hey! added the default matchers option for image scanning as requested in #1838. now you can choose between stock matchers and CPE matchers when scanning images.
what's new:
- added --use-default-matchers flag to scan/image/patch commands
- true = stock matchers (default behavior)
- false = CPE matchers (more precise)
usage:
# use CPE matchers for more precise detection
kubescape scan image nginx:latest --use-default-matchers=false
# or in scan command
kubescape scan --scan-images --use-default-matchers=false
everything's backward compatible - existing code works exactly the same. just added the new option for folks who want more control over their vulnerability detection.
fixes#1838
Signed-off-by: aadarsh-nagrath <anagrath1@gmail.com>
- Introduced a single context in main() to handle interrupt signals (os.Interrupt, syscall.SIGTERM).
- Removed repetitive context creation in the program by reusing the propagated context.
- Improved code readability and maintainability by centralizing context management.
- Ensured consistent handling of graceful shutdown across the program.
Signed-off-by: Ruslan Semagin <pixel.365.24@gmail.com>
Added initial commit to start loading image exceptions from json files.
Currently, it supports vulnerability exceptions using their CVE-IDs.
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
This commit introduces the "exceptions" flag in the scan image command.
Users can pass a list of vulnerabilities they ignore while scanning an
image using this flag. Also added tests for the same.
Fixes: https://github.com/kubescape/kubescape/issues/1564
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
Description:
This pull request introduces a new test case TestGetFrameworkCmdWithNonExistentFramework in the framework_test.go file. The purpose of this test case is to verify the behavior of the getFrameworkCmd function when it's run with a non-existent framework argument.
In this test case, we:
Create a mock Kubescape interface and a ScanInfo object
Call the getFrameworkCmd function with the mock interface and ScanInfo object
Run the command with a non-existent framework argument
Check that there is an error and the error message is "bad argument: account ID must be a valid UUID"
This test case enhances the test coverage of the getFrameworkCmd function and ensures that it correctly handles non-existent framework arguments.
Signed-off-by: Umair <58398786+Umair0343@users.noreply.github.com>
Description:
This pull request introduces a new test case TestGetControlCmdWithNonExistentControl in the control_test.go file. The purpose of this test case is to verify the behavior of the getControlCmd function when it's run with a non-existent control argument.
In this test case, we:
Create a mock Kubescape interface and a ScanInfo object
Call the getControlCmd function with the mock interface and ScanInfo object
Run the command with a non-existent control argument
Check that there is an error and the error message is "bad argument: account ID must be a valid UUID"
This test case enhances the test coverage of the getControlCmd function and ensures that it correctly handles non-existent control arguments.
Signed-off-by: Umair <58398786+Umair0343@users.noreply.github.com>
Wrote new tests for the following packages
- operator
- patch
- scan
Also fixed potential crash in the RunE function of the image subcommand
in the scan package.
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
* add access key flag to the scan command
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* support triggering ns
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* Fixed json keys
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* get k8s config
Signed-off-by: David Wertenteil <dwertent@armosec.io>
---------
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* adding corrections to cmd
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* remove decorative line
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* wip: changed results indicator
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* replace status test with icons
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* print workloads in a different line
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* update display
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* deprecate commands
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* removed unused functions
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* fixed tests
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* update cloud provider detection
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* rename column name
Signed-off-by: David Wertenteil <dwertent@armosec.io>
---------
Signed-off-by: David Wertenteil <dwertent@armosec.io>
* code refactor
Signed-off-by: Amir Malka <amirm@armosec.io>
* use scaninfo object in resource handler
Signed-off-by: Amir Malka <amirm@armosec.io>
---------
Signed-off-by: Amir Malka <amirm@armosec.io>
This commit adds a CLI command and an associated package that scan
images for vulnerabilities.
Signed-off-by: Vlad Klokun <vklokun@protonmail.ch>
feat(imagescan): fail on exceeding the severity threshold
Signed-off-by: Vlad Klokun <vklokun@protonmail.ch>
* add cmd
Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io>
* support single workload scan
Signed-off-by: Amir Malka <amirm@armosec.io>
* fix conflict
Signed-off-by: Amir Malka <amirm@armosec.io>
* added unit tests
Signed-off-by: Amir Malka <amirm@armosec.io>
* added unit tests
Signed-off-by: Amir Malka <amirm@armosec.io>
* more refactoring
Signed-off-by: Amir Malka <amirm@armosec.io>
* add scanned workload reference to opasessionobj
Signed-off-by: Amir Malka <amirm@armosec.io>
* fix GetWorkloadParentKind
Signed-off-by: Amir Malka <amirm@armosec.io>
* remove namespace argument from pullSingleResource, using field selector instead
Signed-off-by: Amir Malka <amirm@armosec.io>
* removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function
Signed-off-by: Amir Malka <amirm@armosec.io>
* fix tests
Signed-off-by: Amir Malka <amirm@armosec.io>
* use ScanObject instead of workload identifier
Signed-off-by: Amir Malka <amirm@armosec.io>
* refactor logic after CR
Signed-off-by: Amir Malka <amirm@armosec.io>
---------
Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io>
Signed-off-by: Amir Malka <amirm@armosec.io>
Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io>
