Scripts · 14 April 2026 · 1 min read

Kubescape — Kubernetes Security Platform from CNCF

Kubescape scans Kubernetes clusters, YAML manifests, and Helm charts against NSA, CIS, and MITRE frameworks. Built by ARMO and a CNCF Sandbox project, it catches misconfigurations and vulnerabilities before they reach production.

Introduction

Kubescape is a CNCF Sandbox project that gives you a full security picture of your Kubernetes estate — from manifests in Git to live clusters in production. It maps findings to NSA-CISA hardening guidelines, CIS Benchmarks, MITRE ATT&CK, and vulnerability scans via Trivy.

With over 11,000 GitHub stars and 300+ security controls, Kubescape is used by Fortune 500 companies for compliance reporting, CI/CD gating, and runtime posture management. Output integrates with IDEs, GitHub Actions, and Prometheus.

What Kubescape Does

Kubescape runs three scan types: (1) YAML scan — static analysis of manifests/Helm charts; (2) Cluster scan — live cluster posture, RBAC, network policies, runtime; (3) Image scan — vulnerabilities via Trivy integration. Results include severity, fix instructions, and control mapping.

Architecture Overview

[Inputs]
  Manifests / Helm charts
  Live cluster (kubeconfig)
  Container images
        |
   [Kubescape CLI]
        |
   [Rule Engine (Rego/OPA)]
   300+ controls
        |
   [Frameworks]
   NSA-CISA, CIS,
   MITRE ATT&CK, SOC2,
   ArmoBest, DevOpsBest
        |
   [Output]
   JSON, HTML, PDF, SARIF
   IDE extensions
   GitHub Action / PR comments
   Prometheus metrics
        |
   [Kubescape Operator] (optional)
   periodic cluster scans
   runtime threat detection

Self-Hosting & Configuration

# GitHub Action — scan manifests on every PR
name: kubescape
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: kubescape/github-action@main
        with:
          files: 'k8s/**/*.yaml'
          frameworks: nsa,mitre,devopsbest
          failureThreshold: high
          severityThreshold: medium

# In-cluster operator (Helm)
helm repo add kubescape https://kubescape.github.io/helm-charts
helm install kubescape kubescape/kubescape-cloud-operator -n kubescape --create-namespace

# Policy example — fail PR if privileged containers found
kubescape scan --policy "rule:no-privileged-container" --fail-threshold 0
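The "fail the PR if privileged containers are found" gate above is the kind of control Kubescape implements in Rego. The following is an added example, not Kubescape's own code, that shows the same static check written out by hand so the logic is visible: it locates the pod spec inside Pod, Deployment/StatefulSet/DaemonSet/Job/ReplicaSet and CronJob objects, flags privileged containers, missing allowPrivilegeEscalation: false, and host namespace sharing, then applies a severity threshold and returns a non-zero exit status the way a CI step would. The manifests are constructed samples embedded as JSON (Kubernetes accepts JSON manifests, and this keeps the example on the standard library); the rule names and severities are this example's own, not Kubescape control IDs.

```python
"""Static manifest check in the spirit of Kubescape's YAML scan (added example,
not Kubescape code). Walks Kubernetes workload objects, locates the pod spec,
flags privileged containers and host-namespace sharing, and applies a severity
threshold the way a CI gate would."""
import json
import sys

# Workload kinds whose pod spec lives under spec.template.spec.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}

# Example's own severity scale (not Kubescape's control scoring).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def pod_spec(obj):
    """Return the pod spec of a workload object, or None for non-workload kinds."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job_spec.get("template") or {}).get("spec") or {}
    if kind in TEMPLATED_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return None


def findings_for(obj):
    """Evaluate one object and return a list of finding dicts (possibly empty)."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    name = f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name', '<unnamed>')}"
    found = []
    # Sharing a host namespace exposes host processes, network or IPC to the pod.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            found.append({"object": name, "container": None, "severity": "high",
                          "rule": f"no-{flag.lower()}",
                          "fix": f"drop spec.{flag}: true or record a justified exception"})
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        cname = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            found.append({"object": name, "container": cname, "severity": "critical",
                          "rule": "no-privileged-container",
                          "fix": "set securityContext.privileged: false and add only the capabilities needed"})
        # An unset allowPrivilegeEscalation defaults to true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append({"object": name, "container": cname, "severity": "medium",
                          "rule": "no-privilege-escalation",
                          "fix": "set securityContext.allowPrivilegeEscalation: false"})
    return found


def scan(manifests):
    """Run every object through the checks and flatten the findings."""
    return [f for obj in manifests for f in findings_for(obj)]


def at_or_above(findings, threshold):
    """Findings whose severity meets the gate threshold (the CI failure threshold)."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= limit]


# Constructed sample manifests: one privileged, host-PID Deployment, one hardened
# Pod, one CronJob with no securityContext, and a ConfigMap that must be ignored.
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "node-agent"},
   "spec": {"template": {"spec": {"hostPID": true,
     "containers": [{"name": "agent", "image": "example/agent:1.0",
                     "securityContext": {"privileged": true}}]}}}},
  {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
   "spec": {"containers": [{"name": "web", "image": "example/web:1.0",
     "securityContext": {"privileged": false, "allowPrivilegeEscalation": false}}]}},
  {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "report"},
   "spec": {"schedule": "0 * * * *", "jobTemplate": {"spec": {"template": {"spec":
     {"containers": [{"name": "report", "image": "example/report:1.0"}]}}}}}},
  {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "settings"}, "data": {}}
]
""")


def main(threshold="high"):
    """Print every finding and return 1 if any finding meets the threshold, else 0."""
    findings = scan(SAMPLE_MANIFESTS)
    for f in findings:
        where = f["object"] + (f"[{f['container']}]" if f["container"] else "")
        print(f"{f['severity']:<8} {f['rule']:<26} {where}: {f['fix']}")
    blocking = at_or_above(findings, threshold)
    print(f"{len(findings)} finding(s), {len(blocking)} at or above '{threshold}'")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a script and the exit status is the gate: on the samples it reports four findings, two of them at or above "high" (the host-PID flag and the privileged container), so a pipeline step would fail. In a real pipeline you would load the YAML under k8s/ with PyYAML instead of the embedded JSON, or skip the hand-written checks entirely and feed Kubescape's own JSON output to the threshold step.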

Key Features

  • Multi-scope — cluster live state, Git manifests, Helm charts, images
  • Frameworks — NSA-CISA, CIS, MITRE ATT&CK, SOC2, DevOpsBest
  • 300+ controls — Rego/OPA rules, easily extensible
  • Vulnerability scanning — integrates with Trivy for CVE detection
  • IDE plugins — VS Code extension shows findings inline
  • CI/CD integration — GitHub Actions, GitLab, Jenkins, any CLI-capable pipeline
  • Operator mode — in-cluster continuous scanning + runtime detection
  • SARIF output — upload to GitHub Security, code scanning dashboards

Comparison with Similar Tools

Feature            | Kubescape                    | Kubesec       | Polaris        | Trivy         | Falco
-------------------+------------------------------+---------------+----------------+---------------+--------------
Manifest scan      | Yes                          | Yes           | Yes            | Yes           | No
Cluster live scan  | Yes                          | No            | Yes            | Limited       | Yes (runtime)
Image CVE          | Yes (via Trivy)              | No            | No             | Yes (focus)   | No
Runtime detection  | Yes (operator)               | No            | No             | No            | Yes (focus)
Frameworks         | Most (NSA, CIS, MITRE, SOC2) | Basic         | Basic          | CVE-only      | Custom rules
CNCF status        | Sandbox                      | N/A           | N/A            | Graduated     | Graduated
Best for           | All-in-one posture           | Quick scoring | Cluster health | Vuln scanning | Runtime

FAQ

Q: Kubescape vs Falco? A: Different scopes. Kubescape is posture (what could go wrong). Falco is runtime (what is going wrong). Together they cover pre- and post-deployment security.

Q: Kubescape vs Trivy? A: Trivy is the industry standard for vulnerability scanning (images, filesystems, Git repos). Kubescape embeds Trivy for CVEs and adds Kubernetes-specific configuration checks. Kubescape is broader; Trivy is deeper on CVEs.

Q: Can Kubescape enforce policies at admission? A: Kubescape focuses on scanning + reporting. For admission enforcement, pair with Kyverno or OPA Gatekeeper. Many teams use Kubescape for CI gating and Kyverno for cluster admission.

Q: Do I need ARMO's cloud platform? A: No — the open source CLI and operator do everything described here. ARMO's commercial platform adds a SaaS dashboard and team features.
