# Container Image and Helm Chart CVE comparison tool

This tool scans container images or Helm charts and compares their CVE (Common Vulnerabilities and Exposures) reports. When comparing Helm charts, the tool downloads each chart and scans every container image it references.
## Installation

```shell
brew tap cliffcolvin/tap
brew install helmscan
```

This will automatically install all required dependencies.

The following tools are required and are installed automatically via Homebrew:
- Trivy - for vulnerability scanning
- Helm - for chart operations
- yq - for YAML processing
- jq - for JSON processing
## Usage

The tool supports two main operations:
- Single artifact scanning
- Artifact comparison
### Single artifact scanning

```shell
helmscan [--json] [--report] <artifact>
```

Examples:

```shell
# Scan a Docker image
helmscan --json --report docker.io/library/ubuntu:22.04

# Scan a Helm chart
helmscan --report myrepo/<chart>@<version>
```
### Artifact comparison

```shell
helmscan --compare [--json] [--report] <artifact1> <artifact2>
```

Examples:

```shell
# Compare Docker images
helmscan --compare --json --report docker.io/library/ubuntu:20.04 docker.io/library/ubuntu:22.04

# Compare Helm charts
helmscan --compare --report myrepo/<chart>@<old-version> myrepo/<chart>@<new-version>
```
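To make clear what a comparison run boils down to, here is an added example (not helmscan's own code) that diffs two Trivy JSON reports by CVE and package, the raw material the tool works from after running Trivy on each artifact. The two reports are constructed samples embedded inline; their field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow Trivy's JSON schema, while the image names and CVE identifiers are placeholders. The Markdown layout is this example's own, not the format of helmscan's `scan_report.md`.

```python
"""Diff two Trivy JSON vulnerability reports, the way a --compare run summarises them."""
import json

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample: the "old" image. CVE ids and image names are placeholders.
OLD_REPORT = json.loads(r'''
{
  "ArtifactName": "example.invalid/app:1.0",
  "Results": [
    {"Target": "example.invalid/app:1.0 (debian 12)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2000-0001", "PkgName": "openssl",
        "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2000-0002", "PkgName": "libc6",
        "InstalledVersion": "2.36-1", "Severity": "MEDIUM"},
       {"VulnerabilityID": "CVE-2000-0003", "PkgName": "zlib1g",
        "InstalledVersion": "1.2.13", "FixedVersion": "1.2.14", "Severity": "CRITICAL"}
     ]}
  ]
}''')

# Constructed sample: the "new" image. A target with no findings carries
# "Vulnerabilities": null in real Trivy output, which the code below tolerates.
NEW_REPORT = json.loads(r'''
{
  "ArtifactName": "example.invalid/app:1.1",
  "Results": [
    {"Target": "example.invalid/app:1.1 (debian 12)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2000-0002", "PkgName": "libc6",
        "InstalledVersion": "2.36-1", "Severity": "MEDIUM"},
       {"VulnerabilityID": "CVE-2000-0004", "PkgName": "curl",
        "InstalledVersion": "7.88.1", "FixedVersion": "7.88.2", "Severity": "HIGH"}
     ]},
    {"Target": "/app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": null}
  ]
}''')


def index_findings(report):
    """Map (CVE id, package) -> finding, across every Results entry of one report."""
    findings = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # null when a target is clean
            key = (v["VulnerabilityID"], v["PkgName"])
            findings[key] = {
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            }
    return findings


def compare_reports(old_report, new_report):
    """Return findings added in, removed from, and unchanged between two reports."""
    old, new = index_findings(old_report), index_findings(new_report)
    return {
        "added": [new[k] for k in sorted(new.keys() - old.keys())],
        "removed": [old[k] for k in sorted(old.keys() - new.keys())],
        "unchanged": [new[k] for k in sorted(old.keys() & new.keys())],
    }


def severity_counts(findings):
    """Count findings per severity, bucketing unexpected labels as UNKNOWN."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"] if f["severity"] in counts else "UNKNOWN"] += 1
    return counts


def render_markdown(diff, old_name, new_name):
    """Render the diff as a Markdown report (layout is this example's own)."""
    lines = [f"# CVE comparison: {old_name} -> {new_name}", ""]
    for section in ("added", "removed", "unchanged"):
        counts = severity_counts(diff[section])
        summary = ", ".join(f"{s}: {n}" for s, n in counts.items() if n)
        lines.append(f"## {section.capitalize()} ({len(diff[section])}) {summary}".rstrip())
        lines.append("")
        lines.append("| CVE | Package | Installed | Fixed | Severity |")
        lines.append("|---|---|---|---|---|")
        for f in diff[section]:
            lines.append(f"| {f['id']} | {f['pkg']} | {f['installed']} | {f['fixed'] or '-'} | {f['severity']} |")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    diff = compare_reports(OLD_REPORT, NEW_REPORT)
    print(render_markdown(diff, OLD_REPORT["ArtifactName"], NEW_REPORT["ArtifactName"]))
    print(json.dumps(diff, indent=2))  # the same diff as JSON, as --json would prefer
```

Keying on (CVE id, package) rather than on the CVE id alone matters: one advisory often affects several packages in the same image, and a fix that lands in one package but not another should show up as both "removed" and "unchanged" rather than disappearing from the report.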
### Options

- `--compare`: enable comparison mode
- `--report`: generate a report file (optional)
- `--json`: output in JSON format (optional; defaults to Markdown)
### Output

Reports are automatically saved in the `working-files` directory when using `--report`:

```
working-files/
  scans/
    {scan-name}/
      scan_report.{md,json}
  tmp/
    trivy_output/
      {image}_trivy_output.json
```