
Announcements

Introducing a Visual Way to Explore Kubernetes Security: the Kubescape Plugin for Headlamp

Managing security in Kubernetes can feel like navigating a maze. With countless vulnerabilities, policies, and best practices to juggle, it’s easy for developers to get overwhelmed and hard to know where to start. Reporting on your security posture adds another layer of complexity, especially when many open-source tools are highly technical and not user-friendly for the average Kubernetes user.

That’s where Headlamp comes in. Headlamp is an open-source Kubernetes UI that provides an intuitive, visual way to explore and manage your clusters. It helps users of all experience levels understand what’s happening in their environments, surfacing insights that would otherwise require deep command-line expertise.

Announcing the Kubescape Plugin for Headlamp

We’re excited to share the new Kubescape plugin for Headlamp, a game-changer for anyone looking to simplify Kubernetes security management! As Viktor Farcic noted at KubeCon NA 2024, “What Kubescape needs is a GUI.”

This plugin bridges the gap between robust security scanning and accessible, actionable insights. By reading reports from Kubescape, it brings security and compliance data directly into the Headlamp interface. Now, you can view and manage your cluster’s security posture without switching between tools or deciphering command-line outputs.

What Can You Do with the Kubescape Plugin?

The Kubescape plugin enhances Headlamp with dedicated pages and features for:

  • Configuration Scanning: Instantly see compliance and configuration scan results, making it easier to spot and address misconfigurations.

  • Vulnerability Scanning: Get clear insights into vulnerabilities and CVEs (Common Vulnerabilities and Exposures) affecting your clusters and images.

  • Network Policies Viewer: Visualize and manage network policies to strengthen your cluster’s security boundaries.

  • Admission Policies Playground: Test and validate admission policies as recommended by Kubescape. The playground leverages WASM to evaluate CEL expressions in real-time, empowering you to experiment safely.

  • Multi-Tenant Support: Enjoy namespace-specific views for multi-tenant clusters, so teams can focus on what matters to them.

Source: Kubescape plugin for Headlamp PoC

Getting Started: How to Install the Kubescape Plugin

Ready to try it out? Here’s a quick guide to getting the Kubescape plugin up and running in Headlamp.

Kubescape

Follow the Kubescape operator installation procedure and make sure you enable continuous scanning (--set capabilities.continuousScan=enable) and network observability (--set capabilities.networkPolicyService=enable).

Headlamp Desktop App

If you are using Headlamp as a desktop app (Windows, Mac, or Linux), go to the Plugin Catalog (available from the sidebar when in the home view), then look for the Kubescape plugin from the list, click it to see its details, and then click the install button. After the plugin is installed, use the notification to reload Headlamp.

Headlamp Web App

If you are deploying Headlamp as a web app (running in-cluster), you need to add the plugin files to the plugins folder of the headlamp-server. The Helm chart of Headlamp allows you to add an init container that will download the plugin. Please check the instructions at Kubescape plugin for Headlamp.

Acknowledgements & Future

A huge thanks to the Headlamp team for providing an extensible multi-cluster K8s dashboard experience, and to the Kubescape team for building such a powerful tool for security posture management.

The Kubescape plugin for Headlamp is currently in beta and ready for you to test. We’re eager to hear your feedback and ideas, so let us know what you think!

With this new integration, Kubernetes security is more accessible than ever. Dive in, explore your clusters visually, and take control of your security posture today!

Kubescape Now Supports CIS Kubernetes Benchmark v1.10

We're happy to announce that Kubescape has upgraded its security controls to align with the latest CIS Kubernetes Benchmark v1.10, helping you strengthen your cluster security posture with industry-recognized standards.

What's New in CIS Kubernetes Benchmark v1.10?

The CIS Kubernetes Benchmark v1.10.0 delivers significant enhancements to address the evolving security landscape:

  • Comprehensive security recommendations tailored to counter emerging threats
  • Broader component coverage across your Kubernetes infrastructure
  • Clearer control documentation to improve implementation accuracy

Key Improvements Include:

Automated Assessment Content (AAC): Full integration with AAC and expanded compatibility with Kubernetes versions 1.30 and 1.31, streamlining your compliance verification process.

Enhanced Recommendations: 27 recommendations have undergone thorough revision to their audit and remediation procedures.

Upgraded Cryptographic Standards: Modernized cipher specifications that enforce more robust encryption requirements.

Refined Security Context Variables: Updated terminology around 'securityContext' variables to facilitate proper security configuration.

How Kubescape Empowers Your Compliance Journey

With Kubescape's implementation of CIS v1.10, you can:

  • Perform detailed compliance assessments against the latest benchmark
  • Quickly identify compliance gaps between previous and current requirements
  • Follow clear, practical remediation guidance to address vulnerabilities

Take Action Today

Ready to strengthen your Kubernetes security posture? Try Kubescape now to run your first CIS v1.10 compliance scan. See how your clusters measure up against the latest security standards.

Our community forums and documentation are available to support your implementation journey. Join us in making Kubernetes environments more secure, one cluster at a time.

Join the Kubescape community

We welcome your feedback and ideas for improvement. We hold community meetings on Zoom, on the first Tuesday of every month, at 14:00 GMT.

Thanks to all our contributors! Check out our CONTRIBUTING file to learn how to join them.

The Kubescape project follows the CNCF Code of Conduct.

Kubescape's Journey to Incubation: Celebrating our Community and a Secure Kubernetes Future

We are thrilled to share that Kubescape has officially been accepted as a CNCF Incubating project. This milestone is a significant achievement for the project. Kubescape began in 2021 as a fun project to scan for compliance with the NSA-CISA Kubernetes hardening guidelines. What started as a security scanner, helping developers and DevOps teams implement better Kubernetes security practices, evolved into a full security platform. Still helping secure Kubernetes environments 😉

From the very beginning, Kubescape was built with the cloud-native community in mind. It started as a simple CLI tool designed to check cluster configurations against NSA-CISA Kubernetes Hardening Guidance. Over time, with the support of a rapidly growing community, Kubescape has evolved into one of the most complete open-source solutions for Kubernetes security. We are proud to have contributed to its development alongside contributors in the Kubescape community, and to see so many adopters leveraging Kubescape in their day-to-day workflows.

The Kubescape community has been a driving force behind this success. It’s not just the maintainers and contributors that we celebrate but the many users who have adopted and integrated Kubescape into their environments. Companies like Intel, AWS, Bitnami, ARMO, and Energi Danmark are just a few of the organizations using Kubescape. Some use Kubescape to secure their Kubernetes clusters. Others leverage it for educational purposes. Still others have use cases that go beyond what we imagined when we made our first commit. We are grateful for the trust that these adopters, along with hundreds of others, have shown in Kubescape.

As we look toward the future, the Kubescape project is poised for even greater growth. Our roadmap is not just about adding more features, but about continuing to improve usability and optimizing the performance of the platform. We are excited to welcome new contributors and users into the fold as we continue on the hamster-wheel of Kubernetes security.

The Kubescape community is our foundation, and we are committed to fostering a collaborative and inclusive environment where all contributions are valued. With the incredible support of the Cloud Native Computing Foundation (CNCF) and the broader Kubernetes community, we are determined to demonstrate sustained growth, strong governance, and broad adoption on our journey toward CNCF graduation. We believe that this is just the beginning, and we are eager to see where the future takes us.

Together, with the support of these vibrant communities, Kubescape will continue to evolve and grow, offering better security, deeper insights, and an ever-expanding set of features. We invite everyone - whether you are an adopter, contributor, or newcomer - to join us in shaping the future of Kubernetes security.

Kubescape: The 1st Open Source project to support VEX Generation

Introduction

Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed to complement a Software Bill of Materials (SBOM). It informs users of a software product about the applicability of one or more vulnerability findings.

Security scanners detect and flag components in software that have been identified as vulnerable. Often, however, the software is not actually affected in the way the scanner signals, for many reasons.

For example:

  • The vulnerable component may have already been patched.

  • The vulnerable component may not be present.

  • The vulnerable code is not actually executed.

The extreme transparency brought by SBOMs into how software is composed will most likely increase the number of these kinds of false positives, requiring an automated solution to avoid an explosion in the false positive rate of security scans. Hence VEX.

Using VEX is a way to turn down the noise and give security practitioners a strong signal: a scanner may consume VEX data from the software supplier. However, writing a VEX document is time-consuming, and since it is imperative that these documents stay current, it is a never-ending task. The solution must come through automation.
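As an added illustration (not code from the Kubescape project), here is how a scanner-side consumer can apply supplier VEX statements to its own findings. The document follows the OpenVEX v0.2.0 field layout, which is an assumption about the format; every CVE id and the product identifier are constructed placeholders.

```python
# Constructed VEX document using the OpenVEX v0.2.0 field layout (an assumption
# about the format); the CVE ids and the product purl are placeholders, not real.
PRODUCT = "pkg:oci/example-app@sha256:placeholder"
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": PRODUCT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
    ],
}

# Constructed scanner findings for that image: (CVE id, product purl, severity).
# CVE-0000-00004 has no VEX statement and must survive filtering untouched.
FINDINGS = [
    ("CVE-0000-00001", PRODUCT, "HIGH"),
    ("CVE-0000-00002", PRODUCT, "CRITICAL"),
    ("CVE-0000-00003", PRODUCT, "MEDIUM"),
    ("CVE-0000-00004", PRODUCT, "LOW"),
]

# Statuses a consumer may treat as resolved. "affected" and "under_investigation"
# stay visible, and a missing statement is never an implicit "not affected".
SUPPRESSIBLE = {"not_affected", "fixed"}

def index_statements(vex):
    """Map (vulnerability name, product id) -> statement for direct lookup."""
    idx = {}
    for st in vex["statements"]:
        for prod in st["products"]:
            idx[(st["vulnerability"]["name"], prod["@id"])] = st
    return idx

def apply_vex(findings, vex):
    """Split findings into (kept, suppressed); suppressed entries record why."""
    idx = index_statements(vex)
    kept, suppressed = [], []
    for cve, product, severity in findings:
        st = idx.get((cve, product))
        if st and st["status"] in SUPPRESSIBLE:
            # OpenVEX requires a justification for not_affected; fixed carries none.
            reason = st["status"] + ("/" + st["justification"] if "justification" in st else "")
            suppressed.append((cve, reason))
        else:
            kept.append((cve, severity))
    return kept, suppressed
```

Findings with no matching statement, or with a status of affected or under_investigation, are deliberately left in the report, so a stale or incomplete VEX document can only ever under-suppress.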

Kubescape 3.0: Introducing Workload Scanning

Kubescape 3.0 introduces workload scanning, which lets you comprehensively report on the security posture of individual workloads running in a Kubernetes cluster. This covers both misconfiguration and vulnerability scanning, and the result is a 360° assessment of your workload’s security posture.

Watch a short video for a demonstration of workload scanning and its benefits, or read on.

Kubescape 3.0: CLI improvements

In the latest release of Kubescape, we completely overhauled the CLI experience to make it easier and faster for you to improve the security of your clusters.

Watch a short video for a demonstration of the new CLI and its benefits, or read on.

Introducing Kubescape 3.0

We are excited to announce the preview release of Kubescape 3.0, the next generation of the CNCF Kubernetes security posture management tool.

Kubescape 3.0 will add:

  • Compliance and container scan results stored as Kubernetes resources inside the cluster
  • Scanning container images for vulnerabilities from the CLI
  • Reporting on the vulnerabilities of all the images in a cluster
  • A new overview security scan, which helps you set a baseline for cluster security
  • Highlighting of high-risk workloads: those that could do the most damage if they are compromised
  • Improved display output
  • A new capability-based Helm chart
  • Per workload, per namespace and per cluster Prometheus metrics
  • Alerting through Prometheus Alertmanager
  • Sending data outside the cluster to hosted services

Most of these features have landed already, with some being finished over the next few weeks.