A Helm chart isn’t just a container image. It’s a collection of Kubernetes manifests, configuration templates, optional sidecar containers, init containers, image references, and bundled resources that together define how an application runs in Kubernetes. The SBOM for a Helm release that covers only the primary container image is missing a significant portion of what was actually deployed.
This gap matters when a CVE is disclosed that affects a component in a sidecar or init container that the image-level SBOM doesn’t cover. Or when a configuration value in the Helm chart references a vulnerable resource that no SBOM captures.
What a Helm Chart SBOM Needs to Cover?
Multiple container images in a single release
Many Helm charts deploy multiple containers: the primary application container, sidecars for logging or service mesh, init containers for configuration or database migration, and potentially separate containers for background job workers.
A chart-level SBOM must account for all of these. An SBOM that covers only the primary image is complete for the primary image and silent on everything else the chart deploys. During vulnerability assessment, the silent portions are assumed-clean, which they may not be.
The practical challenge: Most SBOM tooling generates SBOMs per image, not per Helm release. Aggregating image-level SBOMs into a release-level SBOM requires tooling or process that most organizations haven’t built.
Helm-managed configuration and external references
Helm charts can reference external resources—image registries, secrets, volume mounts pointing to external storage. These references are part of the deployed application’s runtime surface even if they’re not packages in a container image.
Configuration-layer security is outside the scope of package-level SBOMs. The configuration SBOM—what the Helm chart configures at deployment time—requires different analysis than package inventory.
Image scanning tells you what’s in the containers. It doesn’t tell you what configuration those containers will run with or what external resources they’ll reference.
Building Chart-Level Component Visibility
Per-container RBOM aggregated to chart level
Container image tool runtime profiling applied to each container in a Helm release produces per-container RBOMs that can be aggregated to a release-level view. The aggregation represents the full runtime execution surface of the Helm release: which packages across all containers participate in actual execution.
This aggregated RBOM provides the chart-level visibility that image-scanning alone can’t produce. CVE assessment against the chart-level RBOM covers the full deployment, not just the primary container.
Handling sidecar and init container SBOMs
Container security software scanning integrated into the chart’s CI/CD pipeline should run against every image referenced in the chart’s values.yaml and templates. Automated detection of all image references—including conditional references that may not always deploy—provides the complete image inventory that chart-level SBOM generation requires.
For init containers that run to completion before the application starts, the SBOM captures the init container’s component inventory even though the init container’s execution is ephemeral. The packages present in the init container are still attack surface for the duration of the initialization.
Practical Steps for Helm Chart SBOM Implementation
Enumerate all container images in the Helm chart as the first step. Before generating SBOMs, create a complete list of every image reference in the chart: primary containers, sidecar containers, init containers, and conditionally-deployed containers. This inventory is the scope of the chart-level SBOM.
Automate image discovery from Helm chart templates. Helm charts use Go templates that make static analysis of image references non-trivial. Use helm template to render the chart with representative values and extract image references from the rendered output. This automation handles conditional image references that static template analysis would miss.
Generate SBOMs for each image at chart build time, not at deployment time. Chart-level SBOMs should be generated when the chart is packaged, not when it’s deployed. Deployment-time SBOM generation introduces latency and doesn’t support pre-deployment security assessment.
Track chart-level CVE counts separately from primary-image CVE counts. A chart that has a clean primary image with 5 CVEs but a sidecar with 150 CVEs has a CVE problem that image-level tracking misses. Track CVE counts at the chart level—all images combined—as the relevant metric for deployment security posture.
Include Helm chart version in SBOM metadata. Chart versions change independently of image versions. An SBOM that doesn’t capture the chart version cannot be used to reconstruct the exact deployment state for incident response. Include chart version, values file reference, and deployment timestamp in chart-level SBOM metadata.
Frequently Asked Questions
Why is image scanning alone insufficient for Helm chart SBOM coverage?
A Helm chart typically deploys multiple containers—including sidecar containers, init containers, and background job workers—alongside the primary application image. Image scanning of only the primary image leaves those additional containers unscanned, meaning CVEs in sidecar dependencies are invisible to the security assessment. A chart-level SBOM must cover every image reference in the chart to provide complete vulnerability visibility.
What does a complete SBOM for a Kubernetes Helm chart need to include?
A complete SBOM for a Helm chart must enumerate all container images in the release—primary containers, sidecars, init containers, and conditionally-deployed containers—and generate per-image SBOMs that are aggregated into a chart-level inventory. The metadata should also capture the Helm chart version, the values file used for rendering, and the deployment timestamp, so the SBOM can support incident response and deployment reconstruction.
How do you generate SBOMs for all images in a Helm chart automatically?
The practical approach is a pipeline step that runs helm template with production values to render the chart fully, extracts all image references from the rendered output (capturing conditional references that static template analysis would miss), generates SBOMs for each image, and then aggregates those image-level SBOMs into a chart-level inventory. This process should run at chart packaging time, not at deployment time, to enable pre-deployment security assessment.
What CVE risks do sidecar containers in Helm charts typically introduce?
Sidecar containers—used for logging, service mesh proxies, metrics collection, or secrets injection—often run third-party images that are updated on a different cadence than the primary application. Organizations that have implemented chart-level SBOM generation commonly find that sidecars carry significantly more CVEs than the primary application image, because they were never included in prior image-scanning workflows. Tracking CVE counts at the chart level rather than the primary-image level exposes this hidden exposure.
The Current State of Tooling
Helm chart SBOM tooling is less mature than container image SBOM tooling. Tools like Syft and Trivy generate image-level SBOMs. Chart-level aggregation requires additional process or custom tooling.
The practical approach for most organizations is a pipeline step that:
- Renders the Helm chart with production values using helm template
- Extracts all image references from the rendered output
- Generates SBOMs for each image
- Aggregates image SBOMs into a chart-level inventory
This pipeline step can be implemented with existing tools—it’s integration work, not new capability development.
Organizations that have built chart-level SBOM generation describe the same initial finding: charts that appeared clean at the primary image level had significant CVE exposure in sidecar containers that had never been scanned. The SBOM completeness improvement revealed risk that was invisible to image-only scanning.
That visibility is the argument for building chart-level SBOM generation into your release engineering process. The sidecar containers you’re not scanning are part of what you’ve deployed.