Directories
¶
| Path | Synopsis |
|---|---|
|
Package analyzer orchestrates the individual security analysis modules (rbac, podsec, network, admission, secrets, serviceaccount, privesc), runs them in parallel against a snapshot, filters by severity threshold, and returns a sorted finding list.
|
Package analyzer orchestrates the individual security analysis modules (rbac, podsec, network, admission, secrets, serviceaccount, privesc), runs them in parallel against a snapshot, filters by severity threshold, and returns a sorted finding list. |
|
admission
Package admission analyzes Validating/MutatingWebhookConfigurations for common weaknesses like fail-open security webhooks, bypassable selectors, and exemptions that skip sensitive namespaces.
|
Package admission analyzes Validating/MutatingWebhookConfigurations for common weaknesses like fail-open security webhooks, bypassable selectors, and exemptions that skip sensitive namespaces. |
|
admission/mitigation
Package mitigation maps kubesplaining pod-security findings to the cluster admission controls that would block their workload at admission time.
|
Package mitigation maps kubesplaining pod-security findings to the cluster admission controls that would block their workload at admission time. |
|
network
Package network analyzes NetworkPolicy coverage and permissiveness so that unprotected namespaces, uncovered workloads, and overly-broad policies surface as findings.
|
Package network analyzes NetworkPolicy coverage and permissiveness so that unprotected namespaces, uncovered workloads, and overly-broad policies surface as findings. |
|
podsec
Package podsec analyzes pod specs (and their controlling workloads) for container-runtime security issues like privileged containers, host namespace sharing, sensitive hostPath mounts, and insecure image tags.
|
Package podsec analyzes pod specs (and their controlling workloads) for container-runtime security issues like privileged containers, host namespace sharing, sensitive hostPath mounts, and insecure image tags. |
|
privesc
Package privesc builds a privilege-escalation graph from the snapshot and searches for paths that reach sensitive sinks like cluster-admin, kube-system secrets, or node escape, turning each viable path into a Finding.
|
Package privesc builds a privilege-escalation graph from the snapshot and searches for paths that reach sensitive sinks like cluster-admin, kube-system secrets, or node escape, turning each viable path into a Finding. |
|
rbac
Package rbac analyzes Role/ClusterRole bindings and flags subjects whose effective permissions enable privilege escalation or data exfiltration.
|
Package rbac analyzes Role/ClusterRole bindings and flags subjects whose effective permissions enable privilege escalation or data exfiltration. |
|
secrets
Package secrets analyzes Secret metadata and ConfigMap contents for hygiene issues such as legacy service-account tokens, sensitive kube-system data, credential-like keys leaked into ConfigMaps, and risky CoreDNS rules.
|
Package secrets analyzes Secret metadata and ConfigMap contents for hygiene issues such as legacy service-account tokens, sensitive kube-system data, credential-like keys leaked into ConfigMaps, and risky CoreDNS rules. |
|
serviceaccount
Package serviceaccount joins RBAC permissions with workload usage to flag ServiceAccounts that are actively mounted by pods and carry dangerous rights.
|
Package serviceaccount joins RBAC permissions with workload usage to flag ServiceAccounts that are actively mounted by pods and carry dangerous rights. |
|
Package cli assembles the kubesplaining cobra commands that drive the collect → analyze → report pipeline and its supporting utilities.
|
Package cli assembles the kubesplaining cobra commands that drive the collect → analyze → report pipeline and its supporting utilities. |
|
Package collector snapshots a live Kubernetes cluster into a models.Snapshot, listing RBAC, workload, network, admission, and secret-related resources in parallel.
|
Package collector snapshots a live Kubernetes cluster into a models.Snapshot, listing RBAC, workload, network, admission, and secret-related resources in parallel. |
|
Package connection builds authenticated Kubernetes client configurations from CLI flags, supporting kubeconfig, direct API server, and in-cluster modes.
|
Package connection builds authenticated Kubernetes client configurations from CLI flags, supporting kubeconfig, direct API server, and in-cluster modes. |
|
Package exclusions loads YAML rules that mute specific findings (system namespaces, expected workloads, etc.) and applies them to analyzer output.
|
Package exclusions loads YAML rules that mute specific findings (system namespaces, expected workloads, etc.) and applies them to analyzer output. |
|
Package manifest loads Kubernetes YAML/JSON manifests from disk into a Snapshot without talking to a live cluster.
|
Package manifest loads Kubernetes YAML/JSON manifests from disk into a Snapshot without talking to a live cluster. |
|
Package models defines the shared data types produced by the collector and consumed by the analyzers, exclusions, scoring, and report packages.
|
Package models defines the shared data types produced by the collector and consumed by the analyzers, exclusions, scoring, and report packages. |
|
Package permissions resolves RBAC bindings and roles into a flat "effective permissions" view keyed by subject.
|
Package permissions resolves RBAC bindings and roles into a flat "effective permissions" view keyed by subject. |
|
Package report — attack-graph layout.
|
Package report — attack-graph layout. |
|
Package scoring centralizes the composite risk-score formula and the tiny helpers analyzers share for score clamping and severity thresholding.
|
Package scoring centralizes the composite risk-score formula and the tiny helpers analyzers share for score clamping and severity thresholding. |
Click to show internal directories.
Click to hide internal directories.