From 329dc3dd809a0d923e79a719f713be1a82064433 Mon Sep 17 00:00:00 2001
From: Julian Pinzer
Date: Thu, 4 Jun 2026 12:46:23 -0400
Subject: [PATCH] Promote the DockerCompose, Dockerfile, and Helm detectors to default on.

---
 docs/detectors/dockercompose.md | 3 ---
 docs/detectors/dockerfile.md | 3 ---
 docs/detectors/helm.md | 3 ---
 .../dockercompose/DockerComposeComponentDetector.cs | 2 +-
 .../dockerfile/DockerfileComponentDetector.cs | 2 +-
 .../helm/HelmComponentDetector.cs | 2 +-
 6 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/docs/detectors/dockercompose.md b/docs/detectors/dockercompose.md
index 499ac671c..3de3ba5f2 100644
--- a/docs/detectors/dockercompose.md
+++ b/docs/detectors/dockercompose.md
@@ -6,8 +6,6 @@ Docker Compose detection depends on the following to successfully run:
 
 - One or more Docker Compose files matching the patterns: `docker-compose.yml`, `docker-compose.yaml`, `docker-compose.*.yml`, `docker-compose.*.yaml`, `compose.yml`, `compose.yaml`, `compose.*.yml`, `compose.*.yaml`
 
-The `DockerComposeComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs DockerCompose=Enable` (the key is the detector Id `DockerCompose`, not the class name).
-
 ## Detection strategy
 
 The Docker Compose detector parses YAML compose files to extract Docker image references from service definitions.
@@ -42,7 +40,6 @@ Images containing unresolved variables (e.g., `${TAG}` or `${REGISTRY:-docker.io
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs DockerCompose=Enable`
 - **Variable Resolution**: Image references containing unresolved environment variables or template expressions are not reported, which may lead to under-reporting in compose files that heavily use variable substitution
 - **Build-Only Services**: Services that only specify a `build` directive without an `image` field are not reported
 - **No Dependency Graph**: All detected images are registered as independent components without parent-child relationships
\ No newline at end of file
diff --git a/docs/detectors/dockerfile.md b/docs/detectors/dockerfile.md
index 2da4fa3a4..4d780e632 100644
--- a/docs/detectors/dockerfile.md
+++ b/docs/detectors/dockerfile.md
@@ -6,8 +6,6 @@ Dockerfile detection depends on the following to successfully run:
 
 - One or more Dockerfile files matching the patterns: `dockerfile`, `dockerfile.*`, or `*.dockerfile`
 
-The `DockerfileComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs DockerReference=Enable` (the key is the detector Id `DockerReference`, not the class name).
-
 ## Detection strategy
 
 The Dockerfile detector parses Dockerfile syntax to extract Docker image references from `FROM` and `COPY --from` instructions. It uses the [Valleysoft.DockerfileModel](https://github.com/mthalman/DockerfileModel) library to parse Dockerfile syntax.
@@ -32,7 +30,6 @@ The detector supports the full Docker reference grammar via `DockerReferenceUtil
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs DockerReference=Enable`
 - **Variable Resolution**: Image references containing unresolved Dockerfile `ARG` or `ENV` variables are not reported, which may lead to under-reporting in Dockerfiles that heavily use build-time variables
 - **No Version Pinning Validation**: The detector does not warn about unpinned image versions (e.g., `latest` tags), which are generally discouraged in production Dockerfiles
 - **Untagged Images Skipped**: Image references with neither a tag nor a digest (e.g. `FROM nginx`) are skipped because they cannot be uniquely identified
diff --git a/docs/detectors/helm.md b/docs/detectors/helm.md
index c9f7bdb55..4d75573e6 100644
--- a/docs/detectors/helm.md
+++ b/docs/detectors/helm.md
@@ -8,8 +8,6 @@ Helm detection depends on the following to successfully run:
 - A chart metadata file named `Chart.yaml` or `Chart.yml` must exist in the same directory for file discovery/co-location checks; only values files are parsed for image references
 - Lowercase `chart.yaml` and `chart.yml` do not satisfy this requirement; the detector requires an uppercase `Chart.*` file name.
 
-The `HelmComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs Helm=Enable` (the key is the detector Id `Helm`, not the class name).
-
 ## Detection strategy
 
 The Helm detector parses Helm values YAML files to extract Docker image references. It recursively walks the YAML tree looking for `image` keys.
@@ -45,7 +43,6 @@ Images containing unresolved variables (e.g., `{{ .Values.tag }}`) are skipped t
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs Helm=Enable`
 - **Values Files Only**: Only files with `values` in the name are parsed for image references. Chart.yaml files are matched but not processed
 - **Same-Directory Co-location**: Values files are only processed when a `Chart.yaml` (or `Chart.yml`) exists in the **same directory**. Values files in subdirectories of a chart root (e.g., `mychart/subdir/values.yaml`) will not be detected, even if a `Chart.yaml` exists in the parent directory
 - **Variable Resolution**: Image references containing unresolved Helm template expressions are not reported
diff --git a/src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs
index 8f2c857d1..e905a4ce3 100644
--- a/src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs
+++ b/src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs
@@ -12,7 +12,7 @@ namespace Microsoft.ComponentDetection.Detectors.DockerCompose;
 using Microsoft.Extensions.Logging;
 using YamlDotNet.RepresentationModel;
 
-public class DockerComposeComponentDetector : FileComponentDetector, IExperimentalDetector
+public class DockerComposeComponentDetector : FileComponentDetector
 {
     public DockerComposeComponentDetector(
         IComponentStreamEnumerableFactory componentStreamEnumerableFactory,
diff --git a/src/Microsoft.ComponentDetection.Detectors/dockerfile/DockerfileComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/dockerfile/DockerfileComponentDetector.cs
index 031358105..12e9ddb41 100644
--- a/src/Microsoft.ComponentDetection.Detectors/dockerfile/DockerfileComponentDetector.cs
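Review bot: The class line `public class DockerComposeComponentDetector : FileComponentDetector` still has no XML doc comment, and now that `IExperimentalDetector` is gone its output lands in the results of every default scan, so the class should say what it emits and what it skips. The docs changed in this same commit give the wording: a `/// <summary>` above the class stating that it parses Docker Compose files with YamlDotNet's RepresentationModel, registers each service `image` reference as an independent component, and skips references that still contain unresolved variables such as `${TAG}`. The hunk does not show how a malformed or adversarial compose file is handled once the detector runs unconditionally, so the summary should also state whether a YAML parse failure is logged and the file skipped or aborts the scan; confirm against the body, which continues outside the hunk. The dropped doc paragraph named `DockerCompose` as the detector Id for `--DetectorArgs`; if a `Disable` form is supported it belongs in the same summary so operators know how to opt out.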
+++ b/src/Microsoft.ComponentDetection.Detectors/dockerfile/DockerfileComponentDetector.cs
@@ -12,7 +12,7 @@ namespace Microsoft.ComponentDetection.Detectors.Dockerfile;
 using Microsoft.Extensions.Logging;
 using Valleysoft.DockerfileModel;
 
-public class DockerfileComponentDetector : FileComponentDetector, IExperimentalDetector
+public class DockerfileComponentDetector : FileComponentDetector
 {
     private readonly ICommandLineInvocationService commandLineInvocationService;
     private readonly IEnvironmentVariableService envVarService;
diff --git a/src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs
index 9da078303..ad980837d 100644
--- a/src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs
+++ b/src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs
@@ -15,7 +15,7 @@ namespace Microsoft.ComponentDetection.Detectors.Helm;
 using Microsoft.Extensions.Logging;
 using YamlDotNet.RepresentationModel;
 
-public class HelmComponentDetector : FileComponentDetector, IExperimentalDetector
+public class HelmComponentDetector : FileComponentDetector
 {
     public HelmComponentDetector(
         IComponentStreamEnumerableFactory componentStreamEnumerableFactory,
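Review bot: `DockerfileComponentDetector` now runs on every default scan, yet the hunk shows it holding an `ICommandLineInvocationService` and an `IEnvironmentVariableService` with no doc comment saying what command is invoked or which environment variables are read. For a detector that is fed Dockerfiles from arbitrary repositories, that is exactly what a reviewer needs to judge what promotion to default-on exposes, so I would add a `/// <summary>` above the class line stating that it extracts `FROM` and `COPY --from` references via Valleysoft.DockerfileModel and naming the external command, if any, and the variables it consults. The code that uses those two fields is outside the hunk, so the exact wording has to come from the body; whether Dockerfile-controlled strings ever reach the command invocation is not visible here and is worth confirming before this ships enabled by default.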
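Review bot: With `IExperimentalDetector` removed, `HelmComponentDetector` reports into the default results, but the class line still carries no XML summary and the co-location rule that gates it (only `values` files sitting next to an uppercase `Chart.yaml` or `Chart.yml`) lives solely in docs/detectors/helm.md. Keeping that rule on the class makes the scanning scope self-describing for anyone reading the detector without the docs; something like `/// <summary>Default-on detector that walks Helm values files co-located with a Chart.yaml/Chart.yml for `image` keys and registers literal references; templated values such as {{ .Values.tag }} are skipped.</summary>` above the class line. The constructor and body continue outside the hunk, so the summary should be checked against them before it is committed.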