Get startedSign in
Main
Product
Solutions
Build Securely by DefaultAccelerate Your Path To ComplianceLower Cost & ComplexityAccelerate Kubernetes Adoption
Info
PricingDocsMarketplace
Company
AboutBlogCareersContactCommunity
Plural Menu
Get startedSign in
Back

Kubescape

Multi-cloud K8s single pane of glass for security.

Available providers

Why use Kubescape on Plural?

Plural helps you deploy and manage the lifecycle of open-source applications on Kubernetes. Our platform combines the scalability and observability benefits of managed SaaS with the data security, governance, and compliance benefits of self-hosting Kubescape.

If you need more than just Kubescape, look for other cloud-native and open-source tools in our marketplace of curated applications to leapfrog complex deployments and get started quickly.

GitHubInstalling Kubescape docs

Deploying Kubescape is a matter of executing these 3 commands:

plural bundle install kubescape kubescape-aws
plural build
plural deploy --commit "deploying kubescape"
Read the install documentation
logo

build Go Report Card Gitpod Ready-to-Code

:sunglasses: Want to contribute? :innocent:

Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.

It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.


Kubescape CLI:


TL;DR

Install:

sh
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

OR:

Install on windows

Install on macOS

Install on NixOS or Linux/macOS via nix

Run:

sh
kubescape scan --submit --enable-host-scan --verbose

Kubescape is an open source project. We welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.


Architecture in short

CLI

Operator

Please star ⭐ the repo if you want us to continue developing and improving Kubescape 😀


Being a part of the team

Community

We invite you to our community! We are excited about this project and want to return the love we get.

We hold community meetings in Zoom on the first Tuesday of every month at 14:00 GMT! :sunglasses:

Contributions

Want to contribute? Want to discuss something? Have an issue? Please make sure that you follow our Code Of Conduct .

  • Feel free to pick a task from the issues, roadmap or suggest a feature of your own. Contact us directly for more information :)
  • Open an issue , we are trying to respond within 48 hours
  • Join us in the discussion on our discord server!

logo discord

Options and examples

Kubescape docs

Playground

Tutorials

Install on Windows

Windows

Requires powershell v5.0+

powershell
iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex

Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with

powershell
Set-ExecutionPolicy RemoteSigned -scope CurrentUser

Install on macOS

MacOS
  1. sh
    brew tap kubescape/tap
  2. sh
    brew install kubescape-cli

Install on NixOS or with nix (Community)

Nix/NixOS

Direct issues installing kubescape via nix through the channels mentioned here

You can use nix on Linux or macOS and on other platforms unofficially.

Try it out in an ephemeral shell: nix-shell -p kubescape

Install declarative as usual

NixOS:

nix
# your other config ...
  environment.systemPackages = with pkgs; [
    # your other packages ...
    kubescape
  ];

home-manager:

nix
# your other config ...
  home.packages = with pkgs; [
    # your other packages ...
    kubescape
  ];

Or to your profile (not preferred): nix-env --install -A nixpkgs.kubescape

Usage & Examples

Examples

Scan a running Kubernetes cluster and submit results to the Kubescape SaaS version

kubescape scan --submit --enable-host-scan  --verbose

Read here more about the enable-host-scan flag

Scan a running Kubernetes cluster with nsa framework and submit results to the Kubescape SaaS version

kubescape scan framework nsa --submit

Scan a running Kubernetes cluster with MITRE ATT&CK® framework and submit results to the Kubescape SaaS version

kubescape scan framework mitre --submit

Scan a running Kubernetes cluster with a specific control using the control name or control ID. List of controls

kubescape scan control "Privileged container"

Scan using an alternative kubeconfig file

kubescape scan --kubeconfig cluster.conf

Scan specific namespaces

kubescape scan --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local yaml/json files before deploying. Take a look at the demonstration. Submit the results in case the directory is a git repo. docs

kubescape scan *.yaml --submit

Scan Kubernetes manifest files from a git repository and submit the results

kubescape scan https://github.com/kubescape/kubescape --submit

Display all scanned resources (including the resources which passed)

kubescape scan --verbose

Output in json format

Add the --format-version v2 flag

kubescape scan --format json --format-version v2 --output results.json

Output in junit xml format

kubescape scan --format junit --output results.xml

Output in pdf format - Contributed by @alegrey91

kubescape scan --format pdf --output results.pdf

Output in prometheus metrics format - Contributed by @Joibel

kubescape scan --format prometheus

Output in html format

kubescape scan --format html --output results.html

Scan with exceptions, objects with exceptions will be presented as exclude and not fail

Full documentation

kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json

Scan Helm charts

kubescape scan </path/to/directory> --submit

Kubescape will load the default value file

Scan Kustomize Directory

kubescape scan </path/to/directory> --submit

Kubescape will generate Kubernetes Yaml Objects using 'Kustomize' file and scans them for security.

Offline/Air-gaped Environment Support

Video tutorial

It is possible to run Kubescape offline!

Download all artifacts

  1. Download and save in local directory, if path not specified, will save all in ~/.kubescape
kubescape download artifacts --output path/to/local/dir

  1. Copy the downloaded artifacts to the air-gaped/offline environment

  2. Scan using the downloaded artifacts

kubescape scan --use-artifacts-from path/to/local/dir

Download a single artifact

You can also download a single artifact and scan with the --use-from flag

  1. Download and save in a file, if the file name is not specified, will save in ~/.kubescape/<framework name>.json
kubescape download framework nsa --output /path/nsa.json

  1. Copy the downloaded artifacts to the air-gaped/offline environment

  2. Scan using the downloaded framework

kubescape scan framework nsa --use-from /path/nsa.json

Scan Periodically using Helm

Please follow the instructions here helm chart repo

Integrations

VS Code Extension

Visual Studio Marketplace Downloads Open VSX

Scan the YAML files while writing them using the vs code extension

Lens Extension

View Kubescape scan results directly in Lens IDE using kubescape Lens extension

Building Kubescape

Build on Windows

Windows

  1. Install MSYS2 & build libgit (needed only for the first time)

    build.bat all

You can install MSYS2 separately by running build.bat install and build libgit2 separately by running build.bat build

  1. Build kubescape

    make build

    OR

    go build -tags=static .

Build on Linux/MacOS

Linux / MacOS

  1. Install libgit2 dependency (needed only for the first time)

    make libgit2

cmake is required to build libgit2. You can install it by running sudo apt-get install cmake (Linux) or brew install cmake (macOS)

  1. Build kubescape

    make build

    OR

    go build -tags=static .

  2. Test

    make test

Build on pre-configured killercoda's ubuntu playground

Pre-programmed actions executed by the playground
  • Clone the official GitHub repository of Kubescape.
  • Automate the build process on Linux
  • The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
Instructions to use the playground
  • Apply changes you wish to make to the kubescape directory using text editors like Vim.
  • Build on Linux
  • Now, you can use Kubescape just like a normal user. Instead of using kubescape, use ./kubescape. (Make sure you are inside kubescape directory because the command will execute the binary named kubescape in kubescape directory)

VS code configuration samples

You can use the sample files below to setup your VS code environment for building and debugging purposes.

.vscode/settings.json
json5
// .vscode/settings.json
{
    "go.testTags": "static",
    "go.buildTags": "static",
    "go.toolsEnvVars": {
        "CGO_ENABLED": "1"
    }
}
.vscode/launch.json
json5
// .vscode/launch.json
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Launch Package",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/main.go",
            "args": [
                "scan",
                "--logger",
                "debug"
            ],
            "buildFlags": "-tags=static"
        }
    ]
}

Under the hood

Technology

Kubescape is based on the OPA engine and ARMO's posture controls.

The tools retrieve Kubernetes objects from the API server and run a set of rego's snippets developed by ARMO.

The results by default are printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.

Thanks to all the contributors ❤️

How Plural works

We make it easy to securely deploy and manage open-source applications in your cloud.

Select from 90+ open-source applications

Get any stack you want running in minutes, and never think about upgrades again.

Securely deployed on your cloud with your git

You control everything. No need to share your cloud account, keys, or data.

Designed to be fully customizable

Built on Kubernetes and using standard infrastructure as code with Terraform and Helm.

Maintain & Scale with Plural Console

Interactive runbooks, dashboards, and Kubernetes api visualizers give an easy-to-use toolset to manage application operations.

Learn more
Screenshot of app installation in Plural app

Build your custom stack with Plural

Build your custom stack with over 90+ apps in the Plural Marketplace.

Data
Stack
Airbyte
DATA
Clickhouse
DATA
Dagster
DATA
Datahub
DATA
Growthbook
DATA
Jitsu
DATA
Lightdash
DATA
Posthog
DATA
Explore the Marketplace

Used by fast-moving teams at

  • CoachHub
  • Digitas
  • Fnatic
  • FSN Capital
  • Justos
  • Mott Mac

What companies are saying about us

We no longer needed a dedicated DevOps team; instead, we actively participated in the industrialization and deployment of our applications through Plural. Additionally, it allowed us to quickly gain proficiency in Terraform and Helm.

Walid El Bouchikhi
Data Engineer at Beamy

I have neither the patience nor the talent for DevOps/SysAdmin work, and yet I've deployed four enterprise-caliber open-source apps on Kubernetes... since 9am today. Bonkers.

Sawyer Waugh
Head of Engineering at Justifi

This is awesome. You saved me hours of further DevOps work for our v1 release. Just to say, I really love Plural.

Ismael Goulani
CTO & Data Engineer at Modeo

Wow! First of all I want to say thank you for creating Plural! It solves a lot of problems coming from a non-DevOps background. You guys are amazing!

Joey Taleño
Head of Data at Poplar Homes

We have been using Plural for complex Kubernetes deployments of Kubeflow and are excited with the possibilities it provides in making our workflows simpler and more efficient.

Jürgen Stary
Engineering Manager @ Alexander Thamm

Plural has been awesome, it’s super fast and intuitive to get going and there is zero-to-no overhead of the app management.

Richard Freling
CTO and Co-Founder at Commandbar

Case StudyHow Fnatic Deploys Their Data Stack with Plural

Fnatic is a leading global esports performance brand headquartered in London, focused on leveling up gamers. At the core of Fnatic’s success is its best-in-class data team. The Fnatic data team relies on third-party applications to serve different business functions with every member of the organization utilizing data daily. While having access to an abundance of data is great, it opens up a degree of complexity when it comes to answering critical business questions and in-game analytics for gaming members.

To answer these questions, the data team began constructing a data stack to solve these use cases. Since the team at Fnatic are big fans of open-source they elected to build their stack with popular open-source technologies.

Read full study

Fnatic’s Data Stack

Airbyte
Airflow
Clickhouse
Grafana
Metabase
PostgreSQL

FAQ

Plural is open-source and self-hosted. You retain full control over your deployments in your cloud. We perform automated testing and upgrades and provide out-of-the-box Day 2 operational workflows. Monitor, manage, and scale your configuration with ease to meet changing demands of your business. Read more.

We support deploying on all major cloud providers, including AWS, Azure, and GCP. We also support all on-prem Kubernetes clusters, including OpenShift, Tanzu, Rancher, and others.

No, Plural does not have access to any cloud environments when deployed through the CLI. We generate deployment manifests in the Plural Git repository and then use your configured cloud provider's CLI on your behalf. We cannot perform anything outside of deploying and managing the manifests that are created in your Plural Git repository. However, Plural does have access to your cloud credentials when deployed through the Cloud Shell. Read more.