Getting Started
Verified against the
v4.0.9release line. Commands assume macOS or Linux with a shell and, for the cluster scan, a workingkubectlcontext.
Prerequisites
- A shell on macOS or Linux (the install script and Homebrew formula target these).
- For scanning manifests or Helm charts: a local directory of YAML files. No cluster needed.
- For scanning a live cluster: a kubeconfig with read access to the target cluster.
- Network access on the first run so the engine can download policy content from GitHub releases. For air-gapped use, cache policies and pass
--use-from/--keep-local.
Install
The official install script puts the kubescape binary on the path:
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bashHomebrew works too:
brew install kubescapeConfirm the binary runs:
kubescape versionA first working setup
The core job is a framework scan. The steps below scan local manifests against the NSA framework, then gate on a compliance score.
Create a manifest to scan.
bashcat > deployment.yaml <<'EOF' apiVersion: apps/v1 kind: Deployment metadata: name: demo spec: replicas: 1 selector: matchLabels: app: demo template: metadata: labels: app: demo spec: containers: - name: demo image: nginx:1.27 EOFScan it against the NSA framework.
bashkubescape scan framework nsa deployment.yaml
The output prints per-control pass/fail rows, a resource summary, and a risk score and compliance score at the end.
Scan a live cluster instead of a file.
bashkubescape scan framework nsa
With no path argument the engine collects objects from the current kubeconfig context.
Turn the scan into a CI gate. This fails the command when compliance drops below 80.
bashkubescape scan framework nsa deployment.yaml --compliance-threshold 80
Verify it works
A healthy run ends with a summary table and a non-empty compliance score. The process exit code reflects the gates: with --compliance-threshold set, the command exits non-zero when the compliance score is below the threshold, which is the signal CI keys on. Running kubescape list frameworks confirms the engine downloaded policy content and can see the available frameworks.
Where to go next
- The in-cluster operator, vulnerability scanner, and node-agent install through the project's Helm charts; see the Kubescape repository and its docs for continuous, in-cluster scanning, runtime detection, and production hardening.
- For air-gapped operation, the CLI flags
--use-fromand--keep-local(see Architecture) point the engine at locally cached policy content instead of GitHub releases.