DevOps | Nov 17, 2020

Helm, meet Terrascan for Policy as Code

Terrascan for Helm

Kubernetes is a huge part of the cloud-native journey for many teams, with a recent CNCF survey determining that more than 78% of responding organizations use Kubernetes in production. While each team has their own reasons for using it, all will agree that it provides a powerful and flexible platform for deploying and managing sophisticated cloud native systems. Unfortunately, that power and flexibility has a downside: building and managing these systems can require a lot of effort and expertise. That is especially true when you consider how these systems evolve over their lifecycle through development, pre-prod and production phases.

As systems get more complex, the Kubernetes configurations can get unwieldy. Building systems of systems is even more complicated, and teams struggle to package and share the components that comprise these complex systems. Helm, a package manager for Kubernetes, helps solve this challenge. Components such as database servers, monitoring agents, and other standard technologies and configurations can be packaged into a Helm chart and easily added to your system.

Given the popularity of Helm — it is regularly downloaded millions of times each month — we’re excited to include support for Helm in release 1.2.0 of Terrascan. By recognizing Helm charts, Terrascan is able to assess the actual configuration that will be used when the Kubernetes system is deployed.

Terrascan has provided an easy, extensible way to enforce policies and compliance in Kubernetes configurations for a while, and this improved understanding of the system allows us to deliver more accurate and relevant results in apps that leverage Helm. It’s never been easier to establish Policy as Code guardrails that ensure security best practices are followed in high-velocity, complex Kubernetes systems that leverage Helm.

Helm and Terrascan: Getting started

Terrascan is available as a portable Go binary and a Docker container. To use it, simply run terrascan from a directory where your Helm project resides. The command line interface is easy to run from a terminal, a script, from within a pipeline, and numerous other contexts. The Helm support leverages Terrascan’s extensible architecture, and was added with a new IaC provider that complements the existing Kubernetes support.

To run Terrascan on your Helm project, just use the -i option to indicate that you are using Helm:

$ terrascan scan -i helm

Terrascan defaults to scanning YAML and JSON files in the current directory and subdirectories. If your project spans multiple directories, you can use the -d option one or more times to specify which directories to scan.

By default, the output is sent to the terminal in YAML format and includes a summary of the results as well as the details needed to prioritize and fix the findings. It’s suitable for humans to read, and for programmatic processing.
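The following CI-style wrapper is an added example, not code from the post or the Terrascan project: it finds every Helm chart under a repository root (a directory containing Chart.yaml), passes each one to Terrascan with a repeated -d option, and stores the YAML report in a file. It assumes the terrascan binary is on PATH and that chart paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not the Terrascan project's own code): scan all Helm charts
# below a repository root in one Terrascan run. Assumes `terrascan` is on PATH
# and that a chart is any directory containing Chart.yaml.

# Print the directory of each Helm chart below $1, one per line, sorted.
helm_chart_dirs() {
    find "$1" -name Chart.yaml -type f | while read -r chart; do
        dirname "$chart"
    done | sort
}

# Turn the chart directories below $1 into repeated "-d <dir>" arguments,
# which is how Terrascan accepts more than one directory to scan.
# Assumes paths contain no whitespace, since the result is word-split later.
terrascan_dir_args() {
    helm_chart_dirs "$1" | while read -r dir; do
        printf ' -d %s' "$dir"
    done
}

# Run the Helm scan over every chart below $1 and write the YAML report to $2
# (default terrascan-report.yaml). Returns 1 when no chart is found, otherwise
# Terrascan's own exit status, so a CI job fails whenever the scan does.
scan_helm_charts() {
    root=$1
    report=${2:-terrascan-report.yaml}
    args=$(terrascan_dir_args "$root")
    if [ -z "$args" ]; then
        echo "no Helm charts (Chart.yaml) found under $root" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word-splitting of $args is intentional here
    terrascan scan -i helm $args > "$report"
}
```

Call scan_helm_charts with the repository root (for example scan_helm_charts . reports/helm.yaml) as a pipeline step; the saved YAML can then be archived or post-processed by later stages.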

We’re excited about the opportunity to help teams secure their cloud native apps and infrastructure. If you’d like to see support for a particular provider or framework, or have any other feedback, please let us know in the community forums, open an issue, or submit a pull request.
