Options
Flags
Flags for the kubescape scan command.
| Flag | Default | Description | Options |
|---|---|---|---|
| --enable-host-scan | disabled | Deploy the ARMO Kubernetes host-scanner DaemonSet in the scanned cluster. It is deleted after the data is collected. This is required to collect data from cluster nodes for certain controls. See the full documentation. | |
| -e/--exclude-namespaces | Scan all namespaces | Namespaces to exclude from scanning. We recommend that you exclude the kube-system and kube-public namespaces. | |
| --include-namespaces | Scan all namespaces | Scan specific namespaces. | |
| -s/--silent | Display progress messages | Silence progress messages. | |
| -t/--compliance-threshold | 100 (do not fail) | Fail command (return exit code 1) if the result is above the threshold. | 0 -> 100 |
| -f/--format | pretty-printer | The output format. | pretty-printer/json/junit/prometheus/pdf |
| -o/--output | print to stdout | Save the scan result to a file. | |
| --use-from | | Load local framework object from the specified path. If not used, it downloads the latest. | |
| --use-artifacts-from | | Load artifacts (frameworks, control-config, exceptions) from a local directory. If the flag is not specified, it downloads the artifacts. | |
| --use-default | false | Load local framework object from default path. If the flag is not used, it downloads the latest. | true/false |
| --exceptions | | Path to an exceptions object (see examples). The default downloads exceptions from ARMO Platform. | |
| --controls-config | | Path to a controls-config object. If not specified, it downloads controls-config from ARMO Platform. See the docs. | |
| --severity-threshold | | The severity threshold is the severity of failed controls at which the command fails and returns exit code 1. | low / medium / high / critical |
| --submit | false | If set, Kubescape sends the scan results to ARMO Platform. By default, the results are not sent. | true/false |
| --keep-local | false | Kubescape doesn't send scan results to ARMO Platform. Use this flag if you ran with the --submit flag in the past and you do not want to submit your current scan results. | true/false |
| --account | | Your ARMO Platform account ID. The default loads the account ID from configMap or a config file. | |
| --kube-context | current-context | The cluster context to scan. | |
| --verbose | false | Display all of the input resources in addition to failed resources. | true/false |
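
The flags above combined into a CI gate, as an added example that is not part of the Kubescape documentation. The names `KS_BIN`, `KS_REPORT`, `KS_SEVERITY`, `KS_ARTIFACTS` and `ks_gate` are hypothetical, and treating "non-zero exit with no report written" as a scan error rather than a policy failure is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: CI gate around `kubescape scan`, using only flags from the table.
# All KS_* variables and ks_gate are hypothetical names, not part of Kubescape.
KS_BIN="${KS_BIN:-kubescape}"
KS_REPORT="${KS_REPORT:-kubescape-report.json}"
KS_SEVERITY="${KS_SEVERITY:-high}"      # low / medium / high / critical
KS_ARTIFACTS="${KS_ARTIFACTS:-}"        # optional local artifacts dir (offline runs)

# Return codes: 0 = gate passed
#               1 = a failed control reached the severity threshold
#               2 = no report was written, so the scan itself did not complete
ks_gate() {
  # Build the argument list in the function's positional parameters.
  set -- scan \
    --exclude-namespaces kube-system,kube-public \
    --severity-threshold "$KS_SEVERITY" \
    --format json \
    --output "$KS_REPORT" \
    --keep-local                        # keep results local even if --submit was used before
  if [ -n "$KS_ARTIFACTS" ]; then
    # Load frameworks, control-config and exceptions from disk instead of downloading.
    set -- "$@" --use-artifacts-from "$KS_ARTIFACTS"
  fi

  # Remove any stale report so an old file cannot mask a scan that never ran.
  rm -f -- "$KS_REPORT"

  ks_rc=0
  "$KS_BIN" "$@" || ks_rc=$?

  # Assumption: exit code 1 alone does not tell a threshold failure from a
  # scan error, so the presence of a non-empty report is used to decide.
  if [ ! -s "$KS_REPORT" ]; then
    echo "kubescape wrote no report (exit $ks_rc): scan error, not a policy result" >&2
    return 2
  fi
  if [ "$ks_rc" -ne 0 ]; then
    echo "failed controls at severity '$KS_SEVERITY' or above; see $KS_REPORT" >&2
    return 1
  fi
  return 0
}

# Typical use in a pipeline step:  ks_gate; exit $?
```

Archive the JSON report as a build artifact in all three cases so a failed gate can be triaged without rerunning the scan.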
Global Flags
| Flag | Type | Default | Description | Options |
|---|---|---|---|---|
| --logger | string | info | Specify logger level. | debug/info/success/warning/error/fatal |
| --cache-dir | string | ~/.kubescape | Cache directory | env $KS_CACHE_DIR |
Updated 9 months ago
