Kubescape
Kubescape is an open-source policy engine that scans Kubernetes YAML and live clusters for misconfigurations against the CIS benchmarks and custom rules, generating reports of compliance gaps in deployments. Run its CLI on manifests or live clusters to get risk scores, and integrate it with CI for pre-merge checks. From ARMO, it's the policy pioneer for K8s admins templating secure configs from the start.

Falco
Falco is a runtime security tool that monitors syscalls in containers, using YAML rules to detect anomalies such as privilege escalation or crypto mining in K8s. Deploy it via eBPF or a kernel module and stream alerts to Slack or Kafka for incident response. Open-source from Sysdig, it's the syscall sentinel for ops teams templating behavioral guards around workloads.

Kube-bench
Kube-bench audits clusters against the CIS benchmarks, checking etcd configuration and RBAC for misconfigurations, with YAML output for remediation in security baselines. Run its Go binary on nodes for scored reports, and script it for automated compliance checks. Open-source from Aqua Security, it's the benchmark barker for K8s teams enforcing standards systematically.

KubeLinter
KubeLinter is a YAML linter for K8s manifests, flagging issues such as missing resource limits or privileged containers with 50+ rules for pre-deploy security. Integrate it via Helm or as a kubectl plugin for PR scans, with SARIF output for GitHub. Open-source from StackRox, it's the lint locksmith for devs locking down configs early.

Kyverno
Kyverno enforces custom YAML policies in K8s via admission webhooks, validating or mutating resources (for example, adding labels for compliance) without the complexity of Rego. Define policies as CRDs and apply them with kubectl for cluster-wide guards. Open-source from Nirmata, it's the policy puppeteer for admins templating declarative security.

Gatekeeper
Gatekeeper is the OPA-based admission controller for K8s, templating Rego policies as CRDs to block non-compliant pods or secrets at the gate. Install it via Helm, author constraints for RBAC or image policies, and audit violations. Open-source from open-policy-agent, it's the gate guardian for K8s enforcers templating policy as code.

Kube-hunter
Kube-hunter is an active scanner that probes clusters for attack paths such as RBAC escalation or kubelet exposure, simulating threats and producing YAML reports for hardening. Run its Python CLI against remote targets for node hunts, customizing the scope to focus the scan. Open-source from Aqua Security, it's the hunter hound for red-teamers templating K8s vuln paths.

Kubeaudit
Kubeaudit audits YAML manifests for RBAC gaps and policy violations, generating SARIF for IDE integration in pre-commit security reviews. Run its Go CLI on files for categorized warnings, suppressing false positives with comments. Open-source from Shopify, it's the YAML yardstick for K8s devs measuring access risks statically.

Trivy
Trivy's K8s scanner probes pods and nodes for CVEs in images and for misconfigurations in configs, using YAML policies for misconfig detection in container security audits. Run its Go binary against clusters for layered reports with fixes. Open-source from Aqua Security, it's the vuln verifier for ops templating runtime checks in K8s.

Kube-score