Usage and examples

Examples

The following are common commands used with Kubescape.

Scan a running Kubernetes cluster and submit results to the ARMO Platform

kubescape scan --create-account

Scan a running Kubernetes cluster with the NSA framework and submit results to the ARMO Platform

kubescape scan framework nsa --create-account

Scan a running Kubernetes cluster with the MITRE ATT&CK® framework and submit results to the ARMO Platform

kubescape scan framework mitre --create-account

Scan a running Kubernetes cluster with a specific control using the control name or control ID

View a list of controls

kubescape scan control "Privileged container"

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local yaml/json files before deploying

View a demo on YouTube.

kubescape scan .

Scan Kubernetes manifest files from a public GitHub repository

kubescape scan https://github.com/kubescape/kubescape

Display all scanned resources

This command includes the resources that passed.

kubescape scan --verbose

Output in json format

kubescape scan --format json --output results.json

Output in junit xml format

kubescape scan --format junit --output results.xml

Output in prometheus metrics format

kubescape scan --format prometheus

Scan with exceptions

Objects with exceptions are presented with the status exclude instead of fail.

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Offline/Air-gapped Environment Support

Video tutorial

You can scan your clusters offline, in an air-gapped environment.

Download all artifacts

  1. Download and save the Kubescape artifacts to a local directory. If the path is not specified, everything is saved in ~/.kubescape

kubescape download artifacts --output path/to/local/dir

  2. Copy the downloaded artifacts to the air-gapped/offline environment.

  3. Scan using the downloaded artifacts.

kubescape scan --use-artifacts-from path/to/local/dir
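
The three steps above, with an integrity check around the copy in step 2. This is an added example, not part of the Kubescape documentation: the SHA256SUMS manifest and the function names are this example's own, it assumes GNU coreutils and findutils, and it uses only the kubescape flags shown on this page.

```shell
#!/bin/sh
# Added example: integrity-checked transfer of Kubescape artifacts across an air gap.
# Assumptions: GNU coreutils/findutils; MANIFEST and the function names below are
# this example's own and not part of Kubescape.
MANIFEST="SHA256SUMS"

# Connected host: record a SHA-256 for every file in the bundle directory.
make_manifest() {
    ( cd "$1" &&
      find . -type f ! -name "$MANIFEST" -print0 | LC_ALL=C sort -z |
      xargs -0 -r sha256sum > "$MANIFEST" )
}

# Air-gapped host: succeed only if every listed file matches and no file was added.
verify_manifest() {
    ( cd "$1" || exit 1
      [ -s "$MANIFEST" ] || exit 1
      sha256sum --quiet --check "$MANIFEST" >/dev/null 2>&1 || exit 1
      listed=$(sed 's/^[0-9a-f]\{64\} [ *]//' "$MANIFEST" | LC_ALL=C sort)
      actual=$(find . -type f ! -name "$MANIFEST" | LC_ALL=C sort)
      [ "$listed" = "$actual" ] )
}

# Step 1 (connected host): download the artifacts, then seal the directory.
export_bundle() {
    kubescape download artifacts --output "$1" && make_manifest "$1"
}

# Step 3 (air-gapped host): refuse to scan with artifacts that fail verification.
offline_scan() {
    if ! verify_manifest "$1"; then
        echo "artifact bundle failed verification: $1" >&2
        return 1
    fi
    kubescape scan --use-artifacts-from "$1"
}
```

A manifest that travels with the bundle catches corruption and partial copies; to resist deliberate modification in transit, carry the hash of SHA256SUMS over a separate channel or sign it.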

Download a single artifact

You can also download a single artifact and use it to scan your cluster with the --use-from flag.

  1. Download and save to a file. If the file name is not specified, it saves as ~/.kubescape/<framework name>.json

kubescape download framework nsa --output /path/nsa.json

  2. Copy the downloaded artifacts to the air-gapped/offline environment.

  3. Scan using the downloaded framework.

kubescape scan framework nsa --use-from /path/nsa.json