pizzabits

A 300-line eBPF tool that shows which pods are reading your K8s secrets and how often.

68 stars, 100% credibility. Found Feb 18, 2026 at 45 stars.
AI Summary (repository language: Go)

A monitoring tool for Kubernetes clusters that tracks how often pods access secret files to detect suspicious patterns like compromised workloads repeatedly reading tokens.

How It Works

1. 🔍 Discover the Monitor: You're running apps in a shared cluster and worry about sneaky programs stealing secrets, so you find this simple watcher tool.
2. 🚀 Launch with One Click: You run an easy installer script that sets up the secret watcher right inside your cluster.
3. Give It a Moment: It takes about 30 seconds to wake up and start quietly watching every time apps touch secret files.
4. 👀 Peek at the Watchlist: You connect from your laptop to see a live report of which apps are reading secrets and how often.
5. 🧪 Test Suspicious Behavior: You add a pretend naughty app that grabs secrets non-stop to practice spotting trouble.
6. 🚨 Spot the Red Flag: The report jumps out with the bad app hammering secrets thousands of times a second, screaming 'not normal!'

Secrets Stay Safe

You've got eyes on your secrets now, catching weird access early and keeping your cluster secure.

AI-Generated Review

What is secrets-snitcher?

Secrets-snitcher is a 300-line eBPF tool written in Python that monitors Kubernetes pods accessing secrets. It tracks read frequency over a 60-second window and flags whether each pod caches the value in memory or re-reads it from disk every time. Deploy it as a privileged pod (no Docker build needed) and query its HTTP API on port 9100 for JSON showing pod names, secret paths such as service account tokens, reads per second, and a "cached" boolean. It catches outliers like compromised pods hammering tokens, closing a blind spot: Kubernetes itself doesn't reveal secret usage patterns.
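To make the reporting side of that description concrete, here is an added example (not secrets-snitcher's own code) that takes already-collected file-open events, keeps only those under a secret mount, and produces the per-pod, per-path summary the review describes: reads in a trailing 60-second window, reads per second, a "cached" boolean, and an outlier flag. The eBPF hook that would collect the events in-kernel is left out so the example runs offline; the event fields, the `/var/run/secrets/` prefix list, the one-read-per-window "cached" heuristic and the 10 reads/second alert threshold are assumptions for this demo, as is the sample data.

```python
"""Added example: per-pod secret read-rate summary in the JSON shape the page describes.

Illustrative code, not secrets-snitcher's source. It skips the eBPF side (hooking
file opens in the kernel) and consumes already-collected open() events instead.
Event fields, the window, the "cached" heuristic and the alert threshold are
assumptions made for this demo.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

SECRET_PREFIXES = ("/var/run/secrets/",)  # assumed: in-tree secret mount root; add CSI mount roots as needed
WINDOW_SECONDS = 60.0                      # trailing window the page mentions
CACHED_MAX_READS = 1                       # assumed: <=1 read per window means the pod holds the value in memory
SUSPICIOUS_READS_PER_SEC = 10.0            # assumed alert threshold for "hammering" a secret


@dataclass(frozen=True)
class OpenEvent:
    ts: float   # seconds (epoch or monotonic), when the open() happened
    pod: str    # pod name, resolved from the process cgroup (the tool does this via procfs)
    path: str   # file the process opened


def is_secret_path(path: str) -> bool:
    """Only opens under a secret mount count; everything else is dropped at zero cost."""
    return path.startswith(SECRET_PREFIXES)


def summarize(events, now, window=WINDOW_SECONDS):
    """Return one dict per (pod, path) for secret reads inside the trailing window."""
    counts = defaultdict(int)
    for ev in events:
        if ev.ts > now or now - ev.ts > window:
            continue  # outside the window
        if not is_secret_path(ev.path):
            continue  # non-secret open: the in-kernel filter would never report it
        counts[(ev.pod, ev.path)] += 1
    rows = []
    for (pod, path), n in sorted(counts.items()):
        rps = n / window
        rows.append({
            "pod": pod,
            "path": path,
            "reads": n,
            "reads_per_sec": round(rps, 3),
            "cached": n <= CACHED_MAX_READS,            # read once, then served from memory
            "suspicious": rps >= SUSPICIOUS_READS_PER_SEC,  # outlier worth investigating
        })
    return rows


def to_json(rows) -> str:
    """Serialize the summary the way an HTTP endpoint would return it."""
    return json.dumps(rows, indent=2)


# Constructed sample events: a well-behaved app reads its token once, a chatty app
# re-reads it every couple of seconds, a demo "malicious" pod hammers it at 100 opens/s
# for half the window, one open is a non-secret file, and one read is outside the window.
TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
NOW = 1000.0
SAMPLE_EVENTS = (
    [OpenEvent(NOW - 55.0, "api-7c9d", TOKEN)]
    + [OpenEvent(NOW - 60.0 + i * 2.0, "worker-1a2b", TOKEN) for i in range(30)]
    + [OpenEvent(NOW - 30.0 + i * 0.01, "evil-demo", TOKEN) for i in range(3000)]
    + [OpenEvent(NOW - 10.0, "api-7c9d", "/etc/hosts")]
    + [OpenEvent(NOW - 120.0, "old-pod", TOKEN)]
)

if __name__ == "__main__":
    print(to_json(summarize(SAMPLE_EVENTS, NOW)))
```

The three rows the sample produces map directly onto the page's story: the once-per-window reader is reported as cached, the every-two-seconds reader is not cached but unremarkable, and the demo pod shows 50 reads per second averaged over the window and is flagged. In a real deployment the `cached` heuristic is what surfaces apps that will break on secret rotation, while the `suspicious` flag is the one to wire into alerting.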

Why is it gaining traction?

In 300 lines, it delivers kernel-level visibility with zero overhead on non-secret accesses, supporting common mounts like /var/run/secrets and CSI drivers, across AKS, EKS, K3s, and more. The one-liner install script, inline YAML deploy, and demo malicious pod make testing instant, while the API integrates easily with dashboards. Developers dig the eBPF simplicity over bloated alternatives, plus pod resolution from procfs for real-world pod names.

Who should use this?

Kubernetes security engineers auditing service account token abuse, SREs hunting non-caching apps that break on rotations, and platform teams validating secret hygiene in production clusters. Ideal for K3s users or anyone with kernel headers on Ubuntu nodes needing quick secret observability without agents everywhere.

Verdict

Grab it for proofs-of-concept or side projects: 44 stars and a 1.0% credibility score reflect its weekend-project status, with solid docs, tests, and platform guides, but skip it for high-scale production until persistence and auth land. Strong start on eBPF secret monitoring.
