Run Security Scan on Cluster
Atmosly provides two types of security scanning to assess the security health of your infrastructure:
- Kubescape — Kubernetes cluster-level security scanning
- Prowler — AWS account-level security assessment
Kubescape (Cluster Security Scan)
Kubescape is an open-source Kubernetes security scanner that evaluates your cluster against security best practices and compliance frameworks.
Key Features
- Security Score: A numeric score (0-100) indicating the overall security posture of your cluster
- Compliance Score: Measures how well your cluster adheres to security policies and best practices
- Category Summary: Breakdown of findings by security category
- Trend Analysis: Track how your security posture changes over time with historical scan data
- Control-level Details: Drill down into individual security controls to see specific failures and remediation steps
What is Evaluated
- Access control configurations
- Control plane security
- Secrets management
- Workload security settings
- Network policies
- Pod security standards
- Resource limits and requests
How to Run a Kubescape Scan
- Navigate to the Clusters section from the main dashboard.
- Click on the cluster you wish to scan.
- In the top-right corner, click the Cluster Actions dropdown.
- Select Run Security Scan.
- Wait for the scan to complete.
Viewing Results
Once the scan completes, review:
- Security Score and Compliance Score displayed prominently
- Category Summary — breakdown of findings by area (access control, networking, workload security, etc.)
- Controls — detailed list of security checks with pass/fail status
- Severity Levels — each finding is tagged with severity (Low, Medium, High, Critical)
- Remediation Recommendations — specific guidance to fix failed controls
- Trend Charts — filter by time period to view security score trends over multiple scans
Scans can be run on both Atmosly-provisioned and imported clusters (including token-imported clusters).
Prowler (AWS Account Security Assessment)
Prowler provides a comprehensive security assessment at the AWS account level rather than for a specific cluster. It evaluates the security posture of your entire cloud account, covering IAM, networking, storage, and other AWS services.
Key Features
- Account-wide scanning: Evaluates security across your entire AWS account, not just Kubernetes
- Multiple scan types: Different scan profiles for various compliance frameworks
- S3 report storage: Scan reports are stored in S3 for historical reference
- Detailed findings: Categorized by AWS service, severity, and compliance framework
- Rate limited: Maximum 3 scans per account per day
How to Run a Prowler Scan
- Navigate to the Security section.
- Select Prowler Scan.
- Choose the AWS Cloud Account to scan.
- Select the Scan Type based on the compliance framework you need.
- Wait for the scan to complete (this may take several minutes depending on account size).
Viewing Results
- Scan reports are accessible from the Prowler section
- Results include pass/fail status for each security check
- Findings are categorized by AWS service and severity
Prowler scans are only available for AWS accounts and scan the entire account (not individual clusters). For cluster-specific security scanning, use Kubescape.
Best Practices
- Run scans regularly to maintain continuous compliance and catch drift
- Address critical findings immediately — prioritize High and Critical severity issues
- Monitor trends to ensure your security posture improves over time
- Combine both scan types for comprehensive coverage (Kubescape for K8s, Prowler for AWS)
Permissions
To run security scans, your Atmosly user role must have the Security Scan permission enabled. Contact your organization admin if you are unable to initiate scans or view scan results.