Using polaris - SethBodine/audit-tools GitHub Wiki

Using Polaris

Polaris is a Kubernetes workload validation tool that checks deployments, pods, and other workloads against a set of security and reliability best practices. It covers security contexts, resource limits, image tag pinning, health checks, and more. Unlike framework-based tools like kubescape, Polaris focuses on workload configuration quality and is designed to produce results that are actionable for developers as well as security teams.

  • Validates Kubernetes workloads against security and reliability best practices
  • Checks security contexts, resource limits, liveness/readiness probes, image tags, and more
  • Scans live clusters or local manifest files and Helm charts
  • Outputs to table, JSON, and HTML
  • Severity levels: danger, warning, and ignore — configurable per check

Prepare the Environment

No setup required. Run from the shell.

For live cluster scanning, ensure kubectl is configured and connected. See Cloud Authentication via CLI for AKS and EKS setup.

Gather Data

Scan a Live Cluster

polaris audit --format=pretty
polaris audit --format=json > /output/polaris-results.json
polaris audit --format=html > /output/polaris-report.html

Scan Local Manifest Files

polaris audit --audit-path <path-to-manifests>
polaris audit --audit-path . --format=json > /output/polaris-results.json

Scan a Helm Chart

polaris audit --helm-chart <chart-directory> \
    --helm-values <values.yaml>

Filter by Severity

# Only report checks that failed (warning and danger severities); passing checks are omitted
polaris audit --format=pretty --only-show-failed-tests

Set a Minimum Score Threshold

Polaris produces an overall score out of 100. You can fail a scan below a threshold:

polaris audit --format=json --set-exit-code-below-score 80
# Exit code is non-zero (4) if the score is below the threshold, so the scan can gate a pipeline
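The two steps above (keeping only failed checks, then gating on the score) can also be applied after the fact to a saved JSON report, which is useful when the scan runs once and several teams triage the output. The script below is an added example, not part of this wiki or of the Polaris project. It assumes the JSON shape shown in the constructed SAMPLE_REPORT (top-level Score and Results, each workload carrying a PodResult with Results and ContainerResults); the real report contains more fields than the sample and the exact names should be checked against the installed version.

```python
"""Triage a saved Polaris JSON report: list failed checks by severity and gate on score.
Added example; the report layout below is an assumption modelled on polaris audit --format=json."""
import json

# Constructed sample report (not real scan output); field names are assumed.
SAMPLE_REPORT = """
{
  "PolarisOutputVersion": "1.0",
  "SourceType": "Cluster",
  "Score": 72,
  "Results": [
    {
      "Name": "web", "Namespace": "default", "Kind": "Deployment",
      "PodResult": {
        "Results": {
          "hostNetworkSet": {"ID": "hostNetworkSet", "Message": "Host network should not be configured",
                             "Success": false, "Severity": "danger", "Category": "Security"},
          "hostPIDSet": {"ID": "hostPIDSet", "Message": "Host PID is not configured",
                         "Success": true, "Severity": "danger", "Category": "Security"}
        },
        "ContainerResults": [
          {"Name": "web", "Results": {
            "runAsRootAllowed": {"ID": "runAsRootAllowed", "Message": "Should not be allowed to run as root",
                                 "Success": false, "Severity": "danger", "Category": "Security"},
            "cpuLimitsMissing": {"ID": "cpuLimitsMissing", "Message": "CPU limits should be set",
                                 "Success": false, "Severity": "warning", "Category": "Efficiency"}}}
        ]
      }
    },
    {
      "Name": "node-exporter", "Namespace": "monitoring", "Kind": "DaemonSet",
      "PodResult": {
        "Results": {},
        "ContainerResults": [
          {"Name": "exporter", "Results": {
            "memoryLimitsMissing": {"ID": "memoryLimitsMissing", "Message": "Memory limits should be set",
                                    "Success": false, "Severity": "warning", "Category": "Efficiency"}}}
        ]
      }
    }
  ]
}
"""

SEVERITY_RANK = {"ignore": 0, "warning": 1, "danger": 2}


def load_report(text=SAMPLE_REPORT):
    """Parse a Polaris JSON report (defaults to the constructed sample)."""
    return json.loads(text)


def failed_checks(report, min_severity="warning"):
    """Return failed checks at or above min_severity as
    (namespace, kind, workload, container, check_id, severity, message) tuples.
    Pod-level results are reported with container set to "pod"."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for workload in report.get("Results", []):
        pod = workload.get("PodResult") or {}
        scopes = [("pod", pod.get("Results", {}))]
        scopes += [(c.get("Name", ""), c.get("Results", {})) for c in pod.get("ContainerResults", [])]
        for container, results in scopes:
            for check_id, result in results.items():
                if result.get("Success"):
                    continue  # mirrors --only-show-failed-tests: passing checks are dropped
                severity = result.get("Severity", "ignore")
                if SEVERITY_RANK.get(severity, 0) < threshold:
                    continue
                findings.append((workload.get("Namespace", ""), workload.get("Kind", ""),
                                 workload.get("Name", ""), container, check_id, severity,
                                 result.get("Message", "")))
    return findings


def gate(report, passing_threshold=80, fail_on_danger=True):
    """Decide whether the report passes: score at or above the threshold and, optionally,
    no failed danger-level checks. Returns (passed, list_of_reasons)."""
    score = report.get("Score", 0)
    reasons = []
    if score < passing_threshold:
        reasons.append(f"score {score} is below threshold {passing_threshold}")
    dangers = failed_checks(report, "danger")
    if fail_on_danger and dangers:
        reasons.append(f"{len(dangers)} danger-level check(s) failed")
    return (not reasons), reasons


if __name__ == "__main__":
    rpt = load_report()
    for ns, kind, name, container, check, sev, msg in failed_checks(rpt):
        print(f"[{sev:7}] {ns}/{kind}/{name} ({container}): {check} - {msg}")
    passed, why = gate(rpt, 80)
    print("PASS" if passed else "FAIL: " + "; ".join(why))
```

Run it against a real report with `load_report(open("/output/polaris-results.json").read())`; the DaemonSet limit finding in the sample is the kind of result the Known Issues section says to review in context before reporting.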

Check What Polaris Tests For

polaris audit --list-checks

Use a Custom Config

Polaris is configurable via a YAML file. To adjust severities or disable specific checks:

polaris audit --config <path-to-config.yaml>

A starter config is available in the Polaris documentation; copy it and adjust severities or exemptions as needed.
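As an added illustration of the config format (not a file from this wiki or the Polaris project), the fragment below keeps the security-context checks at danger, downgrades resource-limit checks, disables one check outright, and uses an exemption to suppress limit findings on a single DaemonSet instead of turning the check off cluster-wide. The `checks` and `exemptions` keys and the check names follow the Polaris documentation as the editor understands it; the namespace and controller name are constructed placeholders.

```yaml
# Added example Polaris config; check names and the exemptions layout are assumed
# from the Polaris docs, and the namespace/controller names below are placeholders.
checks:
  # Security checks kept at the highest severity
  hostNetworkSet: danger
  hostPIDSet: danger
  hostIPCSet: danger
  runAsRootAllowed: danger
  runAsPrivileged: danger
  privilegeEscalationAllowed: danger
  # Efficiency checks reported but not treated as blocking
  cpuLimitsMissing: warning
  memoryLimitsMissing: warning
  # A check this environment has chosen not to run at all
  pullPolicyNotAlways: ignore
exemptions:
  # Suppress limit findings for one known DaemonSet rather than disabling the checks globally
  - namespace: monitoring
    controllerNames:
      - node-exporter
    rules:
      - cpuLimitsMissing
      - memoryLimitsMissing
```

Pass the file with `polaris audit --config <path-to-config.yaml>`; scoping exemptions to a namespace and controller keeps the rest of the cluster covered by the original severity.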

Known Issues

  • Polaris does not scan CronJob or Job workloads by default in some versions — check the release notes for the version installed.
  • Resource limit checks will flag workloads that intentionally have no limits set (e.g. DaemonSets). Review findings in context before reporting.

Additional Information