Kubescape: A Kubernetes open-source platform providing a multi-cloud Kubernetes single pane of glass
Jul 7, 2022
Kubescape is a Kubernetes open-source platform providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning.
Kubescape scans K8s clusters, Kubernetes manifest files (YAML files and Helm charts), code repositories, container registries and images, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK®), finding software vulnerabilities, and showing RBAC (role-based access control) violations at early stages of the CI/CD pipeline. It calculates risk scores instantly and shows risk trends over time.
It became one of the fastest-growing Kubernetes security compliance tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources.
Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, GitHub workflows, GitLab, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
Key security values with Kubescape
- Define and enforce security policies and best practices – according to different compliance frameworks like the NSA-CISA, MITRE, Kubernetes Best Practices, or create your own custom framework
- Detect and prevent configuration drift – continuously, from development to production throughout the CI/CD pipeline
- Continuous Kubernetes tightening and attack surface reduction – with quick remediation, automatic recommendations, and contextual insights
What makes Kubescape unique?
- Kubescape is the only Kubernetes security assessment solution (commercial and open-source) that scans your:
  - K8s manifest files (YAML, Helm), and
  - API server settings, and
  - Worker node settings

  across your entire SDLC (software development life cycle) – from configurations/development to production
- Kubescape has the largest, widest, and deepest K8s security frameworks and tests from one solution – over 100 security and DevOps controls
- Kubescape dives into K8s and checks your manifest files from the inside – most other solutions and tools check from a CSPM perspective (CSP properties to K8s and not K8s standalone)
- Kubescape is the only open source single-pane-of-glass K8s security product that looks at your K8s in a holistic view – security compliance, risk scoring, misconfigurations, image scanning, and RBAC
- Kubescape is the only product that supports custom frameworks that can be used at any stage in the SDLC (dev -> prod)
- Kubescape is the only product that visualizes RBAC and enables you to investigate RBAC, ask smart questions, and make inquiries
- Assisted remediation – Kubescape is the only product that shows you how to fix your issues with actionable recommendations
- With Kubescape you get real and actionable value in less than 3 minutes
- Embed security natively into your CI/CD – from Code Repositories and Image registries up to deploying clusters
- Contextual insights – infuse image scanning with misconfigurations for better prioritization of critical findings and remediation
- Recurring scan – You can set recurring cluster scanning so you don’t miss out on new CVEs when they emerge
- Easy integration with other DevOps tools – e.g. Kubescape integrates out-of-the-box with Prometheus and others using the different embedded output formats
How does it work?
Kubescape is based on the OPA engine and ARMO’s posture controls. It retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by ARMO. It establishes how well your Kubernetes configurations meet the best practice recommendations from the different frameworks included.
The output results are printed in a “console friendly” manner by default, but they can also be retrieved in JSON or JUnit format for further processing.
Kubescape is an open-source project, and we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.