What Kubescape Does
Kubernetes security is a sprawling problem that spans configuration, container images, network policies, runtime behavior, and compliance. Most tools address one slice — a scanner here, a policy engine there. Kubescape attempts to cover the entire lifecycle in a single open-source tool. This review evaluates how well it delivers on that ambitious scope.
CI/CD and Image Scanning
The CI/CD scanning capabilities form the first line of defense. Kubescape scans Helm charts, Kubernetes manifests, and Dockerfiles against established security frameworks: NSA-CISA hardening guidelines, MITRE ATT&CK for containers, and CIS Kubernetes Benchmarks. Each finding includes a severity score, detailed description, and actionable remediation steps. The CLI integrates into GitHub Actions, GitLab CI, Jenkins, and other CI systems with minimal configuration.
Container image vulnerability scanning assesses images against known CVE databases, identifying packages with security issues before they reach production. The integrated SBOM (Software Bill of Materials) generation creates an inventory of all components in your images — increasingly required for supply chain security compliance. Scanning can run against local images, registry images, or images already deployed in your cluster.
Runtime Security and AI Agent Scanning
Runtime security through eBPF-based monitoring is where Kubescape 4.0 advanced significantly. eBPF hooks into the Linux kernel to monitor system calls, network connections, file operations, and process executions in real-time without modifying workloads. Anomaly detection identifies unexpected behavior — a web server suddenly making outbound connections to unknown IPs, a container writing to directories outside its expected paths, or processes attempting privilege escalation.
The AI agent scanning capability in version 4.0 addresses an emerging attack surface. As organizations deploy AI agents with tool-calling capabilities (through MCP or function calling), these agents create new vectors for prompt injection and unauthorized access. Kubescape can scan MCP server configurations, identify overly permissive tool access, and flag potential injection points in agent architectures.
Risk Scoring and Setup
The risk scoring system aggregates findings into a comprehensible risk posture. Each workload, namespace, and cluster receives a risk score based on the severity and quantity of findings. This prioritization helps security teams focus on the highest-risk areas first rather than being overwhelmed by hundreds of low-severity warnings — a common problem with security scanning tools.
Installation and onboarding are straightforward. The CLI installs via Homebrew, curl, or Krew (kubectl plugin). A single command scans your cluster and produces a report. The in-cluster operator (deployed via Helm chart) provides continuous monitoring with results accessible through the CLI or ARMO Platform dashboard. Getting from zero to first scan takes under 10 minutes.