Usage and examples
Examples
Scan a running Kubernetes cluster and submit results to the Kubescape Cloud Platform
kubescape scan --server api.armosec.io
Scan a running Kubernetes cluster with nsa
framework and submit results to the Kubescape Cloud Platform
nsa
framework and submit results to the Kubescape Cloud Platformkubescape scan framework nsa --server api.armosec.io
Scan a running Kubernetes cluster with MITRE ATT&CK®
framework and submit results to the Kubescape Cloud Platform
MITRE ATT&CK®
framework and submit results to the Kubescape Cloud Platformkubescape scan framework mitre --server api.armosec.io
Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls
kubescape scan control c-0001
Scan specific namespaces
kubescape scan --include-namespaces development,staging,production
Scan cluster and exclude some namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
kubescape scan .
Scan Kubernetes manifest files from a public GitHub repository
kubescape scan https://github.com/kubescape/kubescape
Display all scanned resources (including the resources that passed)
kubescape scan --verbose
Output in json
format
json
formatkubescape scan --format json --output results.json
Output in junit xml
format
junit xml
formatkubescape scan --format junit --output results.xml
Scan with exceptions, objects with exceptions will be presented as exclude
and not fail
exclude
and not fail
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
Offline/Air-gaped Environment Support
It is possible to run Kubescape offline!
Download all artifacts
- Download and save in local directory, if path not specified, will save all in
~/.kubescape
kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded artifacts
kubescape scan --use-artifacts-from path/to/local/dir
Download a single artifacts
You can also download a single artifact and scan it with the --use-from
flag
- Download and save in a file, if the file name is not specified, it will save in
~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the air-gaped/offline environment
-
Scan using the downloaded framework
kubescape scan framework nsa --use-from /path/nsa.json
Updated 26 days ago