Implement Phases 1-3 of the performance optimization plan to address
issue #1793 - reduce CPU and memory consumption for system-constrained
environments.
Phase 1 - OPA Module Caching:
- Add compiledModules cache to OPAProcessor with thread-safe access
- Cache compiled OPA rules to eliminate redundant compilation
- Reuse compiled modules with double-checked locking pattern
- Expected CPU savings: 30-40%
Phase 2 - Map Pre-sizing:
- Add estimateClusterSize() to calculate resource count
- Pre-size AllResources, ResourcesResult, and related maps
- Reduce memory reallocations and GC pressure
- Expected memory savings: 10-20%
Phase 3 - Set-based Deduplication:
- Add thread-safe StringSet utility in core/pkg/utils
- Replace O(n) slices.Contains() with O(1) map operations
- Use StringSet for image scanning and related resources deduplication
- 100% test coverage for new utility
- Expected CPU savings: 5-10% for large clusters
Full optimization plan documented in optimization-plan.md
Related: #1793
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Add a new --labels-to-copy CLI flag that allows users to specify which
labels from Kubernetes workloads should be extracted and included in
scan reports. This makes it easier to tie scan results back to app
teams or repositories by including relevant labels like 'app', 'team',
or 'environment' in the report output.
Changes:
- Add LabelsToCopy field to ScanInfo and OPASessionObj structs
- Add --labels-to-copy flag to scan command
- Add ResourceLabels field to PostureReportWithSeverity for JSON output
- Implement extractResourceLabels function to extract specified labels
- Add unit tests for label extraction functionality
Fixes#1660🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: majiayu000 <1835304752@qq.com>
Fixes#1617. The kustomize build was failing for overlays that reference
base configurations in parent directories (e.g., ../../base). This was
because krusty.MakeDefaultOptions() defaults to LoadRestrictionsRootOnly,
which prevents loading resources from outside the kustomize directory.
Changed LoadRestrictions to LoadRestrictionsNone to allow overlays to
properly resolve and merge base configurations during scanning.
Added tests to verify:
- Overlay directories can successfully load resources from base directories
- Base directories continue to work as before
- The merged configuration includes resources from both base and overlay
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: majiayu000 <1835304752@qq.com>
- Add isHTTPURL helper function for better code reusability
- Improve comments to clarify why ContextDir is returned
- Enhance error message for unrecognized git repositories
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
- Add URL detection (http:// and https://) in getScanningContext
- Prevent URLs from being joined with current working directory
- Add test cases for self-hosted GitLab URLs
- Ensure proper error handling when git clone fails
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
Ensure getter functions handle nil downloadReleasedPolicy correctly by creating a new instance when needed, maintaining backward compatibility with existing code while supporting air-gapped mode.
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
- Fix string field checks in isAirGappedMode (use != "" instead of len() > 0)
- Use centralized isAirGappedMode function in getResourceHandler
- Improve comment clarity to reflect all air-gapped conditions
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
Extract complex boolean condition into a dedicated helper function for better readability and maintainability.
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
- Skip version check when --keep-local flag is set
- Skip DownloadReleasedPolicy initialization when in air-gapped mode
- Skip KSCloudAPIConnector initialization when --keep-local is set
Co-authored-by: matthyx <20683409+matthyx@users.noreply.github.com>
