Open-source Kubernetes Security: Practical, End-to-End Coverage
Kubescape is an open-source Kubernetes security platform designed to provide practical, end-to-end security for Kubernetes environments. It supports engineers and operators throughout the development and deployment lifecycle, offering tools for configuration scanning, vulnerability assessment, policy enforcement, network policy and seccomp validation, and runtime threat detection.
Key capabilities
- Configuration and vulnerability scanning: Kubescape analyzes Kubernetes manifests, Helm charts, and live clusters for misconfigurations and known vulnerabilities, helping teams identify and remediate issues early and continuously.
- Policy and compliance enforcement: The platform supports multiple security frameworks (including CIS Benchmarks, NSA-CISA, MITRE ATT&CK, SOC 2, and more), enabling teams to validate their clusters and workloads against industry standards and custom policies.
- Network policy and seccomp validation: Kubescape checks for the presence and correctness of network policies and seccomp profiles, helping to enforce least-privilege and reduce attack surface.
- Runtime detection: Beyond static analysis, Kubescape provides runtime monitoring and detection for suspicious activity and threats in active clusters.
- Developer and CI/CD integration: Kubescape integrates with popular IDEs (such as VSCode and Lens) and CI/CD systems (like GitHub Actions and GitLab CI), making it easy to include security checks in development workflows.
- Multi-cloud and distribution support: Kubescape works across major cloud providers and Kubernetes distributions, supporting a wide range of deployment scenarios.
By combining these features in a single open-source project, Kubescape aims to make robust Kubernetes security accessible and practical for engineering teams, from configuration to runtime.
Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) incubating project.
Demo
Please star ⭐ the repo if you want us to continue developing and improving Kubescape! 😀
Getting started
Experimenting with Kubescape is as easy as:
Learn more about:
Did you know you can use Kubescape in all these places?
Under the hood
Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. For image scanning, it uses Grype. For image patching, it uses Copacetic. For eBPF, it uses Inspektor Gadget.
By default, the results are printed in a console-friendly manner, but they can be:
- exported to JSON or JUnit XML
- rendered to HTML or PDF
- submitted to a cloud service
It retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.
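The kind of check a posture control runs against objects pulled from the API server, sketched in Python as an added example (it is not Kubescape's code or one of its Rego controls). The function names and sample Pods are constructed for illustration; the check reports containers whose effective seccomp profile is missing or `Unconfined`.

```python
# Added illustration, not Kubescape code: a posture-style seccomp check.
# All names and the sample Pods below are constructed for this example.
import json

ACCEPTED_TYPES = {"RuntimeDefault", "Localhost"}

def effective_seccomp(pod_spec, container):
    """Return the profile that applies to a container, or None if unset."""
    # A container-level seccompProfile takes precedence over the pod-level one.
    for ctx in (container.get("securityContext"), pod_spec.get("securityContext")):
        profile = (ctx or {}).get("seccompProfile")
        if profile:
            return profile
    return None

def check_pod(pod):
    """Return one finding per container that fails the check."""
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        profile = effective_seccomp(spec, c)
        if profile is None:
            reason = "no seccompProfile set at pod or container level"
        elif profile.get("type") not in ACCEPTED_TYPES:
            reason = f"seccompProfile type is {profile.get('type')}"
        elif profile["type"] == "Localhost" and not profile.get("localhostProfile"):
            reason = "Localhost type without a localhostProfile path"
        else:
            continue
        findings.append({"pod": pod_name, "container": c["name"], "reason": reason})
    return findings

def scan(pods):
    return [finding for pod in pods for finding in check_pod(pod)]

SAMPLE_PODS = [  # constructed input
    {"metadata": {"name": "api"}, "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app"},  # inherits RuntimeDefault from the pod
            {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ]}},
    {"metadata": {"name": "batch"}, "spec": {"containers": [{"name": "worker"}]}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_PODS), indent=2))
```

The `debug` container fails even though its Pod sets `RuntimeDefault`, because the container-level override wins; a check that only inspects the pod-level field would miss it.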
Community
Kubescape is an open source project. We welcome your feedback and ideas for improvement. We are part of the CNCF community and are evolving Kubescape in sync with the security needs of Kubernetes users. To learn more about where Kubescape is heading, please check out our ROADMAP.
If you feel inspired to contribute to Kubescape, check out our CONTRIBUTING file to learn how. You can find the issues we are working on (triage to development) on the Kubescaping board.
- Feel free to pick a task from the board or suggest a feature of your own.
- Open an issue on the board. We aim to respond to all issues within 48 hours.
- Join the CNCF Slack and then our users or developers channel.
The Kubescape project follows the CNCF Code of Conduct.
For more information about the Kubescape community, please visit COMMUNITY.
We would like to take this opportunity to thank all our contributors to date.
License
Copyright 2021-2025, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.
Kubescape is a Cloud Native Computing Foundation (CNCF) incubating project and was contributed by ARMO.
Kubescape is a trademark owned by the Linux Foundation.