Options
Flags
Flags for kubescape scan command.
| flag | default | description | options |
|---|---|---|---|
--enable-host-scan | disabled | Deploy ARMO K8s host-scanner daemonset in the scanned cluster. It will be deleted after collecting the data. Required to collect valuable data from cluster nodes for certain controls. Full documentation | |
-e/--exclude-namespaces | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude kube-system and kube-public namespaces | |
--include-namespaces | Scan all namespaces | Scan specific namespaces | |
-s/--silent | Display progress messages | Silent progress messages | |
-t/--fail-threshold | 100 (do not fail) | fail command (return exit code 1) if the result is above the threshold | 0 -> 100 |
-f/--format | pretty-printer | Output format | pretty-printer/json/junit/prometheus/pdf |
-o/--output | print to stdout | Save scan result in the file | |
--use-from | Load local framework object from the specified path. If not used will download the latest | ||
--use-artifacts-from | Load artifacts (frameworks, control-config, exceptions) from a local directory. If not used will download them | ||
--use-default | false | Load local framework object from default path. If not used will download the latest | true/false |
--exceptions | Path to an exceptions obj, examples. The default will download exceptions from Kubescape Cloud Platform | ||
--controls-config | Path to a controls-config obj. If not set will download controls-config from the Kubescape Cloud Platform. docs | ||
| --severity-threshold | The severity threshold is the severity of failed controls at which the command fails and returns exit code 1 | low / medium / high / critical | |
--submit | false | If set, Kubescape will send the scan results to the Cloud Platform where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations, and much more. By default, the results are not sent | true/false |
--keep-local | false | Kubescape will not send scan results to the Cloud Platform. Use this flag if you run with the --submit flag in the past and you do not want to submit your current scan results | true/false |
--account | Cloud Platform account ID. The default will load the account ID from configMap or config file | ||
--kube-context | current-context | Cluster context to scan | |
--verbose | false | Display all of the input resources and not only failed resources | true/false |
Global Flags
| flag | type | default | description | options |
|---|---|---|---|---|
--logger | string | info | Specify logger level. | debug/info/success/warning/error/fatal |
--cache-dir | string | ~/.kubescape | Cache directory | env $KS_CACHE_DIR |
Updated 29 days ago