Kube Secure Scanner

Release Preview v0.90

This is an ongoing joint community research effort and is currently at Release Preview (v0.90). Some examples, automation, pipelines, and scripts are still in the process of being fully tested and validated. We'll be releasing updates in v0.9.x versions as we work toward a stable v1.0.0 release.

View Project on GitHub ↗

Overview

A flexible, security-focused framework for scanning containers in Kubernetes environments with multiple scanning engines. Initially built with CINC Auditor (open source InSpec), the platform provides secure RBAC configurations, multiple scanning approaches, and comprehensive CI/CD integration.

Key Features:

  • Multiple scanner engine support (extensible framework)
  • Three container scanning approaches for all Kubernetes environments
  • Specialized security controls with least-privilege design
  • Comprehensive documentation and integration examples
  • CI/CD pipeline integration for GitHub Actions and GitLab

Abbreviations used on this page:

  • CINC: CINC Is Not Chef
  • SAF: Security Automation Framework
  • RBAC: Role-Based Access Control
  • K8s: Kubernetes
  • API: Application Programming Interface

Choose Your Path

Scanning Approaches

This project offers three distinct approaches for container scanning, designed to accommodate various container types and Kubernetes environments:

Direct API-based scanning approach. Most scalable solution with seamless integration.

  • Works with standard containers now
  • Universal solution once distroless support is complete
  • No configuration changes to existing pods
  • Flexible scanner engine support (roadmap)

Learn More

Uses ephemeral debug containers with chroot-based scanning for distroless containers.

  • Requires Kubernetes 1.16+ with ephemeral containers
  • Works with existing deployed containers
  • Good for testing environments
  • Compatible with multiple scanner engines

Learn More

Scanner sidecar container with shared process namespace for any container type.

  • Works with any Kubernetes cluster
  • Universal compatibility
  • Must be deployed alongside target container
  • Supports pluggable scanner engines

Learn More

Key Security Benefits

  • Least Privilege Access
    Restrict scanning to specific containers only

  • Dynamic Access Control
    Create temporary, targeted access for scanning

  • Time-limited Tokens
    Scan tokens default to a 15-minute lifetime

  • Namespace Isolation
    Contain permissions within specific namespaces

  • SAF CLI Integration
    Validate scan results against compliance thresholds
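The least-privilege and namespace-isolation benefits listed above can be checked mechanically before a scanner identity is bound. The following is an added example, not the project's own code: it audits a Role manifest (loaded here as a Python dict) and flags anything wider than a namespaced grant pinned to one target pod. The allowed verb set (`get` on `pods`, `create` on `pods/exec`) and every name in the samples are assumptions.

```python
"""Audit a scanner Role for the least-privilege shape described above (added example)."""
from typing import Dict, List

# Assumed minimum a scan-only identity needs: read the target pod and open exec into it.
ALLOWED_VERBS = {"pods": {"get"}, "pods/exec": {"create"}}


def audit_scanner_role(role: Dict) -> List[str]:
    """Return findings for anything broader than a namespaced, pod-specific scan grant."""
    findings: List[str] = []
    if role.get("kind") != "Role":
        findings.append(f"kind is {role.get('kind')!r}; use a namespaced Role, not a ClusterRole")
    if not role.get("metadata", {}).get("namespace"):
        findings.append("no metadata.namespace; permissions are not isolated to a namespace")
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs, names = set(rule.get("verbs", [])), rule.get("resourceNames", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant")
            continue
        for res in resources:
            allowed = ALLOWED_VERBS.get(res)
            if allowed is None:
                findings.append(f"rule {i}: resource {res!r} is not needed for scanning")
                continue
            if verbs - allowed:
                findings.append(f"rule {i}: {res} grants extra verbs {sorted(verbs - allowed)}")
            if not names:
                findings.append(f"rule {i}: {res} is not pinned to a target with resourceNames")
    return findings


# Constructed sample: the tight shape the page describes (all names are placeholders).
SCANNER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "scanner-role", "namespace": "scan-target-ns"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"], "resourceNames": ["target-pod"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"], "resourceNames": ["target-pod"]},
    ],
}

# Constructed sample: an over-broad, cluster-wide grant the check should reject.
LOOSE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "scanner-admin"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["*"]}],
}
```

Once a Role of the tight shape is bound to the scanner's ServiceAccount, a token matching the 15-minute default above can be minted with `kubectl create token <serviceaccount> -n <namespace> --duration=15m`.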

Getting Started

The fastest way to get started is with our Quick Start guide, which walks you through:

  • Setting up a testing environment
  • Deploying the scanning infrastructure
  • Running container scans
  • Validating compliance results

Project Roadmap

Our active roadmap includes the following key initiatives for the path to v1.0:

  • NSA/CISA Kubernetes Hardening Guide

    Incorporate analysis and recommendations from the NSA/CISA Kubernetes Hardening Guide.

    • Analyze official guidance
    • Reference KubeArmor implementation examples
    • Map hardening requirements to our implementation

  • Enhanced Container Support

    Expand scanning capabilities to new container types.

    • Complete API-based direct scanning approach
    • Improve scan performance for specialized containers
    • Add universal distroless container support

  • Multi-Scanner Engine Architecture

    Implement a framework for integrating multiple scanning engines:

    • Scanner engine plugin interface
    • Results normalization layer
    • Support for vulnerability scanners and SBOM generators
    • Scanner configuration standardization

Core Documentation

  • Approach Comparison

    Compare the three scanning approaches side-by-side

    View comparison

  • Workflow Diagrams

    Visual workflows for all scanning approaches

    View diagrams

  • Security Analysis

    Comprehensive security analysis with risk mitigation

    View analysis

  • Decision Matrix

    Selection guide for the right approach

    View matrix