Skip to content

v1.0.0

Latest

Choose a tag to compare

@ugiordan ugiordan released this 07 Jul 20:39

helm-guard v1.0.0

Static security analysis for Helm chart supply chain integrity. Catches risks that Checkov, Trivy, and kube-linter miss.

40 checks across 10 categories

Category Checks Examples
Pinning HLM-PIN-001..005 SemVer ranges, Chart.lock, image tags, OLM channels, SemVer compliance
Injection HLM-INJ-001..008 tpl, lookup, env, getHostByName, shell injection, .Files.Get, hardcoded registries
Trust HLM-TRUST-001..007 Missing schema, secrets, untrusted repos, hostNetwork, HTTP URLs, NetworkPolicy, global overrides
Hooks HLM-HOOK-001..003 SecurityContext, delete policy, post-renderer scripts
OLM HLM-OLM-001..004 Auto-approval, community catalog, privileged namespace, unstable channels
Provenance HLM-PROV-001 Missing chart signature
Namespace HLM-NS-001..002 Privileged namespace, release namespace schema
Dependencies HLM-DEP-001..004 Security overrides, version conflicts, typosquatting, alias hiding
Security HLM-SEC-001..006 Path traversal (CVE-2024-25620), symlinked Chart.lock (CVE-2025-53547), valueFiles traversal (CVE-2022-24348), SA automount, .helmignore

CVEs covered

CVE-2020-11013, CVE-2023-25165, CVE-2024-25620, CVE-2025-53547, CVE-2026-35204, CVE-2022-24348

Features

  • Three-tier parser: structured YAML, text regex, rendered output (opt-in)
  • No helm CLI dependency by default
  • Render mode safety interlock
  • --explain flag for rule details
  • Pre-commit hook support
  • SARIF output for GitHub Code Scanning

Ecosystem tested

  • odh-gitops: 3 findings (tuned from 11 after real-world feedback)
  • 18 bitnami charts, 3 prometheus, 3 grafana: zero crashes
  • 149 tests

Install

pip install git+https://github.com/ugiordan/helm-guard.git@v1.0.0

Docs

https://ugiordan.github.io/helm-guard/