Docker Image and Helm Chart CVE comparison tool
This tool allows you to scan and compare Docker images or Helm charts and analyze their CVE (Common Vulnerabilities and Exposures) reports.
There are three main ways to use this tool:
- Command-line arguments
- Interactive menu system
- Single artifact scanning
You can run the tool with command-line arguments to compare two artifacts:
./helmscan --compare [--report] [--json] <artifact1> <artifact2>
Flags:
--compare
: Enable comparison mode--report
: Generate a Markdown report file (optional)--json
: Generate a JSON report file (optional)<artifact1>
: The URL of the "before" image or Helm chart reference<artifact2>
: The URL of the "after" image or Helm chart reference
Examples:
# Compare Docker images and generate both JSON and Markdown reports
./helmscan --compare --report --json docker.io/library/ubuntu:20.04 docker.io/library/ubuntu:22.04
# Compare Helm charts with only JSON output
./helmscan --compare --json myrepo/[email protected] myrepo/[email protected]
To use the interactive menu system, simply run the executable without any arguments:
./helmscan
Follow the on-screen prompts to:
- Scan a single image or Helm chart
- Compare two images or Helm charts
- Exit
To scan a single artifact, provide its reference as an argument:
./helmscan <artifact_reference>
Example:
# Scan a Docker image
./helmscan docker.io/library/ubuntu:22.04
# Scan a Helm chart
./helmscan myrepo/[email protected]
The tool will provide information about:
- CVE severity levels and counts
- Added CVEs: New vulnerabilities in the second artifact
- Removed CVEs: Vulnerabilities that were present in the first artifact but addressed in the second
- Unchanged CVEs: Vulnerabilities present in both artifacts
When using the --report
flag, the output will be saved to the working-files
directory.
- Make sure you have the necessary permissions to pull the Docker images or access the Helm charts you want to analyze
- For Helm charts, use the format
repo/chart@version
- The tool requires Trivy to be installed and accessible in your PATH