helm-chart-auditor

Audit Helm charts for security, best practices, template correctness, and production readiness — check values, templates, hooks, dependencies, and RBAC.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "helm-chart-auditor" with this command: npx skills add charlie-morrison/helm-chart-auditor

Helm Chart Auditor

Audit Helm charts for security vulnerabilities, best practices, template correctness, and production readiness. Reviews Chart.yaml, values.yaml, templates, hooks, RBAC, and dependency management.

Usage

"Audit my Helm chart for issues"
"Check Helm templates for security"
"Review values.yaml for best practices"
"Validate Helm chart before publishing"

How It Works

1. Chart Discovery

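# Chart metadata: name, version, appVersion, dependencies
cat Chart.yaml 2>/dev/null
# First 50 lines of the default values
head -n 50 values.yaml 2>/dev/null
# Template inventory
ls templates/ 2>/dev/null
# Helm's built-in chart checks
helm lint . 2>&1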

2. Security Audit

  • Containers running as root (no securityContext)
  • Missing resource limits (CPU/memory)
  • Privileged containers
  • Host network/PID access
  • Missing NetworkPolicies
  • Service accounts with excessive permissions
  • Secrets stored as plain text in values.yaml

3. Template Quality

  • Required values without defaults
  • Missing helper templates (_helpers.tpl)
  • Hardcoded values that should be in values.yaml
  • Missing labels (app.kubernetes.io standard)
  • Template rendering errors
  • Proper use of include vs template
  • .Release.Namespace for namespace scoping

4. Production Readiness

  • Health probes (liveness, readiness, startup)
  • PodDisruptionBudgets defined
  • Horizontal Pod Autoscaler configured
  • Anti-affinity rules for HA
  • Rolling update strategy configured
  • Proper image tag (no latest)
  • Image pull policy appropriate

5. Values Schema

  • JSON Schema defined (values.schema.json)
  • Default values sensible for development
  • Production overlay documented
  • Sensitive values clearly marked
  • Environment-specific examples provided
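
The pod- and container-level checks from steps 2 and 4 (root user, resource limits, privileged mode, host network/PID, `latest` tag) can be expressed as a small rule set over rendered manifests. The following is an added example, not code from the skill's SKILL.md; the function names, finding strings and sample manifest are assumptions made for illustration, and manifests are assumed to be already parsed into dicts.

```python
# Added example. Input: manifests already parsed into dicts, e.g. `helm template .`
# output loaded with a YAML parser (loading is assumed and not shown here).
WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob")

def pod_spec(manifest):
    """Return the pod spec for common workload kinds, or None for other kinds."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") if kind in WORKLOADS else None

def uses_mutable_tag(image):
    """True when the image has no digest and either no tag or the tag 'latest'."""
    if "@" in image:                     # pinned by digest
        return False
    last = image.rsplit("/", 1)[-1]      # skip a registry host:port prefix
    return ":" not in last or last.rsplit(":", 1)[1] == "latest"

def audit(manifest):
    """Return sorted (container, finding) tuples for one rendered manifest."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    found = [("<pod>", f"{k} enabled") for k in ("hostNetwork", "hostPID") if spec.get(k) is True]
    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot overrides the pod-level setting.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append((c["name"], "runAsNonRoot not enforced"))
        if sc.get("privileged") is True:
            found.append((c["name"], "privileged container"))
        limits = (c.get("resources") or {}).get("limits") or {}
        found += [(c["name"], f"no {r} limit") for r in ("cpu", "memory") if r not in limits]
        if uses_mutable_tag(c.get("image", "")):
            found.append((c["name"], "image tag missing or 'latest'"))
    return sorted(found)

# Constructed sample: one bare container, one hardened sidecar.
SAMPLE = {"kind": "Deployment", "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
    {"name": "web", "image": "registry.example:5000/my-app:latest"},
    {"name": "sidecar", "image": "example/proxy:1.4", "securityContext": {"runAsNonRoot": True},
     "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]}}}}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Auditing rendered manifests rather than the raw templates means values-driven defaults and `_helpers.tpl` output are evaluated as they would be deployed.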

Output

## Helm Chart Audit

**Chart:** my-app v1.2.0 | **Templates:** 8

### 🔴 Critical (2)
1. **Running as root** — templates/deployment.yaml
   No securityContext set → runs as root by default
   → Add: runAsNonRoot: true, runAsUser: 1000

2. **No resource limits** — templates/deployment.yaml
   Missing resources.limits → can consume all node resources
   → Add CPU/memory limits appropriate for workload

### 🟡 Improvements (4)
3. Image tag `latest` in values.yaml default
4. Missing PodDisruptionBudget template
5. No values.schema.json for validation
6. Missing anti-affinity for multi-replica deployments

### ✅ Good Practices
- Health probes configured (liveness + readiness)
- Standard labels applied via _helpers.tpl
- HPA template included with sensible defaults
- Chart.yaml has proper appVersion and description

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
