spotter
by madhuakula
Spotter is a versatile Kubernetes security scanner that detects vulnerabilities, misconfigurations, and compliance issues using CEL-based rules.
Spotter is a comprehensive Kubernetes security scanner that uses CEL-based rules to identify security vulnerabilities, misconfigurations, and compliance violations across your Kubernetes clusters, manifests, and CI/CD pipelines.
Primary Use Case
Spotter is designed for DevOps and security teams to enhance the security posture of Kubernetes environments. It scans Kubernetes clusters, manifests, and CI/CD pipelines to identify and address security vulnerabilities and compliance violations.
- CEL-based rule definitions for flexible security scanning
- Supports multiple output formats including JSON and SARIF
- Scans both Kubernetes manifests and live clusters
- Custom rule management and validation
- Extensible and performance-oriented architecture
Installation
- go install github.com/madhuakula/spotter@latest
- docker pull ghcr.io/madhuakula/spotter:latest
- Download the latest release from GitHub Releases
Usage
spotter scan manifests --path deployment.yaml
  Scan a single Kubernetes manifest file for security issues.
spotter scan cluster
  Scan the current Kubernetes cluster context for security vulnerabilities.
spotter rules list
  List all available security rules.
spotter rules validate --path ./custom-rules/
  Validate custom security rules.
spotter scan manifests --path ./manifests/ --output json
  Scan manifests and output results in JSON format.
- Repurposing: Spotter can be adapted to scan non-Kubernetes environments by converting configurations into Kubernetes-like manifests, allowing it to identify misconfigurations in other cloud services.
- Chaining: Combine Spotter with a tool like Falco for real-time threat detection and alerting, leveraging Spotter's scanning capabilities to preemptively identify vulnerabilities that Falco can then monitor for exploitation attempts.
- Evasion/Detection: Attackers might bypass Spotter by using obfuscated or encrypted configurations. To detect such attempts, integrate Spotter with a decryption tool or a configuration management system that logs changes.
- Data Fusion: Correlate Spotter's output with network traffic analysis tools like Zeek to identify anomalous patterns that coincide with detected misconfigurations, enhancing threat detection capabilities.
- Automation: Integrate Spotter into a CI/CD pipeline using tools like Jenkins to automatically scan Kubernetes manifests before deployment, ensuring vulnerabilities are caught early and reducing the risk of deploying insecure configurations.