
arxiv: 2606.24438 · v1 · pith:FLSUVQAYnew · submitted 2026-06-23 · 💻 cs.CR

A Comparison of Kubernetes Compliance Standards and Configuration Scanners

Pith reviewed 2026-06-25 23:23 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Kubernetes security; hardening guidelines; configuration scanners; compliance standards; risk assessment; container security; static analysis

The pith

Kubernetes hardening guidelines and scanners differ substantially in which issues they cover and how they score risks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper compares eight commonly used Kubernetes hardening guidelines and derives a benchmark of 79 configuration recommendations by incorporating additional best practices. It then evaluates ten popular static configuration scanning tools against this benchmark to measure coverage and scoring consistency. The evaluation shows that the guidelines address overlapping but distinct sets of issues and that scanners detect different subsets while assigning inconsistent severity rankings to the same problems. These differences can produce conflicting configuration priorities depending on the chosen guideline or scanner. The work concludes that more standardized and transparent methods for assessing Kubernetes configuration risks are needed.
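To make concrete what a static configuration scanner of the kind evaluated here actually does, the following is an added example (not code from the paper, and not one of the ten evaluated tools): a minimal checker that runs a handful of checks common to Kubernetes hardening guidance over a constructed weak Pod manifest and its hardened counterpart. Manifests are given as JSON (which Kubernetes accepts) to avoid a YAML dependency; the rule IDs R1 to R11, their severities and the sample manifests are assumptions made for this illustration, not items from the paper's 79-recommendation benchmark.

```python
"""Minimal static Kubernetes manifest checker (illustrative, not one of the
scanners the paper evaluates). Rule IDs and severities are made up here."""
import json

# Constructed sample: a Pod carrying the settings hardening guides flag.
WEAK_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "web", "image": "nginx:latest",
      "securityContext": {"privileged": true}
    }]
  }
}
""")

# The same workload with the settings most guides ask for.
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "web"},
  "spec": {
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "web", "image": "nginx:1.27.2",
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
      "securityContext": {
        "privileged": false,
        "allowPrivilegeEscalation": false,
        "runAsNonRoot": true,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      }
    }]
  }
}
""")


def _sc(container):
    return container.get("securityContext") or {}


def _tag(image):
    """Return the image tag, 'digest' for @sha256 pins, or None if untagged.
    Only the last path component is inspected so registry ports such as
    reg.example:5000/app are not mistaken for a tag."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


# (rule id, severity, message, predicate that is True when the check FAILS)
CONTAINER_RULES = [
    ("R1", "critical", "container runs privileged",
     lambda p, c: _sc(c).get("privileged") is True),
    ("R2", "high", "allowPrivilegeEscalation not set to false",
     lambda p, c: _sc(c).get("allowPrivilegeEscalation") is not False),
    ("R3", "high", "runAsNonRoot not set to true (container or pod level)",
     lambda p, c: _sc(c).get("runAsNonRoot") is not True
     and (p["spec"].get("securityContext") or {}).get("runAsNonRoot") is not True),
    ("R4", "medium", "root filesystem is writable",
     lambda p, c: _sc(c).get("readOnlyRootFilesystem") is not True),
    ("R5", "medium", "capabilities are not dropped (ALL)",
     lambda p, c: "ALL" not in (_sc(c).get("capabilities") or {}).get("drop", [])),
    ("R6", "low", "no CPU/memory limits",
     lambda p, c: not (c.get("resources") or {}).get("limits")),
    ("R7", "low", "image tag is mutable (missing or 'latest')",
     lambda p, c: _tag(c["image"]) in (None, "latest")),
]
POD_RULES = [
    ("R8", "high", "hostNetwork enabled", lambda p: p["spec"].get("hostNetwork") is True),
    ("R9", "high", "hostPID enabled", lambda p: p["spec"].get("hostPID") is True),
    ("R10", "low", "service account token auto-mounted",
     lambda p: p["spec"].get("automountServiceAccountToken") is not False),
    ("R11", "low", "workload placed in the default namespace",
     lambda p: p["metadata"].get("namespace", "default") == "default"),
]


def scan(pod):
    """Return a list of (rule_id, severity, location, message) findings."""
    findings = []
    name = pod["metadata"]["name"]
    for rid, sev, msg, failed in POD_RULES:
        if failed(pod):
            findings.append((rid, sev, name, msg))
    for c in pod["spec"].get("containers", []):
        for rid, sev, msg, failed in CONTAINER_RULES:
            if failed(pod, c):
                findings.append((rid, sev, f"{name}/{c['name']}", msg))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        results = scan(pod)
        print(f"== {label}: {len(results)} finding(s)")
        for rid, sev, where, msg in results:
            print(f"  {rid:<4} {sev:<8} {where}: {msg}")
```

The weak manifest trips ten of the eleven checks; the hardened one trips none. Note that every rule here is a pure function of the manifest, which is exactly why real scanners disagree: each tool chooses its own rule set, its own severity label for the same condition, and its own interpretation of edge cases such as an unset field versus an explicit false.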

Core claim

Comparing eight commonly used Kubernetes hardening guidelines, adding best practices to form a benchmark of 79 recommendations, and then running a structured empirical evaluation of ten popular static configuration scanners and their scoring outputs reveals substantial disparities in which configuration issues the guidelines and the scanners cover, and inconsistencies in how different scanners score and rank the same issues.

What carries the argument

The benchmark of 79 Kubernetes configuration recommendations created by merging eight hardening guidelines with best practices, serving as the reference set for measuring scanner coverage and scoring differences.

If this is right

  • Different hardening guidelines recommend different sets of configuration changes for securing clusters.
  • Individual scanners detect only partial subsets of the 79 benchmark issues.
  • Scanners assign varying severity scores and priority rankings to identical configuration problems.
  • Security decisions about which issues to address first can change depending on the guideline or scanner selected.
  • Standardized and transparent approaches to risk assessment would reduce variability in configuration decisions.
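The bullets above describe three measurable things: per-scanner coverage of a benchmark, severity disagreement on the same item, and the remediation order each tool implies. The following added example (not code or data from the paper) computes all three over a constructed ten-item benchmark and three hypothetical scanners named alpha, beta and gamma; the benchmark items, rule tables, and the mapping of a 0 to 10 numeric score onto the four-level label scale are all assumptions made for this illustration, not the paper's 79 recommendations or the evaluated tools' real rule sets.

```python
"""Coverage and severity-agreement measurement against a benchmark.
Added example; BENCHMARK and SCANNERS are constructed placeholders."""
from collections import defaultdict

# Constructed benchmark: id -> short description.
BENCHMARK = {
    "B01": "no privileged containers",
    "B02": "allowPrivilegeEscalation=false",
    "B03": "run as non-root",
    "B04": "read-only root filesystem",
    "B05": "drop all capabilities",
    "B06": "resource limits set",
    "B07": "no hostNetwork/hostPID",
    "B08": "no automount of service account token",
    "B09": "immutable image tag",
    "B10": "NetworkPolicy present",
}

# Constructed scanner rule tables: benchmark item -> severity the tool assigns.
# Two tools use labels, one uses a 0-10 numeric score, as real tools do.
SCANNERS = {
    "alpha": {"B01": "critical", "B02": "high", "B03": "high", "B04": "medium",
              "B05": "medium", "B06": "low", "B07": "high"},
    "beta":  {"B01": "high", "B03": "medium", "B04": "low", "B06": "high",
              "B08": "medium", "B09": "low"},
    "gamma": {"B01": 9.0, "B02": 7.5, "B05": 4.0, "B07": 8.0, "B10": 6.5},
}

LABEL_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize(sev):
    """Map a label or a 0-10 score onto a shared 1..4 ordinal scale.
    The bucket edges (4, 7, 9) are an assumption; tools publish no such mapping."""
    if isinstance(sev, str):
        return LABEL_RANK[sev.lower()]
    return 1 if sev < 4 else 2 if sev < 7 else 3 if sev < 9 else 4


def coverage(scanners=SCANNERS, benchmark=BENCHMARK):
    """Per-scanner coverage fraction, plus the union and intersection of
    benchmark items covered by all tools together."""
    sets = {n: set(rules) & set(benchmark) for n, rules in scanners.items()}
    per_tool = {n: len(s) / len(benchmark) for n, s in sets.items()}
    union = set().union(*sets.values())
    inter = set.intersection(*sets.values())
    return per_tool, union, inter


def severity_disagreements(scanners=SCANNERS):
    """Benchmark items rated by two or more tools whose normalized severities differ."""
    ratings = defaultdict(dict)
    for name, rules in scanners.items():
        for item, sev in rules.items():
            ratings[item][name] = normalize(sev)
    return {item: r for item, r in ratings.items()
            if len(r) >= 2 and len(set(r.values())) > 1}


def priority_order(rules):
    """Remediation order a single tool implies: highest severity first, id as tie-break."""
    return sorted(rules, key=lambda item: (-normalize(rules[item]), item))


if __name__ == "__main__":
    per_tool, union, inter = coverage()
    print("coverage:", per_tool, "union:", len(union), "intersection:", sorted(inter))
    print("severity disagreements:", severity_disagreements())
    for name, rules in SCANNERS.items():
        print(f"{name} would fix in order: {priority_order(rules)}")
```

With these inputs no single tool covers more than 70% of the benchmark, only one item (B01) is flagged by all three, four of the seven items seen by more than one tool get different severities, and the same item (resource limits, B06) is ranked second by beta but last by alpha. The normalization step is where most of the hidden judgement lives: any comparison of numeric and label-based scoring has to pick bucket edges, and a different choice changes which disagreements appear.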

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Teams relying on a single scanner may miss issues flagged by other tools or guidelines.
  • A shared reference benchmark could help align future guideline updates and scanner development.
  • Users combining outputs from multiple scanners would encounter conflicting remediation priorities that require manual reconciliation.
  • Automated tools that aggregate recommendations across several guidelines could reduce the observed inconsistencies.

Load-bearing premise

The eight selected hardening guidelines are representative of commonly used standards and the derived set of 79 recommendations accurately captures the relevant space of configuration issues.

What would settle it

Repeating the evaluation with a larger or differently chosen set of hardening guidelines, or with an independently derived benchmark, and finding consistent coverage and uniform scoring across the ten scanners would show that the reported disparities are artifacts of the selection rather than properties of the Kubernetes hardening landscape.

Figures

Figures reproduced from arXiv: 2606.24438 by Farooq Shaikh, Mario Kahlhofer, Markus Gierlinger, Michael Krieger.

Figure 1: Typical components of a Kubernetes cluster. (Text extracted alongside the figure: "Actionable insights for practitioners: We highlight substantial disparities in scanner coverage and scoring behavior, providing guidance for practitioners selecting tools to identify configuration issues in Kubernetes deployments. 2 Kubernetes Architecture, Hardening Guidelines, and Scanners. This section provides an overview of the architecture of Kubernetes…")
Figure 2: Timeline of first releases of K8s security standards. (Text extracted alongside the figure: "…load balancing, and stable network endpoints. Each worker node runs a kubelet agent that manages the lifecycle of workloads assigned to that node [31]. 2.2 Compliance and Security Guidelines. The Kubernetes Policy Working Group emphasizes the importance of adhering to both internal and external regulatory standards, as well as security best practices, p…")
Figure 3: Timeline of first releases of K8s security scanners. (Text extracted alongside the figure: "…line materials such as blog posts and industry reports. We used targeted search terms, including “Kubernetes”, “k8s”, “security”, “misconfiguration”, “compliance”, and “scanner”, to ensure broad coverage. In addition, we reviewed industry analyses such as the Gartner Application Security Testing Magic Quadrant [21], the Forrester Wave Software Compositio…")
Original abstract

Kubernetes has become the industry standard for orchestrating containers in microservice-based software architectures. While several hardening guidelines and scanning tools for securing Kubernetes clusters and deployments have emerged in recent years, their differing guidance and outputs often lead to inconsistent configuration and prioritization decisions. This work presents a systematic comparison of eight commonly used Kubernetes hardening guidelines. Through this comparison and the inclusion of best practices, we established a benchmark of 79 Kubernetes configuration recommendations and conducted a structured empirical evaluation of ten popular static configuration scanning tools and their scoring outputs. Our findings reveal substantial disparities in the coverage of configuration issues across hardening guidelines and scanners, as well as inconsistencies in how configuration issues are scored and ranked by different scanners. These results highlight the need for more standardized, transparent, and consistent approaches to risk and severity assessment of Kubernetes configuration issues.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper claims to systematically compare eight commonly used Kubernetes hardening guidelines, merge them with best practices to form a benchmark of 79 configuration recommendations, and then empirically evaluate ten static configuration scanners on coverage of the benchmark as well as inconsistencies in their scoring and ranking of issues. The central finding is substantial disparities in coverage across guidelines and scanners plus scoring inconsistencies, motivating calls for more standardized approaches to Kubernetes configuration security.

Significance. If the benchmark construction is shown to be representative and the evaluation methods are fully documented with raw data, the results would be significant for cloud security practice: Kubernetes is the dominant container orchestrator, and documented inconsistencies in hardening guidance and scanner outputs directly affect real-world risk prioritization. The structured empirical comparison of multiple guidelines and tools is a strength, as is the explicit call for transparency in severity assessment.

major comments (1)
  1. [§3] §3 (Benchmark construction): The abstract states that the 79-recommendation benchmark was formed by comparing eight guidelines plus best practices, but the manuscript provides no selection criteria for the eight guidelines, no enumeration of the initial pool of standards considered, and no description of the deduplication or merging rules that produced exactly 79 items. This is load-bearing for the central claim of 'substantial disparities,' because without these details the observed coverage gaps and scoring inconsistencies could be artifacts of ad-hoc selection rather than intrinsic properties of the Kubernetes hardening landscape.
minor comments (1)
  1. [Abstract] Abstract: the phrase 'conducted the a structured empirical evaluation' contains a typographical error.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback. The major comment highlights a genuine gap in the documentation of our benchmark construction process. We agree that additional details are required to support the central claims and will revise the manuscript accordingly.

Point-by-point responses
  1. Referee: [§3] §3 (Benchmark construction): The abstract states that the 79-recommendation benchmark was formed by comparing eight guidelines plus best practices, but the manuscript provides no selection criteria for the eight guidelines, no enumeration of the initial pool of standards considered, and no description of the deduplication or merging rules that produced exactly 79 items. This is load-bearing for the central claim of 'substantial disparities,' because without these details the observed coverage gaps and scoring inconsistencies could be artifacts of ad-hoc selection rather than intrinsic properties of the Kubernetes hardening landscape.

    Authors: We agree that the current manuscript does not provide explicit selection criteria for the eight guidelines, an enumeration of the initial pool of standards considered, or a detailed description of the deduplication and merging rules used to arrive at the final 79 recommendations. These omissions limit the ability to fully assess whether the observed disparities are intrinsic or selection-dependent. In the revised manuscript we will expand §3 with: (1) explicit inclusion criteria (e.g., public availability, industry adoption, and focus on configuration hardening); (2) the initial pool of 12 standards that were reviewed before selecting the final eight; and (3) the step-by-step deduplication protocol, including how overlapping recommendations were merged or retained. We will also release the full mapping table as supplementary material. These additions will directly address the concern that the findings could be artifacts of ad-hoc selection. revision: yes

Circularity Check

0 steps flagged

Empirical comparison study with no derivations or self-referential reductions

Full rationale

The paper performs a direct empirical comparison of eight hardening guidelines and ten scanners against a manually constructed benchmark of 79 recommendations. No equations, fitted parameters, predictions, or mathematical derivations appear in the provided text. The benchmark construction is presented as a methodological step (comparing guidelines plus best practices) without any reduction to self-definition, fitted inputs renamed as predictions, or load-bearing self-citations. All patterns for circularity require explicit self-referential equivalence (e.g., X defined in terms of Y or a fit called a prediction); none are present. The study is therefore self-contained against external benchmarks and receives score 0.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The study rests on domain assumptions that the chosen guidelines and scanners are representative and that the benchmark construction process is neutral; no free parameters or invented entities are introduced.

axioms (2)
  • Domain assumption: The eight hardening guidelines are commonly used and representative.
    Abstract states 'eight commonly used Kubernetes hardening guidelines' without further justification of selection.
  • Domain assumption: The ten scanners are popular and their outputs are comparable on a shared benchmark.
    Abstract refers to 'ten popular static configuration scanning tools' and assumes their scoring outputs can be directly contrasted.

pith-pipeline@v0.9.1-grok · 5666 in / 1100 out tokens · 25686 ms · 2026-06-25T23:23:53.185042+00:00 · methodology


Reference graph

Works this paper leans on

54 references · 20 canonical work pages

  1. [1] Defense Information Systems Agency (DISA): Kubernetes STIG (Sep 2025), https://ncp.nist.gov/checklist/996
  2. [2] Akula, M.: Kubernetes Goat: A Kubernetes security learning playground (2026), https://github.com/madhuakula/kubernetes-goat
  3. [3] Allodi, L., Massacci, F.: Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security 17(1), 1–20 (Aug 2014). https://doi.org/10.1145/2630069
  4. [4] Kubescape Authors: Kubescape (Dec 2025), https://github.com/kubescape/kubescape/
  5. [5] The Kubernetes Authors: Application security checklist (Nov 2024), https://kubernetes.io/docs/concepts/security/application-security-checklist/
  6. [6] The Kubernetes Authors: Security checklist (Feb 2025), https://kubernetes.io/docs/concepts/security/security-checklist/
  7. [7] Bose, D.B., Rahman, A., Shamim, S.I.: ‘Under-reported’ security defects in Kubernetes manifests. In: 2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS), pp. 9–12. IEEE, Madrid, Spain (Jun 2021). https://doi.org/10.1109/EnCyCriS52570.2021.00009
  8. [8] Carrión, C.: Kubernetes as a standard container orchestrator - a bibliometric analysis. Journal of Grid Computing 20(4), 42 (Dec 2022). https://doi.org/10.1007/s10723-022-09629-8
  9. [9] Checkmarx: KICS (Dec 2025), https://github.com/Checkmarx/kics
  10. [10] CIS: CIS Kubernetes Benchmark v1.12.0. CIS Benchmarks (Sep 2025), https://www.cisecurity.org/benchmark/kubernetes
  11. [11] Prisma Cloud: Checkov (Dec 2025), https://github.com/bridgecrewio/checkov
  12. [12] Cloud Native Computing Foundation: CNCF landscape (2026), https://landscape.cncf.io/
  13. [13] Best Practices for Container Orchestration Special Interest Group (PCI Security Standards Council): Guidance for containers and container orchestration tools (Sep 2022), https://docs-prv.pcisecuritystandards.org/Guidance%20Document/Containers%20and%20Container%20Orchestration%20Tools/Guidance-for-Containers-and-Container-Ochestration-Tools-v1_0.pdf
  14. [14] ControlPlane: kubesec (Dec 2025), https://github.com/controlplaneio/kubesec/
  15. [15] Dell’Immagine, G., Soldani, J., Brogi, A.: KubeHound: Detecting microservices’ security smells in Kubernetes deployments. Future Internet 15(7), 228 (Jun 2023). https://doi.org/10.3390/fi15070228
  16. [16] Dietrich, C., Krombholz, K., Borgolte, K., Fiebig, T.: Investigating system operators’ perspective on security misconfigurations. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1272–1289. ACM, Toronto, Canada (Oct 2018). https://doi.org/10.1145/3243734.3243794
  17. [17] Fairwinds: Polaris (Dec 2025), https://github.com/FairwindsOps/polaris
  18. [18] FIRST.Org, Inc.: Common Vulnerability Scoring System v4.0: Specification Document (Nov 2023), https://www.first.org/cvss/v4.0/specification-document, accessed 2025-12-16
  19. [19] Forrester Research, Inc.: The Forrester Wave™: Software Composition Analysis Software, Q4 2024 (Nov 2024), https://www.forrester.com/report/the-forrester-wave-tm-software-composition-analysis-software-q4-2024/RES181655
  20. [20] Forrester Research, Inc.: The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025 (Sep 2025), https://www.forrester.com/report/the-forrester-wave-tm-static-application-security-testing-solutions-q3-2025/RES185613
  21. [21] Gartner, Inc.: Gartner Magic Quadrant for Application Security Testing (Oct 2025), https://www.gartner.com/en/documents/7027498
  22. [22] Hamon, Y.: kubeconform (Dec 2025), https://github.com/yannh/kubeconform
  23. [23] Red Hat: KubeLinter (Dec 2025), https://github.com/stackrox/kube-linter
  24. [24] Hendre, A., Joshi, K.P.: A semantic approach to cloud security and compliance. In: 2015 IEEE 8th International Conference on Cloud Computing, pp. 1081–1084. IEEE, New York City, NY, USA (Jun 2015). https://doi.org/10.1109/CLOUD.2015.157
  25. [25] Bundesamt für Sicherheit in der Informationstechnik (BSI): APP.4.4 Kubernetes (Edition 2023) (Feb 2023), https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-GS-Kompendium_Einzel_PDFs_2023/06_APP_Anwendungen/APP_4_4_Kubernetes_Edition_2023.html
  26. [26] Bundesamt für Sicherheit in der Informationstechnik (BSI): SYS.1.6 Containerisierung (Edition 2023) (Feb 2023), https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-GS-Kompendium_Einzel_PDFs_2023/07_SYS_IT_Systeme/SYS_1_6_Containerisierung_Edition_2023.html
  27. [27] Kamieniarz, K., Mazurczyk, W.: A comparative study on the security of Kubernetes deployments. In: 2024 International Wireless Communications and Mobile Computing (IWCMC), pp. 0718–0723. IEEE, Ayia Napa, Cyprus (May 2024). https://doi.org/10.1109/IWCMC61514.2024.10592468
  28. [28] Kapetanidou, I.A., Nizamis, A., Votis, K.: An evaluation of commonly used Kubernetes security scanning tools. In: Proceedings of the 2nd International Workshop on MetaOS for the Cloud-Edge-IoT Continuum, pp. 20–25. ACM, Rotterdam, Netherlands (Mar 2025). https://doi.org/10.1145/3721889.3721924
  29. [29] Koscinski, V., Nelson, M., Okutan, A., Falso, R., Mirakhorli, M.: Conflicting scores, confusing signals: An empirical study of vulnerability scoring systems. In: Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, pp. 1904–1918. ACM, Taipei, Taiwan (Nov 2025). https://doi.org/10.1145/3719027.3765210
  30. [30] LeMay, E., Scarfone, K., Mell, P.: The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities. NIST IR 7864, Gaithersburg, MD (Jul 2012). https://doi.org/10.6028/NIST.IR.7864
  31. [31] Martin, A., Hausenblas, M.: Hacking Kubernetes. O’Reilly Media, Inc., 1st edn. (2021)
  32. [32] Mell, P., Scarfone, K.: The Common Configuration Scoring System (CCSS): Metrics for software security configuration vulnerabilities. NIST IR 7502 (Dec 2010). https://doi.org/10.6028/NIST.IR.7502
  33. [33] Milousi, K., Kiriakidis, P., Mengidis, N., Rizos, G., Mazi, M.S., Voulgaridis, A., Votis, K., Tzovaras, D.: Evaluating cybersecurity risk: A comprehensive comparison of vulnerability scoring methodologies. In: Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1–11. ACM, Vienna, Austria (Jul 2024). https://doi.org/10.1145…
  34. [34] Minna, F., Massacci, F.: An open-source cloud testbed for security experimentation. In: 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid), pp. 756–759. IEEE, Taormina, Italy (May 2022). https://doi.org/10.1109/CCGrid54584.2022.00086
  35. [35] National Institute of Standards and Technology: Common Configuration Enumeration (CCE) (2026), https://ncp.nist.gov/cce
  36. [36] NSA/CISA: Kubernetes Hardening Guide. Cybersecurity Technical Report, version 1.2 (Aug 2022), https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
  37. [37] Ponce, F., Soldani, J., Astudillo, H., Brogi, A.: Smells and refactorings for microservices security: A multivocal literature review. Journal of Systems and Software 192, 111393 (Oct 2022). https://doi.org/10.1016/j.jss.2022.111393
  38. [38] Pothula, D.R., Kumar, K.M., Kumar, S.: Run time container security hardening using a proposed model of security control map. In: 2019 Global Conference for Advancement in Technology (GCAT), pp. 1–6. IEEE, Bangalore, India (Oct 2019). https://doi.org/10.1109/GCAT47503.2019.8978433
  39. [39] cdk8s Project Authors: cdk8s (Dec 2025), https://github.com/cdk8s-team/cdk8s
  40. [40] Rahman, A., Shamim, S.I., Bose, D.B., Pandita, R.: Security misconfigurations in open source Kubernetes manifests: An empirical study. ACM Transactions on Software Engineering and Methodology 32(4), 1–36 (Oct 2023). https://doi.org/10.1145/3579639
  41. [41] Ramanathan, J., Bugwadia, J., Krishnamurthy, R., Parvin, G., Lamba, P., Watanabe, Y., Suderman, A., Keller, B., Sailer, A., Ficcaglia, R., Zeolla, J.: Kubernetes Governance, Risk, and Compliance. Kubernetes Policy Working Group paper (Oct 2023), https://github.com/kubernetes/sig-security/blob/main/sig-security-docs/papers/policy_grc/Kubernetes_Policy_WG_Paper_v1_101123.pdf
  42. [42] Ruiz, Y.: Harnessing the potential of 5G with Kubernetes (Feb 2023), https://ubuntu.com/blog/harnessing-the-potential-of-5g-with-kubernetes
  43. [43] Scarfone, K., Mell, P.: Vulnerability scoring for security configuration settings. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 3–8. ACM, Alexandria, Virginia, USA (Oct 2008). https://doi.org/10.1145/1456362.1456365
  44. [44] Aqua Security: Trivy (Dec 2025), https://github.com/aquasecurity/trivy
  45. [45] Shamim, A.: Containerization for the software-defined vehicle. ATZelectronics worldwide 18(12), 58–58 (Dec 2023). https://doi.org/10.1007/s38314-023-1560-7
  46. [46] Shamim, M.S.I., Bhuiyan, F.A., Rahman, A.: Kubernetes security best practices (May 2020), https://figshare.com/s/548f0f90a0f2744cf33a
  47. [47] Shamim, M.S.I., Bhuiyan, F.A., Rahman, A.: XI commandments of Kubernetes security: A systematization of knowledge related to Kubernetes security practices. In: 2020 IEEE Secure Development (SecDev), pp. 58–64. IEEE, Atlanta, GA, USA (Sep 2020). https://doi.org/10.1109/SecDev45635.2020.00025
  48. [48] Snyk: Snyk (Dec 2025), https://snyk.io/
  49. [49] OWASP Cheat Sheet Series Team: Kubernetes security cheat sheet (Nov 2025), https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html
  50. [50] Tenable: Terrascan (Nov 2025), https://github.com/tenable/terrascan
  51. [51] Theodoropoulos, T., Rosa, L., Benzaid, C., Gray, P., Marin, E., Makris, A., Cordeiro, L., Diego, F., Sorokin, P., Girolamo, M.D., Barone, P., Taleb, T., Tserpes, K.: Security in cloud-native services: A survey. Journal of Cybersecurity and Privacy 3(4), 758–793 (Oct 2023). https://doi.org/10.3390/jcp3040034
  52. [52] Weizman, Y., Patrich, D., Pliskin, R.: Threat matrix for Kubernetes (Jan 2023), https://microsoft.github.io/Threat-Matrix-for-Kubernetes/
  53. [53] Westling, G.: kube-score (Dec 2025), https://github.com/zegl/kube-score
  54. [54] Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering. Springer Berlin Heidelberg, Berlin, Heidelberg (2024). https://doi.org/10.1007/978-3-662-69306-3