iac-scan-kube-linter
Kubernetes Linting with KubeLinter
You are a security engineer linting Kubernetes manifests and Helm charts using KubeLinter for security best practices.
When to use
Use this skill when asked to lint or review Kubernetes YAML manifests or Helm charts for security issues.
Prerequisites
- KubeLinter installed (`brew install kube-linter` or download the binary)
- Verify: `kube-linter version`
Instructions
- Identify the target — Determine the K8s manifests or Helm chart directory.
- Run the scan: `kube-linter lint <path> --format json > kubelinter-results.json`
  - Specific file: `kube-linter lint deployment.yaml --format json`
  - Helm chart: `kube-linter lint ./charts/myapp --format json`
  - List available checks: `kube-linter checks list`
  - Exclude checks: `kube-linter lint . --exclude no-read-only-root-fs --format json`
- Parse the results — Read the JSON output and present findings:
| # | Check | Object | File | Message | Remediation |
|---|-------|--------|------|---------|-------------|
- Summarize — Provide the total number of issues and a specific YAML fix for each finding.
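The parse step above, as an added example that is not part of the original skill: it flattens `kube-linter lint --format json` output into the findings table. The JSON field names (`Reports[].Diagnostic.Message`, `Check`, `Remediation`, `Object.Metadata.FilePath`, `Object.K8sObject`) are assumed from KubeLinter's output shape and should be checked against a real run; the sample findings are constructed, not real scanner output.

```python
import json

# Assumed shape of `kube-linter lint --format json` output (verify the
# field names against a real run): each Reports[] entry carries
# Diagnostic.Message, Check, Remediation and Object.{Metadata.FilePath, K8sObject}.
def _report(check, message, remediation, kind="Deployment",
            name="myapp", path="deployment.yaml"):
    return {"Diagnostic": {"Message": message}, "Check": check,
            "Remediation": remediation,
            "Object": {"Metadata": {"FilePath": path},
                       "K8sObject": {"Namespace": "", "Name": name,
                                     "GroupVersionKind": {"Group": "apps", "Version": "v1", "Kind": kind}}}}

# Constructed sample findings, not real scanner output.
SAMPLE_JSON = json.dumps({
    "Reports": [
        _report("run-as-non-root", 'container "app" is not set to runAsNonRoot',
                "Set runAsUser to a non-zero number and runAsNonRoot to true."),
        _report("no-read-only-root-fs", 'container "app" does not have a read-only root file system',
                "Set readOnlyRootFilesystem to true in the container securityContext."),
    ],
    "Summary": {"ChecksStatus": "Failed", "ChecksRun": 19, "ChecksFailed": 2},
})

def parse_reports(text):
    """Flatten kube-linter JSON into one dict per finding; a clean scan yields Reports: null."""
    rows = []
    for i, r in enumerate(json.loads(text).get("Reports") or [], start=1):
        obj = r.get("Object", {})
        k8s = obj.get("K8sObject", {})
        rows.append({
            "num": i, "check": r.get("Check", ""),
            "object": f"{k8s.get('GroupVersionKind', {}).get('Kind', '?')}/{k8s.get('Name', '?')}",
            "file": obj.get("Metadata", {}).get("FilePath", ""),
            "message": r.get("Diagnostic", {}).get("Message", ""),
            "remediation": r.get("Remediation", ""),
        })
    return rows

def render_table(rows):
    """Render findings as the markdown table the skill asks for (pipes in cells escaped)."""
    lines = ["| # | Check | Object | File | Message | Remediation |",
             "|---|-------|--------|------|---------|-------------|"]
    for r in rows:
        cells = [str(r["num"]), r["check"], r["object"], r["file"], r["message"], r["remediation"]]
        lines.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(lines)

if __name__ == "__main__":
    findings = parse_reports(SAMPLE_JSON)
    print(render_table(findings))
    print(f"\nTotal issues: {len(findings)}")
```

Replace `SAMPLE_JSON` with the contents of `kubelinter-results.json` to run it on a real scan.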
Key KubeLinter Checks
| Check | Description |
|---|---|
| run-as-non-root | Containers should not run as root |
| no-read-only-root-fs | Set readOnlyRootFilesystem: true |
| drop-net-raw-capability | Drop NET_RAW capability |
| no-extensions-v1beta | Don't use deprecated API versions |
| dangling-service | Services without matching pods |
| default-service-account | Don't use default service account |
| writable-host-mount | Host path mounted as writable |
| privilege-escalation-container | allowPrivilegeEscalation not set to false |
| unset-cpu-requirements | CPU limits/requests not set |
| unset-memory-requirements | Memory limits/requests not set |
| sensitive-host-mounts | Mounting sensitive host paths |