Kubescape

Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor.

The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Model Context Protocol server to enable natural language security querying and real-time streaming of findings.

The system covers a broad range of security domains, including compliance auditing against industry benchmarks, runtime threat detection using eBPF and system probes, and the automated generation of network policies. It further provides risk quantification for prioritization, infrastructure-as-code auditing, and automated remediation through image patching and manifest fixes.

The project is deployed using a Kubernetes operator to automate the lifecycle of its security components and provides specific support for air-gapped environments through offline scanning and manual framework provisioning.

Features

Kubernetes Posture Scanning - Provides a comprehensive platform for scanning Kubernetes clusters, manifests, and images for misconfigurations and vulnerabilities.

Host Security Agents - Deploys node-level agents via DaemonSets to perform runtime threat detection and host scanning.

Security Agent Orchestration - Runs node agents as DaemonSets to ensure comprehensive host scanning and runtime vulnerability analysis across the cluster.

Admission-Based Policy Enforcement - Uses admission controllers to validate resource configurations and block insecure deployments before they enter the cluster.

Kubernetes Cluster Management - Uses a Kubernetes operator to automate the deployment and lifecycle of security scanning components across the cluster.

Runtime Reachability Analysis - Maps libraries loaded in memory at runtime against static scans to filter unreachable vulnerabilities.

Admission Webhooks - Intercepts resource creation requests via validating admission webhooks to block non-compliant configurations.

Behavioral Threat Detection - Establishes baselines of normal workload behavior and alerts when activities deviate from that profile.

Compliance & Audit Tools - Evaluates cluster state against a library of security controls for regulatory and security compliance.

Security Benchmarking - Checks cluster configurations against industry-standard benchmarks like CIS and STIG.

Runtime Threat Detection - Detects behavioral anomalies and active threats within a cluster using system probes and signature-based rules.

Orchestration Admission Controllers - Enforces security policies by validating and blocking non-compliant resources before they enter a cluster.

Kubernetes Compliance Monitoring - Evaluates cluster configurations against industry security benchmarks and regulatory frameworks to ensure adherence to hardening guides.

Node-Level Security Probes - Deploys node-level agents to perform low-level system probes for runtime threat detection and host-specific security scanning.

Security Standard Enforcers - Employs a standardized engine to scan cluster settings for security flaws and ensure compliance with established benchmarks.

Signature-Based Threat Detectors - Monitors system calls and network traffic using signature-based rules to identify malicious activity.

Container Image Vulnerability Scanners - Identifies known security flaws in container images and determines if vulnerabilities are reachable at runtime.

Expression Languages - Evaluates cluster state using a custom expression language for compliance auditing.

Runtime Event Signature Matching - Matches runtime events against known attack patterns using a customizable rule engine to identify threats.

Manifest Scanning - Statically analyzes Kubernetes manifest files to ensure compliance with security best practices before deployment.

eBPF Runtime Security Monitors - Uses eBPF-based monitoring to detect active threats and analyze system behavior in a running environment.

Container Image Patching - Updates packages within container images to fixed versions to remediate identified vulnerabilities.

IDE Real-time Feedback - Provides real-time analysis and remediation guidance for configuration files directly within the code editor during development.

Security Scanning Integrations - Integrates security scanning into CI/CD pipelines to detect risks within pull requests.

Operator-Based Lifecycles - Automates the deployment and lifecycle management of security components using a Kubernetes operator.

Synchronized Scan Scheduling - Coordinates the timing of security scans between internal cluster state and external service providers.

Automated Security Fixes - Applies automatic fixes to manifest files to resolve detected security misconfigurations.

Selector-Based Rule Filtering - Assigns security rules to specific namespaces or workloads using label and namespace selectors.

Recurring Job Scheduling - Automates periodic security checks for configurations, images, and registries using a recurring job scheduling system.

Security Rule Sandboxes - Simulates security policies in an isolated sandbox to verify behavior before production deployment.

External Alert Escalations - Forwards security threat notifications to external platforms via APIs or HTTP endpoints.

Security Risk Assessments - Evaluates the security posture of deployments to quantify risk and prioritize remediation tasks.

Custom Detection Rules - Provides a framework for defining custom security rules using an expression language to trigger alerts.

Malware Scanning - Integrates an antivirus engine to scan files and volumes on cluster nodes for malicious software.

Security Frameworks - Organizes security checks into structured frameworks to monitor compliance coverage across the organization.

Infrastructure as Code Security - Performs automated security scanning of infrastructure configuration files and manifests.

Network Policy Generation - Analyzes cluster traffic and workload requirements to automatically generate network isolation policies.

Multi-Format Vulnerability Reports - Generates security reports in multiple standardized formats like JSON and SARIF for delivery pipelines.

Node Configuration Auditing - Performs technical auditing of host-level system settings and directories to verify security hardening on nodes.

Remote Security Audits - Executes scheduled scans and administrative actions through a controller that accepts remote security audit commands.

Software Bill of Materials Scanners - Processes software bill of materials files embedded within image filesystems to enhance vulnerability analysis.

Security Baselines - Identifies resources with excessive permissions to establish a secure configuration baseline.

Hardening Framework Validations - Validates clusters and workloads against hardening frameworks to identify security risks.

VEX Document Generation - Produces vulnerability exchange documents by determining if a vulnerable package is loaded into memory.

Offline Vulnerability Analysis - Performs vulnerability lookups in environments without internet access using an offline database.

Automated Security Scan Triggers - Automatically initiates security scans triggered by external providers and infrastructure changes.

Cluster Monitoring - Watches the cluster API for real-time changes to trigger security actions and track health.

Security Metrics Exports - Sends real-time scan results and security telemetry to external monitoring systems for observability.

Security Findings Visualizations - Displays compliance results and workload vulnerabilities through a graphical user interface.

kubescapekubescape

Features

Star history