The CNCF Technical Oversight Committee (TOC) recently announced that it has accepted Kubescape as an incubating project. Kubescape offers security coverage for the Kubernetes environment from development to deployment. It is available as a CLI tool and as a Kubernetes operator.
The announcement was made on the official CNCF blog and on ARMO’s blog. ARMO is Kubescape’s parent company.
Since its release in 2021, Kubescape has evolved from a CLI tool that scanned for compliance with the NSA-CISA Kubernetes Hardening Guidelines into a full-fledged security platform.
The first release of Kubescape checked cluster and workload configuration (e.g., Helm charts, YAML manifests, RBAC) against the NSA-CISA Kubernetes Hardening Guidelines. The project has since grown to meet the broader security needs of Kubernetes DevOps teams and the cybersecurity community.
Kubescape can now perform configuration scanning, hardening recommendations, and vulnerability scanning against popular security frameworks (e.g., MITRE ATT&CK and Kubernetes CIS benchmark). It also offers an eBPF-based reachability analysis, Kubernetes Network Policy recommendations, and anomaly-based threat detection.
Under the hood, Kubescape uses Open Policy Agent to verify Kubernetes objects against a library of posture controls. It uses Grype for image scanning and Copacetic for image patching, and Inspektor Gadget provides the eBPF instrumentation. Users can render the CLI scan results to HTML or PDF, export them to JSON, JUnit XML, or SARIF, or submit them to a cloud service.
Source: Kubescape GitHub Project
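To make the configuration-scanning step concrete, here is an added example (not Kubescape's own code, and not its real control library) of the kind of posture control Kubescape evaluates with Open Policy Agent: a parsed Pod manifest is checked against a handful of constructed controls, and each failed control reports the offending containers or fields. The control IDs, the sample Pod and the check functions are all constructed for this illustration.

```python
# Added example, not Kubescape's own code: a miniature of the posture controls
# Kubescape evaluates with Open Policy Agent. Control IDs below are constructed.
# Constructed Pod manifest, as it looks after the YAML has been parsed.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "web", "securityContext": {"privileged": True}},
            {"name": "sidecar",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ],
    },
}

def containers(pod):
    # Regular and init containers of a Pod spec.
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])

def privileged(pod):
    return [c["name"] for c in containers(pod)
            if (c.get("securityContext") or {}).get("privileged") is True]

def host_namespaces(pod):
    spec = pod.get("spec", {})
    return [k for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k) is True]

def root_allowed(pod):
    # runAsNonRoot can be set on the Pod or the container; the container wins.
    pod_level = (pod.get("spec", {}).get("securityContext") or {}).get("runAsNonRoot")
    return [c["name"] for c in containers(pod)
            if (c.get("securityContext") or {}).get("runAsNonRoot", pod_level) is not True]

def missing_limits(pod):
    return [c["name"] for c in containers(pod)
            if not (c.get("resources") or {}).get("limits")]

# (constructed control id, description, check); a check returns the failing items
CONTROLS = [("X-001", "Privileged container", privileged),
            ("X-002", "Host namespace shared with the node", host_namespaces),
            ("X-003", "Container may run as root", root_allowed),
            ("X-004", "Missing resource limits", missing_limits)]

def scan(pod):
    # One finding per failed control, listing the offending items.
    return [{"control": cid, "name": name, "failed": fn(pod)}
            for cid, name, fn in CONTROLS if fn(pod)]
```

Running `scan(SAMPLE_POD)` flags all four controls for the `web` container and the shared `hostPID` namespace, while `sidecar` passes; a findings list in this shape is what a scanner then renders to JSON, JUnit XML or SARIF for a CI pipeline.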
Kubescape integrates with IDEs, CI/CD pipelines (e.g., Kubescape GitHub Action), and monitoring systems such as Prometheus. It also supports in-cluster installation using a Kubernetes Operator.
Speaking about the announcement, Ben Hirschberg, CTO of ARMO and core maintainer of Kubescape, said:
We decided to work with the CNCF because of its vibrant community of active contributors and users, as well as its clear pathway to project graduation. Our team members’ involvement in CNCF also played a key role in our decision.
CNCF’s emphasis on cloud native technology and strong community made it an ideal home for Kubescape.
Some notable adoptions of Kubescape are security prioritization at Intel, inclusion in AWS security training, improvement of Helm chart security at Bitnami, and integration in CI/CD pipelines at Energi Danmark.
Discussing the usefulness of such security scanners, a former Security Products PM at GitHub gave a good summary in a comment on a Hacker News post:
…In general, I think they’re well intentioned, and can be useful, but aren’t a panacea–they aren’t going to catch anything you’re not already looking for, they’re just going to make it easier to remedy/enforce the problems you already know about.
So far, the Kubescape project on GitHub has 10.6k stars. Interested users can refer to the contribution guide and the current issues on the Kubscaping board.