Open source IaC security scanner for public Helm charts

IaC Security Scanner for ArtifactHub

Status: Early PoC/Alpha

So far, this code has been used to generate a dataset for investigation into the current state of Helm security posture.

It needs plenty of work, and we have a roadmap planned in our issues backlog, here.

You can find the articles written based on the data generated here, once they are live.

What is it?

This is a work-in-progress codebase designed to automate discovering, templating and security scanning publicly available Helm charts, then recording the results and providing easy access to them.

We're currently using our static analysis tool Checkov.io for the security scan.

Currently, the scanner enumerates all Helm charts from repositories listed as containing HELM in https://artifacthub.io. For each repo, we collect all available charts, download the latest version of each and scan them with Checkov.

Checkov already handles templating the Helm 3 charts, based on the default values.yml, and running the resultant Kubernetes manifests through our Kubernetes checks.

I just want to scan my own HELM Charts or Kubernetes manifests

Then you can use checkov.io directly if you're not looking to collect and analyse data across thousands of public charts.

Simply:

pip install checkov
checkov -d <path to Chart directories or K8S yaml>

For more info on Checkov, see Checkov.io

Output format

The dataset is output as a number of CSVs, by default in a local directory ./results. For each repository found in https://artifacthub.io, we output three CSVs:

  • checks-reponame.csv: List of all checks, passed and failed, for each chart within the repo, including chart metadata.
  • summarytable-reponame.csv: Summary of passed and failed checks per Chart from the given repo.
  • deps-table-reponame.csv: Listing of all the Helm chart dependencies per Chart, and whether they were resolved prior to scanning (helm deps output metadata).

The CSVs are formatted this way to make upload to Amazon S3 and then consumption by AWS QuickSight simple. However, we plan to expose this data in a more consumable way, via APIs and/or integration with existing security dashboards, as easily sharing or providing public access to QuickSight data is not possible. See the issues backlog, here.
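The transformation from a Checkov report to the checks and summary CSVs described above, as an added example (not helm-scanner's own code). It assumes the layout of Checkov's `-o json` report (results.passed_checks / results.failed_checks, each entry carrying check_id, check_name and resource); the report contents are constructed.

```python
"""Turn a Checkov JSON report into the per-repo CSV rows described above.

Added example, not helm-scanner's own code. Assumes the layout of Checkov's
`-o json` report (results.passed_checks / results.failed_checks, each entry with
check_id, check_name and resource); the report contents below are constructed."""
import csv
import io
import json
from collections import defaultdict

# Constructed sample report for one chart; the findings are made up.
SAMPLE_REPORT = json.dumps({
    "check_type": "helm",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_K8S_16", "check_name": "Container should not be privileged",
             "resource": "Deployment.default.web"},
            {"check_id": "CKV_K8S_8", "check_name": "Liveness Probe Should be Configured",
             "resource": "Deployment.default.web"},
        ],
        "failed_checks": [
            {"check_id": "CKV_K8S_21", "check_name": "The default namespace should not be used",
             "resource": "Deployment.default.web"},
            {"check_id": "CKV_K8S_14", "check_name": "Image Tag should be fixed - not latest or blank",
             "resource": "Deployment.default.web"},
            {"check_id": "CKV_K8S_21", "check_name": "The default namespace should not be used",
             "resource": "Service.default.web"},
        ],
    },
})

CHECK_COLUMNS = ["repo", "chart", "version", "check_id", "check_name", "resource", "result"]

def report_to_check_rows(report_json, repo, chart, version):
    """One row per check result, carrying the chart metadata checks-<repo>.csv includes."""
    report = json.loads(report_json)
    rows = []
    for result, key in (("PASSED", "passed_checks"), ("FAILED", "failed_checks")):
        for check in report["results"].get(key, []):
            rows.append({"repo": repo, "chart": chart, "version": version,
                         "check_id": check["check_id"], "check_name": check["check_name"],
                         "resource": check["resource"], "result": result})
    return rows

def summarise(rows):
    """Passed/failed totals per chart: the content of summarytable-<repo>.csv."""
    totals = defaultdict(lambda: {"passed": 0, "failed": 0})
    for row in rows:
        totals[row["chart"]][row["result"].lower()] += 1
    return dict(totals)

def to_csv(rows, columns):
    """Render dict rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    checks = report_to_check_rows(SAMPLE_REPORT, "example-repo", "web", "1.2.3")
    print(to_csv(checks, CHECK_COLUMNS))
    summary = summarise(checks)
    print(to_csv([{"chart": c, **v} for c, v in summary.items()], ["chart", "passed", "failed"]))
```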

Running

You'll need an ArtifactHub API token and secret token pair, provided as environment variables; then main.py can simply be run, for example:

pipenv shell
ARTIFACTHUB_TOKEN=token ARTIFACTHUB_TOKEN_SECRET=secret python main.py

Kubernetes checks (from Checkov.io)

| ID | Policy Name | Type | Kubernetes Object | Policy Description |
|---|---|---|---|---|
| 570 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace |
| 571 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers |
| 572 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace |
| 573 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace |
| 574 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation |
| 575 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers |
| 576 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability |
| 577 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured |
| 578 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured |
| 579 | CKV_K8S_10 | resource | containers | CPU requests should be set |
| 580 | CKV_K8S_10 | resource | initContainers | CPU requests should be set |
| 581 | CKV_K8S_11 | resource | containers | CPU limits should be set |
| 582 | CKV_K8S_11 | resource | initContainers | CPU limits should be set |
| 583 | CKV_K8S_12 | resource | containers | Memory requests should be set |
| 584 | CKV_K8S_12 | resource | initContainers | Memory requests should be set |
| 585 | CKV_K8S_13 | resource | containers | Memory limits should be set |
| 586 | CKV_K8S_13 | resource | initContainers | Memory limits should be set |
| 587 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank |
| 588 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank |
| 589 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always |
| 590 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always |
| 591 | CKV_K8S_16 | resource | containers | Container should not be privileged |
| 592 | CKV_K8S_16 | resource | initContainers | Container should not be privileged |
| 593 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace |
| 594 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace |
| 595 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace |
| 596 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace |
| 597 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace |
| 598 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace |
| 599 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace |
| 600 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace |
| 601 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace |
| 602 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace |
| 603 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace |
| 604 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace |
| 605 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace |
| 606 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace |
| 607 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace |
| 608 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace |
| 609 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace |
| 610 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace |
| 611 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace |
| 612 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace |
| 613 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace |
| 614 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace |
| 615 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace |
| 616 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace |
| 617 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation |
| 618 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation |
| 619 | CKV_K8S_21 | resource | Service | The default namespace should not be used |
| 620 | CKV_K8S_21 | resource | Pod | The default namespace should not be used |
| 621 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used |
| 622 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used |
| 623 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used |
| 624 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used |
| 625 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used |
| 626 | CKV_K8S_21 | resource | Job | The default namespace should not be used |
| 627 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used |
| 628 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used |
| 629 | CKV_K8S_21 | resource | Secret | The default namespace should not be used |
| 630 | CKV_K8S_21 | resource | Role | The default namespace should not be used |
| 631 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used |
| 632 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used |
| 633 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used |
| 634 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible |
| 635 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible |
| 636 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers |
| 637 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers |
| 638 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers |
| 639 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers |
| 640 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers |
| 641 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers |
| 642 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers |
| 643 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers |
| 644 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability |
| 645 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability |
| 646 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability |
| 647 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary |
| 648 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary |
| 649 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers |
| 650 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers |
| 651 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers |
| 652 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers |
| 653 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers |
| 654 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers |
| 655 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers |
| 656 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers |
| 657 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability |
| 658 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability |
| 659 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers |
| 660 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers |
| 661 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers |
| 662 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers |
| 663 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers |
| 664 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers |
| 665 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers |
| 666 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers |
| 667 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers |
| 668 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers |
| 669 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 670 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 671 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 672 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 673 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 674 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 675 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 676 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 677 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default |
| 678 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed |
| 679 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed |
| 680 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed |
| 681 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed |
| 682 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables |
| 683 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables |
| 684 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned |
| 685 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned |
| 686 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned |
| 687 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary |
| 688 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary |
| 689 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary |
| 690 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary |
| 691 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary |
| 692 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary |
| 693 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary |
| 694 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary |
| 695 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability |
| 696 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability |
| 697 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict |
| 698 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict |
| 699 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict |
| 700 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict |
| 701 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict |
| 702 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict |
| 703 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict |
| 704 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict |
| 705 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used |
| 706 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used |
| 707 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used |
| 708 | CKV_K8S_43 | resource | containers | Image should use digest |
| 709 | CKV_K8S_43 | resource | initContainers | Image should use digest |
| 710 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted |
| 711 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
| 712 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
| 713 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles |
| 714 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles |
| 715 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false |
| 716 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set |
| 717 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set |
| 718 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true |
| 719 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
| 720 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| 721 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 722 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node |
| 723 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC |
| 724 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set |
| 725 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set |
| 726 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set |
| 727 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| 728 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set |
| 729 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set |
| 730 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set |
| 731 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set |
| 732 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set |
| 733 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 |
| 734 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 |
| 735 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false |
| 736 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set |
| 737 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| 738 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| 739 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| 740 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate |
| 741 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true |
| 742 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate |
| 743 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| 744 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| 745 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate |
| 746 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured |
| 747 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
| 748 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
| 749 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false |
| 750 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true |
| 751 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate |
| 752 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate |
| 753 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true |
| 754 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 755 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false |
| 756 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 757 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate |
| 758 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true |
| 759 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true |
| 760 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
| 761 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true |
| 762 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false |
| 763 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 764 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate |
| 765 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 |
| 766 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| 767 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true |
| 768 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true |
| 769 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set |
| 770 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
| 771 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| 772 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false |
| 773 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true |
| 774 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
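To make concrete what a handful of the workload checks in the table inspect once a chart has been templated, here is an added example (not Checkov's code) that implements a simplified reading of CKV_K8S_10 to 14, 16, 17, 20, 21, 22, 38 and 39 over a parsed manifest. The two Deployment dicts are constructed: one as a permissive default values file might render it, and the same workload with the relevant fields set.

```python
"""A few of the checks in the table above, implemented over a parsed manifest.

Added example, not Checkov's own code. The manifest dicts are constructed and
each check is a simplified reading of the policy text; the IDs are the table's."""

def pod_spec_of(manifest):
    """The pod spec, for a bare Pod or for a workload that carries a pod template."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def image_tag_fixed(image):
    """CKV_K8S_14: a tag other than 'latest' or blank; a digest reference counts as fixed."""
    if "@" in image:
        return True
    _, sep, tag = image.rpartition(":")
    return bool(sep) and "/" not in tag and tag != "latest"

RESOURCE_CHECKS = (("CKV_K8S_10", "requests", "cpu"), ("CKV_K8S_11", "limits", "cpu"),
                   ("CKV_K8S_12", "requests", "memory"), ("CKV_K8S_13", "limits", "memory"))

def check_manifest(manifest):
    """Return the sorted IDs from the table that this manifest fails."""
    failed = set()
    pod = pod_spec_of(manifest)
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        failed.add("CKV_K8S_21")          # default namespace in use
    if pod.get("hostPID"):
        failed.add("CKV_K8S_17")          # shares the host PID namespace
    if pod.get("automountServiceAccountToken", True):
        failed.add("CKV_K8S_38")          # SA token mounted without opting in
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            failed.add("CKV_K8S_16")
        if sc.get("allowPrivilegeEscalation", True):   # must be explicitly false
            failed.add("CKV_K8S_20")
        if not sc.get("readOnlyRootFilesystem"):
            failed.add("CKV_K8S_22")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            failed.add("CKV_K8S_39")
        if not image_tag_fixed(c.get("image", "")):
            failed.add("CKV_K8S_14")
        for check_id, section, key in RESOURCE_CHECKS:
            if key not in c.get("resources", {}).get(section, {}):
                failed.add(check_id)
    return sorted(failed)

# Constructed manifests: a Deployment as a permissive values file might render it,
# and the same Deployment with the fields the checks above look for set.
INSECURE = {"kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"template": {"spec": {"hostPID": True, "containers": [
                {"name": "web", "image": "example/web:latest",
                 "securityContext": {"privileged": True}}]}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "web", "namespace": "web"},
            "spec": {"template": {"spec": {"automountServiceAccountToken": False, "containers": [
                {"name": "web", "image": "example/web:1.4.2",
                 "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                     "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
                 "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                               "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    print("insecure fails:", check_manifest(INSECURE))
    print("hardened fails:", check_manifest(HARDENED))
```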