🔍 Comprehensive Scanning
Scan live Kubernetes clusters, YAML manifests, and Helm charts for security vulnerabilities and misconfigurations using CEL-based rules.
Spotter
🚀 Universal Kubernetes Security Engine
⚡ High Performance
Built with Go for speed and efficiency. Concurrent scanning with configurable workers and intelligent caching for optimal performance.
🛡️ 140+ Built-in Rules
Comprehensive security rules covering 10 major categories from workload security to compliance, with CIS Kubernetes Benchmark alignment.
🔧 Extensible
Create custom security rules using CEL (Common Expression Language). Easy rule development with YAML-based configuration.
📊 Multiple Output Formats
Support for table, JSON, YAML, and SARIF output formats. Perfect for CI/CD integration and security reporting.
🚀 Multiple Deployment Modes
Use as CLI tool, admission controller, or integrate into CI/CD pipelines. Docker images available for easy deployment.
Security Categories
Section titled “Security Categories”Spotter covers 10 comprehensive security categories:
- Workload Security - Container privileges, security contexts, capabilities
- Access Control - RBAC, service accounts, authorization
- Network & Traffic Security - Network policies, service exposure
- Secrets & Data Protection - Secret management, encryption
- Configuration & Resource Hygiene - Resource limits, probes, deprecated APIs
- Supply Chain & Image Security - Image scanning, registries, signatures
- CI/CD & GitOps Security - Pipeline security, shift-left policies
- Runtime Threat Detection - Anomaly detection, policy violations
- Audit, Logging & Compliance - CIS benchmarks, governance
- Platform & Infrastructure Security - Node security, control plane
Quick Example
Section titled “Quick Example”# Scan a live clusterspotter scan cluster
# Scan manifest filesspotter scan manifests ./k8s-manifests/
# Output in JSON formatspotter scan cluster --output json
# Scan with custom rulesspotter scan manifests --rules ./custom-rules/ ./manifests/Why Spotter?
Section titled “Why Spotter?”- Universal: Works with any Kubernetes distribution
- Fast: Concurrent scanning with intelligent resource matching
- Accurate: CEL-based rules provide precise security analysis
- Comprehensive: 140+ built-in rules covering all security aspects
- Flexible: Multiple deployment modes and output formats
- Open Source: Apache 2.0 licensed with active community