Paste a Pod, Deployment, StatefulSet, or DaemonSet manifest. We run 20 checks from NIST SP 800-190, Pod Security Standards (restricted), and the CIS Kubernetes Benchmark — catching privileged, hostPath, hostNetwork, and missing security contexts.
Most security failures in Kubernetes do not come from Kubernetes bugs — they come from manifests that were written in a hurry and never reviewed. A single privileged: true on a Pod effectively disables every isolation guarantee the kernel provides. A hostPath mount of /var/run/docker.sock is a container-escape on a platter. This scanner catches those classes before they land.
SF-K8S-001 – privileged: true (disables almost all isolation)
SF-K8S-002 – hostNetwork: true (container shares the host's network namespace)
SF-K8S-003 – hostPID: true (can see and signal host processes)
SF-K8S-004 – hostIPC: true (shares host IPC — rarely justified)
SF-K8S-005 – runAsUser: 0 or missing (container runs as root)
SF-K8S-006 – allowPrivilegeEscalation: true or missing
SF-K8S-007 – readOnlyRootFilesystem not set to true
SF-K8S-008 – capabilities.add includes dangerous caps (SYS_ADMIN, NET_ADMIN, ALL)
SF-K8S-009 – No capabilities.drop: [ALL] (principle of least privilege)
SF-K8S-010 – Any hostPath volume
SF-K8S-011 – hostPath mounts /, /etc, /var/run/docker.sock, or the Kubernetes API cert dir
SF-K8S-012 – Missing resources.limits (runaway pods can exhaust nodes)
SF-K8S-013 – Missing resources.requests
SF-K8S-014 – Image uses :latest or has no tag
SF-K8S-015 – imagePullPolicy: Always with a pinned tag (inefficient) or missing
SF-K8S-016 – Uses the default ServiceAccount
SF-K8S-017 – automountServiceAccountToken not explicitly set to false
SF-K8S-018 – Secret inline in env (env: - name: PASSWORD value: hardcoded)
SF-K8S-019 – Missing livenessProbe / readinessProbe
SF-K8S-020 – Missing explicit securityContext (informational)

This tool is a static YAML linter. It does not check your cluster's posture (RBAC, audit logs, admission controllers, NetworkPolicies, CNI settings), nor does it validate against a live Kubernetes API. For continuous, cluster-aware scanning across your organization, you need Security Factor 365's IaC Engine, which runs these rules plus 40+ others against every PR and posts a comment with blocking/non-blocking findings.
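As an added example (not the scanner's own code), the rules above can be expressed as checks over a parsed manifest. This Python sketch implements the host-namespace, hostPath, securityContext, resource-limit and image-tag rules for a Pod or for the Pod template inside a Deployment, StatefulSet or DaemonSet; it reads a JSON manifest (a form kubectl also accepts) so it needs no YAML library. The API cert directory path and the sample Deployment are assumptions constructed for the example.

```python
import json

# Subset of the page's rule list (SF-K8S-001..014); request, probe and ServiceAccount rules are omitted.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}
SENSITIVE_HOSTPATHS = {"/", "/etc", "/var/run/docker.sock", "/etc/kubernetes/pki"}  # last entry: assumed cert dir

def pod_spec(manifest):
    """A Pod carries its PodSpec directly; Deployment/StatefulSet/DaemonSet wrap it in a template."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def check_manifest(manifest):
    """Return the rule IDs that fire, one entry per violating container or volume."""
    spec, findings = pod_spec(manifest), []
    for flag, rule in (("hostNetwork", "SF-K8S-002"), ("hostPID", "SF-K8S-003"), ("hostIPC", "SF-K8S-004")):
        if spec.get(flag):
            findings.append(rule)
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is not None:
            findings.append("SF-K8S-010")
            if host_path.get("path") in SENSITIVE_HOSTPATHS:
                findings.append("SF-K8S-011")
    for c in spec.get("containers", []):
        # container-level securityContext overrides the pod-level one field by field
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append("SF-K8S-001")
        if sc.get("runAsUser", 0) == 0:               # missing means root unless the image says otherwise
            findings.append("SF-K8S-005")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true, so absence is a finding
            findings.append("SF-K8S-006")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("SF-K8S-007")
        if DANGEROUS_CAPS & set(caps.get("add", [])):
            findings.append("SF-K8S-008")
        if "ALL" not in caps.get("drop", []):
            findings.append("SF-K8S-009")
        if "limits" not in c.get("resources", {}):
            findings.append("SF-K8S-012")
        tag_part = c.get("image", "").rsplit("/", 1)[-1]  # drop registry/repo so a port in the host is not mistaken for a tag
        if ":" not in tag_part or tag_part.endswith(":latest"):
            findings.append("SF-K8S-014")
    return findings

# Constructed sample (not from the page): a Deployment written in a hurry.
SAMPLE = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
  "hostNetwork": true, "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
  "containers": [{"name": "app", "image": "nginx:latest", "securityContext": {"privileged": true}}]}}}}""")
```

Running check_manifest(SAMPLE) reports ten findings for that one manifest; a Pod that drops ALL, runs as a non-zero UID, disables privilege escalation, sets a read-only root filesystem, declares limits and pins its image tag returns an empty list.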
SF365's IaC Engine runs these 20 rules plus 40 more against every Terraform, Helm, Ansible, and raw Kubernetes YAML change — posting blocking findings as PR comments. Fail the build on critical, warn on medium.