01Overview
Kubernetes Security Posture Management (KSPM) Scanner is an agentless, single-file Python tool that connects to a live cluster through your existing kubeconfig or in-cluster service account and runs a comprehensive security posture assessment against the Kubernetes API. There are no agents, sidecars, or DaemonSets to deploy — it reads the cluster read-only and needs only the `kubernetes` Python client, with every other dependency degrading gracefully when absent.
Under the hood it ships roughly 146 discrete rules organized into 19 check groups spanning RBAC, workload/pod hardening, images, network policy, namespaces, secrets, service accounts, control-plane configuration, storage, admission control, nodes, availability (PDB/HPA), service mesh, deprecated APIs, runtime/ephemeral containers, advanced graph-based RBAC, supply chain, and Kyverno policy health. A v2.0.0 policy engine layers a custom YAML policy DSL, OPA/Rego execution (via the `opa` binary), and Kyverno validation on top of the built-in checks, so teams can codify their own guardrails without forking the scanner.
It is built for platform and security engineers who need CI/CD-friendly, benchmark-aligned cluster assessments. Every finding is mapped across six compliance frameworks — CIS Kubernetes Benchmark, NSA/CISA Hardening Guide, MITRE ATT&CK for Containers, SOC 2, PCI-DSS v4.0, and NIST SP 800-190 — and results export to five formats including SARIF v2.1.0 for the GitHub Security tab and PDF executive summaries. Baseline profiles (dev/staging/production), an exception allow-list, RBAC baseline drift tracking, scan-to-scan diffing, multi-cluster runs, and Slack/Teams webhooks make it practical to wire directly into pipeline gates, where a non-zero exit code on CRITICAL/HIGH findings fails the build.
What makes it notable is the depth beyond a static config linter: graph-based RBAC escalation-path analysis, supply-chain checks that drive Trivy/Grype CVE scans plus cosign signature verification and SBOM generation, and managed-cluster awareness that degrades control-plane checks to informational findings on EKS/GKE/AKS where the API server is not a visible pod.
02Key Capabilities
Agentless live-cluster scanning
Assesses posture by querying the Kubernetes API through kubeconfig or in-cluster config — no pods, sidecars, or DaemonSets required, and all checks are strictly read-only.
~150 checks across 19 groups
Roughly 146 rules covering RBAC, pod/workload hardening, images, network, namespaces, secrets, service accounts, cluster config, storage, admission, nodes, availability, mesh, deprecated APIs, and runtime security.
v2.0.0 policy engine
Define custom checks in a YAML policy DSL, run OPA/Rego policies via the opa binary, and validate Kyverno policy health — all pluggable via --policy-dir, --rego-dir, and cluster detection.
Graph-based advanced RBAC analysis
Builds a SA→RoleBinding→Role permission graph to surface multi-hop escalation paths, dormant service accounts, orphaned bindings, and overly broad roles beyond simple wildcard matching.
Supply chain & image security
Drives Trivy/Grype CVE scanning, cosign signature verification, SBOM generation, EOL/insecure base-image detection, and registry allow-list enforcement via --trusted-registries.
Six compliance frameworks
Every finding is mapped to CIS, NSA/CISA, MITRE ATT&CK for Containers, SOC 2, PCI-DSS v4.0, and NIST 800-190, with a per-framework coverage dashboard in the HTML report.
Baseline profiles & exceptions
Built-in dev/staging/production profiles tune severity thresholds and suppressions, while a YAML/JSON exception file allow-lists accepted findings using glob matching on rule ID and resource.
RBAC drift & scan diffing
Save an RBAC baseline and compare later to detect permission drift, and diff two scan JSONs to see new, resolved, and persistent findings with severity deltas.
Multi-cluster scanning
Scan several contexts in a single run with --contexts, producing consolidated summaries and per-cluster reports.
Five output formats
Colored console, machine-readable JSON, interactive dark-themed HTML, SARIF v2.1.0 for GitHub Security, and PDF executive summaries (reportlab with a stdlib fallback).
CI/CD gating & notifications
Returns exit code 1 on CRITICAL/HIGH findings for pipeline gates, and pushes severity summaries to Slack and Microsoft Teams webhooks.
Managed-cluster awareness
Gracefully handles EKS/GKE/AKS where the API server is not a visible pod, downgrading control-plane checks to informational findings instead of failing.
03Architecture
A single-file Python scanner (kspm_scanner.py, ~5,600 LOC) built around a Finding class and a KSPMScanner class that connects to the Kubernetes API, runs ~20 grouped `_check_*` methods, applies the v2.0.0 policy engine and profile/exception filters, then serializes results through five reporter methods. Data flows from live API collection to per-group rule evaluation to compliance-mapping enrichment to multi-format export.
04Project Structure
kspm_scanner.pyThe entire scanner — Finding class, KSPMScanner engine, all check groups, policy engine, compliance maps, and all reporters (~5,600 LOC, single file by design).README.mdFull documentation: feature list, 19 check-group table, policy-engine DSL examples, CIS/compliance mappings, CLI reference, and required RBAC.CLAUDE.mdArchitecture and contributor guide — core pattern, rule-ID convention table, severity model, output formats, and versioned roadmap (v1.1.0→v2.0.0).test_data/test_kspm_scanner.pyUnittest suite (82 tests in TestKSPMScanner) exercising rule logic against mocked Kubernetes objects.test_data/run_test.pyIntegration harness that mocks the kubernetes client with a deliberately insecure fake cluster to drive every check group end-to-end.banner.svgProject banner rendered at the top of the README.LICENSEMIT license..gitignoreExcludes IDE and local artifact files from the repo.05Security Controls
06Technology Stack
- Language
- Python 3.8+ (single-file scanner)
- Required dependency
- kubernetes (official Python client)
- Optional dependencies
- reportlab (PDF), PyYAML (policies/exceptions), opa binary (Rego)
- External tools (supply chain)
- Trivy / Grype (CVE), cosign (signatures), Syft/Trivy (SBOM)
- Testing
- unittest — 82 tests in test_kspm_scanner.py plus a mock-cluster integration harness (run_test.py)
- Output formats
- Console, JSON, HTML, SARIF v2.1.0, PDF
- Deployment
- Run directly via python kspm_scanner.py using kubeconfig or in-cluster config; no build step
07Quick Start
$ pip install kubernetes # only required dependency (reportlab, pyyaml, opa are optional) $ python kspm_scanner.py --html report.html --json scan.json # scan default kubeconfig, write reports $ python kspm_scanner.py --profile production --severity HIGH # strict CI gate, exit 1 on CRITICAL/HIGH $ python kspm_scanner.py --sarif results.sarif # SARIF v2.1.0 for the GitHub Security tab $ python kspm_scanner.py --policy-dir ./policies/ --rego-dir ./rego/ --exceptions exceptions.yaml # custom policy engine $ python kspm_scanner.py --contexts dev,staging,prod --baseline-compare rbac-baseline.json # multi-cluster + RBAC drift
08Compliance & Frameworks
09Integrations & Outputs
Explore Kubernetes KSPM
Full source, documentation, and deployment guides live on GitHub.