Enhance Docker Compose and Helm detectors for parallel processing

[jpinz]

This pull request improves the accuracy and performance of Docker and Helm image reference detection by enhancing placeholder detection, optimizing YAML parsing, and adding safety checks for large files. It also introduces parallel processing for both Docker Compose and Helm detectors to improve scalability, and expands test coverage for these scenarios.

Enhancements to placeholder detection and parsing:

• Expanded the DockerReferenceUtility.HasUnresolvedVariables method to detect additional templating patterns, including double-underscore tokens (e.g., __IMAGE_TAG__) and hash-delimited tokens (e.g., #imageTag#), ensuring that unresolved or templated image references are correctly skipped and not reported as parse failures.
• Added comprehensive tests to verify detection of these new placeholder patterns and to ensure false positives (such as plain underscores) are avoided. Also verified that templated references do not trigger unnecessary warnings.

Performance and scalability improvements:

• Enabled parallel processing in both DockerComposeComponentDetector and HelmComponentDetector by setting EnableParallelism = true, allowing multiple files to be parsed concurrently for better performance on large repositories. [1] [2]

YAML parsing optimizations:

• Optimized file parsing in both detectors by loading YAML directly from the file stream, eliminating unnecessary string allocations and reducing GC pressure, especially under parallel workloads. [1] [2]

Safety and resource usage:

• Added a file size check in HelmComponentDetector to skip parsing of excessively large values files (over 20 MB), preventing timeouts or memory exhaustion from pathological files. [1] [2]

Code quality and maintainability:

• Improved documentation and error handling in both detectors, ensuring that failures to parse files are logged appropriately and that asynchronous methods consistently return completed tasks. [1] [2]

[Copilot]

Pull request overview

This PR improves Docker Compose and Helm image reference detection by expanding placeholder detection, reducing YAML parsing allocations, adding safety checks for oversized Helm values files, and enabling parallel processing to scale scanning across many manifests.

Changes:

• Expanded DockerReferenceUtility.HasUnresolvedVariables to treat additional templating patterns (double-underscore and #...# tokens) as unresolved so they’re skipped instead of logged as parse failures.
• Updated Docker Compose and Helm detectors to parse YAML directly from the component stream and enabled parallel processing for better throughput.
• Added Helm values file size guarding (20 MB) and expanded unit tests for the new placeholder patterns / logging behavior.

Show a summary per file

File	Description
test/Microsoft.ComponentDetection.Common.Tests/DockerReferenceUtilityTests.cs	Adds test coverage for new templating placeholder patterns and ensures templated references don’t log warnings.
src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs	Enables parallelism, adds a max values-file size guard, and parses YAML from stream to reduce allocations.
src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs	Enables parallelism and parses YAML from stream to reduce allocations.
src/Microsoft.ComponentDetection.Common/DockerReference/DockerReferenceUtility.cs	Expands placeholder detection logic to skip templated references earlier.

Copilot's findings

Comments suppressed due to low confidence (2)

src/Microsoft.ComponentDetection.Detectors/dockercompose/DockerComposeComponentDetector.cs:55

• cancellationToken is no longer used after switching to synchronous YamlStream.Load(reader). This means compose parsing will continue even after a scan is cancelled, which can waste CPU under parallelism. Add an early cancellation check before doing any work.

    protected override Task OnFileFoundAsync(ProcessRequest processRequest, IDictionary<string, string> detectorArgs, CancellationToken cancellationToken = default)
    {
        var singleFileComponentRecorder = processRequest.SingleFileComponentRecorder;
        var file = processRequest.ComponentStream;

src/Microsoft.ComponentDetection.Detectors/helm/HelmComponentDetector.cs:88

• cancellationToken is no longer used after switching to synchronous YamlStream.Load(reader). This can make scan cancellation less responsive, especially with EnableParallelism = true. Add an early cancellation check before file-size checks / parsing begins.

    protected override Task OnFileFoundAsync(ProcessRequest processRequest, IDictionary<string, string> detectorArgs, CancellationToken cancellationToken = default)
    {
        var file = processRequest.ComponentStream;

        // OnPrepareDetectionAsync has already filtered to values files co-located

• Files reviewed: 4/4 changed files
• Comments generated: 1

[github-actions]

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

• The detector detects more or fewer components than before
• The detector generates different parent/child graph relationships than before
• The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂