core/README.md
The core package provides the main Kubescape scanning engine as a Go library, allowing you to integrate Kubescape security scanning directly into your applications.
go get github.com/kubescape/kubescape/v3/core
package main
import (
"context"
"fmt"
"log"
"github.com/kubescape/kubescape/v3/core"
"github.com/kubescape/kubescape/v3/core/cautils"
)
func main() {
ctx := context.Background()
// Initialize Kubescape
ks := core.NewKubescape(ctx)
// Configure scan
scanInfo := &cautils.ScanInfo{
// Scan the current cluster
ScanAll: true,
}
// Run scan
results, err := ks.Scan(scanInfo)
if err != nil {
log.Fatalf("Scan failed: %v", err)
}
// Convert results to JSON
jsonRes, err := results.ToJson()
if err != nil {
log.Fatalf("Failed to convert results: %v", err)
}
fmt.Println(string(jsonRes))
}
// Create with context
ks := core.NewKubescape(ctx)
// Scan with configuration
results, err := ks.Scan(scanInfo)
// List available policies
err := ks.List(listPolicies)
// Download for offline use
err := ks.Download(downloadInfo)
// Scan container image
exceedsSeverity, err := ks.ScanImage(imgScanInfo, scanInfo)
// Apply fixes to manifests
err := ks.Fix(fixInfo)
scanInfo := &cautils.ScanInfo{}
scanInfo.SetPolicyIdentifiers([]string{"nsa"}, "framework")
results, err := ks.Scan(scanInfo)
scanInfo := &cautils.ScanInfo{
IncludeNamespaces: "production,staging",
}
results, err := ks.Scan(scanInfo)
scanInfo := &cautils.ScanInfo{
InputPatterns: []string{"/path/to/manifests"},
}
scanInfo.SetScanType(cautils.ScanTypeRepo)
results, err := ks.Scan(scanInfo)
results, _ := ks.Scan(scanInfo)
// JSON
jsonData, _ := results.ToJson()
// Get summary
summary := results.GetData().Report.SummaryDetails
fmt.Printf("Compliance Score: %.2f%%\n", summary.ComplianceScore)
scanInfo := &cautils.ScanInfo{
ComplianceThreshold: 80.0, // Fail if below 80%
}
results, err := ks.Scan(scanInfo)
if err != nil {
// Handle scan failure
}
// Check if threshold was exceeded
if results.GetData().Report.SummaryDetails.ComplianceScore < scanInfo.ComplianceThreshold {
log.Fatal("Compliance score below threshold")
}
| Field | Type | Description |
|---|---|---|
AccountID | string | Kubescape SaaS account ID |
AccessKey | string | Kubescape SaaS access key |
InputPatterns | []string | Paths to scan (files, directories, URLs) |
ExcludedNamespaces | string | Comma-separated namespaces to exclude |
IncludeNamespaces | string | Comma-separated namespaces to include |
Format | string | Output format (json, junit, sarif, etc.) |
Output | string | Output file path |
VerboseMode | bool | Show all resources in output |
FailThreshold | float32 | Fail threshold percentage |
ComplianceThreshold | float32 | Compliance threshold percentage |
UseExceptions | string | Path to exceptions file |
UseArtifactsFrom | string | Path to offline artifacts |
Submit | bool | Submit results to SaaS |
Local | bool | Keep results local (don't submit) |
results, err := ks.Scan(scanInfo)
if err != nil {
switch {
case errors.Is(err, context.DeadlineExceeded):
log.Fatal("Scan timed out")
case errors.Is(err, context.Canceled):
log.Fatal("Scan was canceled")
default:
log.Fatalf("Scan error: %v", err)
}
}
The Kubescape instance is safe for concurrent use. You can run multiple scans in parallel:
var wg sync.WaitGroup
for _, ns := range namespaces {
wg.Add(1)
go func(namespace string) {
defer wg.Done()
scanInfo := &cautils.ScanInfo{
IncludeNamespaces: namespace,
}
results, _ := ks.Scan(scanInfo)
// Process results...
}(ns)
}
wg.Wait()