← all rules

iac/helm/helm-privileged

Helm values enable privileged containers

highHelmiac-helm

What it detects

`privileged: true` in chart values renders a container with full host access — it can escape to the node. This is rarely required outside of node-level agents.

Remediation

Set `privileged: false` and grant only the specific Linux capabilities the workload needs.

How it runs

Run against Helm chart values files (values.yaml / values-*.yaml), which aren't rendered manifests so the Kubernetes layer skips them. Line-based checks for insecure chart defaults that propagate into every rendered workload.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.