nctl scan kubernetes

Scan Kubernetes resources

nctl scan kubernetes [flags]

Examples


  # Scan a Kubernetes cluster and analyze the scan results
  nctl scan kubernetes --cluster --analyze

  # Scan a Kubernetes cluster and publish scan results
  nctl scan kubernetes --cluster --publish

  # Scan Kubernetes resources from a local file with a specific policy
  nctl scan kubernetes --resources ./resource.yaml --policies ./policy.yaml

  # Scan resources in a specific namespace using a policy set
  nctl scan kubernetes --namespace default --policy-sets pss-baseline

  # Scan a Kubernetes cluster using cluster policies and exceptions
  nctl scan kubernetes --cluster --cluster-policies --cluster-exceptions

  # Scan Kubernetes resources and output results to console in JSON format
  nctl scan kubernetes --cluster -o json

  # Specify output format and save results to a file with default name (scan-report.json)
  nctl scan kubernetes --cluster -o json --file

  # Specify output format and save results to a file with user defined name
  nctl scan kubernetes --cluster -o json --file=user-defined-name.json

  # Scan with a specific kubeconfig and context
  nctl scan kubernetes --kubeconfig /path/to/kubeconfig --kube-context my-context

  # Output the scan results in JSON format with detailed violations
  nctl scan kubernetes --resources ./resource.yaml --policies ./policy.yaml --details -o json

  # Scan resources while allowing insecure connections (not recommended)
  nctl scan kubernetes --resources ./resource.yaml --insecure

  # Scan and show remediation suggestions for violating resources
  nctl scan kubernetes --resources ./resource.yaml --remediate show

Options

      --analyze                       Analyze cluster using AI
      --audit-as-warn                 Report violations from policies in audit mode as warnings instead of failures
      --cluster                       Scan resources in a cluster using cluster policies and exceptions (default value false)
      --cluster-exceptions            Use exceptions from a cluster (default value false)
      --cluster-name string           Override name of cluster while publishing report to Nirmata Control Hub (NCH)
      --cluster-policies              Use policies from a cluster (default value false)
      --cluster-resources             Use resources from a cluster (default value false)
      --continue-on-fail              If set to true, will continue to apply policies on the next resource upon failure to apply to the current resource instead of exiting out
      --details                       Show result details for violating resources (default true)
  -e, --exceptions strings            Policy exceptions to be considered when evaluating policies against resources
      --file string[="scan-report"]   Output file (if --file is used without a value, defaults to 'scan-report')
  -h, --help                          help for kubernetes
      --insecure                      allow connection to an address with a self-signed or non-verifiable certificate (not recommended)
      --kube-context string           the kube context from configured kubeconfig. Default is the current or sole context
      --kubeconfig string             kubeconfig path (defaults to $HOME/.kube/kubeconfig)
  -l, --label strings                 Label the cluster and Label selector in the format key=value for policy sets in Nirmata Control Hub (NCH)
  -n, --namespace strings             Namespace of the resources to scan
      --no-color                      disable the colors for the stdout reports
  -o, --output string                 Output format (text, json, yaml, scan-report) (default "text")
  -p, --policies strings              Path to policy files (local path, github URL, helm URL)
      --policy-sets strings           Comma-separated policy set names (pss-baseline, pss-restricted, rbac-best-practices)
      --policy-view                   Use with --details to reverse the view from resource->policy to policy->resource
      --publish                       Publish reports
      --publish-token string          scan reports publish token
      --remediate string              Remediate resources ('show', 'patch')
      --report-sourceid string        Add source id for report created for local scan (is required for local scans; is the cluster id for cluster scan)
  -r, --resources strings             Path to resource files (local path, github URL)
      --token string                  Nirmata API Login Key (env NIRMATA_TOKEN)
      --url string                    Nirmata server base URL (env NIRMATA_URL)
      --values-file string            File containing values for policy variables

Options inherited from parent commands

  -v, --v Level   log level for V logs
