```bash
git clone https://github.com/DevSpecOps/k8s-security-linter.git
cd k8s-security-linter
go build -o k8s-security-linter ./cmd/k8s-security-linter
./k8s-security-linter --path ./test/fixtures/bad
```
### Docker

```bash
docker run --rm -v "$(pwd)":/workspace ghcr.io/devspecops/k8s-security-linter --path /workspace
```
### GitHub Action

```yaml
- uses: DevSpecOps/k8s-security-linter@v0.1.0
  with:
    path: './deploy'
    json: 'false'
```
### Pre-commit

Add to `.pre-commit-config.yaml`:

```yaml
- repo: https://github.com/DevSpecOps/k8s-security-linter
  rev: v0.1.0
  hooks:
    - id: k8s-security-linter
```
## Rules (default)

| Rule ID | Description |
|---|---|
| `PRIVILEGED` | `privileged: true` is not allowed |
| `RUN_AS_NON_ROOT` | `runAsNonRoot` must be `true` |
| `READONLY_ROOT` | `readOnlyRootFilesystem` must be `true` |
| `NO_MEMORY_LIMITS` | `resources.limits.memory` is required |
| `LATEST_TAG` | Image tag must not be `latest` or implicit |
## Custom rules

Add your own Rego policies by editing `pkg/engine/rules.rego`; the tool ships with these policies embedded in the binary.
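To make the rules above concrete, here is an added, stand-alone Go sketch (not the linter's own code or its Rego policies) that evaluates three of the default rules, `PRIVILEGED`, `NO_MEMORY_LIMITS` and `LATEST_TAG`, over a constructed container list. The `Container` struct, the registry-port handling and the decision to let digest-pinned images pass `LATEST_TAG` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Container is a constructed, minimal view of a container spec (not the linter's types).
type Container struct {
	Name, Image, MemoryLimit string // MemoryLimit = resources.limits.memory; "" when unset
	Privileged               bool
}

// ImageTagViolation reports whether an image reference fails LATEST_TAG: the tag
// is "latest" or absent. Digest-pinned refs (name@sha256:...) pass (an assumption).
func ImageTagViolation(image string) bool {
	if strings.Contains(image, "@") {
		return false
	}
	// A ':' after the last '/' separates the tag; a ':' before it is a registry port.
	lastSlash := strings.LastIndex(image, "/")
	colon := strings.LastIndex(image, ":")
	if colon <= lastSlash {
		return true // implicit tag
	}
	return image[colon+1:] == "latest"
}

// Lint evaluates PRIVILEGED, NO_MEMORY_LIMITS and LATEST_TAG against each
// container and returns the violated rule IDs keyed by container name.
func Lint(cs []Container) map[string][]string {
	findings := map[string][]string{}
	for _, c := range cs {
		if c.Privileged {
			findings[c.Name] = append(findings[c.Name], "PRIVILEGED")
		}
		if c.MemoryLimit == "" {
			findings[c.Name] = append(findings[c.Name], "NO_MEMORY_LIMITS")
		}
		if ImageTagViolation(c.Image) {
			findings[c.Name] = append(findings[c.Name], "LATEST_TAG")
		}
	}
	return findings
}

func main() { // constructed sample: "web" breaks all three rules, "api" is clean
	fmt.Println(Lint([]Container{{Name: "web", Image: "nginx", Privileged: true},
		{Name: "api", Image: "registry.example.com:5000/api:1.4.2", MemoryLimit: "256Mi"}}))
}
```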
## Development

```bash
make test    # run unit tests
make build   # compile binary
make docker  # build Docker image
```
## License

Apache 2.0

Star the repo if you find it useful!