diff --git a/README.md b/README.md
index 34e58f03..b096f645 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ _An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and
Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+In addition, you can scan container images for vulnerabilities.
Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
@@ -56,10 +57,11 @@ _Did you know you can use Kubescape in all these places?_
## Under the hood
Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
+For images scanning, it uses [Grype](https://github.com/anchore/grype).
By default, the results are printed in a console-friendly manner, but they can be:
-* exported to JSON or junit XML
+* exported to JSON, junit XML or SARIF
* rendered to HTML or PDF
* submitted to a [cloud service](docs/providers.md)
diff --git a/docs/getting-started.md b/docs/getting-started.md
index cc1932e8..da748548 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -6,7 +6,7 @@ The best way to get started with Kubescape is to download it to the machine you
## Install Kubescape
-```sh
+```bash
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
```
@@ -16,175 +16,255 @@ You can also check [other installation methods](installation.md)
## Run your first scan
-```sh
-kubescape scan --verbose
+```bash
+kubescape scan
```
You will see output like this:
-
+```bash
+Kubescape security posture overview for cluster: minikube
-## Usage
+In this overview, Kubescape shows you a summary of your cluster security posture, including the number of users who can perform administrative actions. For each result greater than 0, you should evaluate its need, and then define an exception to allow it. This baseline can be used to detect drift in future.
-_Some documentation on using Kubescape is yet to move here from the [ARMO Platform docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)_.
+Control plane
+┌────┬─────────────────────────────────────┬────────────────────────────────────┐
+│ │ Control Name │ Docs │
+├────┼─────────────────────────────────────┼────────────────────────────────────┤
+│ ✅ │ API server insecure port is enabled │ https://hub.armosec.io/docs/c-0005 │
+│ ❌ │ Anonymous access enabled │ https://hub.armosec.io/docs/c-0262 │
+│ ❌ │ Audit logs enabled │ https://hub.armosec.io/docs/c-0067 │
+│ ✅ │ RBAC enabled │ https://hub.armosec.io/docs/c-0088 │
+│ ❌ │ Secret/etcd encryption enabled │ https://hub.armosec.io/docs/c-0066 │
+└────┴─────────────────────────────────────┴────────────────────────────────────┘
+
+Access control
+┌─────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name │ Resources │ View Details │
+├─────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
+│ Cluster-admin binding │ 1 │ $ kubescape scan control C-0035 -v │
+│ Data Destruction │ 6 │ $ kubescape scan control C-0007 -v │
+│ Exec into container │ 1 │ $ kubescape scan control C-0002 -v │
+│ List Kubernetes secrets │ 6 │ $ kubescape scan control C-0015 -v │
+│ Minimize access to create pods │ 2 │ $ kubescape scan control C-0188 -v │
+│ Minimize wildcard use in Roles and ClusterRoles │ 1 │ $ kubescape scan control C-0187 -v │
+│ Portforwarding privileges │ 1 │ $ kubescape scan control C-0063 -v │
+│ Validate admission controller (mutating) │ 0 │ $ kubescape scan control C-0039 -v │
+│ Validate admission controller (validating) │ 0 │ $ kubescape scan control C-0036 -v │
+└─────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘
+
+Secrets
+┌─────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name │ Resources │ View Details │
+├─────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
+│ Applications credentials in configuration files │ 1 │ $ kubescape scan control C-0012 -v │
+└─────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘
+
+Network
+┌────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name │ Resources │ View Details │
+├────────────────────────┼───────────┼────────────────────────────────────┤
+│ Missing network policy │ 13 │ $ kubescape scan control C-0260 -v │
+└────────────────────────┴───────────┴────────────────────────────────────┘
+
+Workload
+┌─────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name │ Resources │ View Details │
+├─────────────────────────┼───────────┼────────────────────────────────────┤
+│ Host PID/IPC privileges │ 2 │ $ kubescape scan control C-0038 -v │
+│ HostNetwork access │ 1 │ $ kubescape scan control C-0041 -v │
+│ HostPath mount │ 1 │ $ kubescape scan control C-0048 -v │
+│ Non-root containers │ 6 │ $ kubescape scan control C-0013 -v │
+│ Privileged container │ 1 │ $ kubescape scan control C-0057 -v │
+└─────────────────────────┴───────────┴────────────────────────────────────┘
+
+Highest-stake workloads
+────────────────────────
+High-stakes workloads are defined as those which Kubescape estimates would have the highest impact if they were to be exploited.
+
+1. namespace: gadget, name: gadget, kind: DaemonSet
+ '$ kubescape scan workload DaemonSet/gadget --namespace gadget'
+2. namespace: kafka, name: my-cluster-kafka-0, kind: Pod
+ '$ kubescape scan workload Pod/my-cluster-kafka-0 --namespace kafka'
+3. namespace: kafka, name: my-cluster-zookeeper-0, kind: Pod
+ '$ kubescape scan workload Pod/my-cluster-zookeeper-0 --namespace kafka'
+
+Compliance Score
+────────────────
+The compliance score is calculated by multiplying control failures by the number of failures against supported compliance frameworks. Remediate controls, or configure your cluster baseline with exceptions, to improve this score.
+
+* MITRE: 77.39%
+* NSA: 69.97%
+
+View a full compliance report by running '$ kubescape scan framework nsa' or '$ kubescape scan framework mitre'
+
+What now?
+─────────
+* Run one of the suggested commands to learn more about a failed control failure
+* Scan a workload with '$ kubescape scan workload' to see vulnerability information
+* Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator
+
+```
+
+# Usage
+
+Capabilities
+* Scan Kubernetes clusters for misconfigurations
+* Scan Kubernetes YAML files/Helm charts for misconfigurations
+* Scan container images for vulnerabilities
+
+## Misconfigurations Scanning
+Scan Kubernetes clusters, YAML files, Helm charts for misconfigurations.
+Kubescape will highlight the misconfigurations and provide remediation steps.
+The misconfigurations are based on multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
### Examples
-* Scan a running Kubernetes cluster:
+#### Scan a running Kubernetes cluster:
- ```sh
- kubescape scan --verbose
+```bash
+kubescape scan
+```
+
+> **Note**
+> [Read more about host scanning](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository).
+
+#### Scan NSA framework
+Scan a running Kubernetes cluster with the [NSA framework](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/):
+
+```bash
+kubescape scan framework nsa
+```
+
+#### Scan MITRE framework
+Scan a running Kubernetes cluster with the [MITRE ATT&CK® framework](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/):
+
+```bash
+kubescape scan framework mitre
+```
+
+#### Scan a control
+Scan for a specific control, using the control name or control ID. [See the list of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository).
+
+```bash
+kubescape scan control c-0005 -v
+```
+
+#### Use an alternative kubeconfig file
+
+```bash
+kubescape scan --kubeconfig cluster.conf
+```
+
+#### Scan specific namespaces
+
+```bash
+kubescape scan --include-namespaces development,staging,production
+```
+
+#### Exclude certain namespaces
+
+```bash
+kubescape scan --exclude-namespaces kube-system,kube-public
+```
+
+#### Scan local YAML files
+```sh
+kubescape scan /path/to/directory-or-directory
+```
+
+Take a look at the [example](https://youtu.be/Ox6DaR7_4ZI).
+
+#### Scan git repository
+Scan Kubernetes manifest files from a Git repository:
+
+```bash
+kubescape scan https://github.com/kubescape/kubescape
+```
+
+#### Scan with exceptions
+
+```bash
+kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
+```
+
+Objects with exceptions will be presented as `exclude` and not `fail`.
+
+[See more examples about exceptions.](/examples/exceptions/README.md)
+
+#### Scan Helm charts
+
+```bash
+kubescape scan
+```
+
+> **Note**
+> Kubescape will load the default VALUES file.
+
+#### Scan a Kustomize directory
+
+```bash
+kubescape scan
+```
+
+> **Note**
+> Kubescape will generate Kubernetes YAML objects using a `kustomize` file and scan them for security.
+
+#### Trigger in cluster components for scanning your cluster
+
+If the [kubescape-operator](https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator#readme) is installed in your cluster, you can trigger scanning of the in cluster components from the kubescape CLI.
+
+Trigger configuration scanning:
+```bash
+kubescape operator scan configurations
+```
+
+Trigger vulnerabilities scanning:
+```bash
+kubescape operator scan vulnerabilities
+```
+
+#### Compliance Score
+
+We offer two important metrics to assess compliance:
+
+- Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
+ ```bash
+ kubescape scan --compliance-threshold
```
-
- > **Note**
- > [Read more about host scanning](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository).
-
-* Scan a running Kubernetes cluster with the [NSA framework](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/):
-
- ```sh
- kubescape scan framework nsa
+- Framework Compliance Score: This score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.
+ ```bash
+ kubescape scan framework --compliance-threshold
```
-* Scan a running Kubernetes cluster with the [MITRE ATT&CK® framework](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/):
-
- ```sh
- kubescape scan framework mitre
- ```
-
-* Scan for a specific control, using the control name or control ID. [See the list of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository).
-
- ```sh
- kubescape scan control "Privileged container"
- ```
-
-* Use an alternative kubeconfig file:
-
- ```sh
- kubescape scan --kubeconfig cluster.conf
- ```
-
-* Scan specific namespaces:
-
- ```sh
- kubescape scan --include-namespaces development,staging,production
- ```
-
-* Exclude certain namespaces:
-
- ```sh
- kubescape scan --exclude-namespaces kube-system,kube-public
- ```
-
-* Scan local YAML/JSON files before deploying:
- ```sh
- kubescape scan *.yaml
- ```
-
- Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
-
-* Scan Kubernetes manifest files from a Git repository:
-
- ```sh
- kubescape scan https://github.com/kubescape/kubescape
- ```
-
-* Scan with exceptions
-
- ```sh
- kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
- ```
-
- Objects with exceptions will be presented as `exclude` and not `fail`.
-
- [See more examples about exceptions.](/examples/exceptions/README.md)
-
-* Scan Helm charts
-
- ```sh
- kubescape scan
- ```
-
- > **Note**
- > Kubescape will load the default VALUES file.
-
-* Scan a Kustomize directory
-
- ```sh
- kubescape scan
- ```
-
- > **Note**
- > Kubescape will generate Kubernetes YAML objects using a `kustomize` file and scan them for security.
-
-* Trigger in cluster components for scanning your cluster:
-
- If kubescape helm chart is install in your cluster we can trigger scanning of the in cluster components from the kubescape CLI.
- ```sh
- kubescape operator scan config
- ```
- ```sh
- kubescape operator scan vulnerabilities
- ```
-
-* Compliance Score
-
- We offer two important metrics to assess compliance:
-
- - Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
- ```sh
- kubescape scan --compliance-threshold
- ```
- - Framework Compliance Score: This score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.
- ```sh
- kubescape scan framework --compliance-threshold
- ```
- Kubescape scan with compliance score
- 
-
### Output formats
-* JSON:
+#### JSON:
- ```sh
- kubescape scan --format json --format-version v2 --output results.json
- ```
+```bash
+kubescape scan --format json --output results.json
+```
- > **Note**
- > Add the `--format-version v2` flag for maximum compatibility.
+#### junit XML:
-* junit XML:
+```bash
+kubescape scan --format junit --output results.xml
+```
+#### SARIF:
- ```sh
- kubescape scan --format junit --output results.xml
- ```
+SARIF is a standard format for the output of static analysis tools. It is supported by many tools, including GitHub Code Scanning and Azure DevOps. [Read more about SARIF](https://docs.github.com/en/code-security/secure-coding/sarif-support-for-code-scanning/about-sarif-support-for-code-scanning).
-* PDF:
+```bash
+kubescape scan --format sarif --output results.sarif
+```
+> **Note**
+> SARIF format is supported only when scanning local files or git repositories, but not when scanning a running cluster.
- ```sh
- kubescape scan --format pdf --output results.pdf
- ```
+#### HTML
- _Contributed by [@alegrey91](https://github.com/alegrey91)_
-
-* Prometheus metrics:
-
- ```
- kubescape scan --format prometheus
- ```
-
- _Contributed by [@Joibel](https://github.com/Joibel)_
-
-* HTML
-
- ```
- kubescape scan --format html --output results.html
- ```
-
-* Display all scanned resources (including the resources which passed):
-
- ```sh
- kubescape scan --verbose
- ```
+```bash
+kubescape scan --format html --output results.html
+```
## Offline/air-gapped environment support
@@ -194,7 +274,7 @@ It is possible to run Kubescape offline! Check out our [video tutorial](https:/
1. Download the controls and save them in the local directory. If no path is specified, they will be saved in `~/.kubescape`.
- ```sh
+ ```bash
kubescape download artifacts --output path/to/local/dir
```
@@ -202,7 +282,7 @@ It is possible to run Kubescape offline! Check out our [video tutorial](https:/
3. Scan using the downloaded artifacts:
- ```sh
+ ```bash
kubescape scan --use-artifacts-from path/to/local/dir
```
@@ -212,7 +292,7 @@ You can also download a single artifact, and scan with the `--use-from` flag:
1. Download and save in a file. If no file name is specified, the artifact will be saved as `~/.kubescape/.json`.
- ```sh
+ ```bash
kubescape download framework nsa --output /path/nsa.json
```
@@ -220,9 +300,32 @@ You can also download a single artifact, and scan with the `--use-from` flag:
3. Scan using the downloaded framework:
- ```sh
+ ```bash
kubescape scan framework nsa --use-from /path/nsa.json
```
+## Image scanning
+
+Kubescape can scan container images for vulnerabilities. It uses [Grype]() to scan the images.
+
+### Examples
+
+#### Scan image
+
+```bash
+kubescape scan image nginx:1.19.6
+```
+
+#### Scan image from a private registry
+
+```bash
+kubescape scan image --username myuser --password mypassword myregistry/nginx:1.19.6
+```
+
+#### Scan image and see full report
+
+```bash
+kubescape scan image nginx:1.19.6 -v
+```
## Other ways to use Kubescape