ScriptsApr 14, 2026·3 min read

Kubescape — Kubernetes Security Platform from CNCF

Kubescape scans Kubernetes clusters, YAML manifests, and Helm charts against NSA, CIS, and MITRE frameworks. Built by ARMO and a CNCF Sandbox project, it catches misconfigurations and vulnerabilities before they reach production.

Script Depot
Script Depot · Community

Introduction

Kubescape is a CNCF Sandbox project that gives you a full security picture of your Kubernetes estate — from manifests in Git to live clusters in production. It maps findings to NSA-CISA hardening guidelines, CIS Benchmarks, MITRE ATT&CK, and vulnerability scans via Trivy.

With over 11,000 GitHub stars and 300+ security controls, Kubescape is used by Fortune 500 companies for compliance reporting, CI/CD gating, and runtime posture management. Output integrates with IDEs, GitHub Actions, and Prometheus.

What Kubescape Does

Kubescape runs three scan types: (1) YAML scan — static analysis of manifests/Helm charts; (2) Cluster scan — live cluster posture, RBAC, network policies, runtime; (3) Image scan — vulnerabilities via Trivy integration. Results include severity, fix instructions, and control mapping.

Architecture Overview

[Inputs]
  Manifests / Helm charts
  Live cluster (kubeconfig)
  Container images
        |
   [Kubescape CLI]
        |
   [Rule Engine (Rego/OPA)]
   300+ controls
        |
   [Frameworks]
   NSA-CISA, CIS,
   MITRE ATT&CK, SOC2,
   ArmoBest, DevOpsBest
        |
   [Output]
   JSON, HTML, PDF, SARIF
   IDE extensions
   GitHub Action / PR comments
   Prometheus metrics
        |
   [Kubescape Operator] (optional)
   periodic cluster scans
   runtime threat detection

Self-Hosting & Configuration

# GitHub Action — scan manifests on every PR
name: kubescape
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kubescape/github-action@main
        with:
          files: 'k8s/**/*.yaml'
          frameworks: nsa,mitre,devopsbest
          failureThreshold: high
          severityThreshold: medium
# In-cluster operator (Helm)
helm repo add kubescape https://kubescape.github.io/helm-charts
helm install kubescape kubescape/kubescape-cloud-operator -n kubescape --create-namespace

# Policy example — fail PR if privileged containers found
kubescape scan --policy "rule:no-privileged-container" --fail-threshold 0

Key Features

  • Multi-scope — cluster live state, Git manifests, Helm charts, images
  • Frameworks — NSA-CISA, CIS, MITRE ATT&CK, SOC2, DevOpsBest
  • 300+ controls — Rego/OPA rules, easily extensible
  • Vulnerability scanning — integrates with Trivy for CVE detection
  • IDE plugins — VS Code extension shows findings inline
  • CI/CD integration — GitHub Actions, GitLab, Jenkins, any CLI-capable pipeline
  • Operator mode — in-cluster continuous scanning + runtime detection
  • SARIF output — upload to GitHub Security, code scanning dashboards

Comparison with Similar Tools

Feature Kubescape Kubesec Polaris Trivy Falco
Manifest scan Yes Yes Yes Yes No
Cluster live scan Yes No Yes Limited Yes (runtime)
Image CVE Yes (via Trivy) No No Yes (focus) No
Runtime detection Yes (operator) No No No Yes (focus)
Frameworks Most (NSA, CIS, MITRE, SOC2) Basic Basic CVE-only Custom rules
CNCF status Sandbox N/A N/A Graduated Graduated
Best For All-in-one posture Quick scoring Cluster health Vuln scanning Runtime

FAQ

Q: Kubescape vs Falco? A: Different scopes. Kubescape is posture (what could go wrong). Falco is runtime (what is going wrong). Together they cover pre- and post-deployment security.

Q: Kubescape vs Trivy? A: Trivy is the industry standard for vulnerability scanning (images, filesystems, Git repos). Kubescape embeds Trivy for CVEs and adds Kubernetes-specific configuration checks. Kubescape is broader; Trivy is deeper on CVEs.

Q: Can Kubescape enforce policies at admission? A: Kubescape focuses on scanning + reporting. For admission enforcement, pair with Kyverno or OPA Gatekeeper. Many teams use Kubescape for CI gating and Kyverno for cluster admission.

Q: Do I need ARMO's cloud platform? A: No — the open source CLI and operator do everything described here. ARMO's commercial platform adds a SaaS dashboard and team features.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Invidious — Alternative Privacy-First Frontend for YouTube

Invidious lets you watch YouTube without ads, tracking, or a Google account. It proxies video content and strips all tracking — a self-hostable frontend for YouTube that respects your privacy.

Script Depot

Zulip — Threaded Team Chat That Actually Scales to Thousands of Topics

Zulip is a team chat platform built around threaded topic conversations. It solves the Slack "firehose of channels" problem by making every message belong to a topic — so discussions stay organized, searchable, and catchable hours later.

Script Depot

PhotoPrism — AI-Powered Photo Management for the Self-Hosted Era

PhotoPrism organizes your photo library using AI-powered tagging, face recognition, and location clustering. A polished Google Photos alternative that keeps your photos on your own server.

Script Depot
Home🔍Search👤Me