by octarinesec

octarinesec / kube-scan

kube-scan: Octarine k8s cluster risk assessment tool

517 Stars 51 Forks Last release: Not found MIT License 136 Commits 3 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


Try our free Kubernetes risk assessment tool today.
Run it on any cluster at any time. No data leaves your cluster. We do not collect any information.
For more information on Octarine see https://www.octarinesec.com.

Get the risk score of your workloads

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System.

KCCSS is similar to the Common Vulnerability Scoring System (CVSS), the industry-standard for rating vulnerabilities, but instead focuses on the configurations and security settings themselves. Vulnerabilities are always detrimental, but configuration settings can be insecure, neutral, or critical for protection or remediation. KCCSS scores both risks and remediations as separate rules, and allows users to calculate a risk for every runtime setting of a workload and then to calculate the total risk of the workload.

Please notice that kube-scan currently scans the cluster when starting and will re-scan it every 24 hours. Thus, if you want to get an up-to-date risk score (e.g. after installing a new app), you should restart the kube-scan pod.


kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml
kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80

Then set your browser to


Using a load-balancer service

  • This method assumes you are using a cloud provider that provides load balancers.
    kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan-lb.yaml
    Then get the load-balancer address by
    kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..ip}
    kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..hostname}
    depending on the load-balancer type.

Then set your browser to that address.

Using the API

If you applied kube-scan to your cluster with the load balancer service:

"HOST" refers to the external ip of the service.

If you used port-forward:

"HOST" refers to "localhost:8080"

Getting all of the risks in your cluster:

GET http://HOST/api/risks

Requesting the kube-scan service to calculate again the risks (in case a resource was changed):

POST http://HOST/api/refresh

This might be a long operation - depending on the cluster size, so you can pull the refresh operation status:

GET http://HOST/api/refreshing_status

Building from source code

Build the server image (from root folder)

cd server
docker build -t SERVER_TAG_NAME .
docker push SERVER_TAG_NAME

Build the client image (from root folder)

cd client
docker build -t CLIENT_TAG_NAME .
docker push CLIENT_TAG_NAME

Set kube-scan containers images on the desired yaml (from root folder) kube-scan container with SERVERTAGNAME kube-scan-ui container with CLIENTTAGNAME

Apply the desired yaml and use "quick start" or "using load-balancer" instructions


kubectl delete -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml

In case of using a load-balancer:

kubectl delete -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan-lb.yaml


Risk score

Risk details

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.