Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA , MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. It became one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins’ precious time, effort, and resources. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

Install on windows

Install on macOS

kubescape scan --submit --enable-host-scan --verbose

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

We invite you to our team! We are excited about this project and want to return the love we get.

Want to contribute? Want to discuss something? Have an issue?

• Feel free to pick a task from the roadmap or suggest a feature of your own. Contact us directly for more information :)
• Open a issue, we are trying to respond within 48 hours
• Join us in a discussion on our discord server!

Kubescape docs

• Kubescape playground

• Overview
• How To Secure Kubernetes Clusters With Kubescape And Armo
• Scan Kubernetes YAML files
• Scan Kubescape on an air-gapped environment (offline support)
• Managing exceptions in the Kubescape SaaS version
• Configure and run customized frameworks
• Customize controls configurations. Kubescape CLI, Kubescape SaaS

Requires powershell v5.0+

iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex

Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with

Set-ExecutionPolicy RemoteSigned -scope CurrentUser

1.  brew tap armosec/kubescape
   

2.  brew install kubescape
   

kubescape scan --submit --enable-host-scan  --verbose

Read here more about the enable-host-scan flag

kubescape scan framework nsa --submit

kubescape scan framework mitre --submit

kubescape scan control "Privileged container"

kubescape scan --include-namespaces development,staging,production

kubescape scan --exclude-namespaces kube-system,kube-public

kubescape scan *.yaml

kubescape scan https://github.com/armosec/kubescape

kubescape scan --verbose

Add the --format-version v2 flag

kubescape scan --format json --format-version v2 --output results.json

kubescape scan --format junit --output results.xml

kubescape scan --format pdf --output results.pdf

kubescape scan --format prometheus

Full documentation

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

helm template [NAME] [CHART] [flags] --dry-run | kubescape scan -

e.g.

helm template bitnami/mysql --generate-name --dry-run | kubescape scan -

Video tutorial

It is possible to run Kubescape offline!

1. Download and save in local directory, if path not specified, will save all in ~/.kubescape

kubescape download artifacts --output path/to/local/dir

2. Copy the downloaded artifacts to the air-gaped/offline environment

3. Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir

You can also download a single artifacts and scan with the --use-from flag

1. Download and save in file, if file name not specified, will save in ~/.kubescape/<framework name>.json

kubescape download framework nsa --output /path/nsa.json

2. Copy the downloaded artifacts to the air-gaped/offline environment

3. Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json

Please follow the instructions here helm chart repo

Official Docker image quay.io/armosec/kubescape

docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan /app/example.yaml

If you wish, you can build the docker image on your own

Use the submit command if you wish to submit data manually

Support forward compatibility by using the --format-version v2 flag

First, scan your cluster using the json format flag: kubescape scan framework <name> --format json --format-version v2 --output path/to/results.json.

Now you can submit the results to the Kubescape SaaS version -

kubescape submit results path/to/results.json

Scan the YAML files while writing them using the vs code extension

View Kubescape scan results directly in Lens IDE using kubescape Lens extension

Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.

The tools retrieves Kubernetes objects from the API server and runs a set of rego's snippets developed by ARMO.

The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.