Kubescape: A Kubernetes open-source tool providing a multi-cloud K8s single pane of glass

Aug 18, 2021

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning.

Kubescape scans K8s clusters, YAML files, and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®), finding software vulnerabilities, and showing RBAC (role-based access control) violations at early stages of the CI/CD pipeline. It calculates risk scores instantly and shows risk trends over time.

It became one of the fastest-growing Kubernetes security compliance tools among developers due to its easy-to-use CLI, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources.

Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, GitHub workflows, GitLab, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.

Key values with Kubescape

  • Detect Kubernetes misconfigurations and vulnerabilities in less than 1 min
  • Calculate Kubernetes risk score instantly, and see the history of past scans and risk trends over time
  • Identify configuration drifts in real-time
  • Includes multiple security and compliance frameworks - NSA, MITRE, DevOps Best Practices - and allows you to create a customized framework to meet specific needs and requirements
  • Manage exceptions to avoid alert fatigue
  • Integrates natively with DevOps tools, including Jenkins, CircleCI, GitHub workflows, GitLab, Prometheus, Slack
  • Easy-to-use CLI and flexible output formats like JSON and JUnit XML
  • Super-friendly UI to test K8s posture and compliance against policy rules
  • Assisted remediation - Kubescape shows you exactly where your resource has failed and what the cause was. In the Kubescape SaaS version, once you click on a resource, you can see the exact line in the resource definition file (e.g. YAML) that caused the resource to fail
  • Image scanning - scan images for vulnerabilities and easily see, sort and filter (which vulnerability to patch first)
  • RBAC made easy - simplifies RBAC complexity by providing an easy-to-use, easy-to-understand visual graph that shows the RBAC configuration in your cluster. Kubescape comes with built-in queries for the things you need to be aware of in your RBAC configuration

Sign up (free forever) for Kubescape SaaS (UI dashboard) - https://portal.armo.cloud/

How does it work?

Kubescape is based on the OPA engine and ARMO's posture controls. It retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by ARMO. It establishes how well your Kubernetes configurations meet the best practice recommendations from the different frameworks included.

The output results are printed in a "console-friendly" manner by default, but they can also be retrieved in JSON or JUnit format for further processing.

To learn more, visit the Kubescape GitHub page.

Kubescape is an open-source project, and we welcome your feedback and ideas for improvement. We're also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
