# Kubescape CLI Reference

This document (`docs/cli-reference.md`) provides a complete reference for all Kubescape CLI commands and options.
## Global Options

These options are available for all commands:

| Option | Description |
|---|---|
| `--cache-dir <path>` | Cache directory (default: `~/.kubescape`) |
| `--kube-context <context>` | Kubernetes context to use (default: current-context) |
| `-l, --logger <level>` | Log level: `debug`, `info`, `warning`, `error`, `fatal` |
| `--server <url>` | Backend discovery server URL |
| `-h, --help` | Help for any command |
## kubescape scan

Scan Kubernetes clusters, files, or images for security issues.

```bash
kubescape scan [target] [flags]
```

### Flags

| Flag | Description | Default |
|---|---|---|
| `--account <id>` | Kubescape SaaS account ID | from cache |
| `--access-key <key>` | Kubescape SaaS access key | from cache |
| `--compliance-threshold <float>` | Fail if compliance score is below threshold | `0` |
| `--controls-config <path>` | Path to controls configuration file | - |
| `-e, --exclude-namespaces <ns>` | Namespaces to exclude (comma-separated) | - |
| `--exceptions <path>` | Path to exceptions file | - |
| `-f, --format <format>` | Output format: `pretty-printer`, `json`, `junit`, `sarif`, `html`, `pdf`, `prometheus` | `pretty-printer` |
| `--include-namespaces <ns>` | Namespaces to include (comma-separated) | - |
| `--keep-local` | Don't report results to backend | `false` |
| `--kubeconfig <path>` | Path to kubeconfig file | - |
| `-o, --output <path>` | Output file path | stdout |
| `--scan-images` | Also scan container images for vulnerabilities | `false` |
| `--severity-threshold <sev>` | Fail if findings at or above severity: `low`, `medium`, `high`, `critical` | - |
| `--submit` | Submit results to Kubescape SaaS | `false` |
| `--use-artifacts-from <path>` | Load artifacts from local directory (offline mode) | - |
| `--use-from <path>` | Load specific policy from path | - |
| `-v, --verbose` | Display all resources, not just failed ones | `false` |
| `--view <type>` | View type: `security`, `control`, `resource` | `security` |

### Examples

```bash
# Scan current cluster
kubescape scan

# Scan with specific framework
kubescape scan framework nsa
kubescape scan framework mitre
kubescape scan framework cis-v1.23-t1.0.1

# Scan specific control
kubescape scan control C-0005 -v

# Scan local files
kubescape scan /path/to/manifests/

# Scan Git repository
kubescape scan https://github.com/org/repo

# Output to JSON file
kubescape scan --format json --output results.json

# Set compliance threshold (exit 1 if below)
kubescape scan --compliance-threshold 80

# Exclude namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
```
### kubescape scan framework

Scan against a specific security framework.

```bash
kubescape scan framework <framework-name> [target] [flags]
```

| Framework | Description |
|---|---|
| `nsa` | NSA-CISA Kubernetes Hardening Guidance |
| `mitre` | MITRE ATT&CK® for Kubernetes |
| `cis-v1.23-t1.0.1` | CIS Kubernetes Benchmark |
| `soc2` | SOC 2 compliance |
| `pci-dss` | PCI DSS compliance |
| `hipaa` | HIPAA compliance |

```bash
kubescape scan framework nsa
kubescape scan framework mitre --include-namespaces production
kubescape scan framework cis-v1.23-t1.0.1 /path/to/manifests
```
### kubescape scan control

Scan for a specific control.

```bash
kubescape scan control <control-id> [target] [flags]
```

```bash
# Scan for privileged containers
kubescape scan control C-0057 -v

# Scan specific files for a control
kubescape scan control C-0013 /path/to/deployment.yaml
```
### kubescape scan workload

Scan a specific workload.

```bash
kubescape scan workload <kind>/<name> [flags]
```

| Flag | Description |
|---|---|
| `--namespace <ns>` | Namespace of the workload |

```bash
kubescape scan workload Deployment/nginx --namespace default
kubescape scan workload DaemonSet/fluentd --namespace logging
```
### kubescape scan image

Scan a container image for vulnerabilities.

```bash
kubescape scan image <image>:<tag> [flags]
```

| Flag | Description |
|---|---|
| `--exceptions <path>` | Path to exceptions file |
| `-p, --password <pass>` | Registry password |
| `-u, --username <user>` | Registry username |
| `--use-default-matchers` | Use default vulnerability matchers |

```bash
# Scan public image
kubescape scan image nginx:1.21

# Scan with verbose output
kubescape scan image nginx:1.21 -v

# Scan private registry image
kubescape scan image myregistry.io/myimage:tag -u myuser -p mypass
```
## kubescape fix

Auto-fix misconfigurations in Kubernetes manifest files.

```bash
kubescape fix <report-file> [flags]
```

| Flag | Description | Default |
|---|---|---|
| `--dry-run` | Preview changes without applying | `false` |
| `--no-confirm` | Apply without confirmation | `false` |
| `--skip-user-values` | Skip changes requiring user values | `true` |

```bash
# Generate scan results
kubescape scan /path/to/manifests --format json --output results.json

# Apply fixes
kubescape fix results.json

# Preview fixes
kubescape fix results.json --dry-run

# Apply without prompts
kubescape fix results.json --no-confirm
```
## kubescape patch

Patch container images to fix OS-level vulnerabilities.

```bash
kubescape patch [flags]
```

| Flag | Description | Default |
|---|---|---|
| `-i, --image <image>` | Image to patch (required) | - |
| `-t, --tag <tag>` | Output image tag | `<image>-patched` |
| `-a, --addr <addr>` | BuildKit daemon address | `unix:///run/buildkit/buildkitd.sock` |
| `--timeout <duration>` | Patching timeout | `5m` |
| `--ignore-errors` | Continue on errors | `false` |
| `-u, --username <user>` | Registry username | - |
| `-p, --password <pass>` | Registry password | - |
| `-f, --format <format>` | Output format | - |
| `-o, --output <path>` | Output file | stdout |
| `-v, --verbose` | Verbose output | `false` |

```bash
# Start buildkitd first
sudo buildkitd &

# Patch an image
sudo kubescape patch --image nginx:1.22

# Custom output tag
sudo kubescape patch --image nginx:1.22 --tag nginx:1.22-fixed

# Verbose output
sudo kubescape patch --image nginx:1.22 -v
```
## kubescape list

List available frameworks and controls.

```bash
kubescape list <type> [flags]
```

| Type | Description |
|---|---|
| `frameworks` | List available security frameworks |
| `controls` | List available security controls |

| Flag | Description | Default |
|---|---|---|
| `--account <id>` | Account ID for custom frameworks | - |
| `--access-key <key>` | Access key | - |
| `--format <format>` | Output format: `pretty-print`, `json` | `pretty-print` |

```bash
kubescape list frameworks
kubescape list controls
kubescape list controls --format json
```
## kubescape download

Download artifacts for offline/air-gapped use.

```bash
kubescape download <type> [name] [flags]
```

| Type | Description |
|---|---|
| `artifacts` | Download all artifacts (frameworks, controls, config) |
| `framework` | Download a specific framework |
| `control` | Download a specific control |

| Flag | Description | Default |
|---|---|---|
| `-o, --output <path>` | Output path | `~/.kubescape` |
| `--account <id>` | Account ID | - |
| `--access-key <key>` | Access key | - |

```bash
# Download all artifacts
kubescape download artifacts --output /path/to/offline

# Download specific framework
kubescape download framework nsa --output /path/to/nsa.json

# Use downloaded artifacts
kubescape scan --use-artifacts-from /path/to/offline
```
## kubescape config

Manage Kubescape configuration.

| Subcommand | Description |
|---|---|
| `view` | View current configuration |
| `set` | Set configuration value |
| `delete` | Delete cached configuration |

```bash
# View configuration
kubescape config view

# Set account ID
kubescape config set accountID <account-id>

# Set cloud report URL
kubescape config set cloudReportURL https://api.example.com

# Delete configuration
kubescape config delete
```
## kubescape operator

Interact with the in-cluster Kubescape operator.

```bash
kubescape operator scan <type> [flags]
```

| Type | Description |
|---|---|
| `configurations` | Trigger configuration scan |
| `vulnerabilities` | Trigger vulnerability scan |

```bash
kubescape operator scan configurations
kubescape operator scan vulnerabilities
```
## kubescape vap

Manage Kubernetes Validating Admission Policies.

### kubescape vap deploy-library

Deploy the Kubescape CEL admission policy library.

```bash
kubescape vap deploy-library | kubectl apply -f -
```

### kubescape vap create-policy-binding

Create a ValidatingAdmissionPolicyBinding.

```bash
kubescape vap create-policy-binding [flags]
```

Flags:

| Flag | Description | Required |
|---|---|---|
| `-n, --name <name>` | Binding name | Yes |
| `-p, --policy <id>` | Policy/control ID | Yes |
| `--namespace <ns>` | Namespace selector (repeatable) | No |
| `--label <k=v>` | Label selector (repeatable) | No |
| `-a, --action <action>` | Action: `Deny`, `Audit`, `Warn` | No (default: `Deny`) |
| `-r, --parameter-reference <name>` | Parameter reference | No |

```bash
# Deploy policy library
kubescape vap deploy-library | kubectl apply -f -

# Create binding
kubescape vap create-policy-binding \
  --name deny-privileged \
  --policy c-0057 \
  --namespace production \
  --action Deny | kubectl apply -f -
```
## kubescape mcpserver

Start the MCP (Model Context Protocol) server for AI assistant integration.

```bash
kubescape mcpserver
```

Starts an MCP server that exposes Kubescape data to AI assistants. The server communicates via stdio.

```bash
# Start MCP server
kubescape mcpserver
```

MCP client configuration entry for launching the server:

```json
{
  "mcpServers": {
    "kubescape": {
      "command": "kubescape",
      "args": ["mcpserver"]
    }
  }
}
```
## kubescape version

Display version information.

```bash
kubescape version
```
## kubescape completion

Generate shell completion scripts.

```bash
kubescape completion <shell>
```

Supported shells: `bash`, `zsh`, `fish`, `powershell`.

```bash
# Bash
kubescape completion bash > /etc/bash_completion.d/kubescape

# Zsh
kubescape completion zsh > "${fpath[1]}/_kubescape"

# Fish
kubescape completion fish > ~/.config/fish/completions/kubescape.fish
```
## Environment Variables

Kubescape respects the following environment variables:

| Variable | Description |
|---|---|
| `KS_ACCOUNT` | Default account ID |
| `KS_CACHE_DIR` | Cache directory path |
| `KS_EXCLUDE_NAMESPACES` | Default namespaces to exclude |
| `KS_INCLUDE_NAMESPACES` | Default namespaces to include |
| `KS_FORMAT` | Default output format |
| `KS_LOGGER` | Log level |
| `KS_LOGGER_NAME` | Logger name |
| `KUBECONFIG` | Path to kubeconfig file |
| `HTTPS_PROXY` | HTTPS proxy URL |
| `HTTP_PROXY` | HTTP proxy URL |
| `NO_PROXY` | Hosts to exclude from proxy |
## Exit Codes

| Code | Description |
|---|---|
| `0` | Success |
| `1` | Failure (threshold exceeded, scan failed, etc.) |
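The script below is an added example (not part of the Kubescape project) that ties together the `scan` threshold flags, the `scan` → `fix` workflow and the exit codes above as a CI gate: it fails the job when the compliance score or severity threshold is breached and keeps the JSON report for `kubescape fix`. The `./manifests` target, the `80` / `high` thresholds, the `ci-gate.sh` name and the `KUBESCAPE` override variable are assumptions.

```shell
#!/bin/sh
# Added example, not Kubescape's own code: a CI gate around `kubescape scan`.
# Uses only documented behaviour: --compliance-threshold and
# --severity-threshold make the scan exit 1 when breached, --keep-local stops
# results going to the backend, and --format json/--output keeps a report that
# `kubescape fix` can consume afterwards.

# Assumption: KUBESCAPE may point at a specific binary (defaults to PATH lookup).
KUBESCAPE="${KUBESCAPE:-kubescape}"

# scan_gate TARGET MIN_SCORE SEVERITY REPORT
# Runs the scan; the return value is kubescape's exit code (0 pass, 1 fail).
scan_gate() {
  "$KUBESCAPE" scan "$1" \
    --compliance-threshold "$2" \
    --severity-threshold "$3" \
    --keep-local \
    --format json --output "$4"
}

# gate_verdict EXIT_CODE -> PASS | FAIL | ERROR
# Only 0 and 1 are documented; anything else (e.g. 127 when the binary is
# missing) is an infrastructure error and must never be treated as a pass.
gate_verdict() {
  case "$1" in
    0) echo PASS ;;
    1) echo FAIL ;;
    *) echo ERROR ;;
  esac
}

# run_gate TARGET [REPORT]: scan, print the verdict and, on FAIL, point at the
# report so the auto-fix can be previewed before any manifest is changed.
run_gate() {
  target="$1"; report="${2:-results.json}"
  rc=0
  scan_gate "$target" 80 high "$report" || rc=$?   # assumed thresholds
  verdict=$(gate_verdict "$rc")
  echo "kubescape gate: $verdict (exit code $rc, report $report)"
  if [ "$verdict" = FAIL ]; then
    echo "preview fixes with: kubescape fix $report --dry-run"
  fi
  [ "$verdict" = PASS ]
}

# Usage: sh ci-gate.sh ./manifests results.json   (assumed script name)
if [ "$#" -gt 0 ]; then
  run_gate "$@"
fi
```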