Source: https://github.com/SnailSploit/KubeRoast_v1 (GitHub; Python; MIT license; default branch `main`; created 2025-08-10; last pushed 2026-05-08; homepage https://snailsploit.com)

Repository description: From-scratch, red-team–oriented Kubernetes misconfiguration & attack-path scanner. Fast, readable, and opinionated toward real-world escalation paths.

Topics: cloud-security, container-security, k8s, kubernetes, kubernetes-scanner, misconfiguration-scanner, penetration-testing, privilege-escalation, python, red-teaming

Repository files: `README.md`, `LICENSE` (no SECURITY, CHANGELOG or CONTRIBUTING file at sync time).

---

<p align="center">
  <img src="https://img.shields.io/badge/python-3.9%2B-blue?style=flat-square&logo=python&logoColor=white" alt="Python 3.9+">
  <img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="MIT License">
  <img src="https://img.shields.io/badge/tests-38%20passed-brightgreen?style=flat-square" alt="Tests">
  <img src="https://img.shields.io/badge/version-0.2.0-orange?style=flat-square" alt="Version">
</p>

<h1 align="center">KubeRoast</h1>

<p align="center">
  <strong>Red-team Kubernetes misconfiguration & attack-path scanner</strong><br>
  Fast, opinionated, read-only. Built for real-world escalation paths.
</p>

<p align="center">
  <a href="#quick-start">Quick Start</a> &bull;
  <a href="#what-it-finds">What It Finds</a> &bull;
  <a href="#usage">Usage</a> &bull;
  <a href="#cicd-integration">CI/CD</a> &bull;
  <a href="#output-formats">Output</a> &bull;
  <a href="#contributing">Contributing</a>
</p>

---

> **Ethical use only.** Run KubeRoast only on clusters you own or have explicit written permission to test.

## Why KubeRoast

Most Kubernetes security scanners generate noise. KubeRoast focuses on **what actually gets you owned** — privilege escalation paths, exposed kubelets, over-permissioned RBAC, network services open to the internet, and secrets sitting in plain sight. It reads, never writes: every check is a `get`/`list` against the API server, plus a TCP probe of each node's kubelet ports for the node checks. Nothing is created, patched or deleted, so it is safe to run in production. If outbound probes or reads of `Secret` objects are not acceptable in your environment, pass `--skip-nodes` or `--skip-secrets`.

## Quick Start

```bash
# Install
git clone https://github.com/SnailSploit/KubeRoast_v1.git
cd KubeRoast_v1
pip install -e .

# Scan your cluster
kuberoast --report text
```

That's it. KubeRoast picks up your current kubeconfig context automatically, so check `kubectl config current-context` first if you have access to more than one cluster.

## What It Finds

KubeRoast runs **30+ security checks** across 7 categories. Every finding includes severity, a description, actionable remediation, and reference links.

### Pod Security (11 checks)

| ID | Finding | Severity |
|---|---|---|
| `POD-PRIV` | Privileged container | Critical |
| `POD-ROOT` | Container runs as root (`runAsUser=0`) | High |
| `POD-PE` | `allowPrivilegeEscalation` not disabled | High/Medium |
| `POD-HOSTNS` | Pod uses host namespaces (network/PID/IPC) | High |
| `POD-CAPS` | Dangerous Linux capabilities (`SYS_ADMIN`, `SYS_PTRACE`, etc.) | High |
| `POD-HOSTPATH` | hostPath volume mounted | High |
| `POD-RWFS` | Writable root filesystem | Medium |
| `POD-NO-SECCOMP` | No seccomp profile configured | Medium |
| `POD-NO-LIMITS` | No CPU/memory resource limits | Medium |
| `POD-SATOKEN` | Service account token automount not disabled | Low |
| `POD-NO-APPARMOR` | No AppArmor profile configured | Low |

### RBAC (5 checks)

| ID | Finding | Severity |
|---|---|---|
| `RBAC-ANON` | Anonymous or wildcard user bound | Critical |
| `RBAC-CLUSTER-ADMIN` | `cluster-admin` granted via binding | Critical |
| `RBAC-ESCALATION-VERB` | Escalation verbs (`bind`/`escalate`/`impersonate`) | Critical |
| `RBAC-WILDCARD` | Wildcard `*` in role rules | High |
| `RBAC-SENSITIVE-WRITE` | Write access to sensitive resources | High |

### Attack Path Modeling (1 composite check)

| ID | Finding | Severity |
|---|---|---|
| `AP-RBAC-ESC` | RBAC permissions enable privilege escalation | Critical |

Maps every principal (especially ServiceAccounts) to concrete escalation abilities — bind, escalate, impersonate, create pods + read secrets, exec/attach, modify nodes — and links SAs back to the pods running them. The RBAC checks above flag individual rules; this check is about combinations, such as a ServiceAccount that can both create pods and read secrets in the same namespace and is mounted into a running pod.

### Network Exposure (5 checks)

| ID | Finding | Severity |
|---|---|---|
| `NET-LB-OPEN` | LoadBalancer without `loadBalancerSourceRanges` | High |
| `NET-EXTERNAL-IP` | Service with `externalIPs` | High |
| `NET-INGRESS-NO-TLS` | Ingress without TLS | High |
| `NET-NODEPORT` | Service exposed via NodePort | Medium |
| `NET-INGRESS-WILDCARD` | Ingress with wildcard host | Medium |

### Node Security (2 checks)

| ID | Finding | Severity |
|---|---|---|
| `NODE-KUBELET-RO` | Kubelet read-only port 10255 reachable | Critical |
| `NODE-KUBELET-API` | Kubelet API port 10250 reachable | Medium |

Port 10255 answers without authentication, which is why reachability alone is rated critical; port 10250 requires authentication by default, so reachability by itself is only medium. Both checks are network probes from the host running KubeRoast, so a firewalled kubelet port shows up as a timeout rather than a finding (see Troubleshooting). Node probes run concurrently for fast scanning across large clusters.

### Secrets (3 checks)

| ID | Finding | Severity |
|---|---|---|
| `SECRET-SENSITIVE` | Opaque secret contains credential-like keys | Medium |
| `SECRET-DOCKER-HUB` | Docker Hub credentials in secret | Medium |
| `SECRET-TLS-MANUAL` | TLS secret not managed by cert-manager | Low |

### Policy & PSS (2 checks)

| ID | Finding | Severity |
|---|---|---|
| `POLICY-NONE` | No policy engine (Kyverno/Gatekeeper) detected | High |
| `PSS-NOT-ENFORCED` | Namespace lacks Pod Security Admission labels | High/Info |

System namespaces (`kube-system`, etc.) are flagged at `info` severity with tailored remediation.

## Usage

```
kuberoast [OPTIONS]
```

### Flags

| Flag | Default | Description |
|---|---|---|
| `--report {json,text,html}` | `json` | Output format |
| `--out FILE` | — | Write report to file (required for HTML) |
| `--kubeconfig PATH` | — | Path to kubeconfig (defaults to `~/.kube/config`) |
| `-n, --namespace NS` | — | Limit scan to a single namespace |
| `--min-severity {info,low,medium,high,critical}` | `info` | Filter out findings below this severity |
| `--fail-on {info,low,medium,high,critical}` | — | Exit code 1 if any finding meets this threshold |
| `--skip-nodes` | `false` | Skip kubelet port probes |
| `--skip-secrets` | `false` | Skip secret inspection |
| `--skip-attack-paths` | `false` | Skip RBAC attack-path analysis |
| `--provider {generic,eks,aks,gke}` | `generic` | Cloud provider hint for remediation wording |
| `-v, --verbose` | `false` | Progress logging to stderr |

### Examples

**Quick text scan of the default namespace:**
```bash
kuberoast -n default --report text
```

**Full cluster scan, only high and critical:**
```bash
kuberoast --min-severity high --report text
```

**HTML report for the security team:**
```bash
kuberoast --report html --out report.html
```

**CI gate — fail the pipeline on critical findings:**
```bash
kuberoast --fail-on critical --report json > results.json
```

**Verbose scan, skip node probes (faster):**
```bash
kuberoast -v --skip-nodes --report text
```

## CI/CD Integration

KubeRoast is designed to gate deployments. Use `--fail-on` to set the threshold:

```yaml
# GitHub Actions example
- name: Security scan
  run: |
    pip install -e .
    kuberoast --fail-on high --report json > kuberoast-results.json
```

The job needs a kubeconfig for the target cluster (via `KUBECONFIG` or `--kubeconfig`), and the step above assumes the repository has already been checked out so that `pip install -e .` finds it.

### Exit Codes

| Code | Meaning |
|---|---|
| `0` | Scan completed, no findings at or above `--fail-on` threshold |
| `1` | Findings met or exceeded `--fail-on` threshold |
| `2` | Usage error or runtime failure |

A `401`/`403` on an optional API (secrets, nodes) is not a runtime failure: the scan continues with partial results and still exits `0` or `1`. When using the exit code as a gate, run with `-v` at least once and confirm that no category is silently empty because the scanning identity lacks permissions.

## Output Formats

### JSON (default)
Machine-readable array of findings. Pipe to `jq` for filtering:
```bash
kuberoast | jq '[.[] | select(.severity == "critical")]'
```

### Text
Grouped by severity, with summary line and remediation per finding:
```
=== kuberoast scan: 12 findings (3 critical, 4 high, 5 medium) ===

--- CRITICAL (3) ---
  [CRITICAL] Privileged container
    Resource:    pod/prod/web-0::nginx
    Description: Container runs in privileged mode, granting broad access to the host kernel.
    Remediation: Remove privileged=true. Grant narrow capabilities only if needed.
```

### HTML
Dark-themed report with severity badges, sortable table, and remediation guidance. Open in any browser:
```bash
kuberoast --report html --out report.html && open report.html
```

## Findings Schema

Every finding follows a structured format:

```json
{
  "id": "POD-PRIV",
  "title": "Privileged container",
  "description": "Container runs in privileged mode, granting broad access to the host kernel.",
  "severity": "critical",
  "category": "Pod Security",
  "namespace": "prod",
  "resource": "pod/web-0::nginx",
  "metadata": {},
  "remediation": "Remove privileged=true. Grant narrow capabilities only if needed.",
  "references": ["https://kubernetes.io/docs/concepts/security/pod-security-standards/"]
}
```

**Severity levels:** `critical` > `high` > `medium` > `low` > `info`

**Categories:** Pod Security, RBAC, AttackPath, Network, Node, Secrets, Policy

## Kubernetes RBAC

KubeRoast only needs **read access**. Apply this minimal ClusterRole:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kuberoast-reader
rules:
  - apiGroups: [""]
    resources: [pods, secrets, nodes, namespaces, services]
    verbs: [get, list, watch]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [roles, rolebindings, clusterroles, clusterrolebindings]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kuberoast
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kuberoast-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuberoast-reader
subjects:
  - kind: ServiceAccount
    name: kuberoast
    namespace: default
```

Secrets and nodes are optional — KubeRoast continues gracefully if those APIs return 401/403.

Note that cluster-wide `get`/`list` on `secrets` is itself a high-value permission (the tool's own `AP-RBAC-ESC` check treats reading secrets as an escalation ingredient). Keep the `kuberoast` ServiceAccount token out of CI logs, remove the binding when the scan is done, or drop `secrets` from the role and run with `--skip-secrets`.

## Architecture

```
kuberoast/
  cli.py                      # CLI entry point, arg parsing, orchestration
  utils/
    findings.py               # Pydantic Finding model
    kube.py                   # K8s API clients, pagination, error handling
  scanners/
    pods.py                   # 11 pod-level security checks
    rbac.py                   # 5 RBAC hygiene checks
    network.py                # Service + Ingress exposure checks
    nodes.py                  # Concurrent kubelet port probes
    secrets.py                # Credential heuristics
    policy.py                 # Policy engine (Kyverno/Gatekeeper) detection
    pss.py                    # Pod Security Standards label checks
    shared.py                 # Container iteration helpers
  attackpaths/
    rbac_escalation.py        # RBAC privilege escalation graph
  reporting/
    json.py                   # JSON output
    text.py                   # Severity-grouped text output
    html.py                   # Dark-themed HTML report
tests/
  test_pods.py                # Pod scanner unit tests
  test_rbac.py                # RBAC scanner unit tests
  test_network.py             # Network scanner unit tests
  test_secrets.py             # Secret scanner unit tests
  test_pss.py                 # PSS scanner unit tests
  test_reporting.py           # Output format tests
```

## Troubleshooting

| Problem | Fix |
|---|---|
| `403/401` on some APIs | KubeRoast continues with partial results. Add RBAC permissions above. |
| No cluster found | Check `KUBECONFIG` or run `kubectl config get-contexts` |
| HTML requires `--out` | `kuberoast --report html --out report.html` |
| Slow on large clusters | Use `--skip-secrets`, `--skip-nodes`, or `-n <namespace>` to scope down |
| Node probes timing out | Kubelet ports may be firewalled. Use `--skip-nodes` |

## Roadmap

- CIS Kubernetes Benchmark tagging
- Provider-specific remediation (EKS/AKS/GKE)
- Offline manifest scanning (`--manifests`)
- Gatekeeper/Kyverno policy inventory & drift
- MITRE ATT&CK technique tags per finding
- Dockerfile for containerized scanning

## Contributing

PRs welcome. Please:

1. Add/update unit tests for each new rule
2. Ground severities in public guidance or reproducible attacker tradecraft
3. Keep remediation text explicit and actionable
4. Run `pytest` before submitting

## License

MIT — see [LICENSE](./LICENSE).

---

<p align="center">
  Built by <a href="https://github.com/SnailSploit">SnailSploit</a> / Kai Aizen
</p>

---

## 📚 Documentation & Author

This project's full writeup, methodology, and related research lives at:

**[https://snailsploit.com/tools](https://snailsploit.com/tools)**

Created by **Kai Aizen** — independent offensive security researcher.

[snailsploit.com](https://snailsploit.com) · [Research](https://snailsploit.com/research) · [Frameworks](https://snailsploit.com/frameworks) · [GitHub](https://github.com/SnailSploit) · [LinkedIn](https://linkedin.com/in/kaiaizen) · [ResearchGate](https://www.researchgate.net/profile/Kai-Aizen-2) · [X/Twitter](https://x.com/SnailSploit)

> *Same attack. Different substrate.*
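## Added worked examples

The three blocks below are added examples written for this page; they are not KubeRoast's own code and do not reproduce its implementation. They take Kubernetes objects as plain dicts in API shape (the form the Python client returns via `to_dict()`), operate on constructed sample data, and need only the standard library.

### Attack path modeling: from RBAC bindings to escalation abilities

The `AP-RBAC-ESC` check described under "Attack Path Modeling" combines permissions rather than scoring rules one at a time. This example shows the core of that idea: flatten every RoleBinding and ClusterRoleBinding into per-subject grants, evaluate the composite abilities the README names (bind, escalate, impersonate, create pods + read secrets, exec/attach, modify nodes) with correct wildcard and namespace-scope handling, and link ServiceAccounts back to pods that actually carry their token. The ability names, the `Grant` tuple and the scope suffix (`@prod`, `@*`) are this example's own conventions, not the tool's.

```python
"""Added example (not KubeRoast's code): a small RBAC attack-path mapper over dicts."""
from collections import defaultdict, namedtuple

RBAC = "rbac.authorization.k8s.io"
# Escalation verbs only matter on the resources they act on: "bind"/"escalate"
# on roles, "impersonate" on identities. A wildcard verb on pods is not impersonation.
ESCALATION_VERBS = {
    "bind": (RBAC, ("roles", "clusterroles")),
    "escalate": (RBAC, ("roles", "clusterroles")),
    "impersonate": ("", ("users", "groups", "serviceaccounts")),
}
# scope: "*" = cluster-wide (ClusterRoleBinding), otherwise the RoleBinding's namespace
Grant = namedtuple("Grant", "scope group resource verb")

def _match(pattern, value):
    # "*" matches anything; "pods" does NOT cover the "pods/exec" subresource.
    return pattern == "*" or pattern == value

def _expand(rules, scope):
    for rule in rules:
        for g in rule.get("apiGroups", [""]):
            for r in rule.get("resources", []):
                for v in rule.get("verbs", []):
                    yield Grant(scope, g, r, v)

def subject_key(s):
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount:{s.get('namespace', 'default')}:{s['name']}"
    return f"{s['kind']}:{s['name']}"

def collect_grants(roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Per-subject set of Grants, resolving each binding to the rules it references."""
    roles_by = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    crs_by = {r["metadata"]["name"]: r for r in cluster_roles}
    grants = defaultdict(set)
    for b in cluster_role_bindings:
        role = crs_by.get(b["roleRef"]["name"])
        for s in (b.get("subjects", []) if role else []):
            grants[subject_key(s)].update(_expand(role.get("rules", []), "*"))
    for b in role_bindings:
        ns, ref = b["metadata"]["namespace"], b["roleRef"]
        # A RoleBinding may reference a ClusterRole, but still grants it only inside `ns`.
        role = crs_by.get(ref["name"]) if ref["kind"] == "ClusterRole" else roles_by.get((ns, ref["name"]))
        for s in (b.get("subjects", []) if role else []):
            grants[subject_key(s)].update(_expand(role.get("rules", []), ns))
    return grants

def can(grants, group, resource, verb, scope):
    """True if some grant allows verb on group/resource in `scope`; cluster-wide grants apply everywhere."""
    return any(_match(g.group, group) and _match(g.resource, resource) and _match(g.verb, verb)
               and g.scope in ("*", scope) for g in grants)

def escalation_abilities(grants):
    found = defaultdict(set)
    # Composite abilities must line up in one scope: "create pods" in dev plus
    # "read secrets" only in prod is not a path. Cluster-wide grants count in every scope.
    for scope in {"*"} | {g.scope for g in grants}:
        for verb, (group, resources) in ESCALATION_VERBS.items():
            if any(can(grants, group, r, verb, scope) for r in resources):
                found[verb].add(scope)
        if can(grants, "", "pods", "create", scope) and (
                can(grants, "", "secrets", "get", scope) or can(grants, "", "secrets", "list", scope)):
            found["create-pods+read-secrets"].add(scope)
        if can(grants, "", "pods/exec", "create", scope) or can(grants, "", "pods/attach", "create", scope):
            found["exec/attach"].add(scope)
    if any(can(grants, "", "nodes", v, "*") for v in ("update", "patch", "delete")):
        found["modify-nodes"].add("*")  # nodes are cluster-scoped; namespaced grants are meaningless
    abilities = []
    for name, scopes in found.items():
        abilities += [f"{name}@*"] if "*" in scopes else [f"{name}@{s}" for s in sorted(scopes)]
    return sorted(abilities)

def pods_by_service_account(pods):
    """Link each SA to the pods that actually mount its token."""
    out = defaultdict(list)
    for p in pods:
        if p["spec"].get("automountServiceAccountToken", True) is False:
            continue  # no token in the pod, so the SA's RBAC is not reachable from it
        ns, name = p["metadata"]["namespace"], p["metadata"]["name"]
        out[f"ServiceAccount:{ns}:{p['spec'].get('serviceAccountName', 'default')}"].append(f"{ns}/{name}")
    return out

def map_attack_paths(roles, cluster_roles, role_bindings, cluster_role_bindings, pods):
    linked = pods_by_service_account(pods)
    result = {}
    for subject, g in collect_grants(roles, cluster_roles, role_bindings, cluster_role_bindings).items():
        abilities = escalation_abilities(g)
        if abilities:
            result[subject] = {"abilities": abilities, "pods": linked.get(subject, [])}
    return result

# Constructed sample cluster state (not from any real cluster).
CLUSTER_ROLES = [
    {"metadata": {"name": "secret-reader"}, "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "node-fixer"}, "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "patch"]}]},
    {"metadata": {"name": "impersonator"}, "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"metadata": {"name": "pod-viewer"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
ROLES = [
    {"metadata": {"namespace": "prod", "name": "deployer"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"metadata": {"namespace": "dev", "name": "builder"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]}]},
]
ROLE_BINDINGS = [
    {"metadata": {"namespace": "prod", "name": "deployer"}, "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "prod", "name": "ci"}]},
    {"metadata": {"namespace": "dev", "name": "builder"}, "roleRef": {"kind": "Role", "name": "builder"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "builder"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "builder-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "builder"}]},
    {"metadata": {"name": "node-fixer"}, "roleRef": {"kind": "ClusterRole", "name": "node-fixer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "node-fixer"}]},
    {"metadata": {"name": "alice-impersonate"}, "roleRef": {"kind": "ClusterRole", "name": "impersonator"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "everyone-pods"}, "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]
PODS = [
    {"metadata": {"namespace": "prod", "name": "ci-runner"}, "spec": {"serviceAccountName": "ci"}},
    {"metadata": {"namespace": "dev", "name": "build-1"}, "spec": {"serviceAccountName": "builder"}},
    {"metadata": {"namespace": "dev", "name": "build-2"}, "spec": {"serviceAccountName": "builder", "automountServiceAccountToken": False}},
]

def demo():
    return map_attack_paths(ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS, PODS)
```

Two details carry most of the value. The `dev/builder` ServiceAccount gets `create-pods+read-secrets@dev` only because its cluster-wide secret read lines up with a namespaced pod-create grant; the same pod-create in `dev` plus a secret read confined to `prod` would not be reported. And `dev/build-2` is not listed under that SA because its token is not mounted, which is exactly the distinction the `POD-SATOKEN` check is about.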
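### Pod security checks, the findings schema and the `--fail-on` gate

The "Pod Security" table, the "Findings Schema" and the "Exit Codes" section together describe one pipeline: walk every container, emit findings in the documented shape, drop those below `--min-severity`, and turn the rest into an exit code. This added example (not KubeRoast's code) implements a subset of the pod checks (`POD-PRIV`, `POD-ROOT`, `POD-PE`, `POD-HOSTNS`, `POD-CAPS`, `POD-HOSTPATH`, `POD-SATOKEN`) over a pod dict and shows two edge cases a scanner must get right: `initContainers` are scanned like any other container, and a container-level `securityContext` overrides the pod-level one field by field, so a pod-level `runAsUser: 0` makes every container root unless the container sets its own. The capability list, the High/Medium rule for `POD-PE` and the remediation strings are this example's assumptions, not the tool's.

```python
"""Added example (not KubeRoast's code): pod checks plus severity filtering and gating."""

# Assumed "dangerous" set; the README names SYS_ADMIN and SYS_PTRACE and says "etc."
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "ALL"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def finding(fid, title, severity, namespace, resource, remediation):
    # Same field set as the README's findings schema (references omitted here).
    return {"id": fid, "title": title, "severity": severity, "category": "Pod Security",
            "namespace": namespace, "resource": resource, "metadata": {}, "remediation": remediation}

def effective_run_as_user(pod_sc, container_sc):
    # Container securityContext overrides the pod's field by field; absent means "inherit".
    return container_sc["runAsUser"] if "runAsUser" in container_sc else pod_sc.get("runAsUser")

def scan_pod(pod):
    meta, spec = pod["metadata"], pod["spec"]
    ns, res = meta["namespace"], f"pod/{meta['name']}"
    pod_sc = spec.get("securityContext", {})
    out = []
    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        out.append(finding("POD-HOSTNS", f"Pod uses host namespaces ({', '.join(host_ns)})", "high", ns, res,
                           "Remove host namespace sharing; a node-level agent or sidecar usually suffices."))
    paths = [v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v]
    if paths:
        out.append(finding("POD-HOSTPATH", f"hostPath volume mounted: {', '.join(paths)}", "high", ns, res,
                           "Replace hostPath with a PVC, configMap or emptyDir and enforce via Pod Security Admission."))
    if spec.get("automountServiceAccountToken", True):
        out.append(finding("POD-SATOKEN", "Service account token automount not disabled", "low", ns, res,
                           "Set automountServiceAccountToken: false unless the workload calls the API."))
    # initContainers share the pod-level context and are easy to forget.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        csc, cres = c.get("securityContext", {}), f"{res}::{c['name']}"
        root = effective_run_as_user(pod_sc, csc) == 0
        if csc.get("privileged"):
            out.append(finding("POD-PRIV", "Privileged container", "critical", ns, cres,
                               "Remove privileged=true. Grant narrow capabilities only if needed."))
        if root:
            out.append(finding("POD-ROOT", "Container runs as root (runAsUser=0)", "high", ns, cres,
                               "Set runAsNonRoot: true and a non-zero runAsUser."))
        if csc.get("allowPrivilegeEscalation", True):  # unset defaults to true
            out.append(finding("POD-PE", "allowPrivilegeEscalation not disabled", "high" if root else "medium",
                               ns, cres, "Set allowPrivilegeEscalation: false."))
        caps = set(csc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if caps:
            out.append(finding("POD-CAPS", f"Dangerous capabilities: {', '.join(sorted(caps))}", "high", ns, cres,
                               "Drop ALL capabilities and add back only what the workload needs."))
    return out

def filter_min_severity(findings, min_severity="info"):
    """Equivalent of --min-severity: keep findings at or above the floor."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]

def exit_code(findings, fail_on=None):
    """Equivalent of --fail-on: 1 if any finding meets the threshold, else 0 (no threshold: always 0)."""
    if fail_on is None:
        return 0
    return 1 if any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] for f in findings) else 0

def summary(findings):
    """Per-severity counts, like the header line of the text report."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

# Constructed sample pod: pod-level root, one privileged container, one hardened sidecar,
# and an init container that inherits root and adds SYS_ADMIN.
SAMPLE_POD = {
    "metadata": {"namespace": "prod", "name": "web-0"},
    "spec": {
        "hostPID": True,
        "securityContext": {"runAsUser": 0},
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "initContainers": [{"name": "init", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
        "containers": [
            {"name": "nginx", "securityContext": {"privileged": True}},
            {"name": "sidecar", "securityContext": {"runAsUser": 1000, "allowPrivilegeEscalation": False,
                                                     "capabilities": {"add": ["NET_ADMIN"]}}},
        ],
    },
}

def demo(fail_on="critical", min_severity="high"):
    kept = filter_min_severity(scan_pod(SAMPLE_POD), min_severity)
    return {"findings": kept, "summary": summary(kept), "exit_code": exit_code(kept, fail_on)}
```

Running `demo()` on the sample pod yields ten findings before filtering (one critical, eight high, one low); with `--min-severity high` the low `POD-SATOKEN` drops out and `--fail-on critical` still trips on the privileged `nginx` container. Note that filtering is applied before gating, matching the flag semantics, so a `--min-severity` above `--fail-on` can never hide a gate-tripping finding.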
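### Secrets heuristics without leaking secret values

The "Secrets" table lists three checks that all work from metadata rather than plaintext: credential-like key names in `Opaque` secrets, Docker Hub registries in `kubernetes.io/dockerconfigjson` secrets, and `kubernetes.io/tls` secrets that cert-manager does not manage. This added example (not KubeRoast's code) implements those three heuristics and handles the practical failure modes: secret `data` values are base64, a `.dockerconfigjson` may be undecodable or not JSON, and the finding's `metadata` must carry key names and registry hosts only, never decoded values. The key-name regex, the Docker Hub host list and the assumption that cert-manager-managed secrets carry `cert-manager.io/` annotations are this example's own choices.

```python
"""Added example (not KubeRoast's code): metadata-only secret heuristics over Secret dicts."""
import base64
import json
import re

# Assumed credential-like key pattern; matched against key NAMES, never values.
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|credential", re.I)
# Hosts under which Docker Hub credentials appear in a docker config "auths" map (assumed list).
DOCKER_HUB_HOSTS = {"https://index.docker.io/v1/", "index.docker.io", "docker.io", "registry-1.docker.io"}
# Assumption: secrets issued by cert-manager carry annotations under this prefix.
MANAGED_ANNOTATION_PREFIX = "cert-manager.io/"

def _finding(fid, title, severity, ns, name, metadata, remediation):
    return {"id": fid, "title": title, "severity": severity, "category": "Secrets",
            "namespace": ns, "resource": f"secret/{name}", "metadata": metadata, "remediation": remediation}

def _decode(b64):
    """Strict base64 decode; None on garbage instead of an exception that aborts the scan."""
    try:
        return base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return None

def docker_registries(secret):
    """Registry hosts named in a dockerconfigjson secret, or [] if the payload is undecodable."""
    raw = _decode(secret.get("data", {}).get(".dockerconfigjson", ""))
    if raw is None:
        return []
    try:
        cfg = json.loads(raw)
    except ValueError:
        return []
    return sorted(cfg.get("auths", {}).keys()) if isinstance(cfg, dict) else []

def scan_secret(secret):
    meta = secret["metadata"]
    ns, name, stype = meta["namespace"], meta["name"], secret.get("type", "Opaque")
    keys = sorted(secret.get("data", {}).keys())
    out = []
    if stype == "Opaque":
        hits = [k for k in keys if CREDENTIAL_KEY.search(k)]
        if hits:  # report which keys matched, not what they contain
            out.append(_finding("SECRET-SENSITIVE", "Opaque secret contains credential-like keys", "medium",
                                ns, name, {"keys": hits}, "Move credentials to an external secret store or KMS-backed provider."))
    elif stype == "kubernetes.io/dockerconfigjson":
        hubs = [h for h in docker_registries(secret) if h in DOCKER_HUB_HOSTS]
        if hubs:
            out.append(_finding("SECRET-DOCKER-HUB", "Docker Hub credentials in secret", "medium",
                                ns, name, {"registries": hubs}, "Use a scoped access token and rotate it; prefer a private registry."))
    elif stype == "kubernetes.io/tls":
        if not any(a.startswith(MANAGED_ANNOTATION_PREFIX) for a in meta.get("annotations", {})):
            out.append(_finding("SECRET-TLS-MANUAL", "TLS secret not managed by cert-manager", "low",
                                ns, name, {"keys": keys}, "Issue the certificate through cert-manager so it rotates automatically."))
    return out

def scan_all(secrets):
    """namespace/name -> list of finding ids."""
    return {f"{s['metadata']['namespace']}/{s['metadata']['name']}": [f["id"] for f in scan_secret(s)] for s in secrets}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

def _dockercfg(host):
    return _b64(json.dumps({"auths": {host: {"auth": _b64("user:pass")}}}))

# Constructed sample secrets (values are throwaway strings, not real credentials).
SAMPLE_SECRETS = [
    {"metadata": {"namespace": "prod", "name": "db-creds"}, "type": "Opaque",
     "data": {"username": _b64("app"), "DB_PASSWORD": _b64("hunter2")}},
    {"metadata": {"namespace": "prod", "name": "app-config"}, "type": "Opaque",
     "data": {"config.yaml": _b64("debug: false")}},
    {"metadata": {"namespace": "prod", "name": "regcred"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _dockercfg("https://index.docker.io/v1/")}},
    {"metadata": {"namespace": "prod", "name": "ghcr"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _dockercfg("ghcr.io")}},
    {"metadata": {"namespace": "prod", "name": "broken"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": "not-base64!"}},
    {"metadata": {"namespace": "prod", "name": "web-tls"}, "type": "kubernetes.io/tls",
     "data": {"tls.crt": _b64("cert"), "tls.key": _b64("key")}},
    {"metadata": {"namespace": "prod", "name": "api-tls", "annotations": {"cert-manager.io/certificate-name": "api"}},
     "type": "kubernetes.io/tls", "data": {"tls.crt": _b64("cert"), "tls.key": _b64("key")}},
]
```

`scan_all(SAMPLE_SECRETS)` flags `db-creds`, `regcred` and `web-tls` and leaves the rest alone, including the malformed `broken` secret. The important property for a tool that ships its output to CI logs or an HTML report is that no decoded value ever reaches a finding: key names and registry hosts are enough to act on, and the `hunter2` placeholder above never appears in the serialized results.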