The CNCF Technical Oversight Committee (TOC) has voted to accept Kubescape as a CNCF incubating project.
Kubescape is an open-source Kubernetes security project designed to offer comprehensive security coverage throughout the entire development and deployment lifecycle. It provides posture and vulnerability management and automatic hardening policies. In addition, it offers eBPF-based threat detection capabilities to detect anomalous and suspicious behavior of cloud workloads. Kubescape is available as a CLI tool and a Kubernetes operator. The CLI tool is used for manual scanning, scripting, and CI/CD integration. The Kubescape operator is a set of microservices monitoring your Kubernetes cluster from within.
Kubescape was created in 2021 by ARMO, a cybersecurity company specializing in cloud runtime security. Since its inception, Kubescape has been one of the fastest-growing open source security projects, garnering significant adoption within the cloud native community.
Kubescape is the first CNCF Kubernetes security scanner. After joining the Cloud Native Computing Foundation (CNCF) Sandbox in November 2022, Kubescape achieved numerous milestones. These include contributions from a growing community of developers and a steady increase in end users adopting the platform.
“Security is foundational in any computing environment and the CNCF is home to many amazing security projects. Projects like Kubescape provide adopters with a robust series of security capabilities that go beyond vulnerability scanning, to include all aspects of security considerations in Kubernetes environments. Kubescape’s promotion to Incubation shows not only the readiness and desire of adopters to take advantage of the solutions, such as security framework testing and hardening, but also demonstrates growing maturity and cloud native’s continued commitment to feature-rich security tools and projects which address multiple security concerns adopters have today and in the future. The Kubescape project’s incubation announcement and their commitment to simplifying security for adopters places them on a path to gain widespread traction with other adopters, accelerating contributor diversity and setting them up for success towards Graduation.” – Emily Fox, Portfolio Security Architect at Red Hat and TOC Sponsor
In its first release, Kubescape was a CLI tool verifying cluster and workload configuration settings (e.g. Helm, YAML, RBAC) against the CISA-NSA Kubernetes hardening guide. The project’s popularity grew very fast and Kubescape evolved to meet the growing security needs of the Kubernetes DevOps and cybersecurity community. To this end, Kubescape introduced key features that include configuration scanning, hardening recommendations, and vulnerability scanning against additional well-known security frameworks (e.g. MITRE ATT&CK® and Kubernetes CIS Benchmark). It also added eBPF-based reachability analysis, Kubernetes network policy recommendations, and anomaly-based threat detection. To increase usability and adoption, Kubescape added integration with IDEs, CI/CD pipelines, and monitoring systems like Prometheus. The Kubescape community is known for its start-up and innovative mindset. This approach has transformed Kubescape from a simple compliance scanner into a comprehensive runtime security solution, complete with advanced anomaly detection capabilities.
Kubescape is deeply integrated with the CNCF ecosystem, leveraging eBPF (via Inspektor Gadget) for runtime observability and Open Policy Agent (OPA) for configuration scanning. It integrates with tools like ArgoCD, Prometheus, and Headlamp, enabling users to enhance monitoring, automate deployments, and gain real-time insights into their Kubernetes clusters. By aligning with CNCF’s vision of open collaboration, Kubescape plays a vital role in securing Kubernetes workloads while fostering innovation and interoperability within the cloud-native community.
Kubescape has always been a favorite of DevOps engineers and continues to help hundreds of teams across a wide variety of sectors improve their security. Notable examples of Kubescape adoption include:
- Intel uses Kubescape for security prioritization
- AWS uses it in security educational material
- Bitnami uses Kubescape to improve Helm chart security
- ARMO uses Kubescape as the foundation for its Cloud Runtime Security Platform, ARMO Platform
- Energi Danmark used Kubescape from their early days of adopting Kubernetes, embedding it in their CI/CD pipelines
“We’re incredibly proud of the vibrant community we’ve built, growing from a small group to over 130 contributors, including many first-time open-source participants. Together, we’ve tackled tough technical challenges, advancing Kubernetes security with cutting-edge runtime detection and strong configuration scanning and vulnerability management capabilities. As we look to the future, we’re excited to welcome even more contributors, foster deeper collaboration, and work toward CNCF graduation by demonstrating sustained growth, broad adoption, and strong governance,” said Matthias Bertschy, Senior Kubernetes Developer at ARMO and core maintainer of Kubescape.
“We decided to work with the CNCF because of its vibrant community of active contributors and users, as well as its clear pathway to project graduation. Our team members’ involvement in CNCF also played a key role in our decision,” said Ben Hirschberg, CTO of ARMO and core maintainer of Kubescape. He continued: “CNCF’s emphasis on cloud native technology and strong community made it an ideal home for Kubescape.”
Notable Milestones:
- 10.4k GitHub Stars
- 4385 pull requests
- 723 issues
- 794 contributors
- 1207 Forks
Kubescape’s roadmap reflects the project’s maturity and goes beyond simply adding more features. It currently has three focus areas:
- Core platform enhancements that aim to improve resource utilization and other performance metrics
- User experience improvements
- Adding security features
As a CNCF-hosted project, Kubescape is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. Kubescape joins incubating technologies Artifact Hub, Backstage, Buildpacks, cert-manager, Chaos Mesh, CloudEvents, Container Network Interface (CNI), Contour, Cortex, CubeFS, Dragonfly, Emissary-Ingress, Falco, Flatcar, gRPC, in-toto, Keptn, Keycloak, Knative, Kubeflow, KubeVela, KubeVirt, Kyverno, Litmus, Longhorn, NATS, Notary, OpenCost, OpenFeature, OpenKruise, OpenMetrics, OpenTelemetry, Operator Framework, Thanos, Volcano, and wasmCloud. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.