66. Helm Chart Security Risk Acceptance

Date: 2025-11-29

Status

Accepted

Category

Security & Compliance

Context

The MCP Server LangGraph Helm chart depends on upstream Helm subcharts from canonical providers. Security scanning with Trivy identifies findings in these upstream charts that fall into one of three categories:
  1. False positives: Static analysis limitations (e.g., variable references detected as secrets)
  2. Intentional design: Required functionality (e.g., node-exporter host access)
  3. Upstream patterns: Standard practices from trusted maintainers (e.g., Bitnami UID/GID)

Subcharts and Providers

| Chart | Version | Provider | Status |
| --- | --- | --- | --- |
| openfga | 0.2.49 | openfga.github.io | ✅ Official OpenFGA |
| postgresql | 18.1.11 | charts.bitnami.com | ✅ Official Bitnami |
| redis | 24.0.0 | charts.bitnami.com | ✅ Official Bitnami |
| keycloak | 25.2.0 | charts.bitnami.com | ✅ Official Bitnami |
| grafana | 12.1.8 | charts.bitnami.com | ✅ Official Bitnami |
| jaeger | 3.4.1 | jaegertracing.github.io | ✅ Official Jaeger |
| kube-prometheus-stack | 79.9.0 | prometheus-community | ✅ Official Prometheus |
All charts use official/canonical providers with security-focused release processes.

Bitnami Licensing Note

Beginning August 28, 2025, Bitnami will transition to the “Bitnami Secure Images” model:
  • Non-hardened Debian-based images deprecated in free tier
  • Gradual removal of non-latest tags from public catalog
  • Migration strategy required before August 2025

Decision

Accept documented security findings in upstream Helm subcharts with the following risk mitigation strategy:

1. Severity-Based Triage

| Severity | Action |
| --- | --- |
| CRITICAL/HIGH | Investigate and remediate, or document with compensating controls |
| MEDIUM | Evaluate impact; suppress with justification if false positive |
| LOW/NOTE | Suppress with documentation; review quarterly |

2. Accepted Findings Categories

A. kube-prometheus-stack RBAC (Required for Cluster Monitoring)

| Finding | Justification |
| --- | --- |
| KSV041 (Manage secrets) | Required for scrape configurations and TLS |
| KSV045 (Wildcard verbs) | Required for CRD management |
| KSV048/049 (Workload management) | Required for monitoring resources |
| KSV056 (Network management) | Required for ServiceMonitor/PodMonitor |
| KSV113 (Namespace secrets) | Required for multi-namespace monitoring |
| KSV114 (Webhook admission) | Required for CRD validation |
Compensating Controls: NetworkPolicies restrict prometheus-operator access.

B. Node Exporter (Required for Node Metrics)

| Finding | Justification |
| --- | --- |
| KSV009 (Host network) | Required for node-level metrics |
| KSV010 (Host PID) | Required for process metrics |
| KSV023/121 (hostPath) | Required for /proc, /sys access |
Compensating Controls: DaemonSet runs only on designated monitoring nodes.

C. Keycloak (Quarkus JIT Requirements)

| Finding | Justification |
| --- | --- |
| AVD-KSV-0014 (readOnlyRootFilesystem) | Quarkus JIT compilation requires write access |
Compensating Controls: runAsNonRoot, allowPrivilegeEscalation=false, capabilities.drop=ALL.

D. False Positives

| Finding | Reason |
| --- | --- |
| AVD-KSV-0109 (ConfigMap secrets) | Variable references ($REDIS_PASSWORD), not secrets |
| AVD-KSV-01010 (Sensitive content) | LLM token limits, not auth tokens |
| KSV013 (Latest tag) | Development only; production pins versions |
| KSV020/021 (UID/GID < 10000) | Bitnami standard (UID 1001), still non-root |
| KSV0125 (Untrusted registry) | Bitnami is a trusted, widely used registry |

3. Suppression Documentation

All accepted findings are documented in deployments/helm/mcp-server-langgraph/.trivyignore with:
  • Affected component
  • Justification
  • Compensating controls
  • Review expiration date

4. Review Schedule

| Activity | Frequency |
| --- | --- |
| .trivyignore review | Quarterly |
| Subchart version updates | Monthly |
| Security advisory review | Weekly |
| Full security audit | Annually |

Consequences

Positive

  • Clear documentation of security posture
  • Reduced noise in security scans
  • Focused attention on genuine issues
  • Transparent risk acceptance process

Negative

  • Maintenance burden for .trivyignore
  • Risk of accepting genuine issues as false positives
  • Quarterly review overhead

Mitigations

  • Automated CI checks flag new findings
  • Expiration dates force periodic review
  • Defense-in-depth with multiple security layers
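The following script is an added example, not part of this ADR or of the project's CI, showing how the suppression documentation in section 3 and the "automated CI checks" and "expiration dates" mitigations can be enforced mechanically. It assumes the `.trivyignore` uses Trivy's plain-text ignore-file syntax (one finding ID per line, optional `exp:YYYY-MM-DD` expiry, `#` comments) and that the ADR's required fields are recorded as `# key: value` comment lines directly above each suppressed ID; those field names, the 92-day maximum validity window, and the sample file contents are assumptions made for the example.

```python
"""Audit a Trivy .trivyignore file against the ADR's suppression policy.

Added example; not the project's own tooling. Assumes:
  * Trivy's plain-text ignore syntax: ``<ID> [exp:YYYY-MM-DD]`` per line.
  * Each suppressed ID is preceded by comment lines of the form
    ``# component: ...``, ``# justification: ...``,
    ``# compensating-controls: ...`` (field names chosen for this example).
  * A blank line ends a documentation block, so several IDs may share one.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from datetime import date

# Fields the ADR requires for every accepted finding (names are an assumption).
REQUIRED_FIELDS = ("component", "justification", "compensating-controls")
# Assumption: a suppression may not outlive one review cycle (quarterly review).
MAX_VALIDITY_DAYS = 92

ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$")
FIELD_RE = re.compile(r"^#\s*(?P<key>[a-z-]+):\s*(?P<value>.+?)\s*$")


@dataclass
class Suppression:
    finding_id: str
    expires: date | None
    fields: dict[str, str] = field(default_factory=dict)


def parse_trivyignore(text: str) -> list[Suppression]:
    """Parse ignore-file text into Suppression records with their metadata."""
    entries: list[Suppression] = []
    pending: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            pending = {}  # blank line closes the current documentation block
            continue
        m = FIELD_RE.match(line)
        if m:
            pending[m["key"]] = m["value"]
            continue
        if line.startswith("#"):
            continue  # free-form comment, not a policy field
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised ignore syntax: {raw!r}")
        exp = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append(Suppression(m["id"], exp, dict(pending)))
    return entries


def check_policy(entries: list[Suppression], today: date) -> list[str]:
    """Return one message per policy violation (empty list means compliant)."""
    problems: list[str] = []
    for e in entries:
        for name in REQUIRED_FIELDS:
            if name not in e.fields:
                problems.append(f"{e.finding_id}: missing '{name}'")
        if e.expires is None:
            problems.append(f"{e.finding_id}: no exp: date (review expiration is mandatory)")
        elif e.expires < today:
            problems.append(f"{e.finding_id}: expired on {e.expires.isoformat()}")
        elif (e.expires - today).days > MAX_VALIDITY_DAYS:
            problems.append(f"{e.finding_id}: expiry more than {MAX_VALIDITY_DAYS} days out")
    return problems


def audit(text: str, today_iso: str) -> list[str]:
    """Parse and check in one step; ``today_iso`` is YYYY-MM-DD."""
    return check_policy(parse_trivyignore(text), date.fromisoformat(today_iso))


# Constructed sample ignore file (dates and wording invented for the example).
SAMPLE = """\
# component: kube-prometheus-stack
# justification: ClusterRole needs secret access for scrape configs and TLS
# compensating-controls: NetworkPolicy restricts prometheus-operator access
KSV041 exp:2026-02-28

# component: keycloak
# justification: Quarkus JIT compilation needs a writable root filesystem
# compensating-controls: runAsNonRoot, allowPrivilegeEscalation=false, drop ALL
AVD-KSV-0014 exp:2025-06-30

# component: redis
# justification: $REDIS_PASSWORD is a variable reference, not a secret
AVD-KSV-0109
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE
    findings = audit(text, date.today().isoformat())
    for p in findings:
        print(p)
    sys.exit(1 if findings else 0)
```

Run it in CI with the repository's `.trivyignore` path as the argument and a non-zero exit blocks the merge: an entry whose `exp:` date has passed, or whose justification or compensating controls are missing, fails the build rather than silently continuing to suppress the finding. Against the constructed sample as of the ADR date, the Keycloak entry is reported as expired and the Redis entry is reported twice (no compensating controls, no expiry), while the kube-prometheus-stack entry passes.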

References