{"id":13451639,"url":"https://github.com/aquasecurity/kube-bench","last_synced_at":"2026-02-20T12:01:48.030Z","repository":{"id":37256490,"uuid":"94779471","full_name":"aquasecurity/kube-bench","owner":"aquasecurity","description":"Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark","archived":false,"fork":false,"pushed_at":"2025-04-23T12:19:22.000Z","size":10086,"stargazers_count":7382,"open_issues_count":65,"forks_count":1267,"subscribers_count":110,"default_branch":"main","last_synced_at":"2025-04-23T15:53:31.191Z","etag":null,"topics":["cis-benchmark","cis-kubernetes-benchmark","cis-security","hacktoberfest","kube-bench","kubernetes","kubernetes-security","openshift"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-06-19T13:27:02.000Z","updated_at":"2025-04-23T12:02:10.000Z","dependencies_parsed_at":"2022-07-13T09:20:33.066Z","dependency_job_id":"87e95815-7d30-4426-baa1-25d9ffde08eb","html_url":"https://github.com/aquasecurity/kube-bench","commit_stats":{"total_commits":870,"total_committers":160,"mean_commits":5.4375,"dds":0.7942528735632184,"last_synced_commit":"d8fc37649a239dc5e0ec22d73955aa712e1267bb"},"previous_names":[],"tags_count":90,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fkube-bench","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fkube-bench/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fkube-bench/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fkube-bench/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/kube-bench/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252524851,"owners_count":21762182,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis-benchmark","cis-kubernetes-benchmark","cis-security","hacktoberfest","kube-bench","kubernetes","kubernetes-security","openshift"],"created_at":"2024-07-31T07:00:57.601Z","updated_at":"2026-02-20T12:01:47.986Z","avatar_url":"https://github.com/aquasecurity.png","language":"Go","funding_links":[],"categories":["Go","Tools","Scanners","Security","Kubernetes","Container Tools","Kubernetes Security","Security \u0026 Compliance","2 Defensive","Point-of-use validations","Security and Compliance","Compliance","Tools and Libraries","Repositories / Tools","Container \u0026 Kubernetes Security","Go (531)","Kubernetes cluster security","kubernetes","K8S-Tools","Инструменты","蓝队工具","Testing","0x02 工具 :hammer_and_wrench:","Tooling— Security and Policies","Companion Tools","Open Source Projects","☸️ Kubernetes e Cloud Native","Container and Kubernetes Security","Cloud Security","Container \u0026 Kubernetes","Tools \u0026 Platforms"],"sub_categories":["Kubernetes","[Jenkins](#jenkins)","MultiCloud Governance","Online resources","2.7 Tools","Vulnerability information exchange","Kubernetes security posture management","Security and Compliance","Detection","Defending","Kubernetes Security Tools","Проверка Docker / Kubernetes на соответствие","基线检测","2 云原生工具","Container and Runtime","Segurança K8s","Kubernetes Audit","Runtime Security","Open Source Platforms"],"readme":"[![GitHub Release][release-img]][release]\n[![Downloads][download]][release]\n[![Docker Pulls][docker-pull]][docker]\n[![Go Report Card][report-card-img]][report-card]\n[![Build Status](https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/aquasecurity/kube-bench/actions)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)\n[![Coverage Status][cov-img]][cov]\n\n[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github\n[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github\n[release]: https://github.com/aquasecurity/kube-bench/releases\n[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker\u0026label=docker%20pulls%20%2F%20kube-bench\n[docker]: https://hub.docker.com/r/aquasec/kube-bench\n[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg\n[cov]: https://codecov.io/github/aquasecurity/kube-bench\n[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench\n[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench\n\n\u003cimg src=\"docs/images/kube-bench.png\" width=\"200\" alt=\"kube-bench logo\"\u003e\n\nkube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).\n\nTests are configured with YAML files, making this tool easy to update as test specifications evolve.\n\n![Kubernetes Bench for Security](/docs/images/output.png \"Kubernetes Bench for Security\")\n\n## CIS Scanning as part of Trivy and the Trivy Operator\n\n[Trivy](https://github.com/aquasecurity/trivy), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.\nBoth, the [Trivy CLI](https://github.com/aquasecurity/trivy), and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning among several other features.\n\n## Quick start\n\nThere are multiple ways to run kube-bench.\nYou can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.\n\nThe supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example:\n\n```bash\n$ kubectl apply -f job.yaml\njob.batch/kube-bench created\n\n$ kubectl get pods\nNAME                      READY   STATUS              RESTARTS   AGE\nkube-bench-j76s9   0/1     ContainerCreating   0          3s\n\n# Wait for a few seconds for the job to complete\n$ kubectl get pods\nNAME                      READY   STATUS      RESTARTS   AGE\nkube-bench-j76s9   0/1     Completed   0          11s\n\n# The results are held in the pod's logs\nkubectl logs kube-bench-j76s9\n[INFO] 1 Master Node Security Configuration\n[INFO] 1.1 API Server\n...\n```\nFor more information and different ways to run kube-bench see [documentation](docs/running.md)\n### Please Note\n\n1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org).\n\n1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark.\n\n\nBy default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.\n- see the following documentation on [Running kube-bench](docs/running.md#running-kube-bench) for more details.\n\n\n## Contributing\nKindly read [Contributing](CONTRIBUTING.md) before contributing. \nWe welcome PRs and issue reports.\n\n## Roadmap\n\nGoing forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fkube-bench","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fkube-bench","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fkube-bench/lists"}