nctl scan kubernetes

Scan Command

With nctl, scan any Kubernetes cluster without deploying anything on the cluster. Just point it at the kubeconfig file and it will scan the cluster and generate a full-fledged scan report.

nctl scan kubernetes [flags]

By default, nctl scans the cluster referenced by the kubeconfig file located at ~/.kube/config. If the kubeconfig is in a different location, use the --kubeconfig argument to point to that location. The cluster is scanned for these Nirmata curated policysets -

It is also possible to scan a Kubernetes cluster against custom policies using the --policies or --policy-sets flag, which are described below.

Once the scan is complete, nctl prints a summary report of the policy status for the resources in the cluster, grouped by policy category and also by namespace. To view detailed reports, use the --expand flag.

Scan Options

Flag | Shorthand | Description
--cluster | | scan resources across the whole cluster (default: false)
--audit-as-warn | | report violations from policies in audit mode as warnings instead of failures
--help | -h | help for the kubernetes command
--details | | show the details of a scan: which resources are in violation and which policies they violate
--file <string> | | name of the file in which to store the scan result
--namespace <string> | -n | scan only specific namespaces in the cluster; a comma-separated list of namespaces may be given
--output <string> | -o | output format of the scan result. Available options are: json, text, yaml and sarif (default: text)
--policies <strings> | -p | path to policy files (local path, GitHub URL, Helm URL) to scan against custom policies
--policy-sets <string> | | scan against several policy sets in one command; provide a comma-separated list of policy sets (pss-baseline, pss-restricted, rbac-best-practices)
--policy-view | | show which policy was violated in the detailed scan results; use together with the --details flag
--resources <strings> | -r | path to resource files (local path, GitHub URL). Scan specific resource files instead of all resources in a cluster; point this flag at a local path or GitHub URL containing the resource files. Combined with the --policies flag, this can be used in a CI pipeline to check Kubernetes manifests for misconfigurations
--values-file <string> | | path to a file from which values of policy variables are taken
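The --resources / --policies combination above is meant for CI, and --output sarif gives a machine-readable result to gate on. The following added example (not part of nctl or its documentation) builds that command line and evaluates a SARIF result file; the SARIF document embedded in it is a constructed sample in the standard SARIF 2.1.0 layout with invented rule ids, since the exact fields nctl emits are not shown on this page.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 layout. It is NOT real nctl output; the
# rule ids, messages and file names are placeholders for illustration only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "nctl"}},
        "results": [
            {"ruleId": "disallow-privileged-containers", "level": "error",
             "message": {"text": "Privileged mode is disallowed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifests/web.yaml"}}}]},
            {"ruleId": "disallow-privileged-containers", "level": "error",
             "message": {"text": "Privileged mode is disallowed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifests/db.yaml"}}}]},
            {"ruleId": "require-run-as-nonroot", "level": "warning",
             "message": {"text": "Running as root is not allowed (audit mode)"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifests/web.yaml"}}}]},
        ],
    }],
})


def scan_command(resources, policies, out_file):
    """argv for a CI manifest scan: --resources plus --policies, SARIF written to --file."""
    return ["nctl", "scan", "kubernetes", "--resources", resources,
            "--policies", policies, "--output", "sarif", "--file", out_file]


def summarize_sarif(sarif_text):
    """Count results per level and list the files hit per rule, for the CI log."""
    doc = json.loads(sarif_text)
    by_level, by_rule = Counter(), {}
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default when level is absent
            by_level[level] += 1
            files = [loc["physicalLocation"]["artifactLocation"]["uri"]
                     for loc in res.get("locations", [])]
            by_rule.setdefault(res.get("ruleId", "<unknown>"), []).extend(files)
    return by_level, by_rule


def ci_gate(sarif_text, fail_on=("error",)):
    """True when the scan is acceptable: no result at a blocking level (warnings pass)."""
    by_level, _ = summarize_sarif(sarif_text)
    return all(by_level[level] == 0 for level in fail_on)


if __name__ == "__main__":
    levels, rules = summarize_sarif(SAMPLE_SARIF)
    print(scan_command("./manifests", "./policies", "scan.sarif"))
    print(dict(levels), rules, "pass" if ci_gate(SAMPLE_SARIF) else "fail")
```

Pair this with --audit-as-warn so that audit-mode policies land at warning level and do not block the pipeline while enforce-mode policies do.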