docs: document opt-in mechanism for experimental detectors in dockerfile, dockercompose, and helm docs

Copilot · jpinz · web-flow · commit e880b90fdf29 · 2026-05-01T19:29:35.000Z
Agent-Logs-Url: https://github.com/microsoft/component-detection/sessions/c1b52ac3-7a11-4689-b324-b61c26014208 Co-authored-by: jpinz <8357054+jpinz@users.noreply.github.com>
diff --git a/docs/detectors/dockercompose.md b/docs/detectors/dockercompose.md
@@ -6,7 +6,7 @@ Docker Compose detection depends on the following to successfully run:
 
 - One or more Docker Compose files matching the patterns: `docker-compose.yml`, `docker-compose.yaml`, `docker-compose.*.yml`, `docker-compose.*.yaml`, `compose.yml`, `compose.yaml`, `compose.*.yml`, `compose.*.yaml`
 
-The `DockerComposeComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results.
+The `DockerComposeComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs DockerCompose=Enable` (the key is the detector Id `DockerCompose`, not the class name).
 
 ## Detection strategy
 
@@ -42,7 +42,7 @@ Images containing unresolved variables (e.g., `${TAG}` or `${REGISTRY:-docker.io
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results
+- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs DockerCompose=Enable`
 - **Variable Resolution**: Image references containing unresolved environment variables or template expressions are not reported, which may lead to under-reporting in compose files that heavily use variable substitution
 - **Build-Only Services**: Services that only specify a `build` directive without an `image` field are not reported
 - **No Dependency Graph**: All detected images are registered as independent components without parent-child relationships
diff --git a/docs/detectors/dockerfile.md b/docs/detectors/dockerfile.md
@@ -6,7 +6,7 @@ Dockerfile detection depends on the following to successfully run:
 
 - One or more Dockerfile files matching the patterns: `dockerfile`, `dockerfile.*`, or `*.dockerfile`
 
-The `DockerfileComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results.
+The `DockerfileComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs DockerReference=Enable` (the key is the detector Id `DockerReference`, not the class name).
 
 ## Detection strategy
 
@@ -26,7 +26,7 @@ The detector attempts to resolve Dockerfile variables using the `ResolveVariable
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results
+- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs DockerReference=Enable`
 - **Variable Resolution**: Image references containing unresolved Dockerfile `ARG` or `ENV` variables are not reported, which may lead to under-reporting in Dockerfiles that heavily use build-time variables
 - **No Version Pinning Validation**: The detector does not warn about unpinned image versions (e.g., `latest` tags), which are generally discouraged in production Dockerfiles
 - **No Digest Support**: While Docker supports content-addressable image references using SHA256 digests (e.g., `ubuntu@sha256:abc...`), the parsing and reporting of these references depends on the underlying `DockerReferenceUtility.ParseFamiliarName()` implementation
diff --git a/docs/detectors/helm.md b/docs/detectors/helm.md
@@ -8,7 +8,7 @@ Helm detection depends on the following to successfully run:
 - A chart metadata file named `Chart.yaml` or `Chart.yml` must exist in the same directory for file discovery/co-location checks; only values files are parsed for image references
   - Lowercase `chart.yaml` and `chart.yml` do not satisfy this requirement; the detector requires an uppercase `Chart.*` file name.
 
-The `HelmComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results.
+The `HelmComponentDetector` is an **Experimental** detector. It runs automatically during scans, but its output is not included in the final scan results. To include its output, pass `--DetectorArgs Helm=Enable` (the key is the detector Id `Helm`, not the class name).
 
 ## Detection strategy
 
@@ -45,7 +45,7 @@ Images containing unresolved variables (e.g., `{{ .Values.tag }}`) are skipped t
 
 ## Known limitations
 
-- **Experimental Status**: This detector runs automatically but its output is not included in scan results
+- **Experimental Status**: This detector runs automatically but its output is not included in scan results by default. To opt in, pass `--DetectorArgs Helm=Enable`
 - **Values Files Only**: Only files with `values` in the name are parsed for image references. Chart.yaml files are matched but not processed
 - **Same-Directory Co-location**: Values files are only processed when a `Chart.yaml` (or `Chart.yml`) exists in the **same directory**. Values files in subdirectories of a chart root (e.g., `mychart/subdir/values.yaml`) will not be detected, even if a `Chart.yaml` exists in the parent directory
 - **Variable Resolution**: Image references containing unresolved Helm template expressions are not reported
