Running a command-line scan

You can scan a cluster using kubescape scan. These are the default options we suggest you start with:

kubescape scan --server
  • --verbose: display all resources, including those that do not trigger a security control
  • --server: creates an account and sends scan results to the ARMO Platform

If you do not specify a certain framework, all frameworks will be tested against.


The RBAC permissions required for Kubescape to scan a cluster are as follows:

kind: ClusterRole
  name: kubescape-role
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "describe", "watch"]
# The host-scanner DaemonSet runs in dedicated namespace applied by kubescape at the begining of the scan. Kubescape will then remove the namespace once the scanning process is done
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["*"]

We are working on listing the exact permissions that Kubescape needs

What’s Next