{"id":23954325,"url":"https://github.com/ChristofferNissen/helmper","last_synced_at":"2025-09-12T13:31:20.714Z","repository":{"id":237347428,"uuid":"785420224","full_name":"ChristofferNissen/helmper","owner":"ChristofferNissen","description":"Import Helm Charts to OCI registries, optionally with vulnerability patching","archived":false,"fork":false,"pushed_at":"2025-07-24T06:28:44.000Z","size":43854,"stargazers_count":365,"open_issues_count":24,"forks_count":15,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-09-07T16:55:39.103Z","etag":null,"topics":["copacetic","cosign","go","helm","kubernetes","oci","oras","trivy"],"latest_commit_sha":null,"homepage":"https://christoffernissen.github.io/helmper/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ChristofferNissen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-04-11T21:19:04.000Z","updated_at":"2025-08-22T08:44:04.000Z","dependencies_parsed_at":"2025-02-23T03:14:56.713Z","dependency_job_id":"9ead997d-db80-44a6-b8fa-1bf1a9a8dbed","html_url":"https://github.com/ChristofferNissen/helmper","commit_stats":null,"previous_names":["christoffernissen/helmper"],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/ChristofferNissen/helmper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChristofferNissen%2Fhelmper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChristofferNissen%2Fhelmper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChristofferNissen%2Fhelmper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChristofferNissen%2Fhelmper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ChristofferNissen","download_url":"https://codeload.github.com/ChristofferNissen/helmper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChristofferNissen%2Fhelmper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274821209,"owners_count":25356235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-12T02:00:09.324Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["copacetic","cosign","go","helm","kubernetes","oci","oras","trivy"],"created_at":"2025-01-06T15:00:43.200Z","updated_at":"2025-09-12T13:31:15.698Z","avatar_url":"https://github.com/ChristofferNissen.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/ChristofferNissen/helmper\"\u003e\n    \u003cimg src=\"docs/logo/helmper_banner.png\" alt=\"Helmper logo\"\u003e\n  \u003c/a\u003e\n\n  \u003cp align=\"center\"\u003e\n    A little helper that pushes Helm Charts and images to your registries, easily configured with a declarative spec.\n    \u003cbr\u003e\n    \u003ca href=\"https://github.com/ChristofferNissen/helmper/issues/new?template=bug.md\"\u003eReport bug\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ChristofferNissen/helmper/issues/new\"\u003eRequest feature\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ChristofferNissen/helmper/releases\"\u003eReleases\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ChristofferNissen/helmper/releases/latest\"\u003eLatest release\u003c/a\u003e\n  \u003c/p\u003e\n\n  [![Go Report Card](https://goreportcard.com/badge/github.com/ChristofferNissen/helmper)](https://goreportcard.com/report/github.com/ChristofferNissen/helmper) \n  [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/ChristofferNissen/helmper/blob/main/LICENSE)\n\n\u003c/p\u003e\n\n## What is Helmper?\n\n_DISCLAIMER: helmper is in beta, so stuff may change._\n\n\u003cimg align=\"right\" width=\"20%\" src=\"docs/logo/helmper.svg\" alt=\"Helmper logo\"\u003e\n\n`helmper` is a go program that reads Helm Charts from remote OCI registries and pushes the charts container images to your registries with optional OS level vulnerability patching.\n\n`helmper` is built with [Helm](\u003chttps://github.com/helm/helm\u003e), [Oras](\u003chttps://github.com/oras-project/oras-go\u003e), [Trivy](https://github.com/aquasecurity/trivy), [Copacetic](https://github.com/project-copacetic/copacetic) ([Buildkit](https://github.com/moby/buildkitd)) and [Cosign](https://github.com/sigstore/cosign).\n\n\nHelmper connects via gRPC to Trivy and Buildkit so you can run `helmper` without root privileges wherever you want. \n\n`helmper` demonstrates exceptional proficiency in operating within controlled environments that might require Change Management and/or air-gapped networks. This expertise is particularly beneficial in industries subject to stringent regulations, such as Medical and Banking. `helmper` aims to ensure binary reproducibility of Helm Charts by storing all necessary artifacts in your registries.\n\n`helmper` provides an interface to reduce the maintenance burden associated with managing a large collection of Helm Charts by:\n\n- automatically detecting all enabled container images in charts\n- providing an easy way to stay up to date on new chart releases\n- providing option to only import new images, or all images\n- enabling quick patching(and re-patching) of all images\n- enabling signing of images as an integrated part of the process\n- providing a mechanism to check requirements/dependencies before deploying charts with fx GitOps\n\n### how?\n\n#### Core\n\nSimply tell `helmper` which charts to analyze and registries to use by creating a `helmper.yaml` file and run helmper from the same folder.\n\n```yaml\nk8s_version: 1.31.1\nimport:\n  enabled: true\ncharts:\n- name: prometheus\n  version: 25.8.0\n  valuesFilePath: /workspace/in/values/prometheus/values.yaml # (Optional)\n  repo:\n    name: prometheus-community\n    url: https://prometheus-community.github.io/helm-charts/\nregistries:\n- name: registry\n  url: oci://0.0.0.0:5000\n  insecure: true\n  plainHTTP: true\n```\n\nHelmper will import the charts, the charts listed as dependencies including all images specified through the Helm `values.yaml` file.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"docs/gifs/simple.gif?raw=true\"/\u003e\u003c/p\u003e\n\n**Note** Authentication\n\nHelmper utilizes well known configuration options to interact with registries. \n\nWhen using the Helm SDK, Helmper will utilize the file defined by `HELM_REGISTRY_CONFIG` for picking up authentication credentials for registries.\n\nWhen Helmper is using Oras for interacting with OCI artifacts, Oras utilizes the [Docker credentials helper](https://pkg.go.dev/oras.land/oras-go/v2@v2.5.0/registry/remote/credentials), which will look in the system keychain, `$DOCKER_CONFIG/config.json` (if set) or `$HOME/.docker/config.json` file for picking up authentication credentials for all registries.\n\nIf your registries requires authentication, simply login with the services own login command.\n\nfx for Docker:\n\n```bash\ndocker login -u user -p pass\n```\n\nAzure:\n\n```bash\naz acr login -n myregistry\n```\n\n#### Extended\n\nIn this example Helmper will also scan with Trivy, patch with Copacetic and sign with Cosign all identified images before pushing with Oras to all registries.\n\n```yaml\nk8s_version: 1.31.1\ncharts:\n- name: prometheus\n  version: 25.8.0\n  valuesFilePath: /workspace/in/values/prometheus/values.yaml # (Optional)\n  repo:\n    name: prometheus-community\n    url: https://prometheus-community.github.io/helm-charts/\nregistries:\n- name: registry # `Helmper` picks up authentication from the environment automatically.\n  url: oci://0.0.0.0:5000\n  insecure: true\n  plainHTTP: true\nimport:\n  enabled: true\n  copacetic:\n    enabled: true\n    ignoreErrors: true\n    buildkitd:\n      addr: tcp://0.0.0.0:8888\n    trivy:\n      addr: http://0.0.0.0:8887\n      insecure: true\n      ignoreUnfixed: true\n    output:\n      tars:\n        folder: /workspace/.out/tars\n        clean: true\n      reports:\n        folder: /workspace/.out/reports\n        clean: true\n  cosign:\n    enabled: true\n    keyRef: /workspace/.devcontainer/cosign.key\n    KeyRefPass: \"\"\n    allowInsecure: true\n    allowHTTPRegistry: true\n```\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"docs/gifs/full.gif?raw=true\"/\u003e\u003c/p\u003e\n\n## Documentation\n\nThe full documentation for Helmper can be found at [christoffernissen.github.io/helmper](https://christoffernissen.github.io/helmper/).\n\n## Compatibility\n\nHelmper utilizes the Helm SDK to maintain full compatibility with both Helm Repositories and OCI registries for storing Helm Charts.\n\nIn practice, Helmper currently pushes charts and images to the same destination registry, so it must be OCI compliant. \n\nHelmper utilizes `oras-go` to push OCI artifacts. Helmper utilizes the Helm SDK to push Helm Charts, as the Helm SDK sets the correct metadata attributes.\n\nOras and Helm state support all registries with OCI support, for example:\n\n- [CNCF Distribution](https://oras.land/docs/compatible_oci_registries#cncf-distribution) - local/offline verification\n- [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html)  \n- [Azure Container Registry](https://docs.microsoft.com/azure/container-registry/container-registry-helm-repos#push-chart-to-registry-as-oci-artifact)\n- [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs/helm/manage-charts)\n- [Docker Hub](https://docs.docker.com/docker-hub/oci-artifacts/)\n- [Harbor](https://goharbor.io/docs/main/administration/user-defined-oci-artifact/)\n- [Zot Registry](https://zotregistry.dev/)\n- [GitHub Packages container registry](https://oras.land/docs/compatible_oci_registries#github-packages-container-registry-ghcr)\n- [IBM Cloud Container Registry](https://cloud.ibm.com/docs/Registry?topic=Registry-registry_helm_charts)\n- [JFrog Artifactory](https://jfrog.com/help/r/jfrog-artifactory-documentation/helm-oci-repositories)\n\nSources: [Helm](https://helm.sh/docs/topics/registries/#use-hosted-registries) [Oras](https://oras.land/docs/compatible_oci_registries)\n\nFor testing, Helmper is using the [CNCF Distribution]() registry.\n\n## Install\n\nSimply pick the binary for your platform from the Release section on GitHub.\n\n### Linux\n\n```bash\nVERSION=$(curl -Lso /dev/null -w %{url_effective} https://github.com/christoffernissen/helmper/releases/latest | grep -o '[^/]*$')\ncurl -LO https://github.com/christoffernissen/helmper/releases/download/$VERSION/helmper-linux-amd64\nchmod +x helmper-linux-amd64\nsudo mv helmper-linux-amd64 /usr/local/bin/helmper\n```\n\n### Mac OS\n\n```bash\nVERSION=$(curl -Lso /dev/null -w %{url_effective} https://github.com/christoffernissen/helmper/releases/latest | grep -o '[^/]*$')\ncurl -LO https://github.com/christoffernissen/helmper/releases/download/$VERSION/helmper-darwin-amd64\nchmod +x helmper-darwin-amd64\nsudo mv helmper-darwin-amd64 /usr/local/bin/helmper\n```\n\n### Windows\n\nExtract the tar and launch the exe file.\n\n## Scope\n\n### In scope\n\n* Helmper operates with OCI compliant artifacts and OCI compliant registries.\n* Helmper must remain without dependency on a container runtime daemon to work in containers without root privileges.\n\n### Out of scope\n\n* Helmper does not work with other Kubernetes package formats\n* Helmper authenticates with registries with the docker config. Therefore, Helmper will not have any proprietary libraries to facilitate authentication for any cloud providers. Simply use `docker login` or equivalent before running Helmper, and you should be authenticated for 3 hours for each registry.\n\n## Roadmap\n\n* Operator Framework to enable using Helmper with GitOps in management clusters\n* Add option to import to registries via pipeline for compliance audit trail retention\n* SBOM\n* OpenTelemetry\n\n## Code of Conduct\n\nThis project has adopted the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for further details.\n\n## Credits\n\nHelmper logo and banner have been kindly donated to the project by María Ruiz Garrido :heart:\n\nThe gopher's logo of Helmper is licensed under the Creative Commons 3.0 Attributions license.\n\nThe original Go gopher was designed by Renee French.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChristofferNissen%2Fhelmper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FChristofferNissen%2Fhelmper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChristofferNissen%2Fhelmper/lists"}