Kubescape v4.0.9 is a large maintenance release fixing scan accuracy bugs (partial resource collection, coverage reporting, Prometheus output), hardening data exposure in scan reports, and changing the patch command's default push behavior.
securityReview secret exposure fixes and new anonymization flag
Multiple fixes landed for secret/data leakage in scan output: EnvFrom and Env[].ValueFrom are now cleared in removeContainersData (commits acc3280, 0c68cca), an IDOR in /v1/results was hardened (commit 0fe6a0f), and a new --hide/anonymization pipeline was added to scrub resource names, namespaces, labels, annotations, and container metadata from scan reports. If you share or export Kubescape reports outside your team, review the new --hide flag and confirm your CI artifacts aren't exposing secret references from container env vars.
breakingPatch command no longer pushes images by default
Kubescape's `kubescape fix` command now defaults to not pushing patched images (commit b10cbb1). If your CI pipelines relied on the old default push behavior, add an explicit `--push` flag or equivalent opt-in, or your patch pipeline will silently stop pushing images after upgrading.
enhancementAdopt new coverage-gate and diff commands in CI
New flags let you gate CI pipelines on scan coverage and control results: --fail-coverage-below sets a minimum coverage threshold (commit 4ae7b87), and scan coverage gaps/not-evaluated controls are now reported explicitly (commit 5876d2b). A new `kubescape diff` command compares two scan reports (commit 00682ee). Add --fail-coverage-below to CI gates where partial resource collection could previously pass silently, and use `kubescape diff` to track posture drift between scans.
Key changes (6)
- Partial GVR (resource type) collection failures are now surfaced instead of silently suppressed, and ScanCoverage reflects failed/not-evaluated controls
- New --fail-coverage-below flag and kubescape diff command for CI coverage gating and report comparison
- New --hide flag and anonymization pipeline scrub resource names, namespaces, labels, annotations, and container metadata from output
- fix command now requires explicit opt-in to push images (previously pushed by default)
- Multiple Prometheus output fixes: missing HELP/TYPE headers added, score/metrics writes routed to correct writer, duplicate headers deduplicated
- K8s resource collection parallelized for performance, and a TOCTOU race in TimedCache was fixed