Skip to content

kubescape

downgraded version GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

kubescape scan examines charts and kubernetes files for possible issues, best practices and security vulnerabilities.

kubescape documentation

kubescape - GitHub

Configuration in MegaLinter

Variable Description Default value
KUBERNETES_KUBESCAPE_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
KUBERNETES_KUBESCAPE_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
KUBERNETES_KUBESCAPE_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".yml", ".yaml", ".json"]
KUBERNETES_KUBESCAPE_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
KUBERNETES_KUBESCAPE_PRE_COMMANDS List of bash commands to run before the linter None
KUBERNETES_KUBESCAPE_POST_COMMANDS List of bash commands to run after the linter None
KUBERNETES_KUBESCAPE_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling KUBERNETES_KUBESCAPE and its pre/post commands None
KUBERNETES_KUBESCAPE_DISABLE_ERRORS Run linter but consider errors as warnings false
KUBERNETES_KUBESCAPE_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
KUBERNETES_KUBESCAPE_CLI_EXECUTABLE Override CLI executable ['kubescape']
KUBERNETES_DIRECTORY Directory containing KUBERNETES files (use any to always activate the linter) ``

IDE Integration

Use kubescape in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code Kubescape Install in VSCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 121 Docker Image Size (tag) Docker Pulls
c_cpp Optimized for pure C/C++ projects 55 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 85 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 51 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 64 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 73 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 53 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 55 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 60 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 54 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 51 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 51 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 55 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 51 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 55 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • Activated only if sub-directory ` is found. (directory name can be overridden withKUBERNETES_DIRECTORY`)
  • Activated only if one of these files is found: Chart.yml, Chart.yaml
  • File extensions: .yml, .yaml, .json
  • Detected file content (regex): apiVersion:, kustomize\.config\.k8s\.io, tekton

How the linting is performed

kubescape is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using kubescape configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make kubescape analyze only updated files

Example calls

kubescape scan .

Help content

Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs

Usage:
  kubescape [command]

Examples:

  # Scan command
  kubescape scan

  # List supported frameworks
  kubescape list frameworks

  # Download artifacts (air-gapped environment support)
  kubescape download artifacts

  # View cached configurations
  kubescape config view


Available Commands:
  completion  Generate autocompletion script
  config      Handle cached configurations
  delete      Delete configurations in Kubescape SaaS version
  download    Download controls-inputs,exceptions,control,framework,artifacts,attack-tracks
  fix         Fix misconfiguration in files
  help        Help about any command
  list        List frameworks/controls will list the supported frameworks and controls
  scan        Scan the current running cluster or yaml files
  submit      Submit an object to the Kubescape SaaS version
  update      Update your version
  version     Get current version

Flags:
      --cache-dir string   Cache directory [$KS_CACHE_DIR] (default "/root/.kubescape")
      --disable-color      Disable Color output for logging
      --enable-color       Force enable Color output for logging
  -h, --help               help for kubescape
  -l, --logger string      Logger level. Supported: debug/info/success/warning/error/fatal [$KS_LOGGER] (default "info")

Use "kubescape [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 && \
    curl --retry 5 --retry-delay 5 -sLv https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash -s -- -v v2.9.0