k8scan
Source Available Helm & Manifest Support On-Prem Ready

Kubernetes Security
Scanner.

Upload your Helm charts or Kubernetes manifests and k8scan scans for misconfigurations, exposed secrets, RBAC flaws, and container escape vectors—then correlates findings into Capability Breaks and multi-stage attack paths with validation-grade PoC commands.

Starting at $9/mo • Cancel anytime

k8scan — Capability Break Analysis

Simple, Transparent Pricing

Pay as you grow. No hidden fees. Cancel anytime.

Starter

$9 /mo
  • 3 scans / month
  • Charts up to 10 MB
  • HTML report download
  • 123+ security checks
  • Full PoC commands
  • 1 user
  • Scan history
  • Scheduled scanning
  • API access
Get Started
Most Popular

Pro

$29 /mo
  • 20 scans / month
  • Charts up to 100 MB
  • HTML, JSON & SARIF reports
  • Full PoC commands
  • 5 team members
  • Scan history (90 days)
  • Scheduled scanning
  • Slack notifications
  • API access
Start Pro

Enterprise

Custom
  • Unlimited scans
  • Unlimited chart size
  • All report formats
  • Full PoC commands
  • Unlimited team members
  • Unlimited scan history
  • Scheduled scanning
  • API access
  • SSO / SAML
  • On-prem deployment
  • SLA + Priority support
Contact Sales
Enterprise / On-Prem

Your data never leaves your infrastructure.

For organizations with strict data sovereignty requirements — government agencies, financial institutions, and critical infrastructure operators — k8scan deploys entirely within your own environment. No telemetry, no external API calls, no cloud dependency.

Get in Touch

start@k8scan.com

Zero Data Egress

All scan data, findings, and reports stay inside your cluster. Nothing is sent to external servers.

Helm-Based Deployment

Deploy as a Kubernetes Job or CronJob using the provided Helm chart. Runs in air-gapped environments.

Compliance Ready

Meets data residency and sovereignty requirements. Suitable for public sector procurement processes.

SLA-Backed Support

Dedicated installation support, documented deployment process, and ongoing SLA for enterprise customers.

Everything you need to secure Kubernetes

123+ checks across 8 categories—from misconfiguration detection to full attack chain modeling.

Capability Break Engine

Correlates individual findings into structured proofs that a named security boundary—container isolation, RBAC, namespace isolation—is broken. Not a finding list. An attack model.

Compound Attack Paths

When two or more Capability Breaks chain together, k8scan surfaces a Compound Break—a complete multi-stage attack path with MITRE ATT&CK mapping and blast radius.

Validation-Grade PoC Commands

Every Capability Break includes read-only kubectl commands that confirm the misconfiguration exists without modifying cluster state.

Helm & Manifest Static Analysis

Scan .tgz chart packages, ZIP archives of YAML dumps, or raw manifests—without a live cluster. Integrates with GitHub Actions, GitLab CI, and any CI pipeline.

123+ Checks, 8 Categories

Container security, RBAC, secrets, network policy, control plane, workload hygiene, image integrity, and runtime threats—all CIS Benchmark mapped.

SaaS & On-Prem Deployment

Use the cloud platform or deploy entirely on your own infrastructure. On-prem mode keeps all data in-house—no telemetry, no external calls.

See It In Action

Real output from k8scan running against a production Kubernetes cluster.

k8scan Kubernetes Security Scanner - HTML Security Report with severity findings

HTML Report

Color-coded findings with severity, location, and remediation guidance.

k8scan Capability Break Analysis - Kubernetes security boundary violation detection

Capability Break Analysis

Structured proof that a named security boundary is broken, with weighted confidence scores.

k8scan Interactive Attack Graph - Kubernetes lateral movement path visualization

Interactive Attack Graph

Visual lateral movement path from initial access to final target.

k8scan Proof-of-Concept Commands - Read-only kubectl security validation commands

Proof-of-Concept Commands

Read-only kubectl commands that validate each finding without modifying cluster state.

How It Works

From upload to attack chain report in seconds.

1

Upload Your Chart or Manifest

Provide a Helm .tgz, a ZIP of YAML manifests, or point k8scan at a live cluster. Files are encrypted at rest.

2

Capability Break Analysis

123+ checks across 8 categories run instantly. The engine then correlates findings into Capability Breaks and chains them into multi-stage attack paths.

3

Get Your Report

Download HTML, JSON, SARIF, or Markdown reports. Every Capability Break includes a validated PoC command and attack graph.

See a Real Report

This is what a k8scan report looks like for a real-world Helm chart deployment with vulnerabilities.

app.k8scan.io/scan/nginx-ingress-4.9.1

k8scan — Security Report

nginx-ingress-4.9.1.tgz • Scanned Apr 12 2025 • 8 templates analyzed

Completed

Risk Score

72

/ 100

Critical

2

High

3

Medium

4

Low

2

Findings

CRITICAL Privileged Container Detected

Container ingress-nginx runs with privileged: true, granting full host access. This allows a container breakout to the underlying node.

Remediation: Set securityContext.privileged: false and use specific Linux capabilities instead.

Proof-of-Concept Command

kubectl exec -it ingress-nginx-controller -- nsenter -t 1 -m -u -n -i sh

For authorized testing only.

CVSS: 9.8 • Check ID: K8S-001

CRITICAL Wildcard ClusterRole Permission

ClusterRole uses verbs: ["*"] and resources: ["*"], granting unrestricted access to all Kubernetes resources.

Remediation: Replace wildcards with explicit resource/verb lists following the principle of least privilege.

CVSS: 9.1 • Check ID: K8S-020

HIGH No NetworkPolicy Defined

No NetworkPolicy resource found in the chart. All pods can freely communicate with each other and reach the internet, violating network segmentation best practices.

Remediation: Define NetworkPolicy resources to enforce least-privilege network segmentation per namespace.

CVSS: 7.0 • Check ID: K8S-050

MEDIUM No Resource Limits Defined
MEDIUM Privilege Escalation Not Disabled
+ 6 more findings hidden in this preview View Full Sample Report
Scan Your Own Charts

Frequently Asked Questions