Secret scanning showing as "Not scanned" when results are clean #9440
Description
When performing secret scanning for containers using Trivy, if there are no detections the summary and results are shown with the legend "-" which is described as "not scanned".

Desired Behavior
If no secrets are found within a container image, legend should be "0" as mentioned in the summary description, which refers to "Clean".

Actual Behavior
Results are shown as "-" which means "Not scanned".

Reproduction Steps
1. Execute a clean Trivy secret scan using flags --scanners secret --image-config-scanners secret
2. Results will show a summary with legend "-" which means "Not Scanned"
3. Execute another Trivy secret scan using dummy data to be found with the same flags mentioned above.
4. Result summary will show proper legends.
...

Target
Container Image

Scanner
Secret

Output Format
None

Mode
Standalone

Debug Output
trivy image myimage:latest --scanners secret --image-config-scanners secret --debug

Operating System
Oracle Linux 8

Version
Version: v0.66.0
Vulnerability DB:
Version: 2
UpdatedAt: 2025-09-03 12:26:02.379457012 +0000 UTC
NextUpdate: 2025-09-04 12:26:02.379456742 +0000 UTC
DownloadedAt: 2025-09-03 15:17:38.262046047 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2025-09-03 00:52:19.865939368 +0000 UTC
NextUpdate: 2025-09-06 00:52:19.865939198 +0000 UTC
DownloadedAt: 2025-09-03 15:19:51.637973389 +0000 UTC
Check Bundle:
Digest: sha256:e13d31ec41e7a61a0eeb42afccd73a8e2802244c5c772764a5e2ffb30cab727c
DownloadedAt: 2025-05-20 21:09:56.27969073 +0000 UTC
Replies: 1 comment
Hello @Noclas
Thanks for your report!
For the secret/license scanner, the Trivy report contains only findings.
Therefore, we can’t say for sure whether Trivy scanned at least one file or simply didn’t find any findings.
That’s why, for these scanners, the summary table uses “-” if no findings are found.
I created #9442 to add info about this in docs
Regards, Dmitriy
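
The point made in the reply above, as an added example (not Trivy's code and not part of the thread): a pipeline gate over a Trivy JSON report, where the report alone can only yield a count or "-", and whether the secret scanner was enabled comes from the job's own command line. The report field names used here and all function names are assumptions, and the sample reports are constructed.

```python
import json

# Constructed sample reports. Field names (Results, Target, Class, Secrets,
# RuleID, Severity) are assumed to match Trivy's JSON output.
REPORT_WITH_FINDING = json.loads("""
{"ArtifactName": "myimage:latest",
 "Results": [{"Target": "/app/.env", "Class": "secret",
              "Secrets": [{"RuleID": "example-rule", "Severity": "HIGH"}]}]}
""")
# A report with nothing in it: a clean secret scan and a run without the
# secret scanner look the same from the results alone.
REPORT_NO_FINDINGS = json.loads('{"ArtifactName": "myimage:latest", "Results": []}')


def secret_count(report):
    """Count secret findings; None when the report holds no secret results."""
    results = [r for r in (report.get("Results") or [])
               if r.get("Class") == "secret"]
    if not results:
        return None
    return sum(len(r.get("Secrets") or []) for r in results)


def summary_cell(report):
    """Legend from the thread: a number for findings, "-" when none are reported."""
    count = secret_count(report)
    return str(count) if count else "-"


def gate(report, scanners_requested):
    """Pipeline decision. The report only lists findings, so the caller
    supplies the scanners it passed to trivy (hypothetical parameter)."""
    if "secret" not in scanners_requested:
        return "not-scanned"
    return "findings" if secret_count(report) else "no-findings-reported"


if __name__ == "__main__":
    for name, rep in (("with finding", REPORT_WITH_FINDING),
                      ("no findings", REPORT_NO_FINDINGS)):
        print(name, summary_cell(rep), gate(rep, ["secret"]))
```
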