
Kubescape

Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

README


Kubescape

<picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150"> <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150"> </picture>

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that covers the whole lifecycle, from development on the left (IDE and CI/CD) through deployment to the running cluster on the right. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) incubating project.

Please star ⭐ the repo if you want us to continue developing and improving Kubescape!



✨ Features

| Feature | Description |
|---------|-------------|
| 🔍 Misconfiguration Scanning | Scan clusters, YAML files, and Helm charts against NSA-CISA, MITRE ATT&CK®, and CIS Benchmarks |
| 🐳 Image Vulnerability Scanning | Detect CVEs in container images using Grype |
| 🩹 Image Patching | Automatically patch vulnerable images using Copacetic |
| 🔧 Auto-Remediation | Automatically fix misconfigurations in Kubernetes manifests |
| 🛡️ Admission Control | Enforce security policies with Validating Admission Policies (VAP) |
| 📊 Runtime Security | eBPF-based runtime monitoring via Inspektor Gadget |
| 🤖 AI Integration | MCP server for AI assistant integration |


🎬 Demo

<img src="docs/img/demo-v3.gif" alt="Kubescape CLI demo">

🚀 Quick Start

1. Install Kubescape

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

💡 See Installation for more options (Homebrew, Krew, Windows, etc.)

2. Run Your First Scan

# Scan your current cluster
kubescape scan

# Scan a specific YAML file or directory
kubescape scan /path/to/manifests/

# Scan a container image for vulnerabilities
kubescape scan image nginx:latest

3. Explore the Results

Kubescape provides a detailed security posture overview including:

  • Control plane security status
  • Access control risks
  • Workload misconfigurations
  • Network policy gaps
  • Compliance scores (MITRE, NSA)

📦 Installation

One-Line Install (Linux/macOS)

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Package Managers

| Platform | Command |
|----------|---------|
| Homebrew | brew install kubescape |
| Krew | kubectl krew install kubescape |
| Arch Linux | yay -S kubescape |
| Ubuntu | sudo add-apt-repository ppa:kubescape/kubescape && sudo apt install kubescape |
| NixOS | nix-shell -p kubescape |
| Chocolatey | choco install kubescape |
| Scoop | scoop install kubescape |

Windows (PowerShell)

iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex

📖 Full Installation Guide →


🛠️ CLI Commands

Kubescape provides a comprehensive CLI with the following commands:

| Command | Description |
|---------|-------------|
| kubescape scan | Scan cluster, files, or images for security issues |
| kubescape scan image | Scan container images for vulnerabilities |
| kubescape fix | Auto-fix misconfigurations in manifest files |
| kubescape patch | Patch container images to fix vulnerabilities |
| kubescape list | List available frameworks and controls |
| kubescape download | Download artifacts for offline/air-gapped use |
| kubescape config | Manage cached configurations |
| kubescape operator | Interact with in-cluster Kubescape operator |
| kubescape vap | Manage Validating Admission Policies |
| kubescape mcpserver | Start MCP server for AI assistant integration |
| kubescape completion | Generate shell completion scripts |
| kubescape version | Display version information |


📖 Usage Examples

Scanning

Scan a Running Cluster

# Default scan (all frameworks)
kubescape scan

# Scan with a specific framework
kubescape scan framework nsa
kubescape scan framework mitre
kubescape scan framework cis-v1.23-t1.0.1

# Scan a specific control
kubescape scan control C-0005 -v

Scan Files and Repositories

# Scan local YAML files
kubescape scan /path/to/manifests/

# Scan a Helm chart
kubescape scan /path/to/helm/chart/

# Scan a Git repository
kubescape scan https://github.com/kubescape/kubescape

# Scan with Kustomize
kubescape scan /path/to/kustomize/directory/

Scan Options

# Include/exclude namespaces
kubescape scan --include-namespaces production,staging
kubescape scan --exclude-namespaces kube-system,kube-public

# Use alternative kubeconfig
kubescape scan --kubeconfig /path/to/kubeconfig

# Set compliance threshold (exit code 1 if below threshold)
kubescape scan --compliance-threshold 80

# Set severity threshold
kubescape scan --severity-threshold high

Output Formats

# JSON output
kubescape scan --format json --output results.json

# JUnit XML (for CI/CD)
kubescape scan --format junit --output results.xml

# SARIF (for GitHub Code Scanning)
kubescape scan --format sarif --output results.sarif

# HTML report
kubescape scan --format html --output report.html

# PDF report
kubescape scan --format pdf --output report.pdf
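The scan options and output formats above combine into a CI gate. The script below is an added example, not part of the Kubescape project: it assumes the kubescape binary is on PATH and relies on the documented behaviour that --compliance-threshold makes the scan exit 1 when the score is below it, distinguishing that policy result from a scan error.

```shell
#!/bin/sh
# Added example (not Kubescape's own code): gate a CI job on a compliance score.
# Assumes: `kubescape` is on PATH; per the README, a scan with
# --compliance-threshold N exits 1 when the cluster or manifests score below N.
#
# gate_scan THRESHOLD TARGET [OUTDIR]
#   THRESHOLD  minimum compliance score, 0-100
#   TARGET     manifests directory, chart, or repo URL; empty = the live cluster
#   OUTDIR     where the JUnit report for the CI test view is written
# Returns 0 = pass, 1 = below threshold (fail the job), 2 = scan did not complete.
gate_scan() {
    threshold="$1"
    target="$2"
    outdir="${3:-.}"

    # Build the argument list once so the same flags apply to files and clusters.
    set -- framework nsa \
        --compliance-threshold "$threshold" \
        --format junit --output "$outdir/results.xml"
    if [ -n "$target" ]; then
        set -- "$@" "$target"
    else
        # Cluster scan: system namespaces are out of scope for this gate.
        set -- "$@" --exclude-namespaces kube-system,kube-public
    fi

    kubescape scan "$@"
    rc=$?
    case "$rc" in
        0) printf 'compliance >= %s: pass\n' "$threshold"; return 0 ;;
        1) printf 'compliance below %s: failing the job\n' "$threshold"; return 1 ;;
        *) printf 'kubescape exited %s: scan error, not a policy result\n' "$rc"; return 2 ;;
    esac
}

# Stand-alone use:  sh gate.sh run 80 ./manifests ./artifacts
if [ "${1:-}" = "run" ]; then
    gate_scan "${2:-80}" "${3:-}" "${4:-.}"
    exit $?
fi
```

Treating exit codes other than 0 and 1 as a separate failure class matters in CI: a broken kubeconfig or an unreachable cluster should not be reported as "policy failed".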

Image Scanning

# Scan a public image
kubescape scan image nginx:1.21

# Scan with verbose output
kubescape scan image nginx:1.21 -v

# Scan a private registry image (a password passed as an argument is visible
# in shell history and process listings; inject it from a CI secret instead)
kubescape scan image myregistry/myimage:tag --username user --password pass

Using an Offline Grype Database

# Start the offline Grype-DB server (using docker)
docker run --rm -p8080:8080 quay.io/kubescape/grype-offline-db:v6-latest

# Scan an image using the offline database:
kubescape scan image --grype-db-url http://localhost:8080/databases/ nginx:latest

Auto-Fix

Automatically fix misconfigurations in your manifest files:

# First, scan and save results to JSON
kubescape scan /path/to/manifests --format json --output results.json

# Then apply fixes
kubescape fix results.json

# Dry run (preview changes without applying)
kubescape fix results.json --dry-run

# Apply fixes without confirmation prompts
kubescape fix results.json --no-confirm

Image Patching

Patch container images to fix OS-level vulnerabilities:

# Start buildkitd (required)
sudo buildkitd &

# Patch an image
sudo kubescape patch --image docker.io/library/nginx:1.22

Security Score: 100/100 (audited on Mar 20, 2026, no findings)