Helm Chart Linter

Dev Tools

Lint and validate Helm charts for structure, security, dependencies, and best practices. Use when asked to lint, validate, check, or audit Helm charts, verify Chart.yaml, values.yaml, templates, or ensure Helm chart quality. Triggers on "lint helm", "validate chart", "check helm chart", "helm best practices".

Install

openclaw skills install helm-chart-linter

Helm Chart Linter

A pure Python 3 (stdlib only) linter and validator for Helm chart directories. Checks structure, security, dependencies, and best practices across 22 rules.

Commands

python3 scripts/helm_chart_linter.py <command> <chart-dir> [options]

Command        Description
lint           Lint chart structure and best practices (all rules)
security       Run security-focused checks only
dependencies   Validate Chart.yaml/Chart.lock dependencies
validate       Full validation: structure + security + dependencies

Options

Option                         Description
--format text|json|markdown    Output format (default: text)
--strict                       Exit 1 on warnings as well as errors (CI mode)

Examples

# Basic lint
python3 scripts/helm_chart_linter.py lint ./my-chart

# Full validation with JSON output
python3 scripts/helm_chart_linter.py validate ./my-chart --format json

# Security audit, strict mode for CI
python3 scripts/helm_chart_linter.py security ./my-chart --strict

# Dependency check with Markdown report
python3 scripts/helm_chart_linter.py dependencies ./my-chart --format markdown

Rules

Structure (6 rules)

  1. CHART001 — Chart.yaml exists and has required fields (apiVersion, name, version, description)
  2. CHART002 — Version is valid semver
  3. CHART003 — values.yaml exists
  4. CHART004 — templates/ directory exists
  5. CHART005 — NOTES.txt exists in templates/ (warning)
  6. CHART006 — .helmignore exists (warning)

Security (6 rules)

  1. SEC001 — No hardcoded secrets in values.yaml (passwords, tokens, keys)
  2. SEC002 — No privileged containers (securityContext.privileged: true)
  3. SEC003 — No hostNetwork, hostPID, or hostIPC enabled
  4. SEC004 — Resource limits defined in templates
  5. SEC005 — No runAsRoot without explicit runAsNonRoot
  6. SEC006 — Image tags not "latest"
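
To show what line-based checks like SEC002, SEC003 and SEC006 can look like with only the standard library (which has no YAML parser), here is an added example. It is not the linter's own code; the function name, the regular expressions and the sample template are constructed for illustration.

```python
import re

# Constructed sample: a Deployment template fragment with three violations.
SAMPLE_TEMPLATE = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      hostNetwork: true
      hostPID: false
      containers:
        - name: app
          image: "nginx:latest"  # mutable tag
          securityContext:
            privileged: true
        - name: sidecar
          image: "{{ .Values.sidecar.repository }}:{{ .Values.sidecar.tag }}"
          # privileged: true   (commented out, must not be flagged)
"""

# Rule IDs are from the rule list above; the patterns are assumptions.
CHECKS = [
    ("SEC002", re.compile(r"^\s*privileged:\s*true\b"), "privileged container"),
    ("SEC003", re.compile(r"^\s*(hostNetwork|hostPID|hostIPC):\s*true\b"),
     "host namespace enabled"),
    # Literal tags only: a templated tag ({{ .Values... }}) has to be
    # checked in values.yaml instead, so braces are excluded here.
    ("SEC006", re.compile(r"""^\s*(?:-\s*)?image:\s*["']?[^\s"'{}]+:latest["']?\s*$"""),
     "image tag is 'latest'"),
]


def scan_template(text):
    """Return (line_no, rule_id, message) findings for one template file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw)  # drop YAML comments
        for rule_id, pattern, message in CHECKS:
            if pattern.match(line):
                findings.append((line_no, rule_id, message))
    return findings


if __name__ == "__main__":
    for line_no, rule_id, message in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {rule_id} {message}")
```

A line-based scan like this misses settings written in YAML flow style or injected through values, which is why a templated image tag also needs a check against values.yaml.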

Dependencies (4 rules)

  1. DEP001 — Chart.lock present and matches Chart.yaml dependencies
  2. DEP002 — No wildcard version constraints
  3. DEP003 — Repository URLs use HTTPS
  4. DEP004 — No duplicate dependency names

Best Practices (6 rules)

  1. BP001 — Labels include app.kubernetes.io/name, version, managed-by
  2. BP002 — Liveness and readiness probes defined
  3. BP003 — Service account name configured
  4. BP004 — Namespace not hardcoded in templates
  5. BP005 — No deprecated API versions (extensions/v1beta1, apps/v1beta1, etc.)
  6. BP006 — Values documented with comments

Exit Codes

Code   Meaning
0      No issues (or only warnings in normal mode)
1      Errors found (or warnings found in --strict)
2      Script/usage error