Kubescape
v4.0.6Securityv4.0.6 tackles a wave of false negatives, silent errors, and correctness bugs in scanning — namespace filters, exception matching, and OPA eval failures all get fixes that change scan results.
breakingExpect scan result changes after upgrading — false negatives are now real failures
Two distinct bugs caused resources to silently disappear from scan results: OPA eval errors were swallowed, and partial GVR collection failures were suppressed. Both are fixed. If your baseline compliance scores looked suspiciously clean, re-run scans after upgrading and treat new failures as real findings that were always there, not regressions introduced by the upgrade.
securityAudit vulnerability exception lists for case inconsistencies
Exception matching for image scan CVE IDs was case-sensitive before this fix, meaning 'ghsa-xxxx' and 'GHSA-xxxx' were treated as different identifiers. Any exceptions defined with lowercase CVE/GHSA IDs were silently not applied. After upgrading, check that your exception lists use consistent casing and re-verify which vulnerabilities are actually being excepted.
securityRaw request bodies are no longer logged — review your log retention
Kubescape's HTTP handler was logging full scan request bodies, which could include sensitive resource manifests or configuration data. That logging is now removed. If you've been collecting these logs, review and rotate any stored log data that may contain manifest content.
Key changes (5)
- OPA eval errors no longer silently drop resources — failures now surface instead of producing false negatives
- Namespace filter now correctly preserves cluster-scoped resource results when --include-namespaces is set
- CVE exception matching is now case-insensitive, fixing missed exceptions on lowercase CVE IDs
- Helm value overrides can now be passed through kubescape scan, and Kustomize directories with Helm dependencies render correctly
- Raw scan request bodies are no longer logged, and concurrent exception file writes get unique temp files per request