helm charts security

Checking Helm Charts for security misconfigurations

June 3, 2020 | in Container Security
| By Gareth Rushgrove

Our new Kubernetes configuration feature in Snyk, which checks your configuration files for misconfigurations, now supports Helm Charts. You can now find potential security issues in your Helm charts at the same time as identifying vulnerabilities in the application source code.

Helm Charts and templating Kubernetes configuration

Helm is a popular tool for packaging up applications for Kubernetes. It’s an active CNCF project which hosts both the package management tools and a repository of Charts for a wide range of popular software. Helm uses templates to define the Kubernetes configs, rendering the final configuration based on the templates and on external and default values.

But the configuration in your Helm Chart may result in a less-than-secure application running in your cluster. It’s easy to leave your applications running as root, with the full set of Linux capabilities and without resource limits, all of which can raise the risk of the running application being compromised. With Snyk’s new functionality we want to help catch those issues early, directly from your source code.

Seeing Helm Charts in Snyk

Let’s have a look at what happens today if you import a Git repository into Snyk.

In this example, we have a Node.js application that we have packaged up using Helm. When imported into Snyk we see the following:

So we show each of the templates in your Helm Chart, identifying issues in each. This makes it easy to get straight to the problem.

For each of the templates, we show the issues identified and the line in the template which they relate to. You can also choose to ignore specific issues as well, if they aren’t of concern, either for a specific period of time or indefinitely if you prefer.

Next steps

If you’d like to try this feature out you can head over to our documentation to see all of the details. We’ll be enabling this by default for everyone soon, but if it’s not already enabled on your account you can flip the switch yourself in the settings.

We have lots of ideas to build on our new configuration functionality and we’d love to hear what you think as well. In the future, we’ll be making the same functionality available via CLI and CI/CD, expanding the types of issues we detect, and adding support for additional configuration formats as well. All in pursuit of making it even easier to develop secure software.