Home

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Key features of Kubescape include

• Shift-left security: Kubescape enables developers to scan for misconfigurations as early as the manifest file submission stage, promoting a proactive approach to security.
• Runtime security: Kubescape extends its protection to the runtime environment, providing continuous monitoring and threat detection for deployed applications and runtime context to posture management.
• IDE and CI/CD integration: The tool integrates seamlessly with popular IDEs like VSCode and Lens, as well as CI/CD platforms such as GitHub and GitLab, allowing for security checks throughout the development process.
• Cluster scanning: Kubescape can scan active Kubernetes clusters for vulnerabilities, misconfigurations, and security issues.
• Multi-framework compliance support: Kubescape can test against many security frameworks, including NSA-CISA Kubernetes Hardening Guidance, MITRE ATT&CK , SOC 2, CIS Benchmarks and more. Thus, simplifying compliance efforts and protetcing from configuration drift.
• YAML and Helm chart validation: The tool checks YAML files and Helm charts for correct configuration according to the frameworks above, without requiring an active cluster.
• Kubernetes hardening: Kubescape ensures proactive identification and rapid remediation of misconfigurations and vulnerabilities through manual, recurring, or event-triggered scans.
• Multi-cloud support: Kubescape offers frictionless security across various cloud providers and Kubernetes distributions.

By providing this comprehensive security coverage from development to runtime, Kubescape enables organizations to ensure a robust security posture throughout their Kubernetes deployment, addressing potential vulnerabilities and threats at every stage of the application lifecycle.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.

Demo

Please star ⭐ the repo if you want us to continue developing and improving Kubescape! 😀

Getting started

Experimenting with Kubescape is as easy as:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Learn more about:

• Installing Kubescape
• Running your first scan
• Usage
• Architecture
• Building Kubescape from source

Did you know you can use Kubescape in all these places?

Under the hood

Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls.
For image scanning, it uses Grype.
For image patching, it uses Copacetic. For eBPF, it uses Inspektor Gadet

By default, the results are printed in a console-friendly manner, but they can be:

• exported to JSON or junit XML
• rendered to HTML or PDF
• submitted to a cloud service

It retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.

Community

Kubescape is an open source project. We welcome your feedback and ideas for improvement. We are part of the CNCF community and are evolving Kubescape in sync with the security needs of Kubernetes users. To learn more about where Kubescape is heading, please check out our ROADMAP.

If you feel inspired to contribute to Kubescape, check out our CONTRIBUTING file to learn how. You can find the issues we are working on (triage to development) on the Kubescaping board

• Feel free to pick a task from the board or suggest a feature of your own.
• Open an issueon the board. We aim to respond to all issues within 48 hours.
• Join the CNCF Slack and then our users or developers channel.

The Kubescape project follows the CNCF Code of Conduct.

For more information about the Kubescape community, please visit COMMUNITY.

We would like to take this opportunity to thank all our contibutors to date.

License

Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project and was contributed by ARMO.

Kubescape is a trademark owned by the Linux Foundation