Helm Chart Linter

A pure Python 3 (stdlib only) linter and validator for Helm chart directories. Checks structure, security, dependencies, and best practices across 22 rules.

Commands

python3 scripts/helm_chart_linter.py <command> <chart-dir> [options]

Options

Examples

# Basic lint
python3 scripts/helm_chart_linter.py lint ./my-chart

# Full validation with JSON output
python3 scripts/helm_chart_linter.py validate ./my-chart --format json

# Security audit, strict mode for CI
python3 scripts/helm_chart_linter.py security ./my-chart --strict

# Dependency check with Markdown report
python3 scripts/helm_chart_linter.py dependencies ./my-chart --format markdown

Rules

Structure (6 rules)

1. CHART001 — Chart.yaml exists and has required fields (apiVersion, name, version, description)
2. CHART002 — Version is valid semver
3. CHART003 — values.yaml exists
4. CHART004 — templates/ directory exists
5. CHART005 — NOTES.txt exists in templates/ (warning)
6. CHART006 — .helmignore exists (warning)

Security (6 rules)

1. SEC001 — No hardcoded secrets in values.yaml (passwords, tokens, keys)
2. SEC002 — No privileged containers (securityContext.privileged: true)
3. SEC003 — No hostNetwork, hostPID, or hostIPC enabled
4. SEC004 — Resource limits defined in templates
5. SEC005 — No runAsRoot without explicit runAsNonRoot
6. SEC006 — Image tags not "latest"

Dependencies (4 rules)

1. DEP001 — Chart.lock present and matches Chart.yaml dependencies
2. DEP002 — No wildcard version constraints
3. DEP003 — Repository URLs use HTTPS
4. DEP004 — No duplicate dependency names

Best Practices (6 rules)

1. BP001 — Labels include app.kubernetes.io/name, version, managed-by
2. BP002 — Liveness and readiness probes defined
3. BP003 — Service account name configured
4. BP004 — Namespace not hardcoded in templates
5. BP005 — No deprecated API versions (extensions/v1beta1, apps/v1beta1, etc.)
6. BP006 — Values documented with comments

Exit Codes