Support for K8s CIS v1.10+ and GKE scans

[danyloKazakovRadicant]

Question

Hi people,

I'm new to CIS benchmark scanning and have been evaluating Trivy for auditing my current Kubernetes setup. I’ve gone through the documentation but couldn’t find a clear summary regarding support for newer Kubernetes versions.

From what I understand, Trivy currently supports the k8s-cis-1.23 profile and targets Kubernetes v1.23. My cluster is running Kubernetes v1.32, and I couldn’t find any information on whether Trivy supports this version or if there are plans to add support for newer CIS benchmarks like v1.11.1, which is designed for Kubernetes v1.29–1.32.

I’ve tried other tools:

• kube-bench: supports CIS v1.11.1, but lacks resource-level insights, which is a major drawback for my use case.
• Kubescape: also supports newer benchmarks, but requires operator deployment for full functionality, which I’d prefer to avoid.

Additionally, I’m curious whether Trivy plans to support GKE-specific CIS checks, similar to what kube-bench offers. Is there any roadmap?

Thanks in advance for any insights or updates!

Target

Kubernetes

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Operating System

GCP Cloud Run Job

Version

0.65.0

[itaysk]

Hi, our intentions are for Trivy to cover all the relevant tests eventually, but we had other priorities and didn't get around to maintain the content. We will try to reprioritize but until we do, any community help in updating the specs would be appreciated.