kube-bench
CIS Kubernetes Benchmark checker: runs the benchmark's checks against control plane, node, etcd and policy targets and emits readable text or JSON/JUnit reports.
Why it is included
A simple open-source gate for baseline cluster posture, tied directly to the CIS Kubernetes Benchmark so findings map to a recognised control list.
Best for
Platform teams proving CIS alignment in audits and pipelines.
Strengths
- Every check maps to a CIS Kubernetes Benchmark control ID, with the benchmark's own remediation text
- Runs as a Kubernetes Job or DaemonSet, or as a binary directly on a node
- Maintained by Aqua Security
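Proving alignment in a pipeline means turning a kube-bench report into a pass/fail decision rather than reading it by eye. The following is an added example, not kube-bench's own code: a small gate that reads the JSON kube-bench produces with `--json` (the `Controls` / `tests` / `results` structure with `status`, `test_number`, `scored` and `remediation` fields is how I understand that output; treat it as an assumption and check it against your version), counts results, skips findings that have been formally risk-accepted, and exits non-zero if any scored check still fails. The embedded report is constructed for this example; the check numbers and descriptions are illustrative, not a real scan.

```python
"""Gate a CI job on kube-bench JSON output.

Added example, not part of kube-bench. Typical use:
    kube-bench run --targets master,node --json > kube-bench.json
    python kube_bench_gate.py kube-bench.json [--strict]
Assumption: the JSON shape below matches kube-bench's --json output
(Controls -> tests -> results with status/test_number/scored/remediation).
"""
import json
import sys

# Constructed sample in the assumed shape of `kube-bench --json` output.
# Check numbers and texts are illustrative, not a real cluster scan.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1", "version": "cis-1.6", "node_type": "master",
        "text": "Master Node Security Configuration",
        "tests": [{
            "section": "1.2", "desc": "API Server",
            "results": [
                {"test_number": "1.2.1", "status": "WARN", "scored": False,
                 "test_desc": "Ensure that the --anonymous-auth argument is set to false (Manual)",
                 "remediation": "Set --anonymous-auth=false on kube-apiserver."},
                {"test_number": "1.2.6", "status": "FAIL", "scored": True,
                 "test_desc": "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",
                 "remediation": "Set --kubelet-certificate-authority on kube-apiserver."},
                {"test_number": "1.2.9", "status": "PASS", "scored": True,
                 "test_desc": "Ensure that the --authorization-mode argument includes RBAC (Automated)",
                 "remediation": ""},
            ],
        }],
    }],
})

# Risk-accepted findings: check number -> ticket / justification. Hypothetical entries.
ACCEPTED_EXCEPTIONS = {}


def load_results(report_json):
    """Flatten the nested report into one dict per individual check."""
    data = json.loads(report_json)
    rows = []
    for control in data.get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                rows.append({
                    "control": control.get("id"),
                    "number": r.get("test_number"),
                    "status": r.get("status"),
                    # kube-bench marks unscored (Manual) checks; default to scored if absent.
                    "scored": r.get("scored", True),
                    "desc": r.get("test_desc", ""),
                    "remediation": r.get("remediation", ""),
                })
    return rows


def summarize(rows):
    """Count checks by status, the same four buckets kube-bench prints."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def evaluate(rows, accepted_exceptions, fail_on_warn=False):
    """Return (ok, blocking). By default only scored FAILs block the pipeline;
    with fail_on_warn every FAIL and WARN blocks. Accepted exceptions never block,
    so the exception list itself is the audit record of what was waived and why."""
    blocking = []
    for r in rows:
        if r["number"] in accepted_exceptions:
            continue
        blocks = r["status"] == "FAIL" and r["scored"]
        if fail_on_warn:
            blocks = r["status"] in ("FAIL", "WARN")
        if blocks:
            blocking.append(r)
    return (len(blocking) == 0, blocking)


def main(argv):
    paths = [a for a in argv[1:] if not a.startswith("--")]
    report = open(paths[0]).read() if paths else SAMPLE_REPORT
    rows = load_results(report)
    counts = summarize(rows)
    ok, blocking = evaluate(rows, ACCEPTED_EXCEPTIONS, fail_on_warn="--strict" in argv)
    print("kube-bench summary: " + ", ".join(f"{k}={v}" for k, v in counts.items()))
    for r in blocking:
        print(f"[{r['status']}] {r['number']} {r['desc']}\n    remediation: {r['remediation']}")
    for number, why in ACCEPTED_EXCEPTIONS.items():
        print(f"[WAIVED] {number}: {why}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the exception map in version control next to the pipeline definition so a waiver is a reviewed change, not an edit to the scan. Running with `--strict` is useful when you want Manual checks surfaced as blockers until someone has verified them by hand.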
Limitations
- Point-in-time configuration audit only: no runtime, workload or vulnerability coverage, so not a full CNAPP
- Results are only meaningful if the benchmark version matches the cluster; managed distributions need their provider-specific benchmark, and checks marked Manual still require a human to verify
Good alternatives
Polaris · commercial KSPM
Related tools (Security & Privacy)
- Trivy: All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
- Falco: Cloud-native runtime security for Linux/Kubernetes: syscall and K8s audit rules with Falcoctl and ecosystem outputs.
- Kyverno: Kubernetes-native policy engine using YAML (no Rego) for validate, mutate, generate, and image verification rules.
- Lynis: Host-based security auditing for Unix: misconfigurations, packages, SSH, kernel hardening hints.
- OpenSCAP: SCAP toolkit for compliance scanning: OVAL, XCCDF, tailoring files, and remediation snippets (e.g. DISA STIG workflows).
- Kubescape: Kubernetes security scanner for misconfigurations, RBAC, compliance frameworks (NSA/CIS), and image vulnerabilities.
