Flags

Flags for kubescape scan command.

flagdefaultdescriptionoptions
-e/--exclude-namespacesScan all namespacesNamespaces to exclude from scanning. Recommended to exclude kube-system and kube-public namespaces
--include-namespacesScan all namespacesScan specific namespaces
-t/--compliance-threshold100 (do not fail)fail command (return exit code 1) if the result is above the threshold0% -> 100%
-f/--formatpretty-printerOutput formatpretty-printer/json/junit/prometheus/pdf
-o/--outputprint to stdoutSave scan result in the file
--use-fromLoad local framework object from the specified path. If not used will download the latest
--use-artifacts-fromLoad artifacts (frameworks, control-config, exceptions) from a local directory. If not used will download them
--use-defaultfalseLoad local framework object from default path. If not used will download the latesttrue/false
--exceptionsPath to an exceptions obj, examples. The default will download exceptions from Kubescape Cloud Platform
--controls-configPath to a controls-config obj. If not set will download controls-config from the Kubescape Cloud Platform. docs
--severity-thresholdThe severity threshold is the severity of failed controls at which the command fails and returns exit code 1low / medium / high / critical
--keep-localfalseKubescape will not send scan results to the Cloud Platform. Use this flag if you run with the --account flag in the past and you do not want to submit your current scan resultstrue/false
--accountCloud Platform account ID. The default will load the account ID from configMap or config file
--kube-contextcurrent-contextCluster context to scan
--verbosefalseDisplay all of the input resources and not only failed resourcestrue/false

Global Flags

flagtypedefaultdescriptionoptions
--loggerstringinfoSpecify logger level.debug/info/success/warning/error/fatal
--cache-dirstring~/.kubescapeCache directoryenv $KS_CACHE_DIR