Trivy tab shows "No reports found" on Azure DevOps Server despite successful scan and artifact publication #218

@Quent1OK

Describe the bug

The Trivy tab in Azure DevOps Server shows "No reports found for this build" despite the task successfully generating and publishing reports. The build artifacts are created correctly (JSON, HTML, SARIF, JUnit formats), and test results are published separately, but the visual Trivy dashboard remains empty.

Agent details

  • Type: Self-Hosted Agent
  • OS: Linux Ubuntu 22
  • Version: Azure DevOps Server 2025 H2 (AzureDevopsServer_20251119.1)

Task Version

Extension version: 1.20.2

Task Inputs

  - task: trivy@2
    name: TrivyCurrent
    displayName: 'Scan current repository as filesystem'
    inputs:
      version: "latest"
      type: "image"
      target: 'nginx:1.29.5-perl'
      scanners: 'misconfig,vuln,secret'
      ignoreUnfixed: true
      ignoreScanErrors: true
      reports: 'html, junit'
      publish: true

Error message

No error in the build logs. The task completes successfully with the following output:

2026-02-11T16:08:32.9650381Z ##[section]Démarrage : Scan nginx image
2026-02-11T16:08:32.9687276Z ==============================================================================
2026-02-11T16:08:32.9688230Z Task         : Trivy
2026-02-11T16:08:32.9688679Z Description  : Trivy is the world's most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
2026-02-11T16:08:32.9689900Z Version      : 2.7.96
2026-02-11T16:08:32.9690335Z Author       : Aqua Security
2026-02-11T16:08:32.9690799Z Help         : https://github.com/aquasecurity/trivy-azure-pipelines-task/docs/trivyv2.md
2026-02-11T16:08:32.9691596Z ==============================================================================
2026-02-11T16:08:33.6138326Z ##[section]Starting Trivy task...
2026-02-11T16:08:33.6274824Z Requested Trivy version to install: latest
2026-02-11T16:08:34.1006503Z Resolved version: v0.69.1
2026-02-11T16:08:34.1035037Z Outil trouvé dans le cache : trivy 0.69.1 x64
2026-02-11T16:08:34.1041336Z Préfixation de la variable d’environnement PATH avec le répertoire : /azp/_work/_tool/trivy/0.69.1/x64
2026-02-11T16:08:34.1057579Z Configuring options for image scan...
2026-02-11T16:08:34.1106312Z [command]/azp/_work/_tool/trivy/0.69.1/x64/trivy image --exit-code 2 --format json --scanners misconfig,vuln,secret --list-all-pkgs --ignore-unfixed --output /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.json nginx:1.29.5-perl
2026-02-11T16:08:39.2271221Z 2026-02-11T16:08:34Z	INFO	[vuln] Vulnerability scanning is enabled
2026-02-11T16:08:39.2272721Z 2026-02-11T16:08:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-02-11T16:08:39.2274109Z 2026-02-11T16:08:34Z	INFO	[checks-client] Using existing checks from cache	path="/root/.cache/trivy/policy/content"
2026-02-11T16:08:39.2275030Z 2026-02-11T16:08:37Z	INFO	[secret] Secret scanning is enabled
2026-02-11T16:08:39.2276040Z 2026-02-11T16:08:37Z	INFO	[secret] If your scanning is slow, please try '--scanners misconfig,vuln' to disable secret scanning
2026-02-11T16:08:39.2277362Z 2026-02-11T16:08:37Z	INFO	[secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-02-11T16:08:39.2278330Z 2026-02-11T16:08:39Z	INFO	Detected OS	family="debian" version="13.3"
2026-02-11T16:08:39.2279218Z 2026-02-11T16:08:39Z	INFO	[debian] Detecting vulnerabilities...	os_version="13" pkg_num=157
2026-02-11T16:08:39.2280108Z 2026-02-11T16:08:39Z	INFO	Number of language-specific files	num=0
2026-02-11T16:08:39.2280855Z 2026-02-11T16:08:39Z	INFO	Detected config files	num=0
2026-02-11T16:08:39.2282066Z 2026-02-11T16:08:39Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.
2026-02-11T16:08:39.2288544Z ##[section]Generating reports...
2026-02-11T16:08:39.3939242Z [command]/azp/_work/_tool/trivy/0.69.1/x64/trivy convert --format template --template @/azp/_work/_tool/trivy/0.69.1/x64/contrib/html.tpl --output /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.html.html /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.json
2026-02-11T16:08:39.6144525Z [command]/azp/_work/_tool/trivy/0.69.1/x64/trivy convert --format template --template @/azp/_work/_tool/trivy/0.69.1/x64/contrib/junit.tpl --output /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.junit.xml /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.json
2026-02-11T16:08:39.8850249Z ##[section]Async Command Start: Charger l’artefact
2026-02-11T16:08:39.8854798Z Chargement de 1 fichiers
2026-02-11T16:08:39.8855171Z Fichier chargé.
2026-02-11T16:08:39.8855807Z Charger « /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.json » dans le conteneur de fichiers : « #/149902/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6 »
2026-02-11T16:08:40.3206850Z 34769 d’artefacts associés à 45222de build
2026-02-11T16:08:40.3208571Z ##[section]Async Command End: Charger l’artefact
2026-02-11T16:08:40.3210447Z ##[section]Async Command Start: Charger l’artefact
2026-02-11T16:08:40.3210946Z Chargement de 1 fichiers
2026-02-11T16:08:40.3211234Z Fichier chargé.
2026-02-11T16:08:40.3211758Z Charger « /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.html.html » dans le conteneur de fichiers : « #/149902/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6 »
2026-02-11T16:08:40.3212421Z 34769 d’artefacts associés à 45222de build
2026-02-11T16:08:40.3212839Z ##[section]Async Command End: Charger l’artefact
2026-02-11T16:08:40.3214570Z ##[section]Async Command Start: Charger l’artefact
2026-02-11T16:08:40.3215251Z Chargement de 1 fichiers
2026-02-11T16:08:40.3215536Z Fichier chargé.
2026-02-11T16:08:40.3216056Z Charger « /azp/_work/_temp/trivy/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6.junit.xml » dans le conteneur de fichiers : « #/149902/trivy-results-fd0eaba6-031c-43bf-942b-c1b75d3355a6 »
2026-02-11T16:08:40.3216700Z 34769 d’artefacts associés à 45222de build
2026-02-11T16:08:40.3217047Z ##[section]Async Command End: Charger l’artefact
2026-02-11T16:08:40.3218953Z ##[section]Fin : Scan nginx image

Expected behavior

The Trivy tab should display the visual dashboard with vulnerability statistics, graphs, and detailed findings as shown in the marketplace screenshots.

Actual behavior

The Trivy tab shows the message: "No reports found for this build. Add Trivy to your pipeline configuration or check the build logs for more information."
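
A triage check for the log above, added here as an example and not part of the original issue or the extension's code: it parses the artifact upload lines, compares the uploaded files with the task's `reports` input, and lists the artifact container and name they were published under. The function names, the `GUID` placeholder and the rule that the first file suffix names the report format are assumptions drawn from the file names in the log.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the shape of the upload lines in the log above
# (French agent locale; "GUID" stands in for the run's real identifier).
SAMPLE_LOG = """\
2026-02-11T16:08:39.8855807Z Charger « /azp/_work/_temp/trivy/trivy-results-GUID.json » dans le conteneur de fichiers : « #/149902/trivy-results-GUID »
2026-02-11T16:08:40.3211758Z Charger « /azp/_work/_temp/trivy/trivy-results-GUID.html.html » dans le conteneur de fichiers : « #/149902/trivy-results-GUID »
2026-02-11T16:08:40.3216056Z Charger « /azp/_work/_temp/trivy/trivy-results-GUID.junit.xml » dans le conteneur de fichiers : « #/149902/trivy-results-GUID »
"""

# Match the quoted source path and the "#/<container>/<artifact>" target
# instead of the localized verb. Only the log shape shown above is covered.
UPLOAD_RE = re.compile(
    r"«\s*(?P<path>[^»]+?)\s*»[^«]*«\s*#/(?P<container>\d+)/(?P<artifact>[^»]+?)\s*»"
)


def uploaded_files(log):
    """Return (file name, container id, artifact name, suffixes) per upload line."""
    out = []
    for m in UPLOAD_RE.finditer(log):
        name = PurePosixPath(m["path"]).name
        out.append((name, m["container"], m["artifact"], PurePosixPath(name).suffixes))
    return out


def audit(log, reports_input):
    """Compare the uploaded files with the task's `reports` input."""
    requested = {r.strip() for r in reports_input.split(",") if r.strip()}
    files = uploaded_files(log)
    # Assumption: the first suffix names the report format, as in the
    # file names in the log (.json, .html.html, .junit.xml).
    seen = {sfx[0].lstrip(".") for _, _, _, sfx in files if sfx}
    return {
        "missing": sorted(requested - seen),
        "artifacts": sorted({(c, a) for _, c, a, _ in files}),
        "repeated_suffix": [n for n, _, _, sfx in files if len(sfx) != len(set(sfx))],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "html, junit"))
```

An empty `missing` list means every requested report reached the artifact container, which narrows the investigation to how the tab looks the artifact up rather than to the scan or upload steps.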
