The ultimate Helm chart linter, validator & security scanner
helm-doctor
Stop deploying broken Helm charts.
helm-doctor catches 75+ issues across 11 categories, from hardcoded secrets to missing health probes, before they hit your cluster.
Features
| Feature | Description |
|---|---|
| Chart Structure Validation | Validates Chart.yaml, values.yaml, templates/, and directory structure |
| Deep Security Scanning | Detects privileged containers, hostPath mounts, RBAC wildcards, hardcoded secrets |
| Values Best Practices | Checks image config, resource limits, security contexts, probe configuration |
| Template Linting | Finds hardcoded namespaces, deprecated functions, orphaned templates |
| Dependency Analysis | Validates chart dependencies, version constraints, lock files |
| Health Scoring | A+ to F grading with detailed score breakdown |
| Beautiful Terminal Output | Rich, colorful reports with severity icons and progress bars |
| Multiple Export Formats | JSON for CI/CD integration, HTML for interactive dashboards |
| Demo Mode | Try it instantly with a built-in sample chart |
| CI/CD Integration | `--fail-on` flag for pipeline gates |
Installation
```bash
pip install helm-doctor
```
From source:
```bash
git clone https://github.com/ssan/helm-doctor.git
cd helm-doctor
pip install -e .
```
Quick Start
```bash
# Scan a Helm chart
helm-doctor scan ./my-chart

# Try the demo (no chart needed!)
helm-doctor demo

# Verbose mode with suggestions
helm-doctor scan ./my-chart --verbose

# Export as JSON for CI/CD
helm-doctor scan ./my-chart --export json

# Export interactive HTML dashboard
helm-doctor scan ./my-chart --export html

# Scan only security rules
helm-doctor scan ./my-chart --category security

# Fail in CI if critical issues found
helm-doctor scan ./my-chart --fail-on critical

# List all 75+ rules
helm-doctor rules
```
Demo Mode
Don't have a Helm chart handy? No problem!
```bash
helm-doctor demo
```
This creates a sample chart with intentional issues and runs the full analysis, perfect for seeing what helm-doctor can do.
Rule Categories (75+ Rules)
| Category | Rules | What It Checks |
|---|---|---|
| Chart Structure | 10 | Chart.yaml existence, YAML validity, required files |
| Metadata | 12 | apiVersion, name conventions, SemVer, kubeVersion |
| Values | 11 | Image config, naming conventions, empty values |
| Templates | 8 | Hardcoded namespaces, deprecated functions, orphans |
| Security | 18 | Privileged containers, RBAC, secrets, TLS, hostPath |
| Best Practices | 6 | Labels, image tags, hooks, CRD placement |
| Dependencies | 6 | Version constraints, lock files, conditions |
| Resource Mgmt | 5 | CPU/memory limits, requests, workload resources |
| Networking | 3 | Service type, ingress config, NetworkPolicy |
| Reliability | 7 | Health probes, PDB, replicas, scheduling |
| Documentation | 6 | README, NOTES.txt, comments, maintainers |
Security Rules Highlights
helm-doctor performs deep security scanning that catches issues other linters miss:
- HD-S001: Weak/default credentials in values (password, admin, changeme)
- HD-S002: Privileged containers (`privileged: true`)
- HD-S003: Host namespace sharing (hostNetwork, hostPID, hostIPC)
- HD-S004: hostPath volume mounts (host filesystem access)
- HD-S005: Running as root (UID 0)
- HD-S006: Dangerous Linux capabilities (SYS_ADMIN, NET_ADMIN, ALL)
- HD-S007: Wildcard RBAC permissions (`*` on resources/verbs)
- HD-V019: Ingress without TLS
- HD-V023: Privileged security context in values
- HD-V032: Hardcoded secrets/passwords/API keys
- HD-X005: Sensitive files (.pem, .key, .env) in chart
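What the pod-level and RBAC conditions named in HD-S002 through HD-S007 look like in a manifest, as an added Python example that is not helm-doctor's own code. It assumes manifests already rendered (for instance with `helm template`) and parsed into dicts; `audit`, `pod_spec` and the sample manifests are hypothetical, and only the rule IDs come from the list above.

```python
# Added illustration; rule IDs are from the page, the matching logic is assumed.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}


def pod_spec(manifest):
    """Return the pod spec of a Deployment-style workload or bare Pod, else None."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec")


def audit(manifest):
    """Return the sorted rule IDs that a rendered manifest (a dict) trips."""
    hits = set()
    if manifest.get("kind") in ("Role", "ClusterRole"):
        for rule in manifest.get("rules") or []:
            if "*" in (rule.get("resources") or []) + (rule.get("verbs") or []):
                hits.add("HD-S007")
        return sorted(hits)
    pod = pod_spec(manifest)
    if not pod:
        return []
    if any(pod.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        hits.add("HD-S003")
    if any("hostPath" in v for v in pod.get("volumes") or []):
        hits.add("HD-S004")
    pod_uid = (pod.get("securityContext") or {}).get("runAsUser")
    for c in (pod.get("initContainers") or []) + (pod.get("containers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            hits.add("HD-S002")
        if sc.get("runAsUser", pod_uid) == 0:  # container value overrides pod value
            hits.add("HD-S005")
        added = (sc.get("capabilities") or {}).get("add") or []
        if DANGEROUS_CAPS & {str(cap).upper() for cap in added}:
            hits.add("HD-S006")
    return sorted(hits)


# Constructed sample manifests (already rendered and parsed into dicts).
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "securityContext": {"runAsUser": 0},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [
        {"name": "app", "securityContext": {"privileged": True}},
        {"name": "sidecar", "securityContext": {
            "runAsUser": 1000, "capabilities": {"add": ["NET_ADMIN"]}}},
    ]}}}}
ROLE = {"kind": "ClusterRole",
        "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]}
```

The `app` container inherits UID 0 from the pod-level security context while `sidecar` overrides it, which is why the root check has to consider both levels.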
CI/CD Integration
GitHub Actions
```yaml
- name: Lint Helm Chart
  run: |
    pip install helm-doctor
    helm-doctor scan ./charts/my-app --fail-on high --export json -o report.json
- name: Upload Report
  # Upload the report even when the scan step fails the gate
  if: always()
  uses: actions/upload-artifact@v4
  with:
    name: helm-doctor-report
    path: report.json
```
Azure DevOps
```yaml
- script: |
    pip install helm-doctor
    helm-doctor scan ./charts/my-app --fail-on critical
  displayName: 'Helm Chart Security Scan'
```
GitLab CI
```yaml
helm-lint:
  script:
    - pip install helm-doctor
    - helm-doctor scan ./charts/my-app --fail-on high --export json -o report.json
  artifacts:
    # Keep the report when the job fails the gate
    when: always
    paths:
      - report.json
```
Grading System
| Grade | Score | Status |
|---|---|---|
| A+ | 95-100 | Excellent - production ready |
| A | 90-94 | Great - minor improvements possible |
| A- | 85-89 | Good - few recommendations |
| B+ | 80-84 | Above average |
| B | 75-79 | Average - several issues |
| B- | 70-74 | Below average |
| C+ | 65-69 | Needs improvement |
| C | 60-64 | Significant issues |
| C- | 55-59 | Many issues |
| D | 40-54 | Poor - major rework needed |
| F | <40 | Failing - critical issues present |
CLI Reference
```
Usage: helm-doctor [OPTIONS] COMMAND [ARGS]...

Commands:
  scan   Scan a Helm chart for issues
  demo   Run on a demo chart with intentional issues
  rules  List all available lint rules

Scan Options:
  -v, --verbose             Show detailed suggestions
  -e, --export [json|html]  Export report format
  -o, --output PATH         Output file path
  -c, --category TEXT       Run specific analyzers (chart/values/templates/security/dependencies/structure)
  -s, --min-severity        Minimum severity to report
  -f, --fail-on             Exit non-zero if issues at this severity found
```
Contributing
Contributions welcome! Please open an issue or PR.
License
MIT License; see LICENSE for details.
Made with ❤️ for the Helm community by Sai Sandeep
File details
Details for the file helm_doctor-1.0.0.tar.gz.
File metadata
- Download URL: helm_doctor-1.0.0.tar.gz
- Upload date:
- Size: 39.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4c62f4555022e637cf896564bd11ddebe4f965a5872d229602bc6fd703823ddc |
| MD5 | bea279680b45acc16ee8a8a578f85a3b |
| BLAKE2b-256 | 1bfa9c76393f84aa1dcc46bb3e42733096faee36e903bc6f892c5ed4f2d1ac54 |
File details
Details for the file helm_doctor-1.0.0-py3-none-any.whl.
File metadata
- Download URL: helm_doctor-1.0.0-py3-none-any.whl
- Upload date:
- Size: 40.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e4e1f854b7f36354fbb19cb3a5159bdbb014670d0aba1d9aa12fd2591a7256a5 |
| MD5 | 5f32392d9f63bcf8613c3465af249bfd |
| BLAKE2b-256 | 5d8d80320c1ad8643310dcb98d792cd4b0bd71be3d8cae8a34b17598053f003f |