Kubernetes security is a sprawling problem that spans configuration, container images, network policies, runtime behavior, and compliance. Most tools address one slice — a scanner here, a policy engine there. Kubescape attempts to cover the entire lifecycle in a single open-source tool. This review evaluates how well it delivers on that ambitious scope.
The CI/CD scanning capabilities form the first line of defense. Kubescape scans Helm charts, Kubernetes manifests, and Dockerfiles against established security frameworks: NSA-CISA hardening guidelines, MITRE ATT&CK for containers, and CIS Kubernetes Benchmarks. Each finding includes a severity score, detailed description, and actionable remediation steps. The CLI integrates into GitHub Actions, GitLab CI, Jenkins, and other CI systems with minimal configuration.
Container image vulnerability scanning assesses images against known CVE databases, identifying packages with security issues before they reach production. The integrated SBOM (Software Bill of Materials) generation creates an inventory of all components in your images — increasingly required for supply chain security compliance. Scanning can run against local images, registry images, or images already deployed in your cluster.
Runtime security through eBPF-based monitoring is where Kubescape 4.0 advanced significantly. eBPF hooks into the Linux kernel to monitor system calls, network connections, file operations, and process executions in real-time without modifying workloads. Anomaly detection identifies unexpected behavior — a web server suddenly making outbound connections to unknown IPs, a container writing to directories outside its expected paths, or processes attempting privilege escalation.
The AI agent scanning capability in version 4.0 addresses an emerging attack surface. As organizations deploy AI agents with tool-calling capabilities (through MCP or function calling), these agents create new vectors for prompt injection and unauthorized access. Kubescape can scan MCP server configurations, identify overly permissive tool access, and flag potential injection points in agent architectures.
The risk scoring system aggregates findings into a comprehensible risk posture. Each workload, namespace, and cluster receives a risk score based on the severity and quantity of findings. This prioritization helps security teams focus on the highest-risk areas first rather than being overwhelmed by hundreds of low-severity warnings — a common problem with security scanning tools.
Installation and onboarding are straightforward. The CLI installs via Homebrew, curl, or Krew (kubectl plugin). A single command scans your cluster and produces a report. The in-cluster operator (deployed via Helm chart) provides continuous monitoring with results accessible through the CLI or ARMO Platform dashboard. Getting from zero to first scan takes under 10 minutes.
The ARMO Platform provides a managed dashboard with historical trends, multi-cluster visibility, and team collaboration features. The free tier covers core scanning with the managed dashboard. Paid plans add advanced features like compliance reporting, custom framework definitions, and priority support. For teams that want visualization and trending without building their own dashboards, ARMO Platform adds significant value.