Kubescape

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) incubating project.

Please star ⭐ the repo if you want us to continue developing and improving Kubescape!

---

📑 Table of Contents

• Features
• Demo
• Quick Start
• Installation
• CLI Commands
• Usage Examples
• Architecture
• In-Cluster Operator
• Integrations
• Community
• Changelog
• License

---

✨ Features

Feature	Description
🔍 Misconfiguration Scanning	Scan clusters, YAML files, and Helm charts against NSA-CISA, MITRE ATT&CK®, and CIS Benchmarks
🐳 Image Vulnerability Scanning	Detect CVEs in container images using Grype
🩹 Image Patching	Automatically patch vulnerable images using Copacetic
🔧 Auto-Remediation	Automatically fix misconfigurations in Kubernetes manifests
🛡️ Admission Control	Enforce security policies with Validating Admission Policies (VAP)
📊 Runtime Security	eBPF-based runtime monitoring via Inspektor Gadget
🤖 AI Integration	MCP server for AI assistant integration

---

🎬 Demo

---

🚀 Quick Start

1. Install Kubescape

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

💡 See Installation for more options (Homebrew, Krew, Windows, etc.)

2. Run Your First Scan

# Scan your current cluster
kubescape scan

# Scan a specific YAML file or directory
kubescape scan /path/to/manifests/

# Scan a container image for vulnerabilities
kubescape scan image nginx:latest

3. Explore the Results

Kubescape provides a detailed security posture overview including:

• Control plane security status
• Access control risks
• Workload misconfigurations
• Network policy gaps
• Compliance scores (MITRE, NSA)

---

📦 Installation

One-Line Install (Linux/macOS)

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Package Managers

Platform	Command
Homebrew	brew install kubescape
Krew	kubectl krew install kubescape
Arch Linux	yay -S kubescape
Ubuntu	sudo add-apt-repository ppa:kubescape/kubescape && sudo apt install kubescape
NixOS	nix-shell -p kubescape
Chocolatey	choco install kubescape
Scoop	scoop install kubescape

Windows (PowerShell)

iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex

📖 Full Installation Guide →

---

🛠️ CLI Commands

Kubescape provides a comprehensive CLI with the following commands:

Command	Description
kubescape scan	Scan cluster, files, or images for security issues
kubescape scan image	Scan container images for vulnerabilities
kubescape fix	Auto-fix misconfigurations in manifest files
kubescape patch	Patch container images to fix vulnerabilities
kubescape list	List available frameworks and controls
kubescape download	Download artifacts for offline/air-gapped use
kubescape config	Manage cached configurations
kubescape operator	Interact with in-cluster Kubescape operator
kubescape vap	Manage Validating Admission Policies
kubescape mcpserver	Start MCP server for AI assistant integration
kubescape completion	Generate shell completion scripts
kubescape version	Display version information

---

📖 Usage Examples

Scanning

Scan a Running Cluster

# Default scan (all frameworks)
kubescape scan

# Scan with a specific framework
kubescape scan framework nsa
kubescape scan framework mitre
kubescape scan framework cis-v1.23-t1.0.1

# Scan a specific control
kubescape scan control C-0005 -v

Scan Files and Repositories

# Scan local YAML files
kubescape scan /path/to/manifests/

# Scan a Helm chart
kubescape scan /path/to/helm/chart/

# Scan a Git repository
kubescape scan https://github.com/kubescape/kubescape

# Scan with Kustomize
kubescape scan /path/to/kustomize/directory/

Scan Options

# Include/exclude namespaces
kubescape scan --include-namespaces production,staging
kubescape scan --exclude-namespaces kube-system,kube-public

# Use alternative kubeconfig
kubescape scan --kubeconfig /path/to/kubeconfig

# Set compliance threshold (exit code 1 if below threshold)
kubescape scan --compliance-threshold 80

# Set severity threshold
kubescape scan --severity-threshold high

Output Formats

# JSON output
kubescape scan --format json --output results.json

# JUnit XML (for CI/CD)
kubescape scan --format junit --output results.xml

# SARIF (for GitHub Code Scanning)
kubescape scan --format sarif --output results.sarif

# HTML report
kubescape scan --format html --output report.html

# PDF report
kubescape scan --format pdf --output report.pdf

Image Scanning

# Scan a public image
kubescape scan image nginx:1.21

# Scan with verbose output
kubescape scan image nginx:1.21 -v

# Scan a private registry image
kubescape scan image myregistry/myimage:tag --username user --password pass

Auto-Fix

Automatically fix misconfigurations in your manifest files:

# First, scan and save results to JSON
kubescape scan /path/to/manifests --format json --output results.json

# Then apply fixes
kubescape fix results.json

# Dry run (preview changes without applying)
kubescape fix results.json --dry-run

# Apply fixes without confirmation prompts
kubescape fix results.json --no-confirm

Image Patching

Patch container images to fix OS-level vulnerabilities:

# Start buildkitd (required)
sudo buildkitd &

# Patch an image
sudo kubescape patch --image docker.io/library/nginx:1.22

# Specify custom output tag
sudo kubescape patch --image nginx:1.22 --tag nginx:1.22-patched

# See detailed vulnerability report
sudo kubescape patch --image nginx:1.22 -v

📖 Full Patch Command Documentation →

List Frameworks and Controls

# List available frameworks
kubescape list frameworks

# List all controls
kubescape list controls

# Output as JSON
kubescape list controls --format json

Offline Support

Download artifacts for air-gapped environments:

# Download all artifacts
kubescape download artifacts --output /path/to/offline/dir

# Download a specific framework
kubescape download framework nsa --output /path/to/nsa.json

# Scan using downloaded artifacts
kubescape scan --use-artifacts-from /path/to/offline/dir

Configuration

# View current configuration
kubescape config view

# Set account ID
kubescape config set accountID <your-account-id>

# Delete cached configuration
kubescape config delete

Operator Commands

Interact with the in-cluster Kubescape operator:

# Trigger a configuration scan
kubescape operator scan configurations

# Trigger a vulnerability scan
kubescape operator scan vulnerabilities

Validating Admission Policies

Manage Kubernetes Validating Admission Policies:

# Deploy the Kubescape CEL admission policy library
kubescape vap deploy-library | kubectl apply -f -

# Create a policy binding
kubescape vap create-policy-binding \
  --name my-policy-binding \
  --policy c-0016 \
  --namespace my-namespace | kubectl apply -f -

MCP Server

Start an MCP (Model Context Protocol) server for AI assistant integration:

kubescape mcpserver

The MCP server exposes Kubescape's vulnerability and configuration scan data to AI assistants, enabling natural language queries about your cluster's security posture.

Available MCP Tools:

• list_vulnerability_manifests - Discover vulnerability manifests
• list_vulnerabilities_in_manifest - List CVEs in a manifest
• list_vulnerability_matches_for_cve - Get details for a specific CVE
• list_configuration_security_scan_manifests - List configuration scan results
• get_configuration_security_scan_manifest - Get configuration scan details

---

🏗️ Architecture

Kubescape can run in two modes:

CLI Mode

The CLI is a standalone tool that scans clusters, files, and images on-demand.

Key Components:

• Open Policy Agent (OPA) - Policy evaluation engine
• Regolibrary - Library of security controls
• Grype - Image vulnerability scanning
• Copacetic - Image patching

Operator Mode (In-Cluster)

For continuous monitoring, deploy the Kubescape operator via Helm.

Additional Capabilities:

• Continuous configuration scanning
• Image vulnerability scanning
• Runtime analysis with eBPF
• Network policy generation

📖 Full Architecture Documentation →

---

☸️ In-Cluster Operator

The Kubescape operator provides continuous security monitoring in your cluster:

# Add the Kubescape Helm repository
helm repo add kubescape https://kubescape.github.io/helm-charts/

# Install the operator
helm upgrade --install kubescape kubescape/kubescape-operator \
  --namespace kubescape \
  --create-namespace

Operator Features:

• 🔄 Continuous misconfiguration scanning
• 🐳 Image vulnerability scanning for all workloads
• 🔍 Runtime threat detection (eBPF-based)
• 🌐 Network policy generation
• 📈 Prometheus metrics integration

📖 Operator Installation Guide →

---

🔌 Integrations

CI/CD

Platform	Integration
GitHub Actions	kubescape/github-action
GitLab CI	Documentation
Jenkins	Documentation

IDE Extensions

IDE	Extension
VS Code	Kubescape Extension
Lens	Kubescape Lens Extension

Where You Can Use Kubescape

---

👥 Community

Kubescape is a CNCF incubating project with an active community.

Get Involved

• 💬 Slack - Users Channel - Ask questions, get help
• 💬 Slack - Developers Channel - Contribute to development
• 🐛 GitHub Issues - Report bugs and request features
• 📋 Project Board - See what we're working on
• 🗺️ Roadmap - Future plans

Contributing

We welcome contributions! Please see our:

• Contributing Guide
• Code of Conduct

Community Resources

• Community Info
• Governance
• Security Policy
• Maintainers

Contributors

---

Changelog

Kubescape changes are tracked on the releases page.

---

License

Copyright 2021-2025, the Kubescape Authors. All rights reserved.

Kubescape is released under the Apache 2.0 license.

Kubescape is a Cloud Native Computing Foundation (CNCF) incubating project and was contributed by ARMO.