ServiceMeshAudit — Sidecar mTLS + Zero-Trust Network Policy Coverage
22 services × Istio/Linkerd sidecar mTLS coverage, zero-trust NetworkPolicy presence, deny-by-default verification, JWT-on-request enforcement, mesh version. Surfaces 4 services without mTLS in the mesh, 2 with a permissive NetworkPolicy, and 1 on an outdated mesh (Istio 1.18, EOL).
What it is
The zero-trust audit at the service-mesh layer. Most teams enable mTLS in PERMISSIVE mode and never flip it to STRICT, which leaves a cleartext fallback open. ServiceMeshAudit surfaces that gap.
What’s in it
- 22 services × 5-axis check (sidecar injected, mTLS strict, NetworkPolicy present, NetworkPolicy posture, JWT-on-request)
- Worst-offender: SM-017 legacy-mongo-svc with no mesh + no policy (cross-references CodeOwnersAudit R22 + RetentionPolicy R035 + AttestChain AC-009); SM-016 data-warehouse-conf with allow-all-egress; SM-011 ml-recommendation on Istio 1.18 (EOL Mar 2024)
Why this shape
NIST SP 800-207 (Zero Trust) makes mTLS plus per-request authorization the baseline. Istio, Linkerd and SPIFFE/SPIRE are the usual implementations. The audit gap most teams have: PERMISSIVE mTLS, which still accepts cleartext connections as a fallback.
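The 5-axis check described under "What's in it" and the PERMISSIVE-vs-STRICT gap above, as an added example in vanilla JavaScript. This is illustrative code, not ServiceMeshAudit's own implementation. The service-record shape (sidecarInjected, mtlsMode, networkPolicies, jwtRequired, mesh, meshVersion) is an assumption, the sample inventory is constructed (only the service ids and names are taken from the page), and the EOL table contains just the Istio version the page cites. A NetworkPolicy is treated as deny-by-default when it has an empty podSelector, selects both Ingress and Egress, and carries no allow rules; an egress rule with neither `to` nor `ports` is treated as allow-all egress, which is how Kubernetes evaluates it.

```javascript
// Added example, not the page's code: a minimal 5-axis service-mesh audit
// run over constructed service records.
// Assumed record shape: { id, name, sidecarInjected, mesh, meshVersion,
//   mtlsMode ("STRICT" | "PERMISSIVE" | "DISABLE" | null), jwtRequired,
//   networkPolicies: [{ podSelector, policyTypes, ingress?, egress? }] }

// Only the version the page names; extend from the mesh vendor's EOL table.
const EOL_MESH_VERSIONS = { istio: ["1.18"] };

function isDenyByDefault(np) {
  // Empty podSelector + both policyTypes + no allow rules = namespace-wide default deny.
  return Object.keys(np.podSelector || {}).length === 0 &&
    np.policyTypes.includes("Ingress") && np.policyTypes.includes("Egress") &&
    (np.ingress || []).length === 0 && (np.egress || []).length === 0;
}

function allowsAllEgress(np) {
  // An egress rule with no "to" and no "ports" matches every destination.
  return np.policyTypes.includes("Egress") &&
    (np.egress || []).some(rule => !rule.to && !rule.ports);
}

function auditService(svc) {
  const findings = [];
  // Axis 1: sidecar injected
  if (!svc.sidecarInjected) findings.push("NO_SIDECAR");
  // Axis 2: mTLS strict (PERMISSIVE and DISABLE both fail)
  if (svc.mtlsMode !== "STRICT") findings.push(`MTLS_${svc.mtlsMode || "NONE"}`);
  // Axis 3 + 4: NetworkPolicy present, and its posture
  const policies = svc.networkPolicies || [];
  if (policies.length === 0) {
    findings.push("NO_NETWORKPOLICY");
  } else {
    if (!policies.some(isDenyByDefault)) findings.push("NOT_DENY_BY_DEFAULT");
    if (policies.some(allowsAllEgress)) findings.push("ALLOW_ALL_EGRESS");
  }
  // Axis 5: JWT required on every request
  if (!svc.jwtRequired) findings.push("NO_JWT_ON_REQUEST");
  // Mesh version against the EOL table
  const eol = EOL_MESH_VERSIONS[svc.mesh] || [];
  if (svc.mesh && eol.includes(svc.meshVersion)) {
    findings.push(`MESH_EOL_${svc.mesh}_${svc.meshVersion}`);
  }
  return { id: svc.id, name: svc.name, findings };
}

// Returns only services with at least one finding, worst offenders first.
function auditAll(services) {
  return services.map(auditService)
    .filter(r => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

// Constructed sample inventory (not real data); ids/names borrowed from the page.
const SAMPLE_SERVICES = [
  { id: "SM-001", name: "checkout-api", sidecarInjected: true, mesh: "istio", meshVersion: "1.22",
    mtlsMode: "STRICT", jwtRequired: true,
    networkPolicies: [{ podSelector: {}, policyTypes: ["Ingress", "Egress"] }] },
  { id: "SM-011", name: "ml-recommendation", sidecarInjected: true, mesh: "istio", meshVersion: "1.18",
    mtlsMode: "STRICT", jwtRequired: true,
    networkPolicies: [{ podSelector: {}, policyTypes: ["Ingress", "Egress"] }] },
  { id: "SM-016", name: "data-warehouse-conf", sidecarInjected: true, mesh: "istio", meshVersion: "1.22",
    mtlsMode: "PERMISSIVE", jwtRequired: false,
    networkPolicies: [
      { podSelector: {}, policyTypes: ["Ingress", "Egress"] },
      { podSelector: { matchLabels: { app: "dw" } }, policyTypes: ["Egress"], egress: [{}] },
    ] },
  { id: "SM-017", name: "legacy-mongo-svc", sidecarInjected: false, mesh: null, meshVersion: null,
    mtlsMode: null, jwtRequired: false, networkPolicies: [] },
];

// Usage: node audit.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAll(SAMPLE_SERVICES), null, 2));
}
```

Running it over the sample inventory reports SM-017 with four findings (no sidecar, no mTLS, no NetworkPolicy, no JWT), SM-016 with permissive mTLS, allow-all egress and no JWT, and SM-011 with only the EOL mesh version; SM-001 passes every axis and is omitted.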
How it ships
Single HTML file, ~12KB. Zero dependencies. 22 services × 5-axis check in 100 lines of vanilla JavaScript.