
Kubescape


An open-source Kubernetes security platform for your clusters, CI/CD pipelines, and IDE that separates out the security signal from the scanner noise.

Kubescape is an open-source Kubernetes security platform, built for use in your day-to-day workflow, by fitting into your clusters, CI/CD pipelines and IDE. It serves as a one-stop-shop for Kubernetes security and includes vulnerability and misconfiguration scanning. You can run scans via the CLI, or add the Kubescape Helm chart, which gives an in-depth view of what is going on in the cluster.

Kubescape includes misconfiguration and vulnerability scanning as well as risk analysis and security compliance indicators. All results are presented in context and users get many cues on what to do based on scan results. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.

Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark).

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.


Please star ⭐ the repo if you want us to continue developing and improving Kubescape! 😀

Getting started

Experimenting with Kubescape is as easy as:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash

Learn more about:

Did you know you can use Kubescape in all these places?

Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.

Kubescape-operator Helm-Chart

Besides the CLI, the Kubescape operator can also be installed via a Helm chart. Installing the Helm chart is an excellent way to begin using Kubescape, as it provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. You can find the Helm chart in the Kubescape-operator documentation.

Kubescape GitHub Action

Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the GitHub Action marketplace.

Under the hood

Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls.

By default, the results are printed in a console-friendly manner, but they can be:

  • exported to JSON or junit XML
  • rendered to HTML or PDF
  • submitted to a cloud service

It retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.
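An added example, not Kubescape's own code: it models the flow described above (objects in, a library of controls evaluated over them, findings out), with plain Go functions standing in for the Rego controls. The control IDs, the `Scan` and `dig` helpers and the sample objects are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Finding struct{ Control, Pod, Container string } // failed control and where it failed
// dig walks nested JSON maps; a missing key yields nil.
func dig(v any, keys ...string) any {
	for _, k := range keys {
		m, _ := v.(map[string]any)
		v = m[k]
	}
	return v
}

// controls is a hypothetical library; each func stands in for one Rego rule (true = violation).
var controls = []struct {
	ID       string
	Violates func(container any) bool
}{
	{"example-privileged-container", func(c any) bool { return dig(c, "securityContext", "privileged") == true }},
	{"example-missing-memory-limit", func(c any) bool { return dig(c, "resources", "limits", "memory") == nil }},
}

// Scan checks each container of each Pod in a JSON array against every control.
func Scan(objectsJSON []byte) (out []Finding, err error) {
	var objs []map[string]any
	if err = json.Unmarshal(objectsJSON, &objs); err != nil {
		return nil, err
	}
	for _, o := range objs {
		cs, _ := dig(o, "spec", "containers").([]any)
		for _, c := range cs {
			for _, ctl := range controls {
				if o["kind"] == "Pod" && ctl.Violates(c) {
					out = append(out, Finding{ctl.ID, fmt.Sprint(dig(o, "metadata", "name")), fmt.Sprint(dig(c, "name"))})
				}
			}
		}
	}
	return out, nil
}
const Sample = `[{"kind":"Service","metadata":{"name":"web-svc"}},
 {"kind":"Pod","metadata":{"name":"web"},"spec":{"containers":[{"name":"sidecar"},
 {"name":"app","securityContext":{"privileged":true},"resources":{"limits":{"memory":"128Mi"}}}]}}]` // constructed input, not real cluster data
func main() {
	fmt.Println(Scan([]byte(Sample)))
}
```

Each finding names the control, the Pod and the container, which is the minimum context a reader needs to locate and fix the misconfiguration.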

Community

Kubescape is an open source project, and we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.

We hold community meetings on Zoom, every second week on Tuesdays, at 15:00 CET. (See that in your local time zone).

The Kubescape project follows the CNCF Code of Conduct.

Adopters

See here a list of adopters.

Contributions

Thanks to all our contributors! Check out our CONTRIBUTING file to learn how to join them.


Changelog

Kubescape changes are tracked on the release page.

License

Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the LICENSE file for details.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project and was contributed by ARMO.


Kubescape's Projects

cel-admission-library

This project contains pre-made policies for Kubernetes Validating Admission Policies. This policy library is based on Kubescape controls; see the complete list at https://hub.armosec.io/docs/controls

gateway

Gateway is an in-cluster component of the Kubescape security platform. It broadcasts a message received to its registered clients. When a client registers itself in a Gateway it must provide a set of attributes, which will serve as identification, for message routing purposes.

go-git-url

Package for parsing Git URLs and executing Git API calls.

go-logger

Go logger package that can be user-friendly or machine-friendly, depending on how it is initialized.

helm-charts

Kubescape can run as a set of microservices inside a Kubernetes cluster. This allows you to continually monitor the status of a cluster, including for compliance and vulnerability management.

host-scanner

Kubernetes host-sensor project. The host information provider for Kubescape

http-request

The http-request package is meant to replace the curl command with a simple Go script that runs an HTTP request.

kapprofiler

Generate an application profile containing metrics/properties for Kubernetes workloads based on runtime behavior.

kollector

Kollector is an in-cluster component of the Kubescape security platform. It communicates with the Kubernetes API server to collect cluster information and watches for changes in the cluster.

kubescape

Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

kubevuln

Kubevuln is an in-cluster component of the Kubescape security platform. It scans container images for vulnerabilities, using Grype as its engine.

kwok-bench

A toolkit to efficiently create large-scale, simulated Kubernetes clusters for testing and benchmarking applications using KWOK.

messaging

Kubescape's messaging package: a collection of wrapper code around Pulsar to quickly and easily connect to Pulsar brokers, send and receive messages, and manage message queues and topics.
