dvirlabs/helmview
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
helmview/SECURITY.md
dvirlabs bcb87093fa First commit
2026-01-19 00:31:27 +02:00

4.7 KiB
Raw Permalink Blame History

Security Policy

Supported Versions

Version Supported
1.0.x

Security Features

HelmView implements several security measures:

File Upload Security

  • File size limits (100MB default)
  • Extension validation (.tgz, .tar.gz, .zip only)
  • Zip-slip attack protection
  • Safe path traversal checks
  • Sandboxed extraction directories

Execution Security

  • No arbitrary code execution
  • Helm runs only with template and lint commands
  • No hook execution allowed
  • Command timeouts (60s default)
  • Resource limits in Docker containers

Input Validation

  • YAML syntax validation
  • Kubernetes schema validation
  • API input sanitization
  • SQL injection protection (when using database)

Isolation

  • Per-project sandboxed directories
  • Docker container isolation
  • Temporary file cleanup
  • No network access from Helm commands

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

DO NOT

  • Open a public GitHub issue
  • Discuss the vulnerability publicly
  • Exploit the vulnerability

DO

  1. Email: Send details to security@helmview.io (if available) or create a private security advisory on GitHub
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)
  3. Wait: Allow up to 48 hours for initial response

What to Expect

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-30 days
    • Medium: 30-90 days
    • Low: Next release cycle

Security Best Practices for Deployment

Production Deployment

  1. Authentication: Implement user authentication (not included by default)
  2. HTTPS: Always use TLS/SSL in production
  3. Firewall: Restrict backend access to frontend only
  4. Secrets: Use environment variables or secret management
  5. Updates: Keep dependencies updated regularly
  6. Monitoring: Set up security monitoring and logging
  7. Backups: Regular backups of project data
  8. Resource Limits: Configure Docker resource limits

Network Security

# Recommended docker-compose.yml additions
services:
  backend:
    networks:
      - internal
  frontend:
    networks:
      - internal
      - external

networks:
  internal:
    internal: true
  external:

Environment Hardening

# Set restrictive file permissions
chmod 600 .env

# Use non-root user in containers
# (already implemented in Dockerfiles)

# Enable Docker security features
docker run --security-opt=no-new-privileges --cap-drop=ALL

Rate Limiting

Consider implementing rate limiting for production:

  • File uploads: 10 per hour per IP
  • API requests: 100 per minute per IP
  • Chart renders: 20 per hour per project

Database Security (when using PostgreSQL)

  • Use strong passwords
  • Enable SSL connections
  • Regular security updates
  • Principle of least privilege for DB users
  • Regular backups with encryption

Known Limitations

Current Security Limitations

  1. No Authentication: Users must implement their own auth layer
  2. No Rate Limiting: Should be added for production
  3. No Audit Logging: Consider adding for compliance
  4. Shared Resources: All users share the same backend (multi-tenancy not implemented)

Helm Security Considerations

  • Helm charts may contain malicious templates (mitigated by no hook execution)
  • Large charts may consume significant resources (mitigated by timeouts)
  • Chart dependencies are not validated (user responsibility)

Security Checklist for Production

  • Enable HTTPS/TLS
  • Implement authentication & authorization
  • Set up rate limiting
  • Configure firewall rules
  • Set resource limits
  • Enable audit logging
  • Set up monitoring & alerts
  • Regular security updates
  • Backup strategy in place
  • Incident response plan defined
  • Security review completed
  • Penetration testing performed

Compliance

HelmView does not currently provide built-in compliance features for:

  • HIPAA
  • PCI-DSS
  • SOC 2
  • GDPR (data handling must be implemented separately)

Users requiring compliance should implement additional controls.

References

License

This security policy is part of the HelmView project and follows the same MIT License.

Last Updated: January 2026