mirror of https://github.com/kubescape/kubescape.git synced 2025-12-13 01:35:50 +00:00

Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

best-practice devops kubernetes mitre-attack nsa security vulnerability-detection

Find a file

Matthias Bertschy be250ff090 Add debug listing and adjust JUnit report options		2025-12-12 22:50:32 +01:00
.github	Add debug listing and adjust JUnit report options	2025-12-12 22:50:32 +01:00
build	Add skip flag and collect system test results	2025-12-12 22:24:30 +01:00
cmd	use grype v0.99.1	2025-09-17 10:11:19 +02:00
core	Address code review feedback: Extract helper function and improve comments	2025-12-11 09:16:12 +00:00
docs	use goreleaser for all builds and release publication	2025-12-10 07:43:21 +01:00
downloader	Refactor: propagate context from main to avoid redundant context creation	2025-02-11 19:52:48 +03:00
examples	Revamp documentation and reduce host sensor workers	2025-11-30 11:47:00 +01:00
httphandler	fix go mod tidy	2025-12-12 15:36:56 +01:00
internal/testutils	use go 1.24	2025-06-24 16:31:45 +02:00
pkg	use grype v0.99.1	2025-09-17 10:11:19 +02:00
smoke_testing	fix: update test_command and test_scan to remove deprecated scan commands and adjust file paths	2025-12-12 14:39:11 +01:00
.gitattributes	chore: keep CRLF in fixhandler test data file	2023-01-13 12:03:12 +02:00
.gitignore	fix: add cosign.key to .gitignore	2025-12-10 18:41:39 +01:00
.golangci.yml	update golangci-lint config	2025-09-16 13:54:23 +02:00
.goreleaser.yaml	fix: update post-build hook to conditionally execute script for amd64 architecture	2025-12-12 14:56:03 +01:00
ADOPTERS.md	Update ADOPTERS.md	2024-11-26 11:39:16 +02:00
CODE_OF_CONDUCT.md	Update CODE_OF_CONDUCT.md	2024-11-26 11:39:18 +02:00
COMMUNITY.md	Add COMMUNITY.md	2024-11-26 11:39:20 +02:00
CONTRIBUTING.md	Update CONTRIBUTING.md	2024-11-26 11:39:21 +02:00
go.mod	Update go-git-url to v0.0.31 for improved URL parsing	2025-12-11 16:59:59 +00:00
go.sum	Update go-git-url to v0.0.31 for improved URL parsing	2025-12-11 16:59:59 +00:00
GOVERNANCE.md	Update GOVERNANCE.md	2024-11-26 11:39:23 +02:00
install.ps1	Error Fixed when downloading on azure cloud vm environment (#720 )	2023-09-01 08:03:12 +03:00
install.sh	fix: Don't run scan in installation script	2025-09-12 19:54:31 +02:00
LICENSE	start using cobra pkg for cli flags	2021-08-24 17:35:57 +03:00
main.go	Make a second sigint terminate immediately	2025-06-02 19:12:45 +02:00
MAINTAINERS.md	Update MAINTAINERS.md	2024-11-26 11:39:24 +02:00
Makefile	remove libgit files and dependencies	2024-01-20 10:24:21 +01:00
README.md	Revamp documentation and reduce host sensor workers	2025-11-30 11:47:00 +01:00
SECURITY-INSIGHTS.yml	Update maintainers in SECURITY-INSIGHTS.yml (#1774 )	2024-12-11 17:58:13 +02:00
SECURITY.md	Update SECURITY.md	2024-11-26 11:39:26 +02:00

README.md

Kubescape

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) incubating project.

Please star ⭐ the repo if you want us to continue developing and improving Kubescape!

✨ Features

Feature	Description
🔍 Misconfiguration Scanning	Scan clusters, YAML files, and Helm charts against NSA-CISA, MITRE ATT&CK®, and CIS Benchmarks
🐳 Image Vulnerability Scanning	Detect CVEs in container images using Grype
🩹 Image Patching	Automatically patch vulnerable images using Copacetic
🔧 Auto-Remediation	Automatically fix misconfigurations in Kubernetes manifests
🛡️ Admission Control	Enforce security policies with Validating Admission Policies (VAP)
📊 Runtime Security	eBPF-based runtime monitoring via Inspektor Gadget
🤖 AI Integration	MCP server for AI assistant integration

🎬 Demo

🚀 Quick Start

1. Install Kubescape

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

💡 See Installation for more options (Homebrew, Krew, Windows, etc.)

2. Run Your First Scan

# Scan your current cluster
kubescape scan

# Scan a specific YAML file or directory
kubescape scan /path/to/manifests/

# Scan a container image for vulnerabilities
kubescape scan image nginx:latest

3. Explore the Results

Kubescape provides a detailed security posture overview including:

Control plane security status
Access control risks
Workload misconfigurations
Network policy gaps
Compliance scores (MITRE, NSA)

📦 Installation

One-Line Install (Linux/macOS)

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Package Managers

Platform	Command
Homebrew	`brew install kubescape`
Krew	`kubectl krew install kubescape`
Arch Linux	`yay -S kubescape`
Ubuntu	`sudo add-apt-repository ppa:kubescape/kubescape && sudo apt install kubescape`
NixOS	`nix-shell -p kubescape`
Chocolatey	`choco install kubescape`
Scoop	`scoop install kubescape`

Windows (PowerShell)

iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex

📖 Full Installation Guide →

🛠️ CLI Commands

Kubescape provides a comprehensive CLI with the following commands:

Command	Description
`kubescape scan`	Scan cluster, files, or images for security issues
`kubescape scan image`	Scan container images for vulnerabilities
`kubescape fix`	Auto-fix misconfigurations in manifest files
`kubescape patch`	Patch container images to fix vulnerabilities
`kubescape list`	List available frameworks and controls
`kubescape download`	Download artifacts for offline/air-gapped use
`kubescape config`	Manage cached configurations
`kubescape operator`	Interact with in-cluster Kubescape operator
`kubescape vap`	Manage Validating Admission Policies
`kubescape mcpserver`	Start MCP server for AI assistant integration
`kubescape completion`	Generate shell completion scripts
`kubescape version`	Display version information

📖 Usage Examples

Scanning

Scan a Running Cluster

# Default scan (all frameworks)
kubescape scan

# Scan with a specific framework
kubescape scan framework nsa
kubescape scan framework mitre
kubescape scan framework cis-v1.23-t1.0.1

# Scan a specific control
kubescape scan control C-0005 -v

Scan Files and Repositories

# Scan local YAML files
kubescape scan /path/to/manifests/

# Scan a Helm chart
kubescape scan /path/to/helm/chart/

# Scan a Git repository
kubescape scan https://github.com/kubescape/kubescape

# Scan with Kustomize
kubescape scan /path/to/kustomize/directory/

Scan Options

# Include/exclude namespaces
kubescape scan --include-namespaces production,staging
kubescape scan --exclude-namespaces kube-system,kube-public

# Use alternative kubeconfig
kubescape scan --kubeconfig /path/to/kubeconfig

# Set compliance threshold (exit code 1 if below threshold)
kubescape scan --compliance-threshold 80

# Set severity threshold
kubescape scan --severity-threshold high

Output Formats

# JSON output
kubescape scan --format json --output results.json

# JUnit XML (for CI/CD)
kubescape scan --format junit --output results.xml

# SARIF (for GitHub Code Scanning)
kubescape scan --format sarif --output results.sarif

# HTML report
kubescape scan --format html --output report.html

# PDF report
kubescape scan --format pdf --output report.pdf

Image Scanning

# Scan a public image
kubescape scan image nginx:1.21

# Scan with verbose output
kubescape scan image nginx:1.21 -v

# Scan a private registry image
kubescape scan image myregistry/myimage:tag --username user --password pass

Auto-Fix

Automatically fix misconfigurations in your manifest files:

# First, scan and save results to JSON
kubescape scan /path/to/manifests --format json --output results.json

# Then apply fixes
kubescape fix results.json

# Dry run (preview changes without applying)
kubescape fix results.json --dry-run

# Apply fixes without confirmation prompts
kubescape fix results.json --no-confirm

Image Patching

Patch container images to fix OS-level vulnerabilities:

# Start buildkitd (required)
sudo buildkitd &

# Patch an image
sudo kubescape patch --image docker.io/library/nginx:1.22

# Specify custom output tag
sudo kubescape patch --image nginx:1.22 --tag nginx:1.22-patched

# See detailed vulnerability report
sudo kubescape patch --image nginx:1.22 -v

📖 Full Patch Command Documentation →

List Frameworks and Controls

# List available frameworks
kubescape list frameworks

# List all controls
kubescape list controls

# Output as JSON
kubescape list controls --format json

Offline Support

Download artifacts for air-gapped environments:

# Download all artifacts
kubescape download artifacts --output /path/to/offline/dir

# Download a specific framework
kubescape download framework nsa --output /path/to/nsa.json

# Scan using downloaded artifacts
kubescape scan --use-artifacts-from /path/to/offline/dir

Configuration

# View current configuration
kubescape config view

# Set account ID
kubescape config set accountID <your-account-id>

# Delete cached configuration
kubescape config delete

Operator Commands

Interact with the in-cluster Kubescape operator:

# Trigger a configuration scan
kubescape operator scan configurations

# Trigger a vulnerability scan
kubescape operator scan vulnerabilities

Validating Admission Policies

Manage Kubernetes Validating Admission Policies:

# Deploy the Kubescape CEL admission policy library
kubescape vap deploy-library | kubectl apply -f -

# Create a policy binding
kubescape vap create-policy-binding \
  --name my-policy-binding \
  --policy c-0016 \
  --namespace my-namespace | kubectl apply -f -

MCP Server

Start an MCP (Model Context Protocol) server for AI assistant integration:

kubescape mcpserver

The MCP server exposes Kubescape's vulnerability and configuration scan data to AI assistants, enabling natural language queries about your cluster's security posture.

Available MCP Tools:

list_vulnerability_manifests - Discover vulnerability manifests
list_vulnerabilities_in_manifest - List CVEs in a manifest
list_vulnerability_matches_for_cve - Get details for a specific CVE
list_configuration_security_scan_manifests - List configuration scan results
get_configuration_security_scan_manifest - Get configuration scan details

🏗️ Architecture

Kubescape can run in two modes:

CLI Mode

The CLI is a standalone tool that scans clusters, files, and images on-demand.

Key Components:

Open Policy Agent (OPA) - Policy evaluation engine
Regolibrary - Library of security controls
Grype - Image vulnerability scanning
Copacetic - Image patching

Operator Mode (In-Cluster)

For continuous monitoring, deploy the Kubescape operator via Helm.

Additional Capabilities:

Continuous configuration scanning
Image vulnerability scanning
Runtime analysis with eBPF
Network policy generation

📖 Full Architecture Documentation →

☸️ In-Cluster Operator

The Kubescape operator provides continuous security monitoring in your cluster:

# Add the Kubescape Helm repository
helm repo add kubescape https://kubescape.github.io/helm-charts/

# Install the operator
helm upgrade --install kubescape kubescape/kubescape-operator \
  --namespace kubescape \
  --create-namespace

Operator Features: