Kubescape Adds Vulnerability Scanning Capabilities

Kubescape, an end-to-end, open source security platform built on Kubernetes technology, has added new functionality to help scan for vulnerabilities. The platform, created by Israeli software developers from Armo, has become one of the most popular security compliance tools, and the new additions mean vulnerabilities can now be identified much earlier in the development process.

Before we look at Kubescape and its new functionality in more detail, let’s recap what Kubernetes does and why it is such a popular platform. 

A Brief Introduction to Kubernetes

Kubernetes, also known as K8s, is an open source orchestration tool that uses a container system. The tool was developed by Google and helps to group and manage clusters of containerized applications.

Following the introduction of virtual machines (VMs), a virtualized technology that recreates the functionality of multiple physical servers without being resource-heavy, developers could create isolated applications with much more flexibility and added security. However, VMs still encountered issues regarding large memory usage. 

Containers, although similar to VMs, can also be easily isolated but maintain optimal performance without using as much memory. Using containers, developers can create complex application clusters. But to manage these clusters effectively, platforms such as Kubernetes are required.

Kubernetes can also deploy machine learning application clusters and integrate other growing markets. The compound annual growth rate of the machine learning industry is forecasted to be 38.8% between 2022 and 2029.

To recap, Kubernetes makes it easier to manage very complex applications while still maintaining efficient usage of resources. Kubernetes guarantees performance and removes the chance of downtime by automatically launching a new container when the current container fails a performance test (known as a health check).

Vulnerability Scanning With Kubescape

Kubescape has added code repository scanning and container image registry scanning to provide a much deeper level of security to the Kubernetes platform. As well as the introduction of the two new security functions, Armo has also promised improved integration with third-party DevOps teams. 

Some of the third-party Kubernetes tools that will be integrated with Kubescape include:

  • Civo
  • GitHub Actions
  • GitLab
  • Lens
  • Plural
  • Prometheus
  • Visual Studio

Code Repository Scanning Functionality

Thanks to the new code repository scanning functionality, YAML files and Helm charts can now be scanned early in the systems development life cycle (SDLC). Developers will be able to inspect the results of their applications on Kubescape’s cloud user interface before Kubernetes clusters have been set up. 

In addition, users can also check valuable metrics such as history, drifts and trends, as well as be able to set exclusions. Assisted remediation also allows users to identify where controls have failed and provide information on how to fix the issues. 

Container Image Registry Scanning

With container image registry scanning, users can scan container images directly from the registry before they are sent to be run within a cluster. This includes scanning Elastic Container Registry, Google Container Registry, Quay and more. 

What Does This Mean for Developers?

Thanks to the two new scanning functions, developers will be able to identify vulnerabilities much earlier during the development process or within any third-party registries. Thus, vulnerabilities can be resolved before the application reaches production. 

Kubescape also scans to detect any new vulnerabilities in the continuous integration (CI) and continuous delivery (CD) pipeline that may have emerged after the container image was created or a new container cluster was launched. 

The latest improvements will ensure vulnerability detection will be available through almost all stages of the development process, thanks to Kubescape. 

Future Kubescape Developments

The developers of Kubescape have recently confirmed that the platform will soon support the OpenAPI framework, delivered through the professional toolset Swagger. This will allow users to leverage a range of services that are available via open APIs. 

Kubescape’s in-cluster Helm component will also become open-source, and plans have been announced to open-source the entire back end of the platform’s code base and services. This will enable users to create their own Kubernetes-based cloud solutions and UI, effectively turning the platform into a DevOps-native tool. 

Finally, Kubescape intends to launch a range of collaboration features that will be integrated using a mixture of internal communication methods and external ticket systems. As a result, if users discover a new security issue in their development environment, requests can be made via Jira tickets or Slack channels (for example) to inform the appropriate parties who can provide support and resolve the issue.

What Are the Key Benefits of Kubescape?

As an open-source platform used for testing the security and compliance of Kubernetes clusters, Kubescape offers a range of features that can ensure any vulnerabilities are detected during the development of applications. Features include risk analysis, security compliance, role-based access control (RBAC) visualization and image vulnerability scanning. 

Kubescape quickly established itself as one of the most popular Kubernetes security compliance tools for developers due to its simple command-line interface, flexible output formats, and automated scanning functionality. This helps to save its users valuable time and resources during the development process.

In addition to its functionality and ease of use, Kubescape natively integrates third-party DevOps tools like Slack, GitLab, GitHub Workflows, Jenkins, CircleCI and Prometheus. Support is also provided for multi-cloud K8s deployments like AKS, EKS and GKE.

What Can Kubescape Scan?

Kubescape can check for vulnerabilities across a range of Kubernetes components. Potential vulnerabilities can come in many shapes and forms, from software vulnerabilities to misconfigurations according to popular frameworks (such as NSA-CISA and  MITRE ATT&CK) and RBAC violations early in the CI/CD pipeline. 

The platform calculates a risk score for each application and displays risk trends over a chosen period, providing developers with valuable insights in a user-friendly way.

Components that can be scanned include, but are not limited to:

  • K8s clusters
  • Code repositories
  • Kubernetes manifest files (HELM charts and YAML files)
  • Container registries
  • Container images

Wrapping Up

As an already well-established Kubernetes security compliance tool, Kubescape has improved its product offering further, with additional improvements announced for the future. The new code repository and container image registry scanning will allow developers to detect vulnerabilities much earlier in the development life cycle, as well as identify issues in third-party repositories. This means any vulnerabilities can be ironed out before applications reach the production stage. 

Nahla Davies

Nahla Davies is a technical copywriter and former software specialist and lead programmer at several major technology companies whose clients include Collibra, UpGuard and Netflix. Since 2015 Davies has worked with enterprise clients around the world developing RegTech protocols and best practices. She worked both enterprise side and with sovereign governments acting as a key contributor for notable public projects like DCOM. Since 2020 Davies has taken a less active role in compliance consulting and started sharing my insights as a technical copywriter. Visit https://nahlawrites.com to learn more.

Nahla Davies has 14 posts and counting. See all posts by Nahla Davies