Skip to content

kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

License

Notifications You must be signed in to change notification settings

dwertent/kubescape

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Version build Go Report Card Gitpod Ready-to-Code GitHub CNCF Artifact HUB FOSSA Status OpenSSF Best Practices OpenSSF Scorecard Stars Twitter Follow Slack

Kubescape

Kubescape logo

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Key features of Kubescape include

  • Shift-left security: Kubescape enables developers to scan for misconfigurations as early as the manifest file submission stage, promoting a proactive approach to security.
  • IDE and CI/CD integration: The tool integrates seamlessly with popular IDEs like VSCode and Lens, as well as CI/CD platforms such as GitHub and GitLab, allowing for security checks throughout the development process.
  • Cluster scanning: Kubescape can scan active Kubernetes clusters for vulnerabilities, misconfigurations, and security issues
  • Multiple framework support: Kubescape can test against various security frameworks, including NSA, MITRE, SOC2, and more.
  • YAML and Helm chart validation: The tool checks YAML files and Helm charts for correct configuration according to the frameworks above, without requiring an active cluster.
  • Kubernetes hardening: Kubescape ensures proactive identification and rapid remediation of misconfigurations and vulnerabilities through manual, recurring, or event-triggered scans.
  • Runtime security: Kubescape extends its protection to the runtime environment, providing continuous monitoring and threat detection for deployed applications.
  • Compliance management: The tool aids in maintaining compliance with recognized frameworks and standards, simplifying the process of meeting regulatory requirements.
  • Multi-cloud support: Kubescape offers frictionless security across various cloud providers and Kubernetes distributions.

By providing this comprehensive security coverage from development to production, Kubescape enables organizations to implement a robust security posture throughout their Kubernetes deployment, addressing potential vulnerabilities and threats at every stage of the application lifecycle.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.

Demo

Please star ⭐ the repo if you want us to continue developing and improving Kubescape! 😀

Getting started

Experimenting with Kubescape is as easy as:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Learn more about:

Did you know you can use Kubescape in all these places?

Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.

Kubescape-operator Helm-Chart

Besides the CLI, the Kubescape operator can also be installed via a Helm chart. Installing the Helm chart is an excellent way to begin using Kubescape, as it provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. You can find the Helm chart in the Kubescape-operator documentation.

Kubescape GitHub Action

Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the GitHub Action marketplace.

Under the hood

Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. For image scanning, it uses Grype. For image patching, it uses Copacetic.

By default, the results are printed in a console-friendly manner, but they can be:

  • exported to JSON, junit XML or SARIF
  • rendered to HTML or PDF
  • submitted to a cloud service

It retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.

Architecture

kubescape

Otel collector - is not built-in, Otel endpoint spec is need to be added at setup Setting Otel

Community

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the cloud-native community and are enhancing the project as the ecosystem develops.

We hold community meetings on Zoom, every other week, at 15:00 CET. (See that in your local time zone.

The Kubescape project follows the CNCF Code of Conduct.

Adopters

See here a list of adopters.

Contributions

Thanks to all our contributors! Check out our CONTRIBUTING file to learn how to join them.


Changelog

Kubescape changes are tracked on the release page

License

Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project and was contributed by ARMO.

CNCF Sandbox Project

About

kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 99.1%
  • Other 0.9%