Usage and examples
Examples
The following are common commands used with Kubescape.
Scan a running Kubernetes cluster and submit results to the ARMO Platform
kubescape scan --create-account
Scan a running Kubernetes cluster with nsa
framework and submit results to the ARMOPlatform
nsa
framework and submit results to the ARMOPlatformkubescape scan framework nsa --create-account
Scan a running Kubernetes cluster with MITRE ATT&CK®
framework and submit results to the ARMO Platform
MITRE ATT&CK®
framework and submit results to the ARMO Platformkubescape scan framework mitre --create-account
Scan a running Kubernetes cluster with a specific control using the control name or control ID
View a list of controls
kubescape scan control "Privileged container"
Scan specific namespaces
kubescape scan --include-namespaces development,staging,production
Scan cluster and exclude some namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
Scan local yaml
/json
files before deploying
yaml
/json
files before deployingView a demo on YouTube.
kubescape scan .
Scan Kubernetes manifest files from a public GitHub repository
kubescape scan https://github.com/kubescape/kubescape
Display all scanned resources
This command includes the resources that passed.
kubescape scan --verbose
Output in json
format
json
formatkubescape scan --format json --output results.json
Output in junit xml
format
junit xml
formatkubescape scan --format junit --output results.xml
Output in prometheus
metrics format
prometheus
metrics formatkubescape scan --format prometheus
Scan with exceptions
Objects with exceptions are presented as exclude
and not fail
.
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
Offline/Air-gapped Environment Support
You can scan your clusters offline, in an air-gapped environment.
Download all artifacts
- Download and save Kubescape to a local directory. If the path is not specified, everything is saved in
~/.kubescape
kubescape download artifacts --output path/to/local/dir
-
Copy the downloaded artifacts to the air-gapped/offline environment.
-
Scan using the downloaded artifacts.
kubescape scan --use-artifacts-from path/to/local/dir
Download a single artifacts
You can also download a single artifact and use it to scan your cluster with the --use-from
flag.
- Download and save to a file. If the file name is not specified, it saves as
~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
-
Copy the downloaded artifacts to the air-gapped/offline environment.
-
Scan using the downloaded framework.
kubescape scan framework nsa --use-from /path/nsa.json
Updated 10 months ago