{"id":13509337,"url":"https://github.com/controlplaneio/kubesec","last_synced_at":"2025-05-13T00:34:20.788Z","repository":{"id":35261280,"uuid":"106386673","full_name":"controlplaneio/kubesec","owner":"controlplaneio","description":"Security risk analysis for Kubernetes resources","archived":false,"fork":false,"pushed_at":"2025-05-09T21:44:06.000Z","size":54918,"stargazers_count":1321,"open_issues_count":27,"forks_count":105,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-05-09T22:29:43.208Z","etag":null,"topics":["hacktoberfest"],"latest_commit_sha":null,"homepage":"https://kubesec.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/controlplaneio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-10-10T08:00:35.000Z","updated_at":"2025-05-09T21:44:11.000Z","dependencies_parsed_at":"2023-10-04T15:11:30.654Z","dependency_job_id":"9ae6389f-9dc2-418e-89e0-892aad3bfb36","html_url":"https://github.com/controlplaneio/kubesec","commit_stats":{"total_commits":586,"total_committers":27,"mean_commits":"21.703703703703702","dds":0.6126279863481229,"last_synced_commit":"2d31e51659470451e6c51cb47be1df9e103fb49d"},"previous_names":["sublimino/kubesec"],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubesec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubesec/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubesec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/controlplaneio%2Fkubesec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/controlplaneio","download_url":"https://codeload.github.com/controlplaneio/kubesec/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253850334,"owners_count":21973661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest"],"created_at":"2024-08-01T02:01:06.353Z","updated_at":"2025-05-13T00:34:20.759Z","avatar_url":"https://github.com/controlplaneio.png","language":"Go","readme":"# Kubesec\n\n[![Testing Workflow][testing_workflow_badge]][testing_workflow_badge]\n[![Security Analysis Workflow][security_workflow_badge]][security_workflow_badge]\n[![Release Workflow][release_workflow_badge]][release_workflow_badge]\n\n[![Go Report Card][goreportcard_badge]][goreportcard]\n[![PkgGoDev][go_dev_badge]][go_dev]\n\n\u003c!-- markdownlint-disable no-inline-html header-increment --\u003e\n\u003c!-- markdownlint-disable line-length --\u003e\n\n#### \u003ccenter\u003e🚨 v1 API is deprecated, please read the \u003ca href=\"https://github.com/controlplaneio/kubesec/blob/master/README.md#release-notes\" target=\"_blank\"\u003erelease notes\u003c/a\u003e 🚨\u003c/center\u003e\n\n\u003c!-- markdownlint-enable line-length --\u003e\n\n### Security risk analysis for Kubernetes resources\n\n\u003cp align=\"center\"\u003e\n  \u003cimg 
src=\"https://casual-hosting.s3.amazonaws.com/kubesec-logo.png\"\u003e\n\u003c/p\u003e\n\n## Live demo\n\n[Visit Kubesec.io](https://kubesec.io)\n\nThis uses ControlPlane's hosted API at [v2.kubesec.io/scan](https://v2.kubesec.io/scan)\n\n---\n\n- [Download Kubesec](#download-kubesec)\n  - [Command line usage](#command-line-usage)\n  - [Usage example](#usage-example)\n  - [Docker usage](#docker-usage)\n- [Kubesec HTTP Server](#kubesec-http-server)\n  - [CLI usage example](#cli-usage-example)\n  - [Docker usage example](#docker-usage-example)\n- [Kubesec-as-a-Service](#kubesec-as-a-service)\n  - [Command line usage](#command-line-usage-1)\n  - [Usage example](#usage-example-1)\n- [Example output](#example-output)\n- [Contributors](#contributors)\n- [Getting Help](#getting-help)\n- [Contributing](/CONTRIBUTING.md)\n- [Changelog](/CHANGELOG.md)\n\n## Download Kubesec\n\nKubesec is available as a:\n\n- [Docker container image](https://hub.docker.com/r/kubesec/kubesec/tags) at `docker.io/kubesec/kubesec:v2`\n- Linux/MacOS/Win binary (get the [latest release](https://github.com/controlplaneio/kubesec/releases))\n- [Kubernetes Admission Controller](https://github.com/controlplaneio/kubesec-webhook)\n- [Kubectl plugin](https://github.com/controlplaneio/kubectl-kubesec)\n\nOr install the latest commit from GitHub with:\n\n#### Go 1.16+\n\n```bash\n$ go install github.com/controlplaneio/kubesec/v2@latest\n```\n\n#### Go version \u003c 1.16\n\n```bash\n$ GO111MODULE=\"on\" go get github.com/controlplaneio/kubesec/v2\n```\n\n#### Command line usage:\n\n```bash\n$ kubesec scan k8s-deployment.yaml\n```\n\n#### Usage example:\n\n```bash\n$ cat \u003c\u003cEOF \u003e kubesec-test.yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: kubesec-demo\nspec:\n  containers:\n  - name: kubesec-demo\n    image: gcr.io/google-samples/node-hello:1.0\n    securityContext:\n      readOnlyRootFilesystem: true\nEOF\n$ kubesec scan kubesec-test.yaml\n```\n\n#### Docker usage:\n\nRun the same 
command in Docker:\n\n```bash\n$ docker run -i kubesec/kubesec:v2 scan /dev/stdin \u003c kubesec-test.yaml\n```\n\n#### Specify custom schema\n\nKubesec leverages kubeconform (thanks @yannh) to validate the manifests to scan.\nThis implies that specifying different schema locations follows the rules as\ndescribed in [the kubeconform README](https://github.com/yannh/kubeconform#overriding-schemas-location).\n\nHere is a quick overview of how this works for scanning a pod manifest:\n\n- I want to use the latest available schema from upstream.\n\n```bash\nkubesec [scan|http]\n```\n\nSchema will be fetched from: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone-strict/pod-v1.json\n\n- I want to use a specific schema version from upstream. (Formatted x.y.z with no v prefix)\n\n```bash\nkubesec [scan|http] --kubernetes-version \u003cversion\u003e\n```\n\nSchema will be fetched from: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.25.3-standalone-strict/pod-v1.json\n\n- I want to use a specific schema version in an airgap environment over HTTP.\n\n```bash\nkubesec [scan|http] --kubernetes-version \u003cversion\u003e --schema-location https://host.server\n```\n\nSchema will be fetched from: `https://host.server/v\u003cversion\u003e-standalone-strict/pod-v1.json`\n\n- I want to use a specific schema version in an airgap environment with local files:\n\n```bash\nkubesec [scan|http] --kubernetes-version \u003cversion\u003e --schema-location /opt/schemas\n```\n\nSchema will be read from: `/opt/schemas/v\u003cversion\u003e-standalone-strict/pod-v1.json`\n\n**Note:** in order to limit external network calls and allow usage in airgap\nenvironments, the `kubesec` image embeds schemas. 
If you are looking to change\nthe schema location, you'll need to change the `K8S_SCHEMA_VER` and `SCHEMA_LOCATION`\nenvironment variables at runtime.\n\n#### Print the scanning rules with their associated scores\n\nAll the scanning rules can be printed in different formats (json (default),\nyaml and table). This is useful to easily get the points associated with\neach rule:\n\n```bash\nkubesec print-rules\n```\n\nwhich produces the following output:\n\n```json\n[\n  {\n    \"id\": \"AllowPrivilegeEscalation\",\n    \"selector\": \"containers[] .securityContext .allowPrivilegeEscalation == true\",\n    \"reason\": \"Ensure a non-root process can not gain more privileges\",\n    \"kinds\": [\n      \"Pod\",\n      \"Deployment\",\n      \"StatefulSet\",\n      \"DaemonSet\"\n    ],\n    \"points\": -7,\n    \"advise\": 0\n  },\n...\n]\n```\n\n## Kubesec HTTP Server\n\nKubesec includes a bundled HTTP server.\n\nThe listen address for the HTTP server can be configured by setting the\n`KUBESEC_ADDR` environment variable. 
The value can be a single port\nsuch as `8080` or an address in the form of `ip:port` or `[ipv6]:port`.\n\n#### CLI usage example:\n\nStart the HTTP server in the background\n\n\u003c!-- markdownlint-disable line-length --\u003e\n\n```bash\n$ kubesec http 8080 \u0026\n[1] 12345\n{\"severity\":\"info\",\"timestamp\":\"2019-05-12T11:58:34.662+0100\",\"caller\":\"server/server.go:69\",\"message\":\"Starting HTTP server on port 8080\"}\n```\n\n\u003c!-- markdownlint-enable line-length --\u003e\n\nUse curl to POST a file to the server\n\n```bash\n$ curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan\n[\n  {\n    \"object\": \"Pod/security-context-demo.default\",\n    \"valid\": true,\n    \"message\": \"Failed with a score of -30 points\",\n    \"score\": -30,\n    \"scoring\": {\n      \"critical\": [\n        {\n          \"selector\": \"containers[] .securityContext .capabilities .add == SYS_ADMIN\",\n          \"reason\": \"CAP_SYS_ADMIN is the most privileged capability and should always be avoided\",\n          \"points\": -30\n        },\n        {\n          \"selector\": \"containers[] .securityContext .runAsNonRoot == true\",\n          \"reason\": \"Force the running image to run as a non-root user to ensure least privilege\",\n          \"points\": 1\n        },\n  // ...\n```\n\nFinally, stop the Kubesec server by killing the background process\n\n```bash\n$ kill %\n```\n\n#### Docker usage example:\n\nStart the HTTP server using Docker\n\n```bash\n$ docker run -d -p 8080:8080 kubesec/kubesec:v2 http 8080\n```\n\nUse curl to POST a file to the server\n\n```bash\n$ curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan\n...\n```\n\nDon't forget to stop the server.\n\n## Kubesec-as-a-Service\n\nKubesec is also available via HTTPS at [v2.kubesec.io/scan](https://v2.kubesec.io/scan)\n\nPlease do not submit sensitive YAML to this service.\n\nThe service is run on a good faith best 
effort basis.\n\n#### Command line usage:\n\n```bash\n$ curl -sSX POST --data-binary @\"k8s-deployment.yaml\" https://v2.kubesec.io/scan\n```\n\n#### Usage example:\n\nDefine a BASH function\n\n```bash\n$ kubesec ()\n{\n    # Path to the manifest to scan; fail early if it does not exist\n    local FILE=\"${1:-}\";\n    [[ ! -e \"${FILE}\" ]] \u0026\u0026 {\n        echo \"kubesec: ${FILE}: No such file\" \u003e\u00262;\n        return 1\n    };\n    # POST the raw file body to the hosted scanner (--data-binary takes\n    # its argument separated by a space, not with an '=' sign)\n    curl --silent \\\n      --compressed \\\n      --connect-timeout 5 \\\n      -sSX POST \\\n      --data-binary @\"${FILE}\" \\\n      https://v2.kubesec.io/scan\n}\n```\n\nPOST a Kubernetes resource to v2.kubesec.io/scan\n\n```bash\n$ kubesec ./deployment.yml\n```\n\nReturn a non-zero status code if the score is not greater than 10 (the response is a JSON array, so the first object's score is selected)\n\n```bash\n$ kubesec ./score-9-deployment.yml | jq --exit-status '.[0].score \u003e 10' \u003e/dev/null\n# status code 1\n```\n\n## Example output\n\nKubesec returns a JSON array, and can scan multiple YAML documents in a single input file.\n\n```json\n[\n  {\n    \"object\": \"Pod/security-context-demo.default\",\n    \"valid\": true,\n    \"message\": \"Failed with a score of -30 points\",\n    \"score\": -30,\n    \"scoring\": {\n      \"critical\": [\n        {\n          \"selector\": \"containers[] .securityContext .capabilities .add == SYS_ADMIN\",\n          \"reason\": \"CAP_SYS_ADMIN is the most privileged capability and should always be avoided\",\n          \"points\": -30\n        }\n      ],\n      \"advise\": [\n        {\n          \"selector\": \"containers[] .securityContext .runAsNonRoot == true\",\n          \"reason\": \"Force the running image to run as a non-root user to ensure least privilege\",\n          \"points\": 1\n        },\n        {\n          // ...\n        }\n      ]\n    }\n  }\n]\n```\n\n---\n\n## Contributors\n\nThanks to our awesome contributors!\n\n- [Andrew Martin](@sublimino)\n- [Stefan Prodan](@stefanprodan)\n- [Jack Kelly](@06kellyjac)\n\n## Getting Help\n\nIf you have any questions about Kubesec and 
Kubernetes security:\n\n- Read the Kubesec docs\n- Reach out on Twitter to [@sublimino](https://twitter.com/sublimino) or [@controlplaneio](https://twitter.com/controlplaneio)\n- File an issue\n\nYour feedback is always welcome!\n\n[testing_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3ATesting\n[testing_workflow_badge]: https://github.com/controlplaneio/kubesec/workflows/Testing/badge.svg\n[security_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3A%22Security+Analysis%22\n[security_workflow_badge]: https://github.com/controlplaneio/kubesec/workflows/Security%20Analysis/badge.svg\n[release_workflow]: https://github.com/controlplaneio/kubesec/actions?query=workflow%3ARelease\n[release_workflow_badge]: https://github.com/controlplaneio/kubesec/workflows/Release/badge.svg\n[goreportcard]: https://goreportcard.com/report/github.com/controlplaneio/kubesec\n[goreportcard_badge]: https://goreportcard.com/badge/github.com/controlplaneio/kubesec\n[go_dev]: https://pkg.go.dev/github.com/controlplaneio/kubesec/v2\n[go_dev_badge]: https://pkg.go.dev/badge/github.com/controlplaneio/kubesec/v2\n","funding_links":[],"categories":["Go","Kubernetes","Security \u0026 Compliance","Security and Compliance","Tools","Repositories / Tools","hacktoberfest","文章","Инструменты","Security"],"sub_categories":["Detection","Defending","Безопасность Kubernetes"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrolplaneio%2Fkubesec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrolplaneio%2Fkubesec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrolplaneio%2Fkubesec/lists"}