kubesec
Kubesec is a static analysis tool for scanning Kubernetes manifests and identifying security risks through rule-based scoring. It operates as a CLI tool, Docker container, or HTTP service, assigning security scores to resources based on configuration best practices.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | controlplaneio/kubesec |
| Owner | controlplaneio |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.5k |
| Forks | 107 |
| Open issues | 27 |
| Latest release | v2.14.2 (2024-11-22) |
| Last updated | 2026-06-29 |
| Source | https://github.com/controlplaneio/kubesec |
What kubesec is
Written in Go, Kubesec analyzes Kubernetes resource YAML/JSON by applying 40+ security rules (selectors matching specific fields) and produces scored results indicating critical, advised, and informational security issues. The v2 API deprecates v1; it supports custom schema locations for airgap environments and integrates with kubeconform for manifest validation.
Get the kubesec source
Clone the repository and explore it locally.
git clone https://github.com/controlplaneio/kubesec.gitcd kubesec# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- v1 API is deprecated; migrate workflows to v2 before support ends.
- Rules are opinionated and fixed; no documented way to customize or disable specific rules without forking.
- HTTP server mode is bundled but requires separate infrastructure/orchestration if running at scale.
- Scanning performance and rule coverage scale with Go binary; benchmarks not provided.
- Public hosted API (v2.kubesec.io/scan) exists but README warns against submitting sensitive YAML; self-hosted deployment necessary for production secrets.
When to avoid it — and what to weigh
- Need runtime behavior analysis — Kubesec performs static analysis only; it cannot detect exploits, misconfigurations that manifest only at runtime, or policy violations from actual pod execution.
- Require FIPS/compliance certification — No data provided on FIPS, SOC 2, or other compliance certifications; requires review before regulated deployments.
- Operating in complete air-gap with no schema flexibility — Requires external schema downloads or embedded schemas; airgap use possible but demands upfront environment setup.
- Looking for a comprehensive security platform — Kubesec focuses narrowly on manifest static analysis; does not cover image scanning, RBAC audits, network policies, or supply chain security.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license allowing commercial use, modification, and distribution with attribution and liability disclaimers.
Apache-2.0 is a permissive open-source license compatible with commercial deployment. Kubesec may be used, modified, and integrated into proprietary products without license restrictions. However, ControlPlane's hosted service (v2.kubesec.io/scan) is a separate offering with its own terms (best-effort, not for sensitive data); self-hosting avoids dependency on third-party service terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Kubesec identifies misconfigurations in Kubernetes manifests (e.g., missing security contexts, privileged capabilities); it is itself a security scanning tool, not a security mechanism. No data provided on: input validation (YAML bomb risk), code audit history, dependency vulnerabilities, or its own supply chain security. Public API service warns users not to submit sensitive manifests. Self-hosted deployment isolates manifests. Scoring rules are built-in and fixed; cannot be verified as complete or accurate without independent review.
Alternatives to consider
Kube-bench
CNCF project for auditing Kubernetes cluster compliance against CIS benchmarks; focuses on runtime cluster configuration rather than manifests.
Kyverno
Kubernetes-native policy engine with admission control and CLI; more flexible rule authoring and cluster-integrated enforcement than Kubesec.
Polaris (Fairwinds)
Broader manifest and cluster auditing tool; includes workload scoring, dashboard, and hosted multi-cluster management (requires paid SaaS for some features).
Build on kubesec with DEV.co software developers
Download Kubesec or self-host the HTTP server to integrate security scanning into your Kubernetes workflow today.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
kubesec FAQ
Can I disable or customize specific security rules?
Is the public v2.kubesec.io/scan service suitable for production?
What Kubernetes versions are supported?
How often are rules updated and can I contribute new ones?
Software development & web development with DEV.co
Adopting kubesec is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Scan Your Kubernetes Manifests for Security Risks
Download Kubesec or self-host the HTTP server to integrate security scanning into your Kubernetes workflow today.