Run security scans on Kubernetes manifests using Kubescape.
This command scans manifests in the specified path against security frameworks
such as NSA-CISA, MITRE ATT&CK, and CIS Benchmarks.
If no path is provided, the path is resolved in order:
1. spec.workload.sourceDirectory from ksail.yaml (if a config file is found and the field is set)
2. The default source directory ("k8s") when spec.workload.sourceDirectory is unset
3. The current directory (fallback when no ksail.yaml config file is found)
Available frameworks: nsa, mitre, cis, pss (and any other framework supported by Kubescape)
Available output formats: pretty-printer, json, sarif, junit (and any other format supported by Kubescape)
For more information, see https://github.com/kubescape/kubescape
ksail workload scan [PATH] [flags]
      --compliance-threshold float32   Fail if compliance score is below this threshold (0-100)
      --format string                  Output format (pretty-printer, json, sarif, junit) (default "pretty-printer")
      --framework strings              Security frameworks to scan against (e.g. nsa, mitre, cis, pss) (default [nsa])
  -o, --output string                  Output file path (stdout if empty)
      --verbose                        Show all resources in output, not just failed ones
      --benchmark                      Show per-activity benchmark output
      --config string                  Path to config file (default: ksail.yaml found via directory traversal)
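
A CI gate built from the flags listed above, as an added example that is not part of the KSail documentation: it runs one scan per framework so each gets its own SARIF report, and reports failure only after every framework has been scanned. It assumes ksail exits non-zero when the score is below --compliance-threshold; the scan_gate function and the report file layout are hypothetical.

```shell
#!/bin/sh
# Added example, not KSail's own code.
# Assumption: "ksail workload scan" exits non-zero when the compliance score
# is below --compliance-threshold (the help text only says "Fail").

# scan_gate THRESHOLD REPORT_DIR "FRAMEWORKS" [PATH]
#   returns 0 = every framework met the threshold
#           1 = at least one scan failed or was below the threshold
#           2 = bad arguments, nothing was scanned
scan_gate() {
    threshold=$1
    report_dir=$2
    frameworks=$3         # space-separated, e.g. "nsa cis"
    manifest_path=${4:-}  # empty: ksail resolves the path as documented above

    # Reject anything that is not a number in the documented 0-100 range.
    case $threshold in
        ''|.|*[!0-9.]*|*.*.*) echo "threshold must be 0-100" >&2; return 2 ;;
    esac
    awk -v t="$threshold" 'BEGIN { exit !(t >= 0 && t <= 100) }' || {
        echo "threshold must be 0-100" >&2
        return 2
    }

    mkdir -p "$report_dir" || return 2

    failed=""
    for fw in $frameworks; do
        report="$report_dir/$fw.sarif"
        # ${manifest_path:+...} passes PATH only when the caller supplied one.
        if ! ksail workload scan ${manifest_path:+"$manifest_path"} \
            --framework "$fw" --format sarif --output "$report" \
            --compliance-threshold "$threshold"; then
            failed="$failed $fw"   # keep going so every report is written
        fi
    done

    if [ -n "$failed" ]; then
        echo "scan failed or below threshold for:$failed" >&2
        return 1
    fi
    return 0
}

# Typical call from a pipeline step:
#   scan_gate 80 scan-reports "nsa cis"
```

Scanning per framework keeps one weak framework score from hiding the others' reports, and the SARIF files can be uploaded as pipeline artifacts whether or not the gate passes.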