{"id":13521744,"url":"https://github.com/controlplaneio/kubectl-kubesec","last_synced_at":"2025-04-04T06:09:28.750Z","repository":{"id":37102699,"uuid":"132581351","full_name":"controlplaneio/kubectl-kubesec","owner":"controlplaneio","description":"Security risk analysis for Kubernetes resources","archived":false,"fork":false,"pushed_at":"2023-12-20T06:28:48.000Z","size":5254,"stargazers_count":503,"open_issues_count":11,"forks_count":37,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-05-21T10:22:41.695Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://kubesec.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/controlplaneio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.txt","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-08T08:52:27.000Z","updated_at":"2024-06-18T16:48:42.631Z","dependencies_parsed_at":"2023-07-14T02:09:52.466Z","dependency_job_id":"bf5d95ad-8777-4907-aa0b-7f0f4d08cc54","html_url":"https://github.com/controlplaneio/kubectl-kubesec","commit_stats":{"total_commits":94,"total_committers":13,"mean_commits":7.230769230769231,"dds":0.4148936170212766,"last_synced_commit":"028307149cf6f4c826578e2206177f6588588b75"},"previous_names":["stefanprodan/kubectl-kubesec"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubectl-kubesec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubectl-kubesec/tags","releases_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/controlplaneio%2Fkubectl-kubesec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubectl-kubesec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/controlplaneio","download_url":"https://codeload.github.com/controlplaneio/kubectl-kubesec/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247128753,"owners_count":20888235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:00:37.734Z","updated_at":"2025-04-04T06:09:28.735Z","avatar_url":"https://github.com/controlplaneio.png","language":"Go","funding_links":[],"categories":["Tools","others","Static Application Security Testing","Go","kubectl Plugins","Security"],"sub_categories":["Infrastructure as Code Analysis","Installing plugins via awesome-kubectl-plugins"],"readme":"# kubectl-kubesec\n\n[![Build Status](https://travis-ci.org/controlplaneio/kubectl-kubesec.svg?branch=master)](https://travis-ci.org/controlplaneio/kubectl-kubesec)\n\nThis is a kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets with [kubesec.io](https://kubesec.io). By default the plugin will send scan requests to the hosted version of [kubesec.io](https://kubesec.io). 
However, it is also possible to self-host the scanning service and use that for scanning instead.\n\nFor the admission controller see [kubesec-webhook](https://github.com/controlplaneio/kubesec-webhook)\n\nThe latest release of this plugin is fully compatible with the API version V2 of kubesec documented at [kubesec.io](https://kubesec.io).\n\n#### Install with krew\n\n1. [Install krew](https://github.com/GoogleContainerTools/krew) plugin manager\n   for kubectl.\n2. Run `kubectl krew install kubesec-scan`.\n3. Start using it by running `kubectl kubesec-scan`.\n\n#### Install with curl\n\nFor Kubernetes 1.12 or newer:\n\n```bash\nmkdir -p ~/.kube/plugins/scan \u0026\u0026 \\\ncurl -sL https://github.com/controlplaneio/kubectl-kubesec/releases/download/1.0.0/kubectl-kubesec_1.0.0_`uname -s`_amd64.tar.gz | tar xzvf - -C ~/.kube/plugins/scan\nmv ~/.kube/plugins/scan/scan ~/.kube/plugins/scan/kubectl-scan\nexport PATH=$PATH:~/.kube/plugins/scan\n```\n\nFor Kubernetes older than 1.12:\n\n```bash\nmkdir -p ~/.kube/plugins/scan \u0026\u0026 \\\ncurl -sL https://github.com/controlplaneio/kubectl-kubesec/releases/download/0.3.1/kubectl-kubesec_0.3.1_`uname -s`_amd64.tar.gz | tar xzvf - -C ~/.kube/plugins/scan\n```\n\n### Usage\n\nBy default the plugin uses the hosted version of [kubesec.io](https://kubesec.io). However, you can also run the scanning service locally, for example using docker:\n\n```bash\ndocker run -d -p 8080:8080 kubesec/kubesec:v2 http 8080\n```\n\nScan a Deployment:\n\n```bash\nkubectl kubesec-scan -n kube-system deployment kubernetes-dashboard\n# if you are running a self-hosted version of kubesec.io using docker then:\nkubectl kubesec-scan -n kube-system deployment kubernetes-dashboard --url http://localhost:8080\n```\n\nResult:\n\n```bash\nkubernetes-dashboard kubesec.io score 7\n-----------------\nAdvise\n1. containers[] .securityContext .runAsNonRoot == true\nForce the running image to run as a non-root user to ensure least privilege\n2. 
containers[] .securityContext .capabilities .drop\nReducing kernel capabilities available to a container limits its attack surface\n3. containers[] .securityContext .readOnlyRootFilesystem == true\nAn immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost\n4. containers[] .securityContext .runAsUser \u003e 10000\nRun as a high-UID user to avoid conflicts with the host's user table\n5. containers[] .securityContext .capabilities .drop | index(\"ALL\")\nDrop all capabilities and add only those required to reduce syscall attack surface\n```\n\nScan a DaemonSet:\n\n```bash\nkubectl kubesec-scan -n weave daemonset weave-scope-agent\n# if you are running a self-hosted version of kubesec.io then:\nkubectl kubesec-scan -n weave daemonset weave-scope-agent --url http://localhost:8080\n```\n\nResult:\n\n```bash\ndaemonset/weave-scope-agent kubesec.io score -54\n-----------------\nCritical\n1. containers[] .securityContext .privileged == true\nPrivileged containers can allow almost completely unrestricted host access\n2. .spec .hostNetwork\nSharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter\n3. .spec .hostPID\nSharing the host's PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration\n4. .spec .volumes[] .hostPath .path == \"/var/run/docker.sock\"\nMounting the docker.socket leaks information about other containers and can allow container breakout\n```\n\nScan a StatefulSet:\n\n```bash\nkubectl kubesec-scan statefulset memcached\n# if you are running a self-hosted version of kubesec.io then:\nkubectl kubesec-scan statefulset memcached --url http://localhost:8080\n```\n\nResult:\n\n```bash\nstatefulset/memcached kubesec.io score 2\n-----------------\nAdvise\n1. .spec .volumeClaimTemplates[] .spec .accessModes | index(\"ReadWriteOnce\")\n2. 
containers[] .securityContext .runAsNonRoot == true\nForce the running image to run as a non-root user to ensure least privilege\n3. containers[] .securityContext .capabilities .drop\nReducing kernel capabilities available to a container limits its attack surface\n4. containers[] .securityContext .readOnlyRootFilesystem == true\nAn immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost\n5. containers[] .securityContext .runAsUser \u003e 10000\nRun as a high-UID user to avoid conflicts with the host's user table\n```\n\nScan a Pod:\n\n```bash\nkubectl kubesec-scan -n kube-system pod tiller-deploy-5c688d5f9b-ztjbt\n# if you are running a self-hosted version of kubesec.io then:\nkubectl kubesec-scan -n kube-system pod tiller-deploy-5c688d5f9b-ztjbt --url http://localhost:8080\n```\n\nResult:\n\n```bash\npod/tiller-deploy-5c688d5f9b-ztjbt kubesec.io score 3\n-----------------\nAdvise\n1. containers[] .securityContext .runAsNonRoot == true\nForce the running image to run as a non-root user to ensure least privilege\n2. containers[] .securityContext .capabilities .drop\nReducing kernel capabilities available to a container limits its attack surface\n3. containers[] .securityContext .readOnlyRootFilesystem == true\nAn immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost\n4. containers[] .securityContext .runAsUser \u003e 10000\nRun as a high-UID user to avoid conflicts with the host's user table\n5. containers[] .securityContext .capabilities .drop | index(\"ALL\")\nDrop all capabilities and add only those required to reduce syscall attack surface\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrolplaneio%2Fkubectl-kubesec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrolplaneio%2Fkubectl-kubesec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrolplaneio%2Fkubectl-kubesec/lists"}