Skip to content

banzaicloud/chartsec

Chartsec: Helm Chart security checker

CircleCI Go Report Card GoDoc

Chartsec scans a Helm chart for potential security vulnerabilities for it's user. It's especially useful to check third-party charts before even decompressing them.

Usage

Chartsec can be used both as a library and an executable.

Build the binary executable with the following command:

go get github.com/banzaicloud/chartsec/cmd/chartsec

Use it to check a chart package:

chartsec path/to/package.tgz

Or use it as a library in your project:

package main

import (
	"os"
	
	"github.com/banzaicloud/chartsec"
)

func main() {
    file, err := os.Open("path/to/package.tgz")
    if err != nil {
        panic(err)
    }

    scanner := chartsec.NewDefaultChartScanner()

    err = scanner.Scan(file)
    if err != nil {
    	panic(err)
    }
}

Security checks

  • Compressed archive does not exceed 10MB
  • Decompressed archive does not exceed 10MB
  • Markdown files do not contain malicious content (html script, etc)

Why is everything in package internal?

While we believe this package is ultimately useful for anyone who work with third-party charts, the API is not quite stable yet, the implementation might change, so we decided to expose only what's necessary to use the core functionality to prevent ossification.

License

Apache 2.0 License. Please see License File for more information.