kubescape
kubescape scan
examines charts and kubernetes files for possible issues, best practices and security vulnerabilities.
kubescape documentation
- Version in MegaLinter: 2.9.0
- Visit Official Web Site
Configuration in MegaLinter
- Enable kubescape by adding
KUBERNETES_KUBESCAPE
in ENABLE_LINTERS variable - Disable kubescape by adding
KUBERNETES_KUBESCAPE
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
KUBERNETES_KUBESCAPE_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
KUBERNETES_KUBESCAPE_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
KUBERNETES_KUBESCAPE_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
project |
KUBERNETES_KUBESCAPE_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
[".yml", ".yaml", ".json"] |
KUBERNETES_KUBESCAPE_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
KUBERNETES_KUBESCAPE_PRE_COMMANDS | List of bash commands to run before the linter | None |
KUBERNETES_KUBESCAPE_POST_COMMANDS | List of bash commands to run after the linter | None |
KUBERNETES_KUBESCAPE_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling KUBERNETES_KUBESCAPE and its pre/post commands | None |
KUBERNETES_KUBESCAPE_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
KUBERNETES_KUBESCAPE_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
KUBERNETES_KUBESCAPE_CLI_EXECUTABLE | Override CLI executable | ['kubescape'] |
KUBERNETES_DIRECTORY | Directory containing KUBERNETES files (use any to always activate the linter) |
`` |
IDE Integration
Use kubescape in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Visual Studio Code | Kubescape |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
c_cpp | Optimized for pure C/C++ projects | 54 | ||
cupcake | MegaLinter for the most commonly used languages | 83 | ||
documentation | MegaLinter for documentation projects | 49 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 62 | ||
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 71 | ||
go | Optimized for GO based projects | 51 | ||
java | Optimized for JAVA based projects | 52 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | ||
php | Optimized for PHP based projects | 54 | ||
python | Optimized for PYTHON based projects | 62 | ||
ruby | Optimized for RUBY based projects | 50 | ||
rust | Optimized for RUST based projects | 50 | ||
salesforce | Optimized for Salesforce based projects | 54 | ||
security | Optimized for security | 24 | ||
swift | Optimized for SWIFT based projects | 50 | ||
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- Activated only if sub-directory
` is found. (directory name can be overridden with
KUBERNETES_DIRECTORY`) - Activated only if one of these files is found:
Chart.yml, Chart.yaml
- File extensions:
.yml
,.yaml
,.json
- Detected file content (regex):
apiVersion:
,kustomize\.config\.k8s\.io
,tekton
How the linting is performed
kubescape is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using kubescape configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make kubescape analyze only updated files
Example calls
kubescape scan .
Help content
Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs
Usage:
kubescape [command]
Examples:
# Scan command
kubescape scan
# List supported frameworks
kubescape list frameworks
# Download artifacts (air-gapped environment support)
kubescape download artifacts
# View cached configurations
kubescape config view
Available Commands:
completion Generate autocompletion script
config Handle cached configurations
delete Delete configurations in Kubescape SaaS version
download Download attack-tracks,controls-inputs,exceptions,control,framework,artifacts
fix Fix misconfiguration in files
help Help about any command
list List frameworks/controls will list the supported frameworks and controls
scan Scan the current running cluster or yaml files
submit Submit an object to the Kubescape SaaS version
update Update your version
version Get current version
Flags:
--cache-dir string Cache directory [$KS_CACHE_DIR] (default "/root/.kubescape")
--disable-color Disable Color output for logging
--enable-color Force enable Color output for logging
-h, --help help for kubescape
-l, --logger string Logger level. Supported: debug/info/success/warning/error/fatal [$KS_LOGGER] (default "info")
Use "kubescape [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
RUN ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 && \
curl --retry 5 --retry-delay 5 -sLv https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash -s -- -v v2.9.0
- APK packages (Linux):