RATATOSKRATATOSK
Sign in

Kubescape

v4.0.10Security
Jun 30, 2026

Kubescape v4.0.10 is a feature and hardening release: it closes an SSRF gap in the scan-completion webhook, tightens config.json permissions and validation, and removes a dead CRD, alongside a large batch of bug fixes and new capabilities like `operator remediate` and encrypted report decryption. No CVE-tracked vulnerabilities are disclosed in this release.

  • securitySSRF hardening on scan-completion webhook

    The scan-completion webhook callback now hardens against SSRF. Applies to users of the webhook callback feature; upgrade if you rely on it to avoid outbound requests being abused via crafted callback URLs.

  • breakingconfig.json permissions restricted to owner-only

    config.json is now written with owner-only permissions instead of broader access. Applies unconditionally; review any tooling or automation that reads this file as a different user, since it may now fail to access it.

  • breakingRemoval of orphan SecurityException CRD

    The orphan SecurityException CRD, which was never installable, has been removed. Applies only if you had references to this CRD in manifests or docs; it has no functional impact since it never worked.

  • enhancementStricter validation on --format and VAP controls

    The --format flag now rejects invalid values before a scan starts, and VAP configurable controls now require params. Applies if you script scans with an unchecked --format value or run VAP controls without required params; these calls will now fail fast instead of proceeding silently.

Key changes (8)

  • SSRF-hardened scan-completion webhook callback closes a request-forgery gap in outbound notifications.
  • config.json permissions tightened to owner-only, changing default file access for existing installs.
  • Orphan, uninstallable SecurityException CRD removed along with its test.
  • Validation tightened in two spots: --format now rejects invalid values pre-scan, and VAP configurable controls require params.
  • New `operator remediate` CLI subcommand (annotate and dry-run modes), CEL env builder/evaluator for the VAP engine, and encrypted report decryption with DEK wrapping.
  • New scan coverage score metric penalizing silent failed GVR pulls, plus per-control evaluation timeouts in the OPA processor (timed-out controls score 0 and discard partial results).
  • Several panic fixes (nil ScanData, image names without an organization, scan execution goroutine) plus HTTP timeouts on the scan listener server.
  • Plus roughly ten smaller fixes: resource deduplication, host-sensor infoMap merging, SARIF line resolution, output overwrite prevention, orphaned RoleBinding handling, and a Go 1.26 codebase update.