Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA , MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. It became one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins’ precious time, effort, and resources. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
TL;DR
Install:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Run:
kubescape scan --submit --enable-host-scan
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
👍 if you want us to continue to develop and improve Kubescape 😀
ClickBeing part of the team
We invite you to our team! We are excited about this project and want to return the love we get.
Want to contribute? Want to discuss something? Have an issue?
- Feel free to pick a task from the roadmap or suggest a feature of your own. Contact us directly for more information :)
- Open a issue, we are trying to respond within 48 hours
- Join us in a discussion on our discord server!
Options and examples
Playground
Tutorials
- Overview
- How To Secure Kubernetes Clusters With Kubescape And Armo
- Scan Kubernetes YAML files
- Scan Kubescape on an air-gapped environment (offline support)
- Managing exceptions in the Kubescape SaaS version
- Configure and run customized frameworks
- Customize controls configurations. Kubescape CLI, Kubescape SaaS
Install on Windows
Requires powershell v5.0+
iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
Install on macOS
-
brew tap armosec/kubescape
-
brew install kubescape
Usage & Examples
Examples
Kubescape SaaS version
Scan a running Kubernetes cluster and submit results to thekubescape scan --submit --enable-host-scan
Read here more about the
enable-host-scan
flag
nsa
framework and submit results to the Kubescape SaaS version
Scan a running Kubernetes cluster with kubescape scan framework nsa --submit
MITRE ATT&CK®
framework and submit results to the Kubescape SaaS version
Scan a running Kubernetes cluster with kubescape scan framework mitre --submit
List of controls
Scan a running Kubernetes cluster with a specific control using the control name or control ID.kubescape scan control "Privileged container"
Scan specific namespaces
kubescape scan --include-namespaces development,staging,production
Scan cluster and exclude some namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
yaml
/json
files before deploying. Take a look at the demonstration
Scan local kubescape scan *.yaml
Scan kubernetes manifest files from a public github repository
kubescape scan https://github.com/armosec/kubescape
Display all scanned resources (including the resources who passed)
kubescape scan --verbose
json
format
Output in Add the
--format-version v2
flag
kubescape scan --format json --format-version v2 --output results.json
junit xml
format
Output in kubescape scan --format junit --output results.xml
pdf
format - Contributed by @alegrey91
Output in kubescape scan --format pdf --output results.pdf
prometheus
metrics format - Contributed by @Joibel
Output in kubescape scan --format prometheus
exclude
and not fail
Scan with exceptions, objects with exceptions will be presented as
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
helm template
and pass to stdout
Scan Helm charts - Render the helm chart using helm template [NAME] [CHART] [flags] --dry-run | kubescape scan -
e.g.
helm template bitnami/mysql --generate-name --dry-run | kubescape scan -
Offline/Air-gaped Environment Support
It is possible to run Kubescape offline!
Download all artifacts
- Download and save in local directory, if path not specified, will save all in
~/.kubescape
kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded artifacts
kubescape scan --use-artifacts-from path/to/local/dir
Download a single artifacts
You can also download a single artifacts and scan with the --use-from
flag
- Download and save in file, if file name not specified, will save in
~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded framework
kubescape scan framework nsa --use-from /path/nsa.json
@yonahd
Scan Periodically using Helm - Contributed byPlease follow the instructions here helm chart repo
Scan using docker image
Official Docker image quay.io/armosec/kubescape
docker run -v "$(pwd)/example.yaml:/app/example.yaml quay.io/armosec/kubescape scan /app/example.yaml
If you wish, you can build the docker image on your own
Submit data manually
Use the submit
command if you wish to submit data manually
Submit scan results manually
Support forward compatibility by using the
--format-version v2
flag
First, scan your cluster using the json
format flag: kubescape scan framework <name> --format json --format-version v2 --output path/to/results.json
.
Now you can submit the results to the Kubescape SaaS version -
kubescape submit results path/to/results.json
Under the hood
Technology
Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.
The tools retrieves Kubernetes objects from the API server and runs a set of rego's snippets developed by ARMO.
The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.