Kubescape - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters
Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK and the CIS Benchmark).
Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. By default, the results are printed in a console but they can be exported to JSON and PDF.
Kubescape is running the following tests according to what is defined by Kubernetes Hardening Guidance by NSA and CISA.
- Non-root containers
- Immutable container filesystem
- Privileged containers
- hostPID, hostIPC privileges
- hostNetwork access
- allowedHostPaths field
- Protecting pod service account tokens
- Resource policies
- Control plane hardening
- Exposed dashboard
- Allow privilege escalation
- Applications credentials in configuration files
- Cluster-admin binding
- Exec into container
- Dangerous capabilities
- Insecure capabilities
- Linux hardening