{"id":13530924,"url":"https://github.com/zegl/kube-score","last_synced_at":"2025-05-14T02:06:33.038Z","repository":{"id":37458372,"uuid":"148997603","full_name":"zegl/kube-score","owner":"zegl","description":"Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.","archived":false,"fork":false,"pushed_at":"2025-04-07T11:41:46.000Z","size":1032,"stargazers_count":2883,"open_issues_count":47,"forks_count":183,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-04-23T18:43:46.936Z","etag":null,"topics":["analysis","automation","charts","ci","go","hacktoberfest","helm","k8s","kube-score","kubernetes","kubernetes-manifests","kubernetes-monitoring","linter","security","security-scanner","static-code-analysis","static-code-analyzer"],"latest_commit_sha":null,"homepage":"https://kube-score.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zegl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"polar":"zegl"}},"created_at":"2018-09-16T13:19:19.000Z","updated_at":"2025-04-21T15:16:49.000Z","dependencies_parsed_at":"2024-01-05T09:27:54.430Z","dependency_job_id":"8bb72484-d110-4364-98be-6fdb61dc74b5","html_url":"https://github.com/zegl/kube-score","commit_stats":{"total_commits":532,"total_committers":47,"mean_commits":"11.319148936170214","dds":0.7067669172932332,"last_synced_commit":"1c6127f567d7289ba3e39e4b935c6cb9dd2a5649"},"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zegl%2Fkube-score","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zegl%2Fkube-score/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zegl%2Fkube-score/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zegl%2Fkube-score/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zegl","download_url":"https://codeload.github.com/zegl/kube-score/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254052701,"owners_count":22006716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","automation","charts","ci","go","hacktoberfest","helm","k8s","kube-score","kubernetes","kubernetes-manifests","kubernetes-monitoring","linter","security","security-scanner","static-code-analysis","static-code-analyzer"],"created_at":"2024-08-01T07:00:57.886Z","updated_at":"2025-05-14T02:06:28.026Z","avatar_url":"https://github.com/zegl.png","language":"Go","funding_links":["https://polar.sh/zegl","https://polar.sh/zegl/subscriptions"],"categories":["Static Analysis","Kubernetes","Tools","Go","Repositories","Tools and Libraries","Security and Governance 🏯","Инструменты","Configuration Management","automation","security","Validation","Security"],"sub_categories":["[Jenkins](#jenkins)","Infrastructure as Code Analysis","Testing and Troubleshooting","IAC Security","Variables (example workarounds)"],"readme":"# kube-score\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/47952/56085330-6c0a2480-5e41-11e9-89ba-0cfddd7714a8.png\" height=\"200\"\u003e\u003c/p\u003e\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/zegl/kube-score?)](https://goreportcard.com/report/github.com/zegl/kube-score)\n[![Test Go](https://github.com/zegl/kube-score/actions/workflows/test.yaml/badge.svg)](https://github.com/zegl/kube-score/actions/workflows/test.yaml)\n[![Releases](https://img.shields.io/github/release-pre/zegl/kube-score.svg)](https://github.com/zegl/kube-score/releases)\n![GitHub stars](https://img.shields.io/github/stars/zegl/kube-score.svg?label=github%20stars)\n![Downloads](https://img.shields.io/github/downloads/zegl/kube-score/total.svg)\n[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/zegl/kube-score/blob/master/LICENSE)\n\n---\n\n`kube-score` is a tool that performs static code analysis of your Kubernetes object definitions.\n\nThe output is a list of recommendations of what you can improve to make your application more secure and resilient.\n\nYou can test kube-score out in the browser with the [online demo](https://kube-score.com) ([source](https://github.com/kube-score/web)).\n\n## Installation\n\nkube-score is easy to install, and is available from the following sources:\n\n| Distribution                                        | Command / Link                                                                          |\n|-----------------------------------------------------|-----------------------------------------------------------------------------------------|\n| Pre-built binaries for macOS, Linux, and Windows    | [GitHub releases](https://github.com/zegl/kube-score/releases)                          |\n| Docker                                              | `docker pull zegl/kube-score` ([Docker Hub)](https://hub.docker.com/r/zegl/kube-score/) |\n| Homebrew  (macOS and Linux)                         | `brew install kube-score`                                                |\n| [Krew](https://krew.sigs.k8s.io/) (macOS and Linux) | `kubectl krew install score`                                                            |\n\n## Sponsors\n\n[_Your company here?_ ](https://polar.sh/zegl/subscriptions)\n\n## Checks\n\nFor a full list of checks, see [README_CHECKS.md](README_CHECKS.md).\n\n* Container limits (should be set)\n* Pod is targeted by a `NetworkPolicy`, both egress and ingress rules are recommended\n* Deployments and StatefulSets should have a `PodDisruptionPolicy`\n* Deployments and StatefulSets should have host PodAntiAffinity configured\n* Container probes, a readiness should be configured, and should not be identical to the liveness probe. Read more in  [README_PROBES.md](README_PROBES.md).\n* Container securityContext, run as high number user/group, do not run as root or with privileged root fs. Read more in [README_SECURITYCONTEXT.md](README_SECURITYCONTEXT.md).\n* Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)\n\n## Example output\n\n![](https://user-images.githubusercontent.com/47952/63225706-5b90fe80-c1d3-11e9-8b9d-fad7e723afad.png)\n\n## Usage in CI\n\n`kube-score` can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found.\nThe trigger level can be changed to warning with the `--exit-one-on-warning` argument.\n\nThe input to `kube-score` should be all applications that you deploy to the same namespace for the best result.\n\n### Example with Helm\n\n```bash\nhelm template my-app | kube-score score -\n```\n\n### Example with Kustomize\n\n```bash\nkustomize build . | kube-score score -\n```\n\n### Example with static YAMLs\n\n```bash\nkube-score score my-app/*.yaml\n```\n\n```bash\nkube-score score my-app/deployment.yaml my-app/service.yaml\n```\n\n### Example with an existing cluster\n\n```bash\nkubectl api-resources --verbs=list --namespaced -o name \\\n  | xargs -n1 -I{} bash -c \"kubectl get {} --all-namespaces -oyaml \u0026\u0026 echo ---\" \\\n  | kube-score score -\n```\n\n### Example with Docker\n\n```bash\ndocker run -v $(pwd):/project zegl/kube-score:latest score my-app/*.yaml\n```\n\n## Configuration\n\n```\nUsage of kube-score:\nkube-score [action] --flags\n\nActions:\n\tscore\tChecks all files in the input, and gives them a score and recommendations\n\tlist\tPrints a CSV list of all available score checks\n\tversion\tPrint the version of kube-score\n\thelp\tPrint this message\n\nFlags for score:\n      --disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations\n      --disable-optional-checks-annotations Set to true to disable the effect of the 'kube-score/enable' annotations\n      --enable-optional-test strings        Enable an optional test, can be set multiple times\n      --exit-one-on-warning                 Exit with code 1 in case of warnings\n      --help                                Print help\n      --ignore-container-cpu-limit          Disables the requirement of setting a container CPU limit\n      --ignore-container-memory-limit       Disables the requirement of setting a container memory limit\n      --ignore-test strings                 Disable a test, can be set multiple times\n      --kubernetes-version string           Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default \"v1.18\")\n  -o, --output-format string                Set to 'human', 'json', 'ci' or 'sarif'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. Sarif output allows for easier integration with CI platforms. (default \"human\")\n      --output-version string               Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.\n  -v, --verbose count                       Enable verbose output, can be set multiple times for increased verbosity.\n```\n\n### Ignoring a test\n\nTests can be ignored in the whole run of the program, with the `--ignore-test` flag.\n\nA test can also be ignored on a per-object basis, by adding the annotation `kube-score/ignore` to the object.\nThe value should be a comma-separated string of the [test IDs](README_CHECKS.md).\n\nExample:\n\nTesting this object will temporarily disable the `service-type` test, which warns against using services of type NodePort.\n\n```yaml\napiVersion: v1\nkind: Service\nmetadata:\n  name: node-port-service-with-ignore\n  namespace: foospace\n  annotations:\n    kube-score/ignore: service-type\nspec:\n  selector:\n    app: my-app\n  ports:\n  - protocol: TCP\n    port: 80\n    targetPort: 8080\n  type: NodePort\n```\n\n### Enabling an optional test\n\nOptional tests can be enabled in the whole run of the program, with the `--enable-optional-test` flag.\n\nA test can also be enabled on a per-object basis, by adding the annotation `kube-score/enable` to the object.\nThe value should be a comma-separated string of the [test IDs](README_CHECKS.md).\n\nExample:\n\nTesting this object will enable the `container-seccomp-profile` test.\nAlso, multiple tests defined by `kube-score/ignore` are also ignored at the same.\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: optional-test-manifest-deployment\n  labels:\n    app: optional-test-manifest\n  annotations:\n    kube-score/ignore: pod-networkpolicy,container-resources,container-image-pull-policy,container-security-context-privileged,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem,container-ephemeral-storage-request-and-limit\n    kube-score/enable: container-seccomp-profile\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: optional-test-manifest\n  template:\n    metadata:\n      labels:\n        app: optional-test-manifest\n    spec:\n      containers:\n      - name: optional-test-manifest\n        image: busybox:1.34\n        command:\n        - /bin/sh\n        - -c\n        - date; env; tail -f /dev/null\n```\n\n## Building from source\n\n`kube-score` requires [Go](https://golang.org/) `1.21` or later to build. Clone this repository, and then:\n\n```bash\n# Build the project\ngo build ./cmd/kube-score\n\n# Run all tests\ngo test -v ./...\n```\n\n## Contributing?\n\nDo you want to help out? Take a look at the [Contributing Guidelines](./.github/CONTRIBUTING.md) for more info. 🤩\n\n## Dependencies\n\n| Project             | Version |\n|---------------------|---------|\n| go.dev              | ^1.21   | \n\n## Made by\n\n\u003ca href=\"https://github.com/zegl/kube-score/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=zegl/kube-score\" /\u003e\n\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzegl%2Fkube-score","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzegl%2Fkube-score","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzegl%2Fkube-score/lists"}