Assess Helm Chart Security with cnspec

Scan Helm charts for security misconfigurations before installing them in your Kubernetes clusters.

Use cnspec to scan Helm charts for security misconfigurations and policy violations before installing them in your Kubernetes clusters. cnspec parses Chart.yaml, values, templates, and the rendered Kubernetes resources, exposing chart metadata, dependencies, maintainers, and resources as queryable MQL resources.

Prerequisites

To scan Helm charts with cnspec, you must have:

Scan Helm charts

Scan a Helm chart directory:

cnspec scan helm ./my-chart

Scan a packaged chart archive:

cnspec scan helm my-chart-1.2.3.tgz

Scan options

Option                Description
--asset-name          Override the asset name
--annotation          Add an annotation to the asset (key=value)
--incognito           Run in incognito mode (do not report results to Mondoo Platform)
-o, --output          Set the output format (compact, full, json, junit, summary, yaml)
-f, --policy-bundle   Path to a policy file (local path, s3:// URI, or http(s):// URL)
--policy              Specify policies to execute (requires --policy-bundle)
--risk-threshold      Exit with status 1 if any risk meets or exceeds this value (0-100)

Example checks

Run cnspec shell helm ./my-chart to open the interactive MQL shell against the chart. From there you can run checks like the examples below.

List chart metadata

helm.charts { name version appVersion type }

Find deprecated charts

helm.charts.where(deprecated == true) { name version }

Inspect chart dependencies

helm.charts { dependencies { name version repository } }

Confirm every chart has a maintainer

helm.charts.all(maintainers.length > 0)

List all rendered Kubernetes resources

helm.charts { resources { kind name namespace } }

Check that no container runs as root

helm.charts {
  resources.where(kind == "Deployment").all(
    manifest["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"] == true
  )
}

Find templates that use Go template directives

helm.charts { templates { path directives { name } } }
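The interactive checks above are useful for exploration, but in a pipeline you want them codified and passed with -f so the scan can fail the build. The following policy bundle is an added example, not part of the cnspec project or its documentation; it combines the deprecation, maintainer and runAsNonRoot checks shown above, and the policy and query uids, the author name and the file name are placeholders.

```yaml
# helm-baseline.mql.yaml (added example; uids and author are placeholders)
policies:
  - uid: helm-chart-baseline
    name: Helm Chart Baseline
    version: 1.0.0
    authors:
      - name: Example Security Team
    groups:
      - title: Chart hygiene
        checks:
          - uid: helm-chart-not-deprecated
          - uid: helm-chart-has-maintainer
      - title: Workload hardening
        checks:
          - uid: helm-deployments-run-as-non-root

queries:
  # Deprecated charts no longer receive fixes; none of the scanned charts may set the flag.
  - uid: helm-chart-not-deprecated
    title: Chart is not marked deprecated
    impact: 30
    mql: helm.charts.none(deprecated == true)

  # A chart without a maintainer has nobody to contact for security fixes.
  - uid: helm-chart-has-maintainer
    title: Every chart lists at least one maintainer
    impact: 20
    mql: helm.charts.all(maintainers.length > 0)

  # Same check as the interactive example above, wrapped in all() so the
  # whole scan fails if any chart renders a Deployment without runAsNonRoot.
  - uid: helm-deployments-run-as-non-root
    title: Every rendered Deployment sets runAsNonRoot
    impact: 80
    mql: |
      helm.charts.all(
        resources.where(kind == "Deployment").all(
          manifest["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"] == true
        )
      )
```

Run it with cnspec scan helm ./my-chart -f helm-baseline.mql.yaml; adding --risk-threshold turns the scan into a CI gate that exits non-zero when the chart's risk meets the threshold.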

Learn more
