Installation
Spotter can be installed using multiple methods to suit different environments and preferences. Choose the method that works best for your setup.
Installation Methods
1. Go Install (Recommended)
If you have Go installed, this is the quickest way to get the latest version:
go install github.com/madhuakula/spotter@latest
Verify the installation:
spotter version
2. Download Binary
Download pre-compiled binaries from the GitHub Releases page.
Linux (x86_64)
# Download the latest release
wget https://github.com/madhuakula/spotter/releases/latest/download/spotter-linux-amd64.tar.gz

# Extract and install
tar -xzf spotter-linux-amd64.tar.gz
sudo mv spotter /usr/local/bin/

# Verify installation
spotter version
macOS (Intel)
# Download the latest release
wget https://github.com/madhuakula/spotter/releases/latest/download/spotter-darwin-amd64.tar.gz

# Extract and install
tar -xzf spotter-darwin-amd64.tar.gz
sudo mv spotter /usr/local/bin/

# Verify installation
spotter version
macOS (Apple Silicon)
# Download the latest release
wget https://github.com/madhuakula/spotter/releases/latest/download/spotter-darwin-arm64.tar.gz

# Extract and install
tar -xzf spotter-darwin-arm64.tar.gz
sudo mv spotter /usr/local/bin/

# Verify installation
spotter version
Windows
- Download spotter-windows-amd64.zip from the releases page
- Extract the ZIP file
- Add the extracted directory to your PATH environment variable
- Open a new command prompt and verify:
spotter version
3. Docker
Run Spotter using Docker without installing it locally:
# Pull the latest image
docker pull madhuakula/spotter:latest

# Run Spotter (example: scan manifests)
docker run --rm -v "$(pwd)":/workspace madhuakula/spotter:latest scan manifests /workspace

# For cluster scanning, mount kubeconfig
docker run --rm -v ~/.kube:/root/.kube madhuakula/spotter:latest scan cluster
Docker Compose
Create a docker-compose.yml file:
version: '3.8'
services:
  spotter:
    image: madhuakula/spotter:latest
    volumes:
      - ~/.kube:/root/.kube:ro
      - ./manifests:/workspace:ro
    command: ["scan", "manifests", "/workspace"]
Run with:
docker-compose run --rm spotter
4. Build from Source
For the latest development version or custom builds:
# Clone the repository
git clone https://github.com/madhuakula/spotter.git
cd spotter

# Build the binary
make build

# Install to system PATH
sudo cp bin/spotter /usr/local/bin/

# Verify installation
spotter version
Kubernetes RBAC Setup
For cluster scanning, Spotter needs appropriate permissions. Create the following RBAC resources, saved as spotter-rbac.yaml (the file applied below):
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spotter
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spotter-reader
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["*"]
  verbs: ["get", "list"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list"]
- apiGroups: ["policy"]
  resources: ["*"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spotter-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spotter-reader
subjects:
- kind: ServiceAccount
  name: spotter
  namespace: default
Apply the RBAC configuration:
kubectl apply -f spotter-rbac.yaml
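The spotter-reader ClusterRole above uses resources: ["*"] in the core API group, which includes Secrets, so the spotter service account can get and list every Secret in the cluster. The following added example (not part of the Spotter documentation or code base) audits a ClusterRole's rules for that kind of grant; the NARROWED role and the finding names are constructed for illustration.

```python
import json
import sys

# Constructed input: the spotter-reader rules from this page, in the shape
# `kubectl get clusterrole spotter-reader -o json` returns.
SPOTTER_READER = {
    "metadata": {"name": "spotter-reader"},
    "rules": [
        {"apiGroups": [g], "resources": ["*"], "verbs": ["get", "list"]}
        for g in ["", "apps", "networking.k8s.io", "policy",
                  "rbac.authorization.k8s.io"]
    ],
}

# Constructed comparison role with explicit resource names and no Secrets.
# Assumption: the resources Spotter really needs are not stated on the page.
NARROWED = {
    "metadata": {"name": "spotter-reader-narrow"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    ],
}

def rule_allows(rule, group, resource, verb):
    """RBAC match for one rule: '*' matches any group, resource or verb."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def audit(role):
    """Return (rule index, finding, detail) tuples for broad read grants."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if "*" in rule.get("resources", []):
            findings.append((i, "wildcard-resources", rule.get("apiGroups", [])))
        verbs = [v for v in ("get", "list", "watch")
                 if rule_allows(rule, "", "secrets", v)]
        if verbs:
            findings.append((i, "reads-secrets", verbs))
    return findings

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    role = json.loads(raw) if raw.strip() else SPOTTER_READER
    for finding in audit(role):
        print(role["metadata"]["name"], *finding)
```

To check the live binding rather than the role text, `kubectl auth can-i list secrets --as=system:serviceaccount:default:spotter --all-namespaces` asks the API server directly.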
Configuration
Spotter can be configured using:
- Command-line flags: Override specific settings
- Configuration file: Use spotter.yaml for persistent settings
- Environment variables: Set SPOTTER_* variables
Basic Configuration File
Create a spotter.yaml file:
# Spotter Configuration
logging:
  level: info
  format: text

scanner:
  workers: 10
  timeout: 30s

rules:
  builtin:
    enabled: true
  custom:
    paths:
      - "./custom-rules"

output:
  format: table
  file: ""
  no-color: false

kubernetes:
  kubeconfig: ""
  context: ""
  namespace: ""

performance:
  max-concurrent-scans: 50
  rule-cache-size: 1000
Verification
After installation, verify Spotter is working correctly:
# Check version
spotter version

# List available commands
spotter --help

# Test with a simple manifest scan
echo 'apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: nginx
    securityContext:
      privileged: true' | spotter scan manifests -
You should see security findings related to the privileged container.
Next Steps
- Quick Start: Try the Quick Start Guide for hands-on examples
- Configuration: Learn about Configuration Options
- CLI Usage: Explore CLI Commands
- Security Rules: Understand Built-in Rules
Troubleshooting
Common Issues
Permission Denied (Cluster Scanning)
# Check your kubeconfig
kubectl config current-context

# Test cluster access
kubectl get nodes
Binary Not Found
# Check if binary is in PATH
which spotter

# Add to PATH if needed (Linux/macOS)
export PATH=$PATH:/usr/local/bin
Docker Permission Issues
# Add user to docker group (Linux)
# Note: members of the docker group have root-equivalent access to the host
sudo usermod -aG docker $USER

# Restart shell or logout/login
For more help, check the GitHub Issues or create a new issue.