Vulnerability Scanning

Kupe Cloud automatically scans every workload running in your managed cluster for security issues. You don’t need to install anything — scanning is built into the platform and results appear in your console under Security.

What Gets Scanned

Category	What It Checks	Example Finding
Vulnerabilities	Known CVEs in your container images	`CVE-2024-21626` in runc (CRITICAL, CVSS 8.6)
Config Audit	Kubernetes manifest misconfigurations	Container running as root, missing resource limits
RBAC	Overly permissive role bindings	ClusterRole with wildcard verb access
Exposed Secrets	Hardcoded credentials in images	AWS access key found in `/app/config.yaml`
Infrastructure	Node and infrastructure security	Kubelet API exposed without authentication
SBOM	Software Bill of Materials per image	Full component inventory with licenses

Scans run automatically when you deploy or update a workload, and again every 6 hours.

Viewing Your Security Reports

Navigate to Security in the console sidebar. You’ll see two sections:

Vulnerabilities

Three views of CVE data across all your workloads:

CVE — Every unique vulnerability found, sorted by severity score. Shows which images and workloads are affected, whether a fix is available, and links to the CVE database.
Resources — Your workloads listed with vulnerability counts broken down by severity (critical, high, medium, low). Click any workload to see its full scan report.
Images — Your container images with aggregated vulnerability counts. Useful for identifying which base images need updating.

Compliance

Security posture checks across your cluster resources:

Infra — Infrastructure-level security assessments
Resources — Configuration audit results for your Kubernetes manifests (e.g., missing security contexts, privileged containers)
RBAC — Permission analysis showing overly broad role bindings. Toggle “Failed checks” to focus on issues that need attention.
Secrets — Exposed credentials detected in your container images, filtered to show only findings with actual issues.

How It Works

When you deploy a workload to your managed cluster:

The platform detects the new or updated pods
Container images are scanned for known vulnerabilities (CVEs)
Kubernetes manifests are checked against security best practices
Results are stored and immediately visible in the console

Scans are continuous — if a new CVE is published that affects one of your images, it will appear in your next scheduled scan (within 6 hours).

What You Should Do

Review critical and high severity findings regularly. The vulnerability table is sorted by CVSS score by default, so the most impactful issues appear first.

For each finding:

Severity	Action
Critical (CVSS 9.0+)	Update the affected image as soon as possible
High (CVSS 7.0-8.9)	Plan to update in your next release cycle
Medium (CVSS 4.0-6.9)	Review and address when practical
Low (CVSS 0.1-3.9)	Informational — no immediate action needed

If a vulnerability shows “Fixed: Yes”, check the “Fix in version” column and update your dependency or base image to that version.

Scan Configuration

The platform applies these defaults to keep scan results actionable:

Severity filter: CRITICAL and HIGH are always surfaced; MEDIUM and LOW are included but sorted lower
Unfixed CVEs: Skipped — if no fix exists yet, the finding is suppressed to reduce noise
Scan frequency: On every workload change + every 6 hours

You cannot disable scanning for your cluster. Security scanning is a platform-enforced policy.

Report Lifecycle

Reports are tied to your workloads:

Deploy a new workload → scan runs automatically, reports appear within minutes
Update a workload → new scan runs, old reports are replaced
Delete a workload → reports are automatically cleaned up

You never need to manually manage scan reports.

Cluster Policies — admission-time policy enforcement
Container Security — security context requirements
Network Isolation — egress restrictions