Scanning files with the Visual Studio Code extension

ARMO provides a Visual Studio Code extension for Kubescape that you can download through the Visual Studio Marketplace.

The extension installs Kubescape, adds Kubescape commands to the Command Palette, and allows you to configure your scanning options using the extension’s built-in GUI.

By default, files are scanned after they’re saved. Scan results are displayed in the Problems tab in Visual Studio Code. You can also hover over errors in the editor and view details.


Before you begin

While the extension installs Kubescape, we recommend adding Kubescape to your PATH variable. For example:

export PATH=$PATH:/Users/<USER>/.kubescape/bin

Download and install the extension

You can download the extension from the following:

Using the extension

Open the Command Palette and type a command, such as scan. You can type Kubescape to view available commands.

Customize your scans

The Kubescape extension allows you to configure common options using the GUI.

  1. In the Extensions menu, select Kubescape, and click on the gear icon.
  2. Click Extension Settings.

Kubescape: Dir Path

By default the extension downloads a Kubescape binary file to run.

If you want to use a different or custom Kubescape executable, you can use the Dir Path option to point to the other binary file.

Kubescape: Scan On Save

A Kubescape scan can take some time to complete, so you might want to change when Kubescape scans your files.

By default a scan runs after a file is saved. You can restrict this to YAML files only or disable automatic scanning entirely.

If you choose none, you must run a scan manually using the Command Palette.


Frameworks are collections of controls - preventative, detective, or corrective measures that can be taken to avoid, or contain, a security breach.

There are some built-in controls that Kubescape can use by default. The extension downloads the controls locally for offline scanning and to increase scanning speed.

For a list of frameworks you can use with Kubescape, see the Kubescape documentation.

Choosing required frameworks

You can choose which frameworks are necessary by adding their names into the Required Frameworks configuration. This list only ensures that the frameworks in it are available. This list does not determine which frameworks are used to scan your files.

Default: Empty. All available frameworks are downloaded.

View the list of frameworks currently supported by ARMO Platform on the Frameworks page.

Overriding the framework directory

By default, the frameworks are downloaded to the kubescape directory. You can copy or download any framework to this directory.

Alternatively, you can use the Custom Frameworks Dir configuration to choose a different directory.

Default: Not set. Uses the kubescape binary directory.

Specify frameworks for scanning

To specify which frameworks to use for scanning, enter them in the Scan Frameworks configuration.

If the frameworks aren’t downloaded to the frameworks directory, they are downloaded automatically.

Default: Not set. Uses frameworks from the framework directory.

Kubescape: Version Tier

By default, a stable version of Kubescape that has been tested with this extension is downloaded and installed.

If you want to use the latest version, you can set the Version Tier option to latest.