Kubernetes Security Tool
k8scan is an all-in-one Kubernetes security tool designed to help platform and security teams find, understand, and fix vulnerabilities before attackers exploit them. From a single static binary, k8scan delivers comprehensive security analysis across your entire cluster with zero runtime dependencies.
Single Static Binary
No Python, no plugins, no runtime deps. ~15 MB Docker image.
5 Output Formats
Terminal, JSON, HTML, SARIF, Markdown — pick what fits your workflow.
SaaS & On-Prem
Upload charts to the cloud or deploy entirely in your own environment.
Why You Need a Kubernetes Security Tool
Kubernetes clusters are complex systems with hundreds of moving parts. A single misconfiguration — a privileged container, a wildcard RBAC rule, or an exposed cloud metadata endpoint — can give an attacker full control over your infrastructure. Traditional security tools either lack Kubernetes awareness or require complex agent deployments that interfere with cluster operations.
k8scan fills this gap as a purpose-built Kubernetes security tool that understands Kubernetes primitives deeply. It doesn't just scan for CVEs — it models attack paths. By correlating individual misconfigurations into Capability Breaks and chaining them into Compound Attack Paths, k8scan tells you not just what is wrong, but how an attacker could exploit it.
Key Capabilities
Capability Break Engine
Correlates findings into security boundary proofs with weighted confidence
Compound Break Detection
Multi-stage attack paths with MITRE ATT&CK mapping
Interactive Attack Graphs
Visual lateral movement from initial access to cluster compromise
Validation PoC Commands
Read-only kubectl commands proving each finding without cluster modification
CIS Benchmark Mapping
All findings mapped to CIS Kubernetes Benchmark v1.8 controls
Helm Template Resolution
Resolves {{ .Values }} for accurate static analysis without a cluster
SARIF Integration
GitHub Advanced Security and GitLab Security Dashboard compatible
Suppression Rules
.k8scan-ignore.yaml to silence accepted risks per resource or namespace
Compare Output Formats
| Format | Use Case | Best For |
|---|---|---|
| Terminal | Quick ad-hoc checks | CLI power users |
| JSON | Machine parsing & APIs | Automation pipelines |
| HTML | Interactive dark theme report | Security teams, management |
| SARIF 2.1.0 | GitHub Advanced Security | CI/CD, code review |
| Markdown | GitHub issues, PR comments | Developer collaboration |
CI/CD Integration
k8scan integrates natively into your DevOps pipeline. Add a single step to your GitHub Actions or GitLab CI configuration and fail builds when critical security findings are detected.
- name: k8scan security audit
run: ./bin/k8scan scan \
--output-sarif k8scan.sarif \
--fail-on HIGH
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: k8scan.sarif
Try the Kubernetes Security Tool
Upload your Helm chart and get a detailed security report with attack path analysis in seconds. No credit card required.