Kubernetes Security Scanner

A comprehensive security scanner that checks for misconfigurations against CIS Kubernetes Benchmark and NIST SP 800-190 standards

🔐 Security Features

CIS Kubernetes Benchmark

Implements security controls from the Center for Internet Security, including checks for cluster-admin role usage, privileged container admission, and privilege escalation prevention.

NIST SP 800-190

Follows NIST Application Container Security Guide with image vulnerability management, container runtime security, and network segmentation controls.

Enhanced Terminal UI

Progress bars, typing effects, and colored output for a better user experience, with vulnerability aggregation and an executive summary mode.

Multiple Output Formats

Text, JSON, YAML, and HTML reporting with interactive filtering, detailed findings, and professional styling suitable for presentations.

JSON-Based Rules

External rule definitions in JSON format for easy customization and maintenance without code changes. Supports complex field evaluation and custom operators.

Configurable Rules

Enable or disable specific rules and customize severity levels; the architecture is extensible for adding new rules and standards.

Namespace Filtering

Scan specific namespaces or exclude system namespaces; multiple authentication methods and cloud providers are supported.

🛡️ Security Standards

CIS Kubernetes Benchmark

Implements key security controls from the Center for Internet Security:

  • CIS-5.1.1: Cluster-admin role usage
  • CIS-5.1.2: Privileged container admission
  • CIS-5.1.3: Privilege escalation prevention
  • CIS-5.1.4: Capabilities management
  • CIS-5.1.5: Host network restrictions
  • CIS-5.1.6: Host PID restrictions
  • CIS-5.1.7: Host IPC restrictions
  • CIS-5.1.8: Seccomp profile requirements
  • CIS-5.1.9: AppArmor profile requirements
  • CIS-5.1.10: Service account token management

NIST SP 800-190

Follows NIST Application Container Security Guide controls:

  • NIST-4.1.1: Image vulnerability management
  • NIST-4.2.1: Container runtime security
  • NIST-4.3.1: Network segmentation
  • NIST-4.4.1: Resource limits and quotas
  • NIST-4.5.1: Secret management
  • NIST-4.6.1: Access control and RBAC
  • NIST-4.7.1: Logging and monitoring
  • NIST-4.8.1: Image signing and verification

⚡ Quick Installation

From Source

git clone https://github.com/rohit-kaundal/k8s-scanner.git
cd k8s-scanner
go build -o k8s-scanner

Using Go Install

go install github.com/rohit-kaundal/k8s-scanner@latest

🚀 Quick Start Commands

Basic Scan

./k8s-scanner scan

JSON Output

./k8s-scanner scan --output json --file results.json

HTML Report

./k8s-scanner scan --output html --file security-report.html

Namespace Scan

./k8s-scanner scan --namespace production

Custom Rules

./k8s-scanner scan --rules-dir /path/to/custom/rules

Specific Standards

./k8s-scanner scan --standards cis,nist

🛠️ JSON-Based Rules Customization

K8s Security Scanner uses external JSON files to define security rules, making it easy to customize and maintain without code changes.

Rule Structure

{
  "id": "CIS-5.1.2",
  "title": "Minimize privileged containers",
  "description": "Check for privileged containers",
  "standard": "cis",
  "severity": "high",
  "check": {
    "type": "pod",
    "conditions": [
      {
        "field": "spec.containers[*].securityContext.privileged",
        "operator": "equals",
        "value": true,
        "expected_result": "fail"
      }
    ]
  },
  "remediation": "Set privileged: false",
  "references": ["https://kubernetes.io/docs/..."]
}

Rule Directories

config/rules/
├── schema.json   # JSON schema for validation
├── cis.json      # CIS Kubernetes Benchmark rules
├── nist.json     # NIST SP 800-190 rules
└── custom.json   # Your custom rules

🔧 Supported Field Operators

Value Matching

equals / not_equals
contains / not_contains
matches / not_matches (regex)
greater_than / less_than

Field Presence

exists / not_exists

# Example: check whether a field exists
"field": "spec.securityContext.runAsNonRoot",
"operator": "exists",
"expected_result": "pass"

Array Access

# Access array elements with [*]
"field": "spec.containers[*].securityContext.privileged"

# Nested array access
"field": "spec.containers[*].env[*].value"

Labels & Annotations

# Access labels
"field": "metadata.labels['app.kubernetes.io/name']"

# Access annotations
"field": "metadata.annotations['security.custom/enabled']"
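To show how a rule condition like the one in the Rule Structure section is applied to a resource, here is an added Go example (not the scanner's own code) that resolves a field path with [*] and ['key'] steps against a JSON-decoded pod and evaluates the equals, exists and not_exists operators. The pod is constructed for the example, and the pass/fail semantics (a matching condition yields expected_result, a non-matching one the opposite) are an assumption about how the scanner interprets expected_result.

```go
package main

import (
	"encoding/json"
	"strings"
)

// tokens splits a field path into steps; "[*]" becomes "*" and a quoted key keeps its dots.
func tokens(path string) (out []string) {
	for i, part := range strings.Split(path, "['") {
		if i > 0 { // part begins with a quoted key, e.g. "app.kubernetes.io/name']..."
			key, rest, _ := strings.Cut(part, "']")
			out, part = append(out, key), rest
		}
		out = append(out, strings.FieldsFunc(part, func(r rune) bool { return strings.ContainsRune(".[]", r) })...)
	}
	return out
}

// resolve walks JSON-decoded data; "*" fans out over an array, a missing key yields no values.
func resolve(obj interface{}, steps []string) (out []interface{}) {
	if len(steps) == 0 {
		return []interface{}{obj}
	}
	m, _ := obj.(map[string]interface{}) // nil (and safe to index) when obj is not an object
	if child, ok := m[steps[0]]; ok {
		return resolve(child, steps[1:])
	}
	if arr, ok := obj.([]interface{}); ok && steps[0] == "*" {
		for _, e := range arr {
			out = append(out, resolve(e, steps[1:])...)
		}
	}
	return out
}
// Check evaluates one condition; assumed: a match yields expected_result, a non-match the opposite.
func Check(field, op string, value interface{}, expected string, obj interface{}) string {
	vals := resolve(obj, tokens(field))
	matched := map[string]bool{"exists": len(vals) > 0, "not_exists": len(vals) == 0}[op]
	for _, v := range vals { // only equals, exists and not_exists are implemented here
		matched = matched || (op == "equals" && v == value)
	}
	if !matched {
		expected = map[string]string{"pass": "fail", "fail": "pass"}[expected]
	}
	return expected
}
// SamplePod decodes a constructed pod (not from the page) whose sidecar container is privileged.
const samplePod = `{"metadata":{"labels":{"app.kubernetes.io/name":"web"}},"spec":{"containers":[{"name":"app","securityContext":{"privileged":false}},{"name":"sidecar","securityContext":{"privileged":true}}]}}`
func SamplePod() (pod interface{}) { json.Unmarshal([]byte(samplePod), &pod); return pod }
```

Running the CIS-5.1.2 condition against the sample pod returns "fail" because one container resolves to privileged: true, while the runAsNonRoot exists check returns "fail" because the field is absent.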

✨ Adding Custom Rules

Create Rule File

# Create custom-rules.json
{
  "version": "1.0.0",
  "rules": [
    {
      "id": "CUSTOM-1.0.1",
      "title": "Custom security check",
      "standard": "custom",
      "severity": "medium",
      "enabled": true,
      "check": { ... }
    }
  ]
}

Use Custom Rules

# Test with custom rules directory
./k8s-scanner scan --rules-dir /path/to/custom/rules

# Or place in default location
mkdir -p config/rules
cp custom-rules.json config/rules/

📊 Example Output

K8s Security Scanner
✅ Scan completed successfully!
📊 Total findings: 42
⏱️ Duration: 5.2s

🔐 KUBERNETES SECURITY SCAN REPORT
════════════════════════════════════════════════════════════════════════════════

📅 SCAN METADATA
────────────────────────────────────────
Scan Time: 2025-01-15T10:30:00Z

📋 SCAN SUMMARY
────────────────────────────────────────
Total Checks: 42
✅ Passed: 12 (28.6%)
❌ Failed: 8 (19.0%)
⚠️ Warnings: 22 (52.4%)

⚠️ Some warnings found. Consider reviewing them.

🔍 VULNERABILITY ANALYSIS SUMMARY
════════════════════════════════════════════════════════════════════════════════

📊 OVERALL STATISTICS
──────────────────────────────────────────────────
Total Security Checks: 42
✅ Passed: 12
❌ Failed: 8
⚠️ Warnings: 22
Pass Rate: 28.6%

🎯 SEVERITY DISTRIBUTION
──────────────────────────────────────────────────
🟠 HIGH: 12 (40.0%) [████████████░░░░░░░░░░░░░░░░░░]
🟡 MEDIUM: 15 (50.0%) [███████████████░░░░░░░░░░░░░░░]
🔵 LOW: 3 (10.0%) [███░░░░░░░░░░░░░░░░░░░░░░░░░░░]

🔥 TOP VULNERABILITIES
──────────────────────────────────────────────────
1. Minimize the admission of containers with allowPrivilegeEscalation
   Standard: CIS | Severity: 🟠 HIGH | Count: 6
   Affected: Pod/production/web-app, Pod/production/api-server... and 4 more
   Container allows privilege escalation

2. Image signing and verification
   Standard: NIST | Severity: 🟡 MEDIUM | Count: 5
   Affected: Pod/production/web-app, Pod/production/api-server... and 3 more
   Container uses image from untrusted registry