Kube ShipGuard is an open-source Kubernetes release-readiness scanner for platform and DevOps teams. It checks rendered manifests before deployment and blocks risky workloads in CI.
The scanner focuses on production signals that reviewers usually look for manually: probes, resources, non-root containers, read-only filesystems, image tags, PodDisruptionBudgets, NetworkPolicies, and risky Secret/ConfigMap patterns.
Kubernetes manifests often pass syntax validation while still being unsafe to ship. Kube ShipGuard adds a release gate that answers a more useful question:
Is this workload ready to survive production traffic, disruption, and security review?
- Scans plain Kubernetes YAML and multi-document files.
- Supports `Deployment`, `StatefulSet`, `DaemonSet`, `Pod`, `Service`, `Secret`, `ConfigMap`, `PodDisruptionBudget`, and `NetworkPolicy`.
- Detects missing probes, missing resource requests/limits, unsafe security contexts, mutable image tags, single-replica workloads, missing PDBs, and missing NetworkPolicies.
- Emits text, JSON, and SARIF output.
- Includes an interactive terminal review mode for local manifest reviews.
- Supports release verdicts with risk scoring: `SHIP`, `REVIEW`, or `BLOCK`.
- Supports diff-aware PR scanning with `--changed-from`.
- Supports baselines for legacy findings and expiring suppressions for accepted exceptions.
- Scans rendered Helm and Kustomize output.
- Supports CI failure gates by severity.
- Ships with a reusable GitHub Action.
```bash
go run ./cmd/kube-shipguard scan examples/secure --format text --fail-on high
```

Build the binary:

```bash
make build
./bin/kube-shipguard scan examples/secure
```

Generate SARIF for GitHub code scanning:

```bash
go run ./cmd/kube-shipguard scan deploy --format sarif --output kube-shipguard.sarif
```

Scan only changed manifests in a pull request:

```bash
go run ./cmd/kube-shipguard scan deploy --changed-from origin/main --fail-on high
```

Create a baseline for existing findings, then fail only on new risk:

```bash
go run ./cmd/kube-shipguard baseline deploy --output .kube-shipguard-baseline.yaml
go run ./cmd/kube-shipguard scan deploy --baseline .kube-shipguard-baseline.yaml --fail-on high
```

Scan rendered manifests:

```bash
go run ./cmd/kube-shipguard scan --helm-chart charts/api --helm-values values-prod.yaml
go run ./cmd/kube-shipguard scan --kustomize overlays/prod
```

Run the unsafe example without failing the process:

```bash
make demo
```

Open an interactive terminal review:

```bash
go run ./cmd/kube-shipguard review examples/unsafe
```

Review mode shortcuts:

- `1`, `2`, `3`, `a` filter high, medium, low, or all findings.
- `/` searches rule IDs, files, resources, messages, and remediation text.
- `?` opens the help overlay.
- `j`/`k`, arrow keys, `home`, and `end` navigate findings.
- `q` exits.
```text
Kube ShipGuard found 7 findings
HIGH KSG004 default/api Deployment/api container api allows privilege escalation
HIGH KSG006 default/api Deployment/api container api uses mutable image tag latest
MED  KSG001 default/api Deployment/api container api has no readiness probe
```
`--fail-on` controls the minimum severity that returns a non-zero exit code:

- `none` never fails.
- `low` fails on low, medium, or high findings.
- `medium` fails on medium or high findings.
- `high` fails only on high findings.
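As an added illustration, not Kube ShipGuard's own implementation, the three findings from the sample output above and the `--fail-on` gate reduced to a few checks over a constructed Deployment. Rule IDs and messages follow the sample output; the image name and manifest contents are placeholders.

```python
# Added illustration, not Kube ShipGuard's own code: the three rules from the
# sample output (KSG001, KSG004, KSG006) and the --fail-on gate.
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}

def deployment(container):
    """Constructed Deployment, in the dict shape a YAML parser produces."""
    return {"kind": "Deployment",
            "metadata": {"name": "api", "namespace": "default"},
            "spec": {"template": {"spec": {"containers": [container]}}}}

# Constructed unsafe container and its hardened counterpart (placeholder image).
UNSAFE = deployment({"name": "api", "image": "registry.example/api:latest",
                     "securityContext": {"allowPrivilegeEscalation": True}})
SAFE = deployment({"name": "api", "image": "registry.example/api@sha256:" + "0" * 64,
                   "securityContext": {"allowPrivilegeEscalation": False},
                   "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}})

def is_mutable_image(image):
    """A digest pin is immutable; a missing tag or `latest` is mutable."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # drop registry and repository path
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")

def scan(manifest):
    """Return (severity, rule id, resource, message) tuples for one workload."""
    md, kind = manifest["metadata"], manifest["kind"]
    res = f"{md.get('namespace', 'default')}/{md['name']} {kind}/{md['name']}"
    findings = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation", True):  # unset defaults to true
            findings.append(("high", "KSG004", res, f"container {c['name']} allows privilege escalation"))
        if is_mutable_image(c["image"]):
            findings.append(("high", "KSG006", res, f"container {c['name']} uses mutable image tag"))
        if "readinessProbe" not in c:
            findings.append(("medium", "KSG001", res, f"container {c['name']} has no readiness probe"))
    return findings

def exit_code(findings, fail_on):
    """Non-zero only if a finding reaches the --fail-on level; none never fails."""
    gate = SEVERITY[fail_on]
    return int(gate > 0 and any(SEVERITY[s] >= gate for s, *_ in findings))

if __name__ == "__main__":
    for sev, rule, res, msg in scan(UNSAFE):
        print(sev.upper(), rule, res, msg)
    print("exit code:", exit_code(scan(UNSAFE), "high"))
```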
Use the GitHub Action in a workflow:

```yaml
name: kube-shipguard
on:
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: yankawai/kube-shipguard@v1
        with:
          path: deploy
          changed-from: origin/main
          baseline: .kube-shipguard-baseline.yaml
          config: .kube-shipguard.yaml
          fail-on: high
          format: sarif
          output: kube-shipguard.sarif
```

For SARIF upload, add:

```yaml
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: kube-shipguard.sarif
```

The upload step requires the job to have the `security-events: write` permission.
