LinuxCommandLibrary

k8s-unused-secret-detector

Find unused Kubernetes secrets in your cluster

TLDR

Detect unused secrets
$ k8s-unused-secret-detector

Detect unused secrets in a specific namespace
$ k8s-unused-secret-detector [[-n|--namespace]] [namespace]

Delete unused secrets in a specific namespace
$ k8s-unused-secret-detector [[-n|--namespace]] [namespace] | kubectl delete secrets [[-n|--namespace]] [namespace]

SYNOPSIS

k8s-unused-secret-detector [OPTIONS]

PARAMETERS

--all-namespaces, -A
    Scan all namespaces (default false)

--namespace, -n stringArray
    Namespaces to scan (comma-separated)

--kubeconfig, -k string
    Path to kubeconfig file

--context string
    Kubernetes context to use

--output, -o string
    Output format: table|json|yaml (default table)

--label-selector string
    Label selector for resources to consider

--ignore-labels stringArray
    Labels to ignore on secrets (comma-separated)

--dry-run
    Simulate scan without reporting

--help, -h
    Show help

--version, -v
    Print version

DESCRIPTION

The k8s-unused-secret-detector is a lightweight CLI tool for identifying unused Kubernetes secrets across namespaces.

It scans pods, deployments, statefulsets, daemonsets, and jobs to determine if secrets are mounted as volumes or referenced via environment variables. Unused secrets are flagged for potential cleanup, helping reduce security risks from lingering sensitive data like API keys, passwords, or tokens.

Designed for security audits and cluster hygiene, it supports multi-namespace scans and various output formats. The tool uses the Kubernetes API to fetch resources without direct cluster modifications, making it safe for production use.

Key features include label-based filtering, dry-run mode for verification, and JSON/YAML exports for integration with CI/CD pipelines or reporting tools.
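The reference-tracking idea the description sketches (a secret counts as used when a pod template mounts it as a volume, reads it through an env var, loads it through envFrom, or lists it under imagePullSecrets) can be shown without a cluster. The script below is an added example written for this page, not code from the k8s-unused-secret-detector project; it runs over constructed, in-memory workload and Secret objects that mimic the relevant fragments of the Kubernetes API types. The `ignore_labels` parameter follows the page's `--ignore-labels` option, interpreted here (an assumption) as "skip any Secret carrying one of these label keys". Projected-volume and init-container references are included because a scanner that forgets them reports false positives, which is the dangerous direction when the output is piped into `kubectl delete`.

```python
"""Find Secrets that no scanned workload references (added example, not the project's code)."""

# Constructed sample data: only the PodSpec fields that can name a Secret.
SAMPLE_WORKLOADS = [
    {
        "kind": "Deployment",
        "metadata": {"name": "api", "namespace": "prod"},
        "podSpec": {
            "containers": [{
                "name": "api",
                "env": [{"name": "DB_PASSWORD",
                         "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
                "envFrom": [{"secretRef": {"name": "api-config"}}],
            }],
            "volumes": [
                {"name": "tls", "secret": {"secretName": "api-tls"}},
                {"name": "combined", "projected": {"sources": [
                    {"secret": {"name": "ca-bundle"}},
                    {"configMap": {"name": "some-cm"}},  # ConfigMap, not a Secret
                ]}},
            ],
            "imagePullSecrets": [{"name": "registry-pull"}],
        },
    },
    {
        "kind": "Job",
        "metadata": {"name": "migrate", "namespace": "prod"},
        "podSpec": {
            "initContainers": [{"name": "wait", "env": [
                {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "migrate-token", "key": "t"}}}]}],
            "containers": [{"name": "migrate"}],
        },
    },
]

SAMPLE_SECRETS = [
    {"metadata": {"name": "db-creds", "namespace": "prod"}},
    {"metadata": {"name": "api-config", "namespace": "prod"}},
    {"metadata": {"name": "api-tls", "namespace": "prod"}},
    {"metadata": {"name": "ca-bundle", "namespace": "prod"}},
    {"metadata": {"name": "registry-pull", "namespace": "prod"}},
    {"metadata": {"name": "migrate-token", "namespace": "prod"}},
    {"metadata": {"name": "old-api-key", "namespace": "prod"}},        # nothing references it
    {"metadata": {"name": "sa-token-abc", "namespace": "prod",         # owned by a ServiceAccount
                  "labels": {"kubernetes.io/service-account.name": "default"}}},
    {"metadata": {"name": "db-creds", "namespace": "staging"}},        # same name, other namespace
]


def referenced_secrets(pod_spec):
    """Return the set of Secret names a single PodSpec references directly."""
    refs = set()
    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or []) \
        + (pod_spec.get("ephemeralContainers") or [])
    for c in containers:
        for env in c.get("env") or []:                       # env[].valueFrom.secretKeyRef
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
        for ef in c.get("envFrom") or []:                    # envFrom[].secretRef
            if ef.get("secretRef"):
                refs.add(ef["secretRef"]["name"])
    for v in pod_spec.get("volumes") or []:
        if "secret" in v:                                    # plain secret volume
            refs.add(v["secret"]["secretName"])
        for src in (v.get("projected") or {}).get("sources") or []:
            if "secret" in src:                              # projected volume source
                refs.add(src["secret"]["name"])
    for ips in pod_spec.get("imagePullSecrets") or []:
        refs.add(ips["name"])
    return refs


def find_unused_secrets(secrets, workloads, ignore_labels=()):
    """Return sorted (namespace, name) pairs for Secrets no workload in that namespace uses.

    References are scoped per namespace: a Secret can only be consumed by pods in
    its own namespace, so 'db-creds' in staging is not covered by prod's usage.
    Secrets carrying any label key in ignore_labels are skipped (assumed semantics
    of --ignore-labels). Indirect use (names stored in ConfigMaps, consumption by
    controllers or CRDs) is invisible to this scan, as the CAVEATS section warns.
    """
    used = set()
    for w in workloads:
        ns = w["metadata"]["namespace"]
        used.update((ns, name) for name in referenced_secrets(w["podSpec"]))
    unused = []
    for s in secrets:
        meta = s["metadata"]
        if any(k in (meta.get("labels") or {}) for k in ignore_labels):
            continue
        key = (meta["namespace"], meta["name"])
        if key not in used:
            unused.append(key)
    return sorted(unused)


if __name__ == "__main__":
    for ns, name in find_unused_secrets(SAMPLE_SECRETS, SAMPLE_WORKLOADS,
                                        ignore_labels=("kubernetes.io/service-account.name",)):
        print(f"{ns}/{name}")
```

Run stand-alone it lists `prod/old-api-key` and `staging/db-creds`; without the ignore label the ServiceAccount token Secret is reported as well, which is why label-based exclusion matters before any cleanup step consumes the list.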

CAVEATS

Requires read permissions for secrets, pods, deployments, statefulsets, daemonsets, and jobs.
May miss dynamically created secrets or those used indirectly via configmaps.

INSTALLATION

go install github.com/castai/k8s-unused-secret-detector@latest
Or download binaries from GitHub releases.

EXAMPLE USAGE

k8s-unused-secret-detector -A -o json > unused-secrets.json

HISTORY

Originally developed by CAST AI in 2022 for internal cluster optimization.
Open-sourced on GitHub; actively maintained with v0.5.0 as latest (2024).

SEE ALSO

kubectl(1), k9s(1), kube-score(1)
