aicoolies logo
Kubescape logo

Kubescape

Open-source Kubernetes security platform for risk analysis and compliance

Share
open-sourceOpen Source
Visit Website →

Kubescape is a CNCF-backed open-source Kubernetes security platform that scans clusters, manifests, and container images for vulnerabilities, misconfigurations, and compliance violations. It checks against NSA-CISA, MITRE ATT&CK, and CIS benchmarks, integrates into CI/CD pipelines, and provides runtime threat detection via eBPF. Supports SBOM generation and vulnerability scanning. Used by ARMO with growing enterprise adoption in cloud-native security.

We have a review for this tool

A detailed review by the aicoolies team — click to read

Kubescape provides comprehensive Kubernetes security coverage across the entire development lifecycle. In CI/CD, it scans Helm charts, Kubernetes manifests, and Dockerfiles against security frameworks including NSA-CISA hardening guidelines, MITRE ATT&CK for containers, and CIS Kubernetes Benchmarks. Each finding includes severity scoring and actionable remediation steps, enabling teams to catch misconfigurations before they reach production.

At runtime, Kubescape uses eBPF-based monitoring to detect anomalous behavior in running workloads — unexpected network connections, file system modifications, process executions, and privilege escalation attempts. The integrated vulnerability scanner assesses container images against known CVE databases and generates Software Bill of Materials (SBOM) for supply chain compliance. Results aggregate into a risk score per workload, namespace, and cluster.

Kubescape is Apache 2.0 licensed and maintained within the CNCF ecosystem alongside projects like Falco and OPA. It integrates with Prometheus for metrics, Slack for alerts, and popular CI systems including GitHub Actions, GitLab CI, and Jenkins. For teams needing a managed experience, ARMO Platform provides a SaaS dashboard with historical trends and multi-cluster visibility. The CLI can be installed via Homebrew, curl, or Krew kubectl plugin.

Pricing

Free open-source; ARMO Platform managed plans available

Platforms

CLI, CI/CD plugins, Kubernetes operator, ARMO SaaS

Categories

Tags

Use Cases

Alternatives

Related Tools

KubeAI

Kubernetes operator for serving AI inference workloads

KubeAI is an Apache-2.0 Kubernetes operator for deploying and scaling AI inference workloads, including LLMs, embeddings, reranking, and speech-to-text. It gives platform teams OpenAI-compatible endpoints, model proxy/controller primitives, model caching, scale-from-zero behavior, and cluster-native resource management for self-hosted inference on Kubernetes.

open-sourceOpen Source

kubectl-ai

Google’s open-source Kubernetes assistant that translates natural-language intent into precise cluster operations.

kubectl-ai is an AI-powered Kubernetes assistant from Google Cloud Platform. It acts as an intelligent interface for cluster work, translating operator intent into Kubernetes commands and workflows. The key distinction from reactive diagnosis tools is that kubectl-ai is designed as an interactive natural-language interface for planning and executing Kubernetes operations, with provider configuration and MCP-oriented workflows around the CLI.

open-sourceOpen SourceTelemetry
Agent Governance Toolkit logo

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

open-sourceOpen SourceTelemetry
Baz logo

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

freemiumTelemetry
rampart

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

open-sourceOpen Source
Statewright logo

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

open-sourceOpen Source

Used in Stacks