Add a new --labels-to-copy CLI flag that allows users to specify which
labels from Kubernetes workloads should be extracted and included in
scan reports. This makes it easier to tie scan results back to app
teams or repositories by including relevant labels like 'app', 'team',
or 'environment' in the report output.
Changes:
- Add LabelsToCopy field to ScanInfo and OPASessionObj structs
- Add --labels-to-copy flag to scan command
- Add ResourceLabels field to PostureReportWithSeverity for JSON output
- Implement extractResourceLabels function to extract specified labels
- Add unit tests for label extraction functionality
Fixes#1660🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: majiayu000 <1835304752@qq.com>
hey! added the default matchers option for image scanning as requested in #1838. now you can choose between stock matchers and CPE matchers when scanning images.
what's new:
- added --use-default-matchers flag to scan/image/patch commands
- true = stock matchers (default behavior)
- false = CPE matchers (more precise)
usage:
# use CPE matchers for more precise detection
kubescape scan image nginx:latest --use-default-matchers=false
# or in scan command
kubescape scan --scan-images --use-default-matchers=false
everything's backward compatible - existing code works exactly the same. just added the new option for folks who want more control over their vulnerability detection.
fixes#1838
Signed-off-by: aadarsh-nagrath <anagrath1@gmail.com>
- Introduced a single context in main() to handle interrupt signals (os.Interrupt, syscall.SIGTERM).
- Removed repetitive context creation in the program by reusing the propagated context.
- Improved code readability and maintainability by centralizing context management.
- Ensured consistent handling of graceful shutdown across the program.
Signed-off-by: Ruslan Semagin <pixel.365.24@gmail.com>
Added initial commit to start loading image exceptions from json files.
Currently, it supports vulnerability exceptions using their CVE-IDs.
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
This commit introduces the "exceptions" flag in the scan image command.
Users can pass a list of vulnerabilities they ignore while scanning an
image using this flag. Also added tests for the same.
Fixes: https://github.com/kubescape/kubescape/issues/1564
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
Description:
This pull request introduces a new test case TestGetFrameworkCmdWithNonExistentFramework in the framework_test.go file. The purpose of this test case is to verify the behavior of the getFrameworkCmd function when it's run with a non-existent framework argument.
In this test case, we:
Create a mock Kubescape interface and a ScanInfo object
Call the getFrameworkCmd function with the mock interface and ScanInfo object
Run the command with a non-existent framework argument
Check that there is an error and the error message is "bad argument: account ID must be a valid UUID"
This test case enhances the test coverage of the getFrameworkCmd function and ensures that it correctly handles non-existent framework arguments.
Signed-off-by: Umair <58398786+Umair0343@users.noreply.github.com>
Description:
This pull request introduces a new test case TestGetControlCmdWithNonExistentControl in the control_test.go file. The purpose of this test case is to verify the behavior of the getControlCmd function when it's run with a non-existent control argument.
In this test case, we:
Create a mock Kubescape interface and a ScanInfo object
Call the getControlCmd function with the mock interface and ScanInfo object
Run the command with a non-existent control argument
Check that there is an error and the error message is "bad argument: account ID must be a valid UUID"
This test case enhances the test coverage of the getControlCmd function and ensures that it correctly handles non-existent control arguments.
Signed-off-by: Umair <58398786+Umair0343@users.noreply.github.com>
Wrote new tests for the following packages
- operator
- patch
- scan
Also fixed potential crash in the RunE function of the image subcommand
in the scan package.
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
* add access key flag to the scan command
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* support triggering ns
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* Fixed json keys
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* get k8s config
Signed-off-by: David Wertenteil <dwertent@armosec.io>
---------
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* adding corrections to cmd
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* remove decorative line
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* wip: changed results indicator
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* replace status test with icons
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* print workloads in a different line
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* update display
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* deprecate commands
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* removed unused functions
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* fixed tests
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* update cloud provider detection
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* rename column name
Signed-off-by: David Wertenteil <dwertent@armosec.io>
---------
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* code refactor
Signed-off-by: Amir Malka <amirm@armosec.io>
* use scaninfo object in resource handler
Signed-off-by: Amir Malka <amirm@armosec.io>
---------
Signed-off-by: Amir Malka <amirm@armosec.io>
