Helm Chart Auditor

v1.0.0

Audit Helm charts for security, best practices, template correctness, and production readiness — check values, templates, hooks, dependencies, and RBAC.

License: MIT-0

Install

openclaw skills install helm-chart-auditor

Helm Chart Auditor

Audit Helm charts for security vulnerabilities, best practices, template correctness, and production readiness. Reviews Chart.yaml, values.yaml, templates, hooks, RBAC, and dependency management.

Usage

"Audit my Helm chart for issues"
"Check Helm templates for security"
"Review values.yaml for best practices"
"Validate Helm chart before publishing"

How It Works

1. Chart Discovery

cat Chart.yaml 2>/dev/null                 # chart metadata: name, version, appVersion, dependencies
cat values.yaml 2>/dev/null | head -50     # first 50 lines of the default values
ls templates/ 2>/dev/null                  # which Kubernetes objects the chart renders
helm lint . 2>&1                           # Helm's own template and schema checks

2. Security Audit

  • Containers running as root (no securityContext)
  • Missing resource limits (CPU/memory)
  • Privileged containers
  • Host network/PID access
  • Missing NetworkPolicies
  • Service accounts with excessive permissions
  • Secrets stored as plain text in values.yaml

3. Template Quality

  • Required values without defaults
  • Missing helper templates (_helpers.tpl)
  • Hardcoded values that should be in values.yaml
  • Missing labels (app.kubernetes.io standard)
  • Template rendering errors
  • Proper use of include vs template
  • .Release.Namespace for namespace scoping

4. Production Readiness

  • Health probes (liveness, readiness, startup)
  • PodDisruptionBudgets defined
  • Horizontal Pod Autoscaler configured
  • Anti-affinity rules for HA
  • Rolling update strategy configured
  • Proper image tag (no latest)
  • Image pull policy appropriate
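The Security Audit and Production Readiness items above are, in the end, checks over the manifests a chart renders. The following is an added example of such a checker, not the Helm Chart Auditor's own code: it takes the output of `helm template` already parsed into Python dicts (one per YAML document, as `yaml.safe_load_all()` would give you) and reports each finding as a (severity, rule, location) tuple that maps onto the Critical / Improvements sections of the report format shown under Output. The sample manifests, image names and rule names are constructed for the example.

```python
"""Audit rendered Helm manifests for the section 2-4 checks.
Added example, not the skill's code; input is `helm template` output parsed into dicts."""
from typing import Any

# Constructed sample: a chart with the problems the report above lists (not a real chart).
BAD_DOCS: list[dict[str, Any]] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "my-app", "labels": {"app": "my-app"}},
     "spec": {"replicas": 3, "template": {"spec": {
         "hostNetwork": True,
         "containers": [{"name": "web", "image": "example.invalid/my-app:latest",
                         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}}]}}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "my-app", "labels": {"app.kubernetes.io/name": "my-app"}},
     "spec": {"ports": [{"port": 80}]}},
]
# Constructed sample: the same chart after the fixes the report recommends.
GOOD_DOCS: list[dict[str, Any]] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "my-app", "labels": {"app.kubernetes.io/name": "my-app"}},
     "spec": {"replicas": 2, "template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
         "affinity": {"podAntiAffinity": {"preferredDuringSchedulingIgnoredDuringExecution": []}},
         "containers": [{"name": "web", "image": "example.invalid/my-app:1.2.0",
                         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                         "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}}},
    {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
     "metadata": {"name": "my-app", "labels": {"app.kubernetes.io/name": "my-app"}},
     "spec": {"minAvailable": 1}},
]

# Where the pod spec lives inside each workload kind.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj: Any, path: tuple) -> Any:
    """Walk nested dicts along `path`; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def image_tag(image: str) -> str:
    """Tag of an image reference: '' if absent, 'digest' if pinned by @sha256."""
    last = image.rsplit("/", 1)[-1]  # drop the registry host, which may carry a port
    if "@" in last:
        return "digest"
    return last.split(":", 1)[1] if ":" in last else ""


def audit_manifests(docs: list) -> list:
    """Return (severity, rule, location) findings for a list of rendered manifests."""
    findings = []
    multi_replica = False
    for doc in docs:
        kind = doc.get("kind", "?")
        where = f"{kind}/{_dig(doc, ('metadata', 'name')) or '?'}"
        if "app.kubernetes.io/name" not in (_dig(doc, ("metadata", "labels")) or {}):
            findings.append(("improvement", "missing-standard-labels", where))
        if kind not in POD_SPEC_PATH:
            continue
        pod = _dig(doc, POD_SPEC_PATH[kind]) or {}
        pod_sc = pod.get("securityContext") or {}
        for flag in ("hostNetwork", "hostPID", "hostIPC"):
            if pod.get(flag):
                findings.append(("critical", f"{flag}-enabled", where))
        replicas = _dig(doc, ("spec", "replicas"))
        if isinstance(replicas, int) and replicas > 1:
            multi_replica = True
            if not _dig(pod, ("affinity", "podAntiAffinity")):
                findings.append(("improvement", "no-pod-anti-affinity", where))
        for c in pod.get("containers") or []:
            cwhere = f"{where}/{c.get('name', '?')}"
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append(("critical", "privileged-container", cwhere))
            # runAsNonRoot may be set on the pod or the container; the container value wins.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                findings.append(("critical", "runs-as-root", cwhere))
            limits = _dig(c, ("resources", "limits")) or {}
            if "cpu" not in limits or "memory" not in limits:
                findings.append(("critical", "missing-resource-limits", cwhere))
            if image_tag(c.get("image", "")) in ("", "latest"):
                findings.append(("improvement", "mutable-image-tag", cwhere))
            if not (c.get("livenessProbe") and c.get("readinessProbe")):
                findings.append(("improvement", "missing-health-probes", cwhere))
    if multi_replica and not any(d.get("kind") == "PodDisruptionBudget" for d in docs):
        findings.append(("improvement", "no-pod-disruption-budget", "chart"))
    return findings


def count_by_severity(findings: list) -> dict:
    """Tally findings per severity, e.g. {'critical': 3, 'improvement': 5}."""
    counts: dict = {}
    for severity, _rule, _where in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_manifests(BAD_DOCS):
        print(*finding)
    print(count_by_severity(audit_manifests(BAD_DOCS)))
```

The `runAsNonRoot` lookup deliberately treats "unset" as a finding rather than assuming the image's `USER` is non-root, because the chart cannot know that at template time; the image tag check likewise treats a missing tag the same as `latest`, since both resolve to a mutable reference. Run against a real chart by piping `helm template . | python -c 'import sys, yaml; ...'` into `audit_manifests(list(yaml.safe_load_all(sys.stdin)))`.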

5. Values Schema

  • JSON Schema defined (values.schema.json)
  • Default values sensible for development
  • Production overlay documented
  • Sensitive values clearly marked
  • Environment-specific examples provided
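The Values Schema items above can be enforced by Helm itself: when a `values.schema.json` sits next to `values.yaml`, `helm lint`, `helm template`, `helm install` and `helm upgrade` validate the supplied values against it before rendering. Below is an added example schema, not part of the skill or any particular chart, that rejects a `latest` (or empty) image tag and requires CPU and memory limits; the value names `image.repository`, `image.tag`, `image.pullPolicy` and `resources.limits` are assumptions that follow common chart conventions, so adapt them to the chart's own `values.yaml`.

```json
{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "title": "Values for my-app (example schema)",
  "type": "object",
  "required": ["image", "resources"],
  "properties": {
    "image": {
      "type": "object",
      "required": ["repository", "tag"],
      "properties": {
        "repository": { "type": "string", "minLength": 1 },
        "tag": {
          "type": "string",
          "minLength": 1,
          "not": { "const": "latest" },
          "description": "Immutable version tag; 'latest' is rejected"
        },
        "pullPolicy": { "type": "string", "enum": ["IfNotPresent", "Always", "Never"] }
      }
    },
    "resources": {
      "type": "object",
      "required": ["limits"],
      "properties": {
        "limits": {
          "type": "object",
          "required": ["cpu", "memory"],
          "properties": {
            "cpu": { "type": "string" },
            "memory": { "type": "string" }
          }
        }
      }
    },
    "securityContext": {
      "type": "object",
      "properties": {
        "runAsNonRoot": { "type": "boolean", "const": true },
        "runAsUser": { "type": "integer", "minimum": 1 }
      }
    }
  }
}
```

With this file in place a `helm install my-app . --set image.tag=latest` fails at validation time with a message naming the offending key, which is a cheaper place to catch the problem than a running pod.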

Output

## Helm Chart Audit

**Chart:** my-app v1.2.0 | **Templates:** 8

### 🔴 Critical (2)
1. **Running as root** — templates/deployment.yaml
   No securityContext set → runs as root by default
   → Add: runAsNonRoot: true, runAsUser: 1000

2. **No resource limits** — templates/deployment.yaml
   Missing resources.limits → can consume all node resources
   → Add CPU/memory limits appropriate for workload

### 🟡 Improvements (4)
3. Image tag `latest` in values.yaml default
4. Missing PodDisruptionBudget template
5. No values.schema.json for validation
6. Missing anti-affinity for multi-replica deployments

### ✅ Good Practices
- Health probes configured (liveness + readiness)
- Standard labels applied via _helpers.tpl
- HPA template included with sensible defaults
- Chart.yaml has proper appVersion and description
