Skip to main content
KubeSec is an open-source Kubernetes security scanner and analysis tool that inspects your manifests for common exploitable risks—such as privilege escalation and writable host mounts—and assigns a security score to each vulnerability found. You can feed it a single YAML file containing one or more Kubernetes resources, and it will return both a numerical score and actionable recommendations.
The image is a presentation slide about Kubesec, an open-source Kubernetes security scanner and analysis tool, detailing its features and availability. It includes a brief description of its functionality and formats in which it can be used.

Key Features

  • Security Scoring: Assigns points based on passed checks and best-practice recommendations.
  • Multi-Resource Support: Scan a single YAML with multiple objects.
  • Flexible Deployment: Use as a CLI binary, Docker image, Admission Controller, kubectl plugin, or REST API.
KubeSec supports multi-document YAML files. Separate resources with --- in the same file and scan them together.

Example: Scanning a Pod Manifest

Below is a sample Pod specification that enforces a read-only root filesystem:

Scan via Docker

Scan via REST API

If you expose the REST endpoint publicly, ensure you protect it behind authentication or a firewall to prevent misuse.

Sample JSON Response

The scanner returns a JSON object with your resource’s score and specific advisories:
  • passed: Checks that succeeded and earned points.
  • advise: Recommendations to improve the security posture, along with points you can earn.

What’s Next

Now that you’ve seen how to scan a simple Pod, let’s apply KubeSec to a more complex Deployment resource and review deeper recommendations.

Watch Video