Skip to content

aquasecurity/kube-bench

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
10 branches 74 tags
Code

Latest commit

@dependabot @chen-keinan
dependabot[bot] and chen-keinan build(deps): bump docker/setup-buildx-action from 2 to 3 (#1497)
1393449 Dec 10, 2023
build(deps): bump docker/setup-buildx-action from 2 to 3 (#1497) 
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2 to 3.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v2...v3)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
1393449

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
build(deps): bump docker/setup-buildx-action from 2 to 3 (#1497)
December 10, 2023 14:07
cfg
fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)
December 3, 2023 09:06
check
chore: remove refs to deprecated io/ioutil (#1504)
December 5, 2023 10:52
cmd
chore: remove refs to deprecated io/ioutil (#1504)
December 5, 2023 10:52
docs
support CIS Kubernetes Benchmark v1.8.0 (#1527)
December 2, 2023 09:59
hack
Adding eks-stig-kubernetes-v1r6 (#1266)
September 14, 2022 17:40
hooks
adds kube-bench version to docker build hook (#524)
November 27, 2019 20:06
integration/testdata
fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)
December 3, 2023 09:06
internal/findings
Migrate to aws-sdk-go-v2 (#1268)
October 3, 2022 08:52
.gitignore
release: prepare v0.6.7-rc1 (#1136)
April 3, 2022 12:00
.golangci.yaml
chore(lint): setup golangci-lint (#1144)
April 5, 2022 16:25
.goreleaser.yml
add darwin builds (#1428)
April 18, 2023 21:15
.yamllint.yaml
Support Linting YAML as part of Travis CI build (#554)
January 6, 2020 09:18
CONTRIBUTING.md
Adding eks-stig-kubernetes-v1r6 (#1266)
September 14, 2022 17:40
Dockerfile
build(deps): bump golang from 1.21.1 to 1.21.3 (#1507)
November 3, 2023 18:33
Dockerfile.fips.ubi
build(deps): bump golang from 1.21.1 to 1.21.3 (#1507)
November 3, 2023 18:33
Dockerfile.ubi
build(deps): bump golang from 1.21.1 to 1.21.3 (#1507)
November 3, 2023 18:33
LICENSE
Initial commit
June 19, 2017 17:01
NOTICE
Create NOTICE (#199)
January 16, 2019 10:53
OWNERS
Create OWNERS
August 11, 2017 16:06
README.md
updates to the readme
October 2, 2023 12:39
codecov.yml
Improve Proxykubeconfig tests (#708)
October 7, 2020 21:53
entrypoint.sh
Set -e to fail fast
May 11, 2018 13:44
fipsonly.go
chore: add fips compliant images (#1473)
July 24, 2023 10:02
go.mod
build(deps): bump github.com/spf13/cobra from 1.6.1 to 1.8.0 (#1530)
December 8, 2023 08:07
go.sum
build(deps): bump github.com/spf13/cobra from 1.6.1 to 1.8.0 (#1530)
December 8, 2023 08:07
job-ack.yaml
fix: fully qualified image names (#1206)
June 17, 2022 18:01
job-aks.yaml
fix: fully qualified image names (#1206)
June 17, 2022 18:01
job-eks-asff.yaml
support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#…
May 21, 2023 17:53
job-eks-stig.yaml
Adding eks-stig-kubernetes-v1r6 (#1266)
September 14, 2022 17:40
job-eks.yaml
support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#…
May 21, 2023 17:53
job-gke.yaml
fix: fully qualified image names (#1206)
June 17, 2022 18:01
job-iks.yaml
fix: fully qualified image names (#1206)
June 17, 2022 18:01
job-master.yaml
Update job-master.yaml for K8s 1.24.x labels/tolerations (#1250) (#1251)
August 21, 2022 09:25
job-node.yaml
fix: fully qualified image names (#1206)
June 17, 2022 18:01
job-tkgi.yaml
add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452)
June 1, 2023 16:37
job.yaml
release: prepare-0.6.19 (#1511)
October 23, 2023 10:03
main.go
Fix issue #16 about supporting verbosity.
July 7, 2017 17:01
makefile
chore: add fips compliant images (#1473)
July 24, 2023 10:02
mkdocs.yml
Fixing typos (#899)
June 9, 2021 15:11
CIS Scanning as part of Trivy and the Trivy Operator Quick start Please Note Contributing Roadmap

README.md

GitHub Release Downloads Docker Pulls Go Report Card Build Status License Coverage Status

kube-bench logo

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kubernetes Bench for Security

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

  1. kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

  2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.

About

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

Topics

kubernetes openshift hacktoberfest cis-benchmark kube-bench kubernetes-security cis-kubernetes-benchmark cis-security

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

6.3k stars

Watchers

105 watching

Forks

1.1k forks
Report repository

Releases 63

v0.6.19 Latest
Oct 23, 2023
+ 62 releases

Packages

No packages published

Contributors 147

+ 133 contributors

Languages