DEV.co
Open-Source DevOps · kubescape

kubescape

Kubescape is an open-source Kubernetes security platform that scans clusters, manifests, and container images for misconfigurations, vulnerabilities, and compliance violations against NSA-CISA, MITRE ATT&CK, and CIS standards. It runs as a CLI tool, in-cluster operator, or IDE integration, providing risk analysis and auto-remediation capabilities across the development and deployment lifecycle.

Source: GitHub — github.com/kubescape/kubescape
11.5k
GitHub stars
953
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykubescape/kubescape
Ownerkubescape
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars11.5k
Forks953
Open issues59
Latest releasev4.0.10 (2026-06-30)
Last updated2026-07-07
Sourcehttps://github.com/kubescape/kubescape

What kubescape is

Written in Go, Kubescape performs static analysis of Kubernetes YAML, Helm charts, and Kustomize templates using multiple compliance frameworks, integrates image vulnerability scanning via Grype, supports eBPF-based runtime monitoring through Inspektor Gadget, and enforces policies via Validating Admission Policies (VAP). It outputs results in multiple formats (JSON, SARIF, JUnit XML, HTML, PDF) and supports both air-gapped and online deployments.

Quickstart

Get the kubescape source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kubescape/kubescape.gitcd kubescape# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Shift-Left Security in CI/CD Pipelines

Integrate Kubescape into build pipelines to catch misconfigurations and CVEs before deployment. Supports JUnit and SARIF output for native CI/CD tool integration.

Compliance Scanning and Audit Reporting

Generate compliance reports against NSA-CISA, MITRE ATT&CK, and CIS benchmarks. Useful for regulatory audits, security assessments, and governance frameworks.

Cluster Posture Management

Deploy the in-cluster operator for continuous runtime monitoring and automated remediation of Kubernetes security misconfigurations.

Implementation considerations

  • Kubescape requires Kubernetes API access or local manifest files; ensure kubeconfig credentials are properly scoped and rotated.
  • The in-cluster operator deployment adds resource overhead (CPU, memory). Profile for your cluster size and namespace scale.
  • Air-gapped environments require manual download of compliance frameworks and vulnerability databases using `kubescape download`.
  • Integration with image scanning (Grype) and patching (Copacetic) requires additional tool setup and maintenance.
  • Auto-remediation features may modify manifests; implement approval workflows and version control hooks to prevent unintended changes.

When to avoid it — and what to weigh

  • Requires Deep Runtime Threat Detection — While Kubescape supports eBPF runtime monitoring via Inspektor Gadget, it is primarily a configuration and vulnerability scanner. For advanced intrusion detection or behavioral anomaly analysis, dedicated runtime security tools may be better suited.
  • Needs Multi-Cluster Policy Enforcement at Scale — Kubescape is tool-centric rather than platform-centric. For large multi-cluster environments requiring centralized policy orchestration, consider managed/enterprise Kubernetes security platforms.
  • Requires Vendor Lock-In or SLA Guarantees — As an open-source project, Kubescape provides no commercial SLA or vendor support by default. If you need guaranteed uptime or priority support, seek commercial distributions or hire dedicated maintainers.
  • Limited Custom Control Development — Extending Kubescape with organization-specific controls requires Go development and framework integration. Teams without Go expertise may find custom framework authoring challenging.

License & commercial use

Kubescape is licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved open-source license. Apache-2.0 permits commercial use, modification, and distribution with proper attribution and liability disclaimers. No restriction on proprietary use of the tool itself.

Apache-2.0 permits unrestricted commercial use of Kubescape (scanning your own infrastructure, redistributing modified versions, or offering as a managed service). However, Kubescape is maintained by ARMO as a community project. Commercial support, managed hosting, and liability protection are not included in the open-source license; inquire with ARMO directly for enterprise offerings.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kubescape performs read-only scanning of cluster API and manifests by default. The tool itself must be trusted (code review recommended for air-gapped/sensitive environments). In-cluster operator requires elevated RBAC permissions; use least-privilege service accounts. Image vulnerability scanning depends on Grype's CVE database freshness. No formal security audit data provided. Runtime eBPF monitoring via Inspektor Gadget executes kernel code; validate kernel compatibility and eBPF policy restrictions. Remediation features modify manifests; implement approval gates to prevent unintended policy drift.

Alternatives to consider

Kyverno

Policy-as-code engine for Kubernetes; focuses on admission control and policy enforcement rather than scanning. Better for organizations implementing GitOps-driven policy but lacks integrated image scanning.

Trivy (Aqua Security)

Specialized container image and file system vulnerability scanner. Lighter-weight but lacks comprehensive Kubernetes compliance framework support and misconfiguration detection.

Falco (CNCF)

Runtime security and anomaly detection via eBPF and system calls. Complementary to Kubescape; excels at behavioral monitoring but requires separate setup and lacks compliance scanning.

Software development agency

Build on kubescape with DEV.co software developers

Use Kubescape to scan your clusters and manifests for misconfigurations, vulnerabilities, and compliance violations. Start with a single CLI command today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kubescape FAQ

Does Kubescape phone home or send data to ARMO?
Unknown. Refer to the privacy policy and network traffic analysis in the documentation. Offline scanning is supported via `kubescape download` for air-gapped environments.
Can I use Kubescape without Internet access?
Yes. Use `kubescape download` to fetch compliance frameworks and CVE databases locally, then run scans in offline mode. Requires initial one-time download in an Internet-connected environment.
Does Kubescape modify my cluster or manifests by default?
No. By default, Kubescape reads-only. The `kubescape fix` and `kubescape patch` commands explicitly modify manifests; they do not auto-apply to your cluster unless you deploy the in-cluster operator with remediation enabled.
How do I extend Kubescape with custom controls?
Custom controls require Go development and integration with Kubescape's framework architecture. Refer to the developer documentation or contact the ARMO team for guidance on custom control authoring.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like kubescape. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.

Secure Your Kubernetes Deployment

Use Kubescape to scan your clusters and manifests for misconfigurations, vulnerabilities, and compliance violations. Start with a single CLI command today.