Skip to content
/ kube-hound Public

Automated security smell detection for Kubernetes applications

2 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

di-unipi-socc/kube-hound

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

156 Commits
data/examples
data/examples
 
 
kube_hound
kube_hound
 
 
scripts
scripts
 
 
test_files
test_files
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Kube-hound

Kube-hound is an automatic security smell detection tool targeting Kubernetes-based microservices applications.

Currently it is supported the detection for:

  • Insufficient Access Control in OpenAPI specfications
  • Multiple User Authentication in OpenAPI specifications
  • Unecessary privileges to microservices using Kubesec.io
  • Hardcoded Secrets in Environment Variables
  • Publicly Accessible Services using the External-IP field
  • Unencrypted Pod-to-Pod Traffic
  • Hardcoded secrets in Kubernetes
  • Hardcoded secrets in Docker and Source code
  • Data-at-Rest Encryption Not Enabled in DBMSs

The folder data/examples contains various examples of analyses on different sample applications.

Usage

Command line interface

poetry run python -m kube_hound
usage: kube-hound [-h] [-c CONTEXT] [-d] [-s] [-l ANALYSIS_LIST] [--json] [-v] [-vv] config_file

kube-hound: detect securitysmells in kubernetes based applications

positional arguments:
  config_file           path to the config file

optional arguments:
  -h, --help            show this help message and exit
  -c CONTEXT, --context CONTEXT
                        path to the application context
  -d                    run only dynamic analyses
  -s                    run only static analyses
  -l ANALYSIS_LIST      comma separated list of analysis to run (default all available)
  --json                output results in a json object
  -v                    verbose output
  -vv                   more verbose output

Other Python scripts

from pathlib import Path
from typing import List, Mapping

from kube_hound.hound import Hound
from kube_hound.analysis import AnalysisResult, StaticAnalysis
from kube_hound.applicationobject import ApplicationObject


class HelloWorldAnalysis(StaticAnalysis):
    analysis_id = 'hello_world'
    analysis_name = 'Hello World Analysis'
    analysis_description = 'This analysis prints Hello, World!'
    input_types = ['kubernetes_config', 'dockerfile']

    def run_analysis(self, input_objects: Mapping[str, List[ApplicationObject]])\
            -> List[AnalysisResult]:
        print('Hello, World!')
        return []


# instantiate the Hound object and load the Kubernetes config from the environment
hound = Hound(Path("test_files/mock-application/application"))
hound.set_config_path(Path("test_files/mock-application/mock-config.yaml"))

# acquire and parse the application
hound.aquire_application()
hound.parse_application()

# register HelloWorldAnalysis to the scheduler
hound.register_analysis(HelloWorldAnalysis)

# only run static analyses
hound.run_dynamic = False

# run the analyses and show the results
hound.run_analyses()
hound.show_results()

Dependencies

Kube-hound needs the Docker engine and kubectl installed. Additionally, to detect unencrypted Pod-to-Pod traffic, it needs ksniff installed.

To install the python dependencies run

poetry install

Testing

Preconfigured yaml config files for Online boutique and Sock shop can be found in the test_files folder. To run Kube-hound on those application run:

./scripts/run_online_boutique.sh
./scripts/run_sock_shop.sh

About

Automated security smell detection for Kubernetes applications

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

5 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages