Options
Flags
Flags for kubescape scan command.
| flag | default | description | options |
|---|---|---|---|
--enable-host-scan | disabled | Deploy ARMO K8s host-scanner daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valueable data from cluster nodes for certain controls. Full documentation | |
-e/--exclude-namespaces | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude kube-system and kube-public namespaces | |
--include-namespaces | Scan all namespaces | Scan specific namespaces | |
-s/--silent | Display progress messages | Silent progress messages | |
-t/--fail-threshold | 100 (do not fail) | fail command (return exit code 1) if result is above threshold | 0 -> 100 |
-f/--format | pretty-printer | Output format | pretty-printer/json/junit/prometheus/pdf |
-o/--output | print to stdout | Save scan result in file | |
--use-from | Load local framework object from specified path. If not used will download latest | ||
--use-artifacts-from | Load artifacts (frameworks, control-config, exceptions) from local directory. If not used will download them | ||
--use-default | false | Load local framework object from default path. If not used will download latest | true/false |
--exceptions | Path to an exceptions obj, examples. Default will download exceptions from Kubescape SaaS | ||
--controls-config | Path to a controls-config obj. If not set will download controls-config from ARMO management portal. docs | ||
--submit | false | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | true/false |
--keep-local | false | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the --submit flag in the past and you do not want to submit your current scan results | true/false |
--account | Armo portal account ID. Default will load account ID from configMap or config file | ||
--kube-context | current-context | Cluster context to scan | |
--verbose | false | Display all of the input resources and not only failed resources | true/false |
Global Flags
| flag | type | default | description | options |
|---|---|---|---|---|
--logger | string | info | Specify logger level. | debug/info/success/warning/error/fatal |
--cache-dir | string | ~/.kubescape | Cache directory | env $KS_CACHE_DIR |
Updated about 1 month ago
Did this page help you?