Security researchers go deep on Helm’s code under CNCF audit process

The Helm project has passed its mandatory CNCF security audit, apparently with flying colours.

As a member of the CNCF's incubator programme, Helm is required to undergo an in-depth security audit before it can be considered for graduation, joining the likes of Kubernetes, Envoy and Prometheus.

The audit of the Kubernetes package manager was carried out by Cure53, which put six team members on the case. Berlin-based Cure53 has carried out audits of other CNCF projects including Prometheus, Envoy, Jaeger and Notary.

The researchers spent 18 days “examining the Helm software, its infrastructure and process implementation.”

The results of the assessment of "the general security posture and selected code of the Helm project are excellent," it declared. "This project, which was notably sponsored by CNCF and completed in October 2019, have clearly demonstrated that the Helm software is sound and mature."

The report did throw up some "recommendations", noting that "integrated unit and regression testing leave room for minor criticisms". The level of logging detail "would benefit from some streamlining."

While the documentation was assessed as appearing complete, "not all of the content was up-to-date during the project with respect to the upcoming release."

Security incident reporting and vulnerability fix handling were generally given the thumbs up, but "the fix handling could still benefit from some more carefully formulated commit messages".

Overall, the team concluded, “Cure53 can only state the Helm project projects the impression of being highly mature.”

The security audit alone will not qualify Helm for CNCF graduate status. It must jump through a range of other hoops, including having committers from more than two organisations, achieving a Core Infrastructure Initiative best practices badge, and defining a governance and committer process, amongst others.