Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Install on NixOS or Linux/macOS via nix
kubescape scan --submit --enable-host-scan --verbose
Kubescape is an open source project. We welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.
Click 👍 if you want us to continue to develop and improve Kubescape 😀
We invite you to our team! We are excited about this project and want to return the love we get.
Want to contribute? Want to discuss something? Have an issue?
- Feel free to pick a task from the roadmap or suggest a feature of your own. Contact us directly for more information :)
- Open an issue, we are trying to respond within 48 hours
- Join us in the discussion on our discord server!
- Overview
- How To Secure Kubernetes Clusters With Kubescape And Armo
- Scan Kubernetes YAML files
- Scan Kubescape on an air-gapped environment (offline support)
- Managing exceptions in the Kubescape SaaS version
- Configure and run customized frameworks
- Customize control configurations. Kubescape CLI, Kubescape SaaS
Windows
Requires powershell v5.0+
iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
Nix/NixOS
Direct issues installing kubescape
via nix
through the channels mentioned here
You can use nix
on Linux or macOS and on other platforms unofficially.
Try it out in an ephemeral shell: nix-shell -p kubescape
Install declarative as usual
NixOS:
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
kubescape
];
home-manager:
# your other config ...
home.packages = with pkgs; [
# your other packages ...
kubescape
];
Or to your profile (not preferred): nix-env --install -A nixpkgs.kubescape
Scan a running Kubernetes cluster and submit results to the Kubescape SaaS version
kubescape scan --submit --enable-host-scan --verbose
Read here more about the
enable-host-scan
flag
Scan a running Kubernetes cluster with nsa
framework and submit results to the Kubescape SaaS version
kubescape scan framework nsa --submit
Scan a running Kubernetes cluster with MITRE ATT&CK®
framework and submit results to the Kubescape SaaS version
kubescape scan framework mitre --submit
Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls
kubescape scan control "Privileged container"
kubescape scan --include-namespaces development,staging,production
kubescape scan --exclude-namespaces kube-system,kube-public
Scan local yaml
/json
files before deploying. Take a look at the demonstration Submit the results in case the directory is a git repo. docs
kubescape scan *.yaml --submit
Scan kubernetes manifest files from a git repository and submit the results
kubescape scan https://github.com/armosec/kubescape --submit
kubescape scan --verbose
Add the
--format-version v2
flag
kubescape scan --format json --format-version v2 --output results.json
kubescape scan --format junit --output results.xml
Output in pdf
format - Contributed by @alegrey91
kubescape scan --format pdf --output results.pdf
Output in prometheus
metrics format - Contributed by @Joibel
kubescape scan --format prometheus
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
kubescape scan </path/to/directory> --submit
Kubescape will load the default value file
It is possible to run Kubescape offline!
- Download and save in local directory, if path not specified, will save all in
~/.kubescape
kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded artifacts
kubescape scan --use-artifacts-from path/to/local/dir
You can also download a single artifact and scan with the --use-from
flag
- Download and save in file, if file name is not specified, will save in
~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded framework
kubescape scan framework nsa --use-from /path/nsa.json
Please follow the instructions here helm chart repo
Scan the YAML files while writing them using the vs code extension
View Kubescape scan results directly in Lens IDE using kubescape Lens extension
Windows
-
Install MSYS2 & build libgit (needed only for the first time)
build.bat all
You can install MSYS2 separately by running
build.bat install
and build libgit2 separately by runningbuild.bat build
-
Build kubescape
make build
OR
go build -tags=static .
Linux / MacOS
-
Install libgit2 dependency (needed only for the first time)
make libgit2
cmake
is required to build libgit2. You can install it by runningsudo apt-get install cmake
(Linux) orbrew install cmake
(macOS)
-
Build kubescape
make build
OR
go build -tags=static .
-
Test
make test
You can use the sample files below to setup your VS code environment for building and debugging purposes.
.vscode/settings.json
// .vscode/settings.json
{
"go.testTags": "static",
"go.buildTags": "static",
"go.toolsEnvVars": {
"CGO_ENABLED": "1"
}
}
.vscode/launch.json
// .vscode/launch.json
{
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"scan",
"--logger",
"debug"
],
"buildFlags": "-tags=static"
}
]
}
Kubescape is based on the OPA engine and ARMO's posture controls.
The tools retrieve Kubernetes objects from the API server and run a set of rego's snippets developed by ARMO.
The results by default are printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.