Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

TL;DR

Installation

To install the tool locally, run this:

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

Run

To get a fast check of the security posture of your Kubernetes cluster, run this:

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

If you wish to scan all namespaces in your cluster, remove the --exclude-namespaces flag.

How to build

  1. Clone Project
git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
  2. Build
go mod tidy && go build -o kubescape .
  3. Run
./kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
  4. Enjoy 🤪

Under the hood

Tests

Kubescape runs the following tests, as defined in the Kubernetes Hardening Guidance by NSA and CISA:

  • Non-root containers
  • Immutable container filesystem
  • Privileged containers
  • hostPID, hostIPC privileges
  • hostNetwork access
  • allowedHostPaths field
  • Protecting pod service account tokens
  • Resource policies
  • Control plane hardening
  • Exposed dashboard
  • Allow privilege escalation
  • Applications credentials in configuration files
  • Cluster-admin binding
  • Exec into container
  • Dangerous capabilities
  • Insecure capabilities
  • Linux hardening

Technology

Kubescape is based on the OPA engine (https://github.com/open-policy-agent/opa) and ARMO's posture controls.

The tool retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.

By default the results are printed in a pretty, "console friendly" manner, but they can be retrieved in JSON format for further processing.
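
As an added illustration (not Kubescape's own code, which expresses its controls as Rego evaluated by OPA), the Go sketch below applies simplified versions of several controls from the list above to one Pod manifest and returns JSON-ready findings. `ScanPod`, `Finding` and the sample pod are hypothetical names and constructed data; the control names are taken from the list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secCtx holds only the securityContext fields the checks below read.
type secCtx struct {
	Privileged               *bool `json:"privileged"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
	ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem"`
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
}

type pod struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		HostPID         bool    `json:"hostPID"`
		HostIPC         bool    `json:"hostIPC"`
		HostNetwork     bool    `json:"hostNetwork"`
		SecurityContext *secCtx `json:"securityContext"`
		Containers      []struct {
			SecurityContext *secCtx `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// Finding is one failed control on one resource, ready for JSON output.
type Finding struct {
	Control  string `json:"control"`
	Resource string `json:"resource"`
	Path     string `json:"path"`
}

func isTrue(b *bool) bool { return b != nil && *b }

// ScanPod checks one Pod manifest (JSON, as served by the API server) and
// returns its failed controls. Pods in an excluded namespace are skipped.
func ScanPod(manifest []byte, excluded ...string) ([]Finding, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	for _, ns := range excluded {
		if p.Metadata.Namespace == ns {
			return nil, nil
		}
	}
	res := p.Metadata.Namespace + "/" + p.Metadata.Name
	var out []Finding
	check := func(failed bool, control, path string) {
		if failed {
			out = append(out, Finding{Control: control, Resource: res, Path: path})
		}
	}
	check(p.Spec.HostPID, "hostPID, hostIPC privileges", "spec.hostPID")
	check(p.Spec.HostIPC, "hostPID, hostIPC privileges", "spec.hostIPC")
	check(p.Spec.HostNetwork, "hostNetwork access", "spec.hostNetwork")
	for i, c := range p.Spec.Containers {
		base := fmt.Sprintf("spec.containers[%d].securityContext.", i)
		sc := c.SecurityContext
		if sc == nil {
			sc = &secCtx{} // no securityContext at all: every field is unset
		}
		check(isTrue(sc.Privileged), "Privileged containers", base+"privileged")
		// An unset allowPrivilegeEscalation still permits escalation, so only
		// an explicit false passes.
		ape := sc.AllowPrivilegeEscalation
		check(ape == nil || *ape, "Allow privilege escalation", base+"allowPrivilegeEscalation")
		check(!isTrue(sc.ReadOnlyRootFilesystem), "Immutable container filesystem", base+"readOnlyRootFilesystem")
		// The container-level runAsNonRoot overrides the pod-level value.
		nonRoot := sc.RunAsNonRoot
		if nonRoot == nil && p.Spec.SecurityContext != nil {
			nonRoot = p.Spec.SecurityContext.RunAsNonRoot
		}
		check(!isTrue(nonRoot), "Non-root containers", base+"runAsNonRoot")
	}
	return out, nil
}

// constructedPod is sample input made up for this example.
const constructedPod = `{"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
 "spec": {"hostNetwork": true, "securityContext": {"runAsNonRoot": true}, "containers": [
  {"name": "app", "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true}},
  {"name": "debug", "securityContext": {"privileged": true, "runAsNonRoot": false}}]}}`

func main() {
	findings, err := ScanPod([]byte(constructedPod), "kube-system", "kube-public")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(findings, "", "  ")
	fmt.Println(string(out))
}
```

The "app" container passes because it inherits runAsNonRoot from the pod-level securityContext, while "debug" fails four controls, three of them through unset or overridden fields rather than an explicit privileged setting.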

Kubescape is an open source project, and we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

Comments
  • Making image scan results available in the cluster

    Description

    Kubescape microservices scan container images for vulnerabilities in the cluster. The results today are posted to ARMO cloud (https://cloud.armosec.io). They should be kept in the cluster to make them available for other applications as well. Even the kubescape scanner could use the results locally without the need of coming through the ARMO cloud APIs.

    Describe the solution you'd like

    I would like Kubescape microservices to keep relevant image scan results as CRDs in the cluster. Every new scan report should be stored (together with the SBOM) in CRDs and old results for the same workloads could be discarded (as well as reports which do not have corresponding images in the cluster anymore).

    Additional context

    This would enable feeding the results to Prometheus as well.

  • kubescape is not scanning Node parameters -kernel.unprivileged_userns_clone(Azure AKS)

    Regarding CVE-2022-0185

    I’m using kubescape to scan AKS worker nodes. But it is not scanning the below parameter. Does kubescape support AKS nodes scanning - Like Scanning Node Kernel Parameters like "kernel.unprivileged_userns_clone"

    I have tested the same use case in Azure AKS 1.21.7 version

    OS Image- 18.04.6 TLS Kernel-version: 5.4.0-1065-azure

    Updated the parameter by logging into each node

    sysctl -w kernel.unprivileged_userns_clone=0

    After applying remediation, i.e by updating the above parameter, kubescape should be able to scan the updated parameter and it should not show it as vulnerable.

  • Prometheus metrics server and example deployments

    #202 parts 2 and 3

    This adds a metrics command to kubescape to start a web server. It will scan in the background and update frameworks in the background, whilst serving scan results on /metrics

    Also includes an example deployment of this.

  • Scan Kustomize charts

    Description

    Currently, Kubescape scans YAMLs and Helm templates but not kustomize charts.

    Additional context

    Kubescape should generate the Kubernetes YAMLs from the Kustomize chart and scan the files. This should work similarly to the helm chart scanning mechanism.

  • Default upload of scan results should be opt-in

    I want to preface this issue as, I think kubescape is a pretty nice and nifty tool. It's especially useful for finding misconfigurations in k8s clusters, pods, containers, etc. But, I also want to say that --results-locally should not be opt-in. If you want to provide a consulting tool that people can use as a pipeline for professional services, fine, but do not mask the tool behind such behavior after the fact.

    Every single person that executes this tool with kubescape scan framework nsa effectively uploads all their cluster vulnerabilities and issues to ARMO. The fact that someone has to open an issue with a poor default makes me question the actual motivations and desires of ARMO.

    The default of this tool being opt-in should be a lesson to anyone using this tool and any other future open source tools that scan systems for security.

  • panic: runtime error: index out of range [3] with length 3

    Using the version installed today using brew on a MAC M1 (seems that brew version is not the latest)

    kubescape scan .
    [info] ARMO security scanner starting
    [warning] current version 'v2.0.166' is not updated to the latest release: 'v2.0.170'
    panic: runtime error: index out of range [3] with length 3
    
    goroutine 1 [running]:
    github.com/armosec/go-git-url/gitlabparser/v1.(*GitLabURL).Parse(0x140003fc1c0, {0x1400005bc20?, 0x1046a5ce0?})
            github.com/armosec/[email protected]/gitlabparser/v1/parser.go:89 +0x33c
    github.com/armosec/go-git-url/gitlabparser/v1.NewGitLabParserWithURL({0x1400005bc20, 0x3e})
            github.com/armosec/[email protected]/gitlabparser/v1/parser.go:28 +0x98
    github.com/armosec/go-git-url.NewGitURL({0x1400005bc20, 0x3e})
            github.com/armosec/[email protected]/init.go:28 +0x1b0
    github.com/armosec/kubescape/v2/core/cautils.metadataGitLocal({0x16d837657?, 0x3?})
            github.com/armosec/kubescape/v2/core/cautils/scaninfo.go:405 +0xe8
    github.com/armosec/kubescape/v2/core/cautils.setContextMetadata(0x14000c3d3f0, {0x16d837657, 0x3})
            github.com/armosec/kubescape/v2/core/cautils/scaninfo.go:358 +0x364
    github.com/armosec/kubescape/v2/core/cautils.scanInfoToScanMetadata(0x140002fc4e0)
            github.com/armosec/kubescape/v2/core/cautils/scaninfo.go:289 +0x328
    github.com/armosec/kubescape/v2/core/cautils.NewOPASessionObj({0x0, 0x0, 0x0}, 0x0, 0x140002fc4e0)
            github.com/armosec/kubescape/v2/core/cautils/datastructures.go:43 +0x5c
    github.com/armosec/kubescape/v2/core/pkg/policyhandler.(*PolicyHandler).CollectResources(0x14000b9b808, {0x14000611500, 0x5, 0x8}, 0x140002fc4e0)
            github.com/armosec/kubescape/v2/core/pkg/policyhandler/handlenotification.go:26 +0x40
    github.com/armosec/kubescape/v2/core/core.(*Kubescape).Scan(0x103f05b60?, 0x140002fc4e0)
            github.com/armosec/kubescape/v2/core/core/scan.go:142 +0x618
    github.com/armosec/kubescape/v2/cmd/scan.getFrameworkCmd.func2(0x1045bd120?, {0x14000427680, 0x2, 0x140006b1560?})
            github.com/armosec/kubescape/v2/cmd/scan/framework.go:102 +0x3ac
    github.com/armosec/kubescape/v2/cmd/scan.GetScanCommand.func1(0x140000ff680?, {0x140006b1560, 0x1, 0x1?})
            github.com/armosec/kubescape/v2/cmd/scan/scan.go:45 +0x180
    github.com/spf13/cobra.(*Command).ValidateArgs(...)
            github.com/spf13/[email protected]/command.go:1018
    github.com/spf13/cobra.(*Command).execute(0x140000ff680?, {0x140006b1540?, 0x1?, 0x1?})
            github.com/spf13/[email protected]/command.go:841 +0x3a4
    github.com/spf13/cobra.(*Command).ExecuteC(0x140000ff400)
            github.com/spf13/[email protected]/command.go:990 +0x354
    github.com/spf13/cobra.(*Command).Execute(...)
            github.com/spf13/[email protected]/command.go:918
    github.com/armosec/kubescape/v2/cmd.Execute()
            github.com/armosec/kubescape/v2/cmd/root.go:84 +0x34
    main.main()
            github.com/armosec/kubescape/v2/main.go:9 +0x1c
    
  • Kubescape reports HTTP 400 with a malformed account ID

    Describe the problem

    When a user runs a Kubescape command and specifies an account ID that is not a valid UUID, Kubescape reports an HTTP 400 Bad Request status code.

    Environment

    OS: Ubuntu 22.04 LTS

    Kubescape version (kubescape version):

    Your current version is:
    

    Steps to Reproduce

    1. Install Kubescape
    2. Ensure that an accessible Kubernetes cluster is running.
    3. Run Kubescape via kubescape scan --account=invalidID
    4. Observe the results

    Expected Result

    Kubescape reports that a given account ID is not a valid ID (UUID) and does not proceed with performing the operation.

    Actual Result

    Kubescape proceeds as expected and briefly mentions that an error occurred while loading exceptions.

    CLI output:

    $ ./kubescape scan --account=invalidID --submit
    [info] ARMO security scanner starting
    [warning] unknown build number, this might affect your scan results. Please make sure you are updated to latest version
    [warning] Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using  the --enable-host-scan flag
    [info] Downloading/Loading policy definitions
    ◓[error] failed to load exceptions. error: http-error: '400 Bad Request', reason: 'invalid customerGUID: invalid UUID length: 6'
    [success] Downloaded/Loaded policy
    [info] Accessing Kubernetes objects
    [warning] failed to collect image vulnerabilities. error: credentials are not configured for any registry adaptor
    [success] Accessed to Kubernetes objects
    [info] Scanning. Cluster: minikube
    [success] Done scanning. Cluster: minikube
    
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    Controls: 58 (Failed: 39, Excluded: 0, Skipped: 5)
    [SNIPPED]
    
  • Mutated release binaries

    I'm checking SHASUMs as part of my process which pulls in the kubescape tool for testing of one of my clusters, and I've noticed they seem to be changing.

    Would it be possible to update the release process to not mutate release binaries?

  • Killercoda KubeScape Playground fails to load

    Describe the bug

    The KubeScape playground mentioned in the README.md file fails to load the scenario.

    Environment

    The playground runs on KillerCoda's Website

    Steps To Reproduce

    Steps to reproduce the behaviour:

    1. Go to 'https://killercoda.com/saiyampathak/scenario/kubescape'
    2. Click on 'Start Icon on the left'
    3. See error in the terminal on right side of the screen.

    Expected behaviour

    An ubuntu terminal with KubeScape installed.

    Actual Behavior

    The Scenario tries to run VERSION=$(curl --silent "https://api.github.com/repos/armosec/kubescape/releases/latest" | jq -r .tag_name) command, but the Command jq is not found which gives the error.

    Additional context

    After manually installing jq through apt install jq as suggested in the terminal, and manually running the command VERSION=$(curl --silent "https://api.github.com/repos/armosec/kubescape/releases/latest" | jq -r .tag_name) fails to store the latest version of KubeScape in VERSION which breaks the scenario as VERSION is required by subsequent commands.

  • Ability to force colored output for CI environments that are not a real TTY

    I know that there is the option to specifically disable colors in the output of kubescape, but it would also be nice to be able to force-enable colored output. This is especially important for CI tools like GitHub Actions, that don't have a real TTY but still have the ability to show ANSI colors correctly.

  • Using --use-artifacts-from flag

    Describe the bug

    Kubescape results are different when running with the --use-artifacts-from flag

    Environment

    OS: Ubuntu 20.04.4 LTS

    kubescape version:

    Your current version is: v2.0.167
    

    Steps To Reproduce

    Steps to reproduce the behavior:

    1. Install Kubescape
    2. Set up a cluster using Minikube via minikube start
    3. Run Kubescape via kubescape scan
    4. Download all artifacts
    5. Run Kubescape via kubescape scan --use-artifacts-from path/to/local/dir
    6. Observe the difference between the results

    Expected behavior

    That the 2 results will match

    Actual Behavior

    Some of the results are different between the 2 runs.

    Regular scan:

    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    | SEVERITY |                    CONTROL NAME                    | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    | Critical | Data Destruction                                   |        18        |         0          |      70       |     26%      |
    | Critical | Disable anonymous access to Kubelet service        |        0         |         0          |       0       |   skipped*   |
    | Critical | Enforce Kubelet client TLS authentication          |        0         |         0          |       0       |   skipped*   |
    | High     | Applications credentials in configuration files    |        1         |         0          |      18       |      6%      |
    | High     | Cluster-admin binding                              |        2         |         0          |      70       |      3%      |
    | High     | List Kubernetes secrets                            |        11        |         0          |      70       |     16%      |
    | High     | Privileged container                               |        1         |         0          |       7       |     14%      |
    | High     | Resources CPU limit and request                    |        7         |         0          |       7       |     100%     |
    | High     | Resources memory limit and request                 |        6         |         0          |       7       |     86%      |
    | High     | Workloads with excessive amount of vulnerabilities |        1         |         0          |       3       |     33%      |
    | High     | Writable hostPath mount                            |        4         |         0          |       7       |     57%      |
    | Medium   | Access container service account                   |        41        |         0          |      41       |     100%     |
    | Medium   | Allow privilege escalation                         |        6         |         0          |       7       |     86%      |
    | Medium   | Allowed hostPath                                   |        4         |         0          |       7       |     57%      |
    | Medium   | Automatic mapping of service account               |        46        |         0          |      46       |     100%     |
    | Medium   | CVE-2022-0492-cgroups-container-escape             |        2         |         0          |       7       |     29%      |
    | Medium   | Cluster internal networking                        |        4         |         0          |       4       |     100%     |
    | Medium   | Configured liveness probe                          |        2         |         0          |       7       |     29%      |
    | Medium   | CoreDNS poisoning                                  |        4         |         0          |      70       |      6%      |
    | Medium   | Delete Kubernetes events                           |        4         |         0          |      70       |      6%      |
    | Medium   | Exec into container                                |        2         |         0          |      70       |      3%      |
    | Medium   | HostNetwork access                                 |        6         |         0          |       7       |     86%      |
    | Medium   | HostPath mount                                     |        4         |         0          |       7       |     57%      |
    | Medium   | Images from allowed registry                       |        1         |         0          |       7       |     14%      |
    | Medium   | Ingress and Egress blocked                         |        7         |         0          |       7       |     100%     |
    | Medium   | Linux hardening                                    |        2         |         0          |       7       |     29%      |
    | Medium   | Mount service principal                            |        4         |         0          |       7       |     57%      |
    | Medium   | Namespace without service accounts                 |        3         |         0          |      43       |      7%      |
    | Medium   | Network mapping                                    |        4         |         0          |       4       |     100%     |
    | Medium   | No impersonation                                   |        2         |         0          |      70       |      3%      |
    | Medium   | Non-root containers                                |        7         |         0          |       7       |     100%     |
    | Medium   | Portforwarding privileges                          |        2         |         0          |      70       |      3%      |
    | Low      | Audit logs enabled                                 |        1         |         0          |       1       |     100%     |
    | Low      | Configured readiness probe                         |        5         |         0          |       7       |     71%      |
    | Low      | Immutable container filesystem                     |        6         |         0          |       7       |     86%      |
    | Low      | K8s common labels usage                            |        7         |         0          |       7       |     100%     |
    | Low      | Label usage for resources                          |        3         |         0          |       7       |     43%      |
    | Low      | Naked PODs                                         |        1         |         0          |       7       |     14%      |
    | Low      | PSP enabled                                        |        1         |         0          |       1       |     100%     |
    | Low      | Resource policies                                  |        7         |         0          |       7       |     100%     |
    | Low      | Secret/ETCD encryption enabled                     |        1         |         0          |       1       |     100%     |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    |          |                  RESOURCE SUMMARY                  |        96        |         0          |      140      |    23.73%    |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    
    

    Scan from local artifacts:

    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    | SEVERITY |                    CONTROL NAME                    | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    | Critical | Data Destruction                                   |        18        |         0          |      70       |     26%      |
    | Critical | Disable anonymous access to Kubelet service        |        0         |         0          |       0       |   skipped*   |
    | Critical | Enforce Kubelet client TLS authentication          |        0         |         0          |       0       |   skipped*   |
    | High     | Applications credentials in configuration files    |        1         |         0          |      18       |      6%      |
    | High     | Cluster-admin binding                              |        2         |         0          |      70       |      3%      |
    | High     | List Kubernetes secrets                            |        11        |         0          |      70       |     16%      |
    | High     | Privileged container                               |        1         |         0          |       7       |     14%      |
    | High     | Resources CPU limit and request                    |        7         |         0          |       7       |     100%     |
    | High     | Resources memory limit and request                 |        6         |         0          |       7       |     86%      |
    | High     | Workloads with excessive amount of vulnerabilities |        1         |         0          |       3       |     33%      |
    | High     | Writable hostPath mount                            |        4         |         0          |       7       |     57%      |
    | Medium   | Access container service account                   |        41        |         0          |      41       |     100%     |
    | Medium   | Allow privilege escalation                         |        6         |         0          |       7       |     86%      |
    | Medium   | Allowed hostPath                                   |        4         |         0          |       7       |     57%      |
    | Medium   | Automatic mapping of service account               |        46        |         0          |      46       |     100%     |
    | Medium   | CVE-2022-0492-cgroups-container-escape             |        2         |         0          |      10       |     20%      |
    | Medium   | Cluster internal networking                        |        4         |         0          |       4       |     100%     |
    | Medium   | Configured liveness probe                          |        2         |         0          |       7       |     29%      |
    | Medium   | CoreDNS poisoning                                  |        4         |         0          |      70       |      6%      |
    | Medium   | Delete Kubernetes events                           |        4         |         0          |      70       |      6%      |
    | Medium   | Exec into container                                |        2         |         0          |      70       |      3%      |
    | Medium   | HostNetwork access                                 |        6         |         0          |       7       |     86%      |
    | Medium   | HostPath mount                                     |        4         |         0          |       7       |     57%      |
    | Medium   | Images from allowed registry                       |        1         |         0          |       7       |     14%      |
    | Medium   | Ingress and Egress blocked                         |        7         |         0          |       7       |     100%     |
    | Medium   | Linux hardening                                    |        2         |         0          |       7       |     29%      |
    | Medium   | Mount service principal                            |        4         |         0          |       7       |     57%      |
    | Medium   | Namespace without service accounts                 |        3         |         0          |      43       |      7%      |
    | Medium   | Network mapping                                    |        4         |         0          |       4       |     100%     |
    | Medium   | No impersonation                                   |        2         |         0          |      70       |      3%      |
    | Medium   | Non-root containers                                |        7         |         0          |       7       |     100%     |
    | Medium   | Portforwarding privileges                          |        2         |         0          |      70       |      3%      |
    | Low      | Audit logs enabled                                 |        1         |         0          |       1       |     100%     |
    | Low      | Configured readiness probe                         |        5         |         0          |       7       |     71%      |
    | Low      | Immutable container filesystem                     |        6         |         0          |       7       |     86%      |
    | Low      | K8s common labels usage                            |        7         |         0          |       7       |     100%     |
    | Low      | Label usage for resources                          |        3         |         0          |       7       |     43%      |
    | Low      | Naked PODs                                         |        1         |         0          |       7       |     14%      |
    | Low      | PSP enabled                                        |        1         |         0          |       1       |     100%     |
    | Low      | Resource policies                                  |        7         |         0          |       7       |     100%     |
    | Low      | Secret/ETCD encryption enabled                     |        1         |         0          |       1       |     100%     |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    |          |                  RESOURCE SUMMARY                  |        96        |         0          |      143      |    23.60%    |
    +----------+----------------------------------------------------+------------------+--------------------+---------------+--------------+
    
    
  • Support AKS parser

    Describe your changes

    In this PR we support parsing the kube/config for detecting if the cluster is hosted by AKS.

    Dependent PRs:

    • https://github.com/kubescape/k8s-interface/pull/14
    • https://github.com/kubescape/opa-utils/pull/61
  • Wrong `Fixes` are constructed when `Sequence type` is involved

    Currently, Kubescape is not accounting for the Sequences when constructing fixes for auto-fixing files or displaying in Assistant Remediation.

    Example while auto-fixing files:

    • One of the basic fixes is to drop "NET_RAW" capability.
    • Fix Constructed: spec.containers[0].securityContext.capabilities.drop |= NET_RAW.
    • Right fix : spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]

    # Fix applied with the constructed path
    capabilities:
         drop: NET_RAW

    # Right fix:
    capabilities:
         drop: ["NET_RAW"]

    # OR
    capabilities:
         drop:
         - NET_RAW
    

    TLDR

    Fixes should be constructed differently for mapping and sequence types.

    Possible Solution

    • Add another field PathType to FixPath in armosec/armoapi-go https://github.com/armosec/armoapi-go/blob/392cab84a55ee919cd1559da112c00b00af11d06/armotypes/posturetypes.go#L287

    • The PathType field takes either Mapping or Sequence as values. The fixes can be constructed accordingly knowing the type of Path.
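
The difference between the two fix shapes described in the issue above, as an added Go sketch that is not Kubescape or armoapi-go code: `ApplyFix` and `descend` are hypothetical, `PathType` with the values Mapping and Sequence follows the issue's proposal, and the pod is constructed sample data. Promoting an existing scalar to a one-element list is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PathType mirrors the field proposed in the issue: Mapping or Sequence.
type PathType int

const (
	Mapping PathType = iota
	Sequence
)

type object = map[string]interface{}

// descend follows one segment ("key" or "key[n]"); only mappings are created.
func descend(cur object, seg string) (object, error) {
	key, idx := seg, -1
	if open := strings.IndexByte(seg, '['); open >= 0 {
		n, err := strconv.Atoi(strings.TrimSuffix(seg[open+1:], "]"))
		if err != nil || n < 0 || !strings.HasSuffix(seg, "]") {
			return nil, fmt.Errorf("bad index in segment %q", seg)
		}
		key, idx = seg[:open], n
	}
	if idx < 0 {
		switch v := cur[key].(type) {
		case nil:
			m := object{}
			cur[key] = m
			return m, nil
		case object:
			return v, nil
		}
		return nil, fmt.Errorf("%q is not a mapping", key)
	}
	list, _ := cur[key].([]interface{})
	if idx >= len(list) {
		return nil, fmt.Errorf("%s[%d] does not exist", key, idx)
	}
	m, ok := list[idx].(object)
	if !ok {
		return nil, fmt.Errorf("%s[%d] is not a mapping", key, idx)
	}
	return m, nil
}

// ApplyFix writes value at the dotted path and returns what is now stored there.
func ApplyFix(doc object, path, value string, pt PathType) (interface{}, error) {
	segs := strings.Split(path, ".")
	cur, leaf := doc, segs[len(segs)-1]
	if leaf == "" || strings.ContainsAny(leaf, "[]") {
		return nil, fmt.Errorf("leaf %q must be a plain key", leaf)
	}
	for _, seg := range segs[:len(segs)-1] {
		next, err := descend(cur, seg)
		if err != nil {
			return nil, err
		}
		cur = next
	}
	if pt == Mapping {
		cur[leaf] = value // scalar assignment: fine for a mapping, wrong for a list
		return value, nil
	}
	var items []interface{}
	switch v := cur[leaf].(type) {
	case nil: // key absent: start a new list
	case []interface{}:
		items = v
	default: // scalar left by a Mapping-style fix: promote it to a list
		items = []interface{}{v}
	}
	present := false
	for _, it := range items {
		present = present || it == value
	}
	if !present {
		items = append(items, value)
	}
	cur[leaf] = items
	return items, nil
}

// constructedPod is sample input made up for this example.
func constructedPod() object {
	return object{"spec": object{"containers": []interface{}{object{"name": "app"}}}}
}

func main() {
	const path = "spec.containers[0].securityContext.capabilities.drop"
	wrong, _ := ApplyFix(constructedPod(), path, "NET_RAW", Mapping)
	right, _ := ApplyFix(constructedPod(), path, "NET_RAW", Sequence)
	fmt.Printf("Mapping:  %#v\nSequence: %#v\n", wrong, right)
}
```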

  • R&D: investigate SaaS integration with kube-bind

    https://github.com/kube-bind/kube-bind

    https://kccncna2022.sched.com/event/182Hm/towards-something-better-than-crds-in-a-post-operator-world-stefan-schimanski-red-hat

  • Proposal: introducing linting to the kubescape codebase

    Is your feature request related to a problem? Please describe.

    When a code base grows, code readability becomes paramount. There are quite a few places where the kubescape codebase departs from widely adopted go practice. We have all been there and this is perfectly understandable at this stage. Pure style notwithstanding, this results in some components being harder to grasp than strictly needed.

    Describe the solution you'd like.

    I propose to introduce linting to the kubescape git repository and gradually address issues.

    • Existing linting issues should not block PRs unless they introduce offending code.
    • Enabling linting rules is a gradual process: we'd start with a few rules only and gradually raise our enforcement of coding standards.
    • We won't introduce rules that would break existing interfaces because of some styling issues (e.g. initialisms, etc.)
    • Linting fixes are not always trivial. We should limit the scope of such fixes to a series of rather small, reviewable PRs.

    Describe alternatives you've considered.

    I've also tried to run some static analysis linters manually, detect some issues, and fix them individually. This is the approach followed by #982.

  • Chore/introduce linting

    Describe your changes

    • Introduced minimal linters configuration, with a new github action to enforce linting rules.
    • Fixed linting issues with this minimal config

    NOTE: this PR also relates to #982, which already addresses a few linting issues (suspicious loops).

    Screenshots - If Any (Optional)

    This PR fixes:

    • Resolved #985

    Checklist before requesting a review

    • [ ] My code follows the style guidelines of this project
    • [ ] I have commented on my code, particularly in hard-to-understand areas
    • [ ] I have performed a self-review of my code
    • [ ] If it is a core feature, I have added thorough tests.
    • [ ] New and existing unit tests pass locally with my changes

    Please open the PR against the dev branch (Unless the PR contains only documentation changes)

Declarative penetration testing orchestration framework

Decker - Penetration Testing Orchestration Framework Purpose Decker is a penetration testing orchestration framework. It leverages HashiCorp Configura

Nov 10, 2022
A web-based testing platform for WAF (Web Application Firewall)'s correctness

WAFLab ?? WAFLab is a web-based platform for testing WAFs. Live Demo https://waflab.org/ Architecture WAFLab contains 2 parts: Name Description Langua

Oct 25, 2022
A vulnerable graphQL application, for testing purposes

Vulnerable-GoQL Vulnerable-GoQL is a web API which implements main security breach.

Jul 31, 2021
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Dec 28, 2022
Static binary analysis tool to compute shared strings references between binaries and output in JSON, YAML and YARA

StrTwins StrTwins is a binary analysis tool, powered by radare, that is capable to find shared code string references between executables and output i

May 3, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

Dec 14, 2022
DirDar is a tool that searches for (403-Forbidden) directories to break it and get dir listing on it

DirDar v1.0 Description bypass forbidden directories - find and identify dir listing - you can use it as directory brute-forcer as well Compatab

Jan 1, 2023
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).

proxylogscan This tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and imperson

Dec 26, 2022
A scalable overlay networking tool with a focus on performance, simplicity and security

What is Nebula? Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect comp

Dec 29, 2022
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

Dec 10, 2022
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

Dec 30, 2022
A tool for secrets management, encryption as a service, and privileged access management

Vault Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please respo

Jan 2, 2023
🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Finder Of XSS, and Dal(달) is the Korean pronunciation of moon. What is DalFox DalFox is a fast, powerful parameter analysis and XSS scanner, bas

Jan 5, 2023
A modern tool for the Windows kernel exploration and tracing

Fibratus A modern tool for the Windows kernel exploration and observability Get Started » Docs • Filaments • Download • Discussions What is Fibratus?

Dec 30, 2022
🌀 Dismap - Asset discovery and identification tool

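Dismap - Asset discovery and identification tool [English readme Click Me] Dismap is positioned as an asset discovery and identification tool; its distinguishing feature is rapid identification of web fingerprint information to determine asset types. It helps red teams quickly locate target asset information, and helps blue teams discover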

Jan 3, 2023
A pledge(2) and unveil(2)'d tool for verifying GnuPG signatures.

ogvt A pledge(2) and unveil(2)'d tool for verifying GnuPG signatures. Success ./ogvt -file test/uptime.txt -sig test/uptime.txt.asc -pub test/adent.p

Nov 25, 2021
A GREAT GUI Offline Tool for manipulating/seeking resolver list of repique and dnscrypt proxy.

Intro A GUI Offline Tool for decrypting and manipulating *.md files used by repique and dnscrypt proxy It's targeted for creating your own DoT, DoH an

Nov 27, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

Jan 2, 2022
Velociraptor - Endpoint visibility and collection tool.

Velociraptor - Endpoint visibility and collection tool. Velociraptor is a tool for collecting host based state information using The Velociraptor Quer

Dec 7, 2022