Early preview
OpenMeshGuard is a least-privilege posture scanner for upstream Istio. It verifies deployed mTLS, authorization, exposure, ownership, lifecycle, sidecar, and ambient evidence without taking over the mesh.
Example findings shown in the preview:
- payments/frontend-gateway: Wildcard host exposes an internal service
- claims-prod: No AuthorizationPolicy found for mesh-enabled namespace
- ztunnel coverage: 2 scheduled nodes have missing ambient evidence
Why it exists
OSS v1 scope
Start with a lean Go CLI that reads Kubernetes, Istio, and Gateway API resources using explicit least-privilege RBAC. OpenMeshGuard reports confirmed risk, missing evidence, unsupported lifecycle posture, and remediation guidance without requiring write access.
Discover namespaces, workloads, Istio resources, Gateway API routes, proxy versions, ztunnel, and waypoints.
Evaluate deployed-state mTLS, authorization, gateways, egress, EnvoyFilters, ownership, lifecycle, and ambient posture.
Export canonical OpenMeshGuard JSON, SARIF, and static HTML reports with permission and evidence summaries.
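As an added illustration (not OpenMeshGuard's own code), a Go sketch of the kind of deployed-state evaluation described above: over a constructed namespace inventory it grades mTLS posture from PeerAuthentication modes and flags mesh-enabled namespaces that have no AuthorizationPolicy, keeping confirmed risk apart from missing evidence. The types, function names and sample namespaces are assumptions made for the example.

```go
package main

// Namespace is a constructed inventory record (not an OpenMeshGuard type): labels,
// mTLS mode of its own PeerAuthentication ("" if none) and AuthorizationPolicy count.
type Namespace struct {
	Name          string
	Labels        map[string]string
	PeerAuthMode  string
	AuthzPolicies int
}

// Finding.Kind is "risk" (confirmed) or "missing-evidence" (posture cannot be proven).
type Finding struct{ Scope, Kind, Message string }

// Evaluate grades each mesh-enabled namespace; meshMTLS is the mode of the
// mesh-wide PeerAuthentication in the root namespace ("" if none).
func Evaluate(meshMTLS string, nss []Namespace) []Finding {
	var out []Finding
	for _, ns := range nss {
		// Sidecar-injected or ambient-enrolled; istio.io/rev revision labels are omitted here.
		inMesh := ns.Labels["istio-injection"] == "enabled" || ns.Labels["istio.io/dataplane-mode"] == "ambient"
		if !inMesh {
			continue // outside the mesh: Istio policy cannot apply, nothing to grade
		}
		mode := ns.PeerAuthMode
		if mode == "" {
			mode = meshMTLS // no namespace policy: the mesh-wide one is inherited
		}
		if mode == "" {
			out = append(out, Finding{ns.Name, "missing-evidence", "no PeerAuthentication at namespace or mesh scope; mTLS posture unknown"})
		} else if mode != "STRICT" {
			out = append(out, Finding{ns.Name, "risk", "PeerAuthentication mode " + mode + " is not STRICT, so plaintext may be accepted"})
		}
		if ns.AuthzPolicies == 0 {
			out = append(out, Finding{ns.Name, "risk", "No AuthorizationPolicy found for mesh-enabled namespace"})
		}
	}
	return out
}

// SampleNamespaces is a constructed inventory that exercises every branch.
func SampleNamespaces() []Namespace {
	return []Namespace{
		{"payments-prod", map[string]string{"istio-injection": "enabled"}, "STRICT", 2},
		{"claims-prod", map[string]string{"istio-injection": "enabled"}, "", 0},
		{"legacy", map[string]string{"istio.io/dataplane-mode": "ambient"}, "PERMISSIVE", 1},
		{"batch", map[string]string{}, "", 0},
	}
}
```

Running `Evaluate("", SampleNamespaces())` yields two findings for claims-prod and one for legacy; passing a STRICT mesh-wide mode clears only the missing-evidence finding, because inherited mTLS says nothing about authorization.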
Planned CLI
Community v1 uses typed Kubernetes, Istio, and Gateway clients where practical, normalizes findings into OpenMeshGuard JSON, exports SARIF for CI, and validates support with real Kind-based Istio sidecar and ambient deployments.
$ openmeshguard scan --context prod-cluster --all-namespaces
$ openmeshguard report --format html
$ openmeshguard export --format sarif
$ openmeshguard score --namespace payments-prod
$ openmeshguard scan --context kind-cluster1 --context kind-cluster2