
kube-bench

Category: IaC Security
License: Free (Open-Source, Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 12, 2026

kube-bench is an open-source security auditing tool by Aqua Security that checks Kubernetes clusters against CIS Benchmarks. Written in Go with 7.9k GitHub stars and 172 contributors, it automates the configuration security checks that would otherwise require manual inspection of every cluster component.

[Figure: kube-bench scan results showing CIS Benchmark pass/fail output with remediation guidance]

The latest release is v0.14.1 (December 2025). kube-bench integrates with Trivy and the Trivy Operator for broader cloud-native security scanning.

What is kube-bench?

kube-bench runs tests defined in YAML files that correspond to specific CIS Benchmark versions. Each test specifies commands to run, expected outputs, and remediation steps for failures. The YAML structure makes updates straightforward as benchmark standards evolve.

You can run kube-bench as a standalone binary on nodes, as a Kubernetes Job for in-cluster execution, or through the aquasec/kube-bench container image. Cloud-specific Job manifests are included for EKS, AKS, and GKE.

Checks cover API server configuration, etcd security, kubelet settings, RBAC policies, pod security standards, and network policies across both control plane and worker nodes.

CIS Automation: automatically executes hundreds of CIS Benchmark checks that would take hours to perform manually, giving immediate security posture visibility.
Distribution Support: includes test configurations for multiple Kubernetes distributions, including vanilla, EKS, GKE, AKS, and OpenShift.
Actionable Remediation: each failed check includes specific remediation guidance explaining how to fix the configuration issue.

Key Features

Benchmark standard: CIS Kubernetes Benchmark (multiple versions)
Execution modes: standalone binary, Kubernetes Job, container image (aquasec/kube-bench)
Cloud distributions: EKS, GKE, AKS, OpenShift, vanilla Kubernetes
Output formats: text, JSON, JUnit XML
Check domains: API server, etcd, kubelet, RBAC, pod security, network policies
Test definitions: YAML-based, version-specific, customizable
Language: Go (96% of codebase)
License: Apache 2.0

Version-Specific Tests

kube-bench maintains test configurations for different Kubernetes and CIS Benchmark versions. The tool detects the Kubernetes version (via kubectl or the kubelet) and maps it to a benchmark version using the version_mapping table in cfg/config.yaml, so checks match the actual cluster. When detection fails, or a cluster needs a specific benchmark, --version overrides the detected Kubernetes version and --benchmark selects a benchmark directly (for example --benchmark cis-1.8).

Execution Modes

Run kube-bench as a binary directly on a node, as a Kubernetes Job for in-cluster execution, or via the aquasec/kube-bench container image. In Job mode a pod is scheduled onto a node and audits that node only: job-master.yaml and job-node.yaml pin the pod to a control plane or worker node, and there is no built-in cross-node aggregation, so run one Job per node (or node type) you want covered and collect each pod's logs. Cloud-specific Job manifests (job-eks.yaml, job-aks.yaml, job-gke.yaml) handle provider differences.

Output and Integration

Results export in text, JSON, or JUnit XML (--json, --junit), and --outputfile writes them to a file instead of stdout. JSON output works with security dashboards and SIEM systems; on AWS, --asff publishes findings to AWS Security Hub. JUnit format plugs into CI/CD pipelines that expect test-style reporting. kube-bench integrates with Trivy and the Trivy Operator for combined vulnerability and compliance scanning.

Benchmark execution workflow

kube-bench determines the Kubernetes version running on the target node and selects matching test definitions. For each check it runs the audit command defined in the test YAML (typically listing a component's process command line with ps, reading a configuration file, or stat-ing file permissions and ownership), extracts the flag or value of interest, and compares it against the expected value using the check's compare operator (eq, noteq, has, nothave, gt/gte/lt/lte, regex, and similar). Audit commands rely on the binary names and configuration paths declared in cfg/config.yaml, which you can adjust (or point --config-dir at your own copy) for distributions that install components elsewhere.

Tests are organized into numbered sections matching the CIS Benchmark structure. Section 1 covers control plane components (API server, controller manager, scheduler, and the permissions of their manifest files), section 2 covers etcd, section 3 covers control plane configuration (authentication and audit logging), section 4 covers worker nodes (the kubelet and its configuration files), and section 5 covers policies (RBAC, pod security, network policies, secrets). Each automated check has pass/fail criteria; section 5 is largely manual, and manual checks are reported as WARN for a human to decide.

When a test fails, kube-bench includes remediation instructions in the output. These instructions specify exactly what configuration changes are needed, such as adding a specific API server flag or modifying file permissions. This guidance accelerates remediation by eliminating guesswork.
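The evaluation described above, and the YAML check structure from "What is kube-bench?", as one added example: a miniature evaluator written for this page (not kube-bench's own code) that takes a check definition mirroring the kube-bench YAML layout (id, text, audit, tests/test_items with flag/set/compare, remediation) as a Python dict, runs it against a constructed `ps -ef` line standing in for the audit output, and reports PASS/FAIL with the remediation text on failure. The check definitions and process lines are constructed for illustration.

```python
"""Added example: a miniature evaluator for kube-bench-style check definitions.

Illustrative code for this page, not kube-bench's implementation. The checks
mirror the structure of a kube-bench control YAML entry as Python dicts, and
the audit output is a constructed `ps -ef` line, so everything runs offline.
"""
import re
import shlex

# Constructed check: the flag must be present and equal to "false".
CHECK = {
    "id": "1.2.1",
    "text": "Ensure that the --anonymous-auth argument is set to false",
    "audit": "/bin/ps -ef | grep kube-apiserver | grep -v grep",
    "tests": {
        "bin_op": "and",
        "test_items": [
            {"flag": "--anonymous-auth", "set": True,
             "compare": {"op": "eq", "value": "false"}},
        ],
    },
    "remediation": "Set --anonymous-auth=false in the kube-apiserver manifest.",
}

# Constructed check: the flag must be absent (set: false).
CHECK_ABSENT = {
    "id": "1.2.2",
    "text": "Ensure that the --token-auth-file parameter is not set",
    "audit": "/bin/ps -ef | grep kube-apiserver | grep -v grep",
    "tests": {"test_items": [{"flag": "--token-auth-file", "set": False}]},
    "remediation": "Remove --token-auth-file from the kube-apiserver manifest.",
}

# Constructed audit outputs (what the audit command would print on a node).
PS_LINE_BAD = "root 1 0 0 10:00 ? 00:00:05 kube-apiserver --anonymous-auth=true --authorization-mode=Node,RBAC"
PS_LINE_GOOD = "root 1 0 0 10:00 ? 00:00:05 kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC"
PS_LINE_MISSING = "root 1 0 0 10:00 ? 00:00:05 kube-apiserver --authorization-mode=Node,RBAC"


def extract_flag(output, flag):
    """Return (present, value) for `--flag=value` or `--flag value` in the audit output."""
    tokens = shlex.split(output)
    for i, tok in enumerate(tokens):
        if tok == flag:
            # Bare flag: the value is the next token unless that is another flag.
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            return True, ("" if nxt.startswith("--") else nxt)
        if tok.startswith(flag + "="):
            return True, tok[len(flag) + 1:]
    return False, ""


def compare(op, actual, expected):
    """Subset of kube-bench's compare operators (has/nothave are substring tests)."""
    if op == "eq":
        return actual == expected
    if op == "noteq":
        return actual != expected
    if op == "has":
        return expected in actual
    if op == "nothave":
        return expected not in actual
    if op == "regex":
        return re.search(expected, actual) is not None
    if op in ("gt", "gte", "lt", "lte"):
        a, e = int(actual), int(expected)
        return {"gt": a > e, "gte": a >= e, "lt": a < e, "lte": a <= e}[op]
    raise ValueError(f"unsupported op {op}")


def eval_item(item, output):
    """Evaluate one test_item: presence/absence of the flag, then the compare clause."""
    present, value = extract_flag(output, item["flag"])
    if not item.get("set", True):
        return not present          # passes only when the flag is absent
    if not present:
        return False
    cmp_ = item.get("compare")
    return True if cmp_ is None else compare(cmp_["op"], value, str(cmp_["value"]))


def run_check(check, output):
    """Combine test_items with bin_op (and/or) into a PASS/FAIL result with remediation."""
    tests = check["tests"]
    results = [eval_item(it, output) for it in tests["test_items"]]
    ok = all(results) if tests.get("bin_op", "and") == "and" else any(results)
    return {"id": check["id"], "status": "PASS" if ok else "FAIL",
            "remediation": "" if ok else check["remediation"]}


if __name__ == "__main__":
    for check in (CHECK, CHECK_ABSENT):
        for line in (PS_LINE_BAD, PS_LINE_GOOD, PS_LINE_MISSING):
            r = run_check(check, line)
            print(f"[{r['status']}] {check['id']} {check['text']}")
            if r["remediation"]:
                print("    remediation:", r["remediation"])
```

Note how extract_flag only knows the token layout of a process command line; this is also why a distribution that passes settings through a kubelet config file or a differently named binary trips checks that assume the default paths in cfg/config.yaml.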

The tool supports running a subset of the benchmark: kube-bench run --targets master,node,etcd,policies limits the audit to the listed node types, and --check 1.2.1,1.2.2 (short form -c) runs only the named controls. This is useful when focusing on particular security domains or when time constraints prevent complete audits.

Getting Started

1
Deploy as a Kubernetes Job — Apply the appropriate Job manifest for your cluster type: job.yaml for standard clusters, job-eks.yaml for EKS, job-aks.yaml for AKS, or job-gke.yaml for GKE.
2
Check results — View output with kubectl logs kube-bench-<pod-id> (or kubectl logs job/kube-bench once the Job has completed). Results show pass/fail status for each CIS check with remediation instructions for failures; manual checks are reported as WARN and need a human decision.
3
Export results — Add --json or --junit to the container's command in the Job manifest for structured output (the logs then contain only the report). Pipe JSON results to security dashboards or SIEM systems.
4
Remediate failures — Each failed check includes specific remediation guidance explaining the required configuration change, like adding an API server flag or modifying file permissions.
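Steps 2 to 4 as one worked example: a CI gate, written for this page rather than taken from kube-bench, that reads a --json report, lists every FAIL (and optionally WARN) with its remediation, honours an allowlist of accepted exceptions, and returns the exit code a pipeline should use. The embedded report is a constructed sample that follows the Controls/tests/results and Totals layout of kube-bench's JSON output as this example assumes it (field names test_number, test_desc, status, scored, remediation); confirm them against a real report before wiring this into a pipeline.

```python
"""Added example: a CI gate over kube-bench --json output.

Illustrative code for this page, not part of kube-bench. SAMPLE_REPORT is a
constructed report following the JSON layout this example assumes kube-bench
emits (Controls -> tests -> results, plus Totals); verify against a real run.
"""
import json
import sys

# Constructed sample: one failing automated check, one passing, one manual WARN.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1", "version": "cis-1.8",
        "text": "Control Plane Security Configuration", "node_type": "master",
        "tests": [{
            "section": "1.2", "desc": "API Server",
            "pass": 1, "fail": 1, "warn": 1, "info": 0,
            "results": [
                {"test_number": "1.2.1",
                 "test_desc": "Ensure that the --anonymous-auth argument is set to false (Automated)",
                 "status": "FAIL", "scored": True,
                 "remediation": "Edit the API server pod specification file and set\n--anonymous-auth=false"},
                {"test_number": "1.2.2",
                 "test_desc": "Ensure that the --token-auth-file parameter is not set (Automated)",
                 "status": "PASS", "scored": True, "remediation": ""},
                {"test_number": "1.2.10",
                 "test_desc": "Ensure that the admission control plugin EventRateLimit is set (Manual)",
                 "status": "WARN", "scored": False,
                 "remediation": "Follow the Kubernetes documentation and set the desired limits."},
            ],
        }],
    }],
    "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0},
})


def failed_checks(report_json, include_warn=False, allowlist=()):
    """Flatten the report into the findings that should block a pipeline.

    allowlist holds check numbers (e.g. "1.2.10") that are accepted exceptions;
    include_warn=True also treats manual WARN results as blocking.
    """
    report = json.loads(report_json)
    blocking = {"FAIL", "WARN"} if include_warn else {"FAIL"}
    findings = []
    for control in report.get("Controls", []):
        for group in control.get("tests", []):
            for r in group.get("results", []):
                if r["status"] in blocking and r["test_number"] not in allowlist:
                    findings.append({
                        "id": r["test_number"],
                        "node_type": control.get("node_type", ""),
                        "desc": r["test_desc"],
                        "status": r["status"],
                        "remediation": r.get("remediation", "").strip(),
                    })
    return findings


def gate(report_json, include_warn=False, allowlist=()):
    """Print blocking findings with remediation; return 0 if clean, 1 otherwise."""
    findings = failed_checks(report_json, include_warn, allowlist)
    for f in findings:
        print(f"[{f['status']}] {f['id']} ({f['node_type']}) {f['desc']}")
        if f["remediation"]:
            print("    remediation:", f["remediation"].splitlines()[0])
    totals = json.loads(report_json).get("Totals", {})
    print(f"pass={totals.get('total_pass', 0)} fail={totals.get('total_fail', 0)} "
          f"warn={totals.get('total_warn', 0)} blocking={len(findings)}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage with a Job whose command includes --json:
    #   kubectl logs job/kube-bench | python3 gate.py [--strict]
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(data, include_warn="--strict" in sys.argv))
```

Keep the allowlist in version control next to the Job manifest, with a comment per entry explaining why the check is accepted, so an exception is a reviewed decision rather than a silent suppression.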

When to Use kube-bench

Strengths:

  • Automates tedious manual CIS Benchmark compliance checks
  • Well-maintained by Aqua Security with active development
  • Comprehensive coverage of Kubernetes security domains
  • Clear remediation guidance for failed checks
  • Supports major Kubernetes distributions and cloud providers
  • Integrates easily into security workflows and CI/CD pipelines

Limitations:

  • Point-in-time checks don’t detect configuration drift after execution
  • Some checks require root access or privileged containers
  • Managed Kubernetes services may restrict access to control plane components
  • Does not validate runtime behavior (only configuration)
  • False positives possible in custom or heavily modified distributions, because audit commands assume the default binary names and configuration paths in cfg/config.yaml; adjust that file before acting on failures from such clusters
Best for
Security teams and platform engineers who need to verify Kubernetes clusters meet CIS security standards. Essential for compliance audits, security assessments, and establishing baseline security posture before production deployment.

kube-bench complements other IaC security tools by focusing specifically on cluster configuration hardening. While tools like Kyverno and OPA Gatekeeper enforce policies on workloads, kube-bench audits the cluster infrastructure itself. Combining kube-bench configuration audits with runtime security from Falco and admission control policies provides comprehensive Kubernetes security coverage.

Frequently Asked Questions

What is kube-bench?
kube-bench is an open-source Go application developed by Aqua Security that checks whether Kubernetes clusters are deployed securely according to the CIS Kubernetes Benchmark. It automates the manual checks documented in the CIS standards and provides actionable remediation guidance.
What are CIS Benchmarks?
CIS (Center for Internet Security) Benchmarks are consensus-driven security configuration guidelines developed by cybersecurity experts. The Kubernetes benchmark defines best practices for securing control plane components, worker nodes, RBAC, and network policies.
How often should kube-bench be run?
Run kube-bench after initial cluster setup, after upgrades, and periodically as part of security audits. Many organizations run it weekly or monthly to detect configuration drift. Integrating it into CI/CD pipelines ensures new clusters meet security standards before production deployment.
Does kube-bench work with managed Kubernetes services?
Yes, kube-bench supports major managed services including EKS, GKE, and AKS. However, some control plane checks may not apply or be accessible in managed environments where the cloud provider manages control plane components.
