Kubescape

Kubescape is a comprehensive security scanner that tests Kubernetes clusters against multiple security frameworks including CIS Kubernetes Benchmark, NSA/CISA Kubernetes Hardening Guidance, and MITRE ATT&CK.

What is Kubescape?

Kubescape scans:

  • Kubernetes clusters - Running cluster configurations
  • Manifest files - YAML configurations before deployment
  • Helm charts - Helm chart security
  • Container images - Image vulnerability scanning

Installing Kubescape

Using Homebrew

brew install kubescape

Using Binary

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Scanning Clusters

Scan Current Context

kubescape scan

Scan Specific Framework

kubescape scan framework cis
kubescape scan framework nsa
kubescape scan framework mitre

Scan with JSON Output

kubescape scan --format json --output results.json

Scanning Files

Scan Manifest Files

kubescape scan *.yaml

Scan Directory

kubescape scan /path/to/manifests

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run Kubescape
      uses: kubescape/github-action@master
      with:
        command: scan
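The JSON report from `kubescape scan --format json --output results.json` is what a pipeline step (such as the GitHub Actions job above) needs to turn into a pass/fail decision and a posture trend. The script below is an added example and is not part of the Kubescape project: it reads such a report, lists failed controls from most to least severe, counts them per severity for tracking over time, and returns whether the build should fail for a chosen threshold. The embedded report is a constructed, minimal subset of Kubescape's output (summaryDetails.controls keyed by control ID, each with controlID, name, status, scoreFactor and ResourceCounters); the control IDs and names are placeholders, and the scoreFactor-to-severity mapping is an assumption, so verify both against your own results.json before relying on it.

```python
"""Summarise a Kubescape JSON report and decide whether a CI job should fail.

Added example, not Kubescape's own code. The report layout handled here is an
assumed minimal subset of Kubescape's JSON output; confirm the field names
against a real results.json. The scoreFactor -> severity thresholds are also an
assumption (critical >= 9, high >= 7, medium >= 4, otherwise low).
"""
import json
from collections import Counter

# Constructed sample report: placeholder control IDs/names, not real Kubescape controls.
SAMPLE_REPORT = json.dumps({
    "summaryDetails": {
        "controls": {
            "EX-001": {
                "controlID": "EX-001",
                "name": "Example: privileged container",
                "status": "failed",
                "scoreFactor": 9.0,
                "ResourceCounters": {"failedResources": 2, "passedResources": 10},
            },
            "EX-002": {
                "controlID": "EX-002",
                "name": "Example: missing resource limits",
                "status": "failed",
                "scoreFactor": 7.0,
                "ResourceCounters": {"failedResources": 5, "passedResources": 7},
            },
            "EX-003": {
                "controlID": "EX-003",
                "name": "Example: credentials in config files",
                "status": "passed",
                "scoreFactor": 8.0,
                "ResourceCounters": {"failedResources": 0, "passedResources": 12},
            },
            "EX-004": {
                "controlID": "EX-004",
                "name": "Example: missing labels",
                "status": "failed",
                "scoreFactor": 3.0,
                "ResourceCounters": {"failedResources": 1, "passedResources": 11},
            },
        }
    }
})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def severity(score_factor: float) -> str:
    """Map a control's scoreFactor to a severity label (assumed thresholds)."""
    if score_factor >= 9:
        return "critical"
    if score_factor >= 7:
        return "high"
    if score_factor >= 4:
        return "medium"
    return "low"


def failed_controls(report_json: str) -> list:
    """Return failed controls, highest severity first, then by failing resource count."""
    report = json.loads(report_json)
    controls = report.get("summaryDetails", {}).get("controls", {})
    failed = []
    for ctrl in controls.values():
        if ctrl.get("status") != "failed":
            continue
        counters = ctrl.get("ResourceCounters", {})
        failed.append({
            "id": ctrl.get("controlID"),
            "name": ctrl.get("name"),
            "severity": severity(float(ctrl.get("scoreFactor", 0))),
            "failed_resources": int(counters.get("failedResources", 0)),
        })
    failed.sort(key=lambda c: (SEVERITY_RANK[c["severity"]], c["failed_resources"]),
                reverse=True)
    return failed


def summarize(report_json: str) -> dict:
    """Count failed controls per severity; persist this per run to track posture."""
    counts = Counter(c["severity"] for c in failed_controls(report_json))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def should_fail_build(report_json: str, threshold: str = "high") -> bool:
    """CI gate: True if any failed control is at or above the threshold severity."""
    rank = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[c["severity"]] >= rank for c in failed_controls(report_json))


if __name__ == "__main__":
    import sys
    # Usage: python kubescape_gate.py results.json  (no argument: constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for c in failed_controls(data):
        print(f"{c['severity']:<8} {c['id']:<8} {c['name']} "
              f"({c['failed_resources']} failing resources)")
    print("summary:", summarize(data))
    sys.exit(1 if should_fail_build(data, "high") else 0)
```

Run it after the scan step with the report path as its argument; a non-zero exit fails the job when a high or critical control has failing resources, while medium and low findings are still listed and counted so they can be tracked rather than ignored.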

Best Practices

  1. Scan in CI/CD - Integrate into pipelines
  2. Use multiple frameworks - Scan against CIS, NSA, and MITRE
  3. Fix high-severity issues - Address critical findings first
  4. Regular scans - Scan clusters periodically
  5. Track progress - Monitor security posture over time

See Also