GitHub - VahidR/helmsniff: A Go CLI tool that scans rendered Kubernetes/Helm manifests and produces a CSV & JSON report of security misconfigurations. · GitHub
# helmsniff

A Go CLI tool that scans rendered Kubernetes/Helm manifests and produces a CSV or JSON report of security misconfigurations.

## Security Checks

Every output row begins with two context columns, followed by one column per check. Check columns are binary integers (1 = violation/detected, 0 = ok), while K8S_STATUS and HELM_STATUS are booleans (true/false).
| Column | Type | Description |
|---|---|---|
| DIR | string | Parent directory (chart) path, or input label for stdin mode |
| YAML_FULL_PATH | string | Full path to the analyzed YAML file, or input label for stdin mode |
| WITHIN_MANIFEST_SECRET | int | Document is a Secret with non-empty data/stringData |
| VALID_TAINT_SECRET | int | Reserved for taint-based secret detection (always 0; not yet implemented) |
| SEC_CONT_OVER_PRIVIL | int | Container running in privileged mode |
| INSECURE_HTTP | int | A plaintext http:// URL found anywhere in the document |
| NO_SECU_CONTEXT | int | No securityContext at pod level or on any container |
| NO_DEFAULT_NSPACE | int | No namespace specified in resource metadata |
| NO_RESO | int | A container is missing both resource requests and limits |
| NO_ROLLING_UPDATE | int | Deployment uses Recreate or lacks a rollingUpdate strategy |
| NO_NETWORK_POLICY | int | Chart contains no NetworkPolicy resource |
| TRUE_HOST_PID | int | hostPID: true |
| TRUE_HOST_IPC | int | hostIPC: true |
| DOCKERSOCK_PATH | int | /var/run/docker.sock mounted via hostPath |
| TRUE_HOST_NET | int | hostNetwork: true |
| CAP_SYS_ADMIN | int | SYS_ADMIN capability added to a container |
| HOST_ALIAS | int | hostAliases present in the pod spec |
| ALLOW_PRIVI | int | allowPrivilegeEscalation: true |
| SECCOMP_UNCONFINED | int | seccompProfile.type set to Unconfined |
| CAP_SYS_MODULE | int | SYS_MODULE capability added to a container |
| K8S_STATUS | bool | Document is a valid Kubernetes resource (has apiVersion and kind) |
| HELM_STATUS | bool | Document is managed by Helm (managed-by: Helm label or helm.sh/chart label) |
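As an added example (not helmsniff's own code), a handful of the checks above re-implemented in Go over an already-decoded document: it assumes the manifest was unmarshalled by a YAML library such as gopkg.in/yaml.v3 into `map[string]interface{}`, and the `Row`, `dig` and `Check` names plus the sample Deployment are constructed for illustration.

```go
package main
import "fmt"

// Doc is one decoded manifest, as yaml.v3 would produce it (decoding assumed done).
type Doc = map[string]interface{}

// Row holds the subset of helmsniff columns computed here (1 = violation, 0 = ok).
type Row struct {
	SecContOverPrivil, NoSecuContext, NoDefaultNspace, NoReso, TrueHostPID, AllowPrivi int
	K8sStatus                                                                          bool
}

// dig follows a key path through nested maps, returning nil if any step is missing.
func dig(v interface{}, path ...string) interface{} {
	for _, k := range path {
		m, ok := v.(map[string]interface{})
		if !ok {
			return nil
		}
		v = m[k]
	}
	return v
}

func flag(b bool) int { if b { return 1 }; return 0 }

// Check evaluates one document; the pod spec is spec.template.spec, or spec for a bare Pod.
func Check(d Doc) Row {
	spec := dig(d, "spec", "template", "spec")
	if d["kind"] == "Pod" { spec = d["spec"] }
	ctrs, _ := dig(spec, "containers").([]interface{})
	r := Row{
		K8sStatus:       d["apiVersion"] != nil && d["kind"] != nil,
		NoDefaultNspace: flag(dig(d, "metadata", "namespace") == nil),
		TrueHostPID:     flag(dig(spec, "hostPID") == true),
		NoSecuContext:   flag(dig(spec, "securityContext") == nil),
	}
	for _, c := range ctrs {
		r.NoSecuContext &= flag(dig(c, "securityContext") == nil) // 1 only if every level lacks one
		r.SecContOverPrivil |= flag(dig(c, "securityContext", "privileged") == true)
		r.AllowPrivi |= flag(dig(c, "securityContext", "allowPrivilegeEscalation") == true)
		r.NoReso |= flag(dig(c, "resources", "requests") == nil && dig(c, "resources", "limits") == nil)
	}
	return r
}

func main() { // constructed sample: hostPID plus a privileged container, no namespace
	doc := Doc{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": Doc{"name": "web"}, "spec": Doc{"template": Doc{
		"spec": Doc{"hostPID": true, "containers": []interface{}{Doc{"name": "app", "securityContext": Doc{"privileged": true}}}}}}}
	fmt.Printf("%+v\n", Check(doc))
}
```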
## Prerequisites

- Go 1.22+
- GNU Make

## Build

```sh
make build
```

The binary is compiled to `bin/helmsniff`.
## Usage

```sh
./bin/helmsniff --root <rendered_dir|-> --out <output_path|-> [--format csv|json]
```

Flags:

| Flag | Description |
|---|---|
| `--root` | Path to directory containing rendered Kubernetes manifests, or `-` to read from stdin |
| `--out` | Path to output file, or `-` to write to stdout |
| `--format` | Output format: `csv` (default) or `json` |
### Batch processing

Scan multiple charts in parallel using GNU parallel:

```sh
parallel ./bin/helmsniff --root {} --out reports/{/}.csv ::: datasets/rendered/*/
```

### JSON output

Generate a JSON report instead of CSV:

```sh
./bin/helmsniff --root datasets/rendered/mychart --out report.json --format json
```

### Stdin pipe

Pipe `helm template` output directly without writing intermediate files:

```sh
helm template mychart ./charts/mychart | ./bin/helmsniff --root - --out - --format json
```

Or save to a file:

```sh
helm template mychart ./charts/mychart | ./bin/helmsniff --root - --out report.csv
```
## Makefile Targets

| Target | Description |
|---|---|
| `make build` | Compile the binary |
| `make clean` | Remove `bin/` directory |
| `make tidy` | Run `go mod tidy` |
| `make vet` | Run `go vet ./...` |
| `make lint` | Run golangci-lint (must be installed) |
| `make test` | Run tests with race detector |
## Project Structure

```text
helmsniff/
├── cmd/main.go                  # CLI entry point (flags, walking, CSV/JSON output)
├── internal/
│   ├── config/constants.go      # CSV header definition
│   ├── parser/
│   │   ├── parser.go            # YAML document loader (file & reader)
│   │   └── parser_test.go
│   └── scanner/
│       ├── scanner.go           # File walking & analysis orchestration
│       ├── security_checks.go   # Individual check implementations
│       ├──...
```