Hello everybody! In this article, we want to show a small tool that Ilya (@typecookie) and I built to monitor vulnerabilities in Docker images and Helm charts across container registries, primarily Azure Container Registry.

There are already plenty of great open-source tools in this space. But occasionally you need something more focused for your research or day-to-day work. You've likely implemented image-scanning tooling such as Grype, Anchore, or even more advanced solutions to secure your container images.

However, this control is incomplete if Helm charts are not tracked and validated as well. A Helm chart can introduce new images or modify existing ones, including public images that are not part of your internal registries and therefore bypass your standard security scanning and approval processes.

As a result, even with robust image-scanning in place, untracked or modified Helm charts can silently deploy images that do not meet the same security requirements as your internally managed images.
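How a chart slips images past registry-based scanning, as an added example that is not part of the original post or of HITrack itself: the script below parses the manifests a chart renders (the output of `helm template <release> <chart>`), normalises each image reference the way a container runtime resolves it, and reports any image that is not pulled from an approved registry. The manifest text, the registry allowlist and all image names are constructed for illustration.

```python
"""Find the images a Helm chart would deploy and flag those outside the
approved registries.

Added example, not HITrack's own code. The manifest text below is a
constructed stand-in for `helm template <release> <chart>` output; the
registry allowlist, chart content and image names are assumptions made for
illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `helm template` output: one Deployment whose main container
# comes from the internal ACR, an init container pulled from Docker Hub via
# an implicit registry, and a sidecar pinned by digest on ghcr.io.
RENDERED_MANIFEST = """\
---
# Source: web/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      initContainers:
        - name: wait-for-db
          image: busybox:1.36
      containers:
        - name: web
          image: "example.azurecr.io/apps/web:1.4.2"
          imagePullPolicy: IfNotPresent
        - name: sidecar
          image: ghcr.io/example/sidecar@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Registries whose images pass through the internal scan-and-approve process
# (an assumption for the example; a real allowlist comes from configuration).
APPROVED_REGISTRIES = {"example.azurecr.io"}

# Matches `image: value` lines in rendered manifests, quoted or not. Keys such
# as imagePullPolicy do not match because the colon must follow "image".
IMAGE_LINE = re.compile(r'''^\s*-?\s*image:\s*["']?([^"'\s]+)["']?\s*$''', re.MULTILINE)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def approved(self) -> bool:
        return self.registry in APPROVED_REGISTRIES

    def __str__(self) -> str:
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference the way a container runtime resolves it.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image lives on docker.io, and a bare
    single-component name is an official image under 'library/'. A tag is
    the part after the last ':' only when that ':' comes after the last '/',
    so registry ports are not mistaken for tags.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag: Optional[str] = None
    if path.rfind(":") > path.rfind("/"):
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"  # what the runtime assumes when nothing is pinned
    return ImageRef(registry, path, tag, digest)


def images_in_manifest(text: str) -> List[ImageRef]:
    """Every image: value in the rendered manifests, in document order."""
    return [parse_image_ref(m.group(1)) for m in IMAGE_LINE.finditer(text)]


def unapproved_images(text: str) -> List[ImageRef]:
    """Images the chart would deploy that never passed through an approved registry."""
    return [img for img in images_in_manifest(text) if not img.approved]


if __name__ == "__main__":
    for img in images_in_manifest(RENDERED_MANIFEST):
        print("approved  " if img.approved else "UNAPPROVED", img)
```

Running it lists `busybox:1.36` (really `docker.io/library/busybox:1.36`) and the ghcr.io sidecar as unapproved while the ACR image passes. The chart author never had to name a public registry for one to be used, which is why an image-only scan of your own registries misses these. A real check would go on to run Syft and Grype against each unapproved image rather than only reporting it.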

That's exactly where HITrack comes in.

https://github.com/malchikserega/HITrack.git

Just to be clear — HITrack was built for our specific workflow and tailored to our environment. It's not guaranteed to work well for everyone, and plenty of things are likely rough or imperfect.

We are not claiming that this is the next big security product; it is simply something that helped us. Feedback, fixes, and contributions are very welcome.

We built HITrack to:

  • Automatically discover new images/charts and their tags published in our registries (Azure Container Registry, JFrog, etc.)
  • Provide visibility into vulnerabilities and third-party component details for each image or Helm chart
  • Highlight differences between tags from a third-party component perspective
  • Generate vulnerability reports for images, Helm charts or grouped releases
  • Consolidate security information into a single, searchable view

Under the hood, HITrack relies on tools we already trust. Syft generates SBOMs, and Grype scans them for vulnerabilities — familiar, reliable, and well-maintained. Instead of reinventing the scanning layer, we built a platform around it.

HITrack helps us answer questions like:

  • Which images contain OpenSSL 3.0.2? (screenshot: Affected Images)
  • Which third-party components or images are affected by a given CVE ID across your charts and registries? (screenshots: Affected Images, Affected Components)
  • Are any vulnerable components used in production? (screenshot: Vulnerabilities view)
  • What has changed between Helm chart tags v1 and v2? (screenshot: Comparison view)
  • What are the vulnerability trends for specific repository tags? (screenshot: Trend Analysis)
  • How do security metrics vary across repositories and their tags? (screenshot: Metrics)

HITrack stores:

  • Component metadata (name, ecosystem, type)
  • The raw Syft SBOM and Grype result for each scan (screenshot: quick access to SBOM or Grype result)
  • Versions
  • Vulnerability metadata (CVE, severity, fix availability) (screenshot: image detailed view with components and vulnerabilities)
  • EPSS percentiles (screenshot: Vulnerability view)
  • File paths and layer locations

We enrich vulnerability data from:

  • CISA Known Exploited Vulnerabilities (KEV)
  • Exploit-DB
  • NVD feeds
  • FIRST API (EPSS scores)
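The lookups listed earlier ("which images contain OpenSSL 3.0.2?", "which images are affected by a CVE?") and the enrichment sources just named, as one added example that is not HITrack's own code: per-image Grype output is indexed so those questions become dictionary queries, and KEV membership plus EPSS scores are folded into a priority order. All input is constructed; the documents follow the shape of Grype's JSON output (`matches[].vulnerability.{id,severity,fix.state}`, `matches[].artifact.{name,version,type,locations[].path}`), but the image names, package versions, CVE IDs (`CVE-0000-*` are placeholders, not real entries) and the KEV/EPSS values are made up for illustration.

```python
"""Cross-image vulnerability index with KEV/EPSS enrichment.

Added example, not HITrack's own code. Per-image Grype output is indexed so
that "which images contain component X?" and "which images are affected by
CVE Y?" become dictionary lookups, and the KEV and EPSS enrichment sources
are turned into a priority order. All input is constructed: the documents
follow the shape of Grype's JSON output, but image names, versions, CVE IDs
(CVE-0000-* are placeholders) and KEV/EPSS values are made up.
"""
from __future__ import annotations

import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed stand-in for `grype <image> -o json`, one document per image.
GRYPE_RESULTS: Dict[str, dict] = {
    "example.azurecr.io/apps/web:1.4.2": json.loads("""{
      "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["3.0.3"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "3.0.2", "type": "deb",
                      "locations": [{"path": "/usr/lib/x86_64-linux-gnu/libssl.so.3"}]}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "zlib", "version": "1.2.11", "type": "deb",
                      "locations": [{"path": "/usr/lib/x86_64-linux-gnu/libz.so.1"}]}}
      ]}"""),
    "example.azurecr.io/apps/api:2.0.0": json.loads("""{
      "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["3.0.3"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "3.0.2", "type": "apk",
                      "locations": [{"path": "/lib/libssl.so.3"}]}}
      ]}"""),
}

# Constructed enrichment: CISA KEV membership and FIRST EPSS probabilities.
# In practice these come from the KEV JSON feed and the EPSS API.
KEV: Set[str] = {"CVE-0000-0002"}
EPSS: Dict[str, float] = {"CVE-0000-0001": 0.12, "CVE-0000-0002": 0.91}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0}

Finding = Tuple[str, str, str, str]  # (image, component, version, fix state)


def build_indexes(results: Dict[str, dict]) -> Tuple[Dict[Tuple[str, str], Set[str]], Dict[str, List[Finding]]]:
    """Index matches two ways: (component, version) -> images and CVE -> findings."""
    by_component: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    by_cve: Dict[str, List[Finding]] = defaultdict(list)
    for image, doc in results.items():
        for m in doc["matches"]:
            art, vuln = m["artifact"], m["vulnerability"]
            by_component[(art["name"], art["version"])].add(image)
            by_cve[vuln["id"]].append((image, art["name"], art["version"], vuln["fix"]["state"]))
    return by_component, by_cve


def images_with_component(results: Dict[str, dict], name: str, version: str) -> List[str]:
    """'Which images contain <name> <version>?'"""
    by_component, _ = build_indexes(results)
    return sorted(by_component.get((name, version), set()))


def affected_by_cve(results: Dict[str, dict], cve: str) -> List[Finding]:
    """'Which images and components are affected by <cve>?'"""
    _, by_cve = build_indexes(results)
    return sorted(by_cve.get(cve, []))


def prioritize(results: Dict[str, dict], kev: Set[str], epss: Dict[str, float]):
    """One row per (CVE, image): KEV membership first, then EPSS, then severity.

    A KEV entry means exploitation has been observed in the wild, so a Medium
    that is in KEV outranks a High that is not; EPSS breaks the remaining ties.
    """
    rows = []
    for image, doc in results.items():
        for m in doc["matches"]:
            cve, sev = m["vulnerability"]["id"], m["vulnerability"]["severity"]
            rows.append((cve, image, m["artifact"]["name"], cve in kev, epss.get(cve, 0.0), sev))
    rows.sort(key=lambda r: (r[3], r[4], SEVERITY_RANK.get(r[5], 0)), reverse=True)
    return rows


if __name__ == "__main__":
    print("openssl 3.0.2 in:", images_with_component(GRYPE_RESULTS, "openssl", "3.0.2"))
    print("CVE-0000-0001 affects:", affected_by_cve(GRYPE_RESULTS, "CVE-0000-0001"))
    for cve, image, comp, in_kev, score, sev in prioritize(GRYPE_RESULTS, KEV, EPSS):
        print(f"{cve} {sev:8} kev={in_kev!s:5} epss={score:.2f} {comp} in {image}")
```

The ordering is the point of the enrichment: with the constructed data the Medium zlib finding comes out on top because it is in KEV, ahead of the High OpenSSL finding that is present in two images but has no known exploitation. Severity alone would have ranked them the other way round.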

A consolidated vulnerability report is available for selected images or for a specific release via the Report Generator tab.

(screenshots: Report generator, Report example)

Conclusion

Helm charts are a key part of your delivery pipeline, and if you don't pay attention to them you will miss details that image-only scanning cannot catch. HITrack fills that gap by automatically discovering, analyzing, and presenting everything in one place. It is not meant to replace the tools you already use, but to build on them and show the bigger picture they might not reveal on their own. If it helps you find hidden images, understand what is actually being deployed, and gives you better control over what reaches your clusters, as it did for us while we were building out application security, then it has done its job.