kubestriker VS cfn_nag

TerraScan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. klum - Kubernetes Lazy User Manager Kyverno - Kubernetes Native Policy Management https://kyverno.io kiosk - kiosk office Multi-Tenancy Extension For Kubernetes - Secure Cluster Sharing & Self-Service Namespace Provisioning kube-bench - CIS Kubernetes Benchmark tool kube-hunter - Pentesting tool - Hunts for security weaknesses in Kubernetes clusters kube-who-can - Show who has RBAC permissions to perform actions on different resources in Kubernetes starboard - Kubernetes-native security toolkit Simulator - Kubernetes Security Training Platform - Focussing on security mitigation RBAC Lookup - Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster https://fairwinds.com Kubeaudit - kubeaudit helps you audit your Kubernetes clusters against common security controls Gangway - An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster Audit2rbac - Autogenerate RBAC policies based on Kubernetes audit logs Chartsec - Helm Chart security scanner kubestriker - Security Auditing tool Datree - CLI tool to prevent K8s misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies Krane - Kubernetes RBAC static Analysis & visualisation tool Flaco - The Falco Project - Cloud-Native runtime security Clair - Vulnerability Static Analysis for Containers Anchore Cli - Coomand Line Interface built on top of anchore engine to manage and inspect images, policies, subscriptions and registries Project Quay - Container image registry designed to boost the security of your repositories via vulnerability scanning and tight access control Kubescape - Tool to test if Kubernetes is deployed securely according to multiple frameworks: regulatory, customized company policies and DevSecOps best practices, such as the NSA-CISA and the MITRE ATT&CK®

Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

# Create python virtual environment $ python3 -m venv env # Activate python virtual environment $ source env/bin/activate # Clone this repository $ git clone https://github.com/vchinnipilli/kubestriker.git # Go into the repository $ cd kubestriker # Install dependencies $ pip install -r requirements.txt # Incase of prompt toolkit or selectmenu errors $ pip install prompt-toolkit==1.0.15 $ pip install -r requirements.txt # Gearing up Kubestriker $ python -m kubestriker # Result will be generated in the current working directory with the name of the target

.pre-commit-config.yaml – contains the cfn-lint and cfn_nag pre-commit hooks.

For generic CloudFormation templates, check CFN-NAG.

If you use CDK, you should implement CDK nag; otherwise, use cfn-nag.

cfn_nag

CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.

Security checks for the Cloudformation stack using cfn-nag

cdk-nag contains several Aspects to check your applications for best practices. It is especially useful if you need to be HIPAA-compliant or have other compliance requirements. It is inspired by cfn_nag which is a a tool checking for patterns in your CloudFormation templates.

cfn-lint and cfn_nag or other tools of that nature to check as you write so you don't need to continually try to deploy only to find that you've done something dumb.

There is another tool called cfn_nag that can check your code for potentially any insecure infrastructure. When you read the documentation around this tool, the author says it can check for things such as:

I recently wanted to use the cfn-nag tool on some templates I was writing but couldn't find any instructions to install on Windows, but I have found a way to do it.