Early preview

Move from assumed mesh security to verified Istio posture.

OpenMeshGuard is a least-privilege posture scanner for upstream Istio. It verifies deployed mTLS, authorization, exposure, ownership, lifecycle, sidecar, and ambient evidence without taking over the mesh.

Least-privilege get/list | Sidecar + ambient | Evidence-grade | Upstream Istio first

Latest scan: prod-istio-east-01
Mesh governance score: 74 / 100 (3 fail, 19 warn, 81 pass)

mTLS posture:   67% of production namespaces enforcing strict mode
AuthZ coverage: 54% of workloads with explicit policy
API access:     get/list (least-privilege scan profile)
Mesh mode:      Sidecar + ambient (upstream Istio v1 target)

Finding                            Evidence
Fail  payments/frontend-gateway    Wildcard host exposes an internal service
Fail  claims-prod                  No AuthorizationPolicy found for mesh-enabled namespace
Warn  ztunnel coverage             2 scheduled nodes have missing ambient evidence

Why it exists

Istio gives you powerful controls. OpenMeshGuard verifies what is deployed, what is protected, and what evidence is missing.

OSS v1 scope

Govern the mesh without taking over the mesh.

Start with a lean Go CLI that reads Kubernetes, Istio, and Gateway API resources using explicit least-privilege RBAC. OpenMeshGuard reports confirmed risk, missing evidence, unsupported lifecycle posture, and remediation guidance without requiring write access.

Inventory

Discover namespaces, workloads, Istio resources, Gateway API routes, proxy versions, ztunnel, and waypoints.

Findings

Evaluate deployed-state mTLS, authorization, gateways, egress, EnvoyFilters, ownership, lifecycle, and ambient posture.

Evidence

Export canonical OpenMeshGuard JSON, SARIF, and static HTML reports with permission and evidence summaries.

Planned CLI

Start with a scanner practitioners can trust.

Community v1 uses typed Kubernetes, Istio, and Gateway clients where practical, normalizes findings into OpenMeshGuard JSON, exports SARIF for CI, and validates support with real Kind-based Istio sidecar and ambient deployments.
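The following is an added example, not OpenMeshGuard's own code, showing the kind of deployed-state evaluation described under Findings above and the normalization of results into JSON mentioned in this paragraph. It uses simplified stand-in structs instead of the typed Istio and Gateway API clients, assumes istio-system as the mesh root namespace, uses FAIL/WARN/PASS severities, and uses a simple pass-ratio score; all of those are this example's assumptions, not the project's definitions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Stand-ins for the resources a get/list-only scanner would collect.
// Constructed for this example; not OpenMeshGuard's types.
type Namespace struct {
	Name    string
	InMesh  bool // sidecar injection or ambient dataplane mode enabled
	Ambient bool // ambient mode: a ztunnel is expected on every node
}

type PeerAuthentication struct {
	Namespace string // the root namespace holds the mesh-wide default
	Mode      string // STRICT, PERMISSIVE or DISABLE
}

type AuthorizationPolicy struct{ Namespace, Name string }

type Gateway struct {
	Namespace, Name string
	Hosts           []string // Istio Gateway hosts, optionally "ns/host"
}

type Node struct {
	Name       string
	HasZtunnel bool // a ztunnel pod is scheduled and ready on this node
}

// Finding is the normalized record every check emits; PASS entries are
// kept so the report shows what was verified, not only what failed.
type Finding struct {
	Severity string `json:"severity"` // FAIL, WARN or PASS
	Resource string `json:"resource"`
	Evidence string `json:"evidence"`
}

const rootNamespace = "istio-system" // assumed mesh root namespace

// effectiveMode resolves the mTLS mode a namespace actually gets: a
// namespace-level PeerAuthentication wins over the mesh-wide default,
// and Istio falls back to PERMISSIVE when neither is set.
func effectiveMode(ns string, pas []PeerAuthentication) string {
	mode := "PERMISSIVE"
	for _, pa := range pas {
		if pa.Namespace == rootNamespace && pa.Mode != "" {
			mode = pa.Mode
		}
	}
	for _, pa := range pas {
		if pa.Namespace == ns && pa.Mode != "" {
			return pa.Mode
		}
	}
	return mode
}

// Evaluate turns the read-only inventory into findings without touching the mesh.
func Evaluate(nss []Namespace, pas []PeerAuthentication, aps []AuthorizationPolicy, gws []Gateway, nodes []Node) []Finding {
	var out []Finding
	hasAuthz := map[string]bool{}
	for _, ap := range aps {
		hasAuthz[ap.Namespace] = true
	}
	ambient := false
	for _, ns := range nss {
		if !ns.InMesh {
			continue // out-of-mesh namespaces are inventoried but not judged
		}
		ambient = ambient || ns.Ambient
		if m := effectiveMode(ns.Name, pas); m == "STRICT" {
			out = append(out, Finding{"PASS", ns.Name, "mTLS mode STRICT"})
		} else {
			out = append(out, Finding{"WARN", ns.Name, "mTLS mode " + m + ": plaintext accepted"})
		}
		if hasAuthz[ns.Name] {
			out = append(out, Finding{"PASS", ns.Name, "AuthorizationPolicy present"})
		} else {
			out = append(out, Finding{"FAIL", ns.Name, "No AuthorizationPolicy found for mesh-enabled namespace"})
		}
	}
	for _, gw := range gws {
		res := gw.Namespace + "/" + gw.Name
		for _, h := range gw.Hosts {
			dns := h[strings.LastIndex(h, "/")+1:] // strip an optional "ns/" prefix
			switch {
			case dns == "*":
				out = append(out, Finding{"FAIL", res, "Wildcard host " + h + " exposes any service the gateway can reach"})
			case strings.HasPrefix(dns, "*."):
				out = append(out, Finding{"WARN", res, "Wildcard subdomain " + h + ": confirm it is intended"})
			default:
				out = append(out, Finding{"PASS", res, "Host " + h + " is explicit"})
			}
		}
	}
	if ambient { // missing evidence is reported, not assumed secure
		for _, n := range nodes {
			if n.HasZtunnel {
				out = append(out, Finding{"PASS", n.Name, "ztunnel present"})
			} else {
				out = append(out, Finding{"WARN", n.Name, "missing ambient evidence: no ztunnel on node"})
			}
		}
	}
	return out
}

// Score is an assumed weighting for this example, not the project's formula:
// the share of checks that passed, scaled to 0..100.
func Score(fs []Finding) int {
	if len(fs) == 0 {
		return 0
	}
	pass := 0
	for _, f := range fs {
		if f.Severity == "PASS" {
			pass++
		}
	}
	return pass * 100 / len(fs)
}

func main() {
	// Constructed sample inventory.
	nss := []Namespace{{"payments", true, false}, {"claims-prod", true, true}, {"kube-system", false, false}}
	pas := []PeerAuthentication{{"istio-system", "STRICT"}, {"claims-prod", "PERMISSIVE"}}
	aps := []AuthorizationPolicy{{"payments", "deny-by-default"}}
	gws := []Gateway{{"payments", "frontend-gateway", []string{"*"}}}
	nodes := []Node{{"node-a", true}, {"node-b", false}}
	fs := Evaluate(nss, pas, aps, gws, nodes)
	b, _ := json.MarshalIndent(fs, "", "  ")
	fmt.Println(string(b))
	fmt.Println("score:", Score(fs))
}
```

With the constructed inventory the run reports two FAILs (the wildcard gateway host and the namespace with no AuthorizationPolicy), a WARN for the namespace whose own PeerAuthentication downgrades the mesh-wide STRICT default, and a WARN for the node with no ztunnel evidence; the SARIF export a CI pipeline would consume is a straightforward mapping of these records.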

$ openmeshguard scan --context prod-cluster --all-namespaces
$ openmeshguard report --format html
$ openmeshguard export --format sarif
$ openmeshguard score --namespace payments-prod
$ openmeshguard scan --context kind-cluster1 --context kind-cluster2