
Webhook reporting is not working when alternative storage is used #2682

@vmax

What steps did you take and what happened:

  1. Install trivy-operator onto the cluster with the following values set:

     operator:
       webhookBroadcastURL: "..." # any webhook here
     alternateReportStorage:
       enabled: true

What did you expect to happen:

All types of reports (VulnerabilityReport, ExposedSecretReport, ConfigAuditReport, InfraAssessmentReport, ClusterComplianceReport, RbacAssessmentReport, ClusterRbacAssessmentReport, ClusterConfigAuditReport, ClusterInfraAssessmentReport, SbomReport) being sent to the webhook.

Instead, the webhook is only getting ClusterComplianceReport.

Anything else you would like to add:

The issue occurs because:

  1. When AltReportStorageEnabled is false (default):
  • Reports are written as Kubernetes Custom Resources (CRs) in etcd
  • The webhook reconciler watches these CRDs and sends webhook notifications when they change
  • WebhookBroadcastURL receives notifications
  2. When AltReportStorageEnabled is true:
  • Reports are written to the filesystem as JSON files
  • No CRs are created/updated
  • The webhook reconciler has nothing to watch since no CRs are created
  • WebhookBroadcastURL receives no notifications

Environment:

  • Trivy-Operator version (use trivy-operator version): {"Version":"0.27.3","Commit":"a086c84b3f20ed1fe670c3c29621c4de32e57468","Date":"2025-07-10T22:29:22Z"}
  • Kubernetes version (use kubectl version):

     Client Version: v1.33.3
     Kustomize Version: v5.6.0
     Server Version: v1.32.1

  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): host k8s node is Ubuntu 20

Labels: kind/bug (Categorizes issue or PR as related to a bug.)
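Added example, not part of the issue and not trivy-operator code: a stop-gap forwarder for the gap described above, which polls the directory holding the JSON report files and POSTs each new or changed file to the webhook URL. The directory path, the recursive `*.json` layout, and sending the file content unchanged as the request body are assumptions; the payload the operator's own webhook sends may differ.

```python
import hashlib
import json
import urllib.request
from pathlib import Path


def post_json(url, payload):
    """POST one report as JSON; raises on network or HTTP (4xx/5xx) errors."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def forward_changed_reports(report_dir, url, seen, send=post_json):
    """Send every new or modified *.json report under report_dir to url.

    `seen` maps file path -> SHA-256 of the last content delivered, so an
    unchanged file is not re-sent. Returns the list of paths sent.
    """
    sent = []
    for path in sorted(Path(report_dir).rglob("*.json")):
        raw = path.read_bytes()
        digest = hashlib.sha256(raw).hexdigest()
        if seen.get(str(path)) == digest:
            continue
        try:
            payload = json.loads(raw)
        except ValueError:
            continue  # file is still being written; retry on the next pass
        try:
            send(url, payload)
        except OSError:
            continue  # delivery failed: leave unrecorded so it is retried
        seen[str(path)] = digest
        sent.append(str(path))
    return sent


if __name__ == "__main__":
    import sys
    import time
    state = {}  # in-memory only: every report is re-sent after a restart
    while True:  # usage: forwarder.py <report_dir> <webhook_url>
        forward_changed_reports(sys.argv[1], sys.argv[2], state)
        time.sleep(30)
```

A report is recorded as delivered only after the POST succeeds, so a webhook outage delays notifications instead of dropping them.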