Usage and examples

Examples

Scan a running Kubernetes cluster with the NSA framework and submit the results to the Kubescape SaaS version

kubescape scan framework nsa --submit

Scan a running Kubernetes cluster with the MITRE ATT&CK® framework and submit the results to the Kubescape SaaS version

kubescape scan framework mitre --submit

Scan a running Kubernetes cluster with a specific control, using the control name or control ID. See the list of controls.

kubescape scan control "Privileged container"

Scan specific namespaces

kubescape scan framework nsa --include-namespaces development,staging,production

Scan cluster and exclude some namespaces

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

Scan local YAML/JSON files before deploying. Take a look at the demonstration.

kubescape scan framework nsa *.yaml

Scan Kubernetes manifest files from a public GitHub repository

kubescape scan framework nsa https://github.com/armosec/kubescape

Display all scanned resources (including the resources that passed)

kubescape scan framework nsa --verbose

Output in JSON format

kubescape scan framework nsa --format json --output results.json

Output in JUnit XML format

kubescape scan framework nsa --format junit --output results.xml
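
A CI job can read the JUnit report written by the command above and block a deployment when any test case failed. This is an added example, not code from this page or from the Kubescape project; it assumes results.xml follows the conventional JUnit layout (testsuite and testcase elements, with a failure or error child on a failed case), and the sample report is constructed, not real Kubescape output.

```python
"""CI gate over a JUnit report such as results.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the conventional JUnit layout; not real Kubescape output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="nsa" tests="3" failures="2">
    <testcase classname="nsa" name="Privileged container">
      <failure message="Deployment/payments in namespace production"/>
    </testcase>
    <testcase classname="nsa" name="Allow privilege escalation">
      <failure message="Deployment/web in namespace staging"/>
    </testcase>
    <testcase classname="nsa" name="Host PID/IPC privileges"/>
  </testsuite>
</testsuites>
"""


def failed_cases(report):
    """Return (suite, testcase, message) for each testcase with a failure or error."""
    root = ET.fromstring(report)  # accepts str or bytes
    findings = []
    # The root may be <testsuites> or a single <testsuite>; iter() covers both.
    for suite in root.iter("testsuite"):
        # Direct children only, so nested suites are not counted twice.
        for case in suite.findall("testcase"):
            for child in case:
                if child.tag in ("failure", "error"):
                    findings.append((suite.get("name", ""),
                                     case.get("name", ""),
                                     child.get("message", "")))
                    break
    return findings


def gate(report):
    """Return the exit code for the pipeline: 1 if any testcase failed, else 0."""
    findings = failed_cases(report)
    for suite, name, message in findings:
        print(f"FAIL [{suite}] {name}: {message}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    # With a path argument, gate on that file; otherwise on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes: let the parser pick the encoding
            sys.exit(gate(fh.read()))
    sys.exit(gate(SAMPLE_REPORT))
```

Findings that are accepted risks are better handled with the --exceptions flag at scan time than by filtering in the gate, so the report and the gate stay consistent.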

Output in Prometheus metrics format - Contributed by @Joibel

kubescape scan framework nsa --format prometheus

Scan with exceptions. Objects with exceptions will be presented as exclude and not fail.

Full documentation

kubescape scan framework nsa --exceptions examples/exceptions/exclude-kube-namespaces.json

Scan Helm charts - Render the Helm chart using helm template and pass the output to Kubescape via stdout

helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -

e.g.

helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -

Offline Support

Video tutorial

It is possible to run Kubescape offline!

First download the framework, then scan with the --use-from flag.

  1. Download the framework and save it to a file. If no file name is specified, it is saved to ~/.kubescape/<framework name>.json
kubescape download framework nsa --output nsa.json
  2. Scan using the downloaded framework
kubescape scan framework nsa --use-from nsa.json
