So far, this code has been used to generate a dataset for investigation into the current state of Helm security posture.
It needs plenty of work and we have a roadmap planned, in our issues backlog, here
You can find the written based on the data generated here, once the articles are live.
This is a work-in-progress codebase designed to automate discovering, templating, security scanning, then recording and providing easy access to the results for publically available Helm charts.
We're currently using our static analysis tool Checkov.io for the security scan.
Currently, the scanner enumerates all Helm charts from repositories listed as containing HELM in https://artifacthub.io, for each repo, we collect all available charts, download the latest version of each and scans them with the Checkov.
Checkov already handles templating out the Helm3 charts, based on default values.yml and running te resultant Kubernetes manifests through our kubernetes checks.
Then you can use checkov.io directly if you're not looking to collect ans analyse data across thousands of public charts.
Simply:
pip install checkov
checkov -d <path to Chart directories or K8S yaml>
For more info on Checkov, see Checkov.io
The dataset is outputted as a number of CSV's, by default in a local dir ./results.
For each repository found in https://artifacthub.io, we output three CSV's:
- checks-reponame.csv: List of all checks, passed and failed for each chart within the repo, including chart metadata.
- summarytable-reponame.csv: Summary of passed and failed checks per Chart from the given repo.
- deps-table-reponame.csv: Listing of all the Helm chart dependancies per Chart, and wether they were resolved prior to scanning (
helm depsoutput metadata).
The CSV's are formatted in this way to make upload to Amazon S3 and then consumption by AWS Quicksight simple. However, we do plan to expose this data in a more consumable way, via API's and/or integrating with existing security dashboards, as easily sharing or providing public access to quicksight data is not possible. See issues backlog, here
You'll need an artifacthub API token and secret token pair, provided as environment variables, then main.py can just be run, for example:
pipenv shell
ARTIFACTHUB_TOKEN=token ARTIFACTHUB_TOKEN_SECRET=secret python main.py
| ID | Policy Name | Type | Kubernetes Object | Policy Description |
|---|---|---|---|---|
| 570 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace |
| 571 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers |
| 572 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace |
| 573 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace |
| 574 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation |
| 575 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers |
| 576 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability |
| 577 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured |
| 578 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured |
| 579 | CKV_K8S_10 | resource | containers | CPU requests should be set |
| 580 | CKV_K8S_10 | resource | initContainers | CPU requests should be set |
| 581 | CKV_K8S_11 | resource | containers | CPU limits should be set |
| 582 | CKV_K8S_11 | resource | initContainers | CPU limits should be set |
| 583 | CKV_K8S_12 | resource | containers | Memory requests should be set |
| 584 | CKV_K8S_12 | resource | initContainers | Memory requests should be set |
| 585 | CKV_K8S_13 | resource | containers | Memory limits should be set |
| 586 | CKV_K8S_13 | resource | initContainers | Memory limits should be set |
| 587 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank |
| 588 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank |
| 589 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always |
| 590 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always |
| 591 | CKV_K8S_16 | resource | containers | Container should not be privileged |
| 592 | CKV_K8S_16 | resource | initContainers | Container should not be privileged |
| 593 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace |
| 594 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace |
| 595 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace |
| 596 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace |
| 597 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace |
| 598 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace |
| 599 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace |
| 600 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace |
| 601 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace |
| 602 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace |
| 603 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace |
| 604 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace |
| 605 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace |
| 606 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace |
| 607 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace |
| 608 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace |
| 609 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace |
| 610 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace |
| 611 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace |
| 612 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace |
| 613 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace |
| 614 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace |
| 615 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace |
| 616 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace |
| 617 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation |
| 618 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation |
| 619 | CKV_K8S_21 | resource | Service | The default namespace should not be used |
| 620 | CKV_K8S_21 | resource | Pod | The default namespace should not be used |
| 621 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used |
| 622 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used |
| 623 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used |
| 624 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used |
| 625 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used |
| 626 | CKV_K8S_21 | resource | Job | The default namespace should not be used |
| 627 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used |
| 628 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used |
| 629 | CKV_K8S_21 | resource | Secret | The default namespace should not be used |
| 630 | CKV_K8S_21 | resource | Role | The default namespace should not be used |
| 631 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used |
| 632 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used |
| 633 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used |
| 634 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible |
| 635 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible |
| 636 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers |
| 637 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers |
| 638 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers |
| 639 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers |
| 640 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers |
| 641 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers |
| 642 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers |
| 643 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers |
| 644 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability |
| 645 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability |
| 646 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability |
| 647 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary |
| 648 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary |
| 649 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers |
| 650 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers |
| 651 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers |
| 652 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers |
| 653 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers |
| 654 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers |
| 655 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers |
| 656 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers |
| 657 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability |
| 658 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability |
| 659 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers |
| 660 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers |
| 661 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers |
| 662 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers |
| 663 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers |
| 664 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers |
| 665 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers |
| 666 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers |
| 667 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers |
| 668 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers |
| 669 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 670 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 671 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 672 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 673 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 674 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 675 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 676 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 677 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default |
| 678 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed |
| 679 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed |
| 680 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed |
| 681 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed |
| 682 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables |
| 683 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables |
| 684 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned |
| 685 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned |
| 686 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned |
| 687 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary |
| 688 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary |
| 689 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary |
| 690 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary |
| 691 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary |
| 692 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary |
| 693 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary |
| 694 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary |
| 695 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability |
| 696 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability |
| 697 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict |
| 698 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict |
| 699 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict |
| 700 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict |
| 701 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict |
| 702 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict |
| 703 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict |
| 704 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict |
| 705 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used |
| 706 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used |
| 707 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used |
| 708 | CKV_K8S_43 | resource | containers | Image should use digest |
| 709 | CKV_K8S_43 | resource | initContainers | Image should use digest |
| 710 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted |
| 711 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
| 712 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
| 713 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles |
| 714 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles |
| 715 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false |
| 716 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set |
| 717 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set |
| 718 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true |
| 719 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
| 720 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| 721 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 722 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node |
| 723 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC |
| 724 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set |
| 725 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set |
| 726 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set |
| 727 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| 728 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set |
| 729 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set |
| 730 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set |
| 731 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set |
| 732 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set |
| 733 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 |
| 734 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 |
| 735 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false |
| 736 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set |
| 737 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| 738 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| 739 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| 740 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate |
| 741 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true |
| 742 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate |
| 743 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| 744 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| 745 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate |
| 746 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured |
| 747 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
| 748 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
| 749 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false |
| 750 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true |
| 751 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate |
| 752 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate |
| 753 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true |
| 754 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 755 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false |
| 756 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 757 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate |
| 758 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true |
| 759 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true |
| 760 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
| 761 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true |
| 762 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false |
| 763 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 764 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate |
| 765 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 |
| 766 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| 767 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true |
| 768 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true |
| 769 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set |
| 770 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
| 771 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| 772 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false |
| 773 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true |
| 774 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
