Login
May 28, 2025|
Voiced by Amazon Polly |
Overview
In this blog, we have provided a comprehensive overview of how Kubescape empowers the maintenance of a secure Kubernetes environment through automated, scalable security assessments. Designed for modern DevSecOps and platform teams, Kubescape helps detect vulnerabilities and misconfigurations across clusters, configurations, and workloads. With support for leading industry benchmarks like NSA-CISA, MITRE ATT&CK, and CIS, it serves as a comprehensive tool for enhancing compliance and reducing risk across the Kubernetes lifecycle.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Introduction
Kubescape is a feature-rich, open-source security tool built to align with the fast-paced workflows of Kubernetes users. It simplifies identifying security gaps by scanning clusters, Helm charts, and YAML files and offering detailed compliance insights. With command-line, broad format support, and automated scan capabilities, Kubescape seamlessly fits into daily operations while supporting industry-recognized security frameworks. Created by ARMO and recognized under the CNCF sandbox, it is rapidly becoming a go-to resource for Kubernetes security automation.
Getting Started with Kubernetes Security Scans
Performing a general scan on running Kubernetes cluster:
Scans a running Kubernetes cluster.
|
1 |
kubescape scan –verbose |
This command inspects control plane security, access control, and secrets management. It flags insecure settings like anonymous access or open ports and provides a detailed compliance report.
NSA-CISA framework
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency(CISA)
The NSA and CISA provide recommendations to address key security challenges, urging system administrators to strengthen their Kubernetes environments. They also emphasize the importance of regularly reviewing cluster configurations and conducting vulnerability scans to manage risks and implement necessary patches.
Scans a Kubernetes cluster with the NSA framework
|
1 |
kubescape scan framework nsa |
The tool performs an in-depth evaluation of the Kubernetes cluster’s security alignment with the NSA framework. The results indicate how many security controls passed and how many failed, helping identify possible misconfigurations or vulnerabilities. Among the failed checks, four are classified by severity, high, medium, and low, highlighting critical areas that need attention to strengthen the cluster’s overall security posture.
MITRE ATT&CK framework
Kubescape utilizes the MITRE ATT&CK framework to evaluate potential threats and vulnerabilities within Kubernetes environments. Mapping findings to known attack techniques helps users detect, understand, and mitigate security risks, thereby improving the cluster’s overall defense strategy.
Scans a Kubernetes cluster with the Mitre attack framework
|
1 |
kubescape scan framework mitre |
Controls
ARMO provides a wide range of security controls that can be applied within established frameworks or tailored to meet specific requirements. Developed by security experts, these controls act as structured assessments covering different aspects of a system’s security posture. They include preventive, detective, and corrective measures designed to help identify and reduce the risk of potential security incidents.
Scan for a specific control using the control name or control ID
|
1 |
kubescape scan control "Privileged container" |
scan a specific pod
|
1 |
kubescape scan workload Pod/nginx --namespace webapp |
Kubescape generates an overview of a workload’s security posture, highlighting the relevant security controls based on its configuration and reporting the vulnerability status of the associated container image.
Scan a specific namespace
|
1 |
kubescape scan --include-namespaces test,staging,production |
Kubescape provides a summary of the cluster’s security posture, including a count of users with administrative privileges. Any non-zero results should be reviewed to assess necessity, and each is factored into the overall compliance score.
Enhancing CI/CD Security Using Kubescape
As DevOps and modern engineering practices advance, they’ve enabled faster delivery of higher-quality code by embedding guardrails and validations into automated CI/CD pipelines. Incorporating security checks into these workflows has become essential. With the rise of DevSecOps, well-defined frameworks and best practices have emerged to help seamlessly integrate security into continuous integration and deployment processes.
- Integrating Security Controls in the Coding Phase
Security measures begin at the earliest stages of development, where issues like misconfigurations and vulnerabilities in formats such as JSON, YAML, or Helm charts can be detected and resolved proactively.
command to scan local YAML/JSON files
|
1 |
kubescape scan *.yaml |
Scan Helm charts or kustomize directory
|
1 |
kubescape scan </path/to/directory> |
- Kubescape extension in Visual Studio Code
The open-source Kubescape extension for VSCode offers real-time alerts for potential security issues as we write YAML files. It highlights problematic lines directly in the manifest, allowing developers to address issues on the spot, removing the need for post-edit scans, and streamlining secure coding within the editor. - Scanning Code Repositories for Misconfigurations and Vulnerabilities
After finalizing the configuration code, it is typically pushed through the CI system, often via the CLI- and a Pull Request (PR) is created to merge into the main codebase. However, from a security perspective, it’s crucial to scan both public and private repositories and container image registries before proceeding with deployment.
Scan Kubernetes manifest files from a Git repository:
|
1 |
kubescape scan https://github.com/kubescape/kubescape |
We can also scan our repository in the ARMO platform
|
1 |
kubescape scan REPOSITORY_LOCATION --account b504efc0-da1a-4d7c-a6a3-62d5c607424a --access-key=50f58148-ad14-45a4-8980-22f85952ddc2 --server api.armosec.io |
Command to scan an image
|
1 |
kubescape scan image --verbose |
|
1 |
kubescape scan image my-image:latest --severity-threshold high |
- Continuous deployment scanning:
After deployment, we can evaluate the security of your resources by running targeted scans on specific namespaces or YAML files using the commands below.
|
1 |
kubescape scan --include-namespaces development,staging,production |
The Control Compliance Score
Measures the adherence to each control within a framework by comparing the number of resources that passed against the total number assessed for that specific control.
|
1 |
kubescape scan --compliance-threshold <SCORE_VALUE[float32]> |
The Framework Compliance Score
It provides an overall assessment of how well the cluster complies with a specific framework, calculated by averaging the compliance scores of all individual controls within that framework
|
1 |
kubescape scan framework <FRAMEWORK_NAME> --compliance-threshold <SCORE_VALUE[float32]> |
Output formats:
JSON:
|
1 |
kubescape scan --format json --format-version v2 --output results.json |
Junit XML:
|
1 |
kubescape scan --format junit --output results.xml |
PDF:
|
1 |
kubescape scan --format pdf --output results.pdf |
Prometheus metrics:
|
1 |
kubescape scan --format prometheus |
HTML:
|
1 |
kubescape scan --format html --output results.html |
Conclusion
Drop a query if you have any questions regarding Kubescape and we will get back to you quickly.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. Is Kubescape free to use?
ANS: – Yes, Kubescape is an open-source tool endorsed by the CNCF.
2. What is the difference between control and framework compliance scores?
ANS: – Control compliance scores measure adherence for specific tests, while framework scores average all related control scores for a full picture.
WRITTEN BY Abhilasha D
Abhilasha D is a Research Associate-DevOps at CloudThat. She is focused on gaining knowledge of Cloud environment and DevOps tools. She has keen interest in learning and researching on emerging technologies.
PREV
Comments