Flags for kubescape scan command.

--enable-host-scandisabledDeploy ARMO Kubernetes host-scanner daemonset in the scanned cluster. It is deleted after collecting the data. This is required to collect data from cluster nodes for certain controls. Full documentation
-e/--exclude-namespacesScan all namespacesNamespaces to exclude from scanning. We recommend that you exclude the kube-system and kube-public namespaces.
--include-namespacesScan all namespacesScan specific namespaces.
-s/--silentDisplay progress messagesShow silent progress messages.
-t/--fail-threshold100 (do not fail)Fail command (return exit code 1) if the result is above the threshold.0 -> 100
-f/--formatpretty-printerThe output format.pretty-printer/json/junit/prometheus/pdf
-o/--outputprint to stdoutSave scan result in the file.
--use-fromLoad local framework object from the specified path. If not used, it downloads the latest.
--use-artifacts-fromLoad artifacts (frameworks, control-config, exceptions) from a local directory. If the flag is not specified, it downloads the artifacts.
--use-defaultfalseLoad local framework object from default path. If the flag is not used, it downloads the latest.true/false
--exceptionsPath to an exceptions obj, examples. The default downloads exceptions from ARMO Platform.
--controls-configPath to a controls-config obj. If not specified, it downloads controls-config from ARMO Platform. Docs
--severity-thresholdThe severity threshold is the severity of failed controls at which the command fails and returns exit code 1.low / medium / high / critical
--submitfalseIf set, Kubescape sends the scan results to ARMO Platform. By default, the results are not sent.true/false
--keep-localfalseKubescape doesn't send scan results to ARMO Platform. Use this flag if you run with the --submit flag in the past and you do not want to submit your current scan results.true/false
--accountYour ARMO Platform account ID. The default loads the account ID from configMap or a config file.
--kube-contextcurrent-contextThe cluster context to scan.
--verbosefalseDisplay all of the input resources in addition to failed resources.true/false

Global Flags

--loggerstringinfoSpecify logger level.debug/info/success/warning/error/fatal
--cache-dirstring~/.kubescapeCache directoryenv $KS_CACHE_DIR