Session
Helm misconfiguration scanning with Trivy in Harbor
Infrastructure-as-Code allows engineers to scan Helm charts for misconfigurations before deploying any manifests to a Kubernetes cluster. Trivy provides this capability: it detects and analyzes potential misconfigurations in Helm charts using its built-in policies. Additionally, with the implementation of distribution spec v1.1, Harbor supports storing OCI-compliant Helm charts as artifacts. This talk will introduce the integration of Helm chart misconfiguration scanning using the Harbor project and its built-in scanner, Trivy.
Using the extensibility of the Harbor pluggable scanner spec v1.2, Harbor sends a POST request to Trivy with some additional parameters. Trivy downloads the Helm chart locally from the remote Harbor registry and scans it for misconfigurations. Harbor then fetches the misconfiguration report and saves it as an accessory, with a download link. This gives users a better understanding of the security of their Helm charts.