Panwar, Ajay (2025) Pre-Deployment CIS Risk Assessment and Mitigation for Helm Charts Using AI. Masters thesis, Dublin, National College of Ireland.
Abstract
The widespread adoption of Kubernetes and Helm charts has accelerated application deployment but introduced significant security risks from misconfigurations that violate Center for Internet Security (CIS) Benchmarks. Given that existing scanners overwhelm developers with unprioritized alerts and lack CIS-specific risk scoring, there is a clear need for a proactive, pre-deployment assessment. This paper presents a novel, lightweight, rule-based AI framework that parses rendered Helm templates to analyze Kubernetes manifests against 25 CIS controls. A custom risk model quantifies non-compliance with weighted severity scoring to generate actionable risk scores (0–100) and precise remediation guidance. Empirical validation on 25 popular Helm charts demonstrated a 96% remediation success rate, reduced aggregate risk from 750 to 35 points (95% reduction), and an average processing time of 0.025 seconds per chart. Comparative evaluation with Kube-Linter and post-deployment checks via Kube-bench confirmed the framework’s practical applicability. Across the 25 charts tested, Kube-bench failures dropped 64% (from 312 to 112) following our pre-deployment fixes. In practice, this shift-left paradigm empowers developers to address misconfigurations before production, reducing potential security incidents. Remaining challenges include extending rule coverage to network policies and improving runtime context awareness.
| Item Type: | Thesis (Masters) |
|---|---|
| Supervisors: | Sahni, Vikas (email: UNSPECIFIED) |
| Subjects: | Q Science > QH Natural history > QH301 Biology > Methods of research. Technique. Experimental biology > Data processing. Bioinformatics > Artificial intelligence; Q Science > Q Science (General) > Self-organizing systems. Conscious automata > Artificial intelligence; T Technology > T Technology (General) > Information Technology > Cloud computing; Q Science > QA Mathematics > Computer software > Computer Security; T Technology > T Technology (General) > Information Technology > Computer software > Computer Security |
| Divisions: | School of Computing > Master of Science in Cloud Computing |
| Depositing User: | Ciara O'Brien |
| Date Deposited: | 30 Mar 2026 13:05 |
| Last Modified: | 30 Mar 2026 13:05 |
| URI: | https://norma.ncirl.ie/id/eprint/9251 |