Sonar scan of Helm charts for Kubernetes security misconfigurations fails to parse files

  • Bitbucket Cloud
  • CI system used: Bitbucket cloud pipelines
  • Scanner command:
      - pipe: sonarsource/sonarcloud-scan:1.4.0
      - pipe: sonarsource/sonarcloud-quality-gate:0.1.6
  • Helm Charts - this is a repo with multiple helm charts in folders under the root of the repo. I can’t give you our charts, but it seems clear any Helm chart template is going to cause these types of issues.
  • Error observed: build log attached
  • Steps to reproduce: add scan pipe to pipeline for repo containing helm charts
    pipelineLog-{d6b8652a-8c70-401c-af76-1b767dceec58}.txt (88.6 KB)

Hi @jseletz ,

Thanks for the logs. I see these parse errors, which I believe you are speaking of:

INFO: Sensor IaC Kubernetes Sensor [iac]
INFO: 89 source files to be analyzed
ERROR: Unable to parse file: file:///opt/atlassian/pipelines/agent/build/adminer/templates/service.yaml. Parse error at position 11:0
ERROR: Cannot parse 'adminer/templates/service.yaml': while scanning a simple key
 in reader, line 10, column 1:
    {{- if .Values.service.annotatio ... 
    ^
could not find expected ':'
 in reader, line 11, column 3:
      annotations:
      ^

ERROR: Unable to parse file: file:///opt/atlassian/pipelines/agent/build/activemq/templates/service.yaml. Parse error at position 7:0
ERROR: Cannot parse 'activemq/templates/service.yaml': while scanning a simple key
 in reader, line 6, column 1:
    {{ include "activemq.labels" . | ... 
    ^
could not find expected ':'
 in reader, line 7, column 1:
    spec:
    ^

If so, then as of today (2 Aug 2022), we do not yet support scanning of Helm chart yaml files, only Kubernetes files. Apologies for the confusion.

Helm file analysis is in our backlog so we hope to implement it soon.
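The parse errors above come from Go template actions (`{{ ... }}`) sitting where the YAML scanner expects a key, so the Kubernetes sensor cannot read raw chart templates. As an added example (not from this thread or from SonarSource), the pipeline step below renders each chart to plain Kubernetes YAML with `helm template` so the rendered output can be scanned instead; it assumes `helm` is on PATH, charts live one directory below the repo root (as the reporter describes), and that `**/templates/**` is then excluded via `sonar.exclusions`.

```shell
#!/usr/bin/env sh
# Pre-render Helm charts before the SonarCloud scan step.
# Added example, not code from the original thread. Assumes helm on PATH.
set -eu

# Return 0 if the file contains Go template actions, which the IaC
# Kubernetes sensor cannot parse as YAML (the "{{- if" errors in the log).
# A bare "{{" check is deliberately coarse; it may flag JSON-in-YAML too.
is_helm_template() {
  grep -q '{{' "$1"
}

# List chart directories: every direct child of $1 that holds a Chart.yaml.
find_charts() {
  find "$1" -mindepth 2 -maxdepth 2 -name Chart.yaml -exec dirname {} \; | sort
}

# Render each chart into $2/<chart-name>.yaml. Charts needing dependencies or
# non-default values would need `helm dependency build` / `-f` here (assumption).
render_charts() {
  root=$1
  out=$2
  mkdir -p "$out"
  find_charts "$root" | while IFS= read -r chart; do
    name=$(basename "$chart")
    helm template "$name" "$chart" > "$out/$name.yaml"
  done
}

# Usage in a pipeline step, before the sonarcloud-scan pipe:
#   render_charts . rendered
# and in sonar-project.properties:
#   sonar.sources=rendered
#   sonar.exclusions=**/templates/**
```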

Hi @jseletz,

Indeed, this behavior is not expected. I’ve created a ticket, and we will solve this problem within the next week. Thank you for reporting this issue.

Best,
