Skip to content

Quickstart

Scan a chart

# JSON output (default)
helm-guard /path/to/chart

# Text output for terminal readability
helm-guard /path/to/chart --format text

# SARIF output for GitHub Code Scanning
helm-guard /path/to/chart --format sarif

Use a config file

helm-guard /path/to/chart --config .helm-guard.yaml

Filter by severity

# Only report HIGH and CRITICAL findings
helm-guard /path/to/chart --min-severity HIGH

# Only fail (exit 1) on CRITICAL findings
helm-guard /path/to/chart --fail-on CRITICAL

CI integration

# Run in CI, fail the build on HIGH+ findings
helm-guard /path/to/chart --fail-on HIGH --format sarif --output results.sarif

Example output (text format)

Helm Chart Security Scan: ./my-chart
Found 4 issue(s)

[CRITICAL] HLM-INJ-001: tpl function usage
  File: ./my-chart/templates/deployment.yaml:28
  Template uses 'tpl' function which executes input as a Go template, enabling arbitrary code execution.
  Fix: Avoid 'tpl' entirely. Use direct value interpolation instead.

[HIGH] HLM-PIN-001: Chart dependency with SemVer range
  File: ./my-chart/Chart.yaml:8
  Dependency 'redis' uses SemVer range '~17.0'. Pin to an exact version.
  Fix: Pin dependency 'redis' to an exact version (e.g., version: 1.2.3)

[HIGH] HLM-TRUST-001: No values.schema.json
  File: ./my-chart/values.yaml:1
  Chart has values.yaml but no values.schema.json. Values are not type-checked.
  Fix: Add values.schema.json with type constraints for all user-facing values

[MEDIUM] HLM-PIN-003: Mutable image tag in values.yaml
  File: ./my-chart/values.yaml:5
  Image value at 'image.tag' is 'latest' (no @sha256: digest). Pin to a digest.
  Fix: Pin images to digest (e.g., image: registry.io/repo@sha256:abc123...)