I've been looking for a set of tools that would detect wrong/missing configuration on k8s API, running workloads and unapplied manifests.
So far I've found a set of tools like for example:
Snyk iac, datree, Kube-bench, Kube-score, Kubeaudit, Kube-scan, Kubescape, Krane
Each of them has its own specialty, but often they overlap in some features.
The idea is to have 3 steps of checking config:
1. GitHub workflow that builds the kustomize manifest and uses a scanner that will fail in case a bad practice is detected
2. Once a day run checks against the workloads applied on the cluster
3. Once a day run checks against the API configuration
The problem is that there are so many tools out there that I have no idea which one I should use for each step.
Better approaches are also welcome.
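Added illustration, not part of the post above: whichever scanner ends up in step 1 and step 2, the gate boils down to walking the pod specs in the built manifests and failing on a rule set, which this small Python check does over the JSON form of the resources (the rules and the `SAMPLE` workload are constructed assumptions; a real run would pipe in `kustomize build` output converted to JSON, or `kubectl get ... -o json` from the cluster).

```python
import json, sys
# Constructed sample (not a real cluster): JSON as `kubectl get deployments -o json` returns it.
SAMPLE = json.dumps({"kind": "List", "items": [{
    "kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "shop/web:latest", "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "shop/proxy:1.4.2", "resources": {"limits": {"cpu": "100m"}},
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}}}}]})

def pod_spec(obj):
    # Locate the PodSpec in the kinds that carry one; other kinds have no containers.
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # nested one level deeper than the other controllers
        kind, spec = "Job", spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec") if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job") else None

def check_container(c):
    # The rule set: each entry is a bad practice the gate refuses to pass.
    sc, image, findings = c.get("securityContext", {}), c.get("image", ""), []
    if sc.get("privileged"):
        findings.append("privileged container")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not set to false")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot not set to true")
    if not c.get("resources", {}).get("limits"):
        findings.append("no resource limits")
    if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
        findings.append("image tag missing or :latest")
    return findings

def scan(document):
    # Returns (kind/namespace/name, container, message) for every finding.
    data, out = json.loads(document), []
    for obj in data["items"] if data.get("kind") == "List" else [data]:
        spec = pod_spec(obj)
        if spec is None:
            continue
        meta = obj.get("metadata", {})
        ident = f"{obj['kind']}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            out.extend((ident, c.get("name"), m) for m in check_container(c))
    return out

if __name__ == "__main__":  # pipe manifests in, or run bare to scan SAMPLE
    results = scan(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    print("\n".join(f"{i} [{c}]: {m}" for i, c, m in results))
    sys.exit(1 if results else 0)  # non-zero exit is what fails the workflow step
```

The same `scan` serves step 2 when fed the cluster's live workloads, so the daily job and the CI gate share one rule set and differ only in where the JSON comes from.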