Kubernetes Security Scanner
k8scan is a read-only Kubernetes security scanner purpose-built for platform engineers, security teams, and DevOps practitioners who need to detect misconfigurations, privilege escalation paths, exposed secrets, and container escape vectors across their clusters.
123+
Security Checks
8
Scan Categories
<5s
Scan Time
What Does a Kubernetes Security Scanner Do?
A Kubernetes security scanner analyzes your cluster's configuration — RBAC policies, pod security contexts, network policies, secrets management, and control plane settings — to identify weaknesses that attackers could exploit. Unlike traditional vulnerability scanners that look at CVEs, a K8s security scanner focuses on misconfigurations: the human errors and overly permissive defaults that lead to the majority of Kubernetes breaches.
k8scan goes further than simple checklists. It implements Capability Break analysis, which correlates individual findings into structured proofs that a named security boundary (container isolation, RBAC isolation, namespace isolation) is broken. When two or more Capability Breaks chain together, k8scan surfaces a Compound Break — a complete multi-stage attack path with MITRE ATT&CK mapping and blast radius calculation.
8 Security Categories Scanned
Container Security
Privileged containers, capabilities, hostPath
RBAC
Wildcards, pod/exec, cluster-admin bindings
Secrets
Hardcoded credentials, env var leaks
Network
Missing NetworkPolicies, exposed NodePorts
Control Plane
Anonymous access, kubelet port, etcd audit
Workload
PDB, resource limits, HPA, update strategy
Image
Latest tags, untrusted registries
Runtime Threats
Crypto miners, Docker-in-Docker, SSH servers
Why k8scan Stands Out
Capability Break Engine
Correlates individual findings into structured proofs of broken security boundaries. Not a finding list — an attack model. Each break includes weighted confidence, blast radius, and validation-grade PoC commands.
Compound Attack Path Detection
Automatically chains Capability Breaks into multi-stage attack paths. For example: Container Escape + RBAC Wildcard + Secret Exposure = full cluster compromise. Each compound break includes MITRE ATT&CK mapping and interactive attack graphs.
CI/CD Native & Static Analysis
Scan Helm charts and Kubernetes manifests in your CI pipeline using k8scan lint. Output to SARIF for GitHub Advanced Security integration. Fail builds on critical findings with --fail-on CRITICAL.
Truly Read-Only
k8scan only uses get, list, and watch API calls. It never creates, modifies, or deletes any resource. Safe for production clusters.
How to Scan Your Kubernetes Cluster
$ git clone https://github.com/alperenkesk/k8scan.git $ cd k8scan && make build $ ./bin/k8scan scan # Or with Docker: $ docker run -v ~/.kube:/root/.kube:ro ghcr.io/alperenkesk/k8scan:latest scan # Static analysis without a cluster: $ k8scan lint ./charts/myapp/ --helm ./charts/myapp/
Generate reports in 5 formats: terminal, JSON, HTML (dark theme), SARIF 2.1.0 (GitHub Advanced Security), and Markdown. Every HTML report includes an interactive attack graph visualization showing lateral movement paths from initial access to cluster compromise.
Start Scanning Now
No credit card required. Upload your Helm chart and get a detailed security report with Capability Break analysis in seconds.