Shift-Left Security Validation of Containers via Kubernetes Admission Webhook
Abstract
We propose a unified “shift-left” security validation framework that integrates static vulnerability scanning, SBOM generation, image signature verification, policy-as-code enforcement, and best-practice scoring into a single Kubernetes admission-control webhook invoked within the CI/CD pipeline. By atomically intercepting container admission requests, the system produces a Software Bill of Materials, cross-references CVE feeds, validates digital signatures, applies dynamically loaded JSON/YAML policies, and computes a weighted KubeScore for Pod specifications prior to deployment. Evaluation on realistic workloads demonstrates end-to-end processing latency below 200 ms and detection rates exceeding 95 % for critical vulnerabilities and misconfigurations. This consolidated approach eliminates post-deployment scans, accelerates feedback loops, strengthens compliance auditability with immutable logs, and lays the foundation for future AI-driven remediation and multi-cluster policy synchronization.

Index Terms – Admission-Control Webhook, SBOM (Software Bill of Materials), Static Vulnerability Analysis, CVE (Common Vulnerabilities and Exposures), Image Signature Verification, Cosign, Notary v2, Policy-as-Code, Open Policy Agent, Kyverno, KubeScore, kube-bench, Dynamic Policy Loading, Hot-Reload, Automated Remediation, Self-Healing, Immutable Audit Logs, CI/CD Pipeline Integration, Kubernetes Best Practices, SBOM Formats: CycloneDX, SPDX, Threat Modeling, Compliance Automation.
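As an added illustration (not the paper's code), the following Python sketches the policy-as-code scoring step the abstract describes: a validating webhook receives an AdmissionReview, evaluates weighted best-practice checks against the Pod spec, and allows or denies the request against a threshold. The policy set, check names, weights and the sample request are all constructed for this example; the SBOM, CVE-feed and signature-verification stages are omitted.

```python
import re

# Constructed policy set standing in for a dynamically loaded JSON/YAML policy file:
# each best-practice check carries a weight; the weighted score must reach `threshold`.
POLICIES = {"threshold": 70,
            "weights": {"digest-pinned": 40, "non-root": 30, "no-privileged": 20, "resource-limits": 10}}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Each check sees one container spec and its effective securityContext (pod-level merged with container-level).
CHECKS = {
    "digest-pinned": lambda c, sc: bool(DIGEST_RE.search(c.get("image", ""))),
    "non-root": lambda c, sc: sc.get("runAsNonRoot") is True,
    "no-privileged": lambda c, sc: sc.get("privileged") is not True,
    "resource-limits": lambda c, sc: "limits" in c.get("resources", {}),
}

def score_pod(pod, policies):
    """Return (weighted score 0-100, failed check ids); a Pod with no containers scores 0."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if not containers:
        return 0, ["no-containers"]
    pod_sc = spec.get("securityContext", {})
    earned, failed = 0, []
    for check_id, weight in policies["weights"].items():
        fn = CHECKS.get(check_id, lambda c, sc: False)  # unknown check id never passes
        if all(fn(c, {**pod_sc, **c.get("securityContext", {})}) for c in containers):
            earned += weight
        else:
            failed.append(check_id)
    return round(100 * earned / sum(policies["weights"].values())), failed

def admission_response(review, policies=POLICIES):
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    req = review["request"]
    score, failed = score_pod(req["object"], policies)
    allowed = score >= policies["threshold"]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": allowed,
                         "status": {"code": 200 if allowed else 403,
                                    "message": f"KubeScore {score}/100; failed: {', '.join(failed) or 'none'}"}}}

# Constructed sample AdmissionReview: digest-pinned, non-root container without resource limits.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "00000000-0000-0000-0000-000000000001", "object": {"kind": "Pod", "spec": {
                     "containers": [{"name": "app", "image": "registry.example/app@sha256:" + "ab" * 32,
                                     "securityContext": {"runAsNonRoot": True}}]}}}}
```

Because the checks and weights live in a plain dictionary, swapping in a freshly loaded policy file is a matter of passing a new `policies` argument, which is the hot-reload property the abstract attributes to the webhook.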
Article information
Journal
Frontiers in Computer Science and Artificial Intelligence
Volume (Issue)
5 (2)
Pages
63-68
Published
Copyright
Copyright (c) 2026 https://creativecommons.org/licenses/by/4.0/
Open access

This work is licensed under a Creative Commons Attribution 4.0 International License.
