kube-scan: Octarine k8s cluster risk assessment tool
Latest commit 5462e95 Jan 24, 2020


Try our free Kubernetes risk assessment tool today.
Run it on any cluster at any time. No data leaves your cluster. We do not collect any information.
For more information on Octarine see

Get the risk score of your workloads

Kube-Scan gives each workload a risk score from 0 (no risk) to 10 (high risk). The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System.

KCCSS is similar to the Common Vulnerability Scoring System (CVSS), the industry standard for rating vulnerabilities, but focuses instead on the configurations and security settings themselves. Vulnerabilities are always detrimental, but configuration settings can be insecure, neutral, or critical for protection or remediation. KCCSS scores both risks and remediations as separate rules, and allows users to calculate a risk for every runtime setting of a workload and then to calculate the total risk of the workload.


kubectl apply -f
kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80

Then set your browser to http://localhost:8080.

Using a load-balancer service

  • This method assumes you are using a cloud provider that provides load balancers.
kubectl apply -f

Then get the load-balancer address with

kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..ip}

or

kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..hostname}

depending on the load-balancer type.

Then set your browser to that address.
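
The two lookups above can be combined into one helper that waits until the cloud provider has assigned an address and then returns whichever of the IP or hostname is populated. This is an added example, not part of the kube-scan project; the function names and the KUBE_SCAN_TRIES and KUBE_SCAN_WAIT variables are hypothetical, while the namespace, service name and jsonpath expressions are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the kube-scan repository).
# Namespace, service name and jsonpath expressions come from this page;
# KUBE_SCAN_TRIES and KUBE_SCAN_WAIT are hypothetical knobs for this sketch.

lb_field() {
    # $1 is a jsonpath expression: {..ip} or {..hostname}.
    # It is passed quoted so the shell never interprets the braces.
    kubectl -n kube-scan get service kube-scan-ui -o "jsonpath=$1" 2>/dev/null
}

kube_scan_ui_address() {
    tries=${KUBE_SCAN_TRIES:-30}   # how many times to poll
    wait_s=${KUBE_SCAN_WAIT:-10}   # seconds between polls
    i=0
    while [ "$i" -lt "$tries" ]; do
        # Which field is set depends on the load-balancer type.
        for expr in '{..ip}' '{..hostname}'; do
            addr=$(lb_field "$expr") || addr=""
            # Several ingress entries come back space-separated; keep the first.
            addr=${addr%% *}
            if [ -n "$addr" ]; then
                printf '%s\n' "$addr"
                return 0
            fi
        done
        # Both fields empty: the load balancer is still being provisioned.
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then
            sleep "$wait_s"
        fi
    done
    echo "kube-scan-ui has no load-balancer address yet" >&2
    return 1
}
```

Calling kube_scan_ui_address prints the address to open in the browser, or returns a non-zero status if none was assigned within the polling window.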

Building from source code

Build the server image (from root folder)

cd server
docker build -t SERVER_TAG_NAME .
docker push SERVER_TAG_NAME

Build the client image (from root folder)

cd client
docker build -t CLIENT_TAG_NAME .
docker push CLIENT_TAG_NAME

Set the kube-scan container images in the desired yaml (from root folder):

  • kube-scan container with SERVER_TAG_NAME
  • kube-scan-ui container with CLIENT_TAG_NAME

Apply the desired yaml and follow the "quick start" or "using load-balancer" instructions.


kubectl delete -f kube-scan.yaml

In case of using a load-balancer:

kubectl delete -f kube-scan-lb.yaml


Risk score

Risk details
