/kubescape

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.

Primary LanguageGoApache License 2.0Apache-2.0

logo

build Go Report Card

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. It became one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins’ precious time, effort, and resources. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.


Kubescape CLI:


TL;DR

Install:

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

Install on windows

Install on macOS

Install on NixOS or Linux/macOS via nix

Install using Go

Run:

kubescape scan --submit --enable-host-scan --verbose


Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.


Click 👍 if you want us to continue to develop and improve Kubescape 😀


Being part of the team

We invite you to our team! We are excited about this project and want to return the love we get.

Want to contribute? Want to discuss something? Have an issue?

  • Feel free to pick a task from the roadmap or suggest a feature of your own. Contact us directly for more information :)
  • Open a issue, we are trying to respond within 48 hours
  • Join us in a discussion on our discord server!

logo discord

Options and examples

Kubescape docs

Playground

Tutorials

Windows

Install on Windows

Requires powershell v5.0+

iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex

Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with

Set-ExecutionPolicy RemoteSigned -scope CurrentUser
MacOS

Install on macOS

  1.  brew tap kubescape/tap
  2.  brew install kubescape-cli
Nix/NixOS

Install on NixOS or with nix (Community)

Direct issues installing kubescape via nix through the channels mentioned here

You can use nix on Linux or macOS and on other platforms unofficially.

Try it out in an ephemeral shell: nix-shell -p kubescape

Install declarative as usual

NixOS:

  # your other config ...
  environment.systemPackages = with pkgs; [
    # your other packages ...
    kubescape
  ];

home-manager:

  # your other config ...
  home.packages = with pkgs; [
    # your other packages ...
    kubescape
  ];

Or to your profile (not preferred): nix-env --install -A nixpkgs.kubescape

Usage & Examples

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape SaaS version

kubescape scan --submit --enable-host-scan  --verbose

Read here more about the enable-host-scan flag

Scan a running Kubernetes cluster with nsa framework and submit results to the Kubescape SaaS version

kubescape scan framework nsa --submit

Scan a running Kubernetes cluster with MITRE ATT&CK® framework and submit results to the Kubescape SaaS version

kubescape scan framework mitre --submit

Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls

kubescape scan control "Privileged container"

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local yaml/json files before deploying. Take a look at the demonstration Submit the results in case the directory is a git repo. docs

kubescape scan *.yaml --submit

Scan kubernetes manifest files from a git repository and submit the results

kubescape scan https://github.com/armosec/kubescape --submit

Display all scanned resources (including the resources who passed)

kubescape scan --verbose

Output in json format

Add the --format-version v2 flag

kubescape scan --format json --format-version v2 --output results.json

Output in junit xml format

kubescape scan --format junit --output results.xml

Output in pdf format - Contributed by @alegrey91

kubescape scan --format pdf --output results.pdf

Output in prometheus metrics format - Contributed by @Joibel

kubescape scan --format prometheus

Scan with exceptions, objects with exceptions will be presented as exclude and not fail

Full documentation

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Scan Helm charts

kubescape scan </path/to/directory> --submit

Kubescape will load the default values file

Offline/Air-gaped Environment Support

Video tutorial

It is possible to run Kubescape offline!

Download all artifacts

  1. Download and save in local directory, if path not specified, will save all in ~/.kubescape
kubescape download artifacts --output path/to/local/dir
  1. Copy the downloaded artifacts to the air-gaped/offline environment

  2. Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir

Download a single artifacts

You can also download a single artifacts and scan with the --use-from flag

  1. Download and save in file, if file name not specified, will save in ~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
  1. Copy the downloaded artifacts to the air-gaped/offline environment

  2. Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json

Scan Periodically using Helm

Please follow the instructions here helm chart repo

Integrations

VS Code Extension

Visual Studio Marketplace Downloads Open VSX

Scan the YAML files while writing them using the vs code extension

Lens Extension

View Kubescape scan results directly in Lens IDE using kubescape Lens extension

Building Kubescape

Windows

Windows

  1. Install MSYS2 & build libgit (needed only for the first time)

    build.bat all
    

You can install MSYS2 separately by running build.bat install and build libgit2 separately by running build.bat build

  1. Build kubescape

    make build
    

    OR

    go build -tags=static .
    
Linux / MacOS

Linux / MacOS

  1. Install libgit2 dependency (needed only for the first time)

    make libgit2
    

cmake is required to build libgit2. You can install it by running sudo apt-get install cmake (Linux) or brew install cmake (macOS)

  1. Build kubescape

    make build
    

    OR

    go build -tags=static .
    
  2. Test

    make test
    

VS code configuration samples

You can use the samples files below to setup your VS code environment for building and debugging purposes.

.vscode/settings.json
// .vscode/settings.json
{
    "go.testTags": "static",
    "go.buildTags": "static",
    "go.toolsEnvVars": {
        "CGO_ENABLED": "1"
    }
}
.vscode/launch.json
// .vscode/launch.json
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Launch Package",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/main.go",
            "args": [
                "scan",
                "--logger",
                "debug"
            ],
            "buildFlags": "-tags=static"
        }
    ]
}

Under the hood

Technology

Kubescape based on OPA engine and ARMO's posture controls.

The tools retrieves Kubernetes objects from the API server and runs a set of rego's snippets developed by ARMO.

The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

Thanks to all the contributors ❤️