dstubked
Feb 13, 2025

Description

I am getting some weird results scanning helm charts.
If you look at the scan results below, it shows the problem exist from line 11 to 17.

However, in the actual source code, the number exist in line 17 to 23.

Desired Behavior

We should print the right line numbers according to the contents of the file.

Actual Behavior

I am getting some weird results scanning helm charts.
If you look at the scan results below, it shows the problem exist from line 11 to 17.

However, in the actual source code, the number exist in line 17 to 23.

Reproduction Steps

You can replicate the problem by pulling from https://github.com/hashicorp/vault-helm.git 
Use the following trivy command: trivy fs --scanners misconfig --severity CRITICAL .
You should be able to replicate it.

Target

Filesystem

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

$ trivy fs --scanners misconfig --severity CRITICAL --debug .
2025-02-13T19:04:02+11:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-13T19:04:02+11:00	DEBUG	Cache dir	dir="/Users/zhihao/Library/Caches/trivy"
2025-02-13T19:04:02+11:00	DEBUG	Cache dir	dir="/Users/zhihao/Library/Caches/trivy"
2025-02-13T19:04:02+11:00	DEBUG	Parsed severities	severities=[CRITICAL]
2025-02-13T19:04:02+11:00	DEBUG	Ignore statuses	statuses=[]
2025-02-13T19:04:02+11:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-13T19:04:02+11:00	DEBUG	[misconfig] Checks successfully loaded from disk
2025-02-13T19:04:02+11:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-13T19:04:02+11:00	DEBUG	Initializing scan cache...	type="memory"
2025-02-13T19:04:02+11:00	DEBUG	[fs] Analyzing...	root="."
2025-02-13T19:04:02+11:00	DEBUG	[fs] Random cache key will be used	err="repository is dirty"
2025-02-13T19:04:02+11:00	DEBUG	Skipping path	path=".git"
2025-02-13T19:04:02+11:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2025-02-13T19:04:02+11:00	DEBUG	[rego] Overriding filesystem for checks
2025-02-13T19:04:02+11:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-02-13T19:04:02+11:00	DEBUG	[rego] Embedded checks are loaded	count=517
2025-02-13T19:04:02+11:00	DEBUG	[rego] Checks from disk are loaded	count=534
2025-02-13T19:04:02+11:00	DEBUG	[rego] Overriding filesystem for data
2025-02-13T19:04:02+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-serviceaccount.yaml"
2025-02-13T19:04:02+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:02+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-serviceaccount.yaml"
2025-02-13T19:04:02+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-config-configmap.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-clusterrole.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-clusterrolebinding.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-clusterrolebinding.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-service.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-headless-service.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-service.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-deployment.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/server-statefulset.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/injector-mutating-webhook.yaml"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform scanner] Scanning directory	file_path="."
2025-02-13T19:04:03+11:00	DEBUG	[rego] Overriding filesystem for checks
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded checks are loaded	count=517
2025-02-13T19:04:03+11:00	DEBUG	[rego] Checks from disk are loaded	count=534
2025-02-13T19:04:03+11:00	DEBUG	[rego] Overriding filesystem for data
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/main.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/main.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/outputs.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/outputs.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/variables.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/variables.tf"
2025-02-13T19:04:03+11:00	INFO	[terraform scanner] Scanning root module	file_path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/main.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/main.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/outputs.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/outputs.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Parsing	module="root" file_path="test/terraform/variables.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added file	module="root" file_path="test/terraform/variables.tf"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Loading module	module="root" module="root"
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Read block(s) and ignore(s)	module="root" blocks=12 ignores=0
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Added input variables from tfvars	module="root" count=0
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Working directory for module evaluation	module="root" file_path="/Users/zhihao/Aqua/Demo/repos/vault-helm"
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting module evaluation...	path="test/terraform"
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=2
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=3
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=4
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=5
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=6
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=7
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=8
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=9
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=10
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=11
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=12
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=13
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=14
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=15
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=16
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=17
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=18
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=19
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=20
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=21
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=22
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=23
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=24
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=25
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=26
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=27
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=28
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=29
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=30
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=31
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="null_resource.kubectl" clones=1
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting post-submodules evaluation...
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=2
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=3
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=4
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=5
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=6
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=7
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=8
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=9
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=10
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=11
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=12
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=13
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=14
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=15
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=16
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=17
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=18
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=19
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=20
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=21
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=22
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=23
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=24
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=25
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=26
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=27
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=28
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=29
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=30
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Starting iteration	iteration=31
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Module evaluation complete.
2025-02-13T19:04:03+11:00	DEBUG	[terraform parser] Finished parsing module	module="root"
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Added module output	block="cluster_id" value="cty.StringVal(\"f2e52fe9-ffa3-41cd-b8df-d59048db798f\")"
2025-02-13T19:04:03+11:00	DEBUG	[terraform evaluator] Added module output	block="cluster_name" value="cty.StringVal(\"vault-helm-dev-feeafee8-6da2-462e-9f77-5d4ed930a8f5\")"
2025-02-13T19:04:03+11:00	DEBUG	[terraform executor] Adapting modules...
2025-02-13T19:04:03+11:00	DEBUG	[terraform executor] Adapted module(s) into state data.	count=1
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[terraform executor] Finished applying rules.
2025-02-13T19:04:03+11:00	DEBUG	[terraform executor] Applying ignores...
2025-02-13T19:04:03+11:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Dockerfile"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Overriding filesystem for checks
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded checks are loaded	count=517
2025-02-13T19:04:03+11:00	DEBUG	[rego] Checks from disk are loaded	count=534
2025-02-13T19:04:03+11:00	DEBUG	[rego] Overriding filesystem for data
2025-02-13T19:04:03+11:00	DEBUG	[dockerfile scanner] Scanning files...	count=1
2025-02-13T19:04:03+11:00	DEBUG	[rego] Scanning inputs	count=1
2025-02-13T19:04:03+11:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Kubernetes"
2025-02-13T19:04:03+11:00	DEBUG	[rego] Overriding filesystem for checks
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-02-13T19:04:03+11:00	DEBUG	[rego] Embedded checks are loaded	count=517
2025-02-13T19:04:04+11:00	DEBUG	[rego] Checks from disk are loaded	count=534
2025-02-13T19:04:04+11:00	DEBUG	[rego] Overriding filesystem for data
2025-02-13T19:04:04+11:00	DEBUG	[kubernetes scanner] Scanning files...	count=8
2025-02-13T19:04:04+11:00	DEBUG	[rego] Scanning inputs	count=8
2025-02-13T19:04:04+11:00	DEBUG	OS is not detected.
2025-02-13T19:04:04+11:00	INFO	Detected config files	num=19
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/docker/Test.dockerfile"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/acceptance/csi-test/nginx.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/acceptance/csi-test/vault-kv-secretproviderclass.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/acceptance/injector-test/job.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/acceptance/injector-test/pg-deployment.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/terraform/main.tf"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="test/terraform"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-serviceaccount.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-headless-service.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-clusterrolebinding.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-mutating-webhook.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-service.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-config-configmap.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-service.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-serviceaccount.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-statefulset.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-clusterrole.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/injector-deployment.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Scanned config file	file_path="templates/server-clusterrolebinding.yaml"
2025-02-13T19:04:04+11:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-02-13T19:04:04+11:00	DEBUG	[vex] VEX filtering is disabled

templates/injector-clusterrole.yaml (helm)

Tests: 9 (SUCCESSES: 8, FAILURES: 1)
Failures: 1 (CRITICAL: 1)

AVD-KSV-0114 (CRITICAL): ClusterRole 'vault-agent-injector-clusterrole' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs.

See https://avd.aquasec.com/misconfig/ksv114
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 templates/injector-clusterrole.yaml:11-17
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  11 ┌ - apiGroups: ["admissionregistration.k8s.io"]
  12 │   resources: ["mutatingwebhookconfigurations"]
  13 │   verbs:
  14 │     - "get"
  15 │     - "list"
  16 │     - "watch"
  17 └     - "patch"
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Mac Sequoia

Version

$ trivy -v
Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-13 00:22:33.41090833 +0000 UTC
  NextUpdate: 2025-02-14 00:22:33.41090807 +0000 UTC
  DownloadedAt: 2025-02-13 04:43:08.909646 +0000 UTC
Check Bundle:
  Digest: sha256:8c65dc8da180c175514774007559f6e468b6adc414fc0cb8409c9d14a558d957
  DownloadedAt: 2025-02-13 04:43:10.171177 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

nikpivkin · 2025-02-14T07:13:14Z

nikpivkin
Feb 14, 2025
Maintainer

Hi @dstubked !
We render the templates to yaml files, so the position information in the source file is lost.

2 replies

dstubked Feb 17, 2025
Author

Thanks for replying. Is there anything we can do about this? Having accurate line numbers does help to enable us find the issue faster.

dstubked Feb 17, 2025
Author

on the other hand, I believe the files are already in yaml format? Am I missing something here?

simar7 · 2025-02-19T21:50:51Z

simar7
Feb 19, 2025
Maintainer

@dstubked as we discussed offline - today we use helm package to render templates in yaml, so we lose the ability to match the positions of the resulting file with the original file. When scanning helm configuration, reports already contains content of rendered templates.

This is because a template is without the extrapolated (rendered) values. A template, by itself, has no "misconfigurations" unless it is rendered based on some logic.

While I think I understand your comment about line numbers not matching up, we are limited based on the above comments. IMHO the line numbers we show vs what the unrendered chart has are pretty close enough for the user to realize the misconfiguration.

We could investigate to see if we can keep the positional information from source files (charts), when misconfigurations in renders are found. This would add logical complexity to Trivy, something at this point I'm not sure if, is worth the effort.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

trivy prints line numbers wrongly for helm chart scans. #8395

{{title}}

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

trivy prints line numbers wrongly for helm chart scans. #8395

dstubked Feb 13, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 2 replies

nikpivkin Feb 14, 2025 Maintainer

dstubked Feb 17, 2025 Author

dstubked Feb 17, 2025 Author

simar7 Feb 19, 2025 Maintainer

dstubked
Feb 13, 2025

Replies: 2 comments 2 replies

nikpivkin
Feb 14, 2025
Maintainer

dstubked Feb 17, 2025
Author

dstubked Feb 17, 2025
Author

simar7
Feb 19, 2025
Maintainer