package helm import ( "os" "path/filepath" "strings" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config" "github.com/aquasecurity/trivy/pkg/misconf" ) const ( analyzerType = analyzer.TypeHelm version = 1 maxTarSize = 209_715_200 // 200MB ) var acceptedExts = []string{".tpl", ".json", ".yml", ".yaml", ".tar", ".tgz", ".tar.gz"} func init() { analyzer.RegisterPostAnalyzer(analyzerType, newHelmConfigAnalyzer) } // helmConfigAnalyzer is an analyzer for detecting misconfigurations in Helm charts. // It embeds config.Analyzer so it can implement analyzer.PostAnalyzer. type helmConfigAnalyzer struct { *config.Analyzer } func newHelmConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) { a, err := config.NewAnalyzer(analyzerType, version, misconf.NewHelmScanner, opts) if err != nil { return nil, err } return &helmConfigAnalyzer{Analyzer: a}, nil } // Required overrides config.Analyzer.Required() and checks if the given file is a Helm chart. func (*helmConfigAnalyzer) Required(filePath string, info os.FileInfo) bool { if info.Size() > maxTarSize { // tarball is too big to be Helm chart - move on return false } for _, acceptable := range acceptedExts { if strings.HasSuffix(strings.ToLower(filePath), acceptable) { return true } } name := filepath.Base(filePath) for _, acceptable := range []string{"Chart.yaml", ".helmignore"} { if strings.EqualFold(name, acceptable) { return true } } return false }