Helm / HelmOCI
Introduction
JFrog Xray provides security and compliance analysis for Helm Charts used in Kubernetes deployments. Helm charts reference container images; Xray scans those referenced images stored in Artifactory to provide security coverage.
Capabilities
| Capability | Source Code Scanning | Binary Scanning |
|---|---|---|
| Vulnerability Matching (CVEs) | ❌ | ✅ (via referenced images) |
| License Detection | ❌ | ✅ (via referenced images) |
| Malicious Package Detection | ❌ | ✅ (via referenced images) |
| Operational Risk | - | - |
| Smart Remediation | ❌ | ❌ |
Source Code Scanning
Source code scanning (parsing Helm chart templates for dependencies) is not currently available.
Binary Scanning
When a Helm chart is stored in an Artifactory Helm repository, Xray analyzes the chart to identify referenced Docker/OCI images. Those images (if also stored in Artifactory) are then scanned by Xray.
Supported Package Formats
| Format | Supported |
|---|---|
| Helm Charts (.tgz) | ✅ |
| Helm OCI | 🔜 |
How It Works
- Helm chart is indexed by Xray in Artifactory
- Xray extracts referenced Docker/OCI image references from the chart
- Referenced images stored in JFrog Artifactory are scanned
- Vulnerabilities found in those images are associated with the Helm chart
Additional Information
- Helm chart scanning works by following image references – the chart itself is not scanned for code vulnerabilities
- Only images stored in JFrog Artifactory can be scanned (external image references are not followed)
- Helm OCI format is not currently supported
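Because only images hosted in Artifactory are scanned, a chart that pulls from Docker Hub or another external registry silently falls outside Xray's coverage. The following added example (not JFrog's code) walks a rendered chart manifest, such as the output of `helm template`, extracts its image references and separates those whose registry is an Artifactory host (assumed here to be `artifactory.example.com`) from external ones, so the coverage gap can be reviewed before relying on the scan results. The manifest is constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Matches "image: <ref>" lines in a rendered Kubernetes manifest (quotes and list dash optional).
IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s]+)["\']?\s*$', re.MULTILINE)


def extract_image_refs(manifest: str) -> List[str]:
    """Return the unique image references in a rendered chart, in order of first appearance."""
    refs: List[str] = []
    for ref in IMAGE_LINE.findall(manifest):
        if ref not in refs:
            refs.append(ref)
    return refs


def registry_of(ref: str) -> str:
    """Return the registry host of an image reference using Docker's resolution rule:
    a leading path component is a registry only if it contains '.' or ':' or is 'localhost';
    anything else (e.g. nginx:1.25, library/nginx) resolves to Docker Hub."""
    if "/" not in ref:
        return "docker.io"
    first = ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def classify_refs(refs: List[str], artifactory_hosts: Set[str]) -> Dict[str, List[str]]:
    """Split references into those Xray can scan (hosted in Artifactory) and external ones it will not follow."""
    result: Dict[str, List[str]] = {"scannable": [], "external": []}
    for ref in refs:
        bucket = "scannable" if registry_of(ref) in artifactory_hosts else "external"
        result[bucket].append(ref)
    return result


# Constructed sample of a rendered Deployment; the hostnames and tags are placeholders, not real artifacts.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: "artifactory.example.com/docker-local/migrate:1.4.2"
      containers:
        - name: app
          image: artifactory.example.com/docker-local/app:1.4.2
        - name: sidecar
          image: ghcr.io/someorg/sidecar:v2
        - name: proxy
          image: nginx:1.25
"""

if __name__ == "__main__":
    report = classify_refs(extract_image_refs(SAMPLE_MANIFEST), {"artifactory.example.com"})
    for bucket, refs in report.items():
        print(f"{bucket}: {refs}")
```

Running it on the sample lists the two `artifactory.example.com` images as scannable and `ghcr.io/someorg/sidecar:v2` and `nginx:1.25` as external, i.e. outside Xray's coverage for this chart.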