Kubernetes Compliance Automation, From Scan to Auditor-Ready Report

One command runs CIS, SOC 2, HIPAA, PCI DSS, and GCC profiles, maps findings across frameworks, and watches for drift.

Compliance Automation | kubeqa

Most teams treat Kubernetes compliance as a manual chore: run kube-bench every few weeks, paste results into a spreadsheet, map findings to SOC 2 controls by hand, and ship a PDF that is already stale by the time auditors read it. kubeqa automates the entire workflow - scan, map, monitor, and report - against the Kubernetes API read-only, with no cluster-side agents, CRDs, or Helm charts required to get an answer. It runs as a single Go CLI and, where it helps, an optional Python AI backend.

How it works

kubeqa reads your cluster state, evaluates it against built-in compliance profiles, and reports control-by-control pass/fail in seconds. Point it at a framework and run:

$ kubeqa compliance audit --framework cis-1.8
  Pass: 128/142 controls (90.1%)
  Fail: 14 controls
  Top finding: 4.2.1 - Minimize access to secrets

Need more than one framework at once? Pass a comma-separated list and kubeqa performs cross-framework mapping automatically, so a single misconfiguration is flagged everywhere it applies:

$ kubeqa compliance audit --framework cis-1.8,soc2,pci-dss
  Finding: no NetworkPolicy in namespace "payments"
    -> CIS 5.3.2 (FAIL)
    -> SOC 2 CC6.1 (FAIL) - logical access boundary controls
    -> PCI DSS 1.3.2 (FAIL) - restrict inbound/outbound traffic

One finding, three frameworks, one fix.

What it covers

kubeqa ships with built-in profiles for the standards teams actually get audited against:

  • CIS Kubernetes Benchmark (and EKS, AKS, GKE variants) - general and cloud-specific security baselines
  • NSA/CISA Kubernetes Hardening Guidance - US government security posture
  • Pod Security Standards - the Kubernetes-native security baseline
  • SOC 2 Type II - SaaS companies and their auditors
  • HIPAA Technical Safeguards - healthcare workloads
  • PCI DSS v4.0 - payment processing environments
  • NESA (UAE) and NCA ECC (Saudi) - GCC regulatory coverage

Why it matters

  • Catch drift the moment it happens, not at the next quarterly audit. A point-in-time scan is stale within hours because clusters change constantly.
  • One tool instead of four to six. Replace kube-bench plus Checkov plus manual SOC 2 and HIPAA mapping with a single audit pass.
  • Auditor-ready evidence on demand instead of screenshot-gathering sprints before every review.
  • Free and open source, so security and platform teams can adopt it without procurement.

GCC coverage: NESA and NCA

This is where kubeqa stands apart. It is one of the only open-source Kubernetes tools with native GCC compliance profiles for UAE NESA and Saudi NCA ECC, covering data sovereignty, encryption requirements, access controls, and audit logging specific to GCC regulators.

# UAE NESA compliance
$ kubeqa compliance audit --framework nesa

# Saudi NCA ECC compliance
$ kubeqa compliance audit --framework nca-ecc

Teams operating in the UAE and Saudi Arabia get regulator-aligned coverage out of the box, with no other open-source K8s tool offering the same.

Continuous audit, drift detection, and evidence

Run kubeqa on a schedule and it moves from a one-off scan to continuous compliance monitoring. When a previously passing control regresses, kubeqa fires an alert immediately:

Compliance Drift Detected
Cluster: production (EKS us-east-1)
Framework: CIS 1.8
Control: 5.1.6 - Ensure Network Policies are defined
Status: PASS -> FAIL
Namespace: payments

Every audit also collects evidence - the underlying resource configurations behind each pass or fail - alongside remediation guidance and historical trend data, so an auditor gets context, not just a verdict. Compliance PDF exports are a kubeqa Cloud feature (coming soon); the CLI gives you the full audit, mapping, drift detection, and evidence today.

Open source and pricing

The kubeqa CLI is free forever under Apache 2.0. kubeqa Cloud adds team features on top - multi-cluster dashboards, historical trends, collaboration, SSO, audit logs, and compliance PDF exports - and is coming soon. Cloud never gates OSS functionality. See pricing for details.

Install it and run your first audit in under a minute: brew install nomadx-ae/tap/kubeqa. Star kubeqa on GitHub or see pricing.

Ship Kubernetes with Confidence

Free for open-source use. No credit card required. Install kubeqa and run your first cluster scan in under 5 minutes.

Get Started Free