# Install kube-bench with Homebrew, Nix

Checks Kubernetes deployment against security best practices (CIS Benchmark). Version 0.15.6 via Homebrew; verified 2026-06-01.

## Install

```sh
sudo av install brew:kube-bench
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install kube-bench
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#kube-bench
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ku/kube-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:kube-bench
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/kube-bench>
- **Version:** 0.15.6
- **Source summary:** Checks Kubernetes deployment against security best practices (CIS Benchmark)
- **Homepage:** <https://github.com/aquasecurity/kube-bench>
- **Repository:** <https://github.com/aquasecurity/kube-bench>
- **Upstream docs:** <https://github.com/aquasecurity/kube-bench#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/aquasecurity/kube-bench/archive/refs/tags/v0.15.6.tar.gz>
- **Last updated:** 2026-06-01T13:24:24Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- kube-bench (cli)
- kube-bench (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.15.6
- Package-manager updated: 2026-06-01
- Local data: ok
- Upstream repository: https://github.com/aquasecurity/kube-bench
- Upstream latest detected: v0.15.6 (current)
## Project history and usage

kube-bench is Aqua Security's Kubernetes compliance checker for the CIS Kubernetes Benchmark. It turns benchmark controls into executable YAML-configured tests and reports whether a cluster is deployed according to documented security recommendations.

### Project history

The aquasecurity/kube-bench repository was created on 2017-06-19, during the period when Kubernetes security hardening was moving from ad hoc guidance into repeatable benchmark checks. The README states that kube-bench implements the CIS Kubernetes Benchmark as closely as possible and asks users to distinguish tool bugs from benchmark issues.

The project architecture deliberately keeps test definitions in YAML files so they can change as benchmark specifications evolve. That design let kube-bench follow new Kubernetes versions, managed-service variants, OpenShift profiles, k3s/RKE/RKE2 profiles, and STIG/hardening-guide sources without rewriting the executable for every control set.

### Adoption history

kube-bench became one of the standard open source ways to run CIS checks against Kubernetes. Its README documents multiple execution modes, including running directly on a host, running inside a pod or job, and using Docker images, while package managers such as Homebrew and Nix made the binary available for local installation.

Aqua later connected the same benchmark-checking idea to Trivy and Trivy Operator. The kube-bench README states that both Trivy CLI and Trivy Operator support CIS Kubernetes Benchmark scanning, and Aqua's Starboard/Trivy-era material shows kube-bench checks being pulled into broader cloud-native security workflows.

### How it is used

kube-bench can run as a Kubernetes Job and inspect logs for results, but host-level checks require access to process namespaces and host configuration directories. By default it chooses a test set based on the Kubernetes version, while the documented platform matrix maps CIS, STIG, and hardening-guide sources to kube-bench config names.

### Why package nerds care

For package nerds, kube-bench is the rare CLI where packaging, data files, and compliance semantics are inseparable. Shipping the right binary is not enough; the package also needs the benchmark configuration tree that maps security-control documents to concrete filesystem, API, and process checks.

### Timeline

- 2017-06-19: aquasecurity/kube-bench repository created on GitHub.
- 2022-10-16: kube-bench v0.6.10 announcement listed EKS Benchmark v1.1.0 and k3s CIS-1.6 support.
- 2023-04-29: Aqua announced Kubernetes CIS benchmark scanning availability in Trivy in a kube-bench GitHub discussion.
- 2025-2026: kube-bench docs mapped CIS Kubernetes Benchmark configs through 1.12, plus GKE, EKS, AKS, ACK, OpenShift, k3s, RKE, RKE2, TKGI, and STIG profiles.

### Related projects

- kube-bench is related to the CIS Kubernetes Benchmark, CIS Workbench, Aqua Trivy, Trivy Operator, Starboard Operator, Kubernetes hardening guides, managed Kubernetes service benchmarks, and OpenShift security baselines.

### Sources

- <https://api.github.com/repos/aquasecurity/kube-bench>
- <https://github.com/aquasecurity/kube-bench>
- <https://github.com/aquasecurity/kube-bench/discussions/1307>
- <https://github.com/aquasecurity/kube-bench/discussions/1432>
- <https://raw.githubusercontent.com/aquasecurity/kube-bench/main/README.md>
- <https://raw.githubusercontent.com/aquasecurity/kube-bench/main/docs/platforms.md>
- <https://www.aquasec.com/blog/automate-kubernetes-compliance/>
- <https://www.cisecurity.org/benchmark/kubernetes/>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /opt/kube-bench/cfg/config.yaml

## Credential files

- Unix: $KUBECONFIG, ~/.kube/config
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** kube-bench
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - kube-bench: normalized package name match | nixpkgs package indexes: pkgs/by-name/ku/kube-bench/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [kubescape](https://www.automicvault.com/pkg/brew/kubescape/) - Shares av.db curated category or tags: cli, compliance, kubernetes, security.
- [gator](https://www.automicvault.com/pkg/brew/gator/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kubehound](https://www.automicvault.com/pkg/brew/kubehound/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Shares av.db curated category or tags: cli, compliance, kubernetes, security.
- [ksops](https://www.automicvault.com/pkg/brew/ksops/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kubeseal](https://www.automicvault.com/pkg/brew/kubeseal/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [saf-cli](https://www.automicvault.com/pkg/brew/saf-cli/) - Shares av.db curated category or tags: cli, compliance, security.
- [terrascan](https://www.automicvault.com/pkg/brew/terrascan/) - Shares av.db curated category or tags: cli, compliance, kubernetes, security.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Security-sensitive metadata or terminology overlaps. Shared terms: bench, benchmark, cis, cis-benchmark, cli.
- [terraform-iam-policy-validator](https://www.automicvault.com/pkg/brew/terraform-iam-policy-validator/) - Security-sensitive metadata or terminology overlaps. Shared terms: best, cli, compliance, practices, security.

## Combined YAML source

View the package source record on GitHub. [combined/kube-bench.yml](https://github.com/automic-vault/db/blob/main/combined/kube-bench.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
