← Package directory
Available on winget

Install kubescape

An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters

Install with winget
winget install --id kubescape.kubescape
Upgrade
winget upgrade --id kubescape.kubescape
Uninstall
winget uninstall --id kubescape.kubescape

About kubescape

Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources. Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE A...

What's new in 4.0.10

Changelog - 960d6ce chore(crd): remove orphan, uninstallable SecurityException CRD and its test (#2403) - 778ec11 feat(operator): add operator remediate CLI subcommand (annotate + dry-run) (#2448) - 7542e40 fix(httphandler): surface async scan failures via Results endpoint (#2339) - bef62c9 Add CEL env builder for the VAP engine (#2416) - d31fc8b Add CEL evaluator (#2443) - 695c8d1 Add encryption transformer integration tests (#2351) - 932cd5b Add offline request stub for the CEL engine (#2439) - 820fa31 Docs: add circleci integration guide (#2385) - 34f531a Emit security-severity on SARIF rules (#2398) - 1917984 Fail closed on repo metadata transformation errors (#2353) - ffc7f92 Fix nil pointer panic on image scan when ScanData is nil (#2431) - 6a44d6c Fix panic parsing image names without an organization (#2397) - 80fa300 Fix relative path and Name typo (#2343) - add18bf Integrate report encryption metadata and DEK wrapping into anonymization workflow (#2380) - ccadbba Set HTTP timeouts on the scan listener server (#2396) - f8ae044 [ LFX 2026 ] Fixes bugs found before implementation of LFX 1982 (#2366) - f2e42ca [feat] : add scan coverage score to measure and report scan co… (#2410) - 554dd66 [fix] : Fall back to bundled defaults and surface degradation when control-inputs fetch fails (#2395) - cd5dba9 anonymizer: hide service account names in pod specs (#2333) - 865b036 backend: imagescan: add missing unit tests for getMatchers and newScanServiceIntegration (#2427) - e4a8f7d backend: ksinit: add success case for CreateKsObjectConnection (#2429) - f69c88b chore: moderniz...

Read release notes

Version history

Version Updated Notes
4.0.10 Unknown Changelog - 960d6ce chore(crd): remove orphan, uninstallable SecurityException CRD and its test (#2403) - 778ec11 feat(operator): add operator remediate CLI subcommand (annotate + dry-run) (#2448) - 7542e40 fix(httphandl...
4.0.9 Unknown Changelog - ff48571 fix(resourcehandler): surface partial GVR collection failures instead of silently suppressing them - 7da1924 Accept advertised base URI format in vulnerability manifest parser - b503153 Add BoolPtrFla...
4.0.8 Unknown Changelog - 610154a Coderabbit findings - a70db61 Fix: back-propagate connector URLs to configObj in initializeCloudAPI - 70f095f Initial plan - fb367e8 Merge pull request #2021 from manmathbh/feat/vap-timeout - 48c40f2...
4.0.7 Unknown Changelog - e2a8b62 Merge pull request #1960 from kubescape/service-disco - 4895194 Merge pull request #2018 from sahitya-chandra/fix/portforwarder-trimleft-host - 3e29e64 Merge pull request #2019 from manmathbh/master -...
4.0.6 Unknown Changelog - dd1fba5 fix(opaprocessor): apply namespace filter in failedIDs pre-seed and surface rule eval errors - 4fa1084 Adding Cloud unavailable message - a14a698 CodeRabbit Suggestions - 7b65d41 Fix namespace filter...
4.0.5 Unknown Changelog - 1d5520f build(deps): update Go version and bump dependencies Released by GoReleaser.
4.0.3 Unknown Changelog - 5ffa06f Merge pull request #1945 from kubescape/dependabot/go_modules/github.com/go-git/go-git/v5-5.16.5 - 2edf348 Merge pull request #1948 from kubescape/dependabot/go_modules/go.opentelemetry.io/otel/sdk-1....
4.0.2 Unknown Changelog - 93ac65f Merge pull request #1944 from lpmi-13/pass-tag-for-runtime-version - bb2ef7d Pass tag for the runtime version - 9aba8e4 build(deps): Bump github.com/go-git/go-git/v5 from 5.16.2 to 5.16.5 Released by...
4.0.1 Unknown Changelog - 9b29321 Enhance version testing in smoke tests to extract and validate output version - b167435 Merge pull request #1941 from kubescape/semver - 466a11f fix isRuleKubescapeVersionCompatible bug with version 4...
4.0.0 Unknown Changelog - 01bb19b Add krew plugin manifest - 2759bee Fix broken README anchors - e0eeb69 Make version smoke test accept bytes and v-prefix - 222c1ec Merge pull request #1931 from Mujib-Ahasan/readmd-update - 3b4585a Me...
3.0.46 Unknown What's Changed - Bump golang.org/x/crypto from 0.41.0 to 0.45.0 in /httphandler by @dependabot[bot] in #1892 - update from Debian 12 to 13 when building container images by @pfarikrispy in #1895 - Revamp documentation by...
3.0.45 Unknown What's Changed - Bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 by @dependabot[bot] in #1890 Full Changelog: v3.0.44...v3.0.45
3.0.44 Unknown What's Changed - Bump github.com/containerd/containerd/v2 from 2.0.5 to 2.0.7 by @dependabot[bot] in #1888 - Bump github.com/containerd/containerd from 1.7.28 to 1.7.29 by @dependabot[bot] in #1889 Full Changelog: v3.0.4...
3.0.43 Unknown What's Changed - Bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 by @dependabot[bot] in #1881 - fixed "404" URL issue for command $kubescape scan. by @Mujib-Ahasan in #1884 - host-scanner daemonset installation...
3.0.42 Unknown What's Changed - fix: post release action does not take tag from GITHUB_REF env var by @amirmalka in #1879 - fix: improve error handling in hostscanner pod validation by @matthyx in #1880 Full Changelog: v3.0.41...v3.0.4...
3.0.41 Unknown What's Changed - fix post-release workflow by @amirmalka in #1873 - Fixed issue #1800 : Added parameterNotFoundAction in spec.paramRef while creating policy binding by @cx-anjali-deore in #1876 - fix: Don't run scan in i...
3.0.40 Unknown What's Changed - Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 by @dependabot[bot] in #1868 - Issue 1817 fix: Show container name in Assisted remediation by @cx-anjali-deore in #1867 - fix(imagescan): use all target...
3.0.39 Unknown What's Changed - Issue 1284 fix: new approach implemented by @yehudahtor in #1863 - Bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 in /httphandler by @dependabot[bot] in #1864 Full Changelog: v3.0.38...v3.0.39
3.0.38 Unknown What's Changed - return error on image when severity threshold exceeded by @matthyx in #1860 - bump helm.sh/helm/v3 to 3.18.5 by @matthyx in #1862 Full Changelog: v3.0.37...v3.0.38
3.0.37 Unknown What's Changed - Fix/update links by @yehudahtor in #1846 - added urls hub.armo --> kubescape.io by @yehudahtor in #1849 - Bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.0 by @dependabot[bot] in #1833 - Bump git...