
k8scan — Kubernetes security scanner with 123+ checks, read-only, production-safe (HTML/SARIF/JSON output)
A friend of mine recently built an interesting open-source project called **k8scan**, a read-only Kubernetes security scanner written in Go.
It's designed for security engineers and DevOps teams who want to understand their cluster's security posture without introducing risk to production environments.
→ Repo: https://github.com/alperenkesk/k8scan
→ Web: https://k8scan.com
Some highlights:
* 123+ security checks across 8 categories (containers, RBAC, secrets, networking, control plane, workloads, images, and runtime threats)
* Detects misconfigurations, privilege-escalation paths, exposed secrets, and potential container escape vectors
* Supports 5 output formats: terminal, JSON, HTML, SARIF 2.1.0, and Markdown
* CIS Benchmark mapping for every finding
* Read-only PoC validation commands to help verify findings safely
* Static analysis support for YAML manifests, Helm charts, and Kustomize overlays
What I found particularly interesting:
* Read-only by design (only get/list/watch permissions)
* Single static binary with no external dependencies
* A "Capability Break" engine that correlates findings into actual security boundary violations
* CI/CD-friendly with SARIF support and fail-on-severity options
* Can run locally with kubectl or directly inside a cluster as a Job/CronJob
The HTML report is also quite polished and includes an attack graph to visualize possible lateral movement paths.
Thought some people here might find it useful. Feedback, bug reports, and feature requests are always appreciated.