

Unified Kubernetes security from development to runtime
Kubescape secures Kubernetes clusters, YAML, and Helm charts against NSA‑CISA, MITRE ATT&CK, and CIS benchmarks, with CLI, operator, and CI/CD integrations.

Kubescape is a comprehensive security platform for Kubernetes environments, targeting administrators, DevOps engineers, and security teams. It provides hardening, posture management, and runtime protection across the entire lifecycle, from code and configuration to live workloads.
The tool scans clusters, YAML manifests, and Helm charts using multiple compliance frameworks. It leverages Open Policy Agent for policy enforcement, Grype for image vulnerability detection, and Inspektor Gadget for eBPF‑based runtime analysis. Users can run quick scans via the CLI, deploy continuous monitoring with the in‑cluster operator (installed through a Helm chart), or embed security checks into CI/CD pipelines using the official GitHub Action. Results are exportable in JSON, JUnit XML, SARIF, HTML, or PDF, and can be sent to a cloud service for centralized reporting.
Pre‑deployment compliance scan
Detects misconfigurations in Helm charts and YAML before they reach production, ensuring alignment with NSA‑CISA and CIS benchmarks.
Continuous in‑cluster monitoring
Operator continuously scans running workloads, flags drift, and generates network policies to enforce least‑privilege connectivity.
CI/CD pipeline security gate
GitHub Action aborts merges when new images contain known vulnerabilities or policy violations, automating risk mitigation.
Incident response runtime analysis
eBPF‑based inspection reveals suspicious process activity, aiding rapid investigation of potential attacks.
No, Kubescape is fully free under the Apache‑2.0 license; optional cloud services are separate.
Kubescape supports all actively maintained Kubernetes versions; the CLI works with any cluster reachable via kubectl.
Yes, you can add custom Rego policies to the OPA engine or contribute to the upstream control set.
It uses the Grype vulnerability scanner to analyze image layers for CVEs and known exploits.
Kubescape supports risk exceptions, allowing you to whitelist specific findings per cluster or workload.