🚀 Get the Package

👉 https://www.npmjs.com/package/k8s-av

Global Install

```bash
npm install -g k8s-av
npx k8s-av start
```

1. Project Overview

1.1 What is K8s-AV?

K8s-AV (Kubernetes Attack Path Visualizer) is an open-source, local-first security analysis tool that maps, visualizes, and explains the complete attack surface of a Kubernetes cluster.

Instead of producing isolated vulnerability lists, K8s-AV models your cluster as a property graph and computes real exploitable attack paths — from entry points to critical resources (crown jewels).

🔒 Privacy-first: All processing happens locally. No cluster data is transmitted externally.

1.2 Problem Statement

Traditional tools answer:
“What is vulnerable?”

But they fail to answer:
“How can an attacker actually exploit this?”

This leads to:

  • Alert fatigue
  • Poor prioritization
  • Lack of actionable insight

👉 K8s-AV shifts the focus to:
“How can an attacker move through my system?”

1.3 Core Questions Answered

  • Where can an attacker enter the cluster?
  • How can they move laterally?
  • Which assets are most critical?
  • What are the complete attack chains?
  • What should be fixed first?

1.4 Key Capabilities

  • 🔍 Cluster Scanning: extracts Kubernetes resources via kubectl (live or mock)
  • 🔗 Attack Path Detection: uses BFS + Dijkstra algorithms
  • ⚠️ Vulnerability Analysis: CVE enrichment with NVD + CVSS scoring
  • 📊 Graph Visualization: interactive local UI
  • 🧾 Kill-Chain Reports: readable attack narratives
  • 🔒 Local-First Security: no telemetry or external data sharing


2. Architecture

2.1 System Layers

| Layer | Responsibility |
|---|---|
| CLI | Command execution + orchestration |
| Scanner | Extracts cluster resources |
| Graph Builder | Converts data into nodes + edges |
| Neo4j + GDS | Graph storage + algorithms |
| Backend + UI | API + visualization |

2.2 Data Flow

```text
Kubernetes Cluster
            ↓
    CLI (kubectl scan)
            ↓
    CVE Enrichment (NVD)
            ↓
    Graph Transformation
            ↓
    Neo4j (Graph DB)
            ↓
    GDS Algorithms (BFS, Dijkstra, PageRank)
            ↓
    Backend APIs
            ↓
    React UI
```

2.3 Graph Model

Node Types

  • Pod
  • ServiceAccount
  • Secret
  • ConfigMap
  • Role / ClusterRole
  • RoleBinding / ClusterRoleBinding
  • Deployment
  • Service
  • Namespace

Edge Types

  • BOUND_TO: Pod → ServiceAccount
  • HAS_ROLE: ServiceAccount → Role
  • CAN_READ_SECRET: Role → Secret
  • CAN_EXEC: Role → Pod
  • MOUNT... (and more...)
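As an added example (not k8s-av's own code), the following plain JavaScript shows how the graph model above and the Dijkstra-based attack path detection from sections 1.4 and 2.2 fit together: a constructed mock scan is turned into the node and edge types listed here, then the cheapest path from an exposed Pod (entry point) to a crown-jewel Secret is computed and rendered as a kill-chain narrative. The scan data, the edge costs, the `exposed`/`crownJewel` flags and all function names are assumptions for illustration; the real tool runs these algorithms in Neo4j GDS rather than in-process.

```javascript
// Added example, not k8s-av's code. The scan below is constructed sample data,
// shaped like a minimal RBAC snapshot: two pods, two service accounts, two roles.
const scan = {
  pods: [
    { name: "web-frontend", namespace: "prod", serviceAccount: "web-sa", exposed: true },
    { name: "batch-worker", namespace: "prod", serviceAccount: "admin-sa", exposed: false },
  ],
  roleBindings: [
    { namespace: "prod", serviceAccount: "web-sa", role: "pod-exec" },
    { namespace: "prod", serviceAccount: "admin-sa", role: "secret-reader" },
  ],
  roles: [
    { name: "pod-exec", namespace: "prod", verbs: ["create"], resources: ["pods/exec"] },
    { name: "secret-reader", namespace: "prod", verbs: ["get", "list"], resources: ["secrets"] },
  ],
  secrets: [{ name: "db-credentials", namespace: "prod", crownJewel: true }],
};

// Assumed edge costs (hypothetical): a lower cost models an easier step for an attacker.
const EDGE_COST = { BOUND_TO: 1, HAS_ROLE: 1, CAN_READ_SECRET: 2, CAN_EXEC: 3 };

// Derive the README's edge types from the raw objects. Node ids are "Type:name".
function buildGraph(scan) {
  const edges = [];
  const add = (from, type, to) => edges.push({ from, type, to, cost: EDGE_COST[type] });
  for (const p of scan.pods) add(`Pod:${p.name}`, "BOUND_TO", `ServiceAccount:${p.serviceAccount}`);
  for (const rb of scan.roleBindings) add(`ServiceAccount:${rb.serviceAccount}`, "HAS_ROLE", `Role:${rb.role}`);
  for (const r of scan.roles) {
    // get/list on secrets lets the role read every Secret in its namespace
    if (r.resources.includes("secrets") && r.verbs.some((v) => ["get", "list"].includes(v)))
      for (const s of scan.secrets.filter((s) => s.namespace === r.namespace))
        add(`Role:${r.name}`, "CAN_READ_SECRET", `Secret:${s.name}`);
    // create on pods/exec lets the role exec into every Pod in its namespace
    if (r.resources.includes("pods/exec") && r.verbs.includes("create"))
      for (const p of scan.pods.filter((p) => p.namespace === r.namespace))
        add(`Role:${r.name}`, "CAN_EXEC", `Pod:${p.name}`);
  }
  return edges;
}

// Single-source Dijkstra; returns the cheapest chain of edges to any target node.
function dijkstra(edges, start, targets) {
  const adj = new Map();
  for (const e of edges) {
    if (!adj.has(e.from)) adj.set(e.from, []);
    adj.get(e.from).push(e);
  }
  const dist = new Map([[start, 0]]);
  const prev = new Map(); // node -> edge that reached it cheapest
  const done = new Set();
  for (;;) {
    // Linear scan for the closest unvisited node; fine for cluster-sized graphs.
    let u = null;
    for (const [n, d] of dist) if (!done.has(n) && (u === null || d < dist.get(u))) u = n;
    if (u === null) break;
    done.add(u);
    for (const e of adj.get(u) ?? []) {
      const nd = dist.get(u) + e.cost;
      if (nd < (dist.get(e.to) ?? Infinity)) { dist.set(e.to, nd); prev.set(e.to, e); }
    }
  }
  let best = null;
  for (const t of targets)
    if (dist.has(t) && (best === null || dist.get(t) < best.cost)) best = { target: t, cost: dist.get(t) };
  if (!best) return null;
  const chain = [];
  for (let n = best.target; prev.has(n); n = prev.get(n).from) chain.unshift(prev.get(n));
  return { target: best.target, cost: best.cost, chain };
}

// Entry points = exposed Pods; crown jewels = flagged Secrets. Returns the cheapest
// kill chain as readable steps, or null when no path exists.
function killChain(scan) {
  const edges = buildGraph(scan);
  const entry = scan.pods.filter((p) => p.exposed).map((p) => `Pod:${p.name}`);
  const jewels = scan.secrets.filter((s) => s.crownJewel).map((s) => `Secret:${s.name}`);
  const paths = entry.map((e) => dijkstra(edges, e, jewels)).filter(Boolean).sort((a, b) => a.cost - b.cost);
  if (paths.length === 0) return null;
  const p = paths[0];
  return { cost: p.cost, steps: p.chain.map((e) => `${e.from} -[${e.type}]-> ${e.to}`) };
}

console.log(JSON.stringify(killChain(scan), null, 2));
```

With the sample data the cheapest chain runs web-frontend → web-sa → pod-exec → batch-worker → admin-sa → secret-reader → db-credentials (cost 9): the exec permission on `web-sa` is the pivot that turns a public pod into a path to the database credentials, which is the kind of RBAC misconfiguration the tool is meant to surface. Dropping the `pod-exec` binding makes `killChain` return `null`, which is the "what should be fixed first" answer in this toy case.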

2.4 Tech Stack

  • Node.js
  • Neo4j
  • Neo4j GDS
  • kubectl
  • NVD API
  • Express.js
  • React
  • Docker

3. Installation

3.1 Prerequisites

  • Node.js ≥ 18
  • npm ≥ 9
  • Docker
  • kubectl
  • kubeconfig

⚠️ Only read access to the cluster is required.

3.2 Install Options

Zero Install (Recommended)

```bash
npx k8s-av start
```

3.3 First Run

The first `k8s-av start` automatically:

  • Starts Docker
  • Launches Neo4j
  • Starts backend (3001)
  • Starts UI (3000)
  • Opens browser

4. CLI Reference

```bash
k8s-av <command> [options]
```

Start

```bash
k8s-av start --source live
```

Scan

```bash
k8s-av scan --output data.json
```

Ingest

```bash
k8s-av ingest --source live --wipe
```

Report

```bash
k8s-av report --format json --output report.json
```

5. Workflows

Quick Start

```bash
npx k8s-av start
```

Offline Mode

```bash
k8s-av scan --mock
```

Live Cluster

```bash
k8s-av start --source live
k8s-av ingest --source live --wipe
k8s-av report --crown-jewels
```

6. Use Cases

  • Privilege escalation detection
  • RBAC misconfigurations
  • Entry point discovery
  • Crown jewel analysis
  • Security audits
  • Developer testing

7. Configuration

```env
NEO4J_URI=bolt://localhost:7687
NEO4J_PASSWORD=yourpassword
API_PORT=3001
UI_PORT=3000
NVD_API_KEY=optional
```

8. Troubleshooting

```bash
docker ps
kubectl config get-contexts
docker restart k8sav-neo4j
```

🛡️ Security & Privacy

  • No telemetry
  • No external data transfer
  • Uses kubeconfig
  • Read-only access

🤝 Contributing

```bash
git clone <repo>
npm install
npm run dev
```

MIT License © 2025 K8s-AV Contributors