# Kubescape — Kubernetes Security Platform from CNCF

> Kubescape scans Kubernetes clusters, YAML manifests, and Helm charts against NSA, CIS, and MITRE frameworks. Built by ARMO and a CNCF Sandbox project, it catches misconfigurations and vulnerabilities before they reach production.

## Quick Use

```bash
# Install the CLI (the script is fetched from the project repository over HTTPS; read it before piping it into a shell)
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

# Scan the cluster your current kubeconfig context points at
# (--enable-host-scan deploys a temporary host-sensor DaemonSet for node-level checks, so it needs cluster-admin)
kubescape scan --enable-host-scan --verbose

# Scan manifests or a Helm chart directory locally (paths are positional arguments)
kubescape scan *.yaml
kubescape scan ./charts/my-app

# Target specific frameworks
kubescape scan framework nsa,mitre
kubescape scan framework cis-eks-t1.2.0
```

## Introduction

Kubescape is a CNCF Sandbox project that gives you a single security picture of your Kubernetes estate, from manifests in Git to live clusters in production. It maps findings to the NSA-CISA Kubernetes hardening guidance, CIS Benchmarks, and MITRE ATT&CK, and adds image vulnerability scanning built on Grype.

With over 11,000 GitHub stars and 300+ security controls, Kubescape is used by Fortune 500 companies for compliance reporting, CI/CD gating, and posture management. Results can be surfaced in IDEs, GitHub Actions, and Prometheus.

## What Kubescape Does

Kubescape runs three kinds of scan: (1) **Configuration scan**: static analysis of YAML manifests and Helm charts before deployment; (2) **Cluster scan**: posture of the live cluster, including workload configuration, RBAC, network policies and, with host scanning enabled, node configuration; (3) **Image scan**: known CVEs in container images, built on Grype. Each finding carries a severity, remediation guidance, and the controls and frameworks it maps to. Runtime threat detection is a capability of the in-cluster operator, not of a CLI scan.
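To make the configuration scan concrete, here is an added example (my own illustration, not Kubescape's code: Kubescape's real checks are Rego rules in its regolibrary) showing a weak Deployment beside its hardened form, with a small checker that restates what the pod-hardening controls inspect. The control names used in the output follow Kubescape's where I am confident of them (`kubescape list controls` prints the catalogue); the capabilities check is labelled in my own words. The manifests are constructed sample input, written as Python dicts (the JSON form the API server also accepts) so that no YAML library is needed.

```python
"""Which securityContext fields the pod-hardening controls react to.

Added illustration, not Kubescape's own code. Control names follow
Kubescape's where I am confident of them; "Capabilities not dropped" is my
own label. Manifests are dicts (JSON form) to avoid a YAML dependency.
"""
import copy
from typing import Dict, List

# Constructed sample: a Deployment that trips several controls at once.
WEAK_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {
                        "name": "web",
                        "image": "nginx:1.27",
                        "securityContext": {"privileged": True},
                    }
                ],
            }
        }
    },
}


def pod_spec(obj: Dict) -> Dict:
    """Locate the PodSpec inside a Pod or a pod-template-bearing workload."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
    return obj["spec"]["template"]["spec"]


def harden(workload: Dict) -> Dict:
    """Return a copy of the workload with the settings the controls expect."""
    fixed = copy.deepcopy(workload)
    pod = pod_spec(fixed)
    pod.pop("hostNetwork", None)
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
    return fixed


def check_pod_security(obj: Dict) -> List[str]:
    """Return one 'control: container' string per failed check."""
    pod = pod_spec(obj)
    pod_sc = pod.get("securityContext") or {}
    failures: List[str] = []
    if pod.get("hostNetwork"):
        failures.append("HostNetwork access")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            failures.append(f"Privileged container: {name}")
        # Kubernetes defaults allowPrivilegeEscalation to true, so "unset" is a failure.
        if sc.get("allowPrivilegeEscalation", True):
            failures.append(f"Allow privilege escalation: {name}")
        # Container-level settings override pod-level ones; either runAsNonRoot
        # or a non-zero runAsUser satisfies the non-root check.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and not (run_as_user and run_as_user != 0):
            failures.append(f"Non-root containers: {name}")
        if not sc.get("readOnlyRootFilesystem"):
            failures.append(f"Immutable container filesystem: {name}")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            failures.append(f"Capabilities not dropped: {name}")
    return failures


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", harden(WEAK_DEPLOYMENT))):
        print(label, check_pod_security(manifest) or "clean")
```

The weak manifest fails all six checks from a single `privileged: true` plus `hostNetwork: true` and the Kubernetes defaults; the hardened copy passes them all. The same fields are what a `kubescape scan` of the manifest will flag, which is why fixing them in Git is cheaper than fixing them after admission.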
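For the CI gating described under Self-Hosting & Configuration below, an added example (mine, not Kubescape's code) that reads the JSON report a scan writes with `kubescape scan --format json --output report.json` and fails the job when any control at or above a chosen severity failed. The report field names are an assumption from memory of the v2 report format and the severity bands are the ones I understand Kubescape to apply to `scoreFactor`; verify both against a report from your own version. The embedded report is constructed sample data trimmed to the fields the gate reads.

```python
"""CI gate over a Kubescape JSON report.

Added example, not Kubescape's code. Assumed report shape (verify on your
own `--format json` output):
  summaryDetails.controls -> {controlID: {name, status.status, scoreFactor,
                              statusCounters.failedResources, ...}}
  results[]               -> {resourceID, controls: [{controlID, status.status}]}
Severity is derived from scoreFactor with the bands Kubescape uses
(>= 9 critical, >= 7 high, >= 4 medium, otherwise low).
"""
import json
import sys
from typing import Dict, List

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def severity(score_factor: float) -> str:
    if score_factor >= 9:
        return "critical"
    if score_factor >= 7:
        return "high"
    if score_factor >= 4:
        return "medium"
    return "low"


def failed_controls(report: Dict, at_least: str = "medium") -> List[Dict]:
    """Failed controls at or above a severity, most severe first."""
    floor = SEVERITY_ORDER.index(at_least)
    found = []
    for cid, ctl in report.get("summaryDetails", {}).get("controls", {}).items():
        if ctl.get("status", {}).get("status") != "failed":
            continue
        sev = severity(float(ctl.get("scoreFactor", 0)))
        if SEVERITY_ORDER.index(sev) < floor:
            continue
        found.append({
            "id": cid,
            "name": ctl.get("name", ""),
            "severity": sev,
            "failedResources": ctl.get("statusCounters", {}).get("failedResources", 0),
        })
    return sorted(found, key=lambda f: (-SEVERITY_ORDER.index(f["severity"]), f["id"]))


def failing_resources(report: Dict, control_id: str) -> List[str]:
    """resourceIDs on which the control failed (group/version/namespace/kind/name)."""
    ids = []
    for res in report.get("results", []):
        for ctl in res.get("controls", []):
            if ctl.get("controlID") == control_id and ctl.get("status", {}).get("status") == "failed":
                ids.append(res["resourceID"])
    return sorted(ids)


def gate(report: Dict, threshold: str = "high") -> int:
    """Exit status for CI: 1 when any control at/above threshold failed, else 0."""
    failed = failed_controls(report, threshold)
    for f in failed:
        print(f"[{f['severity'].upper()}] {f['id']} {f['name']} "
              f"({f['failedResources']} resources): {', '.join(failing_resources(report, f['id']))}")
    return 1 if failed else 0


# Constructed sample report, trimmed to the fields the gate reads.
SAMPLE_REPORT = json.loads("""{
  "summaryDetails": {"controls": {
    "C-0057": {"name": "Privileged container", "status": {"status": "failed"},
               "scoreFactor": 8.0, "statusCounters": {"passedResources": 3, "failedResources": 1}},
    "C-0016": {"name": "Allow privilege escalation", "status": {"status": "failed"},
               "scoreFactor": 6.0, "statusCounters": {"passedResources": 2, "failedResources": 2}},
    "C-0013": {"name": "Non-root containers", "status": {"status": "passed"},
               "scoreFactor": 6.0, "statusCounters": {"passedResources": 4, "failedResources": 0}}
  }},
  "results": [
    {"resourceID": "apps/v1/default/Deployment/web",
     "controls": [{"controlID": "C-0057", "status": {"status": "failed"}},
                  {"controlID": "C-0016", "status": {"status": "failed"}}]},
    {"resourceID": "apps/v1/default/Deployment/api",
     "controls": [{"controlID": "C-0057", "status": {"status": "passed"}},
                  {"controlID": "C-0016", "status": {"status": "failed"}}]}
  ]
}""")


if __name__ == "__main__":
    # usage: python gate.py report.json [low|medium|high|critical]
    with open(sys.argv[1]) as fh:
        data = json.load(fh)
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Gating on severity rather than on the raw percentage that `--fail-threshold` uses lets a pipeline block a single high-severity finding while tolerating a backlog of low ones, and the per-resource listing tells the PR author which workload to fix.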
## Architecture Overview

```
[Inputs]
  Manifests / Helm charts
  Live cluster (kubeconfig)
  Container images
        |
[Kubescape CLI]
        |
[Rule Engine (Rego/OPA)]  300+ controls
        |
[Frameworks]  NSA-CISA, CIS, MITRE ATT&CK, SOC2, ArmoBest, DevOpsBest
        |
[Output]
  JSON, HTML, PDF, SARIF
  IDE extensions
  GitHub Action / PR comments
  Prometheus metrics
        |
[Kubescape Operator] (optional)
  periodic cluster scans
  runtime threat detection
```

## Self-Hosting & Configuration

```yaml
# GitHub Action: scan manifests on every PR
name: kubescape
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kubescape/github-action@main
        with:
          files: 'k8s/**/*.yaml'
          frameworks: nsa,mitre,devopsbest
          # failedThreshold is the percentage of failed controls above which the job fails;
          # 0 fails on any failure. severityThreshold fails the job on any failed control
          # at or above the given severity.
          failedThreshold: 0
          severityThreshold: medium
```

```bash
# In-cluster operator (Helm); clusterName labels the scan results
helm repo add kubescape https://kubescape.github.io/helm-charts
helm repo update
helm upgrade --install kubescape kubescape/kubescape-operator \
  -n kubescape --create-namespace \
  --set clusterName="$(kubectl config current-context)"

# Gate a PR on a single control: non-zero exit if any privileged container is found
# (C-0057 is the "Privileged container" control; `kubescape list controls` prints the catalogue)
kubescape scan control C-0057 k8s/ --fail-threshold 0
```

## Key Features

- **Multi-scope** — cluster live state, Git manifests, Helm charts, images
- **Frameworks** — NSA-CISA, CIS, MITRE ATT&CK, SOC2, DevOpsBest
- **300+ controls** — Rego/OPA rules, extensible with your own
- **Vulnerability scanning** — Grype-based CVE detection for container images
- **IDE plugins** — VS Code extension shows findings inline
- **CI/CD integration** — GitHub Actions, GitLab, Jenkins, any CLI-capable pipeline
- **Operator mode** — in-cluster continuous scanning plus runtime detection
- **SARIF output** — upload to GitHub code scanning and similar dashboards

## Comparison with Similar Tools

| Feature | Kubescape | Kubesec | Polaris | Trivy | Falco |
|---|---|---|---|---|---|
| Manifest scan | Yes | Yes | Yes | Yes | No |
| Cluster live scan | Yes | No | Yes | Limited | Yes (runtime) |
| Image CVE | Yes (via Grype) | No | No | Yes (focus) | No |
| Runtime detection | Yes (operator) | No | No | No | Yes (focus) |
| Frameworks | Most (NSA, CIS, MITRE, SOC2) | Basic | Basic | CVE-focused | Custom rules |
| CNCF status | Sandbox | N/A | N/A | N/A (Aqua Security) | Graduated |
| Best for | All-in-one posture | Quick scoring | Cluster health | Vuln scanning | Runtime |

## FAQ

**Q: Kubescape vs Falco?**
A: Different scopes. Kubescape is posture (what could go wrong). Falco is runtime (what is going wrong). Together they cover pre- and post-deployment security.

**Q: Kubescape vs Trivy?**
A: Trivy is a widely used vulnerability scanner for images, filesystems, and Git repos, with some Kubernetes misconfiguration checks. Kubescape's image scanning is built on Grype rather than Trivy, and its main value is the Kubernetes-specific configuration controls and framework mapping. Kubescape is broader on cluster posture; Trivy is deeper on CVEs.

**Q: Can Kubescape enforce policies at admission?**
A: Kubescape focuses on scanning and reporting. For admission enforcement, pair it with Kyverno or OPA Gatekeeper. Many teams use Kubescape for CI gating and Kyverno for cluster admission.

**Q: Do I need ARMO's cloud platform?**
A: No. The open source CLI and operator do everything described here. ARMO's commercial platform adds a SaaS dashboard and team features.

## Sources

- GitHub: https://github.com/kubescape/kubescape
- Docs: https://kubescape.io
- Foundation: CNCF (Sandbox)
- License: Apache-2.0

---

Source: https://tokrepo.com/en/workflows/645c71dd-37c8-11f1-9bc6-00163e2b0d79
Author: Script Depot