Kubescape is an open-source Kubernetes security platform that scans clusters, manifests, and container images for security risks. With 11.2k GitHub stars, 151 contributors, and 208 releases, it has become a leading Kubernetes security solution.
Created by ARMO and now a CNCF incubating project, it is trusted by over 25,000 organizations including Intel, AWS, and Bitnami.
Kubescape covers the full Kubernetes security lifecycle from development to runtime.
What is Kubescape?
Kubescape provides end-to-end Kubernetes security through misconfiguration scanning, vulnerability detection, and compliance checking.
It validates Kubernetes manifests and Helm charts against security frameworks like CIS Benchmarks, NSA-CISA hardening guidance, and the MITRE ATT&CK framework for containers.
What makes Kubescape stand out is its integration depth.
Beyond static scanning, it can run as an in-cluster operator providing runtime threat detection, network policy recommendations, and continuous compliance monitoring.
The CLI tool handles pre-deployment scanning while the operator extends security into production.
Key Features
Multi-Framework Compliance
Kubescape validates configurations against multiple security frameworks simultaneously.
CIS Kubernetes Benchmark checks ensure baseline hardening, while NSA-CISA guidance covers government security standards.
The MITRE ATT&CK framework mappings help teams understand potential attack vectors.
SOC 2 compliance checks are also available, along with support for custom policies.
Technical Architecture
Kubescape leverages several proven technologies:
- Open Policy Agent (OPA) for policy verification
- Grype for container image vulnerability scanning
- Copacetic for automated patching
- Inspektor Gadget for eBPF-based runtime analysis
Container Image Scanning
Integrated vulnerability scanning checks container images for known CVEs.
Kubescape generates SBOMs (Software Bill of Materials) and tracks vulnerabilities in base images and application dependencies.
This combines IaC security with software composition analysis.
Runtime Security
When deployed as an in-cluster operator, Kubescape provides runtime threat detection using eBPF technology.
It monitors workload behavior, detects anomalies, and generates security alerts.
The operator also tracks configuration drift between scanned manifests and deployed resources.
Network Policy Generation
Kubescape analyzes actual network traffic patterns in your cluster and recommends NetworkPolicy resources to implement least-privilege network segmentation.
This automates one of the most tedious aspects of Kubernetes hardening.
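As an added illustration of the recommendation step described above (example code, not Kubescape's own implementation), the following Python turns a constructed list of observed pod-to-pod flows into least-privilege NetworkPolicy objects, one per destination workload, that admit only the source/port pairs actually seen; the `app` label key and the sample flows are assumptions.

```python
from collections import defaultdict

# Constructed sample of observed flows: (source app label, destination app label, port, protocol).
# Duplicate observations are included on purpose; the generator must de-duplicate them.
OBSERVED_FLOWS = [
    ("frontend", "backend", 8080, "TCP"),
    ("frontend", "backend", 8080, "TCP"),
    ("backend", "db", 5432, "TCP"),
    ("metrics", "db", 9187, "TCP"),
    ("backend", "db", 5432, "TCP"),
]


def build_network_policies(flows, namespace="default"):
    """Return {destination app: NetworkPolicy dict} allowing only the observed ingress edges.

    Each destination workload gets one policy selecting it by the assumed `app` label;
    each distinct source gets one ingress rule listing the distinct ports seen from it.
    Selecting a pod with policyTypes=[Ingress] makes every unlisted source implicitly denied.
    """
    edges = defaultdict(lambda: defaultdict(set))  # dest -> src -> {(port, protocol)}
    for src, dst, port, proto in flows:
        edges[dst][src].add((port, proto))

    policies = {}
    for dst in sorted(edges):
        rules = []
        for src in sorted(edges[dst]):
            ports = [{"port": port, "protocol": proto}
                     for port, proto in sorted(edges[dst][src])]
            rules.append({"from": [{"podSelector": {"matchLabels": {"app": src}}}],
                          "ports": ports})
        policies[dst] = {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{dst}-ingress", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": rules,
            },
        }
    return policies


if __name__ == "__main__":
    import json
    print(json.dumps(build_network_policies(OBSERVED_FLOWS), indent=2))
```

Workloads that never appear as a destination get no policy here; a real rollout would pair this with a namespace-wide default-deny policy so unobserved traffic is blocked rather than left open.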
IDE and CI/CD Integration
Plugins for VS Code and IntelliJ bring security feedback directly into the editor.
CI/CD integrations with GitHub Actions, GitLab, Jenkins, and CircleCI enable automated scanning in pipelines.
Installation
Install the Kubescape CLI for local and CI/CD scanning:
# Install via script (Linux/macOS)
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
# Install via Homebrew (macOS)
brew install kubescape
# Install via Chocolatey (Windows)
choco install kubescape
# Install via Krew (kubectl plugin)
kubectl krew install kubescape
Run basic scans from the command line:
# Scan current Kubernetes context
kubescape scan
# Scan with specific framework
kubescape scan framework nsa
# Scan Helm chart (pass the chart directory; kubescape renders it before scanning)
kubescape scan ./my-chart/
# Scan YAML manifest files
kubescape scan ./manifests/
# Scan container image for vulnerabilities
kubescape scan image nginx:latest
# Output in JSON format
kubescape scan --format json --output results.json
In-Cluster Operator Installation
Deploy Kubescape as an operator for continuous monitoring:
# Install using Helm
helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
helm install kubescape kubescape/kubescape-operator \
  --namespace kubescape \
  --create-namespace \
  --set clusterName="$(kubectl config current-context)" \
  --set capabilities.continuousScan=enable \
  --set capabilities.vulnerabilityScan=enable \
  --set capabilities.networkPolicyService=enable
CI/CD Integration
GitHub Actions
name: Kubescape Security Scan
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Kubescape Scan
        uses: kubescape/github-action@main
        # Let the job continue so the SARIF upload still runs when findings fail the scan
        continue-on-error: true
        with:
          files: "manifests/*.yaml"
          frameworks: "nsa,mitre"
          threshold: 50
          # SARIF output is required by the upload step below
          format: sarif
          outputFile: results
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
GitLab CI
kubescape:
  image:
    name: quay.io/kubescape/kubescape:latest
    # Override the image entrypoint so the GitLab runner can start its shell
    entrypoint: [""]
  stage: security
  script:
    # One command: the indented continuation lines fold into a single line
    - kubescape scan framework cis-v1.23-t1.0.1
      --controls-config controls-config.yaml
      --format gitlab --output gl-kubescape-report.json
      manifests/
  artifacts:
    reports:
      sast: gl-kubescape-report.json
Pre-Commit Hook
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/kubescape/kubescape
    rev: v3.0.0
    hooks:
      - id: kubescape
        args: ["scan", "--severity-threshold", "high"]
Configuration
Create a controls configuration file to customize scanning:
# controls-config.yaml
excludedControls:
  - C-0009  # Exclude specific control
  - C-0034
controlConfigurations:
  - controlID: C-0013
    parameters:
      max-critical-vulnerabilities: 0
      max-high-vulnerabilities: 5
When to Use Kubescape
Kubescape is the go-to choice for teams focused on Kubernetes security from development through production.
Its CNCF backing ensures long-term maintenance and community support.
The combination of static scanning and runtime monitoring in a single tool reduces tooling sprawl.
Choose Kubescape when you need compliance validation against multiple frameworks, especially for regulated environments requiring CIS or NSA-CISA compliance.
The runtime operator features suit teams wanting continuous security monitoring beyond pre-deployment scanning.
For broader IaC coverage including Terraform and CloudFormation alongside Kubernetes, consider Checkov or Terrascan.
If you need a commercial platform with enterprise support, Snyk IaC provides similar Kubernetes scanning within a larger security suite.