Home

Awesome

Version build Go Report Card Gitpod Ready-to-Code GitHub CNCF Artifact HUB FOSSA Status OpenSSF Best Practices OpenSSF Scorecard Stars Twitter Follow Slack

Kubescape

<picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150"> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150"> <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150"> </picture>

Comprehensive Kubernetes Security from Development to Runtime

Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.

Key features of Kubescape include

By providing this comprehensive security coverage from development to production, Kubescape enables organizations to implement a robust security posture throughout their Kubernetes deployment, addressing potential vulnerabilities and threats at every stage of the application lifecycle.

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.

Please star ⭐ the repo if you want us to continue developing and improving Kubescape! 😀

Demo

Kubescape has a command line tool that you can use to quickly get a report on the security posture of a Kubernetes cluster:

<img src="docs/img/demo-v3.gif">

Getting started

Experimenting with Kubescape is as easy as:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

This script will automatically download the latest Kubescape CLI release and scan the Kubernetes cluster in your current kubectl context.

Learn more about:

Did you know you can use Kubescape in all these places?

<div align="center"> <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster."> </div>

Continuous security monitoring with the Kubescape Operator

As well as a CLI, Kubescape provides an in-cluster mode, which is installed via a Helm chart. Kubescape in-cluster provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. Learn more about the Kubescape operator.

Using Kubescape as a GitHub Action

Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the GitHub Action marketplace.

Under the hood

Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. Kubescape retrieves Kubernetes resources from the API server and runs a set of Rego snippets developed by ARMO.

Container image scanning is powered by Grype and image patching uses Copacetic.

By default, CLI scan results are printed in a console-friendly manner, but they can be:

In-cluster architecture

Architecture diagram

Community

We welcome user feedback and ideas for improvement.

Kubescape users and developers meet on the CNCF Slack. Join it and find us in #kubescape or #kubescape-dev.

We hold community meetings on Zoom, every second Tuesday, at 15:00 CET. (See that in your local time zone.

The Kubescape project follows the CNCF Code of Conduct.

Adopters

See here for a list of reference adopters.

Contributions

Thanks to all our contributors! Check out our CONTRIBUTING file to learn how to join them.

<br> <a href = "https://github.com/kubescape/kubescape/graphs/contributors"> <img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/> </a>

Changelog

Kubescape changes are tracked on the release page.

License

Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project and was contributed by ARMO.

<div align="center"> <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project"> </div>