RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Kubescape解除 ×

Kubescape

Security2026年6月30日

Kubescape v4.0.10 is a feature and hardening release: it closes an SSRF gap in the scan-completion webhook, tightens config.json permissions and validation, and removes a dead CRD, alongside a large batch of bug fixes and new capabilities like `operator remediate` and encrypted report decryption. No CVE-tracked vulnerabilities are disclosed in this release.

  • securitySSRF hardening on scan-completion webhook

    The scan-completion webhook callback now hardens against SSRF. Applies to users of the webhook callback feature; upgrade if you rely on it to avoid outbound requests being abused via crafted callback URLs.

  • breakingconfig.json permissions restricted to owner-only

    config.json is now written with owner-only permissions instead of broader access. Applies unconditionally; review any tooling or automation that reads this file as a different user, since it may now fail to access it.

  • breakingRemoval of orphan SecurityException CRD

    The orphan SecurityException CRD, which was never installable, has been removed. Applies only if you had references to this CRD in manifests or docs; it has no functional impact since it never worked.

  • enhancementStricter validation on --format and VAP controls

    The --format flag now rejects invalid values before a scan starts, and VAP configurable controls now require params. Applies if you script scans with an unchecked --format value or run VAP controls without required params; these calls will now fail fast instead of proceeding silently.

主な変更 (8)
  • SSRF-hardened scan-completion webhook callback closes a request-forgery gap in outbound notifications.
  • config.json permissions tightened to owner-only, changing default file access for existing installs.
  • Orphan, uninstallable SecurityException CRD removed along with its test.
  • Validation tightened in two spots: --format now rejects invalid values pre-scan, and VAP configurable controls require params.
  • New `operator remediate` CLI subcommand (annotate and dry-run modes), CEL env builder/evaluator for the VAP engine, and encrypted report decryption with DEK wrapping.
  • New scan coverage score metric penalizing silent failed GVR pulls, plus per-control evaluation timeouts in the OPA processor (timed-out controls score 0 and discard partial results).
  • Several panic fixes (nil ScanData, image names without an organization, scan execution goroutine) plus HTTP timeouts on the scan listener server.
  • Plus roughly ten smaller fixes: resource deduplication, host-sensor infoMap merging, SARIF line resolution, output overwrite prevention, orphaned RoleBinding handling, and a Go 1.26 codebase update.
原文

Kubescape

Security2026年5月29日

Kubescape v4.0.9 is a large maintenance release fixing scan accuracy bugs (partial resource collection, coverage reporting, Prometheus output), hardening data exposure in scan reports, and changing the patch command's default push behavior.

  • securityReview secret exposure fixes and new anonymization flag

    Multiple fixes landed for secret/data leakage in scan output: EnvFrom and Env[].ValueFrom are now cleared in removeContainersData (commits acc3280, 0c68cca), an IDOR in /v1/results was hardened (commit 0fe6a0f), and a new --hide/anonymization pipeline was added to scrub resource names, namespaces, labels, annotations, and container metadata from scan reports. If you share or export Kubescape reports outside your team, review the new --hide flag and confirm your CI artifacts aren't exposing secret references from container env vars.

  • breakingPatch command no longer pushes images by default

    Kubescape's `kubescape fix` command now defaults to not pushing patched images (commit b10cbb1). If your CI pipelines relied on the old default push behavior, add an explicit `--push` flag or equivalent opt-in, or your patch pipeline will silently stop pushing images after upgrading.

  • enhancementAdopt new coverage-gate and diff commands in CI

    New flags let you gate CI pipelines on scan coverage and control results: --fail-coverage-below sets a minimum coverage threshold (commit 4ae7b87), and scan coverage gaps/not-evaluated controls are now reported explicitly (commit 5876d2b). A new `kubescape diff` command compares two scan reports (commit 00682ee). Add --fail-coverage-below to CI gates where partial resource collection could previously pass silently, and use `kubescape diff` to track posture drift between scans.

主な変更 (6)
  • Partial GVR (resource type) collection failures are now surfaced instead of silently suppressed, and ScanCoverage reflects failed/not-evaluated controls
  • New --fail-coverage-below flag and kubescape diff command for CI coverage gating and report comparison
  • New --hide flag and anonymization pipeline scrub resource names, namespaces, labels, annotations, and container metadata from output
  • fix command now requires explicit opt-in to push images (previously pushed by default)
  • Multiple Prometheus output fixes: missing HELP/TYPE headers added, score/metrics writes routed to correct writer, duplicate headers deduplicated
  • K8s resource collection parallelized for performance, and a TOCTOU race in TimedCache was fixed
原文

Kubescape

Security2026年5月9日

Kubescape v4.0.8 is a focused patch release that fixes several VAP (Validating Admission Policy) bugs and adds a --timeout flag to the deploy-library command.

  • breakingVAP label selector parsing was silently wrong — verify your policies

    The old code split label selectors on '=' directly instead of using Kubernetes' label parser. DoubleEquals (==) selectors were also incorrectly accepted. If you've generated VAP policies with Kubescape and used complex label selectors, re-generate and re-validate those policies with v4.0.8. Don't assume previously generated output was correct.

  • enhancementUse --timeout with VAP deploy-library in slow clusters

    The new --timeout flag on the deploy-library command lets you tune how long Kubescape waits during VAP library deployment. If your cluster has slow API server response times or you're running in CI with strict time limits, set this explicitly rather than relying on the default. Test in staging first to find a safe value before enforcing it in pipelines.

  • enhancementConnector URL back-propagation fix matters for cloud API setups

    A bug where connector URLs weren't back-propagated to the config object during cloud API initialization is now fixed. If you use Kubescape's cloud integration and noticed inconsistent scan result submissions, this patch addresses the root cause. Upgrade and re-run a scan to confirm results are reaching your backend correctly.

主な変更 (5)
  • Added --timeout flag to the VAP deploy-library command for controlling deployment timeouts
  • Fixed label selector validation to use Kubernetes upstream label parsing instead of raw string splitting — prevents silent breakage with complex selectors
  • Fixed K8s name and namespace validation to use proper DNS label validation helpers
  • Fixed writeOutput to auto-create parent directories, preventing file write failures
  • Suppressed spurious interrupt signal log messages on graceful exit — cleaner operator experience
原文

Kubescape

Security2026年5月8日

Kubescape v4.0.7 is a broad bug-fix and usability release: better input validation, safer concurrency in the HTTP handler, a new ControlInput CRD, and service discovery without a sidecar.

  • breakingThreshold flags now fail fast — check your CI pipelines

    Severity-threshold, compliance-threshold, and fail-threshold flags are now validated before the scan starts. Scripts or CI jobs that pass invalid threshold values will now exit immediately with an error rather than completing the scan and ignoring the flag. Review your scan invocations to confirm all threshold flags are valid before upgrading.

  • enhancementDrop the sidecar for service discovery

    Service discovery now queries the Kubernetes API directly. If you've been running a sidecar specifically to support Kubescape's service discovery, you can remove it. Audit your deployments before upgrading to avoid unexpected behavior from redundant sidecars.

  • enhancementDeploy the ControlInput CRD for in-cluster tuning

    The new ControlInput CRD lets you configure control inputs directly in the cluster rather than through external files. This only activates during live cluster scans, so file-scan workflows are unaffected. Apply the CRD after upgrading if you want to centralize scan policy configuration in-cluster.

主な変更 (5)
  • New ControlInput CRD enables in-cluster control configuration — gated to live cluster scans only, not file-based scans
  • Service discovery now pulls services directly from the API, dropping the sidecar requirement entirely
  • TLS key configuration for the HTTP handler can now be set via environment variables, with a hard error on partial TLS config
  • Severity, compliance, and fail threshold flags are now validated early — before the scan runs — across all relevant subcommands
  • YAML parsing switched from byte-split to a line scanner with raised buffer limits; parse errors now surface instead of silently dropping documents
原文

Kubescape

Security2026年5月4日

v4.0.6 tackles a wave of false negatives, silent errors, and correctness bugs in scanning — namespace filters, exception matching, and OPA eval failures all get fixes that change scan results.

  • securityAudit vulnerability exception lists for case inconsistencies

    Exception matching for image scan CVE IDs was case-sensitive before this fix, meaning 'ghsa-xxxx' and 'GHSA-xxxx' were treated as different identifiers. Any exceptions defined with lowercase CVE/GHSA IDs were silently not applied. After upgrading, check that your exception lists use consistent casing and re-verify which vulnerabilities are actually being excepted.

  • securityRaw request bodies are no longer logged — review your log retention

    Kubescape's HTTP handler was logging full scan request bodies, which could include sensitive resource manifests or configuration data. That logging is now removed. If you've been collecting these logs, review and rotate any stored log data that may contain manifest content.

  • breakingExpect scan result changes after upgrading — false negatives are now real failures

    Two distinct bugs caused resources to silently disappear from scan results: OPA eval errors were swallowed, and partial GVR collection failures were suppressed. Both are fixed. If your baseline compliance scores looked suspiciously clean, re-run scans after upgrading and treat new failures as real findings that were always there, not regressions introduced by the upgrade.

主な変更 (5)
  • OPA eval errors no longer silently drop resources — failures now surface instead of producing false negatives
  • Namespace filter now correctly preserves cluster-scoped resource results when --include-namespaces is set
  • CVE exception matching is now case-insensitive, fixing missed exceptions on lowercase CVE IDs
  • Helm value overrides can now be passed through kubescape scan, and Kustomize directories with Helm dependencies render correctly
  • Raw scan request bodies are no longer logged, and concurrent exception file writes get unique temp files per request
原文

Kubescape

Security2026年4月17日

Kubescape v4.0.5 is a routine maintenance release: Go toolchain update plus dependency bumps. No new features or bug fixes.

  • securityUpgrade to pick up Go runtime and dependency CVE fixes

    Go version bumps often patch stdlib vulnerabilities (e.g., net/http, crypto) that affect compiled binaries. If you're running Kubescape as a cluster component or in CI pipelines, pull this update. Check your current version with 'kubescape version' and replace the binary or update your container image tag. Low effort, low risk.

  • enhancementPin to this patch version in your automation

    If you're using Kubescape in CI/CD security scanning pipelines, update your pinned version to v4.0.5 to stay current with the dependency graph. This is especially relevant if your org has SCA tooling that flags transitive dependency staleness in scan tooling itself — a common audit finding.

主な変更 (3)
  • Go version updated to address potential toolchain-level vulnerabilities and compatibility
  • Dependency versions bumped across go.mod/go.sum
  • No functional changes, API changes, or new features introduced
原文

Kubescape

Security2026年4月17日

v4.0.4 is a dependency maintenance release with security-relevant library bumps across gRPC, go-git, cloudflare/circl, go-jose, and hashicorp/go-getter, plus minor CLI bug fixes.

  • securityUpgrade immediately due to security-sensitive dependency updates

    Several updated libraries — hashicorp/go-getter, cloudflare/circl, go-jose, and go-git — have histories of CVEs covering path traversal, cryptographic weaknesses, and JWT attacks. While Kubescape's release notes don't call out specific CVEs, the jump from go-getter 1.7.9 to 1.8.6 and go-git 5.16.5 to 5.17.1 are both large version gaps. If you run Kubescape in CI pipelines or as part of automated scanning, update to v4.0.4 now rather than waiting for a scheduled maintenance window.

  • enhancementHelm 3.20.2 and gRPC 1.79.3 bring compatibility improvements

    The Helm SDK bump to 3.20.2 means Kubescape's chart scanning logic stays aligned with current Helm releases. If your clusters use recent Helm chart features, earlier Kubescape versions may have produced incomplete or inaccurate scan results. Rerun chart-level scans after upgrading to confirm coverage.

  • enhancementFix for duplicate flags in `scan image` — check any wrapper scripts

    If you have shell scripts or CI configs that pass flags explicitly to `kubescape scan image`, the duplicate-flag bug could have caused unexpected behavior or silent flag ignoring. After upgrading, verify your pipeline invocations still produce expected output.

主な変更 (5)
  • hashicorp/go-getter bumped from 1.7.9 to 1.8.6 — this library has a history of security CVEs around path traversal and SSRF
  • cloudflare/circl updated from 1.6.1 to 1.6.3, addressing cryptographic library fixes
  • go-jose/go-jose updated to 4.1.4, patching JWT/JWE handling issues
  • go-git bumped to 5.17.1 — prior versions had known git protocol vulnerabilities
  • Duplicate CLI flags removed from `scan image` subcommand, and error handling improved
原文

Kubescape

Security2026年3月18日

Kubescape v4.0.3 is a small patch release adding a --grype-db-url flag for offline/airgapped Grype database usage, plus a bug fix for missing host errors and dependency bumps.

  • securitygo-git updated to v5.16.5 — pull this upgrade promptly

    go-git patch releases frequently address vulnerabilities in git protocol parsing. Review the go-git v5.16.5 changelog to confirm whether any CVEs are addressed, and prioritize this upgrade if your Kubescape usage involves scanning git repositories or if you embed Kubescape as a library.

  • breakingMissing host now returns an error — check your error handling

    Previously, a missing host in scan targets silently returned nil instead of an error. If your pipelines or scripts were treating a zero-exit-code as success in these cases, they may now surface failures they were previously ignoring. Test your scan workflows after upgrading to make sure error handling behaves as expected.

  • enhancementUse --grype-db-url for airgapped or private mirror setups

    If you run Kubescape in environments without direct internet access, the new --grype-db-url flag lets you point image scans at an internal Grype DB mirror. Set this in your CI pipelines or operator configs now rather than patching environment variables or workarounds you may have hacked together previously.

主な変更 (5)
  • New --grype-db-url flag on 'kubescape scan' lets you override the default Grype vulnerability database URL
  • Fixed a bug where a missing host did not return a proper non-nil error, which could silently swallow scan failures
  • go-git bumped to v5.16.5 (likely security/bug fixes in git operations)
  • OpenTelemetry SDK bumped to 1.40.0
  • Added debug logging for scanInfo.ListingURL to aid troubleshooting Grype DB fetches
原文