[HN Gopher] Show HN: Kexa.io - Open-Source IT Security and Compl...
       ___________________________________________________________________
        
       Show HN: Kexa.io - Open-Source IT Security and Compliance
       Verification
        
       Hi HN,
        
       We're building Kexa.io (https://github.com/kexa-io/Kexa), an
       open-source tool developed in France (incubated at Euratech Cyber
       Campus) to help teams automate the often tedious process of
       verifying IT security and compliance. Keeping track of
       configurations across diverse assets (servers, K8s, cloud
       resources) and ensuring they meet security baselines (like CIS
       benchmarks, etc.) manually is challenging and error-prone.
        
       Our goal with the open-source core is to provide a straightforward
       way to define checks, scan your assets, and get clear reports on
       your security posture. You can define your own rules or use common
       standards.
        
       We are now actively developing our SaaS offering, planned for a
       beta release around June 2025. The key feature will be an
       AI-powered security administration agent specifically designed for
       cloud environments (initially targeting AWS, GCP, Azure). Instead
       of just reporting issues, this agent will aim to provide proactive,
       actionable recommendations and potentially automate certain
       remediation tasks to simplify cloud security management and
       hardening.
        
       We'd love for the HN community to check out the open-source project
       on GitHub. Feedback on the concept or the current tool is highly
       welcome, and a star if you find it interesting helps others
       discover the project! If the upcoming AI-powered cloud security
       agent sounds interesting, we'd be particularly keen to hear your
       thoughts or if you might be interested in joining the beta (~June
       2025).
        
       Thank you!!
        
       Author : patrick4urcloud
       Score  : 58 points
       Date   : 2025-04-30 13:04 UTC (9 hours ago)
        
       | mrbluecoat wrote:
       | An admittedly superficial comment: what is your logo supposed to
       | be? A mouse? Reminds me of that famous young/old optical
       | illusion: https://www.braingle.com/brainteasers/26745/old-or-
       | young-wom...
       | 
       | Great job on the tool, by the way. Anything to improve the
       | security posture of companies is a good thing!
        
         | patrick4urcloud wrote:
         | Thanks! Yes, it's a mouse looking everywhere :-) (small, cheap,
         | fast). See more articles on how to use Kexa on Medium (kexa):
         | https://medium.com/@contact_52772
        
       | gitroom wrote:
       | this kinda stuff is right up my alley, love when folks make it
       | easier to cut through all the security noise
        
       | shooker435 wrote:
       | Wow, very cool. Would this replace a Vanta or complement it?
        
         | patrick4urcloud wrote:
         | We have to look at and study this solution, but maybe. We can
         | define in a YAML file a set of rules for a project and verify
         | that no changes have been made cross-platform with a CI/CD,
         | Docker, Kubernetes, or script for compliance. We can discuss
         | further on Slack if you want.
        
         | szarapka wrote:
         | At best it would complement Vanta.
         | 
         | Vanta handles/automates(ish) the compliance process for actual
         | regulatory frameworks/programs (SOC2, ISO27001, GDPR, etc).
         | From looking at their site/repo for Kexa, they don't have
         | anything specific to this type of compliance.
         | 
         | In theory you could use Kexa to set up rules to help you
         | achieve compliance, but you'd still need a Vanta or something
         | else to help you understand if you're actually compliant with a
         | given framework.
        
       | stego-tech wrote:
       | I'm always a fan of automated compliance and vulnerability
       | management tooling - looking forward to giving this a spin at
       | some point.
       | 
       | One bit of UX feedback: your "Offers" page isn't rendering
       | correctly on my iPhone (14 Pro) device. The text isn't wrapping,
       | graphics don't seem to be scaling, and the columns are
       | misaligned.
       | 
       | Once the current network rebuild is done, I'm looking forward to
       | rolling this and Wazuh to try out both.
        
       | zufallsheld wrote:
       | Does this work without your SaaS component? Can I run it air-
       | gapped?
        
       | sontek wrote:
       | Can you give a brief explanation of the benefits of your policy
       | engine over using cloud custodian?
        
         | patrick4urcloud wrote:
         | In Kexa policies all cloud properties are JSON-like and mixable.
         | We can add any addon possible as we use TypeScript. Kexa is
         | based on the cloud SDKs, so properties have the same names as
         | at the cloud provider. You can easily add an addon in
         | TypeScript in Kexa. If you're Walmart you can create an addon
         | for your on-premise cash service, mix it with your backend in a
         | cloud provider and create visualisations in Grafana. You can
         | output to webhook, database and Ollama (LLM), maybe further?
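The reply above (and the later one about predefined CIS-based YAML rules) describes the engine as operator checks over JSON-like cloud properties that can be mixed together. The following is an added illustrative example, not Kexa's code and not its rule format: a minimal TypeScript policy engine that resolves dotted property paths, applies a few operators, combines checks with all/any/not, and reports every resource that is not in the expected state. The rule schema, operator names, resource shapes and sample inventory are all constructed assumptions; YAML loading and webhook/database output are left out so it runs stand-alone.

```typescript
// Added example (not Kexa's code or rule format): a minimal policy engine that
// evaluates operator-based checks over JSON-like resource properties and
// combines them with all/any/not. Every name and sample value below is assumed.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

type Operator = "equal" | "notEqual" | "contains" | "regex";
interface Leaf { property: string; operator: Operator; value: Json }
// A condition is either a leaf check or a boolean combination of conditions.
type Condition = Leaf | { all: Condition[] } | { any: Condition[] } | { not: Condition };

interface Rule { name: string; severity: "high" | "medium" | "low"; resourceType: string; condition: Condition }
interface Resource { type: string; id: string; properties: Json }
interface Finding { rule: string; severity: Rule["severity"]; resourceId: string }

// Structural equality that ignores object key order (JSON.stringify would not).
function deepEqual(a: Json | undefined, b: Json | undefined): boolean {
  if (a === b) return true;
  if (typeof a !== "object" || typeof b !== "object" || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  if (Array.isArray(a)) {
    const bArr = b as Json[];
    return a.length === bArr.length && a.every((x, i) => deepEqual(x, bArr[i]));
  }
  const aObj = a as { [key: string]: Json };
  const bObj = b as { [key: string]: Json };
  const keys = Object.keys(aObj);
  return keys.length === Object.keys(bObj).length && keys.every((k) => deepEqual(aObj[k], bObj[k]));
}

// Resolve a dotted path such as "Encryption.Algorithm" or "IngressRules.0.Cidr";
// a missing segment yields undefined instead of throwing.
function getPath(obj: Json, path: string): Json | undefined {
  let cur: Json | undefined = obj;
  for (const seg of path.split(".")) {
    if (cur === null || cur === undefined || typeof cur !== "object") return undefined;
    cur = Array.isArray(cur) ? cur[Number(seg)] : cur[seg];
  }
  return cur;
}

// True when the resource satisfies the condition (is in the expected state).
// "equal", "contains" and "regex" on a missing property evaluate to false, so a
// rule that requires a setting fails closed when the setting is absent.
function evaluate(cond: Condition, props: Json): boolean {
  if ("all" in cond) return cond.all.every((c) => evaluate(c, props));
  if ("any" in cond) return cond.any.some((c) => evaluate(c, props));
  if ("not" in cond) return !evaluate(cond.not, props);
  const actual = getPath(props, cond.property);
  const expected = cond.value;
  switch (cond.operator) {
    case "equal": return deepEqual(actual, expected);
    case "notEqual": return !deepEqual(actual, expected);
    case "contains":
      if (Array.isArray(actual)) return actual.some((x) => deepEqual(x, expected));
      return typeof actual === "string" && typeof expected === "string" && actual.includes(expected);
    case "regex":
      return typeof actual === "string" && typeof expected === "string" && new RegExp(expected).test(actual);
    default: return false;
  }
}

// One finding per resource of the rule's type that is NOT in the expected state.
function scan(rules: Rule[], resources: Resource[]): Finding[] {
  const findings: Finding[] = [];
  for (const rule of rules)
    for (const res of resources)
      if (res.type === rule.resourceType && !evaluate(rule.condition, res.properties))
        findings.push({ rule: rule.name, severity: rule.severity, resourceId: res.id });
  return findings;
}

function summarize(findings: Finding[]): { [severity: string]: number } {
  const counts: { [severity: string]: number } = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] ?? 0) + 1;
  return counts;
}

// Constructed sample rules: each condition describes the compliant state.
const sampleRules: Rule[] = [
  { name: "bucket-blocks-public-acls", severity: "high", resourceType: "storage_bucket",
    condition: { all: [
      { property: "PublicAccessBlock.BlockPublicAcls", operator: "equal", value: true },
      { property: "Region", operator: "regex", value: "^eu-" } ] } },
  { name: "bucket-encrypted-and-versioned", severity: "medium", resourceType: "storage_bucket",
    condition: { all: [
      { any: [ { property: "Encryption.Algorithm", operator: "equal", value: "AES256" },
               { property: "Encryption.Algorithm", operator: "equal", value: "aws:kms" } ] },
      { property: "Versioning", operator: "equal", value: "Enabled" } ] } },
  { name: "no-ssh-from-internet", severity: "high", resourceType: "security_group",
    condition: { not: { property: "IngressRules", operator: "contains", value: { FromPort: 22, Cidr: "0.0.0.0/0" } } } },
];

// Constructed sample inventory, shaped like what a cloud SDK might return.
const sampleResources: Resource[] = [
  { type: "storage_bucket", id: "bucket-public-logs", properties: { Region: "us-east-1",
      PublicAccessBlock: { BlockPublicAcls: false }, Encryption: { Algorithm: "AES256" }, Versioning: "Suspended" } },
  { type: "storage_bucket", id: "bucket-private-data", properties: { Region: "eu-west-3",
      PublicAccessBlock: { BlockPublicAcls: true }, Encryption: { Algorithm: "aws:kms" }, Versioning: "Enabled" } },
  { type: "security_group", id: "sg-open-ssh", properties: { IngressRules: [{ FromPort: 22, Cidr: "0.0.0.0/0" }] } },
  { type: "security_group", id: "sg-internal", properties: { IngressRules: [{ FromPort: 22, Cidr: "10.0.0.0/8" }] } },
];

// Run the scan and print the report; a deployment would ship it to a webhook or database.
const report = scan(sampleRules, sampleResources);
console.log(JSON.stringify({ findings: report, summary: summarize(report) }, null, 2));
```

Against the sample inventory this reports three findings: the public bucket fails both bucket rules (public ACLs allowed, wrong region, versioning suspended) and the open security group fails the SSH rule, while the two hardened resources pass. Because the rules are plain data, the same evaluator can be fed rules loaded from YAML and resources fetched from any provider SDK without changing the engine.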
        
       | ziddoap wrote:
       | Looks interesting, and I'll be diving into it a bit deeper, but I
       | just wanted to mention that this quote:
       | 
       | " _even non-experts can guarantee the security of their cloud
       | environments_ "
       | 
       | Even though I understand that this is part of a marketing blurb,
       | not a literal guarantee, it was an immediate yellow-flag for me.
       | No tool can possibly _guarantee_ the security of my cloud
       | environment, so please don't imply/say your tool can. It reminds
       | me of shady VPN companies guaranteeing my security by providing
       | me with "military-grade encryption".
       | 
       | To be abundantly clear, I am _not_ saying that this product is
       | shady or anything -- I have not had the time to evaluate it in
       | the depth needed -- but statements like that make the rest of the
       | pitch an uphill battle. For me, at least.
        
         | patrick4urcloud wrote:
         | We provide predefined YAML rules based on the CIS benchmark. We
         | will try to upgrade the public rules offer to upgrade the
         | security of your cloud environment. Maybe this is too much
         | marketing to explain that we can check all the settings we want
         | in all cloud providers. All the parameters of cloud providers
         | are JSON-like, so you can check them with different operators
         | and mix them. Again, we'll be available on Slack to discuss
         | further.
        
           | edoceo wrote:
           | You're not even responding to the points raised. You're
           | doubling down on the wrong answer.
        
       ___________________________________________________________________
       (page generated 2025-04-30 23:01 UTC)