Github Action Kubernetes/Helm scan - No issues found

I’m trying to run SonarCloud as a GitHub Action to analyze a Helm chart folder. However, even though SonarCloud can detect it is a Helm chart folder, it does not find any issue in the chart. By checking the Rules, at least some should fail (e.g., CPU requests should be specified), and other tools (e.g., checkov) can find many issues.

The following is my action workflow:

- name: Run SonarCloud Scan
  uses: sonarsource/sonarcloud-github-action@v3.1
  with:
    projectBaseDir: mysql/
    args: >
      -Dsonar.organization=***
      -Dsonar.projectKey=***
      -Dsonar.python.coverage.reportPaths=coverage.xml
      -Dsonar.verbose=true
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

I tested it on the MySQL chart (mysql 11.1.20 · bitnami/bitnami) and other charts and never found an issue.

What am I doing wrong?

Thank you.

Hey there.

I ran an Automatic Analysis of this repo (GitHub - colin-sonarsource/charts-charts: Bitnami Helm Charts) and got a full analysis (SonarCloud). 598 issues raised.

Then I tried CI-based analysis and while not every file parsed correctly (there are over 3000), I could see in the logs that files are being analyzed.

INFO: Sensor IaC Kubernetes Sensor [iac]
INFO: 3178 source files to be parsed
ERROR: Failed to evaluate Helm file bitnami/node-exporter/templates/service.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/redis/templates/secret.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/nginx-ingress-controller/templates/controller-service.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/ghost/templates/secrets.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/harbor/templates/registry/registry-dpl.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/opensearch/templates/data/statefulset.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/sonarqube/templates/service.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/opensearch/templates/coordinating/statefulset.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/external-dns/templates/clusterrolebinding.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/elasticsearch/templates/coordinating/statefulset.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/mariadb-galera/templates/svc.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file template/CHART_NAME/templates/clusterrolebinding.yaml: Template evaluation failed
ERROR: Failed to evaluate Helm file bitnami/grafana-mimir/templates/gateway/deployment.yaml: Template evaluation failed
INFO: 383/3178 files parsed, current file: bitnami/zipkin/templates/tls-secret.yaml
...

What do you see in the logs?

To clarify, I do not have the Enterprise edition, I do not know whether it makes a difference.

The following are my logs:

...
INFO  Sensor IaC Kubernetes Sensor [iac]
INFO  37 source files to be parsed
INFO  37/37 source files have been parsed
INFO  37 source files to be analyzed
INFO  37/37 source files have been analyzed
INFO  37 source files to be checked
INFO  37/37 source files have been checked
INFO  Sensor IaC Kubernetes Sensor [iac] (done) | time=793ms
...

Thanks for the help.

Doesn’t make a difference.

Well, it looks like all your files are parsed.

Can you share a specific template where you expect an issue to be raised, and on what rule?

This is the chart I’m trying to analyze. I’ve downloaded it and it is in my repo.

For example, at least the “Memory limits should be enforced” rule should fail.

Hi, thanks for your question!

I downloaded the Bitnami MySQL chart you linked above and put it in a test repository.
This repository is using the same GitHub Action as you: sonar-community-mysql-helm/.github/workflows/build.yml at main · GabinL21/sonar-community-mysql-helm · GitHub

Multiple points:

  • We do raise some minor issues on this chart (see analysis on SonarQube Cloud), but maybe on files you don’t have in your repository.
  • There is no memory limit issue (S6864) since the limit is defined in _resources.tpl (here). When running the helm template command, we see that the memory limit is indeed present in the evaluated template (here).
  • The MySQL chart uses a Helm subchart common. Currently, our analyzer can’t correctly evaluate templates with subchart references, preventing issues from being raised. This is a known limitation; you can track our progress on the issue in the related Jira ticket: Jira

Thanks for using our products and your investment in the community. If you need any other assistance, let us know!
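To see why the memory-limit rule passes here, the following added script (not SonarCloud's or the chart's own code; the sample manifests are constructed) applies the S6864 condition, a container without resources.limits.memory, to rendered manifests, which is the form in which a limit pulled in from _resources.tpl becomes visible. It assumes PyYAML only when reading real `helm template` output from stdin.

```python
"""Report containers without a memory limit in rendered Kubernetes manifests.

Run `helm template <chart> | python check_mem_limits.py`, or call
find_missing_memory_limits() on documents already loaded from YAML.
"""
import sys

# Kinds whose pod template lives under spec.template.spec
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def _pod_spec(doc):
    """Return the PodSpec dict of a manifest, or None for non-workload kinds."""
    kind = doc.get("kind")
    spec = doc.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if kind in WORKLOAD_KINDS or kind == "CronJob":
        return (spec.get("template") or {}).get("spec") or {}
    return None


def find_missing_memory_limits(docs):
    """Return 'Kind/name: container' for every container lacking resources.limits.memory."""
    findings = []
    for doc in docs:
        if not isinstance(doc, dict):
            continue  # empty documents between '---' separators load as None
        spec = _pod_spec(doc)
        if spec is None:
            continue
        owner = f"{doc.get('kind')}/{(doc.get('metadata') or {}).get('name', '?')}"
        for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
            limits = (c.get("resources") or {}).get("limits") or {}
            if "memory" not in limits:
                findings.append(f"{owner}: {c.get('name', '?')}")
    return findings


# Constructed sample of what rendered output might look like: the StatefulSet
# got its limit from a helper template, the Deployment's container has none.
SAMPLE_DOCS = [
    {"kind": "StatefulSet", "metadata": {"name": "mysql"}, "spec": {"template": {"spec": {
        "containers": [{"name": "mysql", "resources": {"limits": {"memory": "1024Mi"}}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "exporter"}, "spec": {"template": {"spec": {
        "containers": [{"name": "exporter", "resources": {}}]}}}},
    {"kind": "Service", "metadata": {"name": "mysql"}, "spec": {"ports": []}},
]

if __name__ == "__main__":
    import yaml  # PyYAML, needed only for real `helm template` output on stdin
    for finding in find_missing_memory_limits(yaml.safe_load_all(sys.stdin)):
        print(finding)
```

Running it on the raw chart sources instead of the rendered output would report the mysql container too, because the limit there is only a `{{ include ... }}` reference.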