Tests Kubernetes clusters for adherence to security best practices using kube-bench.
Latest commit 92e8cac16c by Swastik Gour (2025-08-14 15:13:12 +05:30): Merge pull request #502 from krunalhinguu/backport-r5-cis-1.10 ([Backport][v0.5] Add k3s-cis-1.10 profiles)

| Path | Last commit message | Date |
|------|---------------------|------|
| .github | build: Update Renovate workflow | 2025-04-04 20:11:06 +05:30 |
| cmd/kb-summarizer | build: Refactor project to remove Dapper | 2024-01-12 17:17:12 +00:00 |
| hack | Add cis-1.10 generic and update configmap | 2025-08-07 13:01:47 +05:30 |
| package | Fix check for 5.2.9 using sh syntax | 2025-08-14 10:26:34 +05:30 |
| pkg/kb-summarizer | validate: fixes errcheck - from r.Close() to ensure proper resource cleanup | 2025-04-04 20:11:03 +05:30 |
| tests | | |
| .gitignore | build: Refactor Makefile logic | 2024-01-12 17:47:31 +00:00 |
| .golangci.yaml | Bump golangci-lint to v2.0.2 and migrate .golangci.yaml to v2 format | 2025-04-04 20:10:46 +05:30 |
| .yamllint.yaml | | |
| CODEOWNERS | fix order of ownership in codeowners | 2025-01-08 16:03:49 +05:30 |
| LICENSE | | |
| Makefile | validate: improve golangci-lint provisioning and remove validate-go script | 2025-04-04 20:10:41 +05:30 |
| README.md | added branch strategy reference in readme | 2024-10-08 20:10:47 +05:30 |
| go.mod | chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.3.0 [security] | 2025-07-01 04:46:23 +00:00 |
| go.sum | chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.3.0 [security] | 2025-07-01 04:46:23 +00:00 |

README.md

security-scan

NOTE: This repo is currently being merged into the cis-operator repo to track security-scan and CIS-related issues. Please submit any new inquiries in the cis-operator repo. For the current branch strategy for security-scan, please refer to Branches and Releases.

This repo contains everything needed to run a CIS scan on RKE clusters.

Multi-purpose repo:

  • Packaging for all the components needed for a CIS scan (sonobuoy, kube-bench)
  • kube-bench-summarizer
  • Plugin script for the sonobuoy tool (a different script can be passed via the command)

The corresponding docker image (rancher/security-scan) is used in the system charts.

Building

make

Tag the image for your personal Docker Hub repo

docker tag rancher/security-scan:<MAKE TAG OUTPUT> <DOCKER_HUB_USER>/security-scan:dev

Push the tagged image

docker push <DOCKER_HUB_USER>/security-scan:dev

In Rancher, install the CIS Benchmark app, changing the Values YAML to point to your image:

image:
...
    securityScan:
        repository: <DOCKER_HUB_USER>/security-scan
        tag: dev
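The four steps above (build, tag, push, point the chart at the image) chained into one POSIX sh script. This is an added example, not a script from the security-scan repo. It assumes that `make` prints the built image reference somewhere in its output as `rancher/security-scan:<tag>` (the README calls this the "MAKE TAG OUTPUT"), that `DOCKER_HUB_USER` is set, and that the generated `values-override.yaml` is either pasted into the app's Values YAML in Rancher or passed to `helm install -f`. The function and variable names (`image_tag_from_make_output`, `is_valid_docker_tag`, `write_values_override`, `DRY_RUN`, `DEV_TAG`) are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not part of rancher/security-scan): build, tag, push, and
# write a Helm values override for a personal security-scan image.
# Assumptions: `make` prints "rancher/security-scan:<tag>" in its output,
# DOCKER_HUB_USER is set. DRY_RUN=1 echoes the docker commands instead of
# running them; DEV_TAG overrides the "dev" tag from the README.
set -eu

# Extract the image tag from `make` output read on stdin. Prints the first
# tag that follows "rancher/security-scan:", or nothing if none is found.
image_tag_from_make_output() {
    sed -n 's/.*rancher\/security-scan:\([A-Za-z0-9._-]*\).*/\1/p' | head -n 1
}

# Check that $1 is a syntactically valid Docker tag: first char in
# [A-Za-z0-9_], then up to 127 chars of [A-Za-z0-9_.-] (Docker's tag rules).
is_valid_docker_tag() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Write a values override for the CIS Benchmark app to $3, pointing the
# securityScan image at $1/security-scan:$2 (mirrors the README's YAML).
write_values_override() {
    user="$1"; tag="$2"; out="$3"
    cat > "$out" <<EOF
image:
  securityScan:
    repository: ${user}/security-scan
    tag: ${tag}
EOF
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY_RUN: %s\n' "$*"
    else
        "$@"
    fi
}

main() {
    : "${DOCKER_HUB_USER:?set DOCKER_HUB_USER to your Docker Hub user}"
    dev_tag="${DEV_TAG:-dev}"
    is_valid_docker_tag "$dev_tag" || { echo "invalid tag: $dev_tag" >&2; exit 1; }

    # Step 1: build. Keep the full log so a failed build is diagnosable, and
    # parse the image tag from it rather than retyping it by hand.
    make > make.log 2>&1 || { cat make.log >&2; echo "make failed" >&2; exit 1; }
    make_tag=$(image_tag_from_make_output < make.log)
    [ -n "$make_tag" ] || { echo "no rancher/security-scan:<tag> in make output" >&2; exit 1; }

    # Steps 2 and 3: tag for the personal repo and push.
    run docker tag "rancher/security-scan:${make_tag}" "${DOCKER_HUB_USER}/security-scan:${dev_tag}"
    run docker push "${DOCKER_HUB_USER}/security-scan:${dev_tag}"

    # Step 4: values override for the CIS Benchmark app in Rancher.
    write_values_override "$DOCKER_HUB_USER" "$dev_tag" values-override.yaml
    echo "wrote values-override.yaml; use it as the Values YAML when installing the CIS Benchmark app"
}

# Run the pipeline only when executed as build-and-push.sh, so the functions
# can also be sourced into another shell for reuse.
case "${0##*/}" in
    build-and-push.sh) main "$@" ;;
esac
```

Save as `build-and-push.sh` and run `DOCKER_HUB_USER=<you> sh build-and-push.sh`; set `DRY_RUN=1` first to see the exact `docker tag` and `docker push` commands before anything leaves the machine. Parsing the tag from the make log avoids the common mistake of tagging a stale local image after a rebuild.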

License

Copyright (c) 2019 Rancher Labs, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.