kspect — Linux kernel security auditing & drift detection
A single static Go binary that audits the running kernel's security posture — sysctls, boot parameters, kernel config, loaded modules, CPU vulnerability mitigations, LSMs, lockdown state — and detects drift against saved baselines.
- 50 built-in checks, each with a rationale (what an attacker gains) and an exact remediation command.
- CI-native: stable exit codes, JSON, and SARIF output for GitHub code scanning;
--fail-onseverity gates. - Three-state results (pass / fail / unknown) so missing data is never reported as a failure — the core false-positive control.
- Zero dependencies: pure Go stdlib,
FROM scratchcontainer. - Found and fixed a real CI bug involving volatile sysctl keys before the v0.1.0 release — the tool caught a class of flakiness its own test pipeline was suffering from.
$ kspect scan --format sarif > k.sarif $ kspect scan --fail-on high $ kspect baseline golden.json $ kspect diff golden.json exit codes: 0 clean · 1 gated failures 2 drift · 3 error