macOS
brew install kube-benchlocal Homebrew formula metadata
brew
Checks Kubernetes deployment against security best practices (CIS Benchmark). Version 0.15.6 via Homebrew; verified 2026-06-01.
install
brew install kube-benchlocal Homebrew formula metadata
nix profile install nixpkgs#kube-benchnixpkgs package indexes · pkgs/by-name/ku/kube-bench/package.nix · source: api.github.com
overview
Checks Kubernetes deployment against security best practices (CIS Benchmark)
history
kube-bench is Aqua Security's Kubernetes compliance checker for the CIS Kubernetes Benchmark. It turns benchmark controls into executable YAML-configured tests and reports whether a cluster is deployed according to documented security recommendations.
The aquasecurity/kube-bench repository was created on 2017-06-19, during the period when Kubernetes security hardening was moving from ad hoc guidance into repeatable benchmark checks. The README states that kube-bench implements the CIS Kubernetes Benchmark as closely as possible and asks users to distinguish tool bugs from benchmark issues.
The project architecture deliberately keeps test definitions in YAML files so they can change as benchmark specifications evolve. That design let kube-bench follow new Kubernetes versions, managed-service variants, OpenShift profiles, k3s/RKE/RKE2 profiles, and STIG/hardening-guide sources without rewriting the executable for every control set.
kube-bench became one of the standard open source ways to run CIS checks against Kubernetes. Its README documents multiple execution modes, including running directly on a host, running inside a pod or job, and using Docker images, while package managers such as Homebrew and Nix made the binary available for local installation.
Aqua later connected the same benchmark-checking idea to Trivy and Trivy Operator. The kube-bench README states that both Trivy CLI and Trivy Operator support CIS Kubernetes Benchmark scanning, and Aqua's Starboard/Trivy-era material shows kube-bench checks being pulled into broader cloud-native security workflows.
kube-bench can run as a Kubernetes Job and inspect logs for results, but host-level checks require access to process namespaces and host configuration directories. By default it chooses a test set based on the Kubernetes version, while the documented platform matrix maps CIS, STIG, and hardening-guide sources to kube-bench config names.
For package nerds, kube-bench is the rare CLI where packaging, data files, and compliance semantics are inseparable. Shipping the right binary is not enough; the package also needs the benchmark configuration tree that maps security-control documents to concrete filesystem, API, and process checks.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
/opt/kube-bench/cfg/config.yamlCredential-bearing paths to review before unattended agent runs.
$KUBECONFIG~/.kube/configexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
kube-bench | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/aquasecurity/kube-bench
install metadata
| Package key | brew:kube-bench |
|---|---|
| Version | 0.15.6 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/kube-bench |
| Homepage | https://github.com/aquasecurity/kube-bench |
| Repository | https://github.com/aquasecurity/kube-bench |
| Upstream docs | https://github.com/aquasecurity/kube-bench#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/aquasecurity/kube-bench/archive/refs/tags/v0.15.6.tar.gz |
| Last updated | 2026-06-01T13:24:24Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | kube-bench |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
kube-bench
nix profile install nixpkgs#kube-benchsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.