Kubescape
v4.0.7SecurityKubescape v4.0.7 is a broad bug-fix and usability release: better input validation, safer concurrency in the HTTP handler, a new ControlInput CRD, and service discovery without a sidecar.
enhancementDrop the sidecar for service discovery
Service discovery now queries the Kubernetes API directly. If you've been running a sidecar specifically to support Kubescape's service discovery, you can remove it. Audit your deployments before upgrading to avoid unexpected behavior from redundant sidecars.
enhancementDeploy the ControlInput CRD for in-cluster tuning
The new ControlInput CRD lets you configure control inputs directly in the cluster rather than through external files. This only activates during live cluster scans, so file-scan workflows are unaffected. Apply the CRD after upgrading if you want to centralize scan policy configuration in-cluster.
breakingThreshold flags now fail fast — check your CI pipelines
Severity-threshold, compliance-threshold, and fail-threshold flags are now validated before the scan starts. Scripts or CI jobs that pass invalid threshold values will now exit immediately with an error rather than completing the scan and ignoring the flag. Review your scan invocations to confirm all threshold flags are valid before upgrading.
Key changes (5)
- New ControlInput CRD enables in-cluster control configuration — gated to live cluster scans only, not file-based scans
- Service discovery now pulls services directly from the API, dropping the sidecar requirement entirely
- TLS key configuration for the HTTP handler can now be set via environment variables, with a hard error on partial TLS config
- Severity, compliance, and fail threshold flags are now validated early — before the scan runs — across all relevant subcommands
- YAML parsing switched from byte-split to a line scanner with raised buffer limits; parse errors now surface instead of silently dropping documents