- Task
- Resolution: Done
- Major
During the task of enabling Orchestrator by default in the RHDH chart, a Snyk Infrastructure-as-Code scan was performed.
The scan reported multiple low and medium-severity issues related to missing Kubernetes best practices (e.g., securityContext settings, resource limits, imagePullPolicy).
Scope:
- Review Snyk findings in charts/backstage templates.
- Apply secure-by-default configurations.
- Validate Helm rendering after changes.
- Validate chart deploys successfully.
How to:
# Clone repo and setup
git clone https://github.com/redhat-developer/rhdh-chart.git
cd rhdh-chart

# Ensure dependencies are installed
helm dependency build charts/backstage

# Render templates
helm template charts/backstage --output-dir output/backstage

# Render with Orchestrator enabled
helm template charts/backstage --set orchestrator.enabled=true --output-dir output/backstage-orchestrator

# Run Snyk IaC scan
snyk iac test output/backstage

# Make sure you are logged into the Snyk CLI, or export your SNYK_TOKEN
export SNYK_TOKEN=your_token_here

...and resolve the reported severities.
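The kinds of findings this task is about (missing securityContext settings, resource limits, imagePullPolicy) can be re-checked on the rendered output before re-running Snyk. The following is an added example, not code from rhdh-chart or Snyk: it walks manifests as Python dicts (what parsing `helm template` output with a YAML loader would give) and reports the gaps; the Job names and image are constructed placeholders.

```python
# Added example, not code from rhdh-chart: a minimal checker for the settings the
# Snyk IaC scan in this task flags. Manifest dicts are constructed stand-ins for
# parsed `helm template` output (what yaml.safe_load_all would give you).

def check_pod_spec(pod_spec):
    """Return human-readable findings for one pod template spec."""
    findings = []
    if pod_spec.get("securityContext", {}).get("runAsNonRoot") is not True:
        findings.append("pod: securityContext.runAsNonRoot is not true")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        limits = c.get("resources", {}).get("limits", {})
        findings += [f"{name}: resources.limits.{r} missing" for r in ("cpu", "memory") if r not in limits]
        if c.get("imagePullPolicy") != "Always":
            findings.append(f"{name}: imagePullPolicy is not Always")
    return findings

def pod_specs(manifest):
    """Pod template spec(s) of the workload kinds a chart renders; [] for others."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "CronJob":  # pod template sits one level deeper
        kind, spec = "Job", spec.get("jobTemplate", {}).get("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return [spec.get("template", {}).get("spec", {})]
    return []

def scan(manifests):
    """Map 'Kind/name' -> findings for every manifest that has any."""
    results = {}
    for m in manifests:
        found = [f for ps in pod_specs(m) for f in check_pod_spec(ps)]
        if found:
            results[f"{m['kind']}/{m['metadata']['name']}"] = found
    return results

# Constructed sample: a DB-creation Job before hardening, and the same Job with secure-by-default settings.
WEAK_JOB = {"kind": "Job", "metadata": {"name": "example-db-create"}, "spec": {"template": {
    "spec": {"containers": [{"name": "db-create", "image": "example.invalid/db-init:1.0"}]}}}}
HARDENED_JOB = {"kind": "Job", "metadata": {"name": "example-db-create"}, "spec": {"template": {
    "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
        "name": "db-create", "image": "example.invalid/db-init:1.0", "imagePullPolicy": "Always",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
```

Running `scan` over every document in `output/backstage` gives a quick local list of what Snyk will flag, so template fixes can be iterated before the full scan.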
Acceptance Criteria:
- All high, medium, and low severity Snyk IaC issues are addressed where reasonable.
- Templates include recommended Kubernetes security best practices.
- Helm chart continues to render and deploy successfully.
- Snyk IaC scan returns no new critical or high severity issues.
- PR is created with fixes and linked to this JIRA.
Is related to: RHDHBUGS-1075 [Helm] Fix the images used by the Orchestrator DB creation Job (Closed)