skill request: Kubernetes security — kubesec, kube-bench, Falco #16

@skyopsai

Summary

The repository has strong container security coverage (Grype, Hadolint, Trivy) but no Kubernetes-specific skills. Kubernetes is the dominant container orchestration platform and introduces a distinct threat surface not covered by image scanning alone: misconfigured RBAC, insecure pod specs, privileged containers, network policy gaps, and runtime anomalies.

Requested Skills

1. devsecops/k8s-kubesec

Tool: kubesec
Purpose: Static risk analysis of Kubernetes manifest files (Deployments, Pods, DaemonSets)

Key capabilities to cover:

  • Score manifests against security controls (securityContext, capabilities, hostPID/hostNetwork)
  • Integrate into CI to block manifests with score below threshold
  • Map findings to CIS Kubernetes Benchmark and NSA/CISA K8s Hardening Guide

2. devsecops/k8s-kube-bench

Tool: kube-bench
Purpose: CIS Kubernetes Benchmark compliance checks run against live cluster nodes

Key capabilities to cover:

  • Run node, master, etcd, and control plane checks
  • Produce JSON/JUnit output for DefectDojo import (pairs with vuln-defectdojo)
  • Map to CIS Benchmark sections and NIST SP 800-190

3. devsecops/k8s-falco

Tool: Falco
Purpose: Runtime security — detects anomalous behavior in containers and K8s pods using eBPF

Key capabilities to cover:

  • Write Falco rules for common K8s attack techniques (MITRE ATT&CK: T1610, T1611, T1612)
  • Alert on shell spawned in container, unexpected network connections, privilege escalation
  • Route alerts to Slack/PagerDuty/SIEM

Frameworks to Map

  • CIS Kubernetes Benchmark v1.8
  • NSA/CISA Kubernetes Hardening Guide
  • MITRE ATT&CK for Containers
  • NIST SP 800-190 (Application Container Security)

Why Now

  • K8s is the deployment target for the majority of cloud-native applications
  • Existing container-grype and container-hadolint skills cover build-time, leaving runtime and config gaps
  • devsecops category currently has no K8s-specific skills
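Added example, not part of this issue or of any skill in the repository: a stand-alone Python scorer that applies the pod-spec controls named under devsecops/k8s-kubesec (securityContext, capabilities, hostPID/hostNetwork) and enforces a CI threshold the way the request describes. The check ids and point weights are hypothetical, loosely modelled on kubesec's critical/advise scheme; the two manifests are constructed, trimmed to the fields the scorer reads, and written as JSON-form dicts so the script needs only the standard library. Real kubesec is run with `kubesec scan manifest.yaml`; this script only illustrates the scoring and gating logic.

```python
"""Minimal kubesec-style static scorer for pod specs (added example, not project code)."""
import json
import sys


def pod_spec(manifest):
    """Return the PodSpec embedded in the common workload kinds."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def container_sc(container):
    return container.get("securityContext") or {}


def pod_or_container_sc(spec, container, key):
    """Fields valid at both levels (runAsNonRoot, seccompProfile): container wins."""
    csc = container_sc(container)
    if key in csc:
        return csc[key]
    return (spec.get("securityContext") or {}).get(key)


def caps(container, verb):
    return (container_sc(container).get("capabilities") or {}).get(verb) or []


def limits(container):
    return (container.get("resources") or {}).get("limits") or {}


# (check id, points, predicate). Negative points mark a critical finding.
# Ids and weights are hypothetical, loosely modelled on kubesec's scheme (assumption).
POD_CHECKS = [
    ("HostPID", -9, lambda s: s.get("hostPID") is True),
    ("HostNetwork", -9, lambda s: s.get("hostNetwork") is True),
    ("HostIPC", -9, lambda s: s.get("hostIPC") is True),
    ("SATokenNotAutomounted", 1, lambda s: s.get("automountServiceAccountToken") is False),
]
CONTAINER_CHECKS = [
    ("Privileged", -30, lambda s, c: container_sc(c).get("privileged") is True),
    ("CapSysAdmin", -30, lambda s, c: "SYS_ADMIN" in caps(c, "add")),
    ("RunAsNonRoot", 1, lambda s, c: pod_or_container_sc(s, c, "runAsNonRoot") is True),
    ("ReadOnlyRootFilesystem", 1, lambda s, c: container_sc(c).get("readOnlyRootFilesystem") is True),
    ("NoPrivilegeEscalation", 1, lambda s, c: container_sc(c).get("allowPrivilegeEscalation") is False),
    ("CapDropAll", 1, lambda s, c: "ALL" in caps(c, "drop")),
    ("SeccompRuntimeDefault", 1,
     lambda s, c: (pod_or_container_sc(s, c, "seccompProfile") or {}).get("type") == "RuntimeDefault"),
    ("CpuLimit", 1, lambda s, c: "cpu" in limits(c)),
    ("MemoryLimit", 1, lambda s, c: "memory" in limits(c)),
]


def score_manifest(manifest):
    """Score one manifest; initContainers are checked like regular containers."""
    spec = pod_spec(manifest)
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    result = {"object": f"{manifest['kind']}/{manifest['metadata']['name']}",
              "score": 0, "critical": [], "passed": []}

    def record(cid, pts):
        result["score"] += pts
        result["critical" if pts < 0 else "passed"].append(cid)

    for cid, pts, pred in POD_CHECKS:
        if pred(spec):
            record(cid, pts)
    for c in containers:
        for cid, pts, pred in CONTAINER_CHECKS:
            if pred(spec, c):
                record(f"{c['name']}:{cid}", pts)
    return result


def gate(manifest, threshold):
    """CI gate: any critical finding fails, as does a total score below threshold."""
    r = score_manifest(manifest)
    return not r["critical"] and r["score"] >= threshold


# Constructed sample manifests (JSON form, which Kubernetes also accepts), not real workloads.
INSECURE = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "debug-agent"},
            "spec": {"template": {"spec": {"hostPID": True, "hostNetwork": True, "containers": [
                {"name": "agent", "image": "example/agent:1",
                 "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"template": {"spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{"name": "web", "image": "example/web:1",
                                "securityContext": {"readOnlyRootFilesystem": True,
                                                    "allowPrivilegeEscalation": False,
                                                    "capabilities": {"drop": ["ALL"]}},
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    # usage: python k8s_gate.py THRESHOLD manifest.json [...]; exits 1 if any manifest fails the gate
    threshold, ok = int(sys.argv[1]), True
    for path in sys.argv[2:]:
        with open(path) as fh:
            manifest = json.load(fh)
        print(json.dumps(score_manifest(manifest)))
        ok = ok and gate(manifest, threshold)
    sys.exit(0 if ok else 1)
```

The insecure manifest fails on four critical findings (hostPID, hostNetwork, a privileged container and CAP_SYS_ADMIN) for a score of -78, so no threshold rescues it; the hardened one scores 8 with nothing critical, so a pipeline gate of, say, 5 passes. A critical finding failing the gate regardless of score is deliberate: advisory credits such as resource limits must not be able to offset a privileged container.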
