
Supported frameworks

Kubescape comes with support for the following frameworks:


The nsa framework is built on the Kubernetes Hardening Guide published by the United States National Security Agency and Cybersecurity and Infrastructure Security Agency. Controls in this framework validate adherence to these best practices.


The mitre framework is based on the MITRE ATT&CK® framework, a knowledge base of known tactics, techniques and procedures (TTP) that are involved in cyberattacks. The Threat Matrix for Kubernetes was inspired by MITRE ATT&CK, and contains mitigations specific to Kubernetes environments and attack techniques. Controls in this framework map to the various TTP in the threat matrix.


The CIS family of frameworks is derived from the CIS Kubernetes Benchmarks, a set of secure configuration guidelines developed for Kubernetes.

The frameworks are:

  • cis-v1.23-t1.0.1, for default Kubernetes clusters
  • cis-aks-t1.2.0, for Azure Kubernetes Service
  • cis-eks-t1.2.0, for Amazon Elastic Kubernetes Service

Scanning using a framework

To scan a cluster using a particular framework, use the command kubescape scan framework <framework>. You can specify more than one framework by providing a comma-separated list, such as kubescape scan framework nsa,mitre.

To get a full list of the frameworks that Kubescape supports, run the command kubescape list frameworks.


Before Kubescape 3.0, the default behaviour of kubescape scan was to scan the NSA and MITRE frameworks.

Learn more about scanning.

Using frameworks for compliance

Kubescape uses two metrics to help you use frameworks for validating the compliance of an environment.

The control compliance score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.

The framework compliance score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.

In scan results, you may see the control compliance score listed as Action Required. Some controls require configuration before they can be evaluated; for example, the list of allowed container registries. See Customizing control configuration.
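The two scores described above, worked through on constructed numbers as an added example (not Kubescape's own code or output). It shows that averaging control scores gives a different figure from the share of all resources that passed. The control names, the percentage scale and the choice to leave unconfigured controls out of the average are assumptions made for the illustration.

```python
# Added example: constructed data, not Kubescape code or scan output.
from statistics import mean

# Constructed sample: control name -> (resources passed, resources evaluated).
# None marks a control that still needs configuration ("Action Required").
SAMPLE_RESULTS = {
    "control-a": (198, 200),
    "control-b": (1, 2),
    "control-c": (30, 40),
    "control-d": None,
}


def control_score(passed, total):
    """Control compliance score: percentage of evaluated resources that passed."""
    if total <= 0 or not 0 <= passed <= total:
        raise ValueError("need total > 0 and 0 <= passed <= total")
    return 100.0 * passed / total


def framework_score(results):
    """Framework compliance score: plain average of the control scores.

    Assumption: controls marked None are left out of the average and
    returned separately so they are not mistaken for passes.
    """
    scored = {n: control_score(*c) for n, c in results.items() if c is not None}
    pending = sorted(n for n, c in results.items() if c is None)
    if not scored:
        raise ValueError("no evaluated controls")
    return mean(scored.values()), scored, pending


def pooled_ratio(results):
    """For contrast only: passed resources over all evaluated resources."""
    counts = [c for c in results.values() if c is not None]
    return 100.0 * sum(p for p, _ in counts) / sum(t for _, t in counts)


if __name__ == "__main__":
    score, per_control, pending = framework_score(SAMPLE_RESULTS)
    for name, value in per_control.items():
        print(f"{name}: {value:.1f}%")
    print(f"framework score (mean of control scores): {score:.1f}%")
    print(f"pooled resource ratio, for contrast: {pooled_ratio(SAMPLE_RESULTS):.1f}%")
    print("needs configuration:", ", ".join(pending))
```

Because every control carries equal weight in the average, the two-resource control-b pulls the framework score down far more than its share of resources would suggest.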

Downloading frameworks

To learn how to download the framework data, see the documentation for installing in an air-gapped environment.

Custom frameworks

To learn how to create and use your own custom framework, see the Contributing section of the regolibrary.

You can use a locally defined framework