Kubescape is an open-source Kubernetes security posture management platform by ARMO (a CNCF incubating project). It provides risk analysis, compliance scanning, misconfiguration detection, and vulnerability scanning across IDEs, CI/CD pipelines, and running clusters.

| Command | Description |
|---|---|
| `curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh \| bash` | Install latest version (macOS/Linux) |
| `brew install kubescape` | Install via Homebrew (macOS) |
| `scoop install kubescape` | Install via Scoop (Windows) |
| `docker run -it kubescape/kubescape:latest kubescape --help` | Run Kubescape in Docker |
| `kubescape version` | Display installed version |
| `kubescape download` | Download frameworks and policies |
| `kubescape download --frameworks` | Download all frameworks |

| Command | Description |
|---|---|
| `kubescape scan` | Scan current cluster using kubeconfig |
| `kubescape scan --kubeconfig /path/to/kubeconfig` | Scan cluster with a specific kubeconfig |
| `kubescape scan -f manifest.yaml` | Scan a YAML manifest file |
| `kubescape scan -f *.yaml` | Scan multiple manifest files |
| `kubescape scan -d ./k8s-configs/` | Scan all manifests in a directory |
| `kubescape scan --helm /path/to/chart` | Scan a Helm chart before deployment |
| `kubescape scan --include-namespaces default,kube-system` | Scan specific namespaces only |
| `kubescape scan --exclude-namespaces kube-node-lease` | Exclude namespaces from the scan |
| `kubescape scan --severity high,critical` | Show only high/critical severity issues |
| `kubescape scan --pod-runtime containerd` | Specify container runtime (docker, containerd, cri-o) |

| Command | Description |
|---|---|
| `kubescape scan framework nsa` | Scan against the NSA-CISA Kubernetes hardening guide |
| `kubescape scan framework cis` | Scan against the CIS Kubernetes Benchmark |
| `kubescape scan framework mitre` | Scan against the MITRE ATT&CK framework |
| `kubescape scan framework pci-dss` | Scan against PCI-DSS compliance |
| `kubescape scan framework soc2` | Scan against SOC2 compliance |
| `kubescape scan framework hipaa` | Scan against HIPAA compliance |
| `kubescape scan -f manifest.yaml -f nsa,cis,mitre` | Scan a manifest against multiple frameworks |
| `kubescape scan --list-frameworks` | List all available frameworks |

| Command | Description |
|---|---|
| `kubescape scan image gcr.io/project/image:tag` | Scan a container image for vulnerabilities |
| `kubescape scan image --image-scan-concurrency 5 image1 image2` | Scan multiple images concurrently |
| `kubescape scan -f manifest.yaml --include-image-scanning` | Scan manifests and all referenced images |
| `kubescape scan image --severity critical --only-vulnerabilities` | Show only critical vulnerabilities |
| `kubescape scan image --image-registry-credentials user:pass@registry:5000` | Scan private registry images |
| `kubescape scan -f manifest.yaml --image-scan-cache` | Cache image scans for repeated runs |

| Command | Description |
|---|---|
| `kubescape scan -o json > report.json` | Output results as JSON |
| `kubescape scan -o pdf > report.pdf` | Generate a PDF report |
| `kubescape scan -o html > report.html` | Generate an HTML report |
| `kubescape scan -o sarif > report.sarif` | Output in SARIF format (for CI/CD tools) |
| `kubescape scan -o pretty-json` | Pretty-printed JSON output |
| `kubescape scan --output-file report.json -o json` | Save output to a file |
| `kubescape scan -o json \| jq '.results[] \| select(.severity=="critical")'` | Filter JSON results with jq |

| Command | Description |
|---|---|
| `kubescape scan --fail-threshold 80` | Fail the pipeline if the risk score is below 80 |
| `kubescape scan --fail-threshold 70 --severity critical` | Gate the pipeline on critical findings |
| `kubescape scan -f manifest.yaml --fail-threshold 85 -o sarif` | Generate SARIF and gate in GitHub Actions |
| `kubescape scan --fail-on-compliance-failure` | Fail if compliance frameworks fail |
| `kubescape scan -o json --format-by-severity` | Output grouped by severity level |

```yaml
- name: Run Kubescape security scan
  uses: kubescape/github-action@v2
  with:
    kubeconfig: ${{ secrets.KUBECONFIG }}
    frameworks: nsa,cis
    fail-threshold: 80
    output-format: sarif
    output-file: kubescape-report.sarif
- name: Upload SARIF to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: kubescape-report.sarif
```

```yaml
kubescape_scan:
  stage: security
  image: kubescape/kubescape:latest
  script:
    - kubescape scan framework nsa --fail-threshold 80 -o sarif > report.sarif
    - kubescape scan framework cis --fail-threshold 75 -o json > cis-report.json
  artifacts:
    reports:
      sast: report.sarif
    paths:
      - cis-report.json
```

```groovy
stage('Security: Kubescape') {
    steps {
        // One invocation per output format: a single command cannot redirect
        // its stdout to two files, so the SARIF and JSON runs are separate.
        sh '''
            kubescape scan -f k8s-manifests/ \
                --fail-threshold 80 \
                -o sarif > kubescape-report.sarif
            kubescape scan -f k8s-manifests/ \
                --fail-threshold 80 \
                -o json > kubescape-report.json
        '''
        archiveArtifacts artifacts: '*-report.*'
    }
}
```

| Command | Description |
|---|---|
| `kubescape download --output-dir ./offline-data` | Download all frameworks to a local directory |
| `kubescape download --frameworks nsa,cis --output-dir ./fw` | Download specific frameworks for offline use |
| `kubescape scan -f manifest.yaml --offline --frameworks-dir ./offline-data` | Scan using downloaded frameworks |
| `kubescape scan -d manifests/ --offline --frameworks-dir ./offline-data` | Offline directory scan |

| Command | Description |
|---|---|
| `kubescape config` | Show current configuration |
| `kubescape config set <key> <value>` | Set a configuration value |
| `kubescape config get <key>` | Get a configuration value |
| `kubescape config -p ~/.kubescape/config` | Use a custom config file path |
| `kubescape scan -c ./custom-config.yaml` | Scan with a custom configuration |

| Command | Description |
|---|---|
| `kubescape operator install` | Install the Kubescape operator in the cluster |
| `kubescape operator install --namespace kubescape` | Install the operator in a specific namespace |
| `kubescape operator uninstall` | Remove the Kubescape operator |
| `kubectl get deployment -n kubescape` | Verify operator installation |
| `kubectl logs -n kubescape -l app=kubescape-operator` | View operator logs |
| `kubescape operator status` | Check operator status |

| Command | Description |
|---|---|
| `kubescape scan --exceptions exceptions.json` | Apply exception rules to the scan |
| `kubescape scan --enable-controls <control-id>` | Enable specific controls |
| `kubescape scan --disable-controls <control-id>` | Disable specific controls |
| `kubescape scan --controls <id1>,<id2>` | Run only the specified controls |
| `kubescape scan --list-controls` | List all available controls |
| `kubescape scan --list-controls --framework nsa` | List NSA framework controls |

```json
{
  "exceptions": [
    {
      "ruleID": "C-0001",
      "namespace": "test-namespace",
      "resources": ["deployment/test-app"],
      "justification": "Development environment exemption"
    }
  ]
}
```

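As an added example that is not part of this page or the Kubescape project: a small Python gate for a pipeline stage that post-processes `kubescape scan -o json` output, applying the `exceptions.json` shape shown above and the same severity and threshold logic the gating flags express. The report field names (`results[]` entries with `controlID`, `severity`, `status`, `namespace`, `resource`) are an assumption modelled on the jq filter in this cheat sheet, and the pass rate is a stand-in for the risk score; check both against the report your Kubescape version actually produces.

```python
"""Post-process a `kubescape scan -o json` report in CI: apply exceptions,
filter by severity and gate on a pass-rate threshold.

Assumed report layout (constructed, modelled on the page's jq filter
.results[] | select(.severity=="critical")): a top-level "results" list whose
entries carry controlID, severity, status, namespace and resource. Adjust the
field names to the report layout your Kubescape version actually emits."""
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report, not real Kubescape output; C-0001 and the
# test-namespace/test-app resource come from the page's exception example.
SAMPLE_REPORT = {"results": [
    {"controlID": "C-0001", "severity": "medium", "status": "failed",
     "namespace": "test-namespace", "resource": "deployment/test-app"},
    {"controlID": "C-0002", "severity": "critical", "status": "failed",
     "namespace": "prod", "resource": "deployment/api"},
    {"controlID": "C-0003", "severity": "high", "status": "passed",
     "namespace": "prod", "resource": "deployment/api"},
    {"controlID": "C-0004", "severity": "low", "status": "failed",
     "namespace": "prod", "resource": "daemonset/agent"}]}
# Same shape as the page's exceptions.json.
SAMPLE_EXCEPTIONS = {"exceptions": [{"ruleID": "C-0001", "namespace": "test-namespace",
    "resources": ["deployment/test-app"], "justification": "Development environment exemption"}]}

def is_excepted(finding, exceptions):
    """True when an exception covers this control on this namespace/resource."""
    return any(e["ruleID"] == finding["controlID"] and e["namespace"] == finding["namespace"]
               and finding["resource"] in e["resources"] for e in exceptions["exceptions"])

def failed_findings(report, exceptions, min_severity="low"):
    """Failed, non-excepted results at or above min_severity (what
    --exceptions plus --severity filter out of the report)."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in report["results"] if r["status"] == "failed"
            and SEVERITY_RANK[r["severity"]] >= floor and not is_excepted(r, exceptions)]

def pass_rate(report, exceptions):
    """Percent of non-excepted results that passed: a simple stand-in for the
    risk score that --fail-threshold gates on."""
    kept = [r for r in report["results"] if not is_excepted(r, exceptions)]
    return 100.0 * sum(r["status"] == "passed" for r in kept) / len(kept) if kept else 100.0

def gate(report, exceptions, fail_threshold=80.0, block_on="critical"):
    """Return (ok, reasons): fail when the pass rate is below fail_threshold or
    any finding at block_on severity or above survives the exceptions."""
    rate = pass_rate(report, exceptions)
    reasons = [f"pass rate {rate:.1f}% below {fail_threshold}%"] if rate < fail_threshold else []
    reasons += [f"{f['severity']} {f['controlID']} on {f['namespace']}/{f['resource']}"
                for f in failed_findings(report, exceptions, block_on)]
    return not reasons, reasons
```

In a pipeline step, load the report and exceptions with `json.load`, print the reasons, and exit non-zero when `gate()` returns `ok == False` so the job fails the same way `--fail-threshold` would.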
| Command | Description |
|---|---|
| `kubescape scan --verbose` | Show detailed debug output |
| `kubescape scan --log-level debug` | Set logging level (debug, info, warn, error) |
| `kubescape scan --submit` | Submit scan results to Kubescape Cloud |
| `kubescape scan --account <account-id>` | Submit to a specific cloud account |
| `kubescape scan --keep-local` | Scan without submitting to the cloud |
| `kubescape scan --max-workers 10` | Control the number of parallel processing workers |
| `kubescape scan --timeout 300` | Set the timeout in seconds |

| Practice | Description |
|---|---|
| Version Control Manifests | Always version control Kubernetes manifests; scan before deployment |
| Gate on Risk Score | Set `--fail-threshold` in CI/CD; use 75-85 depending on org risk tolerance |
| Multi-Framework Scanning | Use NSA + CIS + MITRE; address highest priority findings first |
| Regular Image Scanning | Scan container images in the supply chain; catch CVEs early |
| Namespace Isolation | Use `--include-namespaces` to focus scans; exclude system namespaces |
| Offline in Secure Envs | Download frameworks offline for air-gapped clusters |
| Monitor Over Time | Track risk scores across scans; investigate regressions |
| Exception Justification | Document exceptions; review periodically for removal |
| Helm Pre-Deployment | Run `kubescape scan --helm` on charts before `helm install` |
| Enable RBAC | Verify the ServiceAccount has the minimal required permissions |
| Use SARIF Output | Integrate SARIF reports into IDE, GitHub, and SIEM systems |
| Review Control Details | Use `kubescape scan --list-controls` to understand each control's purpose |