LinuxCommandLibrary

k8sec

Scan Kubernetes resources for security risks

TLDR

List all secrets
$ k8sec list

List a specific secret as a base64-encoded string
$ k8sec list [secret_name] --base64

Set a secret's value
$ k8sec set [secret_name] [key=value]

Set a base64-encoded value
$ k8sec set --base64 [secret_name] [key=encoded_value]

Unset a secret
$ k8sec unset [secret_name]

Load secrets from a file
$ k8sec load [[-f|--filename]] [path/to/file] [secret_name]

Dump secrets to a file
$ k8sec dump [[-f|--filename]] [path/to/file] [secret_name]

SYNOPSIS

k8sec audit [flags]

PARAMETERS

--benchmark
    Benchmark to use: cis-1.5, cis-1.6, etcd, or kube-apiserver-config

--file, -f
    Path to Kubernetes YAML/JSON file(s) or directory for static audit

--kubeconfig
    Path to kubeconfig file for live cluster audit

--namespace
    Namespace to audit (default: all)

--html-report
    Generate HTML report file

--json-report
    Generate JSON report file

--gauge
    Display compliance gauge

--quiet, -q
    Suppress non-essential output

--print-no-fix
    Include controls without fixes

--resolve-fqdn
    Resolve FQDN for image names

--values
    Custom values for Helm-like templating

DESCRIPTION

k8sec is a lightweight, open-source command-line tool designed to audit Kubernetes clusters and configurations for security compliance. It performs static analysis on Kubernetes YAML manifests and dynamic audits on live clusters, checking against established benchmarks such as the CIS Kubernetes Benchmark (versions 1.5, 1.6), etcd security, and kube-apiserver configurations.

It identifies misconfigurations, weak RBAC policies, exposed secrets, and other weaknesses that could lead to privilege escalation or unauthorized access. k8sec supports both local file scanning and remote cluster audits via kubeconfig, producing human-readable output with a result level per check (PASS, WARN, FAIL) and remediation suggestions.

Ideal for DevSecOps workflows, it integrates easily into CI/CD pipelines for pre-deployment checks. Unlike heavier tools, k8sec is fast, requiring no agents, and outputs reports in plain text, JSON, or HTML formats for easy sharing and archiving. Developed with a focus on simplicity, it helps teams enforce security best practices without deep Kubernetes expertise.

CAVEATS

Live cluster audits require read access to the cluster API server; static mode does not detect runtime issues; checks are limited to the supported benchmarks.

INSTALLATION

Install via go install github.com/alcideio/k8sec@latest or download binaries from GitHub releases.

EXAMPLE USAGE

k8sec audit --kubeconfig ~/.kube/config --benchmark cis-1.6 --html-report report.html
Audits the cluster reachable through the given kubeconfig against the CIS 1.6 benchmark and writes an HTML report to report.html.

HISTORY

Originally developed by Alcide (now Cisco) in 2019 as an open-source tool. Actively maintained on GitHub with contributions focusing on new benchmarks and output formats. Widely adopted in Kubernetes security tooling ecosystems.

SEE ALSO

kubectl(1), kube-bench(1), kubescore(1)