Kubescape
What is Kubescape?
KubescapeAn open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
Kubescape was created by ARMO and accepted into the CNCF as a Sandbox project in 2022. It runs as a CLI, GitHub Action, Kubernetes operator, or hosted service to evaluate clusters against frameworks such as NSA-CISA Hardening Guidance, MITRE ATT&CK for Containers, the CIS Kubernetes Benchmark, and ARMO's own controls. Beyond posture scanning, modern Kubescape integrates image vulnerability scanning, RBAC analysis, network-policy generation, and runtime correlation. It outputs scores, control failures, and resource-level fix suggestions in JSON, PDF, or HTML. Teams typically combine Kubescape with kube-bench, Trivy, Falco, and admission controllers in a layered KSPM (Kubernetes Security Posture Management) stack.
● Examples
- 01
kubescape scan framework nsa to evaluate a cluster against NSA-CISA hardening guidance.
- 02
Failing a GitHub PR if a new manifest introduces a high-risk misconfiguration.
● Frequently asked questions
What is Kubescape?
An open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift. It belongs to the Cloud Security category of cybersecurity.
What does Kubescape mean?
An open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
How does Kubescape work?
Kubescape was created by ARMO and accepted into the CNCF as a Sandbox project in 2022. It runs as a CLI, GitHub Action, Kubernetes operator, or hosted service to evaluate clusters against frameworks such as NSA-CISA Hardening Guidance, MITRE ATT&CK for Containers, the CIS Kubernetes Benchmark, and ARMO's own controls. Beyond posture scanning, modern Kubescape integrates image vulnerability scanning, RBAC analysis, network-policy generation, and runtime correlation. It outputs scores, control failures, and resource-level fix suggestions in JSON, PDF, or HTML. Teams typically combine Kubescape with kube-bench, Trivy, Falco, and admission controllers in a layered KSPM (Kubernetes Security Posture Management) stack.
How do you defend against Kubescape?
Defences for Kubescape typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Kubescape?
Common alternative names include: ARMO Kubescape.
● Related terms
- cloud-security№ 600
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- cloud-security№ 596
kube-bench
An open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
- compliance№ 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- cloud-security№ 1141
Tetragon
An eBPF-based Kubernetes runtime security tool from the Cilium project that observes and synchronously enforces policy on processes, files, and network activity.
- cloud-security№ 213
Container Security
The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
● See also
- № 170Cilium
- № 1012Service Account Token