CNCF accepts Kubescape as its first security and compliance scanner project
ARMO’s open source security project Kubescape is now part of the Cloud Native Computing Foundation’s (CNCF) sandbox in an attempt to “become that free, open source, end-to-end security platform,” according to Craig Box, VP of open source at ARMO.
It was always part of the plan to donate the open source security scanner to the CNCF, he said, citing the difference between DevOps teams’ ideal use of software and code – in an open, transparent way as part of a community – and the way most security vendors design proprietary solutions.
Box went into the details of the Kubescape project, and what it means to be the first security scanner accepted by the CNCF, in an interview conducted over email.
SDxCentral: How does Kubescape work, and what problems does it aim to solve?
Box: Kubescape is an open source Kubernetes security solution. It scans for misconfigurations inside manifest files like YAML and Helm throughout the CI/CD (continuous integration/continuous delivery) pipeline and inside Kubernetes clusters. It also scans for vulnerabilities (CVEs) in container image registries (e.g. docker.io, Quay.io, ECR, etc.) and images inside clusters.
It helps DevOps/DevSecOps teams understand their Kubernetes security posture and evaluate their security risks, and it suggests fixes and remediation paths to harden the environment.
Kubescape can easily be integrated into different CI/CD tools like Jenkins, CircleCI, GitHub Actions, GitLab, IDEs (e.g. Visual Studio Code), Prometheus, Lens, Docker, and others to provide security insights where and when the user needs them. It can help companies achieve security compliance like SOC2 using different industry frameworks like CIS, NSA, and MITRE.
Kubescape aims to solve two big problems:
- Security vs. agility: Gartner predicts that through 2025, more than 99% of cloud breaches will originate from preventable misconfigurations or mistakes by end users. But a recent survey by Red Hat showed that 55% had to delay or slow down application development into production due to container or Kubernetes security concerns.
- Open source vs. proprietary: Organizations either have to choose costly, black-box, inflexible, proprietary security platforms for Kubernetes, or they try to cobble together multiple open source security tools to give them enough coverage. There is no complete open source security solution. Kubescape is working to become that free, open source, end-to-end security platform.
SDxCentral: What is the significance of Kubescape being the first security scanner to become a CNCF-accepted project?
Box: Security companies have created open source security scanning tools before. These tools, though, are usually made by vendors who don’t have an interest in building a community around these tools, as they would potentially compete with their commercial business.
These vendors are trying to be everything to everyone, and they are not focused 100% on Kubernetes like ARMO is. We have made a bet that cloud native is the future, and while we will integrate with the full security ecosystem, our engineering focus is totally on building a best-of-breed product for Kubernetes users.
The CNCF is the leading forum for managing open source projects in the Kubernetes space: for the community by the community. CNCF has a set of rules, procedures, processes, and teams that can help a project like Kubescape scale and thrive.
It also provides certainty to enterprises, who know they can use and contribute to Kubescape safely because there is a well-known body behind it and it is governed in an open and fair way. Many companies consider CNCF membership either a shorthand demonstrating good governance, or even a “must have” to adopt an open source project.
SDxCentral: What is next for the platform following CNCF acceptance?
Box: ARMO will continue leading development for Kubescape even though the project is technically now ‘owned’ by the CNCF, and there’s a roadmap with new features on the way. We plan to build support and integrate with other CNCF projects. We also want to invest in a broad community of contributors.
As a company, ARMO’s commercial offering — ARMO platform — is powered by Kubescape, and offers full enterprise-grade support, maintenance, and additional features.