Kubescape can run as a command line tool on a client, as an operator inside a cluster, as part of your CI/CD process, or more.
The best way to get started with Kubescape is to download it to the machine you use to manage your Kubernetes cluster.
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
(We're a security product; please read the file before you run it!)
You can also check other installation methods
kubescape scan --enable-host-scan --verbose
You will see output like this:
Some documentation on using Kubescape is yet to move here from the ARMO Platform docs.
-
Scan a running Kubernetes cluster:
kubescape scan --enable-host-scan --verbose
-
Scan a running Kubernetes cluster with the NSA framework:
kubescape scan framework nsa
-
Scan a running Kubernetes cluster with the MITRE ATT&CK® framework:
kubescape scan framework mitre
-
Scan for a specific control, using the control name or control ID. See the list of controls.
kubescape scan control "Privileged container"
-
Use an alternative kubeconfig file:
kubescape scan --kubeconfig cluster.conf
-
Scan specific namespaces:
kubescape scan --include-namespaces development,staging,production
-
Exclude certain namespaces:
kubescape scan --exclude-namespaces kube-system,kube-public
-
Scan local YAML/JSON files before deploying:
kubescape scan *.yaml
Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
-
Scan Kubernetes manifest files from a Git repository:
kubescape scan https://github.com/kubescape/kubescape
-
Scan with exceptions
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
Objects with exceptions will be presented as
exclude
and notfail
. -
Scan Helm charts
kubescape scan </path/to/directory>
Note
Kubescape will load the default VALUES file. -
Scan a Kustomize directory
kubescape scan </path/to/directory>
Note
Kubescape will generate Kubernetes YAML objects using akustomize
file and scan them for security. -
Compliance Score
We offer two important metrics to assess compliance:
- Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
kubescape scan --compliance-threshold <SCORE_VALUE[float32]>
- Framework Compliance Score: This score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.
Kubescape scan with compliance score
kubescape scan framework <FRAMEWORK_NAME> --compliance-threshold <SCORE_VALUE[float32]>
- Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
-
JSON:
kubescape scan --format json --format-version v2 --output results.json
Note
Add the--format-version v2
flag for maximum compatibility. -
junit XML:
kubescape scan --format junit --output results.xml
-
PDF:
kubescape scan --format pdf --output results.pdf
Contributed by @alegrey91
-
Prometheus metrics:
kubescape scan --format prometheus
Contributed by @Joibel
-
HTML
kubescape scan --format html --output results.html
-
Display all scanned resources (including the resources which passed):
kubescape scan --verbose
It is possible to run Kubescape offline! Check out our video tutorial.
-
Download the controls and save them in the local directory. If no path is specified, they will be saved in
~/.kubescape
.kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the offline system.
-
Scan using the downloaded artifacts:
kubescape scan --use-artifacts-from path/to/local/dir
You can also download a single artifact, and scan with the --use-from
flag:
-
Download and save in a file. If no file name is specified, the artifact will be saved as
~/.kubescape/<framework name>.json
.kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the offline system.
-
Scan using the downloaded framework:
kubescape scan framework nsa --use-from /path/nsa.json
We publish a Helm chart for our in-cluster components. Please follow the instructions here
Scan your YAML files while writing them using our VS Code extension.
View Kubescape scan results directly in the Lens IDE using the Kubescape Lens extension.
Experiment with Kubescape in the Kubescape playground: this scenario will install a K3s cluster and Kubescape. You can start with any of the kubescape scan
commands in the examples.