Anthropic-Cybersecurity-Skills/skills/securing-helm-chart-deployments/references/api-reference.md

API Reference: Securing Helm Chart Deployments

Helm Security Commands

Command	Description
helm lint ./chart --strict	Lint chart with strict mode
helm template release ./chart	Render templates locally
helm verify chart.tgz	Verify chart signature
helm package ./chart --sign --key <key>	Package and sign
helm pull repo/chart --verify	Pull with verification

Security Context Fields

Field	Recommended	Description
runAsNonRoot	true	Prevent root execution
readOnlyRootFilesystem	true	Immutable filesystem
allowPrivilegeEscalation	false	Block privilege escalation
capabilities.drop	[ALL]	Drop all Linux capabilities
seccompProfile.type	RuntimeDefault	Syscall filtering

Security Checks

Check	Severity	Risk
Privileged container	High	Full host access
hostNetwork enabled	High	Network namespace escape
hostPID enabled	High	Process namespace escape
:latest image tag	Medium	Non-reproducible builds
Missing resource limits	Medium	Resource exhaustion DoS
Missing readOnlyRootFilesystem	Medium	Writable filesystem

Template Scanning Tools

Tool	Command
kubesec	kubesec scan rendered.yaml
checkov	checkov -f rendered.yaml --framework kubernetes
trivy	trivy config rendered.yaml
kube-linter	kube-linter lint rendered.yaml

Python Libraries

Library	Version	Purpose
subprocess	stdlib	Execute helm/kubesec CLI
re	stdlib	Pattern matching in rendered YAML
yaml	PyYAML >=6.0	Parse YAML content
json	stdlib	Report generation

References

• Helm Security: https://helm.sh/docs/topics/provenance/
• Helm Secrets Plugin: https://github.com/jkroepke/helm-secrets
• Kubesec: https://kubesec.io/