Bridgecrew.io
  • About Bridgecrew by Prisma Cloud
Checkov home
  • Docs
    • Quick start
    • Overview
    • Integrations
  • Download
  • Try Bridgecrew
  • Docs
    • Quick start
    • Overview
    • Integrations

Checkov Documentation

  • 1.Welcome
    • What is Checkov?
    • Terms and Concepts
    • Quick Start
    • Feature Descriptions
  • 2.Basics
    • Installing Checkov
    • CLI Command Reference
    • Suppressing and Skipping Policies
    • Hard and soft fail
    • Scanning Credentials and Secrets
    • Reviewing Scan Results
    • Visualizing Checkov Output
    • Handling Variables
  • 3.Custom Policies
    • Custom Policies Overview
    • Python Custom Policies
    • YAML Custom Policies
    • Custom YAML Policies Examples
    • Sharing Custom Policies
  • 4.Integrations
    • Jenkins
    • Bitbucket Cloud Pipelines
    • GitHub Actions
    • GitLab CI
    • Kubernetes
    • Pre-Commit
    • Docker
  • 5.Policy Index
    • all resource scans
    • ansible resource scans
    • argo_workflows resource scans
    • arm resource scans
    • azure_pipelines resource scans
    • bicep resource scans
    • bitbucket_configuration resource scans
    • bitbucket_pipelines resource scans
    • circleci_pipelines resource scans
    • cloudformation resource scans
    • dockerfile resource scans
    • github_actions resource scans
    • github_configuration resource scans
    • gitlab_ci resource scans
    • gitlab_configuration resource scans
    • kubernetes resource scans
    • openapi resource scans
    • secrets resource scans
    • serverless resource scans
    • terraform resource scans
  • 6.Contribution
    • Checkov Runner Contribution Guide
    • Implementing CI Metadata extractor
    • Implementing ImageReferencer
    • Contribution Overview
    • Contribute Python-Based Policies
    • Contribute YAML-based Policies
    • Contribute New Terraform Provider
    • Contribute New Argo Workflows configuration policy
    • Contribute New Azure Pipelines configuration policy
    • Contribute New Bitbucket configuration policy
    • Contribute New GitHub configuration policy
    • Contribute New Gitlab configuration policy
  • 7.Scan Examples
    • Terraform Plan Scanning
    • Terraform Scanning
    • Scan Helm charts with Checkov
    • Third party Helm charts
      • Scan Helm values.yaml files without a locally developed chart with Checkov
    • Kustomize
    • AWS SAM configuration scanning
    • Ansible configuration scanning
    • Argo Workflows configuration scanning
    • Azure ARM templates configuration scanning
    • Azure Pipelines configuration scanning
    • Azure Bicep configuration scanning
    • Bitbucket configuration scanning
    • AWS CDK configuration scanning
    • Cloudformation configuration scanning
    • Dockerfile configuration scanning
    • GitHub configuration scanning
    • Gitlab configuration scanning
    • Kubernetes configuration scanning
    • OpenAPI configuration scanning
    • SCA scanning
    • Serverless framework configuration scanning
  • 8.Outputs
    • CSV
    • CycloneDX BOM
    • GitLab SAST
    • JUnit XML
    • SARIF
  • 9.Level up
    • Upgrade from Checkov to Bridgecrew
  • Docs
  • 7.scan examples
  • Helm
Edit on GitHub

Scan Helm charts with Checkov

Checkov is able to autodetect helm charts by the presence of a Chart.yaml file, if found, the helm framework will automatically be used to template out the helm chart (with it’s default values) into resulting Kubernetes manifests, which will then be scanned by all Checkovs’ Kubernetes policies.

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.0.587

helm scan results:

Passed checks: 370, Failed checks: 90, Skipped checks: 0

Check: CKV_K8S_27: "Do not expose the docker daemon socket to containers"
	PASSED for resource: Deployment.RELEASE-NAME-nextcloud.default
	File: /nextcloud/templates/deployment.yaml:3-107
	Guide: https://docs.bridgecrew.io/docs/bc_k8s_26


...

To do this, we use the helm binary, if the helm binary (v3) is not available via the users $PATH for Checkov, Checkov will automatically skip the helm framework, with a message informing the user as below. Checkov will then run with exactly the same behaviour as if running with checkov --skip-framework helm.

The following frameworks will automatically be disabled due to missing system dependencies: helm

This auto-detection behaviour is to protect existing CI pipelines which pull the latest version of Checkov, which may not have the helm binary available.

If you have custom value files, and scanning a Chart (a directory containing a Chart.yaml file), you can tell checkov to use your values while creating the kubernetes manifests from the chart, to do this, use the following (for example, scanning a gocd chart directory):

checkov -d ./testdir/gocd --framework helm --var-file ./testdir/gocd.yaml

in the example below, we can see the difference between the default gocd version 1.39.4 Helm chart scan, compared to a scan using the following gocd.yaml variables file:

checkov -d ./testdir/gocd --framework helm --no-guide --quiet --compact -c CKV_K8S_15

helm scan results:

Passed checks: 0, Failed checks: 3, Skipped checks: 0

Check: CKV_K8S_15: "Image Pull Policy should be Always"
        FAILED for resource: Deployment.default.RELEASE-NAME-gocd-agent
        File: /gocd/templates/gocd-agent-deployment.yaml:3-46

Check: CKV_K8S_15: "Image Pull Policy should be Always"
        FAILED for resource: Deployment.default.RELEASE-NAME-gocd-server
        File: /gocd/templates/gocd-server-deployment.yaml:3-90

Check: CKV_K8S_15: "Image Pull Policy should be Always"
        FAILED for resource: Pod.default.RELEASE-NAME-gocd-test-ku4xn
        File: /gocd/templates/tests/gocd-test.yaml:3-44
checkov -d ./testdir/gocd --framework helm --no-guide --quiet --compact --var-file ./testdir/gocd.yaml -c CKV_K8S_15

helm scan results:

Passed checks: 2, Failed checks: 1, Skipped checks: 0

Check: CKV_K8S_15: "Image Pull Policy should be Always"
        FAILED for resource: Pod.default.RELEASE-NAME-gocd-test-o6jdi
        File: /gocd/templates/tests/gocd-test.yaml:3-44

Third party Helm charts

Scan Helm values.yaml files without a locally developed chart with Checkov

If you are consuming third party charts, it is unlikley you will have a Chart.yaml file for Checkov to auto-detect.

For example, you may have run:

helm repo add gocd https://gocd.github.io/helm-chart
helm inspect values gocd/gocd > gocd.yaml

Then edited your custom values in gocd.yaml to suit your deployment needs.

In this case, you can use your custom values from your values file (gocd.yml in this case) to generate kubernetes output with Helm, and pass the templated output to checkov to receive the same policy information. This would also be trivial to set up in CI for automated scanning of this scenario:

helm template gocd/gocd -f gocd.yaml > k8s-template.yaml
checkov -f k8s-template.yaml --framework kubernetes --skip-check CKV_K8S_21

Note we skip check CKV_K8S_21 for this process, which alerts on default namespace usage within Kubernetes manifests. Since helm manages our namespaces, we always skip this internally when using the helm framework, so we want to replicate the same behaviour here.

Powered By

  • Slack Community
  • About Bridgecrew
  • Platform
  • Terms of use
  • GitHub
  • Docs
  • Contact Us
  • Privacy policy