Kubescape: Multi-Framework Kubernetes Security Scanning

Introduction
By mid-2023, Kubescape had emerged as a comprehensive multi-framework security scanner for Kubernetes, providing scanning based on CIS Benchmark, NSA/CISA Kubernetes Hardening Guidelines, and MITRE ATT&CK framework. Developed by ARMO (acquired by Microsoft), Kubescape addressed the need for unified security scanning that covered multiple compliance frameworks and threat models.
This mattered because security scanning had become fragmented across multiple tools and frameworks. Teams needed to run kube-bench for CIS compliance, separate tools for NSA/CISA guidelines, and additional tools for threat modeling. Kubescape unified these into a single tool that could scan clusters against multiple frameworks simultaneously.
Historical note: Kubescape was developed by ARMO and gained significant adoption in 2022-2023. Microsoft’s acquisition of ARMO in 2023 validated Kubescape’s importance in the Kubernetes security ecosystem.
Kubescape Features
Multi-Framework Scanning
- CIS Kubernetes Benchmark: Comprehensive CIS Benchmark compliance scanning
- NSA/CISA Guidelines: Scanning based on NSA and CISA Kubernetes Hardening Guidelines
- MITRE ATT&CK: Threat modeling based on MITRE ATT&CK framework
- Custom Frameworks: Support for custom security frameworks
Risk Scoring
- Risk Prioritization: Risk scores help prioritize remediation efforts
- Severity Levels: Categorize findings by severity (Critical, High, Medium, Low)
- Compliance Score: Overall compliance score across frameworks
- Trend Analysis: Track security posture over time
Comprehensive Coverage
- Cluster Configuration: Scan cluster configuration for misconfigurations
- Workload Security: Scan workloads (pods, deployments) for security issues
- RBAC Analysis: Analyze RBAC configurations for security risks
- Network Policies: Evaluate network policy coverage and effectiveness
Comparison: Kubescape vs kube-bench vs Other Scanners
| Capability | Kubescape | kube-bench | Other Scanners |
|---|---|---|---|
| Frameworks | Multiple (CIS, NSA/CISA, MITRE) | CIS only | Varies |
| Risk Scoring | Yes (prioritized) | No | Varies |
| Workload Scanning | Yes | Limited | Varies |
| RBAC Analysis | Yes | Limited | Varies |
| Network Policy | Yes | Limited | Varies |
| Ease of Use | Good | Good | Varies |
| Best For | Comprehensive scanning | CIS compliance | Specific use cases |
Scanning Frameworks
CIS Kubernetes Benchmark
```bash
# Scan with CIS Benchmark
kubescape scan framework cis
# Scan with specific CIS controls
kubescape scan control "C-0001"
```
NSA/CISA Guidelines
```bash
# Scan with NSA/CISA guidelines
kubescape scan framework nsa
# Scan with specific NSA controls
kubescape scan control "NSA-0001"
```
MITRE ATT&CK
```bash
# Scan with MITRE ATT&CK
kubescape scan framework mitre
# Scan specific MITRE techniques
kubescape scan control "T1005"
```
Risk Scoring and Prioritization
Risk Score Calculation
Kubescape calculates risk scores based on:
- Severity: Critical, High, Medium, Low
- Exploitability: How easy it is to exploit the vulnerability
- Impact: Potential impact of exploitation
- Context: Cluster-specific context (exposure, sensitivity)
Compliance Score
```bash
# Get compliance score
kubescape scan --format score
# Output:
# Compliance Score: 78/100
# Failed Controls: 12
# Passed Controls: 45
```
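The risk-scoring and prioritization idea above, worked through on a scan result, as an added example that is not Kubescape's own code: it reads a constructed fragment in the assumed (simplified) shape of Kubescape's JSON output (summaryDetails.controls keyed by control ID, each with a status, a 1-10 scoreFactor and ResourceCounters), bands scoreFactor into the four severity levels, orders failed controls for remediation, and implements the "focus on Critical/High" gate a CI job would apply to the JSON report. The severity bands, control IDs and names are assumptions made here.

```python
import json

# Constructed sample in the assumed (simplified) shape of Kubescape's JSON output.
# Control IDs, names and counts are made up for illustration.
SAMPLE_RESULTS = json.dumps({"summaryDetails": {"complianceScore": 78.0, "controls": {
    "C-0001": {"name": "Forbidden registries", "status": "failed",
               "scoreFactor": 3.0, "ResourceCounters": {"failedResources": 2}},
    "C-0002": {"name": "Privileged containers", "status": "failed",
               "scoreFactor": 8.0, "ResourceCounters": {"failedResources": 5}},
    "C-0003": {"name": "Host network access", "status": "failed",
               "scoreFactor": 9.0, "ResourceCounters": {"failedResources": 1}},
    "C-0004": {"name": "Resource limits", "status": "passed",
               "scoreFactor": 4.0, "ResourceCounters": {"failedResources": 0}},
}}})

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def severity(score_factor):
    """Assumed banding of the 1-10 scoreFactor onto the four severity levels."""
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"

def prioritize(results_json):
    """Failed controls ordered by severity, then by how many resources fail them."""
    controls = json.loads(results_json)["summaryDetails"]["controls"]
    failed = [{"id": cid, "name": c["name"], "severity": severity(c["scoreFactor"]),
               "failed_resources": c["ResourceCounters"]["failedResources"]}
              for cid, c in controls.items() if c["status"] == "failed"]
    failed.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["failed_resources"]))
    return failed

def gate(results_json, max_severity="High", min_score=70.0):
    """CI gate: pass only if no control at or above max_severity fails and the
    overall compliance score is at least min_score."""
    score = json.loads(results_json)["summaryDetails"]["complianceScore"]
    blocking = [f for f in prioritize(results_json)
                if SEVERITY_ORDER[f["severity"]] <= SEVERITY_ORDER[max_severity]]
    return not blocking and score >= min_score

if __name__ == "__main__":
    for f in prioritize(SAMPLE_RESULTS):
        print(f"{f['severity']:<8} {f['id']} {f['name']} ({f['failed_resources']} resources)")
    print("gate passed:", gate(SAMPLE_RESULTS))  # False: C-0003 is Critical, C-0002 High
```

Note that the sample passes the 70-point score threshold yet still fails the gate, which is the point of prioritizing by severity rather than by the headline score alone.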
Integration and Automation
CI/CD Integration
```yaml
# GitHub Actions
name: Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Kubescape
        uses: kubescape/github-action@main
        with:
          framework: cis,nsa
          format: json
          output: results.json
      - name: Upload results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-results
          path: results.json
```
Scheduled Scanning
```bash
# Cron job for regular scanning
0 2 * * * kubescape scan framework cis,nsa --format json > /var/log/kubescape-$(date +\%Y\%m\%d).json
```
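The trend analysis that scheduled scanning enables, as an added example rather than Kubescape's own tooling: it compares two scan reports such as the dated files the cron job writes and reports not just the score change but newly failing controls, fixed controls, and controls that still fail on more resources than before. The JSON shape (summaryDetails.controls with status and ResourceCounters, summaryDetails.complianceScore) is an assumed simplification, and the sample reports are constructed here.

```python
import json

# Constructed samples in the assumed (simplified) shape of Kubescape's JSON output,
# standing in for two dated files written by the cron job above. IDs are made up.
YESTERDAY = json.dumps({"summaryDetails": {"complianceScore": 72.0, "controls": {
    "C-0001": {"status": "failed", "ResourceCounters": {"failedResources": 2}},
    "C-0002": {"status": "failed", "ResourceCounters": {"failedResources": 5}},
    "C-0004": {"status": "passed", "ResourceCounters": {"failedResources": 0}},
}}})
TODAY = json.dumps({"summaryDetails": {"complianceScore": 78.0, "controls": {
    "C-0001": {"status": "passed", "ResourceCounters": {"failedResources": 0}},
    "C-0002": {"status": "failed", "ResourceCounters": {"failedResources": 7}},
    "C-0004": {"status": "failed", "ResourceCounters": {"failedResources": 3}},
}}})

def compliance_score(results_json):
    return json.loads(results_json)["summaryDetails"]["complianceScore"]

def failed_controls(results_json):
    """Map control ID -> number of failing resources, for failed controls only."""
    controls = json.loads(results_json)["summaryDetails"]["controls"]
    return {cid: c["ResourceCounters"]["failedResources"]
            for cid, c in controls.items() if c["status"] == "failed"}

def compare_scans(old_json, new_json):
    """Posture change between two scans: score delta, regressions, fixes, and
    controls that still fail but on more resources than before."""
    old, new = failed_controls(old_json), failed_controls(new_json)
    return {
        "score_delta": compliance_score(new_json) - compliance_score(old_json),
        "new_failures": sorted(set(new) - set(old)),
        "fixed": sorted(set(old) - set(new)),
        "worsened": sorted(c for c in set(old) & set(new) if new[c] > old[c]),
    }

def compare_files(old_path, new_path):
    """Same comparison over two report files, e.g. /var/log/kubescape-YYYYMMDD.json."""
    with open(old_path) as old, open(new_path) as new:
        return compare_scans(old.read(), new.read())

if __name__ == "__main__":
    # The score rose by 6 points, yet C-0004 newly fails and C-0002 got worse:
    # tracking the headline score alone would hide both regressions.
    for key, value in compare_scans(YESTERDAY, TODAY).items():
        print(f"{key}: {value}")
```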
Remediation Guidance
Automated Remediation
Kubescape provides remediation guidance:
```bash
# Get remediation guidance
kubescape scan framework cis --format json | jq '.summaryDetails.remediation'
# Output includes:
# - Specific remediation steps
# - Configuration examples
# - Best practices
```
Policy Enforcement
Kubescape can generate policies for enforcement:
```bash
# Generate Kyverno policies
kubescape scan framework cis --format kyverno > cis-policies-kyverno.yaml
# Generate Gatekeeper policies (written to a separate file so the two do not overwrite each other)
kubescape scan framework cis --format gatekeeper > cis-policies-gatekeeper.yaml
```
Practical Considerations
Framework Selection
- CIS Benchmark: For compliance with CIS standards
- NSA/CISA Guidelines: For government and critical infrastructure
- MITRE ATT&CK: For threat modeling and attack simulation
- Custom Frameworks: For organization-specific requirements
Risk Prioritization
- Focus on Critical/High: Prioritize remediation of critical and high-severity findings
- Context Matters: Consider cluster context when prioritizing (exposure, sensitivity)
- Remediation Effort: Balance risk with remediation effort
Continuous Improvement
- Regular Scanning: Scan clusters regularly to maintain security posture
- Trend Analysis: Track security posture over time
- Policy Updates: Update security policies based on scan results
Getting Started
```bash
# Install Kubescape
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
# Scan cluster with CIS Benchmark
kubescape scan framework cis
# Scan with multiple frameworks
kubescape scan framework cis,nsa
# Generate JSON report
kubescape scan framework cis --format json > results.json
```
Caveats & Lessons Learned
- Framework Updates: Frameworks updated regularly; use latest Kubescape version
- False Positives: Some findings may be false positives; review and verify
- Remediation Effort: Remediation takes time; prioritize based on risk
- Policy Generation: Generated policies may need customization
Common Failure Modes
- “Too many findings”: Overwhelming number of findings; focus on critical/high severity
- “False positives”: Some findings may not be actual issues; verify in context
- “Remediation complexity”: Some remediations are complex; plan carefully
Conclusion
Kubescape’s emergence in 2023 marked a significant advancement in Kubernetes security scanning. It unified multiple security frameworks into a single tool, enabling teams to scan clusters against CIS Benchmark, NSA/CISA guidelines, and MITRE ATT&CK simultaneously. While kube-bench remained popular for CIS compliance, Kubescape provided comprehensive multi-framework scanning that addressed broader security requirements.
For organizations requiring comprehensive security scanning, Kubescape became an essential security tool. It demonstrated that security scanning didn’t have to be fragmented across multiple tools—it could be unified, comprehensive, and prioritized. Kubescape proved that security scanning could be both thorough and actionable, enabling teams to identify and remediate security issues across multiple compliance frameworks and threat models.
The patterns and practices established with Kubescape would influence the development of later security scanning tools and set the foundation for comprehensive, multi-framework security scanning in Kubernetes.