fix

Update release flow

.github/workflows/00-test.yaml

@@ -1,4 +1,4 @@
-name: test
+name: 00-test
 
 on:
   workflow_call:
@@ -12,7 +12,7 @@ on:
         required: true
         type: string
 jobs:
-  build:
+  basic-tests:
     name: Create cross-platform build
     runs-on: ${{ matrix.os }}
     env:
@@ -89,12 +89,41 @@ jobs:
         env:
           RELEASE: ${{ inputs.release }} 
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape-${{ matrix.os }}
         if: matrix.os != 'ubuntu-20.04'
 
       - name: Smoke Testing (Linux)
         env:
           RELEASE: ${{ inputs.release }} 
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/ubuntu-latest/kubescape
-        if: matrix.os == 'ubuntu-20.04'        
+        run: python3 smoke_testing/init.py ${PWD}/build/ubuntu-latest/kubescape-ubuntu-latest
+        if: matrix.os == 'ubuntu-20.04'      
+
+      - name: golangci-lint
+        if: matrix.os == 'ubuntu-20.04'      
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@v3
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: latest
+
+          # Optional: working directory, useful for monorepos
+          # working-directory: somedir
+
+          # Optional: golangci-lint command line arguments.
+          # args: --issues-exit-code=0
+          args: --timeout 10m --build-tags=static
+          #--new-from-rev dev
+
+          # Optional: show only new issues if it's a pull request. The default value is `false`.
+          only-new-issues: true
+
+          # Optional: if set to true then the all caching functionality will be complete disabled,
+          #           takes precedence over all other caching options.
+          # skip-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
+          # skip-pkg-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
+          # skip-build-cache: true

.github/workflows/01-create-release.yaml

@@ -1,4 +1,4 @@
-name: build
+name: 01-create-release
 
 on:
   workflow_call:
@@ -7,7 +7,7 @@ on:
         description: 'release'
         required: true
         type: string
-      tag_name:
+      tag:
         description: 'tag'
         required: true
         type: string
@@ -34,8 +34,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ inputs.tag_name }}
           release_name: ${{ inputs.release_name }}
+          tag_name: ${{ inputs.tag }}
           draft: ${{ inputs.draft }}
           prerelease: false
-   
+   

.github/workflows/01-golang-lint.yaml

@@ -1,64 +0,0 @@
-name: golangci-lint
-on:
-  push:
-    branches:
-      - dev
-  pull_request:
-    types: [ edited, opened, synchronize, reopened ]
-    branches: 
-      - 'master'
-      - 'main'
-      - 'dev'
-    paths-ignore:
-      - '**.yaml'
-      - '**.md'
-      - '**.sh'
-      - 'website/*'
-      - 'examples/*'
-      - 'docs/*'
-      - 'build/*'
-      - '.github/*'
-permissions:
-  contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
-  pull-requests: read
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Install libgit2
-        run: make libgit2
-      - name: golangci-lint
-        continue-on-error: true
-        uses: golangci/golangci-lint-action@v3
-        with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: latest
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          # args: --issues-exit-code=0
-          args: --timeout 10m --build-tags=static
-          #--new-from-rev dev
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          only-new-issues: true
-
-          # Optional: if set to true then the all caching functionality will be complete disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true

.github/workflows/02-publish-artifacts.yaml

@@ -0,0 +1,75 @@
+name: publish-artifacts
+
+on:
+  workflow_call:
+    inputs:
+      upload_url:
+        description: 'upload url'
+        required: true
+        type: string
+      release:
+        description: 'release tag'
+        required: true
+        type: string
+
+jobs:
+  publish-artifacts:
+    name: Build and publish artifacts
+    runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+
+      - name: Build
+        env:
+          RELEASE: ${{ inputs.release }}
+          CLIENT: release
+          CGO_ENABLED: 1
+        run: python3 --version && python3 build.py
+
+      - name: Upload release assets (Windows / MacOS)
+        id: upload-release-asset-win-macos
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ inputs.upload_url }}
+          asset_path: build/${{ matrix.os }}/*
+        if: matrix.os != 'ubuntu-20.04'
+
+      - name: Upload release assets (Linux)
+        id: upload-release-asset-linux
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ inputs.upload_url }}
+          asset_path: build/ubuntu-latest/*
+        if: matrix.os == 'ubuntu-20.04'
+
+  publish-krew-plugin:
+    name: Publish Krew plugin
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@v0.0.43

.github/workflows/03-publish-image.yaml

@@ -1,4 +1,4 @@
-name: build
+name: 03-publish-image
 
 on:
   workflow_call:

.github/workflows/README.md

@@ -0,0 +1,52 @@
+# Kubescape workflows
+
+Tag terminology: `v<major>.<minor>.<patch>`
+
+## Developing process
+
+Kubescape's main branch is `main`, any PR will be opened against the main branch.
+
+### Opening a PR
+
+When a user opens a PR, this will trigger some basic tests (units, license, etc.)
+
+### Reviewing a PR
+
+The reviewer/maintainer of a PR will decide whether the PR introduces changes that require running the E2E system tests. If so, the reviewer will add the `trigger-integration-test` label.
+
+### Approving a PR
+
+Once a maintainer approves the PR, if the `trigger-integration-test` label was added to the PR, the GitHub actions will trigger the system test. The PR will be merged only after the system tests passed successfully. If the label was not added, the PR can be merged. 
+
+### Merging a PR
+
+The code is merged, no other actions are needed
+
+
+## Release process
+
+Every two weeks, we will create a new tag by bumping the minor version, this will create the release and publish the artifacts. 
+If we are introducing breaking changes, we will update the `major` version instead.
+
+When we wish to push a hot-fix/feature within the two weeks, we will bump the `patch`.
+
+### Creating a new tag
+Every two weeks or upon the decision of the maintainers, a maintainer can create a tag.
+
+The tag should look as follows: `v<A>.<B>.<C>-rc.D` (release candidate). 
+
+When creating a tag, GitHub will trigger the following actions:
+1. Basic tests - unit tests, license, etc.
+2. System tests (integration tests). If the tests fail, the actions will stop here.
+3. Create a new tag: `v<A>.<B>.<C>` (same tag just without the `rc` suffix)
+4. Create a release
+5. Publish artifacts
+6. Build and publish the docker image (this is meanwhile until we separate the microservice code from the LCI codebase)
+ 
+## Additional Information
+
+The "callers" have the alphabetic prefix and the "executes" have the numeric prefix
+
+## Screenshot
+
+<img width="1469" alt="image" src="https://user-images.githubusercontent.com/64066841/212532727-e82ec9e7-263d-408b-b4b0-a8c943f0109a.png">

.github/workflows/a-pr-check.yaml

@@ -18,7 +18,7 @@ on:
       - '.github/*'
 jobs:
   test:
-    uses: ./.github/workflows/test.yaml
+    uses: ./.github/workflows/00-test.yaml
     with:
-      release: "v2.0.${{ github.run_number }}"
+      release: ${{ github.ref_name}}
       client: test

.github/workflows/build.yaml

@@ -1,124 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: 
-      - 'master'
-      - 'main'
-    paths-ignore:
-      - '**.yaml'
-      - '**.md'
-      - '**.sh'
-      - 'website/*'
-      - 'examples/*'
-      - 'docs/*'
-      - 'build/*'
-      - '.github/*'
-jobs:
-  test:
-    uses: ./.github/workflows/test.yaml
-    with:
-      release: "v2.0.${{ github.run_number }}"
-      client: test
-
-  create-release:
-    uses: ./.github/workflows/release.yaml
-    needs: test
-    with:
-      release_name: "Release v2.0.${{ github.run_number }}"
-      tag_name: "v2.0.${{ github.run_number }}"
-    secrets: inherit
-
-  publish-artifacts:
-    name: Build and publish artifacts
-    needs: create-release
-    runs-on: ${{ matrix.os }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    strategy:
-      matrix:
-        os: [ubuntu-20.04, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
- 
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
-
-      - name: Build
-        env:
-          RELEASE: v2.0.${{ github.run_number }}
-          CLIENT: release
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
- 
-      - name: Upload release binaries (Windows / MacOS)
-        id: upload-release-asset-win-macos
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/${{ matrix.os }}/kubescape
-          asset_name: kubescape-${{ matrix.os }}
-          asset_content_type: application/octet-stream
-        if: matrix.os != 'ubuntu-20.04'
-
-      - name: Upload release binaries (Linux)
-        id: upload-release-asset-linux
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/ubuntu-latest/kubescape
-          asset_name: kubescape-ubuntu-latest
-          asset_content_type: application/octet-stream
-        if: matrix.os == 'ubuntu-20.04'
-
-      - name: Upload release hash (Windows / MacOS)
-        id: upload-release-hash-win-macos
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/${{ matrix.os }}/kubescape.sha256
-          asset_name: kubescape-${{ matrix.os }}-sha256
-          asset_content_type: application/octet-stream
-        if: matrix.os != 'ubuntu-20.04'
-
-      - name: Upload release hash (Linux)
-        id: upload-release-hash-linux
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/ubuntu-latest/kubescape.sha256
-          asset_name: kubescape-ubuntu-latest-sha256
-          asset_content_type: application/octet-stream     
-        if: matrix.os == 'ubuntu-20.04'
-
-  publish-image:
-    uses: ./.github/workflows/build-image.yaml
-    needs: create-release
-    with:
-      client: "image-release"
-      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
-      image_tag: "v2.0.${{ github.run_number }}"
-      support_platforms: true
-      cosign: true
-    secrets: inherit

.github/workflows/build_dev.yaml

@@ -1,31 +0,0 @@
-name: build-dev
-
-on:
-  push:
-    branches: [ dev ]
-    paths-ignore:
-      - '**.yaml'
-      - '**.md'
-      - '**.sh'
-      - 'website/*'
-      - 'examples/*'
-      - 'docs/*'
-      - 'build/*'
-      - '.github/*'
-jobs:
-  test:
-    uses: ./.github/workflows/test.yaml
-    with:
-      release: "v2.0.${{ github.run_number }}"
-      client: test
- 
-  # publish-dev-image:
-  #   uses: ./.github/workflows/build-image.yaml
-  #   needs: test
-  #   with:
-  #     client: "image-dev"
-  #     image_name: "quay.io/${{ github.repository_owner }}/kubescape"
-  #     image_tag: "dev-v2.0.${{ github.run_number }}"
-  #     support_platforms: true
-  #     cosign: true
-  #   secrets: inherit

.github/workflows/c-release.yaml

@@ -0,0 +1,47 @@
+name: release
+
+on:
+  push:
+    tags:
+    # - 'v*.*.*-rc.*' # Comment out since the re-tagging process is not yet implemented
+    - 'v*.*.*'
+jobs:
+  test:
+    uses: ./.github/workflows/00-test.yaml
+    with:
+      release: ${{ github.ref_name}}
+      client: test
+  
+  # integration-test:
+  #   if: ${{ label == e2e-tests }}
+
+  # re-tag:
+  #   # if tests passed, create new tag without `rc`
+    
+  create-release:
+    uses: ./.github/workflows/01-create-release.yaml
+    needs: test
+    with:
+      release_name: "Release ${{ github.ref_name}}"
+      tag: ${{ github.ref_name}}
+    secrets: inherit
+
+  publish-artifacts:
+    uses: ./.github/workflows/02-publish-artifacts.yaml
+    needs: create-release
+    with:
+      upload_url: ${{ needs.create-release.outputs.upload_url }}
+      release: "${{ github.ref_name}}"
+    secrets: inherit
+       
+
+  publish-image:
+    uses: ./.github/workflows/03-publish-image.yaml
+    needs: create-release
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: "${{ github.ref_name}}"
+      support_platforms: true
+      cosign: true
+    secrets: inherit

.krew.yaml

@@ -0,0 +1,36 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  homepage: https://kubescape.io/
+  shortDescription: An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters
+  version: {{ .TagName }}
+  description: |
+    Kubescape is an open-source Kubernetes security platform.
+    It includes risk analysis, security compliance, and misconfiguration scanning.
+    Targeted at the DevSecOps practitioner or platform engineer,
+    it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+    It saves Kubernetes users and admins precious time, effort, and resources.
+    
+    Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository)
+    and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
+  platforms:
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ addURIAndSha "https://github.com/matthyx/kubescape/releases/download/{{ .TagName }}/kubescape-macos-latest.tar.gz" .TagName }}
+    bin: kubectl-kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ addURIAndSha "https://github.com/matthyx/kubescape/releases/download/{{ .TagName }}/kubescape-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubectl-kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ addURIAndSha "https://github.com/matthyx/kubescape/releases/download/{{ .TagName }}/kubescape-windows-latest.tar.gz" .TagName }}
+    bin: kubectl-kubescape.exe

build.py

@@ -3,9 +3,16 @@ import sys
 import hashlib
 import platform
 import subprocess
+import tarfile
 
 BASE_GETTER_CONST = "github.com/kubescape/kubescape/v2/core/cautils/getter"
 
+platformSuffixes = {
+    "Windows": "windows-latest",
+    "Linux": "ubuntu-latest",
+    "Darwin": "macos-latest",
+}
+
 def check_status(status, msg):
     if status != 0:
         sys.stderr.write(msg)
@@ -14,20 +21,18 @@ def check_status(status, msg):
 
 def get_build_dir():
     current_platform = platform.system()
-    build_dir = ""
 
-    if current_platform == "Windows": build_dir = "windows-latest"
-    elif current_platform == "Linux": build_dir = "ubuntu-latest"
-    elif current_platform == "Darwin": build_dir = "macos-latest"
-    else: raise OSError("Platform %s is not supported!" % (current_platform))
+    if current_platform not in platformSuffixes: raise OSError("Platform %s is not supported!" % (current_platform))
 
-    return os.path.join("build", build_dir)
+    return os.path.join("build", platformSuffixes[current_platform])
 
 
 def get_package_name():
-    package_name = "kubescape"
+    current_platform = platform.system()
 
-    return package_name
+    if current_platform not in platformSuffixes: raise OSError("Platform %s is not supported!" % (current_platform))
+
+    return "kubescape-" + platformSuffixes[current_platform]
 
 
 def main():
@@ -46,6 +51,7 @@ def main():
 
     ks_file = os.path.join(build_dir, package_name)
     hash_file = ks_file + ".sha256"
+    tar_file = ks_file + ".tar.gz"
 
     if not os.path.isdir(build_dir):
         os.makedirs(build_dir)
@@ -73,6 +79,9 @@ def main():
             print("kubescape hash: {}, file: {}".format(hash, hash_file))
             kube_sha.write(sha256.hexdigest())
 
+    with tarfile.open(tar_file, 'w:gz') as archive:
+        archive.add(ks_file, "kubescape")
+
     print("Build Done")
 
 

build/Dockerfile

@@ -31,7 +31,7 @@ RUN ls -ltr build/ubuntu-latest
 WORKDIR /work
 RUN python build.py
 
-RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
+RUN /work/build/ubuntu-latest/kubescape-ubuntu-latest download artifacts -o /work/artifacts
 
 FROM alpine:3.16.2
 
@@ -45,7 +45,7 @@ USER ks
 
 WORKDIR /home/ks
 
-COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
-COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
+COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape-ubuntu-latest /usr/bin/ksserver
+COPY --from=builder /work/build/ubuntu-latest/kubescape-ubuntu-latest /usr/bin/kubescape
 
 ENTRYPOINT ["ksserver"]

cmd/completion/completion.go

@@ -1,23 +1,23 @@
 package completion
 
 import (
+	"fmt"
 	"os"
 	"strings"
 
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
 
-var completionCmdExamples = `
-
+var completionCmdExamples = fmt.Sprintf(`
   # Enable BASH shell autocompletion
-  $ source <(kubescape completion bash)
-  $ echo 'source <(kubescape completion bash)' >> ~/.bashrc
+  $ source <(%[1]s completion bash)
+  $ echo 'source <(%[1]s completion bash)' >> ~/.bashrc
 
   # Enable ZSH shell autocompletion
   $ source <(kubectl completion zsh)
   $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
-
-`
+`, cautils.ExecName())
 
 func GetCompletionCmd() *cobra.Command {
 	completionCmd := &cobra.Command{

cmd/config/config.go

@@ -1,34 +1,37 @@
 package config
 
 import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	"github.com/spf13/cobra"
 )
 
 var (
-	configExample = `
+	configExample = fmt.Sprintf(`
   # View cached configurations 
-  kubescape config view
+  %[1]s config view
 
   # Delete cached configurations
-  kubescape config delete
+  %[1]s config delete
 
   # Set cached configurations
-  kubescape config set --help
-`
-	setConfigExample = `
+  %[1]s config set --help
+`, cautils.ExecName())
+	setConfigExample = fmt.Sprintf(`
   # Set account id
-  kubescape config set accountID <account id>
+  %[1]s config set accountID <account id>
 
   # Set client id
-  kubescape config set clientID <client id> 
+  %[1]s config set clientID <client id> 
 
   # Set access key
-  kubescape config set secretKey <access key>
+  %[1]s config set secretKey <access key>
 
   # Set cloudAPIURL
-  kubescape config set cloudAPIURL <cloud API URL>
-`
+  %[1]s config set cloudAPIURL <cloud API URL>
+`, cautils.ExecName())
 )
 
 func GetConfigCmd(ks meta.IKubescape) *cobra.Command {

cmd/delete/delete.go

@@ -1,18 +1,21 @@
 package delete
 
 import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )
 
-var deleteExceptionsExamples = `
+var deleteExceptionsExamples = fmt.Sprintf(`
   # Delete single exception
-  kubescape delete exceptions "exception name"
+  %[1]s delete exceptions "exception name"
 
   # Delete multiple exceptions
-  kubescape delete exceptions "first exception;second exception;third exception"
-`
+  %[1]s delete exceptions "first exception;second exception;third exception"
+`, cautils.ExecName())
 
 func GetDeleteCmd(ks meta.IKubescape) *cobra.Command {
 	var deleteInfo v1.Delete

cmd/delete/exceptions.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
@@ -13,7 +14,7 @@ import (
 func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command {
 	return &cobra.Command{
 		Use:     "exceptions <exception name>",
-		Short:   "Delete exceptions from Kubescape SaaS version. Run 'kubescape list exceptions' for all exceptions names",
+		Short:   fmt.Sprintf("Delete exceptions from Kubescape SaaS version. Run '%[1]s list exceptions' for all exceptions names", cautils.ExecName()),
 		Example: deleteExceptionsExamples,
 		Args: func(cmd *cobra.Command, args []string) error {
 			if len(args) != 1 {

cmd/download/download.go

@@ -14,31 +14,31 @@ import (
 )
 
 var (
-	downloadExample = `
+	downloadExample = fmt.Sprintf(`
   # Download all artifacts and save them in the default path (~/.kubescape)
-  kubescape download artifacts
+  %[1]s download artifacts
   
   # Download all artifacts and save them in /tmp path
-  kubescape download artifacts --output /tmp
+  %[1]s download artifacts --output /tmp
   
-  # Download the NSA framework. Run 'kubescape list frameworks' for all frameworks names
-  kubescape download framework nsa
+  # Download the NSA framework. Run '%[1]s list frameworks' for all frameworks names
+  %[1]s download framework nsa
 
-  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
-  kubescape download control "C-0001"
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control "C-0001"
 
-  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
-  kubescape download control C-0001
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control C-0001
 
   # Download the configured exceptions
-  kubescape download exceptions 
+  %[1]s download exceptions 
 
   # Download the configured controls-inputs 
-  kubescape download controls-inputs 
+  %[1]s download controls-inputs 
 
   # Download the attack tracks
-  kubescape download attack-tracks
-`
+  %[1]s download attack-tracks
+`, cautils.ExecName())
 )
 
 func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {

cmd/list/list.go

@@ -13,19 +13,19 @@ import (
 )
 
 var (
-	listExample = `
+	listExample = fmt.Sprintf(`
   # List default supported frameworks names
-  kubescape list frameworks
+  %[1]s list frameworks
   
   # List all supported frameworks names
-  kubescape list frameworks --account <account id>
+  %[1]s list frameworks --account <account id>
 	
   # List all supported controls names with ids
-  kubescape list controls
+  %[1]s list controls
   
   Control documentation:
   https://hub.armosec.io/docs/controls
-`
+`, cautils.ExecName())
 )
 
 func GetListCmd(ks meta.IKubescape) *cobra.Command {
@@ -65,7 +65,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
 	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
 	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
-	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outpus")
+	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outputs")
 
 	return listCmd
 }

cmd/root.go

@@ -26,19 +26,19 @@ import (
 
 var rootInfo cautils.RootInfo
 
-var ksExamples = `
+var ksExamples = fmt.Sprintf(`
   # Scan command
-  kubescape scan
+  %[1]s scan
 
   # List supported frameworks
-  kubescape list frameworks
+  %[1]s list frameworks
 
   # Download artifacts (air-gapped environment support)
-  kubescape download artifacts
+  %[1]s download artifacts
 
   # View cached configurations
-  kubescape config view
-`
+  %[1]s config view
+`, cautils.ExecName())
 
 func NewDefaultKubescapeCommand() *cobra.Command {
 	ks := core.NewKubescape()
@@ -53,6 +53,16 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 		Example: ksExamples,
 	}
 
+	if cautils.IsKrewPlugin() {
+		// Invoked as a kubectl plugin.
+
+		// Cobra doesn't have a way to specify a two word command (i.e. "kubectl kubescape"), so set a custom usage template
+		// with kubectl in it. Cobra will use this template for the root and all child commands.
+		oldUsageTemplate := rootCmd.UsageTemplate()
+		newUsageTemplate := strings.NewReplacer("{{.UseLine}}", "kubectl {{.UseLine}}", "{{.CommandPath}}", "kubectl {{.CommandPath}}").Replace(oldUsageTemplate)
+		rootCmd.SetUsageTemplate(newUsageTemplate)
+	}
+
 	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLsDep, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLs, "env", "", envFlagUsage)
 	rootCmd.PersistentFlags().MarkDeprecated("environment", "use 'env' instead")

cmd/scan/control.go

@@ -18,28 +18,28 @@ import (
 )
 
 var (
-	controlExample = `
+	controlExample = fmt.Sprintf(`
   # Scan the 'privileged container' control
-  kubescape scan control "privileged container"
+  %[1]s scan control "privileged container"
 	
   # Scan list of controls separated with a comma
-  kubescape scan control "privileged container","HostPath mount"
+  %[1]s scan control "privileged container","HostPath mount"
   
   # Scan list of controls using the control ID separated with a comma
-  kubescape scan control C-0058,C-0057
+  %[1]s scan control C-0058,C-0057
   
-  Run 'kubescape list controls' for the list of supported controls
+  Run '%[1]s list controls' for the list of supported controls
   
   Control documentation:
   https://hub.armosec.io/docs/controls
-`
+`, cautils.ExecName())
 )
 
 // controlCmd represents the control command
 func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
 	return &cobra.Command{
 		Use:     "control <control names list>/<control ids list>",
-		Short:   "The controls you wish to use. Run 'kubescape list controls' for the list of supported controls",
+		Short:   fmt.Sprintf("The controls you wish to use. Run '%[1]s list controls' for the list of supported controls", cautils.ExecName()),
 		Example: controlExample,
 		Args: func(cmd *cobra.Command, args []string) error {
 			if len(args) > 0 {
@@ -67,7 +67,7 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 
 			if len(args) == 0 {
 				scanInfo.ScanAll = true
-			} else { // expected control or list of control sepparated by ","
+			} else { // expected control or list of control separated by ","
 
 				// Read controls from input args
 				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)

cmd/scan/framework.go

@@ -20,24 +20,24 @@ import (
 )
 
 var (
-	frameworkExample = `
+	frameworkExample = fmt.Sprintf(`
   # Scan all frameworks
-  kubescape scan framework all
+  %[1]s scan framework all
   
   # Scan the NSA framework
-  kubescape scan framework nsa
+  %[1]s scan framework nsa
   
   # Scan the NSA and MITRE framework
-  kubescape scan framework nsa,mitre
+  %[1]s scan framework nsa,mitre
   
   # Scan all frameworks
-  kubescape scan framework all
+  %[1]s scan framework all
 
   # Scan kubernetes YAML manifest files (single file or glob)
-  kubescape scan framework nsa .
+  %[1]s scan framework nsa .
 
-  Run 'kubescape list frameworks' for the list of supported frameworks
-`
+  Run '%[1]s list frameworks' for the list of supported frameworks
+`, cautils.ExecName())
 
 	ErrUnknownSeverity = errors.New("unknown severity")
 )
@@ -46,7 +46,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 
 	return &cobra.Command{
 		Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
-		Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
+		Short:   fmt.Sprintf("The framework you wish to use. Run '%[1]s list frameworks' for the list of supported frameworks", cautils.ExecName()),
 		Example: frameworkExample,
 		Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
 		Args: func(cmd *cobra.Command, args []string) error {

cmd/scan/scan.go

@@ -10,25 +10,24 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var scanCmdExamples = `
+var scanCmdExamples = fmt.Sprintf(`
   Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
   # Scan current cluster with all frameworks
-  kubescape scan --enable-host-scan --verbose
+  %[1]s scan --enable-host-scan --verbose
 
   # Scan kubernetes YAML manifest files
-  kubescape scan .
+  %[1]s scan .
 
   # Scan and save the results in the JSON format
-  kubescape scan --format json --output results.json --format-version=v2
+  %[1]s scan --format json --output results.json --format-version=v2
 
   # Display all resources
-  kubescape scan --verbose
+  %[1]s scan --verbose
 
   # Scan different clusters from the kubectl context 
-  kubescape scan --kube-context <kubernetes context>
-  
-`
+  %[1]s scan --kube-context <kubernetes context>
+`, cautils.ExecName())
 
 func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	var scanInfo cautils.ScanInfo

cmd/submit/rbac.go

@@ -19,13 +19,13 @@ import (
 )
 
 var (
-	rbacExamples = `
+	rbacExamples = fmt.Sprintf(`
 	# Submit cluster's Role-Based Access Control(RBAC)
-	kubescape submit rbac
+	%[1]s submit rbac
 
 	# Submit cluster's Role-Based Access Control(RBAC) with account ID 
-	kubescape submit rbac --account <account-id>
-	`
+	%[1]s submit rbac --account <account-id>
+	`, cautils.ExecName())
 )
 
 // getRBACCmd represents the RBAC command
@@ -36,7 +36,7 @@ func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 		Example:    rbacExamples,
 		Short:      "Submit cluster's Role-Based Access Control(RBAC)",
 		Long:       ``,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 
 			if err := flagValidationSubmit(submitInfo); err != nil {
 				return err
@@ -51,7 +51,7 @@ func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 			}
 
 			if clusterConfig.GetAccountID() == "" {
-				return fmt.Errorf("account ID is not set, run 'kubescape submit rbac --account <account-id>'")
+				return fmt.Errorf("account ID is not set, run '%[1]s submit rbac --account <account-id>'", cautils.ExecName())
 			}
 
 			// list RBAC

cmd/submit/results.go

@@ -6,6 +6,7 @@ import (
 	"os"
 
 	"github.com/google/uuid"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 
 	logger "github.com/kubescape/go-logger"
@@ -50,7 +51,7 @@ func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinter
 
 func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 	var resultsCmd = &cobra.Command{
-		Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json --format-version v2",
+		Use:   fmt.Sprintf("results <json file>\nExample:\n$ %[1]s submit results path/to/results.json --format-version v2", cautils.ExecName()),
 		Short: "Submit a pre scanned results file. The file must be in json format",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -87,7 +88,7 @@ func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 			return nil
 		},
 	}
-	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
 
 	return resultsCmd
 }

cmd/submit/submit.go

@@ -1,18 +1,21 @@
 package submit
 
 import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )
 
-var submitCmdExamples = `
+var submitCmdExamples = fmt.Sprintf(`
 # Submit Kubescape scan results file
-kubescape submit results
+%[1]s submit results
 
 # Submit exceptions file to Kubescape SaaS
-kubescape submit exceptions
-`
+%[1]s submit exceptions
+`, cautils.ExecName())
 
 func GetSubmitCmd(ks meta.IKubescape) *cobra.Command {
 	var submitInfo metav1.Submit

core/cautils/getter/loadpolicy.go

@@ -160,7 +160,7 @@ func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
 			continue
 		}
 
-		if framework.Name == "" || contains(frameworkNames, framework.Name) {
+		if contains(frameworkNames, framework.Name) {
 			continue
 		}
 

core/cautils/getter/loadpolicy_test.go

@@ -179,29 +179,6 @@ func TestLoadPolicy(t *testing.T) {
 			require.Equal(t, extraFramework, fws[1])
 		})
 
-		t.Run("should not return an empty framework", func(t *testing.T) {
-			t.Parallel()
-
-			const (
-				extraFramework = "NSA"
-				attackTracks   = "attack-tracks"
-				controlsInputs = "controls-inputs"
-			)
-			p := NewLoadPolicy([]string{
-				testFrameworkFile(testFramework),
-				testFrameworkFile(extraFramework),
-				testFrameworkFile(attackTracks),   // should be ignored
-				testFrameworkFile(controlsInputs), // should be ignored
-			})
-			fws, err := p.ListFrameworks()
-			require.NoError(t, err)
-			require.Len(t, fws, 2)
-			require.NotContains(t, fws, "")
-
-			require.Equal(t, testFramework, fws[0])
-			require.Equal(t, extraFramework, fws[1])
-		})
-
 		t.Run("should fail on file error", func(t *testing.T) {
 			t.Parallel()
 

core/cautils/getter/testdata/controls-inputs.json

@@ -1,125 +0,0 @@
-{
-  "publicRegistries": [],
-  "untrustedRegistries": [],
-  "listOfDangerousArtifacts": [
-    "bin/bash",
-    "sbin/sh",
-    "bin/ksh",
-    "bin/tcsh",
-    "bin/zsh",
-    "usr/bin/scsh",
-    "bin/csh",
-    "bin/busybox",
-    "usr/bin/busybox"
-  ],
-  "sensitiveKeyNames": [
-    "aws_access_key_id",
-    "aws_secret_access_key",
-    "azure_batchai_storage_account",
-    "azure_batchai_storage_key",
-    "azure_batch_account",
-    "azure_batch_key",
-    "secret",
-    "key",
-    "password",
-    "pwd",
-    "token",
-    "jwt",
-    "bearer",
-    "credential"
-  ],
-  "servicesNames": [
-    "nifi-service",
-    "argo-server",
-    "minio",
-    "postgres",
-    "workflow-controller-metrics",
-    "weave-scope-app",
-    "kubernetes-dashboard"
-  ],
-  "memory_limit_max": [],
-  "cpu_request_min": [],
-  "wlKnownNames": [
-    "coredns",
-    "kube-proxy",
-    "event-exporter-gke",
-    "kube-dns",
-    "17-default-backend",
-    "metrics-server",
-    "ca-audit",
-    "ca-dashboard-aggregator",
-    "ca-notification-server",
-    "ca-ocimage",
-    "ca-oracle",
-    "ca-posture",
-    "ca-rbac",
-    "ca-vuln-scan",
-    "ca-webhook",
-    "ca-websocket",
-    "clair-clair"
-  ],
-  "sensitiveInterfaces": [
-    "nifi",
-    "argo-server",
-    "weave-scope-app",
-    "kubeflow",
-    "kubernetes-dashboard",
-    "jenkins",
-    "prometheus-deployment"
-  ],
-  "max_high_vulnerabilities": [
-    "10"
-  ],
-  "sensitiveValues": [
-    "BEGIN \\w+ PRIVATE KEY",
-    "PRIVATE KEY",
-    "eyJhbGciO",
-    "JWT",
-    "Bearer",
-    "_key_",
-    "_secret_"
-  ],
-  "memory_request_max": [],
-  "memory_request_min": [],
-  "cpu_request_max": [],
-  "cpu_limit_max": [],
-  "cpu_limit_min": [],
-  "insecureCapabilities": [
-    "SETPCAP",
-    "NET_ADMIN",
-    "NET_RAW",
-    "SYS_MODULE",
-    "SYS_RAWIO",
-    "SYS_PTRACE",
-    "SYS_ADMIN",
-    "SYS_BOOT",
-    "MAC_OVERRIDE",
-    "MAC_ADMIN",
-    "PERFMON",
-    "ALL",
-    "BPF"
-  ],
-  "max_critical_vulnerabilities": [
-    "5"
-  ],
-  "sensitiveValuesAllowed": [],
-  "memory_limit_min": [],
-  "recommendedLabels": [
-    "app",
-    "tier",
-    "phase",
-    "version",
-    "owner",
-    "env"
-  ],
-  "k8sRecommendedLabels": [
-    "app.kubernetes.io/name",
-    "app.kubernetes.io/instance",
-    "app.kubernetes.io/version",
-    "app.kubernetes.io/component",
-    "app.kubernetes.io/part-of",
-    "app.kubernetes.io/managed-by",
-    "app.kubernetes.io/created-by"
-  ],
-  "imageRepositoryAllowList": []
-}

core/cautils/krewutils.go

@@ -0,0 +1,20 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ExecName returns the correct name to use in examples depending on how kubescape is invoked
+func ExecName() string {
+	n := "kubescape"
+	if IsKrewPlugin() {
+		return "kubectl " + n
+	}
+	return n
+}
+
+func IsKrewPlugin() bool {
+	return strings.HasPrefix(filepath.Base(os.Args[0]), "kubectl-")
+}