DEV.co
Open-Source Security · controlplaneio

kubesec

Kubesec is a static analysis tool for scanning Kubernetes manifests and identifying security risks through rule-based scoring. It operates as a CLI tool, Docker container, or HTTP service, assigning security scores to resources based on configuration best practices.

Source: GitHub — github.com/controlplaneio/kubesec
1.5k
GitHub stars
107
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorycontrolplaneio/kubesec
Ownercontrolplaneio
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars1.5k
Forks107
Open issues27
Latest releasev2.14.2 (2024-11-22)
Last updated2026-06-29
Sourcehttps://github.com/controlplaneio/kubesec

What kubesec is

Written in Go, Kubesec analyzes Kubernetes resource YAML/JSON by applying 40+ security rules (selectors matching specific fields) and produces scored results indicating critical, advised, and informational security issues. The v2 API deprecates v1; it supports custom schema locations for airgap environments and integrates with kubeconform for manifest validation.

Quickstart

Get the kubesec source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/controlplaneio/kubesec.gitcd kubesec# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Continuous Integration/CD Pipeline Gate

Embed Kubesec HTTP mode or CLI in CI/CD to fail deployments exceeding a security score threshold before reaching production.

Kubernetes Admission Control

Deploy via kubesec-webhook to intercept and reject Kubernetes API requests that fail security rules at admission time.

Manifest Compliance Audit

Scan existing Helm charts and YAML manifests to inventory security posture and identify remediation priorities across teams.

Implementation considerations

  • v1 API is deprecated; migrate workflows to v2 before support ends.
  • Rules are opinionated and fixed; no documented way to customize or disable specific rules without forking.
  • HTTP server mode is bundled but requires separate infrastructure/orchestration if running at scale.
  • Scanning performance and rule coverage scale with Go binary; benchmarks not provided.
  • Public hosted API (v2.kubesec.io/scan) exists but README warns against submitting sensitive YAML; self-hosted deployment necessary for production secrets.

When to avoid it — and what to weigh

  • Need runtime behavior analysis — Kubesec performs static analysis only; it cannot detect exploits, misconfigurations that manifest only at runtime, or policy violations from actual pod execution.
  • Require FIPS/compliance certification — No data provided on FIPS, SOC 2, or other compliance certifications; requires review before regulated deployments.
  • Operating in complete air-gap with no schema flexibility — Requires external schema downloads or embedded schemas; airgap use possible but demands upfront environment setup.
  • Looking for a comprehensive security platform — Kubesec focuses narrowly on manifest static analysis; does not cover image scanning, RBAC audits, network policies, or supply chain security.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license allowing commercial use, modification, and distribution with attribution and liability disclaimers.

Apache-2.0 is a permissive open-source license compatible with commercial deployment. Kubesec may be used, modified, and integrated into proprietary products without license restrictions. However, ControlPlane's hosted service (v2.kubesec.io/scan) is a separate offering with its own terms (best-effort, not for sensitive data); self-hosting avoids dependency on third-party service terms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kubesec identifies misconfigurations in Kubernetes manifests (e.g., missing security contexts, privileged capabilities); it is itself a security scanning tool, not a security mechanism. No data provided on: input validation (YAML bomb risk), code audit history, dependency vulnerabilities, or its own supply chain security. Public API service warns users not to submit sensitive manifests. Self-hosted deployment isolates manifests. Scoring rules are built-in and fixed; cannot be verified as complete or accurate without independent review.

Alternatives to consider

Kube-bench

CNCF project for auditing Kubernetes cluster compliance against CIS benchmarks; focuses on runtime cluster configuration rather than manifests.

Kyverno

Kubernetes-native policy engine with admission control and CLI; more flexible rule authoring and cluster-integrated enforcement than Kubesec.

Polaris (Fairwinds)

Broader manifest and cluster auditing tool; includes workload scoring, dashboard, and hosted multi-cluster management (requires paid SaaS for some features).

Software development agency

Build on kubesec with DEV.co software developers

Download Kubesec or self-host the HTTP server to integrate security scanning into your Kubernetes workflow today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

kubesec FAQ

Can I disable or customize specific security rules?
Not clearly documented. Rules appear to be hardcoded; customization would require code modification or forking.
Is the public v2.kubesec.io/scan service suitable for production?
No; README states it is 'best effort' and warns against submitting sensitive YAML. Use self-hosted HTTP mode for production workflows.
What Kubernetes versions are supported?
Tool supports custom schema locations and `--kubernetes-version` flag for validation; no explicit minimum/maximum version stated.
How often are rules updated and can I contribute new ones?
Latest release 2024-11-22 suggests active updates. CONTRIBUTING.md exists but not detailed in data; assume standard GitHub PR process.

Software development & web development with DEV.co

Adopting kubesec is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Scan Your Kubernetes Manifests for Security Risks

Download Kubesec or self-host the HTTP server to integrate security scanning into your Kubernetes workflow today.