
Kubescape

by CNCF / ARMO

CNCF open-source Kubernetes security posture management tool enabling APAC DevSecOps and platform engineering teams to scan Kubernetes clusters, YAML manifests, Helm charts, and Terraform plans against NSA/CISA hardening guidelines, MITRE ATT&CK for Kubernetes, and CIS Kubernetes Benchmarks — producing risk scores, remediation guidance, and compliance reports for APAC Kubernetes security audits and regulatory submissions.

AIMenta verdict
Recommended
5/5

"Kubescape is the CNCF Kubernetes security posture scanner for APAC — scanning clusters, YAML manifests, and Helm charts against NSA/CISA, MITRE ATT&CK, and CIS benchmarks. Best for APAC platform teams auditing Kubernetes security configuration before production deployment."

What it does

Key features

  • Multi-framework scanning — NSA/CISA, MITRE ATT&CK, CIS Kubernetes Benchmark against APAC clusters and manifests
  • CI/CD integration — scan APAC YAML and Helm charts in pipelines before deployment for shift-left security
  • Risk scoring — APAC Kubernetes cluster risk score (0–100) with framework control breakdown and remediation priority
  • RBAC visualisation — map APAC Kubernetes permission graph and identify privilege escalation paths
  • Compliance reporting — generate APAC security audit reports for NSA/CISA and CIS framework submissions
  • Helm and Terraform support — scan APAC Helm chart outputs and Kubernetes Terraform plans pre-deployment
  • Operator mode — continuous APAC cluster scanning with periodic report generation via Kubescape Operator

When to reach for it

Best for

  • APAC platform engineering teams deploying Kubernetes clusters who want a comprehensive security posture baseline before going production — Kubescape's cluster scan immediately surfaces APAC security misconfigurations relative to established hardening frameworks
  • APAC DevSecOps teams implementing shift-left Kubernetes security — Kubescape CI/CD integration catches APAC manifest security issues at the PR level before they reach production clusters
  • APAC regulated industries (FSI, healthcare, government) that must demonstrate alignment with NSA/CISA Kubernetes hardening or CIS Kubernetes Benchmark to APAC regulators — Kubescape produces framework-specific compliance reports
  • APAC security engineers conducting Kubernetes security audits who need comprehensive RBAC visualisation — Kubescape's permission graph mapping identifies overly permissive APAC Kubernetes RBAC configurations that manual review would miss

Don't get burned

Limitations to know

  • Control false positive rate — Kubescape flags deviations from hardening benchmarks that may be intentional architectural decisions (legitimate privileged containers, required host network access); APAC teams should tune Kubescape exception policies to suppress known-intentional configurations
  • Remediation guidance specificity — Kubescape identifies the failed control and references the framework guidance, but does not always provide configuration examples specific to the APAC deployment; platform teams often need to consult the framework documentation to implement the remediation
  • Dynamic workload coverage — Kubescape scans Kubernetes resource manifests as written, so mutations applied at admission time (by Kyverno or Istio, for example) are not reflected in its pre-admission manifest analysis; the resource that actually runs may differ from the manifest that was scanned
  • Enterprise features gated — some Kubescape features (continuous cluster monitoring, SaaS dashboard, policy-as-code enforcement) are available only in the commercial ARMO Platform; APAC teams wanting continuous posture monitoring beyond periodic CLI scans should evaluate the ARMO Platform commercial tier

Context

About Kubescape

Kubescape is a CNCF open-source Kubernetes security posture management tool developed by ARMO that enables APAC DevSecOps and platform engineering teams to scan running APAC Kubernetes clusters, Kubernetes YAML manifests, Helm chart outputs, and Terraform Kubernetes provider configurations against multiple security frameworks — NSA/CISA Kubernetes Hardening Guidance, MITRE ATT&CK for Kubernetes, CIS Kubernetes Benchmark, and SOC2 controls — producing prioritised risk scores, affected resource lists, and framework-specific remediation guidance.

In cluster scanning mode, an APAC platform engineering team runs `kubescape scan` against a running Kubernetes cluster (using existing kubectl access). Kubescape queries the Kubernetes API for the cluster's resources (pods, roles, service accounts, network policies, pod security admission settings), evaluates each one against the enabled framework controls, and produces a risk score (0–100) with a breakdown of failed controls, resources at risk, and remediation priority. This lets platform teams rapidly assess cluster security posture against established frameworks without auditing individual Kubernetes resources by hand.

In CI/CD scanning mode, APAC DevSecOps teams run `kubescape scan yaml ./k8s/` or `kubescape scan helm ./charts/myapp` in their pipelines (Tekton Tasks, GitHub Actions, Buildkite steps), and Kubescape evaluates the manifests or rendered chart output against the security controls before deployment. This catches common Kubernetes misconfigurations (containers running as root, missing resource limits, host namespace sharing, privileged containers) at the PR or commit level, before they reach APAC clusters, so security policy is enforced as a CI/CD gate rather than discovered in a post-deployment audit.

Kubescape's RBAC visualisation maps the complete Kubernetes RBAC permission graph (ClusterRoles, Roles, ClusterRoleBindings, RoleBindings, ServiceAccounts) and identifies risky permission paths: service accounts with cluster-admin access, wildcard RBAC permissions, and cross-namespace role escalation paths. This lets APAC platform engineering and security teams audit RBAC configurations for overly permissive access that could enable privilege escalation if an application running in the cluster is compromised.

Kubescape's framework library covers the NSA/CISA Kubernetes Hardening Guidance (specifically referenced in the CISA/APAC agencies joint AI security guidance for APAC critical infrastructure), MITRE ATT&CK for Kubernetes (covering the 20 Kubernetes-specific attack techniques from initial access to impact), and the CIS Kubernetes Benchmark (200+ configuration controls for Kubernetes control plane and worker node hardening). This lets APAC regulated industries produce security assessment artifacts that reference the specific frameworks APAC regulators and auditors recognise.
