Flags

Flags for the kubescape scan command.

| flag | default | description | options |
| --- | --- | --- | --- |
| `--enable-host-scan` | disabled | Deploy the ARMO K8s host-scanner daemonset in the scanned cluster. It will be deleted after collecting the data. Required to collect valuable data from cluster nodes for certain controls. See the full documentation. | |
| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. It is recommended to exclude the kube-system and kube-public namespaces. | |
| `--include-namespaces` | Scan all namespaces | Scan specific namespaces | |
| `-s`/`--silent` | Display progress messages | Silence progress messages | |
| `-t`/`--fail-threshold` | 100 (do not fail) | Fail the command (return exit code 1) if the result is above the threshold | 0 -> 100 |
| `-f`/`--format` | pretty-printer | Output format | pretty-printer/json/junit/prometheus/pdf |
| `-o`/`--output` | print to stdout | Save the scan result in the file | |
| `--use-from` | | Load a local framework object from the specified path. If not used, the latest will be downloaded. | |
| `--use-artifacts-from` | | Load artifacts (frameworks, control-config, exceptions) from a local directory. If not used, they will be downloaded. | |
| `--use-default` | false | Load a local framework object from the default path. If not used, the latest will be downloaded. | true/false |
| `--exceptions` | | Path to an exceptions object (see the examples). By default, exceptions are downloaded from the Kubescape Cloud Platform. | |
| `--controls-config` | | Path to a controls-config object. If not set, controls-config is downloaded from the Kubescape Cloud Platform. See the docs. | |
| `--severity-threshold` | | The severity threshold is the severity of failed controls at which the command fails and returns exit code 1 | low / medium / high / critical |
| `--submit` | false | If set, Kubescape will send the scan results to the Cloud Platform, where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations, and much more. By default, the results are not sent. | true/false |
| `--keep-local` | false | Kubescape will not send scan results to the Cloud Platform. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results. | true/false |
| `--account` | | Cloud Platform account ID. By default, the account ID is loaded from the configMap or config file. | |
| `--kube-context` | current-context | Cluster context to scan | |
| `--verbose` | false | Display all of the input resources and not only failed resources | true/false |

Global Flags

| flag | type | default | description | options |
| --- | --- | --- | --- | --- |
| `--logger` | string | info | Specify logger level. | debug/info/success/warning/error/fatal |
| `--cache-dir` | string | ~/.kubescape | Cache directory | env `$KS_CACHE_DIR` |