Kubescape: The first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks such as the NSA-CISA and the MITRE ATT&CK®

Aug 18, 2021

Kubescape is the first open-source tool for testing whether Kubernetes is deployed securely according to multiple frameworks, such as the NSA-CISA guidance and the MITRE ATT&CK® matrix, and marks the first time that teams can test Kubernetes against multiple frameworks in one single click.

Kubescape scans Kubernetes clusters, YAML files and Helm charts, providing hyper-accurate results and enabling the detection of misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline. It calculates a risk score instantly and shows risk trends over time.

It became one of the fastest-growing Kubernetes security compliance tools among developers thanks to its easy-to-use CLI, flexible output formats and automated scanning capabilities, saving Kubernetes users and admins precious time, effort and resources.

Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, GitHub workflows, GitLab, Prometheus and Slack, and supports multi-cloud Kubernetes deployments such as EKS, GKE and AKS.

Key values with Kubescape

  • Detect Kubernetes misconfigurations and vulnerabilities in less than 1 minute
  • Calculate the Kubernetes risk score instantly; see the history of past scans and risk trends over time
  • Identify configuration drift in real time
  • Includes multiple security and compliance frameworks (NSA, MITRE, DevOps best practices) and lets you create a customized framework to meet specific needs and requirements
  • Manage exceptions and avoid alert fatigue
  • Integrates natively with DevOps tools, including Jenkins, CircleCI, GitHub workflows, GitLab, Prometheus and Slack
  • Easy-to-use CLI and flexible output formats such as JSON and JUnit XML
  • Super-friendly UI to test Kubernetes posture and compliance against policies/rules
  • Personalized control parameters, e.g. in the control that checks the allowed container repositories you can define which image repositories are allowed in your organization
  • Control severity: each control has a severity that is taken into account in the risk score calculation
  • Verbose mode: you can see exactly what Kubescape scanned (fail or pass), including resources that passed and not just the resources that failed
  • Assisted remediation: Kubescape shows you exactly where your resource failed and what the cause was; in the Kubescape SaaS version, once you click on a resource, you can see the exact line in the resource definition file (e.g. YAML) that caused the resource to fail
  • Image scanning: scan images for vulnerabilities and easily view, sort and filter them (which vulnerability to patch first)
  • RBAC made easy: simplifies RBAC complexity by providing an easy-to-use, easy-to-understand visual graph of the RBAC configuration in your cluster. Kubescape comes with built-in queries for things you need to be aware of in your RBAC configuration
  • Requires no in-cluster installation and only read-only privileges

Sign up (free forever) for Kubescape SaaS (UI dashboard) - https://portal.armo.cloud/

How does it work?

Kubescape is based on the OPA engine and ARMO's posture controls. It retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by ARMO. It establishes how well your Kubernetes configuration meets the best-practice recommendations from the different frameworks included.

The results are printed in a "console-friendly" manner by default, but they can also be retrieved in JSON or JUnit format for further processing.
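As an added illustration of the mechanism described above (this is not one of ARMO's own controls and does not follow Kubescape's internal rule format), the following Rego control evaluates a Pod object against a personalized list of allowed image prefixes, the kind of parameter the "allowed container repositories" control exposes; the package name, the parameter name `allowed_prefixes` and the finding fields are assumptions:

```rego
package example.allowedregistries

# Hypothetical control parameter a user would personalise: image prefixes
# permitted in the organisation (registry plus optional namespace, with a
# trailing slash so that "quay.io/myorg-other/" cannot match "quay.io/myorg/").
allowed_prefixes := {"registry.example.internal/", "quay.io/myorg/"}

# Every image in the Pod, paired with the path a finding would point the user
# at (constructed paths, not Kubescape's own failed-path format).
images[entry] {
    some i
    entry := {
        "path": sprintf("spec.containers[%d].image", [i]),
        "image": input.spec.containers[i].image
    }
}

images[entry] {
    some i
    entry := {
        "path": sprintf("spec.initContainers[%d].image", [i]),
        "image": input.spec.initContainers[i].image
    }
}

# An image passes when it starts with one of the allowed prefixes. A bare
# reference such as "nginx" (implicitly docker.io/library/nginx) matches no
# prefix and is therefore reported.
image_allowed(image) {
    prefix := allowed_prefixes[_]
    startswith(image, prefix)
}

# One finding per container (regular or init) whose image is not from an
# allowed registry; an empty set means the Pod passes the control.
deny[finding] {
    entry := images[_]
    not image_allowed(entry.image)
    finding := {
        "message": sprintf("image %q is not from an allowed registry", [entry.image]),
        "failedPath": entry.path
    }
}
```

Run with `opa eval -i pod.json -d control.rego 'data.example.allowedregistries.deny'` against a Pod manifest saved as JSON: a Pod whose only container image is `nginx` yields one finding at `spec.containers[0].image`, while one using `quay.io/myorg/app:1.2` yields none.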

To learn more, visit the Kubescape GitHub page.

Kubescape is an open-source project; we welcome your feedback and ideas for improvement. We are also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
