Kubescape

Kubescape is a Kubernetes security compliance scanner that checks live clusters and YAML manifests against established security frameworks (NSA/CISA Kubernetes Hardening Guide, MITRE ATT&CK, CIS Kubernetes Benchmark, SOC 2, PCI-DSS). It scans manifests pre-deployment or a running cluster, and reports per-control pass/fail results with a risk score and remediation guidance. It runs as a CLI, as an in-cluster operator (continuous scanning), and exposes a REST API. CNCF sandbox project. Produces JSON, JUnit and HTML reports suitable for CI/CD pipeline integration and agent-driven compliance workflows.

Evaluated Mar 06, 2026, v3.x
Category: Security. Tags: kubernetes, security, compliance, nsa, mitre, cis, scanning, open-source, cncf
⚙ Agent Friendliness: 62 / 100 (Can an agent use this?)
🔒 Security: 85 / 100 (Is it safe for agents?)
⚡ Reliability: 76 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 80
Error Messages: 78
Auth Simplicity: 90
Rate Limits: 88

🔒 Security

TLS Enforcement: 95
Auth Strength: 82
Scope Granularity: 80
Dep. Hygiene: 85
Secret Handling: 82

Apache 2.0, CNCF sandbox. Scanning is read-only: it makes no cluster modifications. Cluster read access comes from Kubernetes RBAC (the caller's kubeconfig for the CLI, a ServiceAccount for the operator). Framework definitions are pulled from community-maintained repositories. The CLI stores no credentials. The ARMO Platform stores scan results, with data retention controls.

⚡ Reliability

Uptime/SLA: 75
Version Stability: 78
Breaking Changes: 75
Error Recovery: 78

Best When

You need automated Kubernetes security compliance scanning against established frameworks (CIS, NSA/CISA, MITRE ATT&CK), either as a gate in CI/CD pipelines or as continuous in-cluster monitoring.

Avoid When

You already have Checkov (manifest and IaC scanning) or kube-bench (CIS benchmark checks on nodes and control plane) covering your Kubernetes compliance needs. Don't add a redundant scanner unless Kubescape fills a specific gap those tools leave.

Use Cases

  • Scan Kubernetes manifests in CI/CD pipelines before deployment, and block agent deployments that violate NSA hardening or CIS benchmark controls
  • Assess the security posture of a running cluster with the Kubescape operator, which scans continuously in-cluster; agent security workflows read its risk scores and per-control failures into compliance dashboards
  • Generate CIS Kubernetes Benchmark compliance reports from agent audit pipelines; the structured JSON output includes pass/fail per control with remediation steps
  • Check agent workload YAML against MITRE ATT&CK framework controls before it is committed to git, via pre-commit hooks or PR checks
  • Monitor cluster security drift over time with the Kubescape operator, and alert when cluster configuration deviates from the security baseline after passing the initial compliance checks

Not For

  • Runtime threat detection: the compliance scan checks configuration, not runtime behaviour; use Falco or Tetragon for runtime threat detection
  • Dedicated container image vulnerability scanning: the compliance scan reports configuration findings, not image CVEs. Kubescape does bundle a Grype-based image scan (`kubescape scan image`, and the operator's image scanning), but for image scanning as its own pipeline stage use Trivy or Grype directly
  • Application-layer security testing: Kubescape is infrastructure and configuration focused; use DAST/SAST tools for application security testing

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: No

Authentication

Methods: api_key
OAuth: No
Scopes: No

Kubescape CLI cluster scans authenticate with the caller's kubeconfig. The ARMO Platform (hosted service) uses API keys. The Kubescape operator runs under a Kubernetes ServiceAccount with RBAC-granted read access. Scanning local manifest files with the CLI needs no authentication at all.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0, CNCF sandbox project. The CLI and operator are completely free. The ARMO Platform provides managed Kubescape with a UI, historical reports and team features. Framework definitions (CIS, NSA, MITRE) are updated by the community.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Scan results change whenever cluster configuration changes, so don't cache them; re-run the scan to get the current compliance state in agent reporting pipelines
  • Framework control definitions are versioned: control IDs, names and pass/fail criteria change between Kubescape releases. Pin the Kubescape version in CI, upgrade deliberately, and re-baseline expected results when you do
  • The kubeconfig or ServiceAccount must be able to list every resource kind a framework checks. With restricted RBAC the scan is incomplete, and controls whose resources could not be read are not reported as failures, so a "passing" scan may simply be a blind one; check the output for API errors, not just the score
  • JSON output structure varies between Kubescape versions: parse defensively and tolerate missing fields in agent consumers. Use `--format json` (with `--output` to write to a file) and check that the fields you depend on are present for your pinned version
  • The overall risk/compliance score weights controls by score factor, so an acceptable score can coexist with failed critical controls. Gate on individual high and critical control failures, not only on the score
  • The in-cluster operator needs cluster-wide read RBAC to cover all resources; review its ClusterRole before deploying it in security-sensitive environments
  • Kubescape fetches framework definitions and other artifacts from the network by default. For air-gapped scanning, pre-download them on a connected host with `kubescape download artifacts --output <dir>`, copy the directory across, and point the scanner at it with `kubescape scan --use-artifacts-from <dir>`
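The CI gate described under Use Cases (block deployments on failed controls) and the two gotchas about version-dependent JSON and the misleading overall score, as an added example that is not Kubescape's own code. It builds the scan command for a manifest directory, then decides pass/fail from individual failed controls rather than the compliance score, reading the result JSON defensively. Assumptions that are the editor's rather than the project's: the result shape is modelled on the `--format json` output with a `summaryDetails.controls` container, the scoreFactor-to-severity bands in `severity_from_score_factor` are illustrative, and the sample result is constructed (its control IDs and names are not from a real scan).

```python
"""CI gate for Kubescape JSON results (added example, not Kubescape's code)."""
import json
import shutil
import subprocess
import sys
from typing import Any


def kubescape_scan_argv(manifest_dir: str, framework: str = "nsa") -> list[str]:
    """Argument vector for scanning pre-deployment manifests; the JSON result is
    written to a file so a later pipeline step can parse it. Pin the Kubescape
    version in CI so the output shape stays stable."""
    return ["kubescape", "scan", "framework", framework, manifest_dir,
            "--format", "json", "--output", "results.json"]


def severity_from_score_factor(score_factor: Any) -> str:
    """Map a control's scoreFactor to a severity label. The bands are an
    assumption for this example (critical >= 9, high >= 7, medium >= 4, else
    low); anything missing or unparseable becomes 'unknown'."""
    try:
        value = float(score_factor)
    except (TypeError, ValueError):
        return "unknown"
    if value >= 9:
        return "critical"
    if value >= 7:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


def failed_controls(results: dict) -> list[dict]:
    """Return every failed control as {id, name, severity}. Each lookup tolerates
    a missing or oddly typed field: the controls container may be a map keyed by
    control ID or a list, and a control may lack status, name or scoreFactor."""
    summary = results.get("summaryDetails") or {}
    controls = summary.get("controls") or {}
    if isinstance(controls, list):
        controls = {c.get("controlID", f"index-{i}"): c
                    for i, c in enumerate(controls) if isinstance(c, dict)}
    failed = []
    for key, ctl in controls.items():
        if not isinstance(ctl, dict):
            continue
        status = ctl.get("status")
        status_str = status.get("status") if isinstance(status, dict) else status
        if str(status_str or "").lower() != "failed":
            continue
        failed.append({
            "id": ctl.get("controlID", key),
            "name": ctl.get("name", "<unnamed control>"),
            "severity": severity_from_score_factor(ctl.get("scoreFactor")),
        })
    return failed


def gate(results: dict, fail_on: tuple = ("critical", "high")) -> tuple[bool, list[dict]]:
    """Block when any failed control is at or above the threshold severity,
    regardless of how good the overall complianceScore looks."""
    blocking = [c for c in failed_controls(results) if c["severity"] in fail_on]
    return (not blocking, blocking)


# Constructed sample for offline runs: a respectable-looking score that still
# hides a high-severity failure, plus one malformed entry. IDs and names are
# illustrative only.
SAMPLE_RESULTS = json.loads("""
{
  "summaryDetails": {
    "complianceScore": 78.5,
    "status": {"status": "failed"},
    "controls": {
      "C-0016": {"controlID": "C-0016", "name": "Allow privilege escalation",
                 "status": {"status": "failed"}, "scoreFactor": 6.0},
      "C-0057": {"controlID": "C-0057", "name": "Privileged container",
                 "status": {"status": "failed"}, "scoreFactor": 8.0},
      "C-0002": {"controlID": "C-0002", "name": "Exec into container",
                 "status": {"status": "passed"}, "scoreFactor": 5.0},
      "C-9999": {"name": "Entry with no status or scoreFactor"}
    }
  }
}
""")


def main() -> int:
    """Scan the directory given as argv[1] when the kubescape binary is on PATH,
    otherwise gate the constructed sample so the example runs offline."""
    results = SAMPLE_RESULTS
    if len(sys.argv) > 1 and shutil.which("kubescape"):
        # kubescape exits non-zero on failed controls; we decide pass/fail ourselves
        subprocess.run(kubescape_scan_argv(sys.argv[1]), check=False)
        with open("results.json", encoding="utf-8") as fh:
            results = json.load(fh)
    ok, blocking = gate(results)
    score = (results.get("summaryDetails") or {}).get("complianceScore", "n/a")
    print(f"compliance score: {score}  failed controls: {len(failed_controls(results))}")
    for ctl in blocking:
        print(f"BLOCK {ctl['id']} [{ctl['severity']}] {ctl['name']}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

On the sample, the score of 78.5 would pass a naive threshold, yet `gate` blocks on C-0057 because it is a high-severity failure; the entry with no status neither crashes the parser nor counts as a failure. Wire the exit code into the pipeline step, and extend `fail_on` to include `"medium"` once the baseline is clean.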



Scores are editorial opinions as of 2026-03-06.
