Kubescape is a Kubernetes security scanner that checks manifests, Helm charts, and live clusters against hardening frameworks including the NSA/CISA Kubernetes Hardening Guide, MITRE ATT&CK, and the CIS Kubernetes Benchmark. It was created by ARMO and donated to the CNCF, where it is now an incubating project.
The scanner runs as a CLI for CI pipelines and as an in-cluster operator that continuously evaluates resources. Controls are written in Rego and executed by the OPA engine, so rules are portable and auditable. Beyond static checks, Kubescape ships an eBPF-based node agent that records syscalls and network activity to build application profiles, then flags runtime deviations and generates tailored seccomp profiles and network policies from observed behaviour. It also pulls SBOMs and matches them against Grype’s vulnerability database to correlate CVEs with the workloads that actually load the affected files.
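To make the runtime part concrete, here is an added example (not Kubescape's own code) of the idea behind the node agent: collapse observed syscall events into an allowlist, emit it as a standard OCI seccomp JSON profile, then flag later syscalls the learned profile does not cover. The event records, container name, and the choice of SCMP_ACT_ERRNO as default action are assumptions for illustration.

```python
import json

# Constructed sample of syscall events, standing in for what an eBPF node agent
# would record during a learning window (not real Kubescape output).
OBSERVED_EVENTS = [
    {"container": "web", "comm": "nginx", "syscall": "openat"},
    {"container": "web", "comm": "nginx", "syscall": "read"},
    {"container": "web", "comm": "nginx", "syscall": "write"},
    {"container": "web", "comm": "nginx", "syscall": "epoll_wait"},
    {"container": "web", "comm": "nginx", "syscall": "accept4"},
    {"container": "web", "comm": "nginx", "syscall": "read"},
    {"container": "web", "comm": "nginx", "syscall": "close"},
]


def learn_profile(events, container):
    """Collapse recorded events into the sorted set of syscalls one container used."""
    return sorted({e["syscall"] for e in events if e["container"] == container})


def build_seccomp_profile(allowed_syscalls):
    """Emit an OCI/Docker-format seccomp profile: deny by default, allow only
    what was observed. SCMP_ACT_ERRNO makes unexpected syscalls fail with an
    error instead of killing the process, which keeps the profile easy to test."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": list(allowed_syscalls), "action": "SCMP_ACT_ALLOW"}],
    }


def find_deviations(profile, runtime_events):
    """Return runtime events whose syscall is not in the learned profile, the
    comparison a runtime agent makes once the learning window has closed."""
    allowed = {n for rule in profile["syscalls"] for n in rule["names"]}
    return [e for e in runtime_events if e["syscall"] not in allowed]


if __name__ == "__main__":
    profile = build_seccomp_profile(learn_profile(OBSERVED_EVENTS, "web"))
    print(json.dumps(profile, indent=2))
    # Constructed post-learning event: a process in the web container calls execve,
    # which never appeared during learning, so it is reported as a deviation.
    later = [{"container": "web", "comm": "nginx", "syscall": "execve"}]
    for ev in find_deviations(profile, later):
        print("deviation:", ev["comm"], ev["syscall"])
```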
Results surface through a CLI, a Prometheus exporter, VS Code and Lens integrations, and the hosted ARMO Platform. In the CNCF landscape Kubescape overlaps with kube-bench (CIS-only), Trivy (image-first), and Falco (runtime-only), combining posture scanning, vulnerability management, and runtime detection in a single agent.