Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/snyk-labs/helm-snyk

Check images in your charts for vulnerabilities
https://github.com/snyk-labs/helm-snyk

helm-plugin snyk

Last synced: 6 days ago
JSON representation

Check images in your charts for vulnerabilities

Awesome Lists containing this project

README 

        
# Check your Helm chart for vulnerabilities



[![CircleCI](https://circleci.com/gh/snyk-labs/helm-snyk/tree/master.svg?style=svg)](https://circleci.com/gh/snyk-labs/helm-snyk/tree/master)



The Helm plugin for [Snyk](https://snyk.io/) provides a subcommand for testing the images in a given Helm chart for known vulnerabilities.



## Installation



Install the plugin using the built-in `helm plugin` command:



```

helm plugin install https://github.com/snyk-labs/helm-snyk

```



The plugin connects to the Snyk service to lookup vulnerability information. If you don't have a Snyk account, go to [snyk.io/login](https://snyk.io/login) to sign up for free. You can then obtain an access token from [app.snyk.io/account](https://app.snyk.io/account) or for information on using service accounts, see [snyk.io/docs/service-accounts/](https://snyk.io/docs/service-accounts/).



Once you have an account, you should set the `SNYK_TOKEN` environment variable:



```

export SNYK_TOKEN=

```



The plugin also requires a local Docker installation and uses this to download and test each of the images discovered in the chart.



## Usage



With the plugin installed, simply run the new `helm snyk test` command and point it to the directory of the chart. For instance:



```console

$ helm snyk test stable/redis

Image: docker.io/bitnami/redis:5.0.5-debian-9-r181

Testing docker.io/bitnami/redis:5.0.5-debian-9-r181...

✗ Low severity vulnerability found in tar

  Description: CVE-2005-2541

  Info: https://snyk.io/vuln/SNYK-LINUX-TAR-105079

  Introduced through: meta-common-packages@meta

  From: meta-common-packages@meta > [email protected]

✗ Low severity vulnerability found in systemd/libsystemd0

  Description: CVE-2019-9619

  Info: https://snyk.io/vuln/SNYK-LINUX-SYSTEMD-442642

  Introduced through: systemd/libsystemd0@232-25+deb9u12, util-linux/bsdutils@1:2.29.2-1+deb9u1, procps@2:3.3.12-3+deb9u1, sysvinit/[email protected], systemd/libudev1@232-25+deb9u12, util-linux/[email protected]+deb9u1

  From: systemd/libsystemd0@232-25+deb9u12

  From: util-linux/bsdutils@1:2.29.2-1+deb9u1 > systemd/libsystemd0@232-25+deb9u12

  From: procps@2:3.3.12-3+deb9u1 > procps/libprocps6@2:3.3.12-3+deb9u1 > systemd/libsystemd0@232-25+deb9u12

  and 4 more...

...

```



The plugin also supports the various arguments for modifying the chart, including `--set` and `--values`. So for instance you can test the same chart but override the image tag like so: 



```console

helm snyk test --set image.tag=latest

```



As well as the user-friendly output above the plugin also supports outputting the results as a JSON document. This can be useful for further analysis or integration with other tooling.



```console

$ helm snyk test stable/mysql --json

{

  "helmChart": "[email protected]",

  "images": [

    {

      "imageName": "dduportal/bats:0.4.0",

      "results": {

        "vulnerabilities": [

          {

            "CVSSv3": null,

            "creationTime": "2019-02-06T14:40:43.295348Z",

            "credit": [

              ""

            ],

            "cvssScore": null,

            "description": "## Overview\nCVE-2011-3374",

            "disclosureTime": null,

            "id": "SNYK-LINUX-APT-116518",

            "identifiers": {

              "ALTERNATIVE": [

                "SNYK-DEBIAN8-APT-407500",

...

```



For further options and features see the help instructions with the `--help` flag.