Automic VaultAutomic Vault

brew

Install kube-bench with Homebrew, Nix

Checks Kubernetes deployment against security best practices (CIS Benchmark). Version 0.15.6 via Homebrew; verified 2026-06-01.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install kube-bench

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#kube-bench

nixpkgs package indexes · pkgs/by-name/ku/kube-bench/package.nix · source: api.github.com

overview

Package summary

Checks Kubernetes deployment against security best practices (CIS Benchmark)

Commands and aliases

  • kube-bench

history

Project history and usage

kube-bench is Aqua Security's Kubernetes compliance checker for the CIS Kubernetes Benchmark. It turns benchmark controls into executable YAML-configured tests and reports whether a cluster is deployed according to documented security recommendations.

Project history

The aquasecurity/kube-bench repository was created on 2017-06-19, during the period when Kubernetes security hardening was moving from ad hoc guidance into repeatable benchmark checks. The README states that kube-bench implements the CIS Kubernetes Benchmark as closely as possible and asks users to distinguish tool bugs from benchmark issues.

The project architecture deliberately keeps test definitions in YAML files so they can change as benchmark specifications evolve. That design let kube-bench follow new Kubernetes versions, managed-service variants, OpenShift profiles, k3s/RKE/RKE2 profiles, and STIG/hardening-guide sources without rewriting the executable for every control set.

Adoption history

kube-bench became one of the standard open source ways to run CIS checks against Kubernetes. Its README documents multiple execution modes, including running directly on a host, running inside a pod or job, and using Docker images, while package managers such as Homebrew and Nix made the binary available for local installation.

Aqua later connected the same benchmark-checking idea to Trivy and Trivy Operator. The kube-bench README states that both Trivy CLI and Trivy Operator support CIS Kubernetes Benchmark scanning, and Aqua's Starboard/Trivy-era material shows kube-bench checks being pulled into broader cloud-native security workflows.

How it is used

kube-bench can run as a Kubernetes Job and inspect logs for results, but host-level checks require access to process namespaces and host configuration directories. By default it chooses a test set based on the Kubernetes version, while the documented platform matrix maps CIS, STIG, and hardening-guide sources to kube-bench config names.

Why package nerds care

For package nerds, kube-bench is the rare CLI where packaging, data files, and compliance semantics are inseparable. Shipping the right binary is not enough; the package also needs the benchmark configuration tree that maps security-control documents to concrete filesystem, API, and process checks.

Timeline

  • 2017-06-19: aquasecurity/kube-bench repository created on GitHub.
  • 2022-10-16: kube-bench v0.6.10 announcement listed EKS Benchmark v1.1.0 and k3s CIS-1.6 support.
  • 2023-04-29: Aqua announced Kubernetes CIS benchmark scanning availability in Trivy in a kube-bench GitHub discussion.
  • 2025-2026: kube-bench docs mapped CIS Kubernetes Benchmark configs through 1.12, plus GKE, EKS, AKS, ACK, OpenShift, k3s, RKE, RKE2, TKGI, and STIG profiles.

Related projects

  • kube-bench is related to the CIS Kubernetes Benchmark, CIS Workbench, Aqua Trivy, Trivy Operator, Starboard Operator, Kubernetes hardening guides, managed Kubernetes service benchmarks, and OpenShift security baselines.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:kubernetes

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
/opt/kube-bench/cfg/config.yaml

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
$KUBECONFIG~/.kube/config

executables

Installed executables

CommandKindExposureNote
kube-benchcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.15.6
manager updated2026-06-01
local dataok
upstreamcurrent
latest detectedv0.15.6

https://github.com/aquasecurity/kube-bench

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:kube-bench
Version0.15.6
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/kube-bench
Homepagehttps://github.com/aquasecurity/kube-bench
Repositoryhttps://github.com/aquasecurity/kube-bench
Upstream docshttps://github.com/aquasecurity/kube-bench#readme
LicenseApache-2.0
Source archivehttps://github.com/aquasecurity/kube-bench/archive/refs/tags/v0.15.6.tar.gz
Last updated2026-06-01T13:24:24Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namekube-bench
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

kube-bench

nix profile install nixpkgs#kube-bench
  • normalized package name match
  • Matched by: Kube Bench
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ku/kube-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment