← all rules
iac/helm/helm-run-as-root
Helm values run the container as root
mediumHelmiac-helm
What it detects
`runAsNonRoot: false` (or `runAsUser: 0`) lets the workload run as UID 0. Any container-escape or mounted-volume bug then becomes root on the node.
Remediation
Set `runAsNonRoot: true` and a non-zero `runAsUser`.
How it runs
Run against Helm chart values files (values.yaml / values-*.yaml), which aren't rendered manifests so the Kubernetes layer skips them. Line-based checks for insecure chart defaults that propagate into every rendered workload.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.