Kubescape: The 1st Open Source project to support VEX Generation


Vulnerability Exploitability eXchange (VEX) is a vulnerability document designed to complement a Software Bill of Materials (SBOM). It informs users of a software product about the applicability of one or more vulnerability findings.

Security scanners detect and flag components in software that have been identified as vulnerable. Often, however, the software is not actually affected in the way the scanner signals, for many reasons.

For example:

  • The vulnerable component may already have been patched
  • The vulnerable component may not be present
  • The vulnerable code may not actually be executed

The extreme transparency brought by SBOMs into how software is composed will most likely increase the number of these kinds of false positives, requiring an automated solution to avoid an explosion in the false positive rate of security scans. Hence VEX.

Using VEX is a way to turn down the noise and give security practitioners a strong signal: a scanner may consume VEX data from the software supplier. However, writing a VEX document is time consuming, and since it is imperative that these documents stay current, it is a never-ending task. The solution must come via automation.

Kubescape 3.0: Introducing Workload Scanning

Kubescape 3.0 introduces workload scanning, which allows you to comprehensively report on the security posture of individual workloads running in a Kubernetes cluster. This includes both misconfiguration and vulnerability scanning. This scan results in information that gives a 360° assessment of your workload’s security posture.

Watch a short video for a demonstration of workload scanning and its benefits, or read on.

Kubescape 3.0: CLI improvements

In the latest release of Kubescape, we completely overhauled the CLI experience to make it easier and faster for you to improve the security of your clusters.

Watch a short video for a demonstration of the new CLI and its benefits, or read on.

Introducing Kubescape 3.0

We are excited to announce the preview release of Kubescape 3.0, the next generation of the CNCF Kubernetes security posture management tool.

Kubescape 3.0 will add:

  • Compliance and container scan results stored as Kubernetes resources inside the cluster
  • Scanning container images for vulnerabilities from the CLI
  • Reporting on the vulnerabilities of all the images in a cluster
  • A new overview security scan, which helps you set a baseline for cluster security
  • Highlighting of high-risk workloads: those that could do the most damage if they are compromised
  • Improved display output
  • A new capability-based Helm chart
  • Per workload, per namespace and per cluster Prometheus metrics
  • Alerting through Prometheus Alertmanager
  • Sending data outside of the cluster to hosted services

Most of these features have landed already, with some being finished over the next few weeks.

Happy second birthday, Kubescape!

What do you get a piece of software for its second birthday? A brand new blog, of course! And cake. More on the cake later.

Kubescape is an open-source Kubernetes security platform that helps you identify and fix security risks, misconfigurations and vulnerabilities in your Kubernetes clusters. It is a powerful tool that can save you time and effort, and help you keep your Kubernetes deployments secure.