k8scan

Kubernetes Security Tool

k8scan is an all-in-one Kubernetes security tool designed to help platform and security teams find, understand, and fix vulnerabilities before attackers exploit them. From a single static binary, k8scan delivers comprehensive security analysis across your entire cluster with zero runtime dependencies.

Single Static Binary

No Python, no plugins, no runtime deps. ~15 MB Docker image.

5 Output Formats

Terminal, JSON, HTML, SARIF, Markdown — pick what fits your workflow.

SaaS & On-Prem

Upload charts to the cloud or deploy entirely in your own environment.

Why You Need a Kubernetes Security Tool

Kubernetes clusters are complex systems with hundreds of moving parts. A single misconfiguration — a privileged container, a wildcard RBAC rule, or an exposed cloud metadata endpoint — can give an attacker full control over your infrastructure. Traditional security tools either lack Kubernetes awareness or require complex agent deployments that interfere with cluster operations.

k8scan fills this gap as a purpose-built Kubernetes security tool that understands Kubernetes primitives deeply. It doesn't just scan for CVEs — it models attack paths. By correlating individual misconfigurations into Capability Breaks and chaining them into Compound Attack Paths, k8scan tells you not just what is wrong, but how an attacker could exploit it.

Key Capabilities

Capability Break Engine

Correlates findings into security boundary proofs with weighted confidence

Compound Break Detection

Multi-stage attack paths with MITRE ATT&CK mapping

Interactive Attack Graphs

Visual lateral movement from initial access to cluster compromise

Validation PoC Commands

Read-only kubectl commands proving each finding without cluster modification

CIS Benchmark Mapping

All findings mapped to CIS Kubernetes Benchmark v1.8 controls

Helm Template Resolution

Resolves {{ .Values }} for accurate static analysis without a cluster

SARIF Integration

GitHub Advanced Security and GitLab Security Dashboard compatible

Suppression Rules

.k8scan-ignore.yaml to silence accepted risks per resource or namespace

Compare Output Formats

Format Use Case Best For
TerminalQuick ad-hoc checksCLI power users
JSONMachine parsing & APIsAutomation pipelines
HTMLInteractive dark theme reportSecurity teams, management
SARIF 2.1.0GitHub Advanced SecurityCI/CD, code review
MarkdownGitHub issues, PR commentsDeveloper collaboration

CI/CD Integration

k8scan integrates natively into your DevOps pipeline. Add a single step to your GitHub Actions or GitLab CI configuration and fail builds when critical security findings are detected.

GitHub Actions example
- name: k8scan security audit
  run: ./bin/k8scan scan \
    --output-sarif k8scan.sarif \
    --fail-on HIGH

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: k8scan.sarif

Try the Kubernetes Security Tool

Upload your Helm chart and get a detailed security report with attack path analysis in seconds. No credit card required.