Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources. Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark). Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.
Kubescape is an open-source Kubernetes security platform designed to enhance security posture management across development, deployment, and runtime environments. It provides comprehensive risk analysis, compliance checks, and misconfiguration scanning for Kubernetes clusters, YAML files, and Helm charts.
Key Features:
Comprehensive Scanning: Detects misconfigurations based on industry-leading frameworks such as NSA-CISA, MITRE ATT&CK®, and the CIS Benchmark.
Multi-Faceted Support: Scans Kubernetes clusters, YAML configurations, and Helm charts to ensure robust security across all stages of development and deployment.
Flexible Output: Supports multiple output formats (JSON, JUnit XML, SARIF) for seamless integration into CI/CD pipelines and reporting requirements.
README
Kubescape
Comprehensive Kubernetes Security from Development to Runtime
Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments. It saves Kubernetes users and admins precious time, effort, and resources.
Create and manage Google Cloud resources and services directly on the command line or via scripts using the Google Cloud CLI.
With broad platform compatibility and service coverage, perform common platform tasks faster and control your cloud resources at scale.
minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.
Designed for Developers and DevOps Engineers, Lens provides an unparalleled experience for managing and troubleshooting Kubernetes workloads through one intuitive context-aware UI. For teams and organizations, Lens has proven to be the most effective way to learn Kubernetes, boost team productivity and reduce tools required for cloud native development. It's trusted by the world's best product teams; from innovative startups to iconic enterprises. Lens is the #1 choice for Kubernetes with over 1 million users globally.
DevSecOps Integration: Offers an easy-to-use CLI interface for developers and operators, enabling automated scans that save time and resources.
In-Cluster Capabilities: Available as a Helm chart, Kubescape provides continuous scanning, runtime analysis, network policy generation, and image vulnerability detection when deployed in-cluster.
Audience & Benefit:
Ideal for DevSecOps practitioners, platform engineers, and Kubernetes administrators seeking to streamline security processes. Kubescape empowers users to identify and remediate vulnerabilities quickly, ensuring compliance with best practices while reducing operational overhead. By automating security scans and providing actionable insights, it helps teams maintain a secure and resilient Kubernetes environment.
Kubescape can be installed via winget for easy setup on Windows systems.
Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark).
Did you know you can use Kubescape in all these places?
Continuous security monitoring with the Kubescape Operator
As well as a CLI, Kubescape provides an in-cluster mode, which is installed via a Helm chart. Kubescape in-cluster provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. Learn more about the Kubescape operator.
Using Kubescape as a GitHub Action
Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the GitHub Action marketplace.
Kubescape is an open source project. We welcome your feedback and ideas for improvement. We are part of the CNCF community and are evolving Kubescape in sync with the security needs of Kubernetes users. To learn more about where Kubescape is heading, please check out our ROADMAP.
If you feel inspired to contribute to Kubescape, check out our CONTRIBUTING file to learn how. You can find the issues we are working on (from triage to development) on the Kubescaping board.
Feel free to pick a task from the board or suggest a feature of your own.
Open an issue on the board. We aim to respond to all issues within 48 hours.
KWOK is a toolkit that enables setting up a cluster of thousands of Nodes in seconds. Under the hood, all Nodes are simulated to behave like real ones, so the overall approach has a very low resource footprint and you can easily play around with it on your laptop.
XPipe is a new type of shell connection hub and remote file manager that allows you to access your entire server infrastructure from your local machine. It works on top of your installed command-line programs and does not require any setup on your remote systems.
Coder is an open source platform for creating and managing developer workspaces on your preferred clouds and servers. By building on top of common development interfaces (SSH) and infrastructure tools (Terraform), Coder aims to make the process of provisioning and accessing remote workspaces approachable for organizations of various sizes and stages of cloud-native maturity.