zegl / Kube Score

Licence: MIT
Kubernetes object analysis with recommendations for improved reliability and security

kube-score

kube-score is a tool that performs static code analysis of your Kubernetes object definitions.

The output is a list of recommendations of what you can improve to make your application more secure and resilient.

You can test kube-score out in the browser with the online demo (source).

Installation

kube-score is easy to install, and is available from the following sources:

Distribution | Command / Link
Pre-built binaries for macOS, Linux, and Windows | GitHub releases
Docker | docker pull zegl/kube-score (Docker Hub)
Homebrew (macOS and Linux) | brew install kube-score/tap/kube-score
Krew (macOS and Linux) | kubectl krew install score

Checks

For a full list of checks, see README_CHECKS.md.

  • Container limits (should be set)
  • Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
  • Deployments and StatefulSets should have a PodDisruptionPolicy
  • Deployments and StatefulSets should have host PodAntiAffinity configured
  • Container probes: a readiness probe should be configured, and it should not be identical to the liveness probe. Read more in README_PROBES.md.
  • Container securityContext: run as a high-numbered user/group, and do not run as root or with a privileged root fs. Read more in README_SECURITYCONTEXT.md.
  • Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

Usage in CI

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

For the best result, the input to kube-score should be all applications that you deploy to the same namespace.

Example with Helm

helm template my-app | kube-score score -

Example with Kustomize

kustomize build . | kube-score score -

Example with static YAMLs

kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yaml

Example with an existing cluster

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -

Example with Docker

docker run -v "$(pwd)":/project zegl/kube-score:v1.10.0 score my-app/*.yaml

Configuration

Usage of kube-score:
kube-score [action] --flags

Actions:
	score	Checks all files in the input, and gives them a score and recommendations
	list	Prints a CSV list of all available score checks
	version	Print the version of kube-score
	help	Print this message

Flags for score:
      --disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations
      --enable-optional-test strings        Enable an optional test, can be set multiple times
      --exit-one-on-warning                 Exit with code 1 in case of warnings
      --help                                Print help
      --ignore-container-cpu-limit          Disables the requirement of setting a container CPU limit
      --ignore-container-memory-limit       Disables the requirement of setting a container memory limit
      --ignore-test strings                 Disable a test, can be set multiple times
      --kubernetes-version string           Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default "v1.18")
  -o, --output-format string                Set to 'human', 'json' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
      --output-version string               Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.
  -v, --verbose count                       Enable verbose output, can be set multiple times for increased verbosity.

Ignoring a test

Tests can be ignored in the whole run of the program, with the --ignore-test flag.

A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object. The value should be a comma-separated string of the test IDs.

Example:

Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  namespace: foospace
  annotations:
    kube-score/ignore: service-type
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: NodePort
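
Because the kube-score/ignore annotation lets any manifest author switch off a check, it is useful to list the suppressions in a manifest stream and compare them with a reviewed allowlist before scoring. The shell functions below are an added example, not part of kube-score; the function names, the allowlist format and the example-check-a / example-check-b IDs are assumptions (real test IDs come from kube-score list).

```shell
# Constructed sample stream; example-check-a/b are placeholder test IDs.
sample_manifests() {
cat <<'YAML'
apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  annotations:
    kube-score/ignore: service-type
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    kube-score/ignore: "example-check-a, example-check-b"
YAML
}
# Print "Kind/name<TAB>test-id" per suppressed test; reads files or stdin.
# Assumes block-style YAML with metadata keys indented by two spaces.
list_ignores() {
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*"?/, "", s); sub(/"?[ \t]*$/, "", s); return s }
    function flush(   i, n, ids) {
      n = split(ignore, ids, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) if (ids[i] != "") printf "%s/%s\t%s\n", kind, name, ids[i]
      kind = name = ignore = ""; meta = 0
    }
    /^---[ \t]*$/ { flush(); next }              # document boundary
    /^[^ \t#]/    { meta = ($0 ~ /^metadata:/) } # current top-level key
    /^kind:/      { kind = val($0) }
    meta && /^  name:/ { name = val($0) }
    meta && /^ +kube-score\/ignore:/ { ignore = val($0) }
    END { flush() }
  ' "$@"
}
# Return 1 if any suppressed test ID is missing from the allowlist in $1.
check_ignores() {
  allowed=" $1 "; shift; rc=0; found=$(list_ignores "$@")
  while IFS="$(printf '\t')" read -r obj id; do
    case "$allowed" in
      *" $id "*) ;;
      *) [ -z "$id" ] || { echo "unapproved: $obj ignores $id" >&2; rc=1; } ;;
    esac
  done <<EOF
$found
EOF
  return $rc
}
```

In CI, a step such as helm template my-app | check_ignores "service-type" fails the job when a manifest suppresses a check that has not been approved. The --disable-ignore-checks-annotations flag is the stricter alternative: it makes kube-score disregard the annotations entirely.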

Building from source

kube-score requires Go 1.11 or later to build. Clone this repository, and then:

# Build the project
go build github.com/zegl/kube-score/cmd/kube-score

# Run all tests
go test -v github.com/zegl/kube-score/...

Contributing?

Do you want to help out? Take a look at the Contributing Guidelines for more info. 🤩
