{"id":26088796,"url":"https://github.com/gardener/diki","last_synced_at":"2025-04-12T04:23:21.213Z","repository":{"id":191602718,"uuid":"676520650","full_name":"gardener/diki","owner":"gardener","description":"Diki is a compliance checker that aims to enhance the security posture of your Kubernetes clusters.","archived":false,"fork":false,"pushed_at":"2025-04-10T15:23:12.000Z","size":12085,"stargazers_count":11,"open_issues_count":10,"forks_count":8,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-10T16:49:20.400Z","etag":null,"topics":["compliance","compliance-checklist","hardening","kubernetes","kubernetes-hardening","reporting","security","stig","stig-compliant"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gardener.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-09T11:43:38.000Z","updated_at":"2025-04-07T14:07:53.000Z","dependencies_parsed_at":"2023-12-07T08:26:05.472Z","dependency_job_id":"460520eb-f380-4c5d-b90a-669ed10a37bb","html_url":"https://github.com/gardener/diki","commit_stats":null,"previous_names":["gardener/diki"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Fdiki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Fdiki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Fdiki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gardener%2Fdiki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gardener","download_url":"https://codeload.github.com/gardener/diki/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248514707,"owners_count":21117013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","compliance-checklist","hardening","kubernetes","kubernetes-hardening","reporting","security","stig","stig-compliant"],"created_at":"2025-03-09T08:13:39.881Z","updated_at":"2025-04-12T04:23:21.197Z","avatar_url":"https://github.com/gardener.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Diki\n[![REUSE status](https://api.reuse.software/badge/github.com/gardener/diki)](https://api.reuse.software/info/github.com/gardener/diki)\n\n[![gardener compliance checker](https://badgen.net/badge/gardener/compliance-checker/009f76)](https://github.com/gardener)\n[![status alpha](https://badgen.net/badge/status/alpha/d8624d)](https://badgen.net/badge/status/alpha/d8624d)\n[![license apache 2.0](https://badgen.net/badge/license/apache-2.0/8ab803)](https://opensource.org/licenses/Apache-2.0)\n\n\nDiki is a \"compliance checker\" of sorts, a detective control framework with pluggable rule sets.\nIt's part of the [Gardener](https://github.com/gardener) family, but can also be used on other Kubernetes distros or even in non-Kubernetes environments, e.g. to check the compliance of your hyperscaler accounts.\n\nDiki is the Greek word for \"trial\".\nYou can also memorise it as \"Detective Investigation of Key Imperatives\" or as the GNU-style recursive acronym \"Diki Investigates Key Imperatives\".\nIt's colloquially known as \"Don't I Know It\", which is a nice fit as well for what it does.\n\n\u003e [!IMPORTANT]\n\u003e This repository is under active development.\n\u003e APIs can change without any backwards compatibility.\n\n## Getting Started\n\n#### Installation\n\nIf you install via GitHub releases, you need to put the diki binary on your path.\n\nA sample install snippet for macOS can look like this:\n```bash\n# Example for macOS\n\n# set operating system and architecture\nos=darwin # choose between darwin, linux, windows\narch=amd64 # choose between amd64, arm64\n\n# Get latest version. Alternatively set your desired version\nversion=$(curl -Ls -H 'Accept: application/json' https://github.com/gardener/diki/releases/latest | jq -r '.tag_name')\n\n# Download diki\ncurl -LO \"https://github.com/gardener/diki/releases/download/${version}/diki-${os}-${arch}\"\n\n# Make the diki binary executable\nchmod +x \"./diki-${os}-${arch}\"\n\n# Move the binary into your PATH\nsudo mv \"./diki-${os}-${arch}\" /usr/local/bin/diki\n```\n\n#### Run\n\nMost of Diki's `run` configurations are provided through its [config file](./example/config/).\nOptions depend on the different providers and rulesets.\nHere are a couple of commands to get you started:\n\n- Run all known rulesets for all known providers\n```bash\ndiki run \\\n    --config=config.yaml \\\n    --all\n```\n\n- Run all known rulesets for all known providers and create a summary json report file\n```bash\ndiki run \\\n    --config=config.yaml \\\n    --all \\\n    --output=./report.json\n```\n\n- Run a specific ruleset for a known provider\n```bash\ndiki run \\\n    --config=config.yaml \\\n    --provider=gardener \\\n    --ruleset-id=disa-kubernetes-stig \\\n    --ruleset-version=v2r2\n```\n\n- Run a specific rule defined in a ruleset for a known provider\n```bash\ndiki run \\\n    --config=config.yaml \\\n    --provider=gardener \\\n    --ruleset-id=disa-kubernetes-stig \\\n    --ruleset-version=v2r2 \\\n    --rule-id=242414\n```\n\n#### Report\n\nDiki can generate a human readable report from the output files of a `diki run` execution.\nMerged reports can be produced by setting the `distinct-by` flag.\nThe value of this flag is a list of `key=value` pairs where the keys are the IDs of the providers we want to include in the merged report and the values are the unique metadata fields to be used as distinction values between different provider runs.\n\n- Generate an html report\n```bash\ndiki report generate \\\n    --output=report.html \\\n    output.json\n```\n\n- Generate a merged html report\n```bash\ndiki report generate \\\n    --distinct-by=gardener=id \\\n    --output=report.html \\\n    output1.json output2.json\n```\n\n#### Difference\n\nDiki can generate a json file containing the difference between two output files of `diki run` executions.\nThis can help to identify improvements (or regressions).\nA human readable html difference report can be generated from the difference reports.\n\n- Generate the json difference between two reports\n```bash\ndiki report diff \\\n    --title=Title \\\n    --old=output1.json \\\n    --new=output2.json \\\n    --output=difference.json\n```\n\n- Combine one or more json difference reports into an html report.\n```bash\ndiki report generate diff \\\n    --identity-attributes=gardener=id \\\n    --output=difference.html \\\n    difference1.json difference2.json\n```\n\n#### Unit Tests\n\nYou can manually run the tests via `make test`.\n\n## Contributing\n\nContributions are very welcome. To learn more, see the [contributor guide](https://gardener.cloud/docs/contribute).\n\n## Credits\n\nA special thank you to @vlerenc, @AleksandarSavchev and @dimityrmirchev who made significant contributions to the project before it was made available to the public.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgardener%2Fdiki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgardener%2Fdiki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgardener%2Fdiki/lists"}