kubescape
Kubescape is an open-source Kubernetes security platform that scans clusters, manifests, and container images for misconfigurations, vulnerabilities, and compliance violations against NSA-CISA, MITRE ATT&CK, and CIS standards. It runs as a CLI tool, in-cluster operator, or IDE integration, providing risk analysis and auto-remediation capabilities across the development and deployment lifecycle.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kubescape/kubescape |
| Owner | kubescape |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 11.5k |
| Forks | 953 |
| Open issues | 59 |
| Latest release | v4.0.10 (2026-06-30) |
| Last updated | 2026-07-07 |
| Source | https://github.com/kubescape/kubescape |
What kubescape is
Written in Go, Kubescape performs static analysis of Kubernetes YAML, Helm charts, and Kustomize templates using multiple compliance frameworks, integrates image vulnerability scanning via Grype, supports eBPF-based runtime monitoring through Inspektor Gadget, and enforces policies via Validating Admission Policies (VAP). It outputs results in multiple formats (JSON, SARIF, JUnit XML, HTML, PDF) and supports both air-gapped and online deployments.
Get the kubescape source
Clone the repository and explore it locally.
git clone https://github.com/kubescape/kubescape.gitcd kubescape# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Kubescape requires Kubernetes API access or local manifest files; ensure kubeconfig credentials are properly scoped and rotated.
- The in-cluster operator deployment adds resource overhead (CPU, memory). Profile for your cluster size and namespace scale.
- Air-gapped environments require manual download of compliance frameworks and vulnerability databases using `kubescape download`.
- Integration with image scanning (Grype) and patching (Copacetic) requires additional tool setup and maintenance.
- Auto-remediation features may modify manifests; implement approval workflows and version control hooks to prevent unintended changes.
When to avoid it — and what to weigh
- Requires Deep Runtime Threat Detection — While Kubescape supports eBPF runtime monitoring via Inspektor Gadget, it is primarily a configuration and vulnerability scanner. For advanced intrusion detection or behavioral anomaly analysis, dedicated runtime security tools may be better suited.
- Needs Multi-Cluster Policy Enforcement at Scale — Kubescape is tool-centric rather than platform-centric. For large multi-cluster environments requiring centralized policy orchestration, consider managed/enterprise Kubernetes security platforms.
- Requires Vendor Lock-In or SLA Guarantees — As an open-source project, Kubescape provides no commercial SLA or vendor support by default. If you need guaranteed uptime or priority support, seek commercial distributions or hire dedicated maintainers.
- Limited Custom Control Development — Extending Kubescape with organization-specific controls requires Go development and framework integration. Teams without Go expertise may find custom framework authoring challenging.
License & commercial use
Kubescape is licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved open-source license. Apache-2.0 permits commercial use, modification, and distribution with proper attribution and liability disclaimers. No restriction on proprietary use of the tool itself.
Apache-2.0 permits unrestricted commercial use of Kubescape (scanning your own infrastructure, redistributing modified versions, or offering as a managed service). However, Kubescape is maintained by ARMO as a community project. Commercial support, managed hosting, and liability protection are not included in the open-source license; inquire with ARMO directly for enterprise offerings.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Kubescape performs read-only scanning of cluster API and manifests by default. The tool itself must be trusted (code review recommended for air-gapped/sensitive environments). In-cluster operator requires elevated RBAC permissions; use least-privilege service accounts. Image vulnerability scanning depends on Grype's CVE database freshness. No formal security audit data provided. Runtime eBPF monitoring via Inspektor Gadget executes kernel code; validate kernel compatibility and eBPF policy restrictions. Remediation features modify manifests; implement approval gates to prevent unintended policy drift.
Alternatives to consider
Kyverno
Policy-as-code engine for Kubernetes; focuses on admission control and policy enforcement rather than scanning. Better for organizations implementing GitOps-driven policy but lacks integrated image scanning.
Trivy (Aqua Security)
Specialized container image and file system vulnerability scanner. Lighter-weight but lacks comprehensive Kubernetes compliance framework support and misconfiguration detection.
Falco (CNCF)
Runtime security and anomaly detection via eBPF and system calls. Complementary to Kubescape; excels at behavioral monitoring but requires separate setup and lacks compliance scanning.
Build on kubescape with DEV.co software developers
Use Kubescape to scan your clusters and manifests for misconfigurations, vulnerabilities, and compliance violations. Start with a single CLI command today.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
kubescape FAQ
Does Kubescape phone home or send data to ARMO?
Can I use Kubescape without Internet access?
Does Kubescape modify my cluster or manifests by default?
How do I extend Kubescape with custom controls?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like kubescape. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Secure Your Kubernetes Deployment
Use Kubescape to scan your clusters and manifests for misconfigurations, vulnerabilities, and compliance violations. Start with a single CLI command today.