Safeguard
Container Security

What is Helm Chart Security

Helm chart security means finding and fixing the RBAC, secrets, and supply chain risks baked into Kubernetes' most-used packaging format.

Priya Mehta
DevSecOps Engineer
7 min read

Helm chart security is the practice of finding and fixing vulnerabilities, misconfigurations, and supply chain risks inside Helm charts — the packaged, templated Kubernetes manifests that CNCF's 2023 annual survey found underlying the majority of production Kubernetes deployments. A single chart can bundle dozens of Kubernetes objects in one install: Deployments, Services, ConfigMaps, Secrets, RBAC bindings, and Ingress rules, and every one of those objects is inherited by whichever cluster runs helm install. When a popular chart ships a default of privileged: true, a hardcoded database password in values.yaml, or a ClusterRoleBinding to cluster-admin, that misconfiguration doesn't stay contained to one namespace — it propagates to every team and every environment that installs the chart without auditing the underlying templates first. Artifact Hub alone lists more than 8,000 charts across 300+ repositories, and most engineering teams pull from public chart repositories with far less scrutiny than they'd apply to a container base image or an npm dependency.

What Is a Helm Chart, and Why Does It Create Unique Attack Surface?

A Helm chart is a versioned package of Chart.yaml, values.yaml, and a templates/ directory of Go-templated YAML that Helm's client renders into raw Kubernetes manifests before kubectl apply ever runs — and that templating layer is exactly where risk concentrates, because the rendered output is often never reviewed line by line. Before Helm 3.0 shipped on November 13, 2019, Helm relied on an in-cluster component called Tiller that typically ran with cluster-admin privileges, turning any Tiller compromise into a full-cluster takeover; Helm 3 removed Tiller entirely and moved rendering client-side, which closed that specific hole but shifted the remaining risk onto chart authors' defaults. Charts also support subcharts (nested dependency charts pulled in via Chart.yaml's dependencies field) and lifecycle hooks (pre-install, post-install, pre-upgrade Jobs) that execute arbitrary container images during install — both are common paths for a compromised or typosquatted dependency to run code inside your cluster before anyone reviews the diff.

What Are the Most Common Helm Chart Security Misconfigurations?

The most common Helm chart misconfigurations are overly broad RBAC bindings, hardcoded secrets in values.yaml, privileged or root-running containers, missing resource limits, and mutable latest-style image tags baked into the chart's default values. A ClusterRoleBinding to cluster-admin is a frequent default in charts that need to manage custom resources cluster-wide (common in operator-style charts for logging, monitoring, or service mesh tooling), and teams that install with helm install --create-namespace without reading templates/rbac.yaml inherit that binding silently. values.yaml files are also a routine home for plaintext credentials — database passwords, API tokens, TLS keys — because they're the easiest place for a chart author to expose a configurable field, and unlike Kubernetes Secrets, values.yaml is frequently committed to Git in GitOps repositories (ArgoCD and Flux both work directly against chart values files). helm template output run through a static analyzer regularly turns up containers missing runAsNonRoot: true, allowPrivilegeEscalation: false, and CPU/memory limits — defaults that many upstream charts still omit because setting them can break naive installs on constrained clusters.

How Have Insecure Helm Chart Defaults Led to Real-World Cluster Compromises?

Insecure Helm chart defaults have directly enabled cluster compromise, most visibly in the Kubeflow cryptomining campaigns documented by Microsoft's Azure Security Center in an April 2020 report. Kubeflow's Helm-based installation exposed its central dashboard through Istio's ingress gateway with no authentication enabled by default; attackers scanned for exposed instances, deployed malicious TensorFlow jobs through the dashboard, and used the compute to run XMRig cryptocurrency miners across compromised clusters — Microsoft's telemetry showed multiple large-scale campaigns targeting this exact default. The root cause wasn't a code vulnerability in Kubeflow itself; it was a Helm chart shipping a permissive default (no auth on an internet-facing Ingress) that operators didn't override before exposing the service. The same pattern — a chart's default service.type: LoadBalancer or ingress.enabled: true combined with no authentication middleware — has recurred with exposed Redis, Grafana, and Kubernetes Dashboard deployments installed via Helm, because charts optimize their defaults for a fast first install, not a secure one.

What Supply Chain Risks Are Specific to Helm Charts?

Helm charts carry supply chain risk because most teams install from third-party repositories with no signature verification, and a chart's provenance is only as trustworthy as whoever last published it. Helm supports chart signing via helm package --sign and .prov files backed by a GPG keyring, and since Helm 3.8.0 (March 2022) charts can be pushed to and pulled from OCI registries — enabling Sigstore/Cosign-based signing and verification the same way container images are signed — but adoption of either mechanism remains the exception rather than the rule for public charts. The risk isn't hypothetical: in August 2024, Broadcom (which now owns Bitnami) announced that Bitnami's catalog — among the most-installed chart sets on Artifact Hub, covering images like bitnami/postgresql, bitnami/mysql, and bitnami/wordpress — would restrict free, actively patched container image tags starting in late 2025, pushing organizations that had pinned to Bitnami-maintained images toward an unmaintained legacy repository unless they migrated. Any team that had hardcoded a Bitnami chart's image reference into a values override, without tracking upstream changes, inherited that supply chain shift with no warning inside their own CI/CD pipeline.

How Do You Scan and Secure Helm Charts Before Deployment?

You secure Helm charts by rendering them with helm template and scanning the rendered output before it ever reaches kubectl apply or a GitOps controller, because scanning the raw templates alone misses everything that only appears after values substitution. Open-source tooling like helm lint catches structural chart errors, Checkov and Kubeaudit scan rendered manifests for CIS Kubernetes Benchmark violations (privileged containers, missing securityContext, host path mounts), and Trivy — integrated into Artifact Hub's security report feature since 2021 — scans the container images a chart references for known CVEs. Policy engines like OPA/Gatekeeper or Kyverno can then enforce admission-time rules (block hostNetwork: true, require resource limits, deny :latest tags) so a misconfigured chart is rejected at the cluster boundary even if it slipped past CI. The practical sequence most teams converge on is: pin chart versions and image digests (not tags) in Chart.lock, render and scan on every pull request, verify signatures for OCI-hosted charts, and gate cluster admission with policy enforcement as a final backstop.

How Safeguard Helps

Safeguard extends this pipeline with reachability analysis that tells you which CVEs flagged in a chart's referenced images are actually loaded and exploitable in your running workloads, cutting through the noise of scan results that list every base-image vulnerability regardless of whether the vulnerable package path is ever invoked. Griffin AI, Safeguard's reasoning engine, reviews rendered chart output alongside your cluster's actual RBAC and network policy context to prioritize the misconfigurations — an over-broad ClusterRoleBinding, a missing runAsNonRoot, an exposed Ingress with no auth — that translate into real attack paths rather than theoretical ones. Safeguard generates and ingests SBOMs for the container images your charts pull, so you get a verifiable inventory of every package inside a Bitnami, Bitnami-alternative, or in-house chart's dependency tree, not just what the chart's Chart.yaml claims. When a fix is available, Safeguard opens an auto-fix pull request against the chart's values.yaml or Chart.lock — pinning a patched image digest or correcting a default — so remediation lands as a reviewable diff instead of a manual hunt through templates.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.