--enable-host-scan | disabled | Deploy ARMO Kubernetes host-scanner daemonset in the scanned cluster. It is deleted after collecting the data. This is required to collect data from cluster nodes for certain controls. Full documentation | |
-e/--exclude-namespaces | Scan all namespaces | Namespaces to exclude from scanning. We recommend that you exclude the kube-system and kube-public namespaces. | |
--include-namespaces | Scan all namespaces | Scan specific namespaces. | |
-s/--silent | Display progress messages | Suppress progress messages. | |
-t/--compliance-threshold | 100 (do not fail) | Fail command (return exit code 1) if the result is above the threshold. | 0 -> 100 |
-f/--format | pretty-printer | The output format. | pretty-printer/json/junit/prometheus/pdf |
-o/--output | print to stdout | Save scan result in the file. | |
--use-from | | Load local framework object from the specified path. If not used, it downloads the latest. | |
--use-artifacts-from | | Load artifacts (frameworks, control-config, exceptions) from a local directory. If the flag is not specified, it downloads the artifacts. | |
--use-default | false | Load local framework object from default path. If the flag is not used, it downloads the latest. | true/false |
--exceptions | | Path to an exceptions object (examples). The default downloads exceptions from ARMO Platform. | |
--controls-config | | Path to a controls-config object. If not specified, it downloads controls-config from ARMO Platform. Docs | |
--severity-threshold | | The severity threshold is the severity of failed controls at which the command fails and returns exit code 1. | low / medium / high / critical |
--submit | false | If set, Kubescape sends the scan results to ARMO Platform. By default, the results are not sent. | true/false |
--keep-local | false | Kubescape doesn't send scan results to ARMO Platform. Use this flag if you ran with the --submit flag in the past and do not want to submit your current scan results. | true/false |
--account | | Your ARMO Platform account ID. The default loads the account ID from configMap or a config file. | |
--kube-context | current-context | The cluster context to scan. | |
--verbose | false | Display all of the input resources in addition to failed resources. | true/false |