{"id":13533206,"url":"https://github.com/Shopify/kubeaudit","last_synced_at":"2025-04-01T21:31:56.818Z","repository":{"id":37773916,"uuid":"103579225","full_name":"Shopify/kubeaudit","owner":"Shopify","description":"kubeaudit helps you audit your Kubernetes clusters against common security controls","archived":true,"fork":false,"pushed_at":"2024-08-21T18:48:27.000Z","size":13564,"stargazers_count":1914,"open_issues_count":48,"forks_count":188,"subscribers_count":423,"default_branch":"main","last_synced_at":"2025-03-25T03:34:24.907Z","etag":null,"topics":["audit","computers","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Shopify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":"auditors/all/all.go","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-14T20:37:55.000Z","updated_at":"2025-03-21T14:44:11.000Z","dependencies_parsed_at":"2024-03-12T11:56:56.956Z","dependency_job_id":"f40bb7db-41e3-4a08-9825-2c18164fdc3e","html_url":"https://github.com/Shopify/kubeaudit","commit_stats":{"total_commits":274,"total_committers":54,"mean_commits":5.074074074074074,"dds":0.8467153284671532,"last_synced_commit":"7e8696a627ed647651d79ccfd75c089a32fa8b18"},"previous_names":[],"tags_count":42,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fkubeaudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fkubeaudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fkub
eaudit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shopify%2Fkubeaudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shopify","download_url":"https://codeload.github.com/Shopify/kubeaudit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246713268,"owners_count":20821864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","computers","kubernetes"],"created_at":"2024-08-01T07:01:17.567Z","updated_at":"2025-04-01T21:31:55.700Z","avatar_url":"https://github.com/Shopify.png","language":"Go","readme":"[![Build Status](https://github.com/Shopify/kubeaudit/actions/workflows/ci.yml/badge.svg)](https://github.com/Shopify/kubeaudit/actions)\n[![Go Report Card](https://goreportcard.com/badge/github.com/Shopify/kubeaudit)](https://goreportcard.com/report/github.com/Shopify/kubeaudit)\n[![GoDoc](https://godoc.org/github.com/Shopify/kubeaudit?status.png)](https://godoc.org/github.com/Shopify/kubeaudit)\n\n\u003e It is now a requirement for clusters to run Kubernetes \u003e=1.19.\n\n\u003e override labels with unregistered `kubernetes.io` annotations will be deprecated. It'll soon be a requirement to use `kubeaudit.io` instead.\nRefer to this [discussion](https://github.com/Shopify/kubeaudit/issues/457) for additional context.\n\n# 🚨 Deprecation Notice 🚨\n\nKubeaudit is planned for deprecation by October 2024.\n\nWe are actively seeking maintainers who are interested in taking over the stewardship of this project. 
If you are passionate about continuing its development and maintenance, please reach out to us.\n\nFor users looking for alternatives, we recommend transitioning to Kubebench ([kube-bench](https://github.com/aquasecurity/kube-bench), which checks clusters against the CIS Kubernetes Benchmark), which offers similar functionality and is actively maintained.\n\nThank you to the community for your contributions and support.\n\n# kubeaudit :cloud: :lock: :muscle:\n\n`kubeaudit` is a command line tool and a Go package to audit Kubernetes clusters for various security concerns, such as:\n* run as non-root\n* use a read-only root filesystem\n* drop scary capabilities, don't add new ones\n* don't run privileged\n* and more!\n\n**tldr. `kubeaudit` makes sure you deploy secure containers!**\n\n## Package\nTo use kubeaudit as a Go package, see the [package docs](https://pkg.go.dev/github.com/Shopify/kubeaudit).\n\nThe rest of this README will focus on how to use kubeaudit as a command line tool.\n\n## Command Line Interface (CLI)\n\n* [Installation](#installation)\n* [Quick Start](#quick-start)\n* [Audit Results](#audit-results)\n* [Commands](#commands)\n* [Configuration File](#configuration-file)\n* [Override Errors](#override-errors)\n* [Contributing](#contributing)\n\n## Installation\n\n### Brew\n\n```\nbrew install kubeaudit\n```\n\n### Download a binary\n\nKubeaudit has official releases that are blessed and stable:\n[Official releases](https://github.com/Shopify/kubeaudit/releases)\n\n### DIY build\n\nMain may have newer features than the stable releases. 
If you need a newer feature not yet included in a release, make sure you're using a current Go toolchain and run the following (since Go 1.18 `go get` no longer builds binaries, so use `go install` with a version suffix):\n\n```sh\ngo install github.com/Shopify/kubeaudit@latest\n```\n\nStart using `kubeaudit` with the [Quick Start](#quick-start) or view all the [supported commands](#commands).\n\n### Kubectl Plugin\n\nPrerequisite: kubectl v1.12.0 or later\n\nWith kubectl v1.12.0 introducing [easy pluggability](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) of external functions, kubeaudit can be invoked as `kubectl audit` by\n\n- running `make plugin` and having `$GOPATH/bin` available in your path.\n\nor\n\n- renaming the binary to `kubectl-audit` and having it available in your path.\n\n### Docker\n\nWe no longer release images to Docker Hub (since Docker Hub sunset Free Team organizations). For the time being, [old images](https://hub.docker.com/r/shopify/kubeaudit) are still available but are no longer rebuilt and may stop being available at any time. We will start publishing images to the GitHub Container Registry soon.\n\nTo run kubeaudit as a job in your cluster see [Running kubeaudit in a cluster](docs/cluster.md).\n\n## Quick Start\n\nkubeaudit has three modes:\n\n1. Manifest mode\n1. Local mode\n1. Cluster mode\n\n### Manifest Mode\n\nIf a Kubernetes manifest file is provided using the `-f/--manifest` flag, kubeaudit will audit the manifest file.\n\nExample command:\n```\nkubeaudit all -f \"/path/to/manifest.yml\"\n```\n\nExample output:\n```\n$ kubeaudit all -f \"internal/test/fixtures/all_resources/deployment-apps-v1.yml\"\n\n---------------- Results for ---------------\n\n  apiVersion: apps/v1\n  kind: Deployment\n  metadata:\n    name: deployment\n    namespace: deployment-apps-v1\n\n--------------------------------------------\n\n-- [error] AppArmorAnnotationMissing\n   Message: AppArmor annotation missing. 
The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.\n   Metadata:\n      Container: container\n      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container\n\n-- [error] AutomountServiceAccountTokenTrueAndDefaultSA\n   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.\n\n-- [error] CapabilityShouldDropAll\n   Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.\n   Metadata:\n      Container: container\n      Capability: AUDIT_WRITE\n...\n```\n\nIf no errors with a given minimum severity are found, the following is returned:\n\n```shell\nAll checks completed. 0 high-risk vulnerabilities found\n```\n\n#### Autofix\n\nManifest mode also supports autofixing all security issues using the `autofix` command:\n\n```\nkubeaudit autofix -f \"/path/to/manifest.yml\"\n```\n\nTo write the fixed manifest to a new file instead of modifying the source file, use the `-o/--output` flag.\n\n```\nkubeaudit autofix -f \"/path/to/manifest.yml\" -o \"/path/to/fixed\"\n```\n\nTo fix a manifest based on custom rules specified on a kubeaudit config file, use the `-k/--kconfig` flag.\n\n```\nkubeaudit autofix -k \"/path/to/kubeaudit-config.yml\" -f \"/path/to/manifest.yml\" -o \"/path/to/fixed\"\n```\n\n### Cluster Mode\n\nKubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:\n```\nkubeaudit all\n```\n\n### Local Mode\n\nKubeaudit will try to connect to a cluster using the local kubeconfig file (`$HOME/.kube/config`). A different kubeconfig location can be specified using the `--kubeconfig` flag. 
To select a kubeconfig context, use the `-c/--context` flag.\n```\nkubeaudit all --kubeconfig \"/path/to/config\" --context my_cluster\n```\n\nFor more information on kubeconfig files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/\n\n## Audit Results\n\nKubeaudit produces results with three levels of severity:\n\n- `Error`: A security issue or invalid Kubernetes configuration\n- `Warning`: A best practice recommendation\n- `Info`: Informational, no action required. This includes results that are [overridden](#override-errors)\n\nThe minimum severity level can be set using the `--minseverity/-m` flag (the default is `info`, so warnings and informational results are reported unless you raise it).\n\nBy default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the `--format json` flag. To output results as logs (the previous default) use `--format logrus`. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the `--no-color` flag.\n\nYou can generate a kubeaudit report in [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html) using the `--format sarif` flag. To write the SARIF results to a file, you can redirect the output with `\u003e`. For example:\n```\nkubeaudit all -f path-to-my-file.yaml --format=\"sarif\" \u003e example.sarif\n```\n\nIf there are results of severity level `error`, kubeaudit will exit with exit code 2. 
This can be changed using the `--exitcode/-e` flag.\n\nFor all the ways kubeaudit can be customized, see [Global Flags](#global-flags).\n\n## Commands\n\n| Command   | Description                                                               | Documentation           |\n| :-------- | :------------------------------------------------------------------------ | :---------------------- |\n| `all`     | Runs all available auditors, or those specified using a kubeaudit config. | [docs](docs/all.md)     |\n| `autofix` | Automatically fixes security issues.                                      | [docs](docs/autofix.md) |\n| `version` | Prints the current kubeaudit version.                                     |                         |\n\n### Auditors\n\nAuditors can also be run individually.\n\n| Command          | Description                                                                                                    | Documentation                           |\n| :--------------- | :------------------------------------------------------------------------------------------------------------- | :-------------------------------------- |\n| `apparmor`       | Finds containers running without AppArmor.                                                                     | [docs](docs/auditors/apparmor.md)       |\n| `asat`           | Finds pods using an automatically mounted default service account                                              | [docs](docs/auditors/asat.md)           |\n| `capabilities`   | Finds containers that do not drop the recommended capabilities or add new ones.                                | [docs](docs/auditors/capabilities.md)   |\n| `deprecatedapis` | Finds any resource defined with a deprecated API version.                                                      | [docs](docs/auditors/deprecatedapis.md) |\n| `hostns`         | Finds containers that have HostPID, HostIPC or HostNetwork enabled.                                            
| [docs](docs/auditors/hostns.md)         |\n| `image`          | Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. | [docs](docs/auditors/image.md)          |\n| `limits`         | Finds containers which exceed the specified CPU and memory limits or do not specify any.                       | [docs](docs/auditors/limits.md)         |\n| `mounts`         | Finds containers that have sensitive host paths mounted.                                                       | [docs](docs/auditors/mounts.md)         |\n| `netpols`        | Finds namespaces that do not have a default-deny network policy.                                               | [docs](docs/auditors/netpols.md)        |\n| `nonroot`        | Finds containers running as root.                                                                              | [docs](docs/auditors/nonroot.md)        |\n| `privesc`        | Finds containers that allow privilege escalation.                                                              | [docs](docs/auditors/privesc.md)        |\n| `privileged`     | Finds containers running as privileged.                                                                        | [docs](docs/auditors/privileged.md)     |\n| `rootfs`         | Finds containers which do not have a read-only filesystem.                                                     | [docs](docs/auditors/rootfs.md)         |\n| `seccomp`        | Finds containers running without Seccomp.                                                                      
| [docs](docs/auditors/seccomp.md)        |\n\n### Global Flags\n\n| Short | Long               | Description                                                                                                                                            |\n| :---- | :----------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- |\n|       | --format           | The output format to use (one of \"sarif\", \"pretty\", \"logrus\", \"json\") (default is \"pretty\")                                                                     |\n|       | --kubeconfig       | Path to local Kubernetes config file. Only used in local mode (default is `$HOME/.kube/config`)                                                        |\n| -c    | --context          | The name of the kubeconfig context to use                                                                                                              |\n| -f    | --manifest         | Path to the yaml configuration to audit. Only used in manifest mode. You may use `-` to read from stdin.                                               |\n| -n    | --namespace        | Only audit resources in the specified namespace. Not currently supported in manifest mode.                                                             |\n| -g    | --includegenerated | Include generated resources in scan  (such as Pods generated by deployments). If you would like kubeaudit to produce results for generated resources (for example if you have custom resources or want to catch orphaned resources where the owner resource no longer exists) you can use this flag. 
|\n| -m    | --minseverity      | Set the lowest severity level to report (one of \"error\", \"warning\", \"info\") (default is \"info\")                                                           |\n| -e    | --exitcode         | Exit code to use if there are results with severity of \"error\". Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) |\n|       | --no-color         | Don't use colors in the output (default is false) |\n\n## Configuration File\n\nThe kubeaudit config can be used for two things:\n\n1. Enabling only some auditors\n1. Specifying configuration for auditors\n\nAny configuration that can be specified using flags for the individual auditors can be represented using the config.\n\nThe config has the following format:\n\n```yaml\nenabledAuditors:\n  # Auditors are enabled by default if they are not explicitly set to \"false\"\n  apparmor: false\n  asat: false\n  capabilities: true\n  deprecatedapis: true\n  hostns: true\n  image: true\n  limits: true\n  mounts: true\n  netpols: true\n  nonroot: true\n  privesc: true\n  privileged: true\n  rootfs: true\n  seccomp: true\nauditors:\n  capabilities:\n    # add capabilities needed to the add list, so kubeaudit won't report errors\n    allowAddList: ['AUDIT_WRITE', 'CHOWN']\n  deprecatedapis:\n    # If no versions are specified and the 'deprecatedapis' auditor is enabled, WARN\n    # results will be generated for the resources defined with a deprecated API.\n    currentVersion: '1.22'\n    targetedVersion: '1.25'\n  image:\n    # If no image is specified and the 'image' auditor is enabled, WARN results\n    # will be generated for containers which use an image without a tag\n    image: 'myimage:mytag'\n  limits:\n    # If no limits are specified and the 'limits' auditor is enabled, WARN results\n    # will be generated for containers which have no cpu or memory limits specified.\n    # Memory takes the usual Kubernetes quantity suffixes (Mi, Gi); a bare 'm'\n    # suffix would mean millibytes, so '500m' is almost certainly not what you want.\n    cpu: '750m'\n    memory: '500Mi'\n```\n\nFor more details about each auditor, 
including a description of the auditor-specific configuration in the config, see the [Auditor Docs](#auditors).\n\n**Note**: The kubeaudit config is not the same as the kubeconfig file specified with the `--kubeconfig` flag, which refers to the Kubernetes config file (see [Local Mode](/README.md#local-mode)). Also note that only the `all` and `autofix` commands support using a kubeaudit config. It will not work with other commands.\n\n**Note**: If flags are used in combination with the config file, flags will take precedence.\n\n## Override Errors\n\nSecurity issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce `info` results instead of `error` results and the audit result name will have `Allowed` appended to it. The labels are documented in each auditor's documentation, but the general format for auditors that support overrides is as follows:\n\nAn override label consists of a `key` and a `value`.\n\nThe `key` is a combination of the override type (container or pod) and an `override identifier` which is unique to each auditor (see the [docs](#auditors) for the specific auditor). The `key` can take one of two forms depending on the override type:\n\n1. **Container overrides**, which override the auditor for that specific container, are formatted as follows:\n\n```yaml\ncontainer.kubeaudit.io/[container name].[override identifier]\n```\n\n2. 
**Pod overrides**, which override the auditor for all containers within the pod, are formatted as follows:\n\n```yaml\nkubeaudit.io/[override identifier]\n```\n\nIf the `value` is set to a non-empty string, it will be displayed in the `info` result as the `OverrideReason`:\n\n```\n$ kubeaudit asat -f \"auditors/asat/fixtures/service-account-token-true-allowed.yml\"\n\n---------------- Results for ---------------\n\n  apiVersion: v1\n  kind: ReplicationController\n  metadata:\n    name: replicationcontroller\n    namespace: service-account-token-true-allowed\n\n--------------------------------------------\n\n-- [info] AutomountServiceAccountTokenTrueAndDefaultSAAllowed\n   Message: Audit result overridden: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.\n   Metadata:\n      OverrideReason: SomeReason\n```\n\nAs per the Kubernetes spec, `value` must be 63 characters or less and must be empty or begin and end with an alphanumeric character (`[a-z0-9A-Z]`) with dashes (`-`), underscores (`_`), dots (`.`), and alphanumerics between.\n\nMultiple override labels (for multiple auditors) can be added to the same resource.\n\nSee the specific [auditor docs](#auditors) for the auditor you wish to override for examples.\n\nTo learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\n\n## Contributing\n\nIf you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our [Code of Conduct](./CODE_OF_CONDUCT.md).\n\n1. Create your own fork!\n1. Get the source: `git clone https://github.com/Shopify/kubeaudit`\n1. Go to the source: `cd kubeaudit`\n1. Add your forked repo as a remote: `git remote add fork https://github.com/you-are-awesome/kubeaudit`\n1. Create your feature branch: `git checkout -b awesome-new-feature`\n1. Install [Kind](https://kind.sigs.k8s.io/#installation-and-usage)\n1. Run the tests to check that everything is working as expected: `USE_KIND=true make test` (to run tests without Kind: `make test`)\n1. Commit your changes: `git commit -am 'Adds awesome feature'`\n1. Push to the branch: `git push -u fork awesome-new-feature`\n1. Sign the [Contributor License Agreement](https://cla.shopify.com/)\n1. Submit a PR (all PRs must be labeled with :bug: (Bug fix), :sparkles: (New feature), :book: (Documentation update), or :warning: (Breaking changes))\n1. ???\n1. Profit\n\nNote that if you didn't sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says \"I've signed the CLA!\"!\n","funding_links":[],"categories":["Kubernetes","Audit","Repositories / Tools","Containers","Other Awesome Lists","Go","Open Source Projects","Tools","Security","Tools","Container and Kubernetes Security"],"sub_categories":["Defending","Kubernetes","Subdomain Takeover","Kubernetes Security","[Jenkins](#jenkins)","Kubernetes Audit"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShopify%2Fkubeaudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FShopify%2Fkubeaudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FShopify%2Fkubeaudit/lists"}
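The checks behind the Quick Start output and the auditor table in the README (privileged, allowPrivilegeEscalation, runAsNonRoot, read-only root filesystem, capabilities, host namespaces, default service-account token, image tags), shown as an added Go example that is not kubeaudit's own code: a stdlib-only auditor over a Pod manifest, run against a constructed weak manifest and its hardened counterpart. The `Pod` structs, the finding names, both manifests and the simplifications noted in the comments are this example's own; `slices.Contains` needs Go 1.21 or later.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Subset of the Pod schema these checks need (encoding/json only, no client-go). Pointer
// fields distinguish "unset" from "false": an unset allowPrivilegeEscalation defaults to true.
type SecurityContext struct {
	Privileged               *bool                          `json:"privileged"`
	AllowPrivilegeEscalation *bool                          `json:"allowPrivilegeEscalation"`
	RunAsNonRoot             *bool                          `json:"runAsNonRoot"`
	ReadOnlyRootFilesystem   *bool                          `json:"readOnlyRootFilesystem"`
	Capabilities             *struct{ Add, Drop []string } `json:"capabilities"`
}

type Pod struct {
	Spec struct {
		ServiceAccountName           string `json:"serviceAccountName"`
		AutomountServiceAccountToken *bool  `json:"automountServiceAccountToken"`
		HostNetwork                  bool   `json:"hostNetwork"`
		Containers                   []struct {
			Name            string           `json:"name"`
			Image           string           `json:"image"`
			SecurityContext *SecurityContext `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// Finding names are this example's own; kubeaudit's result names differ in places.
type Finding struct {
	Container string // empty for pod-level findings
	Check     string
}

func isTrue(b *bool) bool  { return b != nil && *b }
func isFalse(b *bool) bool { return b != nil && !*b }

// imagePinned reports whether the reference carries a digest or a tag other than "latest".
// A registry host may contain ':' (a port), so only the last path element is inspected.
func imagePinned(image string) bool {
	ref := image[strings.LastIndex(image, "/")+1:]
	_, tag, hasTag := strings.Cut(ref, ":")
	return strings.Contains(ref, "@") || (hasTag && tag != "" && tag != "latest")
}

// AuditPod runs the checks on a Pod manifest in JSON form. Simplification: pod-level
// securityContext inheritance, runAsUser and hostPID/hostIPC are not modelled.
func AuditPod(raw []byte) ([]Finding, error) {
	var pod Pod
	if err := json.Unmarshal(raw, &pod); err != nil {
		return nil, err
	}
	var out []Finding
	flag := func(cond bool, container, check string) {
		if cond {
			out = append(out, Finding{container, check})
		}
	}
	s := pod.Spec
	flag(s.HostNetwork, "", "HostNetworkTrue")
	// The token is mounted unless disabled; on the default SA every container gets API credentials.
	defaultSA := s.ServiceAccountName == "" || s.ServiceAccountName == "default"
	flag(defaultSA && !isFalse(s.AutomountServiceAccountToken), "", "AutomountServiceAccountTokenTrueAndDefaultSA")
	for _, c := range s.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		caps := sc.Capabilities
		flag(isTrue(sc.Privileged), c.Name, "PrivilegedTrue")
		flag(!isFalse(sc.AllowPrivilegeEscalation), c.Name, "AllowPrivilegeEscalationNotFalse")
		flag(!isTrue(sc.RunAsNonRoot), c.Name, "RunAsNonRootNotTrue")
		flag(!isTrue(sc.ReadOnlyRootFilesystem), c.Name, "ReadOnlyRootFilesystemNotTrue")
		flag(caps == nil || !slices.Contains(caps.Drop, "ALL"), c.Name, "CapabilityShouldDropAll")
		flag(caps != nil && len(caps.Add) > 0, c.Name, "CapabilityAdded")
		flag(!imagePinned(c.Image), c.Name, "ImageTagMissing")
	}
	return out, nil
}

// Constructed sample manifests (JSON form of a Pod), not taken from the kubeaudit repo.
const WeakPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web"},"spec":{"hostNetwork":true,
 "containers":[{"name":"app","image":"example.com/app","securityContext":{"privileged":true,"capabilities":{"add":["NET_ADMIN"]}}}]}}`

const HardenedPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web"},"spec":{"serviceAccountName":"web",
 "automountServiceAccountToken":false,"containers":[{"name":"app","image":"example.com/app:1.4.2","securityContext":
 {"privileged":false,"allowPrivilegeEscalation":false,"runAsNonRoot":true,"readOnlyRootFilesystem":true,"capabilities":{"drop":["ALL"]}}}]}}`

func main() {
	for _, m := range []string{WeakPod, HardenedPod} {
		findings, err := AuditPod([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

The weak manifest yields nine findings and the hardened one none; the hardened version is what `kubeaudit autofix` is aiming for. Note that `allowPrivilegeEscalation` must be explicitly `false` to pass: the pointer types are what make "unset" detectable, and an unset value defaults to true on a real cluster.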
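The override-label format from the Override Errors section, as an added Go example that is not kubeaudit's code: it parses `container.kubeaudit.io/[container name].[override identifier]` and `kubeaudit.io/[override identifier]` keys, enforces the Kubernetes label-value rules the README quotes, and resolves which override applies to a given container. The sample labels and the identifier strings in them are constructed placeholders; the real identifier for each auditor is listed in that auditor's docs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Label prefixes from the README's override format. The override identifiers in the
// sample data below are placeholders; the real identifier for each auditor is in its docs.
const (
	podPrefix       = "kubeaudit.io/"
	containerPrefix = "container.kubeaudit.io/"
)

// Kubernetes label-value syntax: empty, or at most 63 characters that start and end
// with an alphanumeric and use only [-_.A-Za-z0-9] in between.
var labelValueRe = regexp.MustCompile(`^([A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?)?$`)

func ValidLabelValue(v string) bool { return labelValueRe.MatchString(v) }

// Override is one parsed kubeaudit.io label.
type Override struct {
	Scope      string // "pod" or "container"
	Container  string // empty for pod scope
	Identifier string
	Reason     string // the label value, which kubeaudit reports as OverrideReason
}

// ParseOverrides extracts every override label on a resource and rejects keys and
// values the API server would not accept. Container names are DNS labels and cannot
// contain '.', so the first '.' after the prefix separates name from identifier.
func ParseOverrides(labels map[string]string) ([]Override, error) {
	var out []Override
	for k, v := range labels {
		var o Override
		switch {
		case strings.HasPrefix(k, containerPrefix):
			name, id, ok := strings.Cut(strings.TrimPrefix(k, containerPrefix), ".")
			if !ok || name == "" || id == "" {
				return nil, fmt.Errorf("malformed container override key %q", k)
			}
			o = Override{Scope: "container", Container: name, Identifier: id}
		case strings.HasPrefix(k, podPrefix):
			o = Override{Scope: "pod", Identifier: strings.TrimPrefix(k, podPrefix)}
			if o.Identifier == "" {
				return nil, fmt.Errorf("malformed pod override key %q", k)
			}
		default:
			continue // not a kubeaudit label
		}
		if !ValidLabelValue(v) {
			return nil, fmt.Errorf("label %q has invalid value %q", k, v)
		}
		o.Reason = v
		out = append(out, o)
	}
	return out, nil
}

// Applies reports whether an override for identifier covers the named container. A
// container-scoped label for that container wins; otherwise a pod-scoped label applies.
func Applies(overrides []Override, container, identifier string) (Override, bool) {
	var pod Override
	found := false
	for _, o := range overrides {
		switch {
		case o.Identifier != identifier:
		case o.Scope == "container" && o.Container == container:
			return o, true
		case o.Scope == "pod":
			pod, found = o, true
		}
	}
	return pod, found
}

// Constructed sample labels (not from the kubeaudit repo); identifiers are placeholders.
var SampleLabels = map[string]string{
	"app": "web",
	"container.kubeaudit.io/app.allow-privilege-escalation": "needs-ptrace-for-debug",
	"kubeaudit.io/allow-automount-service-account-token":    "",
}

func main() {
	ovs, err := ParseOverrides(SampleLabels)
	if err != nil {
		panic(err)
	}
	for _, c := range []string{"app", "sidecar"} {
		o, ok := Applies(ovs, c, "allow-privilege-escalation")
		fmt.Printf("%s: overridden=%v scope=%q reason=%q\n", c, ok, o.Scope, o.Reason)
	}
}
```

With the sample labels, the `app` container's privilege-escalation finding is overridden with a reason while `sidecar`'s is not, and the empty-valued pod label overrides the service-account check for every container (the README allows an empty value; it simply yields no `OverrideReason`). Because the value must be a valid label value, an override reason cannot contain spaces or slashes; keep it to a ticket ID or a short slug.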