Lint a Helm chart against best practices: pinned image tags, security context, liveness and readiness probes, resource requests, and template hygiene.
Lints a Helm chart for common best-practice violations and produces a punch-list of fixes. Combines helm lint, helm template-then-kubeval validation, and a custom rule set focused on production readiness.
- chart_dir: path to the chart directory (must contain Chart.yaml).
- values_file: path to a values file used for templating (default <chart_dir>/values.yaml).
- target_k8s_version: drives the API version checks (default 1.29).

- helm lint <chart_dir> and capture any errors/warnings.
- helm template <chart_dir> -f <values_file> > /tmp/rendered.yaml.
- kubeconform -strict -kubernetes-version <target_k8s_version> /tmp/rendered.yaml.

- image: foo:latest or untagged images.
- securityContext.runAsNonRoot: true and readOnlyRootFilesystem: true.
- livenessProbe AND readinessProbe.
- PodDisruptionBudget if replicas > 1.
- data: (only stringData: from values is fine; flag literal base64 in templates).
- range blocks must have a with for safe access.

- file:line referencing the template file (not the rendered output).
- blocker (kubeconform error, latest tag), warning (missing probes), suggestion (missing PDB).
- helm-lint.md with sections per severity, each row showing template file:line, the rule, and a one-line fix. Exit 1 if any blockers exist.
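The custom rules listed above, sketched in Python as an added example (not the skill's own code). It assumes the rendered manifests are already parsed into dicts by a YAML loader, and it grades the securityContext and resource-request rules as warnings, a severity the page does not state; `image_pinned`, `check`, `exit_code` and `SAMPLE` are illustrative names.

```python
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet"}

def image_pinned(image):
    """True for a digest reference or an explicit tag other than 'latest'."""
    if "@" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # skip a registry host:port colon
    return ":" in last and last.rsplit(":", 1)[1] != "latest"

def check(manifests):
    """Return (severity, 'Kind/name[/container]', rule) tuples."""
    out = []
    pdb_selectors = [m["spec"].get("selector", {}).get("matchLabels", {})
                     for m in manifests if m.get("kind") == "PodDisruptionBudget"]
    for m in [x for x in manifests if x.get("kind") in WORKLOADS]:
        ref = f"{m['kind']}/{m['metadata']['name']}"
        tmpl = m["spec"]["template"]
        pod_sc = tmpl["spec"].get("securityContext") or {}
        for c in tmpl["spec"].get("containers", []):
            where, sc = f"{ref}/{c['name']}", c.get("securityContext") or {}
            if not image_pinned(c.get("image", "")):
                out.append(("blocker", where, "image untagged or :latest"))
            # runAsNonRoot can be inherited from the pod; readOnlyRootFilesystem cannot.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                out.append(("warning", where, "runAsNonRoot not true"))
            if sc.get("readOnlyRootFilesystem") is not True:
                out.append(("warning", where, "readOnlyRootFilesystem not true"))
            out += [("warning", where, f"missing {p}")
                    for p in ("livenessProbe", "readinessProbe") if p not in c]
            if not (c.get("resources") or {}).get("requests"):
                out.append(("warning", where, "no resource requests"))
        labels = tmpl.get("metadata", {}).get("labels", {})
        covered = any(s and s.items() <= labels.items() for s in pdb_selectors)
        if m["spec"].get("replicas", 1) > 1 and not covered:
            out.append(("suggestion", ref, "replicas > 1 without a matching PodDisruptionBudget"))
    return out

def exit_code(findings):
    """1 if any blocker exists, otherwise 0."""
    return int(any(sev == "blocker" for sev, _, _ in findings))

# Constructed sample: a Deployment plus a PDB that selects a different app label.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"replicas": 2, "template": {
        "metadata": {"labels": {"app": "web"}},
        "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
            {"name": "app", "image": "registry.example:5000/web:latest"}]}}}},
    {"kind": "PodDisruptionBudget", "spec": {"selector": {"matchLabels": {"app": "api"}}}},
]
```

Mapping each finding back to a template file:line, as the report requires, is not covered here.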
After fixes are applied, rerun helm lint, kubeconform, and the custom rules; expect zero blockers. Manually helm install --dry-run --debug the chart against a kind cluster to confirm rendered manifests are accepted by the API server. Sample three "missing probe" findings by reading the template and confirm there isn't a probe defined further down that the regex missed.
- {{- if .Values.foo }}): render with both foo: true and foo: false and merge findings; missing probes in one branch is still a finding.
- target_k8s_version accordingly.
- printf: skip the latest-tag check for those; flag for human review.