Flags

Flags for kubescape scan command.

flagdefaultdescriptionoptions
--enable-host-scandisabledDeploy ARMO K8s host-scanner daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valueable data from cluster nodes for certain controls. Full documentation
-e/--exclude-namespacesScan all namespacesNamespaces to exclude from scanning. Recommended to exclude kube-system and kube-public namespaces
--include-namespacesScan all namespacesScan specific namespaces
-s/--silentDisplay progress messagesSilent progress messages
-t/--fail-threshold100 (do not fail)fail command (return exit code 1) if result is above threshold0 -> 100
-f/--formatpretty-printerOutput formatpretty-printer/json/junit/prometheus/pdf
-o/--outputprint to stdoutSave scan result in file
--use-fromLoad local framework object from specified path. If not used will download latest
--use-artifacts-fromLoad artifacts (frameworks, control-config, exceptions) from local directory. If not used will download them
--use-defaultfalseLoad local framework object from default path. If not used will download latesttrue/false
--exceptionsPath to an exceptions obj, examples. Default will download exceptions from Kubescape SaaS
--controls-configPath to a controls-config obj. If not set will download controls-config from ARMO management portal. docs
--submitfalseIf set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not senttrue/false
--keep-localfalseKubescape will not send scan results to Armo management portal. Use this flag if you ran with the --submit flag in the past and you do not want to submit your current scan resultstrue/false
--accountArmo portal account ID. Default will load account ID from configMap or config file
--kube-contextcurrent-contextCluster context to scan
--verbosefalseDisplay all of the input resources and not only failed resourcestrue/false

Global Flags

flagtypedefaultdescriptionoptions
--loggerstringinfoSpecify logger level.debug/info/success/warning/error/fatal
--cache-dirstring~/.kubescapeCache directoryenv $KS_CACHE_DIR

Did this page help you?