Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/snyk-labs/helm-snyk
Check images in your charts for vulnerabilities
https://github.com/snyk-labs/helm-snyk
helm-plugin snyk
Last synced: 6 days ago
JSON representation
Check images in your charts for vulnerabilities
- Host: GitHub
- URL: https://github.com/snyk-labs/helm-snyk
- Owner: snyk-labs
- License: other
- Created: 2019-10-09T19:12:48.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-07-08T13:46:24.000Z (over 1 year ago)
- Last Synced: 2024-04-16T11:07:51.269Z (7 months ago)
- Topics: helm-plugin, snyk
- Language: TypeScript
- Homepage: https://snyk.io
- Size: 1010 KB
- Stars: 40
- Watchers: 4
- Forks: 28
- Open Issues: 27
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
- DevSecOps - https://github.com/snyk-labs/helm-snyk - labs/helm-snyk)](https://github.com/snyk-labs/helm-snyk/stargazers) | (Kubernetes)
- awesome-k8s-security - Helm-Snyk
README
# Check your Helm chart for vulnerabilities
[![CircleCI](https://circleci.com/gh/snyk-labs/helm-snyk/tree/master.svg?style=svg)](https://circleci.com/gh/snyk-labs/helm-snyk/tree/master)
The Helm plugin for [Snyk](https://snyk.io/) provides a subcommand for testing the images in a given Helm chart for known vulnerabilities.
## Installation
Install the plugin using the built-in `helm plugin` command:
```
helm plugin install https://github.com/snyk-labs/helm-snyk
```The plugin connects to the Snyk service to lookup vulnerability information. If you don't have a Snyk account, go to [snyk.io/login](https://snyk.io/login) to sign up for free. You can then obtain an access token from [app.snyk.io/account](https://app.snyk.io/account) or for information on using service accounts, see [snyk.io/docs/service-accounts/](https://snyk.io/docs/service-accounts/).
Once you have an account, you should set the `SNYK_TOKEN` environment variable:
```
export SNYK_TOKEN=
```The plugin also requires a local Docker installation and uses this to download and test each of the images discovered in the chart.
## Usage
With the plugin installed, simply run the new `helm snyk test` command and point it to the directory of the chart. For instance:
```console
$ helm snyk test stable/redis
Image: docker.io/bitnami/redis:5.0.5-debian-9-r181
Testing docker.io/bitnami/redis:5.0.5-debian-9-r181...
✗ Low severity vulnerability found in tar
Description: CVE-2005-2541
Info: https://snyk.io/vuln/SNYK-LINUX-TAR-105079
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > [email protected]
✗ Low severity vulnerability found in systemd/libsystemd0
Description: CVE-2019-9619
Info: https://snyk.io/vuln/SNYK-LINUX-SYSTEMD-442642
Introduced through: systemd/libsystemd0@232-25+deb9u12, util-linux/bsdutils@1:2.29.2-1+deb9u1, procps@2:3.3.12-3+deb9u1, sysvinit/[email protected], systemd/libudev1@232-25+deb9u12, util-linux/[email protected]+deb9u1
From: systemd/libsystemd0@232-25+deb9u12
From: util-linux/bsdutils@1:2.29.2-1+deb9u1 > systemd/libsystemd0@232-25+deb9u12
From: procps@2:3.3.12-3+deb9u1 > procps/libprocps6@2:3.3.12-3+deb9u1 > systemd/libsystemd0@232-25+deb9u12
and 4 more...
...
```The plugin also supports the various arguments for modifying the chart, including `--set` and `--values`. So for instance you can test the same chart but override the image tag like so:
```console
helm snyk test --set image.tag=latest
```As well as the user-friendly output above the plugin also supports outputting the results as a JSON document. This can be useful for further analysis or integration with other tooling.
```console
$ helm snyk test stable/mysql --json
{
"helmChart": "[email protected]",
"images": [
{
"imageName": "dduportal/bats:0.4.0",
"results": {
"vulnerabilities": [
{
"CVSSv3": null,
"creationTime": "2019-02-06T14:40:43.295348Z",
"credit": [
""
],
"cvssScore": null,
"description": "## Overview\nCVE-2011-3374",
"disclosureTime": null,
"id": "SNYK-LINUX-APT-116518",
"identifiers": {
"ALTERNATIVE": [
"SNYK-DEBIAN8-APT-407500",
...
```For further options and features see the help instructions with the `--help` flag.