mirror of
https://github.com/kubescape/kubescape.git
synced 2026-02-26 15:53:52 +00:00
Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
2779cb4e25 | ||
|
|
f46ee93539 | ||
|
|
3eb087e5c1 | ||
|
|
59c935e723 | ||
|
|
bae45d277f | ||
|
|
0b6dfa9cd0 | ||
|
|
1ff3a6c92c | ||
|
|
f75cee0d78 | ||
|
|
229f16cb01 | ||
|
|
2c6b1a440f | ||
|
|
37afc1352f | ||
|
|
9943119033 | ||
|
|
41457ff551 | ||
|
|
82b64b5828 | ||
|
|
229e8acc74 | ||
|
30324e1c01 | ||
|
|
8ca356eae7 | ||
|
|
29f4ae368d | ||
|
|
409080f51b | ||
|
|
0b24c46279 | ||
|
|
49596c5ac1 | ||
|
|
9bf79db8f8 |
39
README.md
39
README.md
@@ -28,17 +28,20 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
|
||||
<img src="docs/summary.png">
|
||||
|
||||
|
||||
### Flags
|
||||
|
||||
| flag | default | description | options |
|
||||
| --- | --- | --- | --- |
|
||||
| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning, Recommended to exclude `kube-system` and `kube-public` namespaces |
|
||||
| `-s`/`--silent` | Display progress messages | Silent progress messages |
|
||||
| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
|
||||
| `-o`/`--output` | print to stdout | Save scan result in file |
|
||||
|
||||
## Usage & Examples
|
||||
|
||||
|
||||
### Pre-Deployment Testing
|
||||
Check your YAML files before you're deploying, simply add them at the end of command line:
|
||||
```
|
||||
kubescape scan framework nsa *.yaml
|
||||
```
|
||||
|
||||
### Integration with other tools
|
||||
|
||||
Kubescape can produce output fitting for later processing:
|
||||
* JSON (`-f json`)
|
||||
* JUnit XML (`-f junit`)
|
||||
|
||||
### Examples
|
||||
|
||||
* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
|
||||
@@ -46,32 +49,32 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
|
||||
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
|
||||
```
|
||||
|
||||
* Scan local `yaml`/`json` files before deploying <img src="docs/new-feature.svg">
|
||||
* Scan local `yaml`/`json` files
|
||||
```
|
||||
kubescape scan framework nsa *.yaml
|
||||
kubescape scan framework nsa examples/online-boutique/*
|
||||
```
|
||||
|
||||
|
||||
* Scan `yaml`/`json` files from url <img src="docs/new-feature.svg">
|
||||
* Scan `yaml`/`json` files from url
|
||||
```
|
||||
kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
|
||||
```
|
||||
|
||||
* Output in `json` format <img src="docs/new-feature.svg">
|
||||
* Output in `json` format
|
||||
```
|
||||
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
|
||||
```
|
||||
|
||||
* Output in `junit xml` format <img src="docs/new-feature.svg">
|
||||
* Output in `junit xml` format
|
||||
```
|
||||
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
|
||||
```
|
||||
|
||||
### Helm Support
|
||||
|
||||
* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout <img src="docs/new-feature.svg">
|
||||
Render the helm template and pass as stdout
|
||||
```
|
||||
helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
|
||||
helm template [CHART] [flags] --generate-name --dry-run | kubescape scan framework nsa -
|
||||
```
|
||||
|
||||
for example:
|
||||
@@ -123,7 +126,7 @@ Kubescape is running the following tests according to what is defined by [Kubern
|
||||
* Linux hardening
|
||||
* Ingress and Egress blocked
|
||||
* Container hostPort
|
||||
|
||||
* Anonymous requests
|
||||
|
||||
|
||||
## Technology
|
||||
|
||||
@@ -75,10 +75,10 @@ func isValidFramework(framework string) bool {
|
||||
func init() {
|
||||
scanCmd.AddCommand(frameworkCmd)
|
||||
scanInfo = opapolicy.ScanInfo{}
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from check")
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. supported formats: "pretty-printer"/"json"/"junit"`)
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. print output to file and not stdout")
|
||||
frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "namespaces to exclude from check")
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `output format. supported formats: "pretty-printer"/"json"/"junit"`)
|
||||
frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "output file. print output to file and not stdout")
|
||||
frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "silent progress output")
|
||||
}
|
||||
|
||||
func CliSetup() error {
|
||||
|
||||
@@ -9,7 +9,7 @@ var cfgFile string
|
||||
var rootCmd = &cobra.Command{
|
||||
Use: "kubescape",
|
||||
Short: "Kubescape is a tool for testing Kubernetes security posture",
|
||||
Long: `Kubescape is a tool for testing Kubernetes security posture based on NSA specifications.`,
|
||||
Long: `Kubescape is a tool for testing Kubernetes security posture based on NSA and MITRE specifications.`,
|
||||
}
|
||||
|
||||
func Execute() {
|
||||
|
||||
Reference in New Issue
Block a user