A fast, CI-native Kubernetes policy engine with clean UX and GitHub Security integration
kubepolicy
Not "just a linter"—kubepolicy evaluates your Kubernetes YAML against security, reliability, cost, and best-practice rules, with SARIF output so findings appear in the GitHub Security tab.
Features
- Recursive YAML scanning with multi-document support
- Parallel scanning for speed
- 10 built-in rules (security, reliability, cost, best practice)
- Config file (.kubepolicy.yaml) to disable rules or override severity
- Output formats: table (default), JSON, SARIF (GitHub Code Scanning)
- Exit code control: fail CI when findings meet a severity threshold (--fail-on)
Install
From PyPI (recommended)
pip install kubepolicy
From source
git clone https://github.com/akintunero/kube-guard.git
cd kube-guard
pip install -e .
Development setup
git clone https://github.com/akintunero/kube-guard.git
cd kube-guard
pip install -e ".[dev]"
pytest tests -v
Quick start
# Scan current directory (default: table output)
kubepolicy scan ./
# JSON output
kubepolicy scan ./ --format json
# SARIF for GitHub Security tab (e.g. in CI)
kubepolicy scan ./ --format sarif > results.sarif
# Fail CI on MEDIUM or higher
kubepolicy scan ./ --fail-on MEDIUM
# List all rules
kubepolicy list-rules
# Explain a rule
kubepolicy explain SEC001
# Create sample config
kubepolicy init
Built-in rules (10)
| ID | Title | Severity | Category |
|---|---|---|---|
| SEC001 | Privileged container | CRITICAL | security |
| SEC002 | Missing resource limits | MEDIUM | security |
| SEC003 | Use of latest tag | MEDIUM | security |
| SEC004 | hostPath usage | HIGH | security |
| SEC005 | Run as root | HIGH | security |
| SEC006 | Allow privilege escalation | HIGH | security |
| REL001 | Missing liveness probe | MEDIUM | reliability |
| REL002 | Missing readiness probe | MEDIUM | reliability |
| COST001 | No resource requests | MEDIUM | cost |
| BP001 | Image pull policy misconfig | LOW | best_practice |
Config file
Create .kubepolicy.yaml in your repo (or run kubepolicy init):
disable:
  - BP001
severity_overrides:
  COST001: HIGH
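The rule table and the config file above, as one added worked example. This is example code written for this page, not kubepolicy's own implementation: it assumes each YAML document has already been loaded into a Python dict (the project uses ruamel.yaml for that step, so the sample manifests are constructed inline as dicts), the check criteria are this example's reading of the one-line rule titles (BP001 is left out because the page does not state its criterion), and the config dict follows the disable/severity_overrides shape of .kubepolicy.yaml. It also mirrors --fail-on as an exit code.

```python
# Example written for this page, not kubepolicy's own code. Assumes each YAML
# document is already loaded into a dict (the project uses ruamel.yaml for that).
from collections import namedtuple

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}
Finding = namedtuple("Finding", "rule_id severity resource message")  # resource = "Kind/name"


def pod_spec(obj):
    """Pod spec of a Pod, a pod-template workload or a CronJob; None for other kinds."""
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in WORKLOAD_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    return None


def pod_rules(pod):
    """Pod-level checks; yields (rule_id, default_severity, message)."""
    if any("hostPath" in v for v in pod.get("volumes") or []):
        yield "SEC004", "HIGH", "pod mounts a hostPath volume"


def container_rules(c, pod):
    """Container-level checks (criteria are this example's reading of the rule titles)."""
    sc, pod_sc = c.get("securityContext") or {}, pod.get("securityContext") or {}
    res, image, name = c.get("resources") or {}, c.get("image") or "", c.get("name", "?")
    if sc.get("privileged"):
        yield "SEC001", "CRITICAL", f"container {name} is privileged"
    if not res.get("limits"):
        yield "SEC002", "MEDIUM", f"container {name} has no resource limits"
    last = image.rsplit("/", 1)[-1]  # no tag and no digest means an implicit :latest
    if "@" not in last and (":" not in last or last.endswith(":latest")):
        yield "SEC003", "MEDIUM", f"container {name} uses a mutable image tag ({image!r})"
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))  # pod context is the fallback
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if not non_root and (uid is None or uid == 0):
        yield "SEC005", "HIGH", f"container {name} may run as root"
    if sc.get("allowPrivilegeEscalation") is not False:  # Kubernetes default is true
        yield "SEC006", "HIGH", f"container {name} allows privilege escalation"
    if "livenessProbe" not in c:
        yield "REL001", "MEDIUM", f"container {name} has no liveness probe"
    if "readinessProbe" not in c:
        yield "REL002", "MEDIUM", f"container {name} has no readiness probe"
    if not res.get("requests"):
        yield "COST001", "MEDIUM", f"container {name} has no resource requests"


def evaluate(documents, config=None):
    """Run every rule over all documents, honouring disable/severity_overrides."""
    config = config or {}
    disabled = set(config.get("disable") or [])
    overrides = config.get("severity_overrides") or {}
    findings = []
    for obj in documents:
        if not isinstance(obj, dict):  # empty document in a multi-document file
            continue
        pod = pod_spec(obj)
        if pod is None:
            continue
        resource = f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name', '?')}"
        raw = list(pod_rules(pod))
        for c in (pod.get("containers") or []) + (pod.get("initContainers") or []):
            raw.extend(container_rules(c, pod))
        for rule_id, severity, message in raw:
            if rule_id not in disabled:
                findings.append(Finding(rule_id, overrides.get(rule_id, severity), resource, message))
    return findings


def exit_code(findings, fail_on):
    """Mirror --fail-on: 1 when any finding is at or above the threshold, else 0."""
    return int(any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings))


# Constructed sample input: an insecure Deployment, an empty document, a hardened Pod.
INSECURE = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"template": {"spec": {
                "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
                "containers": [{"name": "app", "image": "nginx:latest",
                                "securityContext": {"privileged": True}}]}}}}
HARDENED = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
            "spec": {"containers": [{
                "name": "api", "image": "registry.example.com/api:1.4.2",
                "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                              "requests": {"cpu": "100m", "memory": "128Mi"}},
                "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}
DOCUMENTS = [INSECURE, None, HARDENED]
CONFIG = {"disable": ["REL001"], "severity_overrides": {"COST001": "HIGH"}}  # constructed
```

Running evaluate(DOCUMENTS, CONFIG) reports eight findings, all against Deployment/web (REL001 is suppressed by the config and COST001 is raised to HIGH), and nothing against the hardened Pod; exit_code(..., "MEDIUM") is then 1, which is what --fail-on MEDIUM would turn into a failed CI job.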
GitHub Security integration (SARIF)
In GitHub Actions, run kubepolicy and upload the SARIF file:
- name: Run kubepolicy
  run: kubepolicy scan ./ --format sarif > kubepolicy-results.sarif || true
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: kubepolicy-results.sarif
Findings will appear under Security → Code scanning in your repository.
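An added example of what the SARIF file uploaded by that workflow looks like. This is example code written for this page, not kubepolicy's own SARIF writer: the findings and file paths are constructed, the rule titles, severities and project URL come from the page, and the mapping of severities to SARIF levels and to GitHub's security-severity rule property is this example's choice.

```python
# Example written for this page, not kubepolicy's own SARIF writer. Rule titles,
# severities and the project URL come from the page; the findings are constructed
# and the severity-to-SARIF mapping is this example's choice.
import json

PROJECT_URL = "https://github.com/akintunero/kube-guard"
RULES = {  # rule id -> (title, severity), from the built-in rules table
    "SEC001": ("Privileged container", "CRITICAL"),
    "SEC002": ("Missing resource limits", "MEDIUM"),
    "SEC004": ("hostPath usage", "HIGH"),
    "BP001": ("Image pull policy misconfig", "LOW"),
}
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}
# GitHub reads the rule property "security-severity" (0-10) to bucket alerts by severity.
SECURITY_SEVERITY = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.0", "LOW": "2.0"}

# Constructed findings: (rule_id, repo-relative path, line, message).
FINDINGS = [
    ("SEC001", "k8s/web.yaml", 18, "container app is privileged"),
    ("SEC004", "k8s/web.yaml", 9, "pod mounts a hostPath volume"),
    ("SEC002", "k8s/web.yaml", 16, "container app has no resource limits"),
]


def to_sarif(findings, tool_version="1.0.0"):
    """Build a SARIF 2.1.0 log: one run, each rule listed once, one result per finding."""
    used = sorted({rule_id for rule_id, *_ in findings})
    index = {rule_id: i for i, rule_id in enumerate(used)}
    rules = [{
        "id": rule_id,
        "shortDescription": {"text": RULES[rule_id][0]},
        "defaultConfiguration": {"level": LEVEL[RULES[rule_id][1]]},
        "properties": {"security-severity": SECURITY_SEVERITY[RULES[rule_id][1]]},
    } for rule_id in used]
    results = [{
        "ruleId": rule_id,
        "ruleIndex": index[rule_id],
        "level": LEVEL[RULES[rule_id][1]],
        "message": {"text": message},
        "locations": [{"physicalLocation": {
            # %SRCROOT% tells GitHub the uri is relative to the checked-out repository
            "artifactLocation": {"uri": path, "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": line},
        }}],
    } for rule_id, path, line, message in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "kubepolicy", "version": tool_version,
                                      "informationUri": PROJECT_URL, "rules": rules}},
                  "results": results}],
    }


def sarif_problems(doc):
    """Return the structural problems that commonly break upload or annotation on GitHub."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        rule_ids = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for r in run.get("results", []):
            if r.get("ruleId") not in rule_ids:
                problems.append(f"result references unknown rule {r.get('ruleId')}")
            if r.get("level") not in {"error", "warning", "note", "none"}:
                problems.append(f"bad level {r.get('level')!r}")
            for loc in r.get("locations", []):
                phys = loc["physicalLocation"]
                uri = phys["artifactLocation"]["uri"]
                if uri.startswith("/"):
                    problems.append(f"absolute path {uri!r} will not map to a repository file")
                if phys.get("region", {}).get("startLine", 1) < 1:
                    problems.append("startLine must be >= 1")
    return problems


def dumps(findings):
    """Serialized log, ready to redirect to a .sarif file for upload-sarif."""
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(dumps(FINDINGS))
```

Saved as, say, sarif_example.py (hypothetical name), python sarif_example.py > kubepolicy-results.sarif produces a file the upload step above accepts. The || true in the workflow keeps the scan step from exiting non-zero before the upload runs; if the job itself should fail on findings, add a separate step that runs the scan again with --fail-on.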
Pre-commit
Example hook (run kubepolicy on staged YAML):
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: kubepolicy
        name: kubepolicy scan
        entry: kubepolicy scan
        language: system
        types: [yaml]
        args: [.]
Comparison with kube-linter
| Feature | kubepolicy | kube-linter |
|---|---|---|
| SARIF / GitHub Security | ✅ Native | Via custom |
| Config file | ✅ .kubepolicy.yaml | ✅ |
| Fail-on severity | ✅ | ✅ |
| Parallel scan | ✅ | — |
| Python 3.11+ | ✅ | Go |
| Extensibility | Rule registry | Custom checks |
kubepolicy is designed to be CI-first and GitHub-native, with a small, focused rule set and minimal dependencies.
Requirements
- Python 3.11+
- Typer, ruamel.yaml, Rich (see pyproject.toml)
Development
See CONTRIBUTING.md for guidelines on contributing to kubepolicy.
Quick start:
# Clone the repository
git clone https://github.com/akintunero/kube-guard.git
cd kube-guard
# Install in development mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests -v
# Run with coverage
pytest tests --cov=kubepolicy --cov-report=html
Project Status
kubepolicy is in active development. We welcome contributions, bug reports, and feature requests!
- 🐛 Found a bug? Open an issue
- 💡 Have a feature idea? Start a discussion
- 🤝 Want to contribute? See CONTRIBUTING.md
Roadmap
- Additional security rules (network policies, RBAC, etc.)
- Custom rule support via plugins
- Integration with other CI/CD platforms (GitLab, Jenkins, etc.)
- Performance optimizations for large codebases
- Rule severity auto-tuning based on context
Changelog
See CHANGELOG.md for a list of changes and version history.
License
MIT License. See LICENSE for details.
Author
Olúmáyòwá Akinkuehinmi
- Email: akintunero101@gmail.com
- GitHub: @akintunero
Acknowledgments
- Inspired by tools like kube-linter and kube-score
- Built with Typer, ruamel.yaml, and Rich
File details
Details for the file kubepolicy-1.0.0.tar.gz.
File metadata
- Download URL: kubepolicy-1.0.0.tar.gz
- Upload date:
- Size: 19.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 645a1c0ecf3a46b4fc53a6f2ddff620faec2ffd3901337c068cb72fdb6431aa4 |
| MD5 | 96c9cfd8a26a7dde4da111bcf73b4c80 |
| BLAKE2b-256 | 95a06a8f9475f567f54e08e1672df3718a22c7a76b0df00771bd00a46204217d |
File details
Details for the file kubepolicy-1.0.0-py3-none-any.whl.
File metadata
- Download URL: kubepolicy-1.0.0-py3-none-any.whl
- Upload date:
- Size: 17.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 142438fbd9a1446f17bbbe2d5e4c67f95e90419a2acaa5191a3fee562cb88a77 |
| MD5 | 2fa3268e089bdb6099b59674e882e38c |
| BLAKE2b-256 | 9a0d937681edd443c30a1482680a0c0a20764ab877c459a11a077d9c10d2ac14 |