Add a new --labels-to-copy CLI flag that allows users to specify which
labels from Kubernetes workloads should be extracted and included in
scan reports. This makes it easier to tie scan results back to app
teams or repositories by including relevant labels like 'app', 'team',
or 'environment' in the report output.
Changes:
- Add LabelsToCopy field to ScanInfo and OPASessionObj structs
- Add --labels-to-copy flag to scan command
- Add ResourceLabels field to PostureReportWithSeverity for JSON output
- Implement extractResourceLabels function to extract specified labels
- Add unit tests for label extraction functionality
Fixes #1660
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: majiayu000 <1835304752@qq.com>
hey! added the default matchers option for image scanning as requested in #1838. now you can choose between stock matchers and CPE matchers when scanning images.
what's new:
- added --use-default-matchers flag to scan/image/patch commands
  - true = stock matchers (default behavior)
  - false = CPE matchers (more precise)
usage:
# use CPE matchers for more precise detection
kubescape scan image nginx:latest --use-default-matchers=false
# or in scan command
kubescape scan --scan-images --use-default-matchers=false
everything's backward compatible - existing code works exactly the same. just added the new option for folks who want more control over their vulnerability detection.
fixes #1838
Signed-off-by: aadarsh-nagrath <anagrath1@gmail.com>
Implemented two new tools: 'list_configuration_security_scan_manifests' for listing available configuration scan manifests and 'get_configuration_security_scan_manifest' for retrieving details of a specific manifest. Added a resource template for configuration manifests and integrated these tools into the mcpserver.
Signed-off-by: Ben <ben@armosec.io>
- Introduced a single context in main() to handle interrupt signals (os.Interrupt, syscall.SIGTERM).
- Removed repetitive context creation in the program by reusing the propagated context.
- Improved code readability and maintainability by centralizing context management.
- Ensured consistent handling of graceful shutdown across the program.
Signed-off-by: Ruslan Semagin <pixel.365.24@gmail.com>
Added initial commit to start loading image exceptions from json files.
Currently, it supports vulnerability exceptions using their CVE-IDs.
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
This commit introduces the "exceptions" flag in the scan image command.
Users can pass a list of vulnerabilities they ignore while scanning an
image using this flag. Also added tests for the same.
Fixes: https://github.com/kubescape/kubescape/issues/1564
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>