goharbor / harbor-helm

The helm chart to deploy Harbor
Apache License 2.0

Issues with trivy.securityCheck #1786

Open mmclane opened 1 month ago

mmclane commented 1 month ago

In the values file it says this:

# Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
securityCheck: "vuln"

If, however, I try to set this value I get errors. If I set it to "vuln,secret,config" the UI says that the vulnerability results are "Unsupported." If I set it to "vuln, secret, config" or "vuln, secret" or "vuln, config" I get an error similar to this:

2024-07-08T16:08:50Z [ERROR] [/pkg/scan/job.go:294]: check scan report with mime type application/vnd.security.vulnerability.report; version=1.1: running trivy wrapper: running trivy: exit status 1: 2024-07-08T16:08:50.629Z FATAL  flag error: scan flag error: unable to parse flag: invalid argument "[vuln  config]" for "--scanners" flag: must be one of ["vuln" "misconfig" "secret" "license"]
: general response handler: unexpected status code: 500, expected: 20

If I set the value to "secret" I am able to scan but the result is "Not Scanned".

If I set the value to "config" things seem to work but it didn't find anything (which is probably good).

It doesn't seem like I can scan for more than one type at a time, which is at least misleading based on what the values file says.

zyyw commented 1 month ago

Thank you for raising this issue!

The ["vuln" "misconfig" "secret" "license"] values are the capabilities that Trivy itself supports, while Harbor sends requests to and receives responses from trivy-adapter. The implementation of trivy-adapter follows the pluggable-scanner-spec, defined here. The pluggable-scanner-spec currently only defines vulnerability scanning (vuln) in spec v1.1 and introduced SBOM generation in spec v1.2. The other capabilities of Trivy itself, such as misconfig, secret, and license, are in fact not implemented by trivy-adapter yet.
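As an added example (not code from harbor-helm, Harbor or trivy-adapter), the Go program below puts the two points of this thread into working code. First, the reporter's `vuln, secret, config` failure: the `--scanners` error is what you get when a comma-separated value is split without trimming, so Trivy receives `" config"` with a leading space; beside that naive split sits a parser that trims, maps Harbor's documented values to Trivy scanner names, and rejects anything else. Second, the maintainer's point that the adapter only implements what the pluggable scanner spec defines: a practitioner can check what an adapter actually advertises by decoding its `GET /api/v1/metadata` response and looking for the report mime type Harbor requests. The `config` to `misconfig` mapping, the untrimmed split, the `Capability`/`Metadata` structs and the `sampleMetadata` document are assumptions constructed for this example; only the Trivy scanner names, the `application/vnd.security.vulnerability.report; version=1.1` mime type and the Harbor `securityCheck` values come from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Report mime type taken from the error line quoted in the issue.
const vulnReportMime = "application/vnd.security.vulnerability.report; version=1.1"

// Scanner names Trivy accepts on --scanners, as listed in that same error.
var trivyScanners = map[string]bool{"vuln": true, "misconfig": true, "secret": true, "license": true}

// Harbor's documented securityCheck values mapped to Trivy scanner names.
// The "config" -> "misconfig" mapping is an assumption made for this example.
var harborToTrivy = map[string]string{"vuln": "vuln", "config": "misconfig", "secret": "secret"}

// naiveSplit reproduces what the reported error implies: a plain comma split
// with no trimming, so "vuln, config" yields ["vuln" " config"], and the entry
// with the leading space is not a Trivy scanner name.
func naiveSplit(securityCheck string) []string {
	return strings.Split(securityCheck, ",")
}

// ParseSecurityCheck is the hardened parser: it trims whitespace, lowercases,
// maps Harbor names to Trivy names, drops duplicates and rejects anything that
// is not a documented securityCheck value. An empty string means "vuln", as
// the values file documents.
func ParseSecurityCheck(securityCheck string) ([]string, error) {
	var scanners []string
	seen := map[string]bool{}
	for _, raw := range strings.Split(securityCheck, ",") {
		name := strings.ToLower(strings.TrimSpace(raw))
		if name == "" {
			continue
		}
		scanner, ok := harborToTrivy[name]
		if !ok {
			return nil, fmt.Errorf("securityCheck: unknown value %q (want vuln, config or secret)", name)
		}
		if !trivyScanners[scanner] {
			return nil, fmt.Errorf("securityCheck: %q maps to %q, which trivy does not accept", name, scanner)
		}
		if !seen[scanner] {
			seen[scanner] = true
			scanners = append(scanners, scanner)
		}
	}
	if len(scanners) == 0 {
		scanners = []string{"vuln"}
	}
	return scanners, nil
}

// Capability and Metadata mirror the shape of the pluggable scanner
// GET /api/v1/metadata response Harbor uses to discover what an adapter
// consumes and produces (field set assumed for this example).
type Capability struct {
	ConsumesMimeTypes []string `json:"consumes_mime_types"`
	ProducesMimeTypes []string `json:"produces_mime_types"`
}

type Metadata struct {
	Capabilities []Capability `json:"capabilities"`
}

// ProducesReport reports whether any advertised capability produces the given
// report mime type; if none does, Harbor has nothing it can request for it.
func ProducesReport(metadataJSON []byte, mime string) (bool, error) {
	var md Metadata
	if err := json.Unmarshal(metadataJSON, &md); err != nil {
		return false, fmt.Errorf("decode metadata: %w", err)
	}
	for _, c := range md.Capabilities {
		for _, m := range c.ProducesMimeTypes {
			if m == mime {
				return true, nil
			}
		}
	}
	return false, nil
}

// Constructed sample of a vulnerability-only adapter's metadata (not captured
// from a real trivy-adapter); it advertises vulnerability report types only.
const sampleMetadata = `{
  "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "0.0.0"},
  "capabilities": [{
    "consumes_mime_types": [
      "application/vnd.oci.image.manifest.v1+json",
      "application/vnd.docker.distribution.manifest.v2+json"
    ],
    "produces_mime_types": [
      "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0",
      "application/vnd.security.vulnerability.report; version=1.1"
    ]
  }]
}`

func main() {
	for _, v := range []string{"vuln,secret,config", "vuln, secret, config", "config", "vuln,license"} {
		fmt.Printf("naive split of %q: %q\n", v, naiveSplit(v))
		scanners, err := ParseSecurityCheck(v)
		fmt.Printf("hardened parse of %q: %v err=%v\n", v, scanners, err)
	}
	ok, err := ProducesReport([]byte(sampleMetadata), vulnReportMime)
	fmt.Printf("adapter produces %q: %v err=%v\n", vulnReportMime, ok, err)
}
```

Even with the hardened parser, a `secret` or `misconfig` entry only helps if the adapter advertises a report type for it; against the sample metadata above only the vulnerability report is produced, which is the practical reading of the maintainer's reply. Against a live deployment, replace `sampleMetadata` with the body of `GET /api/v1/metadata` from the trivy-adapter service.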