{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T18:35:02Z","timestamp":1771698902014,"version":"3.50.1"},"reference-count":39,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T00:00:00Z","timestamp":1751587200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T00:00:00Z","timestamp":1751587200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["101120393"],"award-info":[{"award-number":["101120393"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003246","name":"Dutch Research Council","doi-asserted-by":"crossref","award":["NWA-1215.18.006"],"award-info":[{"award-number":["NWA-1215.18.006"]}],"id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100003246","name":"Nederlandse Organisatie voor Wetenschappelijk Onderzoek","doi-asserted-by":"publisher","award":["KICH1.VE01.20.004"],"award-info":[{"award-number":["KICH1.VE01.20.004"]}],"id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,9]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Helm is a package manager that allows defining, installing, and upgrading applications with Kubernetes (K8s), a popular container orchestration platform. 
A Helm chart is a collection of files describing all dependencies, resources, and parameters required for deploying an application within a K8s cluster. This study aimed to mine and empirically evaluate the security of Helm charts, comparing the performance of existing tools in terms of misconfigurations reported by policies available by default, and measuring to what extent LLMs could be used for removing misconfigurations. For these reasons, we proposed a pipeline to mine Helm charts from Artifact Hub, a popular centralized repository, and analyze them using state-of-the-art open-source tools like Checkov and KICS. First, the pipeline runs several chart analyzers and identifies the common and unique misconfigurations reported by each tool. Secondly, it uses LLMs to suggest a mitigation for each misconfiguration. Finally, the LLM refactored chart previously generated is analyzed again by the same tools to see whether it satisfies the tool\u2019s policies. We also performed a manual analysis on a subset of charts to evaluate whether there are false positive misconfigurations from the tool\u2019s reporting and in the LLM refactoring. 
We found that (i) there is a significant difference between LLMs, (ii) providing a snippet of the YAML template as input might be insufficient compared to all resources, and (iii) even though LLMs can generate correct fixes, they may also delete other irrelevant configurations that break the application.<\/jats:p>","DOI":"10.1007\/s10664-025-10688-0","type":"journal-article","created":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T04:21:03Z","timestamp":1751602863000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Analyzing and mitigating (with LLMs) the security misconfigurations of Helm charts from Artifact Hub"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3018-044X","authenticated-orcid":false,"given":"Francesco","family":"Minna","sequence":"first","affiliation":[]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[]},{"given":"Katja","family":"Tuma","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,4]]},"reference":[{"key":"10688_CR1","unstructured":"Anthropic (2024) Claude 3 Sonnet. https:\/\/aws.amazon.com\/bedrock\/claude\/"},{"key":"10688_CR2","unstructured":"Armo (2024) Kubescape. https:\/\/www.armosec.io\/kubescape\/"},{"key":"10688_CR3","doi-asserted-by":"publisher","first-page":"8","DOI":"10.58496\/MJCSC\/2023\/002","volume":"2023","author":"S Biswas","year":"2023","unstructured":"Biswas S (2023) Role of chatgpt in computer programming: Chatgpt in computer programming. Mesopotam J Comput Sci 2023:8\u201316. https:\/\/doi.org\/10.58496\/MJCSC\/2023\/002","journal-title":"Mesopotam J Comput Sci"},{"key":"10688_CR4","doi-asserted-by":"publisher","unstructured":"Blaise A, Rebecchi F (2022) Stay at the helm: secure kubernetes deployments via graph generation and attack reconstruction. In: 2022 CLOUD. IEEE, Barcelona, pp 59\u201369. 
https:\/\/doi.org\/10.1109\/CLOUD55607.2022.00022","DOI":"10.1109\/CLOUD55607.2022.00022"},{"key":"10688_CR5","doi-asserted-by":"publisher","unstructured":"Bose DB, Rahman A, Shamim SI (2021) Under-reported security defects in kubernetes manifests. In: 2021 EnCyCriS. IEEE\/ACM, Madrid, pp 9\u201312. https:\/\/doi.org\/10.1109\/EnCyCriS52570.2021.00009","DOI":"10.1109\/EnCyCriS52570.2021.00009"},{"key":"10688_CR6","unstructured":"Checkmarx (2024) KICS. https:\/\/kics.io"},{"key":"10688_CR7","unstructured":"Cloud Native Computing Foundation (2022) CNCF 2022 Annual Survey. https:\/\/www.cncf.io\/reports\/cncf-annual-survey-2022\/"},{"key":"10688_CR8","unstructured":"Datree (2024) Datree. https:\/\/www.datree.io"},{"key":"10688_CR9","unstructured":"Fairwinds (2024) Polaris. https:\/\/www.fairwinds.com\/polaris"},{"key":"10688_CR10","doi-asserted-by":"crossref","unstructured":"Fan A, Gokkaya B, Harman M, Lyubarskiy M, Sengupta S, Yoo S, Zhang JM (2023) Large language models for software engineering: survey and open problems","DOI":"10.1109\/ICSE-FoSE59343.2023.00008"},{"key":"10688_CR11","doi-asserted-by":"publisher","unstructured":"Fu M, Tantithamthavorn C, Le T, Nguyen V, Phung D (2022) Vulrepair: a t5-based automated software vulnerability repair. In: ACM joint european software engineering conference and symposium on the foundations of software engineering (ESEC\/FSE) 2022. Association for Computing Machinery, New York, NY, USA, pp 935\u2013947. https:\/\/doi.org\/10.1145\/3540250.3549098","DOI":"10.1145\/3540250.3549098"},{"key":"10688_CR12","unstructured":"Google (2024) Gemini - chat based AI tool from Google. 
https:\/\/gemini.google.com"},{"key":"10688_CR13","unstructured":"Hansson E, Ellreus O (2023) Code correctness and quality in the era of AI code generation: examining ChatGPT and GitHub copilot"},{"key":"10688_CR14","unstructured":"Huang L, Yu W, Ma W, Zhong W, Feng Z, Wang H, Chen Q, Peng W, Feng X, Qin B, Liu T (2023) A survey on hallucination in large language models: principles. Challenges, and Open Questions, Taxonomy"},{"key":"10688_CR15","doi-asserted-by":"publisher","unstructured":"Islam\u00a0Shamim MS, Ahamed\u00a0Bhuiyan F, Rahman A (2020) Xi commandments of kubernetes security: a systematization of knowledge related to kubernetes security practices. In: 2020 SecDev. IEEE, Virtual, pp 58\u201364. https:\/\/doi.org\/10.1109\/SecDev45635.2020.00025","DOI":"10.1109\/SecDev45635.2020.00025"},{"key":"10688_CR16","unstructured":"Johnson M (2021) Top trends from analyzing the security posture of open-source Helm charts. Technical report, Bridgecrew. https:\/\/bridgecrew.io\/blog\/open-source-helm-security-research\/"},{"key":"10688_CR17","unstructured":"Kubernetes (2024) Kubernetes Documentation. https:\/\/kubernetes.io\/docs\/home\/"},{"key":"10688_CR18","unstructured":"Meta (2024) Llama 3.1-70b. https:\/\/aws.amazon.com\/bedrock\/llama\/?sec=bcomfai&pos=5"},{"key":"10688_CR19","doi-asserted-by":"publisher","first-page":"103119","DOI":"10.1016\/j.cose.2023.103119","volume":"127","author":"F Minna","year":"2024","unstructured":"Minna F, Massacci F (2024) Sok: run-time security for cloud microservices. Are we there yet? Comput Secur 127:103119. https:\/\/doi.org\/10.1016\/j.cose.2023.103119","journal-title":"Comput Secur"},{"key":"10688_CR20","doi-asserted-by":"crossref","unstructured":"Minna F, Massacci F, Tuma K (2024) Analyzing and Mitigating (with LLMs) the security misconfigurations of helm charts from artifact hub. https:\/\/arxiv.org\/abs\/2403.09537","DOI":"10.1007\/s10664-025-10688-0"},{"key":"10688_CR21","unstructured":"NIST (2024) Confidence intervals. 
https:\/\/www.itl.nist.gov\/div898\/handbook\/prc\/section2\/prc241.htm"},{"key":"10688_CR22","unstructured":"OpenAI (2024) ChatGPT 4o-mini. https:\/\/platform.openai.com\/docs\/models\/gpt-4o-mini"},{"key":"10688_CR23","doi-asserted-by":"publisher","unstructured":"Pearce H, Ahmad B, Tan B, Dolan-Gavitt B, Karri R (2022) Asleep at the keyboard? assessing the security of github copilot\u2019s code contributions. In: Symposium on security and privacy (SP). IEEE, San Francisco, pp 754\u2013768. https:\/\/doi.org\/10.1109\/SP46214.2022.9833571","DOI":"10.1109\/SP46214.2022.9833571"},{"key":"10688_CR24","doi-asserted-by":"crossref","unstructured":"Pinconschi E, Bui Q-C, Abreu R, Ad\u00e3o P, Scandariato R (2022) Maestro: a platform for benchmarking automatic program repair tools on software vulnerabilities. In: 2022 International symposium on software testing and analysis (ISSTA). ACM, New York, NY, USA, pp 789\u2013792. https:\/\/doi.org\/10.1145\/3533767.3543291","DOI":"10.1145\/3533767.3543291"},{"key":"10688_CR25","unstructured":"PrismaCloud (2024) Checkov. https:\/\/www.checkov.io"},{"key":"10688_CR26","doi-asserted-by":"publisher","unstructured":"Rahman A (2018) Characteristics of defective infrastructure as code scripts in devops. In: 2018 IEEE\/ACM international conference on software engineering (ICSE). ACM, New York, NY, USA, pp 476\u2013479. https:\/\/doi.org\/10.1145\/3183440.3183452","DOI":"10.1145\/3183440.3183452"},{"issue":"3","key":"10688_CR27","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1109\/MSEC.2021.3065190","volume":"19","author":"A Rahman","year":"2021","unstructured":"Rahman A, Williams L (2021) Different kind of smells: security smells in infrastructure as code scripts. IEEE Symp Secur Priv (SP) 19(3):33\u201341. 
https:\/\/doi.org\/10.1109\/MSEC.2021.3065190","journal-title":"IEEE Symp Secur Priv (SP)"},{"key":"10688_CR28","doi-asserted-by":"publisher","unstructured":"Rahman A, Parnin C, Williams L (2019) The seven sins: security smells in infrastructure as code scripts. In: 2019 IEEE\/ACM international conference on software engineering (ICSE). IEEE, Montreal, pp 164\u2013175. https:\/\/doi.org\/10.1109\/ICSE.2019.00033","DOI":"10.1109\/ICSE.2019.00033"},{"key":"10688_CR29","doi-asserted-by":"publisher","unstructured":"Rahman A, Shamim SI, Bose DB, Pandita R (2024) Security misconfigurations in open source kubernetes manifests: an empirical study. ACM Trans Softw Eng Methodol 33(1). https:\/\/doi.org\/10.1145\/3579639","DOI":"10.1145\/3579639"},{"key":"10688_CR30","doi-asserted-by":"publisher","unstructured":"Rahman A, Stallings J, Williams L (2018) Defect prediction metrics for infrastructure as code scripts in devops. In: 2018 IEEE\/ACM international conference on software engineering (ICSE). Association for Computing Machinery, New York, NY, USA, pp 414\u2013415. https:\/\/doi.org\/10.1145\/3183440.3195034","DOI":"10.1145\/3183440.3195034"},{"key":"10688_CR31","unstructured":"Sandoval G, Pearce H, Nys T, Karri R, Garg S, Dolan-Gavitt B (2024) Lost at c: a user study on the security implications of large language model code assistants. In: 32nd USENIX security symposium (USENIX Security 23). USENIX Association, Anaheim, CA, pp 2205\u20132222. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/sandoval"},{"key":"10688_CR32","unstructured":"Shopify (2024) Kubeaudit. https:\/\/github.com\/Shopify\/kubeaudit"},{"key":"10688_CR33","unstructured":"Snyk (2024) AI code, security, and trust in modern development. https:\/\/snyk.io\/de\/reports\/ai-code-security\/"},{"key":"10688_CR34","doi-asserted-by":"publisher","unstructured":"Sokolowski D, Salvaneschi G(2023) Towards reliable infrastructure as code. 
In: 2023 IEEE 20th international conference on software architecture companion (ICSA-C). IEEE, Italy, pp 318\u2013321. https:\/\/doi.org\/10.1109\/ICSA-C57050.2023.00072","DOI":"10.1109\/ICSA-C57050.2023.00072"},{"key":"10688_CR35","unstructured":"StackRox (2024) KubeLinter. https:\/\/github.com\/stackrox\/kube-linter"},{"key":"10688_CR36","unstructured":"Tenable (2024) Terrascan. https:\/\/runterrascan.io"},{"key":"10688_CR37","unstructured":"The Linux Foundation (2024) Artifact Hub. https:\/\/artifacthub.io"},{"key":"10688_CR38","doi-asserted-by":"publisher","unstructured":"Tjiong EL, Mechtaev S, Dirgantara HB (2022) Use of general repair tool for fixing security vulnerabilities. In: 2022 IEEE information technology research and innovation (ICITRI). IEEE, pp 135\u2013140. https:\/\/doi.org\/10.1109\/ICITRI56423.2022.9970223","DOI":"10.1109\/ICITRI56423.2022.9970223"},{"key":"10688_CR39","volume-title":"ChatGPT prompt patterns for improving code quality","author":"J White","year":"2023","unstructured":"White J, Hays S, Fu Q, Spencer-Smith J, Schmidt DC (2023) ChatGPT prompt patterns for improving code quality. 
Requirements Elicitation, and Software Design, Refactoring"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10688-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10688-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10688-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,13]],"date-time":"2025-09-13T08:55:49Z","timestamp":1757753749000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10688-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,4]]},"references-count":39,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,9]]}},"alternative-id":["10688"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10688-0","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,4]]},"assertion":[{"value":"10 June 2025","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 July 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The research did not involve human participants nor animals.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical Approval"}},{"value":"The research did not involve human participants nor animals.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed Consent"}},{"value":"The authors declared that they have no conflict of interest.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of Interest"}}],"article-number":"132"}}