Usage and examples

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape SaaS version

kubescape scan --submit

Scan a running Kubernetes cluster with the NSA framework and submit results to the Kubescape SaaS version

kubescape scan framework nsa --submit

Scan a running Kubernetes cluster with the MITRE ATT&CK® framework and submit results to the Kubescape SaaS version

kubescape scan framework mitre --submit

Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls

kubescape scan control "Privileged container"

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local YAML/JSON files before deploying. Take a look at the demonstration

kubescape scan *.yaml

Scan Kubernetes manifest files from a public GitHub repository

kubescape scan https://github.com/armosec/kubescape

Display all scanned resources (including the resources that passed)

kubescape scan --verbose

Output in JSON format

kubescape scan --format json --format-version=v2 --output results.json

Output in JUnit XML format

kubescape scan --format junit --output results.xml

Output in Prometheus metrics format - Contributed by @Joibel

kubescape scan --format prometheus

Scan with exceptions. Objects with exceptions will be presented as excluded, not failed

Full documentation

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Scan Helm charts - Render the Helm chart using helm template and pass the output to Kubescape on stdout

helm template [NAME] [CHART] [flags] --dry-run | kubescape scan -

e.g.

helm template bitnami/mysql --generate-name --dry-run | kubescape scan -

Offline/Air-gapped Environment Support

Video tutorial

It is possible to run Kubescape offline!

Download all artifacts

  1. Download and save in a local directory. If the path is not specified, everything is saved in ~/.kubescape
kubescape download artifacts --output path/to/local/dir
  2. Copy the downloaded artifacts to the air-gapped/offline environment

  3. Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir
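
The copy step above moves the policy artifacts between hosts, and the offline host can confirm they arrived unmodified before scanning with them. The following is an added example, not part of the Kubescape documentation: it assumes sha256sum is available on both hosts, and the function names and the separate manifest file are hypothetical.

```shell
#!/bin/sh
# Added example: integrity-checked transfer of Kubescape artifacts.
# Assumptions: sha256sum exists on both hosts; function names are hypothetical.
# The manifest is kept OUTSIDE the artifact directory and copied alongside it.

# Connected host. $1 = artifact dir, $2 = manifest file to write.
download_and_seal() {
    kubescape download artifacts --output "$1" && seal_artifacts "$1" "$2"
}

# Write one "hash  ./relative/path" line per file under $1 into $2.
seal_artifacts() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# Offline host. Succeeds only if every listed file matches its hash
# and the directory holds no file that is missing from the manifest.
verify_artifacts() {
    [ -d "$1" ] && [ -s "$2" ] || return 1
    manifest=$(cat "$2")
    ( cd "$1" || exit 1
      printf '%s\n' "$manifest" | sha256sum -c - >/dev/null 2>&1 || exit 1
      listed=$(printf '%s\n' "$manifest" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort)
      present=$(find . -type f | LC_ALL=C sort)
      [ "$listed" = "$present" ]
    )
}

# Offline host. Refuse to scan with artifacts that fail verification.
scan_offline() {
    verify_artifacts "$1" "$2" || {
        echo "artifact verification failed: $1" >&2
        return 1
    }
    kubescape scan --use-artifacts-from "$1"
}

# Usage (paths are placeholders):
#   connected host:  download_and_seal path/to/local/dir path/to/local/dir.sha256
#   offline host:    scan_offline path/to/local/dir path/to/local/dir.sha256
```

The manifest only detects changes made after sealing, so it should travel by a channel you trust at least as much as the artifacts themselves.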

Download a single artifact

You can also download a single artifact and scan it with the --use-from flag

  1. Download and save in a file. If the file name is not specified, it is saved in ~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json
  2. Copy the downloaded artifacts to the air-gapped/offline environment

  3. Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json
