Cluster scanning

Cloud vendor integrations

Kubescape reads cluster information from the cloud vendors' API. There is a list of authorization required by the entity (see the SDK of the given vendor). Kubescape uses SDKs to retrieve this information. This authentication information must be available in the running environment of Kubescape

Vulnerability scanning

Private repository support

  • Private repositories are supported via ImagePullSecrets (in podSpec or serviceAccount)
  • AWS ECR authentication via IAM roles is not supported
  • Google GCR authentication is not supported
  • Azure ACR authentication is not supported

Scanning limitations

  • We do not scan the initContainers

Scanning Troubleshooting


Issue Description


  • Unable to update vulnerability database: unable to download db
  • Failed to get image descriptor from registry

the image may be deleted from the container registry, so the vulnerability scanner can't get the image manifest data and it's vulnerabilities

*## first solution suggestion:* the image need to be added to the container registry for enable to scan it
*## second solution suggestion:* update your image in the pod to the latest image that exist in the container registry

  • failed to load vulnerability db: vulnerability database is corrupt

we reach to the limit of the the process memory limited by the k8s deployment: "armo-vuln-scan"

*## first solution suggestion:* enlarge the memory limit of the deployment.
*## second solution suggestion:* reduce the number CA_MAX_VULN_SCAN_ROUTINS environment variable(the default is 4).

Did this page help you?