Usage and examples

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape Cloud Platform

kubescape scan --server api.armosec.io

Scan a running Kubernetes cluster with the NSA framework and submit results to the Kubescape Cloud Platform

kubescape scan framework nsa --server api.armosec.io

Scan a running Kubernetes cluster with the MITRE ATT&CK® framework and submit results to the Kubescape Cloud Platform

kubescape scan framework mitre --server api.armosec.io

Scan a running Kubernetes cluster with a specific control, using the control name or control ID (see the list of controls)

kubescape scan control c-0001

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local YAML/JSON files before deploying (see the demonstration)

kubescape scan .

Scan Kubernetes manifest files from a public GitHub repository

kubescape scan https://github.com/kubescape/kubescape

Display all scanned resources (including the resources that passed)

kubescape scan --verbose

Output in JSON format

kubescape scan --format json --output results.json

Output in JUnit XML format

kubescape scan --format junit --output results.xml

Scan with exceptions. Objects with exceptions will be presented as excluded and will not fail (see the full documentation)

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Offline/Air-gapped Environment Support

Video tutorial

It is possible to run Kubescape offline!

Download all artifacts

  1. Download and save in a local directory. If the path is not specified, everything is saved in ~/.kubescape

kubescape download artifacts --output path/to/local/dir

  2. Copy the downloaded artifacts to the air-gapped/offline environment

  3. Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir
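
The download, copy and scan steps above carry policy artifacts across a trust boundary, so it is worth confirming that the directory that arrives is the one that was downloaded. The script below is an added example, not part of Kubescape or its documentation; it assumes `sha256sum` is installed, and the function names and manifest file name are hypothetical.

```shell
#!/bin/sh
# Added example, not Kubescape code. Assumes sha256sum is installed.
# Function names and the manifest file name are hypothetical.

# Connected host: hash every file under artifact dir $1 into manifest $2.
# Keep the manifest outside the directory and copy it along with it.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# Air-gapped host: succeed only if dir $1 matches manifest $2 exactly.
verify_manifest() {
    [ -s "$2" ] || { echo "manifest $2 missing or empty" >&2; return 1; }
    # Changed or missing files fail the hash check.
    ( cd "$1" && sha256sum -c >/dev/null 2>&1 ) < "$2" ||
        { echo "hash mismatch or missing file in $1" >&2; return 1; }
    # sha256sum -c ignores files that are not listed, so compare the lists.
    listed=$(sed 's/^[0-9a-f]*  //' "$2" | LC_ALL=C sort)
    present=$(cd "$1" && find . -type f | LC_ALL=C sort)
    [ "$listed" = "$present" ] ||
        { echo "file in $1 is not in the manifest" >&2; return 1; }
}

# Scan with the copied artifacts only after they verify.
scan_offline() {
    verify_manifest "$1" "$2" || return 1
    kubescape scan --use-artifacts-from "$1"
}

# Usage, following the steps above:
#   kubescape download artifacts --output path/to/local/dir
#   make_manifest path/to/local/dir kubescape-artifacts.sha256
#   (copy the directory and the manifest to the offline environment)
#   scan_offline path/to/local/dir kubescape-artifacts.sha256
```
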

Download a single artifact

You can also download a single artifact and scan it with the --use-from flag

  1. Download and save in a file. If the file name is not specified, it is saved in ~/.kubescape/<framework name>.json

kubescape download framework nsa --output /path/nsa.json

  2. Copy the downloaded artifacts to the air-gapped/offline environment

  3. Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json