docs/gitlab-ci.md
Use GitLab CI to scan the Kubernetes manifests in your repository for misconfigurations with Kubescape. The job writes its findings as a JUnit report, which GitLab picks up as a CI/CD test report and shows on the merge request and pipeline pages.

The job below installs Kubescape by piping the unpinned install script from the master branch straight into bash. That is convenient for a first run, but for a production pipeline pin a released version and verify its checksum so the scanner itself is not an unreviewed supply-chain dependency.
```yaml
stages:
  - scan

scan_with_kubescape:
  stage: scan
  image: alpine:latest
  script:
    - apk add --no-cache bash curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
    - export PATH=$PATH:$HOME/.kubescape/bin
    - kubescape scan . --format junit --output results.xml --exclude-namespaces kube-system,kube-public
  artifacts:
    reports:
      junit: results.xml
    paths:
      - results.xml
    expire_in: 30 days
  only:
    - merge_requests
    - main
```
## Using a Security Gate

To enforce a security gate, add the `--compliance-threshold` option:
```yaml
stages:
  - scan

scan_with_kubescape:
  stage: scan
  image: alpine:latest
  script:
    - apk add --no-cache bash curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
    - export PATH=$PATH:$HOME/.kubescape/bin
    - kubescape scan framework nsa . --format junit --output results.xml --compliance-threshold 80
  artifacts:
    # Upload the report even when the gate fails the job; the default
    # (on_success) would drop it on exactly the runs you need to inspect.
    when: always
    reports:
      junit: results.xml
    paths:
      - results.xml
    expire_in: 30 days
  only:
    - merge_requests
    - main
```
When the compliance score for the `nsa` framework is below 80%, `kubescape` exits with a non-zero status, the job fails and GitLab marks the pipeline as failed. Two practical caveats: the threshold is a compliance percentage for the whole framework, not a count of individual failing controls, so a single critical finding can still pass a high threshold; and GitLab uploads artifacts only for successful jobs unless `artifacts: when: always` is set, so include it or the JUnit report is lost on precisely the runs that fail the gate.
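If the percentage threshold is too coarse for your policy, a second gate can read the JUnit report `kubescape` writes and fail the job on the number of failed controls instead. The script below is an added example and not part of the Kubescape project or of this page's original pipeline; the sample XML it embeds is constructed for the demo from the generic JUnit schema, so the suite and case names are assumed and will differ from what `kubescape` emits. It runs in the same job as the scan, after the `kubescape scan ... --output results.xml` step:

```sh
#!/bin/sh
# Added example, not part of the Kubescape project: a second gate that reads
# the JUnit report written by `kubescape scan ... --format junit --output
# results.xml` and fails the job when the number of failed controls exceeds
# a budget. The layout of the sample XML below is constructed for this demo
# from the generic JUnit schema; kubescape's real suite and case names differ.
set -eu

# junit_failures FILE
# Print the number of failed test cases in a JUnit XML report, i.e. the number
# of <failure ...> elements. Prints 0 (and succeeds) when there are none.
junit_failures() {
  grep -o '<failure[ >/]' "$1" | awk 'END { print NR }'
}

# junit_gate FILE MAX_FAILURES
# Exit status 0 when FILE has at most MAX_FAILURES failed cases, 1 otherwise.
# As the last command of a CI script step, a non-zero status fails the job.
junit_gate() {
  failed=$(junit_failures "$1")
  if [ "$failed" -gt "$2" ]; then
    echo "security gate FAILED: $failed failed control(s), budget $2" >&2
    return 1
  fi
  echo "security gate passed: $failed failed control(s), budget $2"
}

# Constructed sample report with one passing and two failing cases.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="nsa" tests="3" failures="2">
    <testcase classname="Deployment/web" name="Immutable container filesystem"/>
    <testcase classname="Deployment/web" name="Allow privilege escalation">
      <failure message="securityContext.allowPrivilegeEscalation is true"/>
    </testcase>
    <testcase classname="Deployment/web" name="Privileged container">
      <failure message="securityContext.privileged is true"/>
    </testcase>
  </testsuite>
</testsuites>
EOF

# Demo: a budget of 2 passes, a budget of 0 rejects the sample (expected).
junit_gate "$SAMPLE" 2
if ! junit_gate "$SAMPLE" 0; then
  echo "(the gate rejected the sample as intended)"
fi
```

In the pipeline, replace the sample with `results.xml` and call `junit_gate results.xml 0` as the final `script` item; keep `artifacts: when: always` so the report that caused the failure is still uploaded.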
## Scan a Specific Framework
To scan against a specific compliance framework:
```yaml
stages:
  - scan

scan_nsa_framework:
  stage: scan
  image: alpine:latest
  script:
    - apk add --no-cache bash curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
    - export PATH=$PATH:$HOME/.kubescape/bin
    - kubescape scan framework nsa . --format junit --output results.xml
  artifacts:
    reports:
      junit: results.xml
```
Supported frameworks include `nsa`, `mitre` and `cis-v1.23-t1.0.1`. Run `kubescape list frameworks` for the full list.
## Troubleshooting
### kubescape: command not found

This occurs when the install script runs in one shell step and `kubescape` is invoked in another, so the PATH change made by the installer is not visible to the command. The solution is to export the PATH in the same `script` step that runs `kubescape`:

```yaml
script:
  - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
  - export PATH=$PATH:$HOME/.kubescape/bin
  - kubescape scan . --format junit --output results.xml
```
## Further Reading