A practical workshop exploring threats, attack scenarios, and strategies for securing Helm charts using Cloudsmith's artifact management. Topics include verifying assets (public Helm charts, dependencies, and images), automating compliance with Trivy, and enforcing runtime OPA Gatekeeper policies to protect Kubernetes deployments. Learn to audit and manage Helm charts before distribution to prevent supply-chain attacks. Bonus: hands-on Instruqt lab analyzing insecure chart templates and demonstrating how to scan and validate Helm charts prior to production Kubernetes deployment.

This practical workshop explores common threats, attack scenarios, and proven strategies for securing Helm charts through Cloudsmith's artifact management, maintaining supply chain integrity and regulatory compliance. Topics include: verifying every asset (public Helm charts, dependencies, and images from popular OSS projects before deployment); automating compliance with Trivy and enforcing runtime OPA Gatekeeper security policies in real-time; preventing supply chain attacks by auditing and managing Helm charts before distributing through secure repositories; and acknowledging the manual overhead, as most charts are insecure-by-default and require further security checks by your team. Bonus: Hands-on Instruqt lab platform that analyzes actual insecure chart templates and demonstrates how to scan and detect vulnerabilities with open-source tools, implement security standards, and properly validate Helm charts prior to production Kubernetes deployment.

30-minute talk on the evolving threat landscape around Helm charts in public repositories. We’ll discuss real-world incidents such as the Codecov supply chain attack and hypothetical attack vectors like 'ChartSploit', highlighting how seemingly benign configurations can be exploited. Topics include anatomy of vulnerable charts, risk areas (RBAC misconfigurations, dependency vulnerabilities), and actionable strategies to secure Kubernetes environments—auditing deployments, verifying chart integrity, enforcing strict access controls, and adopting DevSecOps practices.