Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System.

Kube-Scan – Kubernetes Risk Assessment Tool

Kube-Scan is a quick, easy-to-run, open-source security risk assessment tool that instantly shows you the security posture of your Kubernetes clusters.

KCCSS is similar to the Common Vulnerability Scoring System (CVSS), the industry-standard for rating vulnerabilities, but instead focuses on the configurations and security settings themselves.

Vulnerabilities are always detrimental, but configuration settings can be insecure, neutral, or critical for protection or remediation. KCCSS scores both risks and remediations as separate rules, and allows users to calculate a risk for every runtime setting of a workload and then to calculate the total risk of the workload.
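To make the "score each runtime setting, then roll up to a 0–10 workload score, with remediations as separate rules" idea concrete, here is an added illustrative scorer in Python. It is not kube-scan's code and does not reproduce the real KCCSS rule set or formula (those live in the kube-scan repository); the rule names, weights, and the aggregation below are assumptions made for this example, and the three pod specs are constructed inputs.

```python
"""Illustrative KCCSS-style workload risk scoring (added example, not kube-scan's code).

Assumptions, stated explicitly: the rules, their weights, and the aggregation
formula are invented for illustration. The real KCCSS rules and scoring formula
are defined in the kube-scan project. What this keeps is the shape the text
describes: risk rules and remediation rules are scored separately, every
runtime setting gets its own risk, and the workload gets a 0-10 total.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    weight: float                          # hypothetical severity weight in [0, 1]
    check: Callable[[dict, dict], bool]    # (pod_spec, container) -> True when the rule fires
    is_remediation: bool = False           # remediation rules subtract from the risk


def _sc(container: dict, key: str, default: Any = None) -> Any:
    """Read a key from the container's securityContext, tolerating its absence."""
    return (container.get("securityContext") or {}).get(key, default)


# Hypothetical rule set; weights are illustrative, not KCCSS values.
RULES: List[Rule] = [
    Rule("privileged", 1.0, lambda p, c: _sc(c, "privileged") is True),
    Rule("hostNetwork", 0.8, lambda p, c: p.get("hostNetwork") is True),
    Rule("hostPID", 0.8, lambda p, c: p.get("hostPID") is True),
    # allowPrivilegeEscalation defaults to true in Kubernetes when unset
    Rule("allowPrivilegeEscalation", 0.5,
         lambda p, c: _sc(c, "allowPrivilegeEscalation", True) is True),
    Rule("runsAsRoot", 0.6, lambda p, c: _sc(c, "runAsNonRoot") is not True),
    Rule("writableRootFilesystem", 0.3,
         lambda p, c: _sc(c, "readOnlyRootFilesystem") is not True),
    Rule("noResourceLimits", 0.3,
         lambda p, c: not (c.get("resources") or {}).get("limits")),
    # Remediation rules: present settings that lower the workload's risk.
    Rule("dropsAllCapabilities", 0.4,
         lambda p, c: "ALL" in ((_sc(c, "capabilities") or {}).get("drop") or []),
         is_remediation=True),
    Rule("seccompProfile", 0.3,
         lambda p, c: (_sc(c, "seccompProfile") or {}).get("type")
         in ("RuntimeDefault", "Localhost"),
         is_remediation=True),
]

MAX_RISK = sum(r.weight for r in RULES if not r.is_remediation)


def score_container(pod_spec: dict, container: dict) -> Dict[str, Any]:
    """Score one container: per-setting risks (positive) and remediations (negative)."""
    findings: Dict[str, float] = {}
    risk = 0.0
    mitigation = 0.0
    for rule in RULES:
        if not rule.check(pod_spec, container):
            continue
        if rule.is_remediation:
            mitigation += rule.weight
            findings[rule.name] = -round(rule.weight * 10, 1)
        else:
            risk += rule.weight
            findings[rule.name] = round(rule.weight * 10, 1)
    # Illustrative aggregation: net risk, clamped at zero, scaled to 0-10.
    score = 10.0 * max(0.0, risk - mitigation) / MAX_RISK
    return {"score": round(min(score, 10.0), 1), "findings": findings}


def score_workload(pod_spec: dict) -> Dict[str, Any]:
    """Workload score is the worst container score; per-container detail is kept."""
    per_container = {c["name"]: score_container(pod_spec, c)
                     for c in pod_spec.get("containers", [])}
    total = max((r["score"] for r in per_container.values()), default=0.0)
    return {"score": total, "containers": per_container}


# Constructed sample pod specs (not from any real cluster).
RISKY_POD = {
    "hostNetwork": True, "hostPID": True,
    "containers": [{"name": "app", "image": "example/app:1",
                    "securityContext": {"privileged": True}}],
}
DEFAULT_POD = {
    "containers": [{"name": "app", "image": "example/app:1",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
}
HARDENED_POD = {
    "containers": [{"name": "app", "image": "example/app:1",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    "securityContext": {
                        "privileged": False, "runAsNonRoot": True,
                        "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]},
                        "seccompProfile": {"type": "RuntimeDefault"}}}],
}

if __name__ == "__main__":
    for label, spec in (("risky", RISKY_POD), ("default", DEFAULT_POD),
                        ("hardened", HARDENED_POD)):
        print(label, score_workload(spec))
```

Running the block scores the fully privileged, host-namespaced pod at 10.0, the bare default container (root, writable root filesystem, privilege escalation allowed) at 3.3, and the hardened pod at 0.0 because its remediation rules outweigh the remaining risk. The per-setting `findings` map is the part worth keeping in a real tool: it tells an operator which single setting to change to move the score.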

Note that kube-scan currently scans the cluster when it starts and re-scans it every 24 hours. If you want an up-to-date risk score sooner (for example, after installing a new app), restart the kube-scan pod.

You can read more and download this tool over here: https://github.com/octarinesec/kube-scan
