Severity: high | CWE-798 | OWASP A07:2021

Helm Chart Secrets in Values

Passwords, API keys, and other secrets are hardcoded directly in Helm values.yaml files. Because those files are committed to version control, every secret is exposed to anyone with read access to the repository, and Helm then copies the same values into the cluster's release record.

How It Works

Helm charts use a values.yaml file to parameterize Kubernetes manifests. Developers frequently put database passwords, API keys, and TLS private keys directly in values.yaml (or in per-environment override files) because it is the easiest way to pass configuration. The problem is that values.yaml is a plaintext file that gets committed to Git: anyone with read access to the repository can see every secret, and deleting a value later does not help, because it survives in Git history and in every existing clone and fork until the credential itself is rotated. The exposure does not stop at the repository. Helm 3 records each release (the user-supplied values, the chart defaults, and the fully rendered manifests) in a Kubernetes Secret named sh.helm.release.v1.<release>.v<revision> in the release namespace. That record is only gzipped and base64-encoded, not encrypted, so anyone permitted to read Secrets in the namespace (which is all that helm get values and helm get manifest need) can recover the plaintext, and unless etcd encryption at rest is enabled the same plaintext sits unencrypted on the control-plane disk.
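To make the second exposure concrete, here is an added example (not code from this page, from Helm, or from Data Hogo) that reproduces Helm 3's storage encoding on a constructed release record and then decodes it the way anyone with read access to the Secret would. The release record, its name myapp, and every value in it are constructed for the example; only the encoding steps (JSON, gzip, base64, plus the extra base64 layer the Kubernetes API adds when returning Secret data) are Helm's real behaviour.

```python
import base64
import gzip
import json

# Constructed release record standing in for what Helm 3 would have stored after
# `helm install myapp ./chart -f values.yaml` with the vulnerable values.yaml above.
# Field names (name, version, config, chart.values, manifest) follow Helm's release JSON.
FAKE_RELEASE = {
    "name": "myapp",
    "version": 1,
    "config": {  # user-supplied values: exactly what `helm get values` prints
        "database": {
            "host": "prod-db.example.com",
            "username": "admin",
            "password": "SuperS3cret!Pass",
        },
        "api": {"stripeKey": "sk_live_abc123def456"},
    },
    "chart": {"metadata": {"name": "myapp"}, "values": {"database": {"password": ""}}},
    # rendered templates: the password shows up again in the generated Secret manifest
    "manifest": (
        "---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: myapp-db\n"
        "stringData:\n  password: SuperS3cret!Pass\n"
    ),
}


def encode_like_helm(release: dict) -> str:
    """Helm 3's storage encoding (JSON -> gzip -> base64), wrapped in the additional
    base64 layer that `kubectl get secret ... -o jsonpath='{.data.release}'` returns."""
    stored = base64.b64encode(gzip.compress(json.dumps(release).encode())).decode()
    return base64.b64encode(stored.encode()).decode()


def decode_helm_release(data_release: str) -> dict:
    """Invert both base64 layers and gunzip: the plaintext release record."""
    stored = base64.b64decode(data_release)  # peel the API's base64 layer
    return json.loads(gzip.decompress(base64.b64decode(stored)))


def flatten(tree: dict, prefix: str = "") -> dict:
    """{'database': {'password': 'x'}} -> {'database.password': 'x'}"""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def exposed_values(data_release: str) -> dict:
    """User-supplied values recoverable by anyone who can read the release Secret."""
    return flatten(decode_helm_release(data_release).get("config", {}))


def manifest_contains(data_release: str, needle: str) -> bool:
    """True if the rendered manifest stored with the release carries `needle` in plaintext."""
    return needle in decode_helm_release(data_release).get("manifest", "")


if __name__ == "__main__":
    blob = encode_like_helm(FAKE_RELEASE)
    for path, value in exposed_values(blob).items():
        print(f"{path} = {value}")  # the plaintext password and Stripe key, straight from the cluster
```

Against a real cluster the equivalent is kubectl get secret sh.helm.release.v1.myapp.v1 -o jsonpath='{.data.release}' | base64 -d | base64 -d | gunzip, which is what helm get values and helm get manifest do for you: no exploit is involved, only RBAC read on Secrets in the namespace, which is why moving credentials out of values.yaml matters even when the repository is private.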

Vulnerable Code
# BAD: secrets hardcoded in values.yaml
# values.yaml
database:
  host: prod-db.example.com
  username: admin
  password: "SuperS3cret!Pass"
api:
  stripeKey: "sk_live_abc123def456"
  jwtSecret: "my-jwt-signing-key-do-not-share"
Secure Code
# GOOD: values.yaml only names the Secret; the credential itself never enters the chart or Git
# values.yaml
database:
  host: prod-db.example.com
  existingSecret: db-credentials        # name of a Kubernetes Secret in the release namespace
  existingSecretPasswordKey: password   # key inside that Secret that holds the password
# The chart's templates must honour these values (e.g. an env var with
# valueFrom.secretKeyRef pointing at .Values.database.existingSecret) instead of
# rendering a Secret from a plaintext value; otherwise the reference does nothing.
---
# external-secret.yaml: a separate manifest, not part of values.yaml. It has the
# External Secrets Operator materialise db-credentials from Vault at deploy time
# (Sealed Secrets is an alternative for committing an encrypted copy instead).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials            # the Kubernetes Secret the chart reads via existingSecret
  data:
    - secretKey: password           # key written into that Secret
      remoteRef:
        key: prod/database/password # path of the credential in the external store

Real-World Example

In 2021, researchers from Aqua Security scanned public Helm chart repositories and found thousands of charts with hardcoded secrets in values.yaml, including AWS access keys, database passwords, and TLS private keys. Many of these charts were forks of official Bitnami charts where developers had filled in real production credentials before pushing them to public repos.

How to Prevent It

  • Never put passwords, API keys, or private keys directly in values.yaml or in override files; have the chart accept an existingSecret reference and read the credential from a Kubernetes Secret created outside the chart
  • Use a secrets management tool such as HashiCorp Vault, AWS Secrets Manager, or the External Secrets Operator to materialise that Secret at deploy time, and pair it with etcd encryption at rest and tight RBAC on Secrets, since both the Helm release record and the Secret itself are only base64-encoded
  • If secret values must live in the repository, encrypt them with the helm-secrets plugin and SOPS before committing, so Git only ever holds ciphertext
  • Keep per-environment override files that carry real credentials out of Git (.gitignore them) and commit a values.example.yaml with placeholders; scan the repository for hardcoded credentials, and rotate anything already committed, because rewriting history does not recall existing clones
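As an added example (not code from this page or from Data Hogo), the following pre-commit style check scans a values file for credentials that should have been an existingSecret reference. It uses a deliberately small indentation walker rather than a full YAML parser so that it runs on the standard library alone; the key-name and value patterns, the placeholder list, and both sample files below are constructed for the example and should be tuned to your own charts.

```python
import re

# Key names that usually hold a credential ...
SECRET_KEY_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|jwt|credential)", re.I
)
# ... unless they merely *reference* a Secret (existingSecret, secretName, ...)
REFERENCE_KEY_RE = re.compile(r"(^existing|Name$|Ref$|KeyName$)")
# Values that are credentials regardless of key name (PEM private keys, well-known prefixes)
VALUE_RE = re.compile(
    r"(-----BEGIN [A-Z ]*PRIVATE KEY-----|^sk_live_|^AKIA[0-9A-Z]{16}$|^gh[pousr]_[A-Za-z0-9]{20,})"
)
# Placeholder values that are fine to commit
PLACEHOLDER_RE = re.compile(
    r"^(|null|~|<[^>]*>|\$\{[^}]*\}|change[-_ ]?me|replace[-_ ]?me|x{3,}|\*{3,}|todo)$", re.I
)


def iter_scalars(text: str):
    """Yield (dotted.path, value) for each scalar in a block-style YAML document.
    Handles nested mappings, quoted scalars and `|`/`>` block scalars; skips comments
    and list items. Not a YAML parser, but enough for the shape of a values.yaml."""
    stack = []    # (indent, key) of the enclosing mappings
    block = None  # (indent, path, lines) while inside a block scalar
    for raw in text.splitlines():
        if block is not None:
            indent = len(raw) - len(raw.lstrip())
            if raw.strip() == "" or indent > block[0]:
                block[2].append(raw.strip())
                continue
            yield block[1], "\n".join(block[2]).strip()
            block = None
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("-"):
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep or not key:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        value = value.strip()
        if value in ("|", ">", "|-", ">-"):
            block = (indent, path, [])
        elif value == "":
            stack.append((indent, key))
        else:
            yield path, value.strip("'\"")
    if block is not None:
        yield block[1], "\n".join(block[2]).strip()


def mask(value: str) -> str:
    """Keep a short prefix for triage without echoing the credential into CI logs."""
    first = value.splitlines()[0] if value else ""
    return first[:4] + "*" * 8


def find_hardcoded_secrets(values_yaml: str) -> list:
    """Return [(dotted.path, masked_value)] for every scalar that looks like a live credential."""
    findings = []
    for path, value in iter_scalars(values_yaml):
        leaf = path.rsplit(".", 1)[-1]
        secret_key = SECRET_KEY_RE.search(leaf) and not REFERENCE_KEY_RE.search(leaf)
        secret_value = VALUE_RE.search(value)
        if (secret_key or secret_value) and not PLACEHOLDER_RE.match(value):
            findings.append((path, mask(value)))
    return findings


# Constructed sample files: the page's vulnerable values plus a TLS pair, and the fixed version.
VULNERABLE_VALUES = """\
database:
  host: prod-db.example.com
  username: admin
  password: "SuperS3cret!Pass"
api:
  stripeKey: "sk_live_abc123def456"
  jwtSecret: "my-jwt-signing-key-do-not-share"
tls:
  crt: |
    -----BEGIN CERTIFICATE-----
    MIIBconstructedCertificateBody
    -----END CERTIFICATE-----
  key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEconstructedPrivateKeyBody
    -----END RSA PRIVATE KEY-----
"""

SECURE_VALUES = """\
database:
  host: prod-db.example.com
  existingSecret: db-credentials  # references a K8s Secret
  existingSecretPasswordKey: password
api:
  stripeKeySecretName: stripe-api
  jwtSecret: ""
"""

if __name__ == "__main__":
    for path, masked in find_hardcoded_secrets(VULNERABLE_VALUES):
        print(f"hardcoded secret at {path}: {masked}")
```

Run it over every values*.yaml in a pre-commit hook or CI job; the public certificate is left alone while the private key is caught by its PEM header even though its key name is just key. Anything the check flags in a file that has already been pushed must be rotated, not merely deleted.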

Affected Technologies

Terraform, Kubernetes, Docker

Data Hogo detects this vulnerability automatically.
