Secure Helm Charts with cnspec
Scan Helm charts for security misconfigurations before installing them in your Kubernetes clusters.
import IacScanOptions from './_iac-scan-options.mdx';
Catch insecure Kubernetes configurations before installing a chart. cnspec parses Chart.yaml, values, templates, and the rendered Kubernetes resources, exposing chart metadata, dependencies, maintainers, and resources as queryable MQL resources. The Kubernetes Security policy applies to the rendered resources, and you can use the Helm provider inside your own policies to enforce chart-level standards.
Prerequisites
To scan Helm charts with cnspec, you must have:
- cnspec installed on your workstation
- A Helm chart directory or
.tgzarchive to scan
Scan Helm charts
Scan a Helm chart directory:
cnspec scan helm ./my-chartScan a packaged chart archive:
cnspec scan helm my-chart-1.2.3.tgzExample checks
Run cnspec shell helm ./my-chart to open the interactive shell. From there you can make checks like the examples below.
List chart metadata
helm.charts { name version appVersion type }Find deprecated charts
helm.charts.where(deprecated == true) { name version }Inspect chart dependencies
helm.charts { dependencies { name version repository } }Confirm every chart has a maintainer
helm.charts.all(maintainers.length > 0)List all rendered Kubernetes resources
helm.charts { resources { kind name namespace } }Check that no container runs as root
helm.charts {
resources.where(kind == "Deployment").all(
manifest["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"] == true
)
}Find templates that use Go template directives
helm.charts { templates { path directives { name } } }Learn more
-
For the full MQL resource reference, see the MQL Helm provider documentation.
-
To learn more about how the MQL query language works, read Write Effective MQL.