Deepce vs kube-hunter

GitHub Stats

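Stars: Deepce 1.5k, kube-hunter 5.0k
Forks: Deepce 119, kube-hunter 605
Issues: Deepce 8, kube-hunter 82
Updated: Deepce 3mo ago, kube-hunter 2y ago
License: Deepce Apache-2.0, kube-hunter Apache-2.0
Language: Deepce Shell, kube-hunter Python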

About Deepce

Deepce (Docker Enumeration, Escalation of Privileges, and Container Escapes) is a tool designed to help identify vulnerable Docker installations and find potential container escape routes. Written as a portable shell script with no dependencies, it runs inside Docker containers to assess the security posture from the inside out. Deepce checks for dangerous capabilities (SYS_ADMIN, SYS_PTRACE, DAC_READ_SEARCH), mounted Docker sockets, writable host mounts, misconfigured namespaces, and known kernel vulnerabilities that enable container escapes. It also fingerprints the container environment, identifies the container runtime (Docker, Podman, LXC), checks network configuration, and enumerates neighboring containers. Its zero-dependency design makes it ideal for quick assessments during penetration tests where you land inside a container and need to assess your options.

About kube-hunter

kube-hunter is an open-source tool from Aqua Security that hunts for security weaknesses in Kubernetes clusters. It can run from outside the cluster (remote scanning), from a machine inside the network, or as a pod within the cluster itself to simulate different attacker perspectives. kube-hunter checks for a wide range of vulnerabilities including exposed API servers, kubelet API access, etcd access, privilege escalation paths, container escape vectors, and misconfigurations in RBAC, network policies, and pod security. Each finding includes a severity rating, description, and remediation guidance. The tool generates reports in JSON, YAML, or human-readable formats, making it easy to integrate into CI/CD pipelines or compliance workflows. kube-hunter is particularly valuable for security teams validating the hardening of their Kubernetes deployments.

Platform Support

๐Ÿงlinux
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Tags

Deepce only

docker, enumeration, privilege-escalation, container-escape, shell-script

kube-hunter only

kubernetes, pentest, cluster-security, rbac, aqua-security, misconfiguration