Helm is becoming a popular way to manage Kubernetes manifests with reusable components. Public repositories like ArtifactHub have made Helm charts even more shareable and, consequently, even more susceptible to violating security best practices and introducing risk to your environment.
Several months ago, we showed you how to scan Helm charts’ outputted Kubernetes manifests with Checkov and the
helm template command. Since then, we’ve received lots of feedback and requests for native Checkov Helm scanning that requires less manual setup. We’re excited to make those requests a reality with the addition of Helm chart detection and automated templating and scanning in Checkov!
This update is made possible by the new Helm framework, which is enabled by default as of Checkov v0.182, or can be called explicitly with the
—framework helm command. You can try it out for yourself by pointing Checkov at a directory containing Helm 3 compatible charts.
Checkov will automatically check your charts against 150+ out-of-the-box checks for Kubernetes deployments. For example, in the image above, you can see Checkov running against the Helm chart within Kubernetes Goat, and finding an issue.
If the Helm scanning feature is useful for you, please let us know by shouting out @bridgecrewio!
Checkov contributor? Read on!
Challenges with enabling frameworks with external dependencies
When adding Helm scanning, we ran into some interesting challenges brought about by the lack of API bindings for the Helm 3 binary. (Annoyingly, previous Helm versions did enable this)
That led us to the broader challenge of supporting frameworks with external, non-Pythonic dependencies. And doing so without breaking the user experience for existing Checkov users who may be automatically retrieving the latest version of Checkov via Github Actions or a Docker container.
To solve both of those challenges, we added a new
—skip-framework option within Checkov and an optional
system_deps = True flag for each Checkov framework, which accompanies an optional
This flag now allows Checkov to optionally run the dependency check function against any framework that states it needs dependencies and automatically adds any framework failing these checks to the —skip-framework option at runtime.
Any existing frameworks that do not declare
system_deps = True will continue to function as expected.