← all rules
iac/helm/helm-allow-privilege-escalation
Helm values allow privilege escalation
mediumHelmiac-helm
What it detects
`allowPrivilegeEscalation: true` lets a process gain more privileges than its parent (e.g. via setuid binaries), undermining a dropped-capability security context.
Remediation
Set `allowPrivilegeEscalation: false` in the chart's securityContext values.
How it runs
Run against Helm chart values files (values.yaml / values-*.yaml), which aren't rendered manifests so the Kubernetes layer skips them. Line-based checks for insecure chart defaults that propagate into every rendered workload.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.