kubespectre — Kubernetes security posture auditor. Part of SpectreHub.
- Audits RBAC permissions, pod security standards, and network policies
- Detects stale secrets, unused service accounts, and image provenance issues
- Checks audit logging configuration and namespace isolation
- Each finding includes severity for CI/CD gating and compliance reporting
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a runtime security monitor — no eBPF, no agents
- Not a remediation tool — read-only, never modifies cluster resources
- Not a replacement for OPA/Gatekeeper — audits posture, not policy enforcement
- Not a vulnerability scanner — use Trivy/Grype for CVEs
Install with Homebrew:

```sh
brew tap ppiankov/tap
brew install kubespectre
```

Or build from source:

```sh
git clone https://github.com/ppiankov/kubespectre.git
cd kubespectre
make build
```

Run an audit against a cluster:

```sh
kubespectre audit --kubeconfig ~/.kube/config --format json
```

| Command | Description |
|---|---|
| kubespectre audit | Audit cluster security posture |
| kubespectre version | Print version |
kubespectre feeds Kubernetes security findings into SpectreHub for unified visibility across your infrastructure:

```sh
spectrehub collect --tool kubespectre
```

kubespectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your cluster resources.
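To make the RBAC audit, the per-finding severity, and the read-only stance concrete, here is an added example in Go that is not kubespectre's own code: it applies three posture checks to cluster roles and bindings loaded from a constructed JSON sample (wildcard grants in custom roles, roles bound to the broad `system:authenticated` / `system:unauthenticated` groups, and `default` service accounts bound to cluster-admin or a wildcard role) and then gates on severity the way a CI step would. The struct shapes, field names, severity labels, check names and thresholds are all assumptions of this example, not kubespectre's schema; it never writes to a cluster, it only classifies the objects it is given.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal mirrors of the RBAC objects the checks inspect (assumed shapes,
// not kubespectre's types). Only the fields the checks need are kept so the
// example runs with the standard library alone.
type PolicyRule struct {
	Verbs     []string `json:"verbs"`
	Resources []string `json:"resources"`
}

type ClusterRole struct {
	Name  string       `json:"name"`
	Rules []PolicyRule `json:"rules"`
}

type Subject struct {
	Kind      string `json:"kind"` // User, Group or ServiceAccount
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

type ClusterRoleBinding struct {
	Name     string    `json:"name"`
	RoleName string    `json:"roleName"`
	Subjects []Subject `json:"subjects"`
}

// Finding is one audit result; Severity drives CI gating below.
type Finding struct {
	Severity string // MEDIUM, HIGH or CRITICAL (labels assumed for this example)
	Object   string
	Message  string
}

var severityRank = map[string]int{"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

func hasWildcard(list []string) bool {
	for _, v := range list {
		if v == "*" {
			return true
		}
	}
	return false
}

// AuditRBAC is read-only: it classifies the objects it is handed and returns
// findings, never touching the cluster.
func AuditRBAC(roles []ClusterRole, bindings []ClusterRoleBinding) []Finding {
	var findings []Finding
	wildcardRoles := map[string]bool{}
	for _, r := range roles {
		for _, rule := range r.Rules {
			if hasWildcard(rule.Verbs) && hasWildcard(rule.Resources) {
				wildcardRoles[r.Name] = true
				// The built-in cluster-admin role is expected to be "*"/"*";
				// flag only custom roles that replicate that grant.
				if r.Name != "cluster-admin" {
					findings = append(findings, Finding{"HIGH", "ClusterRole/" + r.Name,
						"custom role grants '*' verbs on '*' resources"})
				}
				break
			}
		}
	}
	for _, b := range bindings {
		for _, s := range b.Subjects {
			switch {
			case s.Kind == "Group" && (s.Name == "system:authenticated" || s.Name == "system:unauthenticated"):
				findings = append(findings, Finding{"CRITICAL", "ClusterRoleBinding/" + b.Name,
					fmt.Sprintf("binds role %s to broad group %s", b.RoleName, s.Name)})
			case s.Kind == "ServiceAccount" && s.Name == "default" &&
				(b.RoleName == "cluster-admin" || wildcardRoles[b.RoleName]):
				findings = append(findings, Finding{"HIGH", "ClusterRoleBinding/" + b.Name,
					fmt.Sprintf("default service account in namespace %q bound to %s", s.Namespace, b.RoleName)})
			}
		}
	}
	return findings
}

// ShouldFailCI is the gating decision: true when any finding is at or above
// the threshold severity.
func ShouldFailCI(findings []Finding, threshold string) bool {
	for _, f := range findings {
		if severityRank[f.Severity] >= severityRank[threshold] {
			return true
		}
	}
	return false
}

// Constructed sample input standing in for objects read from the API server.
const sampleRoles = `[
 {"name":"cluster-admin","rules":[{"verbs":["*"],"resources":["*"]}]},
 {"name":"super-helper","rules":[{"verbs":["*"],"resources":["*"]}]},
 {"name":"pod-reader","rules":[{"verbs":["get","list"],"resources":["pods"]}]}
]`

const sampleBindings = `[
 {"name":"cluster-admin","roleName":"cluster-admin","subjects":[{"kind":"Group","name":"system:masters"}]},
 {"name":"debug-everything","roleName":"cluster-admin","subjects":[{"kind":"ServiceAccount","name":"default","namespace":"dev"}]},
 {"name":"anon-readers","roleName":"pod-reader","subjects":[{"kind":"Group","name":"system:unauthenticated"}]}
]`

// LoadSample parses the constructed sample above.
func LoadSample() ([]ClusterRole, []ClusterRoleBinding, error) {
	var roles []ClusterRole
	var bindings []ClusterRoleBinding
	if err := json.Unmarshal([]byte(sampleRoles), &roles); err != nil {
		return nil, nil, err
	}
	if err := json.Unmarshal([]byte(sampleBindings), &bindings); err != nil {
		return nil, nil, err
	}
	return roles, bindings, nil
}

func main() {
	roles, bindings, err := LoadSample()
	if err != nil {
		panic(err)
	}
	findings := AuditRBAC(roles, bindings)
	for _, f := range findings {
		fmt.Printf("%-8s %-35s %s\n", f.Severity, f.Object, f.Message)
	}
	fmt.Println("fail CI at HIGH:", ShouldFailCI(findings, "HIGH"))
}
```

On the sample, the built-in `cluster-admin` role and its `system:masters` binding produce no finding, while the custom wildcard role, the `default` service account bound to cluster-admin, and the role bound to `system:unauthenticated` each do; a pipeline would then pass or fail on the threshold it chooses.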
| Document | Contents |
|---|---|
| CLI Reference | Full command reference, flags, and configuration |
MIT — see LICENSE.
Built by Obsta Labs