Integrating with GitLab CI/CD

How to integrate Kubescape with GitLab CI

Use GitLab jobs to scan your YAML files for misconfigurations with Kubescape. Scan results are printed in the job's log.

Add YAML file scanning to your pipeline

Add a .gitlab-ci.yml file to your repository that downloads and runs Kubescape, then view the scan report in the job log.

  1. Create a YAML file in your repository named .gitlab-ci.yml.
  2. Add the following to the file:

```yaml
image: bash:latest
stages:
  - scan
scan:
  stage: scan
  script:
    - apk add curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | bash
    - kubescape scan .
```

This prints the scan results to the job log on GitLab CI/CD's Jobs page.

Fail the job if there are too many security misconfigurations

If you want to use Kubescape as a security gate in your delivery process, you can set up a failure threshold.

For example, if you want to make sure that at least 80% of your objects pass the security checks, add --compliance-threshold 80 to kubescape scan:

```shell
kubescape scan --compliance-threshold 80 .
```

With the threshold set, the job passes only when 80% or more of the security checks pass. If fewer than 80% pass, Kubescape exits with a non-zero status and the job fails.

Scan your entire cluster in your workflow

If you want to scan your entire cluster after applying new YAML, the CI/CD runner must be able to reach the target Kubernetes cluster.

Add a cluster scan

When you create the job to scan your cluster, replace the scan step in the YAML file with the following:

```shell
kubescape scan --exclude-namespaces kube-system,kube-public
```
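A complete pipeline that combines the three pieces described on this page (the manifest scan, the 80% gate, and the post-deploy cluster scan) is shown below as an added example; it is not the Kubescape project's own pipeline. It assumes a GitLab CI/CD variable named KUBECONFIG of type "File" that holds a kubeconfig with read-only access to the target cluster (GitLab writes the variable's content to a temporary file and exports its path as $KUBECONFIG, which Kubescape's standard kubeconfig loading picks up), and the deploy job is only a placeholder for whatever applies your manifests. It also writes the results in Kubescape's junit output format so GitLab shows them as a test report on the merge request, and keeps the report artifact even when the gate fails the job.

```yaml
# Added example for the Kubescape docs page above; it is not the project's own
# pipeline. Assumptions: a GitLab CI/CD variable named KUBECONFIG of type "File"
# holds a kubeconfig with read-only access to the target cluster, and the deploy
# job is a placeholder for your real apply step.
stages:
  - scan
  - deploy
  - cluster-scan

# Shared installer, reused by both scan jobs via `extends`.
.kubescape:
  image: bash:latest
  before_script:
    - apk add --no-cache curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | bash
    - kubescape version   # record in the job log which build produced this verdict

# Gate on every push: fail unless at least 80% of the objects in the repo pass.
scan-manifests:
  extends: .kubescape
  stage: scan
  script:
    - kubescape scan --compliance-threshold 80 --format junit --output kubescape-manifests.xml .
  artifacts:
    when: always          # keep the report even when the threshold fails the job
    reports:
      junit: kubescape-manifests.xml

# Placeholder for the step that applies the manifests; default branch only.
deploy:
  stage: deploy
  script:
    - echo "apply manifests to the cluster here (placeholder)"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Cluster scan after the deploy, with the same gate and the system namespaces
# excluded. The runner reaches the cluster through the $KUBECONFIG file that
# GitLab creates from the File-type variable.
scan-cluster:
  extends: .kubescape
  stage: cluster-scan
  script:
    - kubescape scan --exclude-namespaces kube-system,kube-public --compliance-threshold 80 --format junit --output kubescape-cluster.xml
  artifacts:
    when: always
    reports:
      junit: kubescape-cluster.xml
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The installer line is the one this page uses; it fetches the current install script from the master branch on every run, so for a gate you rely on in production you would want to pin a Kubescape release and verify the binary you run before trusting its verdict. The cluster scan is restricted to the default branch because it needs cluster credentials; keeping those out of jobs triggered by arbitrary branches limits who can reach the cluster through the pipeline.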