Kubescape v4.0.10 is a feature and hardening release: it closes an SSRF gap in the scan-completion webhook, tightens config.json permissions and validation, and removes a dead CRD, alongside a large batch of bug fixes and new capabilities like `operator remediate` and encrypted report decryption. No CVE-tracked vulnerabilities are disclosed in this release.
securitySSRF hardening on scan-completion webhook
The scan-completion webhook callback now hardens against SSRF. Applies to users of the webhook callback feature; upgrade if you rely on it to avoid outbound requests being abused via crafted callback URLs.
breakingconfig.json permissions restricted to owner-only
config.json is now written with owner-only permissions instead of broader access. Applies unconditionally; review any tooling or automation that reads this file as a different user, since it may now fail to access it.
breakingRemoval of orphan SecurityException CRD
The orphan SecurityException CRD, which was never installable, has been removed. Applies only if you had references to this CRD in manifests or docs; it has no functional impact since it never worked.
enhancementStricter validation on --format and VAP controls
The --format flag now rejects invalid values before a scan starts, and VAP configurable controls now require params. Applies if you script scans with an unchecked --format value or run VAP controls without required params; these calls will now fail fast instead of proceeding silently.
Key changes (8)
- SSRF-hardened scan-completion webhook callback closes a request-forgery gap in outbound notifications.
- config.json permissions tightened to owner-only, changing default file access for existing installs.
- Orphan, uninstallable SecurityException CRD removed along with its test.
- Validation tightened in two spots: --format now rejects invalid values pre-scan, and VAP configurable controls require params.
- New `operator remediate` CLI subcommand (annotate and dry-run modes), CEL env builder/evaluator for the VAP engine, and encrypted report decryption with DEK wrapping.
- New scan coverage score metric penalizing silent failed GVR pulls, plus per-control evaluation timeouts in the OPA processor (timed-out controls score 0 and discard partial results).
- Several panic fixes (nil ScanData, image names without an organization, scan execution goroutine) plus HTTP timeouts on the scan listener server.
- Plus roughly ten smaller fixes: resource deduplication, host-sensor infoMap merging, SARIF line resolution, output overwrite prevention, orphaned RoleBinding handling, and a Go 1.26 codebase update.