{"id":51316348,"url":"https://github.com/k8scout/k8scout","last_synced_at":"2026-07-01T08:00:34.974Z","repository":{"id":351878114,"uuid":"1171719327","full_name":"k8scout/k8scout","owner":"k8scout","description":"Drop a single binary into a compromised Kubernetes pod and instantly map every   realistic attack path to cluster-admin, node escape, secret theft, and cloud IAM takeover.","archived":false,"fork":false,"pushed_at":"2026-07-01T06:25:50.000Z","size":59309,"stargazers_count":163,"open_issues_count":0,"forks_count":21,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-01T07:25:08.047Z","etag":null,"topics":["cloud-security","kubernetes","kubernetes-security","pentesting-tool"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k8scout.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-03T14:35:53.000Z","updated_at":"2026-07-01T06:00:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/k8scout/k8scout","commit_stats":null,"previous_names":["k8scout/k8scout"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/k8scout/k8scout","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scout%2Fk8scout","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scout%2Fk8scout/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/k8scout%2Fk8scout/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scout%2Fk8scout/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k8scout","download_url":"https://codeload.github.com/k8scout/k8scout/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scout%2Fk8scout/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34997947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-01T02:00:05.325Z","response_time":130,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-security","kubernetes","kubernetes-security","pentesting-tool"],"created_at":"2026-07-01T08:00:24.427Z","updated_at":"2026-07-01T08:00:34.957Z","avatar_url":"https://github.com/k8scout.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"340\" alt=\"k8scout logo\" src=\"./web/img/k8scout_logo.png\" /\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"GitHub stars\" src=\"https://img.shields.io/github/stars/k8scout/k8scout?style=flat\" /\u003e\n  \u003cimg alt=\"GitHub forks\" src=\"https://img.shields.io/github/forks/k8scout/k8scout?style=flat\" /\u003e\n  \u003cimg alt=\"GitHub issues\" 
src=\"https://img.shields.io/github/issues/k8scout/k8scout?style=flat\" /\u003e\n  \u003cimg alt=\"GitHub license\" src=\"https://img.shields.io/github/license/k8scout/k8scout\" /\u003e\n\u003c/p\u003e\n\u003ch1 align=\"center\"\u003ek8scout\u003c/h1\u003e\n\n\u003e **Beta** — A single-binary Kubernetes attack path engine for authorized security assessments.\n\nDrop it into a compromised pod, run it, and get a map of every realistic escalation path — from your current foothold to cluster-admin, node access, secret theft, and cloud IAM roles.\n\n---\n\n## The idea\n\nYou have RCE in a Kubernetes pod. Now what?\n\nk8scout answers that question. It automatically discovers what the compromised pod's service account can do, maps out the RBAC graph, and traces multi-step attack paths from your exact foothold to high-value targets.\n\nIt works in three modes:\n\n- **Offensive mode** (default) — run from inside a compromised pod. Discovers your identity, permissions, and all reachable escalation paths from your current position.\n- **Reviewer mode** (`--reviewer-mode`) — run with a read-only SA to audit the full cluster attack surface for all identities.\n- **Recon mode** (`--recon`) — a fast, low-footprint look at just your identity, effective permissions, and which resources you can touch. No graph or pathfinding. 
Add `--bruteforce-ns` to discover namespaces you can't list cluster-wide.\n\n---\n\n## Demo\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"960\" alt=\"k8scout demo\" src=\"./web/demo/k8scout-demo.gif\" /\u003e\n\u003c/p\u003e\n\n---\n\n## What it finds\n\nk8scout builds a weighted permission graph and runs Dijkstra-based pathfinding to discover realistic multi-step attack chains:\n\n- **Pod to cluster-admin** — through RBAC bindings, workload mutation, or CRB creation\n- **Container escape to node** — via privileged containers, hostPID, hostNetwork, dangerous capabilities, or hostPath mounts\n- **Lateral movement** — exec into other pods, steal their SA tokens, pivot through their permissions\n- **Secret and credential theft** — mounted SA tokens, secrets, configmaps with leaked credentials, orphaned tokens\n- **Cloud IAM escalation** — IRSA (AWS), GKE Workload Identity, Azure Workload Identity, projected token audience abuse\n- **Impersonation chains** — SA-to-SA takeover through impersonation permissions\n- **Workload mutation** — patch a deployment to change its SA, then inherit that SA's permissions\n- **Webhook injection** — mutating webhook control to inject into future workloads\n- **GitOps operator abuse** — ArgoCD, Flux, External Secrets, and Vault operator privilege escalation\n- **Misconfiguration detection** — dangling bindings, wildcard verbs, automounted tokens, plaintext secrets in env vars\n\nEvery finding includes MITRE ATT\u0026CK technique IDs, a risk score, and step-by-step attack path with the actual graph nodes involved. 
50 detection rules in total.\n\n---\n\n## Quick start\n\n### From a compromised pod (primary use case)\n\n```bash\n# Copy the binary into the pod\nkubectl cp k8scout-linux-amd64 \u003cns\u003e/\u003cpod\u003e:/tmp/k8scout\n\n# Run it\nkubectl exec -it \u003cns\u003e/\u003cpod\u003e -- chmod +x /tmp/k8scout\nkubectl exec -it \u003cns\u003e/\u003cpod\u003e -- /tmp/k8scout --out /tmp/result.json\n\n# Pull the results\nkubectl cp \u003cns\u003e/\u003cpod\u003e:/tmp/result.json ./result.json\n\n# The same flow works from a reverse shell: upload the binary, run it, and retrieve result.json\n```\n\nThe binary auto-detects it's running in-cluster, identifies the pod and SA, and starts pathfinding from your exact foothold.\n\n\u003e **Intended use**: Penetration testing engagements, red team operations, internal security reviews, and cluster hardening audits. Always obtain proper authorization before running against any cluster.\n\n### From your local machine\n\n```bash\n# Uses ~/.kube/config or $KUBECONFIG\nk8scout --all-namespaces --out result.json\n\n# Target a single namespace\nk8scout --namespace production --out result.json\n```\n\n### Recon mode (quick permission \u0026 resource check)\n\n```bash\n# Who am I, what can I do, and what resources can I access?\nk8scout --recon\n\n# Discover namespaces you can't list cluster-wide (built-in wordlist)\nk8scout --recon --bruteforce-ns\n\n# Bruteforce with your own namespace wordlist (one name per line)\nk8scout --recon --bruteforce-ns --ns-wordlist ./namespaces.txt\n```\n\nRecon skips graph building, inference, and AI — it's the fastest way to answer\n\"what does this token actually have?\". It reports the current identity, its\neffective permissions (SelfSubjectRulesReview), and a per-resource capability\nmatrix (SelfSubjectAccessReview). 
`--bruteforce-ns` confirms a namespace exists\nby reading well-known objects every namespace has (the namespace object, its\n`default` ServiceAccount, or the `kube-root-ca.crt` ConfigMap) — useful when the\nidentity can't list namespaces but may still access specific ones.\n\n### Reviewer mode (full cluster audit)\n\n```bash\n# Deploy the read-only RBAC and job\nkubectl apply -f deploy/rbac.yaml\nkubectl apply -f deploy/job.yaml\n\n# Or run directly with reviewer permissions\nk8scout --reviewer-mode --all-namespaces --out result.json\n```\n\n### With AI narrative\n\n```bash\nexport OPENAI_API_KEY=\"sk-...\"\nk8scout --all-namespaces --out result.json\n```\n\n---\n\n## Installation\n\n### Pre-built binaries\n\nDownload from the [Releases](../../releases) page. All binaries are statically linked with no dependencies.\n\n| Binary | Platform |\n|---|---|\n| `k8scout-linux-amd64` | Linux x86-64 |\n| `k8scout-linux-arm64` | Linux ARM64 |\n| `k8scout-darwin-amd64` | macOS Intel |\n| `k8scout-darwin-arm64` | macOS Apple Silicon |\n\n### Build from source\n\nRequires Go 1.22+.\n\n```bash\ngit clone https://github.com/hac01/k8scout\ncd k8scout\nmake build          # native binary\nmake build-linux    # static Linux amd64 binary\nmake build-all      # all four release targets\n```\n\n---\n\n## How it works\n\n```\nk8scout (running inside compromised pod)\n |\n ├── 1. Detect foothold\n │     Pod name (HOSTNAME), SA (TokenReview), Node (downward API)\n │\n ├── 2. Discover permissions\n │     SSRR per namespace + ~30 concurrent SSAR spot-checks\n │     (always permitted, no RBAC needed)\n │\n ├── 3. Enumerate cluster objects (graceful degradation if denied)\n │     Namespaces, RBAC, Workloads, Pods, Secrets, Nodes, Webhooks, CRDs\n │\n ├── 4. 
Build attack graph\n │     Nodes: pods, SAs, roles, bindings, secrets, workloads, nodes, cloud identities\n │     Edges: runs_as, mounts, authenticates_as, can_exec, can_patch,\n │            can_impersonate, runs_on, assumes_cloud_role, granted_by, ...\n │\n ├── 5. Find attack paths (Dijkstra from foothold to high-value targets)\n │     Weighted by attacker effort — cheapest (most realistic) paths first\n │     Targets: cluster-admin, nodes, SA tokens, cloud IAM, privileged workloads\n │\n ├── 6. Run inference rules (50 rules with MITRE ATT\u0026CK mapping)\n │\n ├── 7. Optional: AI risk narrative (GPT-4o)\n │\n └── 8. Output: text summary + JSON report\n```\n\nEven with a minimal SA that can't list pods or RBAC objects, the tool synthesizes the foothold graph from identity data alone and discovers what's reachable through SSRR/SSAR permissions.\n\n---\n\n## Attack graph visualization\n\nLoad the JSON report into `web/graph.html` in any browser (drag-and-drop, no server needed).\n\n- **Attack Paths tab** — ranked by risk score, each showing the full multi-hop chain from foothold to target\n- **Multi-chain view** — visualize overlapping attack paths simultaneously on a single graph\n- **Force-directed graph** — all nodes and edges with color-coded categories and risk score rings\n- **Focus mode** — dims structural noise to highlight attack-relevant nodes\n- **RBAC toggle** — hides RBAC nodes but automatically shows them when part of an active attack path\n- **Mini-map** — navigate large graphs without losing context\n- **Node detail** — click any node for metadata, connections, and related findings\n- **Export** — download a self-contained HTML pentest report\n\n---\n\n## CLI reference\n\n```\nk8scout [flags]\n\nFlags:\n  --out string            Output JSON file path (default \"k8scout-result.json\")\n  --namespace string      Enumerate a single namespace\n  --all-namespaces        Enumerate all accessible namespaces (default true)\n  --format string         Output 
format: text | json (default \"text\")\n  --timeout int           Per-request timeout in seconds (default 60)\n  --log-level string      debug | info | warn | error (default \"info\")\n  --kubeconfig string     Path to kubeconfig (auto-detected if not set)\n  --reviewer-mode         Full cluster RBAC audit for all identities\n  --recon                 Quick recon: identity, permissions (SSRR), accessible resources (SSAR)\n  --bruteforce-ns         Bruteforce namespace names to find ones you can't list (use with --recon)\n  --ns-wordlist string    Custom namespace wordlist for --bruteforce-ns (defaults to a built-in list)\n  --stealth               Skip SSRR/SSAR to reduce audit log footprint\n  --skip-ssar             Skip SSAR spot-checks only\n  --openai-key string     OpenAI API key (or OPENAI_API_KEY env var)\n  --openai-model string   OpenAI model (default \"gpt-4o\")\n  --skip-ai               Skip AI narrative generation\n```\n\n---\n\n## RBAC requirements\n\n**When running from a compromised pod**: No special RBAC needed. Creating SSRR and SSAR objects is granted to every authenticated identity by the built-in `system:basic-user` ClusterRole, so both work from any pod service account. The tool gracefully degrades if the SA can't list cluster objects — it still discovers permissions and generates findings from what's available.\n\n**For full enumeration** (recommended for the k8scout SA): read-only access defined in `deploy/rbac.yaml`:\n\n- `namespaces`, `nodes`: get, list\n- `serviceaccounts`, `secrets` (metadata only), `configmaps`: get, list\n- `pods`, `deployments`, `daemonsets`, `statefulsets`, `jobs`, `cronjobs`: get, list\n- `roles`, `rolebindings`, `clusterroles`, `clusterrolebindings`: get, list\n- `mutatingwebhookconfigurations`, `validatingwebhookconfigurations`: get, list\n\nSecret values are never read unless the identity has confirmed GET permission via SSAR. Note that Kubernetes RBAC cannot limit `get` or `list` on `secrets` to metadata: an identity granted those verbs receives the values, so treat the reviewer SA from `deploy/rbac.yaml` as able to read every secret it can list, and remove it once the audit is done.\n\n---\n\n## Beta feedback\n\nk8scout is in active development. If you hit a bug, false positive, or a detection gap in your cluster, please [open an issue](../../issues). 
False positives and missed paths are especially useful — include the anonymized finding JSON if possible.\n\n---\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk8scout%2Fk8scout","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk8scout%2Fk8scout","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk8scout%2Fk8scout/lists"}
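Added example, not k8scout's own code: the two recon-mode mechanics the embedded README above describes, the SelfSubjectAccessReview capability check behind `--recon` and the namespace-existence probe behind `--bruteforce-ns`, written against the raw Kubernetes REST API with only the Go standard library. The API server URL, the bearer token, the namespace names and the RBAC state served by `NewFakeAPIServer` are all constructed for this example; k8scout's own check list and probe order are not reproduced.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Recon talks to one API server as one bearer identity (from a pod: its projected SA token).
type Recon struct {
	Base, Token string
	Client      *http.Client
}
func (r *Recon) do(method, path string, body []byte) (*http.Response, error) {
	req, err := http.NewRequest(method, r.Base+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header = http.Header{"Authorization": {"Bearer " + r.Token}, "Content-Type": {"application/json"}}
	return r.Client.Do(req)
}

// Can posts one authorization.k8s.io/v1 SelfSubjectAccessReview and returns status.allowed; every authenticated
// identity may do this (system:basic-user). A "pods/exec" resource is split into resource and subresource.
func (r *Recon) Can(ns, group, resource, verb string) (bool, error) {
	res, sub, _ := strings.Cut(resource, "/")
	body, _ := json.Marshal(map[string]any{"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
		"spec": map[string]any{"resourceAttributes": map[string]string{
			"namespace": ns, "verb": verb, "group": group, "resource": res, "subresource": sub}}})
	resp, err := r.do(http.MethodPost, "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", body)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK { // a real server answers 201
		return false, fmt.Errorf("ssar: HTTP %d", resp.StatusCode) // e.g. 401 once the token has expired
	}
	var rv struct{ Status struct{ Allowed bool } } // encoding/json matches field names case-insensitively
	err = json.NewDecoder(resp.Body).Decode(&rv)
	return rv.Status.Allowed, err
}

// ProbeNamespace reads objects every namespace has, stopping at the first 200. Authorization runs before the
// existence check, so 403 proves nothing; only 200 ("confirmed") and 404 ("absent", needs a cluster-wide verb) do.
func (r *Recon) ProbeNamespace(name string) (string, error) {
	verdict := "unknown"
	for _, p := range []string{"", "/serviceaccounts/default", "/configmaps/kube-root-ca.crt"} {
		resp, err := r.do(http.MethodGet, "/api/v1/namespaces/"+name+p, nil)
		if err != nil {
			return verdict, err
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK {
			return "confirmed", nil
		} else if resp.StatusCode == http.StatusNotFound {
			verdict = "absent"
		}
	}
	return verdict, nil
}

// NewFakeAPIServer is a constructed stand-in for kube-apiserver, not a real cluster: the caller may list/exec pods,
// get secrets and patch deployments in "payments", read the default SA only there, and read ConfigMaps cluster-wide.
func NewFakeAPIServer() *httptest.Server {
	allow := map[string]bool{"payments||pods||list": true, "payments||pods|exec|create": true, "payments||secrets||get": true, "payments|apps|deployments||patch": true}
	mux := http.NewServeMux()
	mux.HandleFunc("/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", func(w http.ResponseWriter, req *http.Request) {
		var rv struct{ Spec struct{ ResourceAttributes map[string]string } }
		json.NewDecoder(req.Body).Decode(&rv) // fixture: an unparseable body simply reads as "denied"
		a := rv.Spec.ResourceAttributes
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, `{"status":{"allowed":%v}}`, allow[strings.Join([]string{a["namespace"], a["group"], a["resource"], a["subresource"], a["verb"]}, "|")])
	})
	mux.HandleFunc("/api/v1/namespaces/", func(w http.ResponseWriter, req *http.Request) {
		ns, obj, _ := strings.Cut(strings.TrimPrefix(req.URL.Path, "/api/v1/namespaces/"), "/")
		switch {
		case obj == "serviceaccounts/default" && ns == "payments": // RoleBinding in payments only
			fmt.Fprint(w, `{"kind":"ServiceAccount"}`)
		case obj == "configmaps/kube-root-ca.crt" && (ns == "payments" || ns == "staging" || ns == "kube-system"):
			fmt.Fprint(w, `{"kind":"ConfigMap"}`) // ClusterRoleBinding: authz passes and the object exists...
		case obj == "configmaps/kube-root-ca.crt":
			w.WriteHeader(http.StatusNotFound) // ...or authz passes and the existence check is reached
		default: // the namespace object itself, and anything else: 403 whether or not it exists
			w.WriteHeader(http.StatusForbidden)
		}
	})
	return httptest.NewServer(mux)
}
func main() {
	srv := NewFakeAPIServer()
	defer srv.Close()
	r := &Recon{Base: srv.URL, Token: "constructed-token", Client: srv.Client()}
	ok, _ := r.Can("payments", "", "pods/exec", "create")
	v, _ := r.ProbeNamespace("ghost")
	fmt.Println("create pods/exec in payments:", ok, "| namespace ghost:", v)
}
```

Run it with `go run`. From inside a real pod, `Base` is `https://kubernetes.default.svc`, `Token` is the contents of `/var/run/secrets/kubernetes.io/serviceaccount/token`, and the HTTP client must trust the `ca.crt` that sits beside it. Every SSAR and every probe GET is a separate API request attributed to the pod's service account in the audit log, which is the footprint the README's `--stealth` flag exists to reduce; the probe deliberately keeps walking after a 403 because a later object may still be readable through a different binding.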