# Marketplace, Actions, Images, Helm, and Public Component Review

> **Intro:** The core review question is simple: what does this component get to read, write, or execute once we adopt it?
>
> **What this page includes**
>
> * how to review public actions, container images, Helm charts, and shared components
> * supply-chain questions that matter to engineers
> * what to pin, mirror, or vendor
> * what to log and monitor after adoption

## Review checklist

* Who maintains it, and is that ownership credible?
* Is the version pinned or floating?
* Does it execute arbitrary scripts, network calls, or package installs?
* What secrets, tokens, or mounted volumes will it see?
* Can it change deployment outputs or only analyze inputs?

## Safer defaults

* pin versions or digests;
* prefer reviewed internal mirrors for high-value dependencies;
* separate read-only review jobs from deploy-capable jobs;
* keep untrusted public components away from the highest-privilege runners.
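An added example, not code from this page or from any project it names, covering the "pinned or floating?" checklist question and the "pin versions or digests" default above: a small Python checker that flags floating `uses:` references in a workflow and tag-only or untagged `image:` references in a rendered chart manifest. The workflow and manifest snippets, the commit SHA and the digest are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # full commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # image digest suffix
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^\s'\"#]+)")

def check_action(ref):
    """Finding for a `uses:` reference, or None when it is immutably pinned."""
    if ref.startswith("./"):
        return None  # local action: lives in this repo and is reviewed with it
    if ref.startswith("docker://"):
        return check_image(ref[len("docker://"):])
    if "@" not in ref:
        return f"{ref}: no ref given (resolves to the default branch)"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return None  # a full SHA cannot be moved by the maintainer
    return f"{ref}: floating ref '{version}' (a tag or branch can be moved)"

def check_image(image):
    if DIGEST_RE.search(image):
        return None  # a digest identifies exact content; a tag does not
    if ":" not in image.rsplit("/", 1)[-1]:
        return f"{image}: no tag (implicit :latest)"
    return f"{image}: tag-only reference, not pinned by digest"

def scan(text):
    # Collect findings for every uses:/image: line of a YAML document.
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        finding = check_action(m.group(1)) if m else None
        if not m:
            m = IMAGE_RE.match(line)
            finding = check_image(m.group(1)) if m else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample inputs; the SHA and digest are placeholders, not real ones.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local-lint
  - uses: docker://alpine:3.19
"""
MANIFEST = f"""\
containers:
  - image: registry.example.internal/app:1.4.2
  - image: ghcr.io/example/sidecar@sha256:{'ab' * 32}
"""
```

Running `scan` over both samples reports the `@v4` action, the `docker://alpine:3.19` step and the `app:1.4.2` image as floating; the SHA-pinned action, the local action and the digest-pinned sidecar pass.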

## Helm and image specifics

Review charts for privileged pods, host path mounts, service account assumptions, ingress defaults, and hidden sidecars. Review images for update cadence, provenance, whether they run as root, package sprawl, and default entrypoint behavior.

## Related pages

* [Trusted Images, Harbor, and Signing](/cloud-kubernetes-and-infrastructure-security/index-1/trusted-images-harbor-and-signing.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
