KubeBench
CIS Kubernetes Benchmark — tests cluster configuration against industry-standard security controls.
Grype
Container image CVE scanning — finds known vulnerabilities in every running image.
Falco
Runtime threat detection — monitors syscalls on every node via eBPF.
Pluto
Deprecated API detection — finds workloads using removed Kubernetes APIs.
Syft (SBOM)
Software Bill of Materials — complete package inventory for supply chain compliance.
How Scanning Works
- KubeBench, Grype, Pluto, Syft run as Kubernetes CronJobs on configurable schedules
- Falco runs as a DaemonSet on every node (continuous monitoring)
- Results are pushed to the ChangeGuard backend automatically
- The dashboard aggregates findings into the CSC score and dedicated views
CSC Score Impact
| Scanner | Max Impact | Triggered By |
|---|---|---|
| KubeBench | 15 points | Failing CIS checks |
| Grype | 15 points | Critical/high CVEs |
| Falco | 10 points | Runtime alerts |
| Pluto | 5 points | Deprecated APIs |
Configuration
All scanners are configured through the ChangeGuardAgent CRD. To disable a scanner, set enabled: false for it — the operator tears down the corresponding resources (the CronJob, or Falco's DaemonSet) automatically.
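As an added illustration (not a manifest from the ChangeGuard project), the following ChangeGuardAgent resource shows one scanner disabled and the rest on explicit schedules. Only the kind name ChangeGuardAgent and the enabled field come from this page; the apiVersion, the namespace, the scanners block and the schedule field are assumptions about the CRD's shape and should be checked against the operator's actual schema.

```yaml
# Illustrative ChangeGuardAgent manifest (added example, not ChangeGuard's own).
# Assumed: apiVersion, namespace, the "scanners" block and the "schedule" field.
apiVersion: changeguard.example/v1alpha1   # placeholder API group/version
kind: ChangeGuardAgent
metadata:
  name: changeguard-agent
  namespace: changeguard-system            # assumed namespace
spec:
  scanners:
    kubebench:
      enabled: true
      schedule: "0 2 * * *"      # nightly CIS benchmark run (CronJob)
    grype:
      enabled: true
      schedule: "0 */6 * * *"    # re-scan running images for CVEs every six hours
    syft:
      enabled: true
      schedule: "0 3 * * 0"      # weekly SBOM inventory
    pluto:
      enabled: false             # disabled: the operator removes the Pluto CronJob
    falco:
      enabled: true              # DaemonSet on every node; no schedule, it runs continuously
```

Note that Falco carries no schedule: per the section above it runs as a DaemonSet rather than a CronJob, so enabled is the only switch that applies to it, whereas the CronJob-based scanners also need a schedule that balances scan freshness against the cluster-wide load each run generates.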