Security

Kubernetes manifest hardening scorer API

Scores a provided, already-parsed Kubernetes manifest (Pod, Deployment, etc., as JSON) against Pod Security Standard (PSS) style controls, evaluated per container: privileged, allowPrivilegeEscalation, runAsNonRoot / UID 0, readOnlyRootFilesystem, dropped capabilities (ALL / SYS_ADMIN / NET_RAW), hostNetwork / hostPID / hostIPC, hostPath volumes, missing resource limits, and mutable :latest image tags. Returns findings with severity and remediation, plus a 0-100 hardening score. Answers questions such as 'Is this pod running as root?' and 'Does this manifest meet the restricted PSS?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/k8s-manifest
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, kubernetes, k8s, pss, container, hardening, manifest, scoring
API URL: https://x402.hexl.dev/v1/security/k8s-manifest
Example request
{
  "manifest": {
    "kind": "Pod",
    "metadata": {
      "name": "web"
    },
    "spec": {
      "hostNetwork": true,
      "containers": [
        {
          "name": "app",
          "image": "nginx:latest",
          "securityContext": {
            "privileged": true
          }
        }
      ]
    }
  }
}
Example response
{
  "score": 17,
  "kind": "Pod",
  "containersAnalyzed": 1,
  "findingsCount": 8,
  "criticalFindings": 1,
  "findings": [
    {
      "id": "host-network",
      "severity": "high",
      "title": "Pod uses hostNetwork: true",
      "remediation": "Remove hostNetwork; it exposes the node's network namespace."
    },
    {
      "id": "app-privileged",
      "severity": "critical",
      "title": "Container 'app' runs privileged",
      "remediation": "Set securityContext.privileged: false; privileged containers have full host access."
    },
    {
      "id": "app-root",
      "severity": "high",
      "title": "Container 'app' may run as root (runAsNonRoot not true)",
      "remediation": "Set runAsNonRoot: true and a non-zero runAsUser."
    },
    {
      "id": "app-latest-tag",
      "severity": "low",
      "title": "Container 'app' uses a mutable/:latest image tag",
      "remediation": "Pin the image to an immutable digest or specific version tag."
    }
  ]
}
Input schema
{
  "type": "object",
  "required": [
    "manifest"
  ],
  "properties": {
    "manifest": {
      "type": "object",
      "additionalProperties": true,
      "description": "Parsed Kubernetes object.",
      "examples": [
        {
          "kind": "Pod",
          "metadata": {
            "name": "web"
          },
          "spec": {
            "hostNetwork": true,
            "containers": [
              {
                "name": "app",
                "image": "nginx:latest",
                "securityContext": {
                  "privileged": true
                }
              }
            ]
          }
        }
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}