An asterisk (*) marks a personal preference/pick.
See also "Scanning tools for containers and IaC" in this Wiki site.
| Product name | Types of input | Integrations | Comment |
|---|---|---|---|
| Kubescape by Armosec | A running cluster* | Armo portal | Runs inside Kubernetes and checks against best practices such as the NSA-CISA hardening guidance and MITRE ATT&CK |
| [kube-linter by Stackrox](https://github.com/stackrox/kube-linter) | YAML, Helm charts | | Best practice focused. No seccomp check yet |
| kube-score | Kubernetes YAML, Helm charts | | Static code analysis of Kubernetes objects with recommendations for improved reliability and security; aims to prevent downtime and bugs before deployment |
| Kyverno | Kubernetes resources | | Cloud-native policy management |
| OPA | Structured data (JSON/YAML), policies written in Rego | | Open Policy Agent (OPA) is an open source, general-purpose policy engine |
| Falco | Linux system calls | | Runtime tool* for detecting and reporting security events |
| KICS by Checkmarx | Mainly IaC, Dockerfile* and Kubernetes (YAML) | Major CI/CD | Does not scan Docker images |
| Trivy by Aqua Security | Dockerfile, Docker images* (supports multiple architectures), Kubernetes, Terraform, static application binaries/libraries | GitHub Actions | Vulnerability DB focused |
| Trivy operator by Aqua Security | A running cluster | | In-cluster security scans |
| Grype by Anchore | | | |
| CIS Benchmark for K8S | | | |
| Starboard by Aqua Security | A running Kubernetes cluster | | Superseded by Trivy operator. Uses Trivy for scanning in addition to rulesets for Kubernetes |
| Terrascan by Tenable/Accurics | Terraform, Kubernetes (YAML, JSON?), Helm, Dockerfile and cloud resources | Mainstream products | Static code analysis, best practice focused. Problems scanning AWS CloudFormation templates. Seems unable to detect that a seccomp profile is enabled. Last release 2024-Sep |
| Snyk | IaC (Ansible not supported; some CloudFormation is not scanned), Kubernetes YAML, Docker images. Static code analysis* | Major CI/CD*, web console | Seems to have no seccomp check |
| Polaris by FairWindsOps | Kubernetes resource files (YAML/JSON), existing namespaces/resources from a cluster | GitHub Actions and other CI/CD | Best practice focused. Seems to have no seccomp check |
| ThreatMapper by Deepfence | Docker images, Kubernetes resources, Fargate serverless | | Needs more resources to run |
| Kubesec by controlplane | Kubernetes resources (YAML/JSON) | | Not all resources are supported. Seems unable to detect seccomp enabled via annotations |
| RBAC tool by Rapid7 | Cluster RBAC (roles and bindings) | | |
| Kubeconform | Kubernetes manifests (YAML) | | A fast Kubernetes manifest validator with support for Custom Resources |
| Krane | Cluster RBAC | | RBAC analysis and visualization tool |
| kube-bench by AquaSec | Cluster deployment and config files* | | Checks against the CIS benchmark. Not (yet) supporting K3s |
| kube-hunter by AquaSec | A running cluster, network perspective* | | Checks for weaknesses in the cluster. Does not support remote scans of EKS. Last release 2022-May |
| Popeye | Live clusters | | Sanitizer*. Searches for misconfigurations and unused resources |
| OpenClarity | Workers and nodes (virtual machines) | | Open source tool for agentless detection and management of VM Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations and leaked secrets. Previously Kubei by Portshift |
| Peirates | | | Penetration testing tool |
| KubiScan by Cyberark | Cluster RBAC | | Checks for risky permissions. Last release 2023-Jun |
| kube-psp-advisor by Sysdig Labs | | | Assists in writing Pod Security Policies (PSP). Last release 2022-Sep |
| Kubestriker | | | Security auditing. Last release 2021-May |
| Kubeaudit by Shopify | Kubernetes resources (YAML)* and existing namespaces* | | Repository archived on 2024-Oct-31 |
| Datree | Kubernetes resources (YAML) and Helm charts | | Repository archived on 2024-June-6. Uses policies to avoid misconfiguration in Kubernetes |