helm misconfiguration scanning ignores files with 'yml' extension

[prezha]

Description

helm misconfiguration scan ignores the files with yml extension in templates directory

Desired Behavior

helm misconfiguration should also scan the files with yml extension in templates directory

i think that the bug/solution might be here:

git diff | more
diff --git a/pkg/iac/detection/detect.go b/pkg/iac/detection/detect.go
index d866ccd1c..3484349e7 100644
--- a/pkg/iac/detection/detect.go
+++ b/pkg/iac/detection/detect.go
@@ -191,7 +191,7 @@ func init() {
 				return true
 			}
 		}
-		helmFileExtensions := []string{".yaml", ".tpl"}
+		helmFileExtensions := []string{".yaml", ".yml", ".tpl"}
 		ext := filepath.Ext(filepath.Base(name))
 		for _, expected := range helmFileExtensions {
 			if strings.EqualFold(ext, expected) {

please also note that the matchers[FileTypeHelm] is overridden - first defined here, then redefined here

Actual Behavior

helm misconfiguration scan skips the files with yml extension in templates directory

Reproduction Steps

using trivy's testsdata test chart:

$ tree pkg/iac/scanners/helm/test/testdata/testchart
pkg/iac/scanners/helm/test/testdata/testchart
├── Chart.yaml
├── templates
│   ├── deployment.yaml
│   ├── _helpers.tpl
│   ├── hpa.yaml
│   ├── ingress.yaml
│   ├── NOTES.txt
│   ├── serviceaccount.yaml
│   ├── service.yaml
│   └── tests
│       └── test-connection.yaml
└── values.yaml

3 directories, 10 files

scan correctly detects all *.yaml files that are used (deployment.yaml, service.yaml, and serviceaccount.yaml):

$ trivy config --debug pkg/iac/scanners/helm/test/testdata/testchart >/dev/null
2025-12-06T16:14:51Z	DEBUG	No plugins loaded
2025-12-06T16:14:51Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-06T16:14:51Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:14:51Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:14:51Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-06T16:14:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-12-06T16:14:51Z	DEBUG	[notification] Running version check
2025-12-06T16:14:51Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-12-06T16:14:51Z	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-06T16:14:52Z	DEBUG	[rego] Overriding filesystem for checks
2025-12-06T16:14:52Z	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-12-06T16:14:53Z	DEBUG	[rego] Embedded checks are loaded	count=519
2025-12-06T16:14:53Z	DEBUG	[rego] Checks from disk are loaded	count=536
2025-12-06T16:14:53Z	DEBUG	[rego] Overriding filesystem for data
2025-12-06T16:14:53Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-12-06T16:14:53Z	DEBUG	Initializing scan cache...	type="memory"
2025-12-06T16:14:53Z	DEBUG	[fs] Analyzing...	root="pkg/iac/scanners/helm/test/testdata/testchart"
2025-12-06T16:14:53Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-171556"
2025-12-06T16:14:53Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/serviceaccount.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/service.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/deployment.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	OS is not detected.
2025-12-06T16:14:53Z	INFO	Detected config files	num=3
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/deployment.yaml"
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/service.yaml"
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/serviceaccount.yaml"
2025-12-06T16:14:53Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-06T16:14:53Z	DEBUG	[vex] VEX filtering is disabled
2025-12-06T16:14:53Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-171556"

if we change the extension of eg, deployment and serviceaccount to yml, those files will be ignored - ie, scan will incorrectly skip all '*.yml' files that are required (deployment.yml and serviceaccount.yml in this example) and only detect service.yaml:

$ git mv pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yml

$ git mv pkg/iac/scanners/helm/test/testdata/testchart/templates/serviceaccount.yaml pkg/iac/scanners/helm/test/testdata/testchart/templates/serviceaccount.yml

$ git status
On branch main
Your branch is up to date with 'origin/main'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
	renamed:    pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yaml -> pkg/iac/scanners/helm/test/testdata/testchart/templates/deployment.yml
	renamed:    pkg/iac/scanners/helm/test/testdata/testchart/templates/serviceaccount.yaml -> pkg/iac/scanners/helm/test/testdata/testchart/templates/serviceaccount.yml

$ tree pkg/iac/scanners/helm/test/testdata/testchart
pkg/iac/scanners/helm/test/testdata/testchart
├── Chart.yaml
├── templates
│   ├── deployment.yml
│   ├── _helpers.tpl
│   ├── hpa.yaml
│   ├── ingress.yaml
│   ├── NOTES.txt
│   ├── serviceaccount.yml
│   ├── service.yaml
│   └── tests
│       └── test-connection.yaml
└── values.yaml

3 directories, 10 files

$ trivy config --debug pkg/iac/scanners/helm/test/testdata/testchart >/dev/null
2025-12-06T16:16:19Z	DEBUG	No plugins loaded
2025-12-06T16:16:19Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-06T16:16:19Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:16:19Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:16:19Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-06T16:16:19Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-12-06T16:16:19Z	DEBUG	[notification] Running version check
2025-12-06T16:16:19Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-12-06T16:16:19Z	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-06T16:16:20Z	DEBUG	[rego] Overriding filesystem for checks
2025-12-06T16:16:20Z	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-12-06T16:16:21Z	DEBUG	[rego] Embedded checks are loaded	count=519
2025-12-06T16:16:21Z	DEBUG	[rego] Checks from disk are loaded	count=536
2025-12-06T16:16:21Z	DEBUG	[rego] Overriding filesystem for data
2025-12-06T16:16:21Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-12-06T16:16:21Z	DEBUG	Initializing scan cache...	type="memory"
2025-12-06T16:16:21Z	DEBUG	[fs] Analyzing...	root="pkg/iac/scanners/helm/test/testdata/testchart"
2025-12-06T16:16:21Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-176425"
2025-12-06T16:16:21Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2025-12-06T16:16:21Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/service.yaml"
2025-12-06T16:16:21Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:16:21Z	DEBUG	OS is not detected.
2025-12-06T16:16:21Z	INFO	Detected config files	num=1
2025-12-06T16:16:21Z	DEBUG	Scanned config file	file_path="templates/service.yaml"
2025-12-06T16:16:21Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-06T16:16:21Z	DEBUG	[vex] VEX filtering is disabled
2025-12-06T16:16:21Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-176425"

Target

Filesystem

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

before yaml to yml file extension change:

$ trivy config --debug pkg/iac/scanners/helm/test/testdata/testchart >/dev/null
2025-12-06T16:14:51Z	DEBUG	No plugins loaded
2025-12-06T16:14:51Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-06T16:14:51Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:14:51Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:14:51Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-06T16:14:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-12-06T16:14:51Z	DEBUG	[notification] Running version check
2025-12-06T16:14:51Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-12-06T16:14:51Z	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-06T16:14:52Z	DEBUG	[rego] Overriding filesystem for checks
2025-12-06T16:14:52Z	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-12-06T16:14:53Z	DEBUG	[rego] Embedded checks are loaded	count=519
2025-12-06T16:14:53Z	DEBUG	[rego] Checks from disk are loaded	count=536
2025-12-06T16:14:53Z	DEBUG	[rego] Overriding filesystem for data
2025-12-06T16:14:53Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-12-06T16:14:53Z	DEBUG	Initializing scan cache...	type="memory"
2025-12-06T16:14:53Z	DEBUG	[fs] Analyzing...	root="pkg/iac/scanners/helm/test/testdata/testchart"
2025-12-06T16:14:53Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-171556"
2025-12-06T16:14:53Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/serviceaccount.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/service.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/deployment.yaml"
2025-12-06T16:14:53Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:14:53Z	DEBUG	OS is not detected.
2025-12-06T16:14:53Z	INFO	Detected config files	num=3
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/deployment.yaml"
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/service.yaml"
2025-12-06T16:14:53Z	DEBUG	Scanned config file	file_path="templates/serviceaccount.yaml"
2025-12-06T16:14:53Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-06T16:14:53Z	DEBUG	[vex] VEX filtering is disabled
2025-12-06T16:14:53Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-171556"

after yaml to yml file extension change:

$ trivy config --debug pkg/iac/scanners/helm/test/testdata/testchart >/dev/null
2025-12-06T16:16:19Z	DEBUG	No plugins loaded
2025-12-06T16:16:19Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-06T16:16:19Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:16:19Z	DEBUG	Cache dir	dir="/home/prezha/.cache/trivy"
2025-12-06T16:16:19Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-06T16:16:19Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-12-06T16:16:19Z	DEBUG	[notification] Running version check
2025-12-06T16:16:19Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-12-06T16:16:19Z	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-06T16:16:20Z	DEBUG	[rego] Overriding filesystem for checks
2025-12-06T16:16:20Z	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-12-06T16:16:21Z	DEBUG	[rego] Embedded checks are loaded	count=519
2025-12-06T16:16:21Z	DEBUG	[rego] Checks from disk are loaded	count=536
2025-12-06T16:16:21Z	DEBUG	[rego] Overriding filesystem for data
2025-12-06T16:16:21Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-12-06T16:16:21Z	DEBUG	Initializing scan cache...	type="memory"
2025-12-06T16:16:21Z	DEBUG	[fs] Analyzing...	root="pkg/iac/scanners/helm/test/testdata/testchart"
2025-12-06T16:16:21Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-176425"
2025-12-06T16:16:21Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2025-12-06T16:16:21Z	DEBUG	[helm scanner] Processing rendered chart file	file_path="templates/service.yaml"
2025-12-06T16:16:21Z	DEBUG	[rego] Scanning inputs	count=1
2025-12-06T16:16:21Z	DEBUG	OS is not detected.
2025-12-06T16:16:21Z	INFO	Detected config files	num=1
2025-12-06T16:16:21Z	DEBUG	Scanned config file	file_path="templates/service.yaml"
2025-12-06T16:16:21Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-06T16:16:21Z	DEBUG	[vex] VEX filtering is disabled
2025-12-06T16:16:21Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-176425"

Operating System

openSUSE Tumbleweed

Version

$ trivy --version
Version: 0.68.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-06 12:24:16.602493819 +0000 UTC
  NextUpdate: 2025-12-07 12:24:16.602493549 +0000 UTC
  DownloadedAt: 2025-12-06 17:38:09.712610003 +0000 UTC
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-12-06 17:37:51.126691811 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

Seems like a reasonable ask, wdyt @nikpivkin?

[nikpivkin]

Track #9911