Kubescape provides security for Kubernetes clusters

Kubescape provides security for Kubernetes clusters

What is Kubescape?

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning.

  • Kubescape scans K8s clusters, YAML files, and HELM charts to locate software vulnerabilities, detect misconfigurations in accordance with several frameworks (such as the NSA-CISA, MITRE ATT&CK), and show RBAC (role-based-access-control) violations at the beginning of the CI/CD pipeline. It rapidly calculates risk scores and displays long-term risk patterns.
  • Due to its user-friendly CLI interface, flexible output formats, and automated scanning capabilities, it quickly became one of the most popular Kubernetes security compliance tools among developers, saving Kubernetes users and administrators valuable time, effort, and resources.
  • Kubescape seamlessly connects with other DevOps tools including Jenkins, CircleCI, GitLab workflows, Prometheus, and Slack. It also supports multi-cloud K8s deployments like EKS, GKE, and AKS.


Installation is very easy, just run the commands in your terminal for respective OS


curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash


Requires powershell v5.0+

iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex

Note: if you get an error, you might need to change the execution policy (i.e. enable Powershell) with

Set-ExecutionPolicy RemoteSigned -scope CurrentUser


 brew tap armosec/kubescape
 brew install kubescape


With a sufficient version of go you can install and build with

go install github.com/armosec/kubescape/v2@latest

Try running kubescape to check installation is complete.

How does it work?

Kubescape is based on OPA engine (Open Policy Agent, is an open source, general purpose policy engine) and ARMO's posture controls.

OPA is purpose built for reasoning about information represented in structured documents. The data that your service and its users publish can be inspected and transformed using OPA’s native query language Rego.

The Kubernetes objects are obtained via the API server, and they are then scanned using a collection of ARMO-developed regos snippets.

Rego was inspired by Datalog, which is a well understood, decades old query language. Rego extends Datalog to support structured document models such as JSON.

It determines how closely your Kubernetes setups follow by the best practice advice provided by the various frameworks included. The output results are printed in a "console friendly" manner by default, but they can be also retrieved in JSON or JUnit format for further processing.

Scanning Your Cluster

Kubernetes connects to your cluster using standard Kubectl config files. Set the KUBECONFIG environment variable in your shell to reference the config file for the cluster you want to scan:

export KUBECONFIG=.kube/my-cluster.yaml

Kubescape will complain that it “failed to load Kubernetes config” if this variable’s not set or the specified file is invalid. Update the KUBECONFIG variable each time you execute Kubescape if you want to scan multiple clusters.

Scans are initiated with the scan command. You need to indicate the hardening framework you want to scan against. Currently, nsa is the only supported option.

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

All the resources in your cluster will be scanned by Kubescape, except those in namespaces that are excluded by the --exclude-namespaces flag. Given that you won't be able to remedy any issues discovered, it is advised that you provide the default Kubernetes namespaces here.

Your first Kubescape scan might take some time as the tool needs to download its framework definitions. These define the tests your cluster is scored against. Once the scan’s complete, you’ll see colorized output in your terminal that details any discovered issues.

Scan Results

A list of the suspect resources, an explanation of the issue, and a suggestion for a fix are all included in the report for each failed test's individual section. A table at the bottom of the report lists all tests that were run, how many resources failed them, and the overall success rate.

Kubescape checks over 20 possible weaknesses based on the NSA-identified list. The NSA’s report provides a description of the covered issues and the rationale for their inclusion. Some of the key problems which Kubescape checks for include:

  • Privilege escalation opportunities
  • Containers running in privileged mode
  • Containers running with dangerous capabilities
  • Exposed Kubernetes Dashboard
  • Containers running as root
  • Credentials contained in configuration files
  • Incorrectly secured control plane

Running Kubescape lets you check your cluster’s health against the current best practice guidelines, giving you more confidence that you’re not putting your data and workloads at risk.

Scanning Manifest Files

Kubescape can work without a cluster connection. You can scan resource manifests stored as local YAML files, letting you check their security before you apply them to your cluster. Add an extra argument after the framework name to specify the files you want to scan:

kubescape scan framework nsa k8s/*.yaml

You can use a URL as the file path to scan files stored remotely, such as in a Git repository.

It’s best to use the default cluster scanning mode when you’re conducting a comprehensive security audit. Manifest scans are ideally incorporated into CI pipelines. Used in this way, you can avoid unintentionally introducing new vulnerabilities as you update your resources and roll them out to your cluster.

Offline Scans

As the framework definitions must be downloaded before a scan can be finished, Kubescape is intended for online use. In order to enable offline scans, the framework can also be manually saved. To prevent it from becoming outdated, attempt to update the file on a regular basis.

Download the NSA framework file:

kubescape download framework nsa --output nsa.json

Now scan your cluster using the downloaded file:

kubescape scan framework nsa --use-from nsa.json

The --use-from flag instructs Kubescape to load framework definitions from the specified file. There’s also --use-default which will try to use the locally cached file in the default location when it’s available. Kubescape falls back to downloading the latest definitions from the server when no file is found.

Output Formats

Kubescape outputs to your terminal by default but can also produce reports in JSON or Junit format. Add the -f flag to specify your desired mode:

kubescape scan framework nsa -f json
kubescape scan framework nsa -f junit

The latter option emits an XML file which can be consumed by test report tools that work with the Junit format. This lets you feed Kubescape scans into your existing test reporting solutions for visualization and aggregation.

Output is emitted to your terminal’s standard output stream, irrespective of the report format you specify. Add the -o flag to supply a file path to save to:

kubescape scan framework nsa -f json -o report.json

Kubescape’s usual progress messages can be disabled with the -s flag. This is helpful in CI scenarios where you don’t want to pollute job logs with ASCII characters.


Kubescape lets you assess the safety of your Kubernetes clusters against the guidelines published by the NSA. A single command from the simple open-source tool allows you to benchmark your environment against more than 20 key checks.


Kunal Kushwaha

Thank you for a reading mate, If you find this article useful, please like, comment, and share it.

Connect with me on :

Did you find this article valuable?

Support WeMakeDevs by becoming a sponsor. Any amount is appreciated!