SSH_scan is an easy-to-use prototype SSH configuration and policy scanner, inspired by the Mozilla OpenSSH Security Guide, which provides a reasonable baseline policy recommendation for SSH configuration parameters such as Ciphers, MACs, KexAlgos, and more.

To learn more about the ssh_scan scanner itself, visit the ssh_scan GitHub repository.


The SSH_scan ScanType can be deployed via helm.

helm upgrade --install ssh-scan secureCodeBox/ssh-scan

Scanner Configuration

The following security scan configuration examples are based on the ssh_scan documentation. Please take a look at the original documentation for more configuration examples.

ssh_scan v0.0.21 (

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -v, --version                    Display just version info
    -h, --help                       Show this message


  ssh_scan -t
  ssh_scan -t
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t -p 22222
  ssh_scan -t -p 22222 -L output.log -V INFO
  ssh_scan -t -P custom_policy.yml
  ssh_scan -t --unit-test -P custom_policy.yml
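
The `-o output.json` report can gate a pipeline in the same spirit as `--unit-test`. The following is an added example, not part of ssh_scan or secureCodeBox: it triages a report into compliant, failing and unscanned hosts. The sample report is constructed, and the field names (`compliance.compliant`, `compliance.grade`, `compliance.recommendations`, `error`) are assumptions about the report layout.

```python
import json

# Constructed sample shaped like an `ssh_scan -o output.json` report (one
# object per scanned host). Field names are assumptions; the hosts are made up.
SAMPLE_REPORT = """
[
  {"ip": "192.0.2.10", "port": 22,
   "compliance": {"policy": "Mozilla Modern", "compliant": false, "grade": "D",
     "recommendations": ["Remove these MAC algorithms: hmac-sha1",
                         "Remove these authentication methods: password"]}},
  {"ip": "192.0.2.11", "port": 22222,
   "compliance": {"policy": "Mozilla Modern", "compliant": true, "grade": "A",
     "recommendations": []}},
  {"ip": "192.0.2.12", "port": 22, "error": "connection timed out"}
]
"""

def triage(report_text):
    """Split hosts into compliant, failing, and unscanned buckets."""
    result = {"compliant": [], "failing": [], "unscanned": []}
    for host in json.loads(report_text):
        endpoint = f"{host.get('ip', '?')}:{host.get('port', '?')}"
        compliance = host.get("compliance")
        # No compliance block means the scan itself failed; do not count the
        # host as passing just because nothing was flagged.
        if "error" in host or not isinstance(compliance, dict):
            result["unscanned"].append((endpoint, host.get("error", "no compliance data")))
        elif compliance.get("compliant") is True:
            result["compliant"].append(endpoint)
        else:
            result["failing"].append(
                (endpoint, compliance.get("grade"), compliance.get("recommendations", [])))
    return result

def exit_code(result):
    """0 only when every host was scanned and passed the policy."""
    return 0 if not result["failing"] and not result["unscanned"] else 1

if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    for endpoint, grade, recs in res["failing"]:
        print(f"FAIL {endpoint} grade={grade}")
        for rec in recs:
            print(f"     - {rec}")
    for endpoint, reason in res["unscanned"]:
        print(f"SKIP {endpoint}: {reason}")
    raise SystemExit(exit_code(res))
```

Treating unscanned hosts as failures keeps a timeout or a wrong port from silently passing the gate.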

Chart Configuration

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cascadingRules.enabled | bool | true | Enables or disables the installation of the default cascading rules for this scanner |
| image.repository | string | "mozilla/ssh_scan" | Container Image to run the scan |
| image.tag | string | "latest@sha256:ebd76f798159844c0baca6b78cc324ba1966b11eb4f45118397a59d01f764c97" | defaults to the charts appVersion |
| parseJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: |
| parserImage.repository | string | "" | Parser image repository |
| parserImage.tag | string | defaults to the charts version | Parser image tag |
| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: |
| scannerJob.env | list | [] | Optional environment variables mapped into each scanJob (see: |
| scannerJob.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: |
| scannerJob.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: |
| scannerJob.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: |
| scannerJob.resources | object | {} | CPU/memory resource requests/limits (see:, |
| scannerJob.securityContext | object | {} | Optional securityContext set on scanner container (see: |
| scannerJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: |



apiVersion: ""
kind: Scan
metadata:
  name: "ssh-ssh-demo-cluster-internal"
spec:
  scanType: "ssh-scan"
  parameters:
    - "-t"
    - "dummy-ssh.demo-apps.svc"

apiVersion: ""
kind: Scan
metadata:
  name: ""
  labels:
    company: example
spec:
  scanType: "ssh-scan"
  parameters:
    - "-t"
    - "-p"
    - "22222"


apiVersion: ""
kind: Scan
metadata:
  name: "ssh-localhost"
  labels:
    company: localhost
spec:
  scanType: "ssh-scan"
  parameters:
    - "-t"
    - localhost