Kubernetes Cluster Scanning

Scan a live Kubernetes cluster for misconfigurations, secrets, and container image CVEs.

Quick Start

cyscan k8s # scan all namespaces
cyscan k8s --namespace production # single namespace
cyscan k8s --scan-images # also scan container images for CVEs
cyscan k8s --report full -f json # JSON output

What It Scans

Misconfigurations (708 IaC rules)

  • RBAC wildcard permissions, cluster-admin bindings
  • Privileged containers, host namespace access, SYS_ADMIN capability
  • Missing resource limits, liveness/readiness probes
  • Default namespace usage, automounted service account tokens
  • Insecure API server flags (AlwaysAllow, anonymous auth, insecure port)

Secrets

  • ConfigMaps with sensitive data (passwords, tokens, API keys)
  • Secrets exposed as environment variables
  • 296 provider-specific secret patterns across all manifests

Container Image CVEs (native)

  • Extracts OS packages from image layers (dpkg, apk, rpm, pacman)
  • Queries OSV + NVD + GitHub Advisories
  • No grype or trivy dependency required

Summary Report

The default --report summary produces a Trivy-style table, one row per workload; the C H M L U columns under each finding type count Critical, High, Medium, Low and Unknown severity findings:

Summary Report for my-cluster

Workload Assessment
┌───────────┬──────────────────────┬─────────────────────┬─────────────────────┬─────────────────────┐
│ Namespace │ Resource │ Vulnerabilities │ Misconfigurations │ Secrets │
│ │ │ C H M L U │ C H M L U │ C H M L U │
├───────────┼──────────────────────┼─────────────────────┼─────────────────────┼─────────────────────┤
│ default │ Deployment/api │ 3 1 │ 1 5 2 │ 1 │
│ default │ DaemonSet/agent │ 2 8 4 │ 2 1 │ │
└───────────┴──────────────────────┴─────────────────────┴─────────────────────┴─────────────────────┘

CI/CD Gate

cyscan k8s --fail-on high --report full -f sarif > results.sarif

The command exits 1 if any HIGH or CRITICAL finding is detected, which fails the pipeline step; results.sarif is still produced on stdout for upload. --fail-on accepts the other severity levels too, so --fail-on critical narrows the gate and --fail-on medium widens it.
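The rule classes listed under What It Scans and the --fail-on gate, as an added example that is not cyscan's code: a small Python checker over constructed Kubernetes objects (plain dicts, the shape kubectl get -o json returns) that flags a few of the misconfiguration and secret patterns above and then applies a severity threshold the way the CI gate does. The rule names, severities, messages and the two secret regexes are this example's own assumptions, not the tool's 708-rule pack or its 296 provider patterns.

```python
import re
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SECRET_PATTERNS = {  # two public token formats stand in for the provider pattern set (assumption)
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b")}
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)

def pod_spec(obj):  # PodSpec of a Pod or of a controller's pod template; None for other kinds
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    if obj.get("kind") in ("Deployment", "DaemonSet", "StatefulSet", "Job"):
        return obj.get("spec", {}).get("template", {}).get("spec", {})

def finding(obj, severity, message):
    meta = obj["metadata"]  # cluster-scoped objects carry no namespace
    return (meta.get("namespace", "cluster"), f"{obj['kind']}/{meta['name']}", severity, message)

def scan_value(obj, where, key, value):
    """Secret checks shared by container env vars and ConfigMap data."""
    out = []
    if value and SENSITIVE_KEY.search(key):  # a valueFrom/secretKeyRef has no inline value
        out.append(finding(obj, "HIGH", f"{where}: sensitive-looking key set inline"))
    out += [finding(obj, "CRITICAL", f"{where}: value matches {pid}")
            for pid, pat in SECRET_PATTERNS.items() if pat.search(value)]
    return out

def check_workload(obj):
    spec, out = pod_spec(obj), []
    if obj["metadata"].get("namespace") == "default":
        out.append(finding(obj, "LOW", "workload lives in the default namespace"))
    if spec.get("automountServiceAccountToken", True):  # Kubernetes default is true
        out.append(finding(obj, "MEDIUM", "service account token is automounted"))
    out += [finding(obj, "HIGH", f"{flag} shares a host namespace")
            for flag in ("hostPID", "hostIPC", "hostNetwork") if spec.get(flag)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(finding(obj, "CRITICAL", f"container {c['name']} runs privileged"))
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            out.append(finding(obj, "HIGH", f"container {c['name']} adds CAP_SYS_ADMIN"))
        if not c.get("resources", {}).get("limits"):
            out.append(finding(obj, "LOW", f"container {c['name']} has no resource limits"))
        for env in c.get("env", []):
            out += scan_value(obj, f"env {env['name']}", env["name"], env.get("value", ""))
    return out

def check_rbac(obj):
    """Wildcard rules in Role/ClusterRole; bindings that hand out cluster-admin."""
    out = [finding(obj, "HIGH", "rule grants wildcard verbs or resources")
           for r in obj.get("rules", []) if "*" in r.get("verbs", []) + r.get("resources", [])]
    if obj.get("roleRef", {}).get("name") == "cluster-admin":
        out += [finding(obj, "CRITICAL", f"binds cluster-admin to {s['kind']}/{s['name']}")
                for s in obj.get("subjects", [])]
    return out

def scan(objects):  # findings as (namespace, resource, severity, message) tuples
    out = []
    for obj in objects:
        if pod_spec(obj) is not None:
            out += check_workload(obj)
        elif obj.get("kind") in ("Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"):
            out += check_rbac(obj)
        elif obj.get("kind") == "ConfigMap":
            for key, value in obj.get("data", {}).items():
                out += scan_value(obj, f"key {key}", key, str(value))
    return out

def summarize(findings):  # per-severity counts, what a summary table row is built from
    return {sev: sum(1 for f in findings if f[2] == sev) for sev in SEVERITY_RANK}

def gate(findings, fail_on):
    """Exit status of a --fail-on gate: 1 if any finding is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return int(any(SEVERITY_RANK[f[2]] >= threshold for f in findings))

# Constructed sample objects: a noisy Deployment, RBAC objects, a leaky ConfigMap, one clean Pod.
SAMPLE_OBJECTS = [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [{
         "name": "api", "image": "example/api:1.0", "securityContext": {"privileged": True},
         "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                 {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"}]}]}}}},
    {"kind": "ClusterRole", "metadata": {"name": "debug"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "default"},
     "data": {"log_level": "info", "db_password": "s3cr3t"}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "production"},
     "spec": {"automountServiceAccountToken": False, "containers": [{
         "name": "worker", "image": "example/worker:1.0", "securityContext": {"runAsNonRoot": True},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
         "env": [{"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}]}},
]

if __name__ == "__main__":
    results = scan(SAMPLE_OBJECTS)
    print(*(f"{sev:<8} {ns:<11} {res:<30} {msg}" for ns, res, sev, msg in results), sep="\n")
    raise SystemExit(gate(results, "high"))  # non-zero here is what fails the pipeline step
```

Running it lists nine findings and exits 1 because the Deployment and the cluster-admin binding cross the HIGH threshold. The clean Pod is the shape a gate should let through: token automounting disabled, limits set, and the API token taken from a Secret via valueFrom rather than an inline value, which is why the secret checks ignore it.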

Options

Flag               Description
--namespace, -n    Scan a specific namespace (default: all)
--report           summary (table) or full (detailed findings)
--format, -f       text, json, or sarif (full report mode)
--scan-images      Also scan container images for CVEs
--kubeconfig       Path to kubeconfig file
--rules, -r        Custom rule pack directory
--fail-on          Exit non-zero if findings at this severity or above