Usage and examples

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape Cloud Platform

kubescape scan --submit

Scan a running Kubernetes cluster with `nsa` framework and submit results to the Kubescape Cloud Platform

kubescape scan framework nsa --submit

Scan a running Kubernetes cluster with `MITRE ATT&CK®` framework and submit results to the Kubescape Cloud Platform

kubescape scan framework mitre --submit

Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls

kubescape scan control "Privileged container"

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local `yaml`/`json` files before deploying. Take a look at the demonstration

kubescape scan *.yaml

Scan Kubernetes manifest files from a public GitHub repository

kubescape scan https://github.com/kubescape/kubescape

Display all scanned resources (including the resources that passed)

kubescape scan --verbose

Output in `json` format

kubescape scan --format json --format-version=v2 --output results.json

Output in `junit xml` format

kubescape scan --format junit --output results.xml

Output in `prometheus` metrics format - Contributed by @Joibel

kubescape scan --format prometheus

Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`

Full documentation

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Offline/Air-gaped Environment Support

Video tutorial

It is possible to run Kubescape offline!

Download all artifacts

Download and save in local directory, if path not specified, will save all in ~/.kubescape

kubescape download artifacts --output path/to/local/dir

Copy the downloaded artifacts to the air-gaped/offline environment
Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir

Download a single artifacts

You can also download a single artifact and scan it with the --use-from flag

Download and save in a file, if the file name is not specified, it will save in ~/.kubescape/<framework name>.json

kubescape download framework nsa --output /path/nsa.json

Copy the downloaded artifacts to the air-gaped/offline environment
Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape Cloud Platform

Scan a running Kubernetes cluster with nsa framework and submit results to the Kubescape Cloud Platform

Scan a running Kubernetes cluster with MITRE ATT&CK® framework and submit results to the Kubescape Cloud Platform

Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls

Scan specific namespaces

Scan cluster and exclude some namespaces

Scan local yaml/json files before deploying. Take a look at the demonstration

Scan Kubernetes manifest files from a public GitHub repository

Display all scanned resources (including the resources that passed)

Output in json format

Output in junit xml format

Output in prometheus metrics format - Contributed by @Joibel

Scan with exceptions, objects with exceptions will be presented as exclude and not fail

Offline/Air-gaped Environment Support

Download all artifacts

Download a single artifacts

Scan a running Kubernetes cluster with `nsa` framework and submit results to the Kubescape Cloud Platform

Scan a running Kubernetes cluster with `MITRE ATT&CK®` framework and submit results to the Kubescape Cloud Platform

Scan local `yaml`/`json` files before deploying. Take a look at the demonstration

Output in `json` format

Output in `junit xml` format

Output in `prometheus` metrics format - Contributed by @Joibel

Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`