What Kubescape Does
Kubernetes security is a sprawling problem that spans configuration, container images, network policies, runtime behavior, and compliance. Most tools address one slice — a scanner here, a policy engine there. Kubescape attempts to cover the entire lifecycle in a single open-source tool. This review evaluates how well it delivers on that ambitious scope.
CI/CD and Image Scanning
The CI/CD scanning capabilities form the first line of defense. Kubescape scans Helm charts, Kubernetes manifests, and Dockerfiles against established security frameworks: NSA-CISA hardening guidelines, MITRE ATT&CK for containers, and CIS Kubernetes Benchmarks. Each finding includes a severity score, detailed description, and actionable remediation steps. The CLI integrates into GitHub Actions, GitLab CI, Jenkins, and other CI systems with minimal configuration.
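The kind of manifest check described above, reduced to four rules and a CI gate, as an added example (not Kubescape's code or rule set). The check names, severities and remediation strings are assumptions made for illustration, and the sample Deployment is constructed.

```python
# Added illustration, not Kubescape's implementation or rule set.
# Check names, severities and remediation text are assumptions.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample: a Deployment as it looks after YAML parsing.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "app", "securityContext": {"privileged": True}},
            {"name": "sidecar", "securityContext": {
                "runAsNonRoot": True, "allowPrivilegeEscalation": False}},
        ],
    }}},
}


def scan(manifest):
    """Return findings: check, severity, target and remediation."""
    findings = []
    def add(check, severity, target, fix):
        findings.append({"check": check, "severity": severity,
                         "target": target, "remediation": fix})
    # A bare Pod carries the pod spec directly; workloads nest it in a template.
    spec = manifest.get("spec", {})
    if manifest.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    if spec.get("hostNetwork"):
        add("host-network", "high", "pod", "Set hostNetwork: false.")
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            add("privileged-container", "high", c["name"], "Set privileged: false.")
        # Left unset, escalation is not blocked, so unset counts as a finding.
        if ctx.get("allowPrivilegeEscalation", True):
            add("allow-privilege-escalation", "medium", c["name"],
                "Set allowPrivilegeEscalation: false.")
        # A container-level runAsNonRoot overrides the pod-level value.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            add("may-run-as-root", "medium", c["name"], "Set runAsNonRoot: true.")
    return findings


def ci_exit_code(findings, fail_on="high"):
    """Return 1 (fail the pipeline) if any finding is at or above fail_on."""
    limit = SEVERITY_RANK[fail_on]
    return int(any(SEVERITY_RANK[f["severity"]] >= limit for f in findings))
```

In a pipeline, the value from `ci_exit_code(scan(manifest))` would be passed to `sys.exit` so that a high-severity finding blocks the merge while medium findings are only reported.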
Container image vulnerability scanning assesses images against known CVE databases, identifying packages with security issues before they reach production. The integrated SBOM (Software Bill of Materials) generation creates an inventory of all components in your images — increasingly required for supply chain security compliance. Scanning can run against local images, registry images, or images already deployed in your cluster.
Runtime Security and AI Assistant Integration
Runtime security through eBPF-based monitoring is where Kubescape 4.0 advanced significantly. eBPF hooks into the Linux kernel to monitor system calls, network connections, file operations, and process executions in real time without modifying workloads. Anomaly detection identifies unexpected behavior — a web server suddenly making outbound connections to unknown IPs, a container writing to directories outside its expected paths, or processes attempting privilege escalation.
Kubescape documentation now includes MCP server and AI assistant integration alongside its Kubernetes security workflow. As organizations connect security tools to AI assistants, these integrations help teams inspect cluster posture and security context through controlled assistant workflows rather than relying on a version-specific agent-scanning claim.
Risk Scoring and Setup
The risk scoring system aggregates findings into a comprehensible risk posture. Each workload, namespace, and cluster receives a risk score based on the severity and quantity of findings. This prioritization helps security teams focus on the highest-risk areas first rather than being overwhelmed by hundreds of low-severity warnings — a common problem with security scanning tools.
Installation and onboarding are straightforward. The CLI installs via Homebrew, curl, or Krew (kubectl plugin). A single command scans your cluster and produces a report. The in-cluster operator (deployed via Helm chart) provides continuous monitoring with results accessible through the CLI or ARMO Platform dashboard. Getting from zero to first scan takes under 10 minutes.
ARMO Platform and Ecosystem Integration
The ARMO Platform provides a managed dashboard with historical trends, multi-cluster visibility, and team collaboration features. The free tier covers core scanning with the managed dashboard. Paid plans add advanced features like compliance reporting, custom framework definitions, and priority support. For teams that want visualization and trending without building their own dashboards, ARMO Platform adds significant value.
Integration with the broader Kubernetes ecosystem is natural. Kubescape works alongside Prometheus for metrics export, integrates with Slack for alerting, and complements other CNCF projects like Falco (runtime security) and OPA (policy enforcement). Rather than replacing existing security tools, Kubescape fills gaps in scanning and vulnerability assessment while feeding data into your existing monitoring infrastructure.
The Bottom Line
Kubescape is the right choice for Kubernetes teams wanting a single tool that covers scanning, image security, SBOM generation, and runtime monitoring. The CNCF affiliation provides governance stability. The main limitation is that depth in any single area may not match dedicated tools — Trivy for vulnerability scanning, Falco for runtime detection, or OPA for policy enforcement. But for teams wanting comprehensive coverage without managing multiple security tools, Kubescape delivers strong value from a single installation.