* fixes#964
* adapted build and ci to use build tag
* fixup error messages
* report git scan skipped warning & version
* fixed CI on windows: powershell parsing args...
* fixup leftover comment
* fixup typo in test message
* resolved merge conflicts on unit tests
* fix: added gitenabled tag to Makefile target
Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
* fixed flaky loop(cautils): loadpolicy getter
We should not inject pointers to the variable iterated over by the
"range" operator.
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
* fixed more flaky pointers in loops (registryadaptors, opaprocessor)
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
* fixed more flaky pointers in loops (resultshandling)
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
* enabled golangci linter in CI
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
* fixed linting issues with minimal linters config
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
* bump go version to 1.19
* English and typos
* Support AKS parser (#994)
* support GKE parser
* update go mod
* support GKE parser
* update go mod
* update k8s-interface pkg
* Added KS desgin.drawio
* revert k8s.io to v0.25.3
* ran go mod tidy
* update sign-up url
* [wip] Adding CreateAccount support
* revert to docs URL
* update opa-utils pkg
* Print attack tree (optional, with argument) (#997)
* Print attack tree with the argument
Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>
Co-authored-by: Frédéric BIDON <frederic@oneconcern.com>
Co-authored-by: Frédéric BIDON <fredbi@yahoo.com>
Co-authored-by: Oshrat Nir <45561829+Oshratn@users.noreply.github.com>
Co-authored-by: Amir Malka <amirm@armosec.io>
Co-authored-by: David Wertenteil <dwertent@armosec.io>
Prior to this change, `pretty-printer` was a special type of Printer
that wrote output to `Stdout`, unless explicitly asked to write to a
given file. Kubescape used `pretty-printer` as an output format by
default. This behavior created the following inconsistencies:
- When invoked as `kubescape scan`, Kubescape would use `pretty-printer`
by default, and it would output the scan resluts in the
`pretty-printer` format to `Stdout`.
- When invoked as `kubescape scan --format=pretty-printer`, the behavior
would be as above.
- When invoked as `kubescape scan --format=FORMAT`, where `FORMAT` is any
format except for `pretty-printer`, Kubescape would write the results
to a sensible default file for the selected format. This is in
contrast to how `--format=pretty-printer` would still output to
`os.Stdout`, and not an output file.
- When invoked as `kubescape scan --format=ANY_FORMAT --output=FILENAME`, where
`ANY_FORMAT` is any format, including `pretty-printer`, Kubescape
would write the results to the provided `FILENAME` in the given
`ANY_FORMAT`, and not write any results to `Stdout`.
The aforementioned situation complicates life for users running
Kubescape in CI, where Kubescape would skip writing the results to
`Stdout` and only write to the provided output file.
Moreover, with the addition of support for multiple output formats and,
hence, files, this introduces the following ambiguity:
- When invoked as `kubescape scan --format=json,pdf,pretty-printer
--output=FILENAME`, should Kubescape treat `pretty-printer` as a
format for the output file, or just an instruction to also print the
results to `Stdout`?
To fix these inconsistencies and ambiguities, this commit introduces the
following changes:
- Kubescape will always print results to `Stdout` using the
PrettyPrinter format.
- The `--format` CLI flag will control the format(s) in which the results
will be written to one or many *output* files. This breaks the
previous behavior that running `kubescape scan
--format=pretty-printer` would not produce an output file, and only
write to `Stdout`. After this change, the same invocation will still
write to `Stdout`, but also produce a `report.txt` file in the
PrettyPrinter format.
Before this change, we used to override a scan info `ScanningTarget` to
submit a result that is compatible with the backend for Kubescape.
However, previously we forgot to change back to the original value.
When printing scan results, if the correct order of events (Print →
Score → Submit) was not enforced, this broke the SARIF printer so that
it did not output results due to incorrect `basePath` for the results.
This change reverts to the original `ScanningTarget` value after
submitting the results and fixes the SARIF printer.
The value of allowPrivilegeEscalation followed implicit default of Kubernetes:
> AllowPrivilegeEscalation is true always when the container is:
> 1) run as Privileged
> 2) has CAP_SYS_ADMIN
For users still using PodSecurityPolicy (or a follow-up product like OPA Gatekeeper or
Kyverno), there might be mutating admission controllers which defaults this field to
`false` if unset. A value of `false` would then conflict with `privileged: true`.
Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
