
Security

Avoid inline secrets in Kubernetes Secret manifests. Use ExternalSecret or SealedSecret instead:

    import { HelmExternalSecret } from "@intentius/chant-lexicon-helm";

    const { externalSecret, values } = HelmExternalSecret({
      name: "app-secrets",
      secretStoreName: "vault",
      data: {
        DB_PASSWORD: "secret/data/db-password",
        API_KEY: "secret/data/api-key",
      },
    });

WHM407 warns when a kind: Secret template contains inline data values without an ExternalSecret or SealedSecret in the chart.

Always set security context on pods and containers:

    spec: {
      securityContext: {
        runAsNonRoot: true,
        runAsUser: 1000,
      },
      containers: [{
        securityContext: {
          readOnlyRootFilesystem: true,
          allowPrivilegeEscalation: false,
        },
      }],
    }
Check    Severity   Description
WHM401   warning    Image uses :latest tag or no tag
WHM402   warning    runAsNonRoot not set
WHM403   info       readOnlyRootFilesystem not set
WHM404   error      privileged: true detected
WHM405   warning    Resource spec missing cpu/memory
WHM406   info       CRD lifecycle limitation
WHM407   warning    Secret with inline data

Always pin container images to specific tags or digests:

    // Bad — triggers WHM401
    image: "nginx:latest"
    image: "nginx"

    // Good
    image: printf("%s:%s", values.image.repository, values.image.tag)

Set a specific default tag in your values:

    const valuesSchema = new Values({
      image: {
        repository: "nginx",
        tag: "1.25.0", // Pinned version
        pullPolicy: "IfNotPresent",
      },
    });
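To make the checks in the table above and the image-pinning rule concrete, the following is an added example, not code from chant-lexicon-helm: a small standalone linter that re-implements WHM401 through WHM405 and WHM407 over plain Kubernetes manifest objects. The function names (lintChart, isPinned, lintCodes), the sample manifests and the exact rule logic (for instance treating a digest as pinned, accepting runAsNonRoot at pod or container level, and requiring both requests and limits for WHM405) are assumptions for illustration; the real rules live inside the library and may differ in detail.

```typescript
// Added example (not chant-lexicon-helm code): a minimal re-implementation of the
// WHM40x security checks over plain manifest objects. All rule details below are
// assumptions for illustration.

type Manifest = Record<string, any>;

interface Finding {
  check: string;
  severity: "error" | "warning" | "info";
  message: string;
  path: string;
}

// WHM401 helper: pinned means a digest or a tag other than "latest".
// "registry:5000/nginx" has a colon but no tag, so only a colon after the
// last "/" counts as a tag separator.
function isPinned(image: string): boolean {
  if (image.includes("@sha256:")) return true;
  const colon = image.lastIndexOf(":");
  if (colon === -1 || colon < image.lastIndexOf("/")) return false;
  const tag = image.slice(colon + 1);
  return tag.length > 0 && tag !== "latest";
}

// Pods carry the pod spec directly; workload kinds wrap it in spec.template.
function podSpecOf(m: Manifest): Manifest | undefined {
  return m.kind === "Pod" ? m.spec : m.spec?.template?.spec;
}

function hasKeys(obj: unknown): boolean {
  return typeof obj === "object" && obj !== null && Object.keys(obj).length > 0;
}

function lintChart(manifests: Manifest[]): Finding[] {
  const findings: Finding[] = [];
  const add = (check: string, severity: Finding["severity"], message: string, path: string) =>
    findings.push({ check, severity, message, path });
  // WHM407 is chart-scoped: inline Secret data is flagged only when the chart
  // ships no ExternalSecret or SealedSecret to hold the real values.
  const hasSecretOperator = manifests.some((m) => m.kind === "ExternalSecret" || m.kind === "SealedSecret");

  for (const m of manifests) {
    const name = `${m.kind}/${m.metadata?.name ?? "<unnamed>"}`;
    if (m.kind === "Secret") {
      if (!hasSecretOperator && (hasKeys(m.data) || hasKeys(m.stringData))) {
        add("WHM407", "warning", "Secret with inline data", name);
      }
      continue;
    }
    const spec = podSpecOf(m);
    if (!spec) continue;
    const podNonRoot = spec.securityContext?.runAsNonRoot === true;

    for (const c of spec.containers ?? []) {
      const where = `${name}/${c.name ?? "<container>"}`;
      const sc = c.securityContext ?? {};
      if (typeof c.image !== "string" || !isPinned(c.image)) add("WHM401", "warning", "Image uses :latest tag or no tag", where);
      // runAsNonRoot may be set on the pod or on the container.
      if (!podNonRoot && sc.runAsNonRoot !== true) add("WHM402", "warning", "runAsNonRoot not set", where);
      if (sc.readOnlyRootFilesystem !== true) add("WHM403", "info", "readOnlyRootFilesystem not set", where);
      if (sc.privileged === true) add("WHM404", "error", "privileged: true detected", where);
      const r = c.resources ?? {};
      const complete = ["requests", "limits"].every((k) => r[k]?.cpu && r[k]?.memory);
      if (!complete) add("WHM405", "warning", "Resource spec missing cpu/memory", where);
    }
  }
  return findings;
}

// Constructed sample manifests (not from any real chart).
const badDeployment: Manifest = {
  kind: "Deployment", metadata: { name: "web" },
  spec: { template: { spec: { containers: [
    { name: "nginx", image: "nginx:latest", securityContext: { privileged: true } },
  ] } } },
};

const goodDeployment: Manifest = {
  kind: "Deployment", metadata: { name: "api" },
  spec: { template: { spec: {
    securityContext: { runAsNonRoot: true, runAsUser: 1000 },
    containers: [{
      name: "api", image: "nginx:1.25.0",
      securityContext: { readOnlyRootFilesystem: true, allowPrivilegeEscalation: false },
      resources: { requests: { cpu: "100m", memory: "128Mi" }, limits: { cpu: "500m", memory: "256Mi" } },
    }],
  } } },
};

const inlineSecret: Manifest = {
  kind: "Secret", metadata: { name: "app-secrets" },
  stringData: { DB_PASSWORD: "<placeholder-not-a-real-secret>" },
};

// Sorted check codes for a chart, convenient for reporting and assertions.
function lintCodes(manifests: Manifest[]): string[] {
  return lintChart(manifests).map((f) => f.check).sort();
}

console.log(lintCodes([badDeployment]));                 // WHM401..WHM405
console.log(lintCodes([goodDeployment]));                // []
console.log(lintCodes([inlineSecret]));                  // ["WHM407"]
```

Running it shows the unpinned, privileged Deployment tripping WHM401 through WHM405, the hardened one producing nothing, and the inline Secret producing WHM407 only when no ExternalSecret or SealedSecret is present in the same chart, which mirrors the chart-scoped wording of that check above.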