k8scan

Kubernetes Security Scanner

k8scan is a read-only Kubernetes security scanner purpose-built for platform engineers, security teams, and DevOps practitioners who need to detect misconfigurations, privilege escalation paths, exposed secrets, and container escape vectors across their clusters.

123+

Security Checks

8

Scan Categories

<5s

Scan Time

What Does a Kubernetes Security Scanner Do?

A Kubernetes security scanner analyzes your cluster's configuration — RBAC policies, pod security contexts, network policies, secrets management, and control plane settings — to identify weaknesses that attackers could exploit. Unlike traditional vulnerability scanners that look at CVEs, a K8s security scanner focuses on misconfigurations: the human errors and overly permissive defaults that lead to the majority of Kubernetes breaches.

k8scan goes further than simple checklists. It implements Capability Break analysis, which correlates individual findings into structured proofs that a named security boundary (container isolation, RBAC isolation, namespace isolation) is broken. When two or more Capability Breaks chain together, k8scan surfaces a Compound Break — a complete multi-stage attack path with MITRE ATT&CK mapping and blast radius calculation.

8 Security Categories Scanned

Container Security

Privileged containers, capabilities, hostPath

RBAC

Wildcards, pod/exec, cluster-admin bindings

Secrets

Hardcoded credentials, env var leaks

Network

Missing NetworkPolicies, exposed NodePorts

Control Plane

Anonymous access, kubelet port, etcd audit

Workload

PDB, resource limits, HPA, update strategy

Image

Latest tags, untrusted registries

Runtime Threats

Crypto miners, Docker-in-Docker, SSH servers

Why k8scan Stands Out

Capability Break Engine

Correlates individual findings into structured proofs of broken security boundaries. Not a finding list — an attack model. Each break includes weighted confidence, blast radius, and validation-grade PoC commands.

Compound Attack Path Detection

Automatically chains Capability Breaks into multi-stage attack paths. For example: Container Escape + RBAC Wildcard + Secret Exposure = full cluster compromise. Each compound break includes MITRE ATT&CK mapping and interactive attack graphs.

CI/CD Native & Static Analysis

Scan Helm charts and Kubernetes manifests in your CI pipeline using k8scan lint. Output to SARIF for GitHub Advanced Security integration. Fail builds on critical findings with --fail-on CRITICAL.

Truly Read-Only

k8scan only uses get, list, and watch API calls. It never creates, modifies, or deletes any resource. Safe for production clusters.

How to Scan Your Kubernetes Cluster

Quick start
$ git clone https://github.com/alperenkesk/k8scan.git
$ cd k8scan && make build
$ ./bin/k8scan scan

# Or with Docker:
$ docker run -v ~/.kube:/root/.kube:ro ghcr.io/alperenkesk/k8scan:latest scan

# Static analysis without a cluster:
$ k8scan lint ./charts/myapp/ --helm ./charts/myapp/

Generate reports in 5 formats: terminal, JSON, HTML (dark theme), SARIF 2.1.0 (GitHub Advanced Security), and Markdown. Every HTML report includes an interactive attack graph visualization showing lateral movement paths from initial access to cluster compromise.

Start Scanning Now

No credit card required. Upload your Helm chart and get a detailed security report with Capability Break analysis in seconds.