{"id":37787343,"url":"https://github.com/xopham/k8tlery","last_synced_at":"2026-01-16T15:13:38.309Z","repository":{"id":196636967,"uuid":"694732297","full_name":"xopham/k8tlery","owner":"xopham","description":"Dissect container images, runtimes, and orchestrators.","archived":false,"fork":false,"pushed_at":"2023-10-11T13:24:25.000Z","size":1095,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2023-10-11T18:31:21.059Z","etag":null,"topics":["docker","kubernetes","security","security-tools"],"latest_commit_sha":null,"homepage":"https://xopham.github.io/k8tlery/","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xopham.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":"audits/docker-bench-security/deployment.yaml","citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-09-21T15:22:39.000Z","updated_at":"2023-10-20T13:36:39.113Z","dependencies_parsed_at":null,"dependency_job_id":"519aa030-8273-4eae-8b8f-96888ef75417","html_url":"https://github.com/xopham/k8tlery","commit_stats":null,"previous_names":["xopham/k8tlery"],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/xopham/k8tlery","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xopham%2Fk8tlery","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xopham%2Fk8tlery/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xopham%2Fk8tlery/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xopham%2Fk8tlery/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xopham","download_url":"https://codeload.github.com/xopham/k8tlery/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xopham%2Fk8tlery/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28479406,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","kubernetes","security","security-tools"],"created_at":"2026-01-16T15:13:37.497Z","updated_at":"2026-01-16T15:13:38.288Z","avatar_url":"https://github.com/xopham.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# k8tlery\n\n![](docs/assets/textlogo.png)\n![](assets/textlogo.png)\n\nDissect container images, runtimes, and orchestrators.\n\n## Inventory\n\n| tool          | scope         | description   |\n| ------------- | ------------- | ------------- |\n| [trivy](https://github.com/aquasecurity/trivy) |  | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more. |\n| [syft](https://github.com/anchore/syft) |  | CLI tool and library for generating a Software Bill of Materials from container images and filesystems. |\n| [grype](https://github.com/anchore/grype) |  | A vulnerability scanner for container images and filesystems. |\n| [kube-bench](https://github.com/aquasecurity/kube-bench) |  | Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. |\n| [checkov](https://github.com/bridgecrewio/checkov) |  | Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. |\n| [kubeaudit](https://github.com/Shopify/kubeaudit) |  | kubeaudit helps you audit your Kubernetes clusters against common security controls. |\n| [cosign](https://github.com/sigstore/cosign) |  | Container Signing. |\n| [kdigger](https://github.com/quarkslab/kdigger) |  | Kubernetes focused container assessment and context discovery tool for penetration testing. |\n| [kubectl](https://kubernetes.io/docs/reference/kubectl/) |  | Kubernetes provides a command line tool for communicating with a Kubernetes cluster's control plane, using the Kubernetes API. |\n| [docker](https://github.com/docker/cli) |  | Command line interface for interacting with docker container images. |\n| [podman](https://github.com/containers/podman) |  | A tool for managing OCI containers and pods. |\n| [dive](https://github.com/wagoodman/dive) |  | A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image. |\n| [crictl](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) |  | CLI and validation tools for Kubelet Container Runtime Interface (CRI). |\n| [KubiScan](https://github.com/cyberark/KubiScan) |  | A tool to scan Kubernetes cluster for risky permissions. |\n| [Docker Bench Security](https://github.com/docker/docker-bench-security) |  | The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. |\n| [peirates](https://github.com/inguardians/peirates) |  | Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service account tokens, secrets, obtain further code execution, and gain control of the cluster. |\n| [TruffleHog](https://github.com/trufflesecurity/trufflehog) |  | Find and verify credentials. |\n| [TruffleHog3](https://github.com/feeltheajf/trufflehog3) |  | This is an enhanced version of the Python-based truffleHog scanner. |\n| [Popeye](https://github.com/derailed/popeye) |  | A Kubernetes cluster resource sanitizer. |\n| [k9s](https://github.com/derailed/k9s) |  | Kubernetes CLI To Manage Your Clusters In Style. |\n| [Hadolint](https://github.com/hadolint/hadolint) |  | Dockerfile linter, validate inline bash, written in Haskell. |\n| [Conftest](https://github.com/open-policy-agent/conftest) |  | Write tests against structured configuration data using the Open Policy Agent Rego query language. |\n| [audit2rbac](https://github.com/liggitt/audit2rbac) |  | Autogenerate RBAC policies based on Kubernetes audit logs. |\n| [kubeshark](https://github.com/kubeshark/kubeshark) |  | The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes. |\n| [hardeneks](https://github.com/aws-samples/hardeneks) |  | Runs checks to see if an EKS cluster follows EKS Best Practices. |\n| [amicontained](https://github.com/genuinetools/amicontained) |  | Container introspection tool. Find out what container runtime is being used as well as features available. |\n| [kubesec](https://github.com/controlplaneio/kubesec) |  | Security risk analysis for Kubernetes resources. |\n| [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can) |  | Show who has RBAC permissions to perform actions on different resources in Kubernetes. |\n| [etcdctl](https://github.com/etcd-io/etcd/tree/main/etcdctl) |  | etcdctl is a command line client for etcd. |\n| [gitleaks](https://github.com/gitleaks/gitleaks) |  | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. |\n| [kubeletctl](https://github.com/cyberark/kubeletctl) |  | Kubeletctl is a command line tool that implement kubelet's API. Part of kubelet's API is documented but most of it is not. This tool covers all the documented and undocumented APIs. |\n| [kube-hunter](https://github.com/aquasecurity/kube-hunter) |  | Hunt for security weaknesses in Kubernetes clusters. |\n| [netassert](https://github.com/controlplaneio/netassert) |  | Network security testing for Kubernetes DevSecOps workflows. |\n| [truffleproc](https://github.com/controlplaneio/truffleproc) |  | hunt secrets in process memory (TruffleHog \u0026 gdb mashup) |\n| [checkpointctl](https://github.com/checkpoint-restore/checkpointctl) |  | Tool to inspect Kubernetes and Podman checkpoints. |\n| [...]() |  | ... |\n\n## Build \u0026 push\n\n* build\n```bash\ndocker buildx build -t ghcr.io/xopham/k8tlery:$K8TLERY_VERSION -t ghcr.io/xopham/k8tlery:latest .\n```\n* push\n```\ndocker push ghcr.io/xopham/k8tlery --all-tags\n```\n* re-tag\n```bash\nfind ./ -type f -exec sed -i \"s%ghcr\\.io\\/xopham\\/k8tlery\\:v.*%ghcr\\.io\\/xopham\\/k8tlery\\:$K8TLERY_VERSION%g\" {} \\;\n```\n\n## Usage\n\n### nix-shell\n\n```bash\nnix-shell k8tlery.nix\n```\n\n### Docker\n\n```bash\ndocker -it --rm ghcr.io/xopham/k8tlery:\u003ctag\u003e\n```\n\n### Cluster\n\n```bash\nkubectl apply -f deployment/\n#or\nkubectl apply -f deployment/01-roles.yaml\nkubectl apply -f deployment/02-k8tlery.yaml\n#or\nkubectl apply -f deployment/01-roles.yaml\nkubectl apply -f deployment/03-k8tlery-fullaccess.yaml\n```\n\n```bash\nkubectl exec -it k8tlery -- bash\n```\n\n## Audit\n\n### Container image forensics\n\n* download and save image\n```bash\ndocker pull $IMAGE\ndocker save $IMAGE \u003e image.tar\ndocker image ls\n```\n* inspect image content\n```bash\ndocker inspect $IMAGE\ndocker history --no-trunc $IMAGE\n```\n* inspect image layers (dive)\n```bash\ndive $IMAGE\n```\n* extract file from image.tar (nix-shell custom functions)\n```bash\nlayer_list $IMAGETAR $LAYERID $FILE  #run 'layer_list' for help\nlayer_extract $IMAGETAR $LAYERID $FILE  #run 'layer_list' for help\n\n```\n* create container w/o running it\n```bash\ndocker create --name container $IMAGE  #returns container ID CONTID\ndocker container ls -a  #displays all available container IDs\n```\n* inspect container filesystems\n```bash\nmkdir $FOLDER\ndocker export $CONTID | tar -xC $FOLDER  #make sure to unpac to dedicated folder\nls -la $FOLDER\n```\n\n### Container forensics\n* create checkpoint of running container w/o interruption, e.g.:\n```bash\nsudo podman container checkpoint -e $OUTPUTFILE $CONTID --leave-running\n```\n* investigate checkpoint (checkpointctl)\n    * get info\n    ```\n    checkpointctl show $OUTPUTFILE\n    ```\n    * get full details\n    ```\n    checkpointctl inspect $OUTPUTFILE --all\n    ```\n    * parse memory\n    ```bash\n    checkpointctl memparse #OUTPUTFILE --all\n    ```\n    * inspect container drift\n    ```bash\n    tar -xf $OUTPUTFILE -C $TARGETFOLDER\n    tar -xf $TARGETFOLDER/rootfs-diff.tar $DIFFFOLDER\n    ```\n\n### Cluster information gathering\n\n* misconfiguration scan\n    * trivy\n    ```bash\n    trivy k8s --report summary cluster\n    ```\n\n### Pod/container information gathering\n\n* container runtime\n```bash\ncat /proc/self/cgroup\n```\n* container runtime sockets (might be slow)\n```bash\nfind /run -type f -name \"*.sock\"  #adjust target folder\n# also need to review '/run' folder manually\n```\n* hosts information\n```bash\ncat /etc/hosts\n```\n* mount information\n```bash\nmount\n```\n* file system\n```bash\nls -la /\nls -la /home/\nls -la /root/\nls -la /tmp/\n```\n* environment variables\n```bash\nprintenv\n```\n* k8s information\n    * kdigger\n    ```bash\n    curl -fSL -o /tmp/kdigger https://github.com/quarkslab/kdigger/releases/download/v1.5.0/kdigger-linux-amd64\n    chmod +x /tmp/kdigger\n    alias kdigger='/tmp/kdigger'\n    kdigger dig all\n    ```\n    * kube-hunter\n    ```bash\n    pip3 install kube-hunter\n    kube-hunter --pod\n    ```\n* secrets (trufflehog3)\n```bash\npip3 install trufflehog3\ntrufflehog3 /var/run  #choose relevant target folders\n```\n    * custom rule\n    ```\n    #k8s-goat.rule\n    - id: k8s-goat.flag\n      message: found k8s-goat flag\n      pattern: \"k8s-goat-\"\n      severity: HIGH\n    ```\n    ```bash\n    trufflehog3 -r k8s-goat.rule /tmp  #adjust rule and target\n    ```\n* secrets from process memory (truffleproc): _needs work_\n* vulnerable packages (trivy)\n```bash\ncurl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin\ntrivy rootfs /\n```\n* k8s APIs\n    * curl\n    ```bash\n    APISERVER=https://${KUBERNETES_SERVICE_HOST}\n    SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount\n    NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)\n    TOKEN=$(cat ${SERVICEACCOUNT}/token)\n    CACERT=${SERVICEACCOUNT}/ca.crt\n    curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\" -X GET ${APISERVER}/api\n    ```\n    * peirates\n    ```bash\n    curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz\n    tar -xvf /tmp/peirates.tar.xz -C /tmp\n    chmod a+x /tmp/peirates-linux-amd64/peirates\n    alias peirates='/tmp/peirates-linux-amd64/peirates'\n    peirates\n    ```\n\n### Pod exploitation\n\n* resource exhaustion (DoS)\n```bash\nstress-ng --cpu 2 --cpu-load 1 --vm 2 --vm-bytes 100m -t 100s --verify -v  #adjust to use case\n```\n* various angles (peirates)\n```bash\ncurl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz\ntar -xvf /tmp/peirates.tar.xz -C /tmp\nchmod a+x /tmp/peirates-linux-amd64/peirates\nalias peirates='/tmp/peirates-linux-amd64/peirates'\npeirates\n```\n\n## References\n\n* [HackTricks](https://book.hacktricks.xyz/) (e.g. [pentesting docker](https://book.hacktricks.xyz/network-services-pentesting/2375-pentesting-docker), [pentesting kubernetes](https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security))\n* [Kubernetes Goat](https://madhuakula.com/kubernetes-goat/)\n* [OWASP Kubernetes Security CS](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxopham%2Fk8tlery","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxopham%2Fk8tlery","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxopham%2Fk8tlery/lists"}