![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)
😎 Want to contribute? 😇
Kubescape is an open-source Kubernetes security platform. A single pane of glass access to view risk analysis, security compliance, RBAC visualization, and image vulnerability scanning.
Kubescape scans Kubernetes clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (such as NSA-CISA, MITRE ATT&CK® and CIS Benchmark). Kubescape also helps you find software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline. It calculates your risk score instantly and shows risk trends over time.
Kubescape is one of the fastest-growing Kubernetes security tools among developers. It saves Kubernetes users and admins precious time, effort, and resources with its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack. It supports multi-cloud Kubernetes deployments like EKS, GKE, and AKS.
Kubescape CLI:
TL;DR
Install:
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
OR:
Install on windows
Install on macOS
Install on NixOS or Linux/macOS via nix
Run:
kubescape scan --enable-host-scan --verbose
Kubescape is an open source project. We welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.
Architecture in short
Component architecture
Please star ⭐ the repo if you want us to continue developing and improving Kubescape 😀
Being a part of the team
You are in vited to our community! We are excited about this project and want to return the love we get.
We hold community meetings on Zoom on the first Tuesday of every month at 14:00 GMT! 😎
Please make sure that you follow our Code Of Conduct.
Contributions
Want to discuss something? Have an issue? Want to contribute?
- Feel free to pick a task from the issues, roadmap or suggest a feature of your own. Contact us directly for more information :)
- Open an issue , we are trying to respond within 48 hours
- Join us in the discussion on our discord server!
![discord](https://img.shields.io/discord/893048809884643379)
Options and examples
Kubescape docs
Playground
Tutorials
Install on Windows
Windows
Requires powershell v5.0+
iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
Install on macOS
MacOS
-
brew tap kubescape/tap
-
brew install kubescape-cli
Nix/NixOS
Direct issues installing kubescape
via nix
through the channels mentioned here
You can use nix
on Linux or macOS and on other platforms unofficially.
Try it out in an ephemeral shell: nix-shell -p kubescape
Install declarative as usual
NixOS:
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
kubescape
];
home-manager:
# your other config ...
home.packages = with pkgs; [
# your other packages ...
kubescape
];
Or to your profile (not preferred): nix-env --install -A nixpkgs.kubescape
Usage & Examples
Examples
Scan a running Kubernetes cluster
kubescape scan --enable-host-scan --verbose
Read here more about the enable-host-scan
flag
Scan a running Kubernetes cluster with nsa
framework
kubescape scan framework nsa
Scan a running Kubernetes cluster with MITRE ATT&CK®
framework
kubescape scan framework mitre
Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls
kubescape scan control "Privileged container"
Scan using an alternative kubeconfig file
kubescape scan --kubeconfig cluster.conf
Scan specific namespaces
kubescape scan --include-namespaces development,staging,production
Scan cluster and exclude some namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
kubescape scan *.yaml
Scan Kubernetes manifest files from a git repository
kubescape scan https://github.com/kubescape/kubescape
Display all scanned resources (including the resources which passed)
kubescape scan --verbose
Add the --format-version v2
flag
kubescape scan --format json --format-version v2 --output results.json
kubescape scan --format junit --output results.xml
kubescape scan --format pdf --output results.pdf
kubescape scan --format prometheus
kubescape scan --format html --output results.html
Scan with exceptions. Objects with exceptions will be presented as exclude
and not fail
Full documentation
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
Scan Helm charts
kubescape scan </path/to/directory>
Kubescape will load the default value file
Scan a Kustomize Directory
kubescape scan </path/to/directory>
Kubescape will generate Kubernetes YAML objects using a 'Kustomize' file and scan them for security.
Offline/Air-gapped Environment Support
Video tutorial
It is possible to run Kubescape offline!
Download all artifacts
- Download and save in local directory, if path not specified, will save all in
~/.kubescape
kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded artifacts
kubescape scan --use-artifacts-from path/to/local/dir
Download a single artifact
You can also download a single artifact and scan with the --use-from
flag
- Download and save in a file, if the file name is not specified, will save in
~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded framework
kubescape scan framework nsa --use-from /path/nsa.json
Scan Periodically using Helm
Please follow the instructions here
helm chart repo
Integrations
VS Code Extension
![Open VSX](https://img.shields.io/open-vsx/dt/kubescape/kubescape?label=openVSX&color=yellowgreen)
Scan the YAML files while writing them using the VS Code extension
Lens Extension
View Kubescape scan results directly in Lens IDE using kubescape Lens extension
Building Kubescape
Build on Windows
Windows
-
Install MSYS2 & build libgit (needed only for the first time)
build.bat all
You can install MSYS2 separately by running build.bat install
and build libgit2 separately by running build.bat build
-
Build kubescape
make build
OR
go build -tags=static .
Build on Linux/MacOS
Linux / MacOS
-
Install libgit2 dependency (needed only for the first time)
make libgit2
cmake
is required to build libgit2. You can install it by running sudo apt-get install cmake
(Linux) or brew install cmake
(macOS)
-
Build kubescape
make build
OR
go build -tags=static .
-
Test
make test
Pre-programmed actions executed by the playground
- Clone the official GitHub repository of
Kubescape
.
- Automate the build process on Linux
- The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
Instructions to use the playground
- Apply changes you wish to make to the Kubescape directory using text editors like
Vim
.
- Build on Linux
- Now, you can use Kubescape like a regular user. Instead of using
kubescape
, use ./kubescape
. Make sure you are in the Kubescape directory because the command will execute the binary named kubescape
in kubescape directory
)
VS Code configuration samples
You can use the sample files below to setup your VS Code environment for building and debugging purposes.
.vscode/settings.json
// .vscode/settings.json
{
"go.testTags": "static",
"go.buildTags": "static",
"go.toolsEnvVars": {
"CGO_ENABLED": "1"
}
}
.vscode/launch.json
// .vscode/launch.json
{
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"scan",
"--logger",
"debug"
],
"buildFlags": "-tags=static"
}
]
}
Under the hood
Technology
Kubescape is based on the OPA engine and ARMO's posture controls.
The tools retrieve Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.
The results by default are printed in a "console friendly" manner, but they can be retrieved in JSON format for further processing.
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and aim to make the tests more robust and complete as Kubernetes develops.
Thanks to all the contributors ❤️