kubescape
`kubescape scan` examines Helm charts and Kubernetes manifest files for misconfigurations, best-practice violations and security vulnerabilities.
kubescape documentation
- Version in MegaLinter: 3.0.30
- Visit Official Web Site
Configuration in MegaLinter
- Enable kubescape by adding `KUBERNETES_KUBESCAPE` in the `ENABLE_LINTERS` variable
- Disable kubescape by adding `KUBERNETES_KUBESCAPE` in the `DISABLE_LINTERS` variable
Variable | Description | Default value |
---|---|---|
`KUBERNETES_KUBESCAPE_ARGUMENTS` | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
`KUBERNETES_KUBESCAPE_COMMAND_REMOVE_ARGUMENTS` | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
`KUBERNETES_KUBESCAPE_CLI_LINT_MODE` | Override default CLI lint mode. ⚠️ As the default value is `project`, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | `project` |
`KUBERNETES_KUBESCAPE_FILE_EXTENSIONS` | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".yml", ".yaml", ".json"]` |
`KUBERNETES_KUBESCAPE_FILE_NAMES_REGEX` | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
`KUBERNETES_KUBESCAPE_PRE_COMMANDS` | List of bash commands to run before the linter | None |
`KUBERNETES_KUBESCAPE_POST_COMMANDS` | List of bash commands to run after the linter | None |
`KUBERNETES_KUBESCAPE_UNSECURED_ENV_VARIABLES` | List of env variables explicitly not filtered before calling `KUBERNETES_KUBESCAPE` and its pre/post commands | None |
`KUBERNETES_KUBESCAPE_DISABLE_ERRORS` | Run linter but consider errors as warnings | `false` |
`KUBERNETES_KUBESCAPE_DISABLE_ERRORS_IF_LESS_THAN` | Maximum number of errors allowed | `0` |
`KUBERNETES_KUBESCAPE_CLI_EXECUTABLE` | Override CLI executable | `['kubescape']` |
`KUBERNETES_DIRECTORY` | Directory containing KUBERNETES files (use `any` to always activate the linter) | |
IDE Integration
Use kubescape in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name |
---|---|
Visual Studio Code | Kubescape |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 125 |
c_cpp | Optimized for pure C/C++ projects | 53 |
cupcake | MegaLinter for the most commonly used languages | 85 |
documentation | MegaLinter for documentation projects | 48 |
dotnet | Optimized for C, C++, C# or VB based projects | 61 |
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 70 |
go | Optimized for GO based projects | 50 |
java | Optimized for JAVA based projects | 52 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 58 |
php | Optimized for PHP based projects | 53 |
python | Optimized for PYTHON based projects | 62 |
ruby | Optimized for RUBY based projects | 49 |
rust | Optimized for RUST based projects | 49 |
salesforce | Optimized for Salesforce based projects | 53 |
security | Optimized for security | 24 |
swift | Optimized for SWIFT based projects | 49 |
terraform | Optimized for TERRAFORM based projects | 53 |
Behind the scenes
How applicable files are identified
- Activated only if the sub-directory configured in `KUBERNETES_DIRECTORY` is found (the default is empty; set it to `any` to always activate the linter)
- Activated only if one of these files is found: `Chart.yml`, `Chart.yaml`
- File extensions: `.yml`, `.yaml`, `.json`
- Detected file content (regex): `apiVersion:`, `kustomize\.config\.k8s\.io`, `tekton`
How the linting is performed
- kubescape is called once on the whole project directory (`project` CLI lint mode)
- filtering cannot be done with MegaLinter configuration variables such as `KUBERNETES_KUBESCAPE_FILE_NAMES_REGEX`; it must be done with kubescape's own configuration or ignore file, where one exists
- `VALIDATE_ALL_CODEBASE: false` does not make kubescape analyze only updated files; the whole project is scanned on every run
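A `.mega-linter.yml` fragment that puts the configuration table and the project-mode caveat together, added here as an example (it is not from this page nor from the MegaLinter or kubescape projects). The linter is switched on with the variable from the table, and because MegaLinter's file filters do not narrow a project-mode run, scope and the failure threshold are handed to kubescape itself through `KUBERNETES_KUBESCAPE_ARGUMENTS`. The kubescape flags used (`--severity-threshold`, `--exceptions`, `--format`, `--output`), the exceptions file path and the `megalinter-reports` output folder are assumptions about the kubescape CLI and MegaLinter defaults; this page does not reproduce `kubescape scan --help`.

```yaml
# .mega-linter.yml  (added example; not from this page or the MegaLinter/kubescape projects)

ENABLE_LINTERS:
  - KUBERNETES_KUBESCAPE

# kubescape runs once from the repository root (project lint mode), so the
# per-file MegaLinter filters are not what limits its scope. Everything below
# is appended to `kubescape scan .`; the flags are assumed from the kubescape
# CLI and are not listed on this page.
#   --severity-threshold  fail the run on findings at or above this severity
#   --exceptions          kubescape's own suppression file (assumed path)
#   --format/--output     SARIF for code-scanning upload (assumed report folder)
KUBERNETES_KUBESCAPE_ARGUMENTS: >-
  --severity-threshold high
  --exceptions .kubescape/exceptions.json
  --format sarif
  --output megalinter-reports/kubescape.sarif

# Common mistake, left commented out: a file-name filter does not narrow the
# scan in project mode (see "How the linting is performed").
# KUBERNETES_KUBESCAPE_FILE_NAMES_REGEX: [".*-deployment\\.yaml"]

# While an exceptions file is still being built up, report without failing
# (variable from the configuration table above).
# KUBERNETES_KUBESCAPE_DISABLE_ERRORS: true
```

kubescape's documented behaviour for `--severity-threshold` (assumed from its CLI) is to exit non-zero when a control at or above the threshold fails; MegaLinter reports that as a linter error, which `KUBERNETES_KUBESCAPE_DISABLE_ERRORS` downgrades to a warning. Keep the exceptions file under review like code: it is the only place where findings can be silenced, since MegaLinter's own filters do not apply here.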
Example calls

```shell
kubescape scan .
```
Help content

```text
Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs
Usage:
  kubescape [command]
Examples:
  # Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations
  kubescape scan
  # List supported controls
  kubescape list controls
  # Download artifacts (air-gapped environment support)
  kubescape download artifacts
  # View cached configurations
  kubescape config view
Available Commands:
  completion    Generate autocompletion script
  config        Handle cached configurations
  download      Download artifacts,attack-tracks,control,controls-inputs,exceptions,framework
  fix           Propose a fix for the misconfiguration found when scanning Kubernetes manifest files
  help          Help about any command
  list          List frameworks/controls will list the supported frameworks and controls
  operator      The operator is used to communicate with the Kubescape Operator within the cluster components.
  patch         Patch container images with vulnerabilities
  prerequisites Check prerequisites for installing Kubescape Operator
  scan          Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations
  update        Update to latest release version
  vap           Helper commands for managing Validating Admission Policies in a Kubernetes cluster
  version       Get current version
Flags:
      --cache-dir string      Cache directory [$KS_CACHE_DIR] (default "/root/.kubescape")
  -h, --help                  help for kubescape
      --kube-context string   Kube context. Default will use the current-context
  -l, --logger string         Logger level. Supported: debug/info/success/warning/error/fatal [$KS_LOGGER] (default "info")
      --server string         Backend discovery server URL
Use "kubescape [command] --help" for more information about a command.
```
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
# renovate: datasource=github-tags depName=kubescape/kubescape
ARG KUBERNETES_KUBESCAPE_VERSION=3.0.30
RUN ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 && \
    curl --retry 5 --retry-delay 5 -sLv https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash -s -- -v "v${KUBERNETES_KUBESCAPE_VERSION}"
```

Two details matter for anyone rebuilding this image: `-v "v${KUBERNETES_KUBESCAPE_VERSION}"` pins the kubescape release the installer fetches, but the installer itself is pulled from the mutable `master` branch and piped straight into bash, so the build is reproducible only as far as `install.sh` does not change; and the `libresolv.so.2` symlink satisfies that shared-library dependency of the downloaded binary with the image's own libc.