nctl scan kubernetes
Scan Kubernetes resources
nctl scan kubernetes [flags]
Examples
# Scan a live Kubernetes cluster and use Nirmata's AI-powered services to analyze the scan result
nctl scan kubernetes --cluster --analyze
# Scan a live Kubernetes cluster and publish scan results to Nirmata Control Hub (NCH)
nctl scan kubernetes --cluster --publish
# Scan Kubernetes resources from a local file with a specific policy
nctl scan kubernetes --resources ./resource.yaml --policies ./policy.yaml
# Scan resources in a specific namespace using a policy set
nctl scan kubernetes --namespace default --policy-sets pss-baseline
# Scan a live Kubernetes cluster using cluster policies and exceptions
nctl scan kubernetes --cluster --cluster-policies --cluster-exceptions
# Scan with a specific kubeconfig and context
nctl scan kubernetes --kubeconfig /path/to/kubeconfig --kube-context my-context
# Output the scan results in JSON format with detailed violations
nctl scan kubernetes --resources ./resource.yaml --policies ./policy.yaml --details -o json
# Scan resources while allowing insecure connections (not recommended)
nctl scan kubernetes --resources ./resource.yaml --insecure
# Scan and show remediation suggestions for violating resources
nctl scan kubernetes --resources ./resource.yaml --show-remediations
Options
--analyze Analyze cluster using AI
--audit-as-warn Report violations from policies in audit mode as warnings instead of failures
--cluster Scan resources in a cluster using cluster policies and exceptions (default value false)
--cluster-exceptions Use exceptions from a cluster (default value false)
--cluster-name string Override name of cluster while publishing report to Nirmata Control Hub (NCH)
--cluster-policies Use policies from a cluster (default value false)
--cluster-resources Use resources from a cluster (default value false)
--continue-on-fail If set to true, will continue to apply policies on the next resource upon failure to apply to the current resource instead of exiting out
--details Show result details for violating resources
-e, --exceptions strings Policy exceptions to be considered when evaluating policies against resources
--file string Output file
-h, --help help for kubernetes
--insecure allow connection to an address with a self-signed or non-verifiable certificate (not recommended)
--kube-context string the kube context from configured kubeconfig. Default is the current or sole context
--kubeconfig string kubeconfig path (defaults to $HOME/.kube/kubeconfig)
-l, --label strings Label the cluster and Label selector in the format key=value for policy sets in Nirmata Control Hub (NCH)
-n, --namespace strings Namespace of the resources to scan
--no-color disable the colors for the stdout reports
-o, --output string Output format (text, sarif, json, polr, yaml, scan-report) (default "text")
-p, --policies strings Path to policy files (local path, github URL, helm URL)
--policy-sets strings Comma-separated policy set names (pss-baseline, pss-restricted, rbac-best-practices)
--policy-view Use with --details to reverse the view from resource->policy to policy->resource
--publish Publish reports
--publish-token string scan reports publish token
--remediate string Remediate resources ('show', 'patch')
--report-sourceid string Add source id for report created for local scan (is required for local scans; is the cluster id for cluster scan)
-r, --resources strings Path to resource files (local path, github URL)
--token string Nirmata API Login Key (env NIRMATA_TOKEN)
--url string Nirmata server base URL (env NIRMATA_URL)
--values-file string File containing values for policy variables
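The options above include three that matter when the command runs unattended: `--insecure`, `--token` and `--report-sourceid`. The following pre-flight check is an added example, not code from Nirmata or from this page. `check_scan_args` is a hypothetical helper name, and it assumes "local scan" means a run without `--cluster`.

```shell
#!/bin/sh
# Added example (not Nirmata code): pre-flight check for the arguments a CI job
# is about to pass to `nctl scan kubernetes`. check_scan_args is a hypothetical
# helper; it references only flags documented on this page.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_scan_args() {
    insecure=0; token=0; publish=0; cluster=0; sourceid=0; findings=0
    for arg in "$@"; do
        case "$arg" in
            --insecure|--insecure=true) insecure=1 ;;
            --token|--token=*) token=1 ;;
            --publish|--publish=true) publish=1 ;;
            --cluster|--cluster=true) cluster=1 ;;
            --report-sourceid|--report-sourceid=*) sourceid=1 ;;
        esac
    done
    if [ "$insecure" -eq 1 ]; then
        echo "FAIL --insecure: server certificate is not verified; remove the flag"
        findings=$((findings + 1))
    fi
    if [ "$token" -eq 1 ]; then
        echo "FAIL --token: API key is visible in argv and job logs; export NIRMATA_TOKEN instead"
        findings=$((findings + 1))
    fi
    # Assumption: a run without --cluster is a "local scan" in the help text's sense.
    if [ "$publish" -eq 1 ] && [ "$cluster" -eq 0 ] && [ "$sourceid" -eq 0 ]; then
        echo "FAIL --publish: a local scan needs --report-sourceid"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: local scan, published, with an inline key and TLS checks off.
check_scan_args --resources ./resource.yaml --publish --token EXAMPLE-KEY --insecure || true
```

Call it with the same argument list the job will hand to `nctl scan kubernetes` and stop the job on a non-zero return.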
Options inherited from parent commands
-v, --v Level log level for V logs
SEE ALSO
- nctl scan - Scan resources