Kubescape
An open-source Kubernetes security platform that scans manifests, clusters, and images for misconfigurations, vulnerabilities, and runtime threats from the IDE to a running cluster.
- Category: Security & Compliance
- CNCF maturity: Incubating
- Language: Go
- License: Apache-2.0
- Repository: kubescape/kubescape
- Documented at commit:
8274975(2026-06-23, afterv4.0.9)
What it is
Kubescape checks Kubernetes workloads against published security frameworks. It evaluates YAML manifests, Helm charts, and live cluster objects against the NSA/CISA Kubernetes Hardening Guidance, MITRE ATT&CK, and CIS Benchmark, then reports a risk score and a compliance score. The control logic is not baked into the binary: it is pulled from the separate kubescape/regolibrary repository and evaluated by an Open Policy Agent engine embedded in the CLI.
This repository is the CLI and scan engine. The in-cluster operator, vulnerability scanner, and runtime node-agent live in separate repositories under the same kubescape GitHub organisation and ship through Helm charts. The CLI also performs container image scanning by wrapping Anchore Grype and Syft, and image signature checks by calling Sigstore Cosign from inside the policy language.
Kubescape was started by ARMO in 2021 and entered the CNCF Sandbox in 2022. The CNCF Technical Oversight Committee accepted it as an Incubating project on 2025-01-13.
When to use it
- You need to verify Kubernetes manifests or Helm charts against a named framework (NSA/CISA, MITRE, CIS) and gate CI on a risk or compliance score.
- You want one tool that covers posture scanning, image vulnerability scanning, and (with the in-cluster components) runtime detection.
- You want to keep control content updatable without rebuilding the scanner, including air-gapped operation with locally cached policies.
- It is a weaker fit when you only need node-level CIS Benchmark checks (kube-bench is narrower and simpler) or a single artifact scanner across many ecosystems (Trivy is broader outside Kubernetes posture).
In this deep-dive
- History: origin, milestones, and why it exists.
- Architecture: components and how a scan flows.
- Adoption & Ecosystem: who runs it and what surrounds it.
- Internals: the code paths that matter, read from source.
- Getting Started: install and a first working setup.
Sources
- kubescape/kubescape repository and GitHub API (stars, forks, license, created date, release), observed 2026-06-24.
- Kubescape on CNCF projects, observed 2026-06-24.
- Kubescape becomes a CNCF incubating project (CNCF blog), observed 2026-06-24.
- ARMO Launches Expanded Version of Kubescape (BusinessWire), observed 2026-06-24.
- Kubescape one-year anniversary & open source announcement (Medium, ARMO), observed 2026-06-24.
- Kubescape central ADOPTERS.md (kubescape/project-governance), observed 2026-06-24.
- Announcing Kubescape 4.0 (CNCF blog, Ben Hirschberg), observed 2026-06-24.
- Kubescape 4.0 Brings Runtime Security and AI Agent Scanning (InfoQ), observed 2026-06-24.
- Kubescape Self-Assessment (CNCF TAG Security), observed 2026-06-24.
- Kubescape Achieves CNCF Incubation Status (The New Stack), observed 2026-06-24.
- ARMO raises $30M (VentureBeat), observed 2026-06-24.