Best Practice

Make sure your cluster configuration follows industry standards best practices

The Best Practice report on the CAST AI platform is a powerful tool for assessing the security posture of your Kubernetes clusters against industry and DevOps best practices. The report provides a detailed evaluation of your resources, ensuring compliance with the security and operational standards set by CAST AI or the CIS for Kubernetes benchmarks.

CAST AI employs a transparent scoring system that prioritizes issues based on severity, enabling you to allocate resources effectively and streamline communication with the security team. The severity score and level of each issue are determined using the CVSS v3.1 (Common Vulnerability Scoring System) standard, providing a standardized approach to assessing the criticality of security vulnerabilities.

Access the report

To access the Best practice report, follow these steps:

  1. Log in to the CAST AI console.
  2. Select Security > Best practice from the sidebar.



To receive a full assessment of your cluster, enabling the CAST AI Security feature is required. By default, the Best Practice report only provides a limited number of best practices without this feature. Please refer to the Getting started section for instructions on enabling CAST AI Security.

Inside the report

The Best Practice report presents a list of findings related to best practice violations. Each check includes detailed information, such as:

  • Description of the check
  • Severity level of the issue (based on the CVSS scoring system)
  • Number of affected resources
  • Relevant standards and configurations associated with the check
  • Remediation procedure to address the issue

The report also summarizes the number of resources and clusters that violate each best practice, along with the corresponding severity level.

Filter resources

To focus on specific resources, use the filters located above the list.

The filters allow you to narrow down the view based on various criteria, such as:

  • Resource location (cluster or namespace)
  • Resource labels
  • Severity level
  • Compliance standard

By applying the appropriate filters, you can quickly identify the resources of interest and assess their compliance with best practices.

Access detailed compliance check information

To obtain more information about a specific failed check, click on the check name.

This action will open a detailed view containing:

  • Comprehensive description of the problem
  • Severity level of the issue
  • Remediation steps to address the violation
  • Number of affected resources
  • Resources associated with the check
  • Other relevant details

Manage exceptions

In some cases, you may have resources that do not comply with best practices but are considered acceptable risks. The Best Practice report provides an exception feature that allows you to exclude such resources from the reporting.

Add an exception

To exclude specific resources from a best practice check, follow these steps:

  1. Click on the check you want to manage.
  2. Click the Exceptions button in the drawer's top right corner.
  3. In the new drawer that appears, define the exception rules by specifying the location, name, and kind of resource you want to exclude. You can create multiple exception rules as needed.
  1. Review the impacted resources in the table.
  2. If satisfied with the result, click the Apply button to save the exceptions.

To view the excluded resources for each check, select the Excepted value in the Resources filter in the Resources tab:

Remove or modify an exception

If you need to remove previously applied exceptions, follow these steps:

  1. Click on the check you want to manage.
  2. Click the Exceptions button in the drawer's top right corner.
  3. In the exception rules drawer, modify or remove the rules as needed.
  4. Review the dynamically updated list of excepted resources in the table.
  5. If satisfied with the changes, click the Apply button to save the modifications.