go lint

Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io>

.dockerignore

@@ -0,0 +1,2 @@
+git2go
+kubescape

.gitattributes

@@ -0,0 +1,2 @@
+# Keep CRLF newlines in appropriate test files to have reproducible tests
+core/pkg/fixhandler/testdata/inserts/*-crlf-newlines.yaml text eol=crlf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -2,33 +2,32 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: ''
+labels: 'bug'
 assignees: ''
 
 ---
 
-# Describe the bug
-A clear and concise description of what the bug is.
+# Description
+<!-- A clear and concise description of what the bug is. -->
 
 # Environment
-OS: the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS
-Version: the version that Kubescape reports when you run `kubescape version`
-```
-Your current version is:
-```
-
+OS: ` ` <!-- the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS  -->
+Version: ` ` <!-- the version that Kubescape reports when you run `kubescape version`  -->
+ 
 # Steps To Reproduce
+<!--
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
+-->
 
 # Expected behavior
-A clear and concise description of what you expected to happen.
+<!-- A clear and concise description of what you expected to happen. -->
 
 # Actual Behavior
-A clear and concise description of what happened. If applicable, add screenshots to help explain your problem.
+<!-- A clear and concise description of what happened. If applicable, add screenshots to help explain your  problem. -->
 
 # Additional context
-Add any other context about the problem here.
+<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,18 +2,23 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: ''
+labels: 'feature'
 assignees: ''
 
 ---
-**Is your feature request related to a problem? Please describe.**</br>
- > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-**Describe the solution you'd like.**</br>
- > A clear and concise description of what you want to happen.
+## Overview
+<!-- A brief overview of the related current state -->
 
-**Describe alternatives you've considered.**</br>
- > A clear and concise description of any alternative solutions or features you've considered.
+## Problem
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
 
-**Additional context.**</br>
- > Add any other context or screenshots about the feature request here.
+## Solution
+<!-- A clear and concise description of what you want to happen. -->
+
+## Alternatives
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+<!-- Add any other context or screenshots about the feature request here. -->
+ 

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,13 +1,39 @@
-## Describe your changes
+## Overview
+<!-- Please provide a brief overview of the changes made in this pull request. e.g. current behavior/future behavior -->
 
-## Screenshots - If Any (Optional)
+<!-- 
+## Additional Information
 
-## This PR fixes:
+> Any additional information that may be useful for reviewers to know 
+-->
 
-* Resolved #
+<!--
+## How to Test
 
+> Please provide instructions on how to test the changes made in this pull request
+-->
+
+<!--
+## Examples/Screenshots
+
+> Here you add related screenshots 
+-->
+
+<!-- 
+## Related issues/PRs:
+
+Here you add related issues and PRs.
+If this resolved an issue, write "Resolved #<issue number>
+
+e.g. If this PR resolves issues 1 and 2, it should look as follows:
+* Resolved #1
+* Resolved #2
+-->
+
+<!--
 ## Checklist before requesting a review
-<!-- put an [x] in the box to get it checked -->
+
+put an [x] in the box to get it checked 
 
 - [ ] My code follows the style guidelines of this project
 - [ ] I have commented on my code, particularly in hard-to-understand areas
@@ -15,4 +41,4 @@
 - [ ] If it is a core feature, I have added thorough tests.
 - [ ] New and existing unit tests pass locally with my changes
 
-**Please open the PR against the `dev` branch (Unless the PR contains only documentation changes)**
+--> 

.github/actions/tag-action/action.yaml

@@ -0,0 +1,44 @@
+name: 'Tag validator and retag'
+description: 'This action will check if the tag is rc and create a new tag for release'
+inputs:
+  ORIGINAL_TAG:  # id of input
+    description: 'Original tag'
+    required: true
+    default: ${{ github.ref_name }}
+  SUB_STRING: 
+    description: 'Sub string for rc tag'
+    required: true
+    default: "-rc"
+outputs:
+  NEW_TAG:
+    description: "The new tag for release"
+    value: ${{ steps.retag.outputs.NEW_TAG }}
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        if [[ -z "${{ inputs.ORIGINAL_TAG }}" ]]; then
+          echo "The value of ORIGINAL_TAG is ${{ inputs.ORIGINAL_TAG }}"
+          echo "Setting the value of ORIGINAL_TAG to ${{ github.ref_name }}"
+          echo ORIGINAL_TAG="${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+      shell: bash
+
+    - run: |
+        if [[ "${{ inputs.ORIGINAL_TAG }}" == *"${{ inputs.SUB_STRING }}"* ]]; then
+            echo "Release candidate tag found."
+        else
+            echo "Release candidate tag not found."
+            exit 1
+        fi
+      shell: bash
+
+
+    - id: retag
+      run: | 
+          NEW_TAG=
+          echo "Original tag: ${{ inputs.ORIGINAL_TAG }}"
+          NEW_TAG=$(echo ${{ inputs.ORIGINAL_TAG }} | awk -F '-rc' '{print $1}')
+          echo "New tag: $NEW_TAG"
+          echo "NEW_TAG=$NEW_TAG" >> $GITHUB_OUTPUT
+      shell: bash

.github/dependabot.yaml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/00-pr-scanner.yaml

@@ -0,0 +1,41 @@
+name: 00-pr_scanner
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+    paths-ignore:
+      - '**.yaml'
+      - '**.yml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
+      
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pr-scanner:
+    permissions:
+      pull-requests: write
+    uses: ./.github/workflows/a-pr-scanner.yaml
+    with:
+      RELEASE: ""
+      CLIENT: test
+    secrets: inherit
+ 
+  binary-build:
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 1
+      GO111MODULE: ""
+      GO_VERSION: "1.20"
+      RELEASE: ""
+      CLIENT: test
+      ARCH_MATRIX: '[ "" ]'
+      OS_MATRIX: '[ "ubuntu-20.04" ]'
+    secrets: inherit

.github/workflows/02-release.yaml

@@ -0,0 +1,51 @@
+name: 02-create_release
+on:
+  push:
+    tags:
+      - 'v*.*.*-rc.*'
+jobs:
+  retag:
+    outputs:
+      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - id: tag-calculator
+        uses: ./.github/actions/tag-action
+        with:
+          SUB_STRING: "-rc"
+  binary-build:
+    needs: [retag]
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 1
+      GO111MODULE: ""
+      GO_VERSION: "1.20"
+      RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
+      CLIENT: release
+    secrets: inherit
+  create-release:
+    permissions:
+      contents: write
+    needs: [retag, binary-build]
+    uses: ./.github/workflows/c-create-release.yaml
+    with:
+      RELEASE_NAME: "Release ${{ needs.retag.outputs.NEW_TAG }}"
+      TAG: ${{ needs.retag.outputs.NEW_TAG }}
+      DRAFT: false
+    secrets: inherit
+  publish-image:
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+    uses: ./.github/workflows/d-publish-image.yaml
+    needs: [create-release, retag]
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: ${{ needs.retag.outputs.NEW_TAG }}
+      support_platforms: true
+      cosign: true
+    secrets: inherit

.github/workflows/03-post-release.yaml

@@ -0,0 +1,41 @@
+name: 03-post_release
+on:
+  release:
+    types: [published]
+    branches:
+      - 'master'
+      - 'main'
+jobs:
+  post_release:
+    name: Post release jobs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Digest
+        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
+        with:
+          hash-type: sha1
+          file-name: kubescape-release-digests
+      - name: Invoke workflow to update packaging
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/packaging
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update homebrew tap
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/homebrew-tap
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update github action
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yaml
+          repo: kubescape/github-action
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/04-publish-krew-plugin.yaml

@@ -0,0 +1,16 @@
+name: 04-publish_krew_plugin
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+jobs:
+  publish_krew_plugin:
+    name: Publish Krew plugin
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'kubescape'
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43

.github/workflows/README.md

@@ -0,0 +1,52 @@
+# Kubescape workflows
+
+Tag terminology: `v<major>.<minor>.<patch>`
+
+## Developing process
+
+Kubescape's main branch is `main`, any PR will be opened against the main branch.
+
+### Opening a PR
+
+When a user opens a PR, this will trigger some basic tests (units, license, etc.)
+
+### Reviewing a PR
+
+The reviewer/maintainer of a PR will decide whether the PR introduces changes that require running the E2E system tests. If so, the reviewer will add the `trigger-integration-test` label.
+
+### Approving a PR
+
+Once a maintainer approves the PR, if the `trigger-integration-test` label was added to the PR, the GitHub actions will trigger the system test. The PR will be merged only after the system tests passed successfully. If the label was not added, the PR can be merged. 
+
+### Merging a PR
+
+The code is merged, no other actions are needed
+
+
+## Release process
+
+Every two weeks, we will create a new tag by bumping the minor version, this will create the release and publish the artifacts. 
+If we are introducing breaking changes, we will update the `major` version instead.
+
+When we wish to push a hot-fix/feature within the two weeks, we will bump the `patch`.
+
+### Creating a new tag
+Every two weeks or upon the decision of the maintainers, a maintainer can create a tag.
+
+The tag should look as follows: `v<A>.<B>.<C>-rc.D` (release candidate). 
+
+When creating a tag, GitHub will trigger the following actions:
+1. Basic tests - unit tests, license, etc.
+2. System tests (integration tests). If the tests fail, the actions will stop here.
+3. Create a new tag: `v<A>.<B>.<C>` (same tag just without the `rc` suffix)
+4. Create a release
+5. Publish artifacts
+6. Build and publish the docker image (this is meanwhile until we separate the microservice code from the LCI codebase)
+ 
+## Additional Information
+
+The "callers" have the alphabetic prefix and the "executes" have the numeric prefix
+
+## Screenshot
+
+<img width="1469" alt="image" src="https://user-images.githubusercontent.com/64066841/212532727-e82ec9e7-263d-408b-b4b0-a8c943f0109a.png">

.github/workflows/a-pr-scanner.yaml

@@ -0,0 +1,89 @@
+name: a-pr-scanner
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        description: 'release'
+        required: true
+        type: string
+      CLIENT:
+        description: 'Client name'
+        required: true
+        type: string
+      UNIT_TESTS_PATH:
+        required: false
+        type: string
+        default: "./..."
+jobs:
+  scanners:
+    env:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    name: PR Scanner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: recursive
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # Install go because go-licenses use it ratchet:actions/setup-go@v3
+        name: Installing go
+        with:
+          go-version: '1.20'
+          cache: true
+      - name: Scanning - Forbidden Licenses (go-licenses)
+        id: licenses-scan
+        continue-on-error: true
+        run: |
+          echo "## Installing go-licenses tool"
+          go install github.com/google/go-licenses@latest
+          echo "## Scanning for forbiden licenses ##"
+          go-licenses check .
+      - name: Scanning - Credentials (GitGuardian)
+        if: ${{ env.GITGUARDIAN_API_KEY }}
+        continue-on-error: true
+        id: credentials-scan
+        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
+        with:
+          args: -v --all-policies
+        env:
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      - name: Scanning - Vulnerabilities (Snyk)
+        if: ${{ env.SNYK_TOKEN }}
+        id: vulnerabilities-scan
+        continue-on-error: true
+        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
+        with:
+          command: test --all-projects
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Test coverage
+        id: unit-test
+        run: go test -v ${{ inputs.UNIT_TESTS_PATH }} -covermode=count -coverprofile=coverage.out
+
+      - name: Convert coverage count to lcov format
+        uses: jandelgado/gcov2lcov-action@v1
+        
+      - name: Submit coverage tests to Coveralls
+        continue-on-error: true
+        uses: coverallsapp/github-action@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: coverage.lcov
+
+      - name: Comment results to PR
+        continue-on-error: true # Warning: This might break opening PRs from forks
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Scan results:
+            - License scan: ${{ steps.licenses-scan.outcome }}
+            - Credentials scan: ${{ steps.credentials-scan.outcome }}
+            - Vulnerabilities scan: ${{ steps.vulnerabilities-scan.outcome }}
+          reactions: 'eyes'

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -0,0 +1,347 @@
+name: b-binary-build-and-e2e-tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      COMPONENT_NAME:
+        required: false
+        type: string
+        default: "kubescape"
+      RELEASE:
+        required: false
+        type: string
+        default: ""
+      CLIENT:
+        required: false
+        type: string
+        default: "test"
+      GO_VERSION:
+        required: false
+        type: string
+        default: "1.20"
+      GO111MODULE:
+        required: false
+        type: string
+        default: ""
+      CGO_ENABLED:
+        type: number
+        default: 1
+        required: false
+      OS_MATRIX:
+        type: string
+        required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_MATRIX:
+        type: string
+        required: false
+        default: '[ "", "arm64"]'
+      BINARY_TESTS:
+        type: string
+        required: false
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
+
+  workflow_call:
+    inputs:
+      COMPONENT_NAME:
+        required: true
+        type: string
+      RELEASE:
+        required: true
+        type: string
+      CLIENT:
+        required: true
+        type: string
+      GO_VERSION:
+        type: string
+        default: "1.20"
+      GO111MODULE:
+        required: true
+        type: string
+      CGO_ENABLED:
+        type: number
+        default: 1
+      BINARY_TESTS:
+        type: string
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing", "unified_configuration_config_view", "unified_configuration_config_set", "unified_configuration_config_delete" ]'
+      OS_MATRIX:
+        type: string
+        required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_MATRIX:
+        type: string
+        required: false
+        default: '[ "", "arm64"]'
+  
+jobs:
+  wf-preparation:
+    name: secret-validator
+    runs-on: ubuntu-latest
+    outputs:
+      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
+      OS_MATRIX: ${{ steps.export_os_to_env.outputs.OS_MATRIX }}
+      ARCH_MATRIX: ${{ steps.export_arch_to_env.outputs.ARCH_MATRIX }}
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+
+    steps:
+      - name: check if the necessary secrets are set in github secrets
+        id: check-secret-set
+        env:
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
+
+      - id: export_os_to_env
+        name: set test name
+        run: |
+          echo "OS_MATRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.OS_MATRIX }}
+
+      - id: export_tests_to_env
+        name: set test name
+        run: |
+          echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.BINARY_TESTS }}
+
+      - id: export_arch_to_env
+        name: set test name
+        run: |
+          echo "ARCH_MATRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.ARCH_MATRIX }}
+      
+
+  binary-build:
+    name: Create cross-platform build
+    needs: wf-preparation
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GOARCH: ${{ matrix.arch }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: ${{ fromJson(needs.wf-preparation.outputs.OS_MATRIX) }}
+        arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_MATRIX) }}
+        exclude:
+        - os: windows-latest
+          arch: arm64
+    steps:
+
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-20.04'
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest'
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
+        name: Installing go
+        with:
+          go-version: ${{ inputs.GO_VERSION }}
+          cache: true
+
+      - name: start ${{ matrix.arch }} environment in container
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y binfmt-support qemu-user-static
+          sudo docker run --platform linux/${{ matrix.arch }} -e RELEASE=${{ inputs.RELEASE }} \
+          -e CLIENT=${{ inputs.CLIENT }} -e CGO_ENABLED=${{ inputs.CGO_ENABLED }} \
+          -e KUBESCAPE_SKIP_UPDATE_CHECK=true -e GOARCH=${{ matrix.arch }} -v ${PWD}:/work \
+          -w /work -v ~/go/pkg/mod:/root/go/pkg/mod -v ~/.cache/go-build:/root/.cache/go-build \
+          -d --name build golang:${{ inputs.GO_VERSION }}-bullseye sleep 21600
+          sudo docker ps
+          DOCKER_CMD="sudo docker exec build"
+          ${DOCKER_CMD} apt update
+          ${DOCKER_CMD} apt install -y cmake python3
+          ${DOCKER_CMD} git config --global --add safe.directory '*'
+          echo "DOCKER_CMD=${DOCKER_CMD}" >> $GITHUB_ENV;
+        if: matrix.os == 'ubuntu-20.04' && matrix.arch != ''
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: pwsh
+        run: .\build.ps1 all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install pkg-config (macOS)
+        run: brew install pkg-config
+        if: matrix.os == 'macos-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: ${{ env.DOCKER_CMD }} make libgit2${{ matrix.arch }}
+        if: matrix.os != 'windows-latest'
+
+      - name: Test core pkg
+        run: ${{ env.DOCKER_CMD }} go test "-tags=static,gitenabled" -v ./...
+        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
+
+      - name: Test httphandler pkg
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test "-tags=static,gitenabled" -v ./...'
+        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
+
+      - name: Build
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          CLIENT: ${{ inputs.CLIENT }}
+          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
+        run: ${{ env.DOCKER_CMD }} python3 --version && ${{ env.DOCKER_CMD }} python3 build.py
+
+      - name: Smoke Testing (Windows / MacOS)
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
+        if: startsWith(github.ref, 'refs/tags') && matrix.os != 'ubuntu-20.04' && matrix.arch == ''
+
+      - name: Smoke Testing (Linux amd64)
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
+        if: matrix.os == 'ubuntu-20.04' && matrix.arch == ''
+
+      - name: Smoke Testing (Linux ${{ matrix.arch }})
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ./build/kubescape-${{ matrix.arch }}-ubuntu-latest
+        if: startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch != ''
+
+      - name: golangci-lint
+        if: matrix.os == 'ubuntu-20.04'
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
+        with:
+          version: latest
+          args: --timeout 10m --build-tags=static
+          only-new-issues: true
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
+        name: Upload artifact (Linux)
+        if: matrix.os == 'ubuntu-20.04'
+        with:
+          name: kubescape${{ matrix.arch }}-ubuntu-latest
+          path: build/
+          if-no-files-found: error
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
+        name: Upload artifact (MacOS, Win)
+        if: matrix.os != 'ubuntu-20.04'
+        with:
+          name: kubescape${{ matrix.arch }}-${{ matrix.os }}
+          path: build/
+          if-no-files-found: error
+
+  run-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }}
+    needs: [wf-preparation, binary-build]
+    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
+    runs-on: ubuntu-latest # This cannot change
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+        id: download-artifact
+        with:
+          name: kubescape-ubuntu-latest
+          path: "~"
+
+      - run: ls -laR
+
+      - name: chmod +x
+        run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
+
+      - name: Checkout systests repo
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          repository: armosec/system-tests
+          ref: remove-urls
+          path: .
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
+        with:
+          python-version: '3.8.13'
+          cache: 'pip'
+
+      - name: create env
+        run: ./create_env.sh
+
+      - name: Generate uuid
+        id: uuid
+        run: |
+          echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT
+
+      - name: Create k8s Kind Cluster
+        id: kind-cluster-install
+        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
+        with:
+          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}
+
+      - name: run-tests-on-local-built-kubescape
+        env:
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: |
+          echo "Test history:"
+          echo " ${{ matrix.TEST }} " >/tmp/testhistory
+          cat /tmp/testhistory
+          source systests_python_env/bin/activate
+
+          python3 systest-cli.py             \
+            -t ${{ matrix.TEST }}            \
+            -b production                    \
+            -c CyberArmorTests               \
+            --duration 3                     \
+            --logger DEBUG                   \
+            --kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
+
+          deactivate
+
+      - name: Test Report
+        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
+        if: always() # always run even if the previous step fails
+        with:
+          report_paths: '**/results_xml_format/**.xml'
+          commit: ${{github.event.workflow_run.head_sha}}

.github/workflows/build-image.yaml

@@ -1,80 +1,34 @@
-name: build
+name: build-image
 
 on:
-  workflow_call:
-    inputs:
-      client:
-        description: 'client name'
-        required: true
-        type: string
-      image_tag:
-        description: 'image tag'
-        required: true
-        type: string
-      image_name:
-        description: 'image registry and name'
-        required: true
-        type: string
-      cosign:
-        required: false
-        default: false
-        type: boolean
-        description: 'run cosign on released image'
-      support_platforms:
-        required: false
-        default: true
-        type: boolean
-        description: 'support amd64/arm64'
-
-    secrets:
-      QUAYIO_REGISTRY_USERNAME:
-        required: true
-      QUAYIO_REGISTRY_PASSWORD:
-        required: true
-
+    workflow_dispatch:
+      inputs:
+        CLIENT:
+          required: false
+          type: string
+          default: "test"
+        IMAGE_TAG:
+          required: true
+          type: string
+        CO_SIGN:
+          type: boolean
+          required: false
+          default: false
+        PLATFORMS:
+            type: boolean
+            required: false
+            default: false
 jobs:
-  build-image:
-    name: Build image and upload to registry
-    runs-on: ubuntu-latest
+  publish-image:
     permissions:
       id-token: write
       packages: write
       contents: read
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to Quay.io
-        env:
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-
-      - name: Build and push image
-        if: ${{ inputs.support_platforms }}
-        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
-     
-      - name: Build and push image without amd64/arm64 support
-        if: ${{ !inputs.support_platforms }}
-        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.12.0'
-      - name: sign kubescape container image
-        if: ${{ inputs.cosign }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-            cosign sign --force ${{ inputs.image_name }}:latest
-            cosign sign --force ${{ inputs.image_name }}:${{ inputs.image_tag }}
-
+    uses: ./.github/workflows/d-publish-image.yaml
+    with:
+      client: ${{ inputs.CLIENT }}
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: ${{ inputs.IMAGE_TAG }}
+      support_platforms: ${{ inputs.PLATFORMS }}
+      cosign: ${{ inputs.CO_SIGN }}
+    secrets: inherit

.github/workflows/build.yaml

@@ -1,91 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ]
-    paths-ignore:
-      # Do not run the pipeline if only Markdown files changed
-      - '**.md'
-jobs:
-  test:
-    uses: ./.github/workflows/test.yaml
-    with:
-      release: "v2.0.${{ github.run_number }}"
-      client: test
-
-  create-release:
-    uses: ./.github/workflows/release.yaml
-    needs: test
-    with:
-      release_name: "Release v2.0.${{ github.run_number }}"
-      tag_name: "v2.0.${{ github.run_number }}"
-    secrets: inherit
-
-  publish-artifacts:
-    name: Build and publish artifacts
-    needs: create-release
-    runs-on: ${{ matrix.os }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
- 
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
-
-      - name: Build
-        env:
-          RELEASE: v2.0.${{ github.run_number }}
-          CLIENT: release
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
- 
-      - name: Upload release binaries
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/${{ matrix.os }}/kubescape
-          asset_name: kubescape-${{ matrix.os }}
-          asset_content_type: application/octet-stream
-
-      - name: Upload release hash
-        id: upload-release-hash
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: build/${{ matrix.os }}/kubescape.sha256
-          asset_name: kubescape-${{ matrix.os }}-sha256
-          asset_content_type: application/octet-stream
-  
-  publish-image:
-    if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
-    uses: ./.github/workflows/build-image.yaml
-    needs: create-release
-    with:
-      client: "image-release"
-      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
-      image_tag: "v2.0.${{ github.run_number }}"
-      support_platforms: false
-      cosign: true
-    secrets: inherit

.github/workflows/build_dev.yaml

@@ -1,26 +0,0 @@
-name: build-dev
-
-on:
-  push:
-    branches: [ dev ]
-    paths-ignore:
-      # Do not run the pipeline if only Markdown files changed
-      - '**.md'
-jobs:
-  test:
-    uses: ./.github/workflows/test.yaml
-    with:
-      release: "v2.0.${{ github.run_number }}"
-      client: test
- 
-  publish-dev-image:
-    if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
-    uses: ./.github/workflows/build-image.yaml
-    needs: test
-    with:
-      client: "image-dev"
-      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
-      image_tag: "dev-v2.0.${{ github.run_number }}"
-      support_platforms: false
-      cosign: true
-    secrets: inherit

.github/workflows/c-create-release.yaml

@@ -0,0 +1,72 @@
+name: c-create_release
+on:
+  workflow_call:
+    inputs:
+      RELEASE_NAME:
+        description: 'Release name'
+        required: true
+        type: string
+      TAG:
+        description: 'Tag name'
+        required: true
+        type: string
+      DRAFT:
+        description: 'Create draft release'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  create-release:
+    name: create-release
+    runs-on: ubuntu-latest
+    env:
+      MAC_OS: macos-latest
+      UBUNTU_OS: ubuntu-latest
+      WINDOWS_OS: windows-latest
+    # permissions:
+    #   contents: write
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+        id: download-artifact
+        with:
+          path: .
+
+      # TODO: kubescape-windows-latest is deprecated and should be removed
+      - name: Get kubescape.exe from kubescape-windows-latest
+        run: cp ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }} ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
+
+      - name: Set release token
+        run: |
+          if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then
+            echo "TOKEN=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_ENV;
+          else
+            echo "TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV;
+          fi
+      - name: Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # ratchet:softprops/action-gh-release@v1
+        with:
+          token: ${{ env.TOKEN }}
+          name: ${{ inputs.RELEASE_NAME }}
+          tag_name: ${{ inputs.TAG }}
+          body: ${{ github.event.pull_request.body }}
+          draft: ${{ inputs.DRAFT }}
+          fail_on_unmatched_files: true
+          prerelease: false
+          # TODO: kubescape-windows-latest is deprecated and should be removed
+          files: |
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}
+            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}
+            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.sha256
+            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.tar.gz
+            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}
+            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.sha256
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.tar.gz
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.sha256
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.tar.gz
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz

.github/workflows/codesee-arch-diagram.yml

@@ -0,0 +1,30 @@
+# This workflow was added by CodeSee. Learn more at https://codesee.io/
+# This is v2.0 of this workflow file
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+    - '**.yaml'
+    - '**.yml'
+    - '**.md'
+    - '**.sh'
+    - 'website/*'
+    - 'examples/*'
+    - 'docs/*'
+    - 'build/*'
+    - '.github/*'  
+
+name: CodeSee
+
+permissions: read-all
+
+jobs:
+  codesee:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    name: Analyze the repo with CodeSee
+    steps:
+      - uses: Codesee-io/codesee-action@v2
+        with:
+          codesee-token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
+          codesee-url: https://app.codesee.io

.github/workflows/comments.yaml

@@ -0,0 +1,23 @@
+name: pr-agent
+
+on:
+  issue_comment:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  pr_agent:
+    runs-on: ubuntu-latest
+    name: Run pr agent on every pull request, respond to user comments
+    steps:
+      - name: PR Agent action step
+        continue-on-error: true
+        id: pragent
+        uses: Codium-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+   
+

.github/workflows/community.yml

@@ -1,22 +0,0 @@
-on:
-  fork:
-  issues:
-    types: [opened]
-  issue_comment:
-    types: [created]
-  pull_request_target:
-    types: [opened]
-  pull_request_review_comment:
-    types: [created]
-
-jobs:
-  welcome:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v1
-      - uses: EddieHubCommunity/gh-action-community/src/welcome@main
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          issue-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and reporting an issue</h3>'
-          pr-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and contributing to the open source community</h3>'
-          footer: '<h4>We will try to review as soon as possible!</h4>'

.github/workflows/d-publish-image.yaml

@@ -0,0 +1,74 @@
+name: d-publish-image
+on:
+  workflow_call:
+    inputs:
+      client:
+        description: 'client name'
+        required: true
+        type: string
+      image_tag:
+        description: 'image tag'
+        required: true
+        type: string
+      image_name:
+        description: 'image registry and name'
+        required: true
+        type: string
+      cosign:
+        required: false
+        default: false
+        type: boolean
+        description: 'run cosign on released image'
+      support_platforms:
+        required: false
+        default: true
+        type: boolean
+        description: 'support amd64/arm64'
+jobs:
+  check-secret:
+    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+    runs-on: ubuntu-latest
+    outputs:
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+    steps:
+      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+        id: check-secret-set
+        env:
+          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+        run: |
+          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
+  build-image:
+    needs: [check-secret]
+    if: needs.check-secret.outputs.is-secret-set == 'true'
+    name: Build image and upload to registry
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
+      - name: Login to Quay.io
+        env:
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+      - name: Build and push image
+        if: ${{ inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
+      - name: Build and push image without amd64/arm64 support
+        if: ${{ !inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # ratchet:sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.12.0'
+      - name: sign kubescape container image
+        if: ${{ inputs.cosign }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          cosign sign --force ${{ inputs.image_name }}

.github/workflows/post-release.yaml

@@ -1,17 +0,0 @@
-name: create release digests
-
-on:
-  release:
-    types: [ published]
-    branches: [ master ]
-  
-jobs:
-  once:
-    name: Creating digests
-    runs-on: ubuntu-latest
-    steps:
-      - name: Digest
-        uses: MCJack123/ghaction-generate-release-hashes@v1
-        with:
-          hash-type: sha1
-          file-name: kubescape-release-digests

.github/workflows/pr_checks.yaml

@@ -1,16 +0,0 @@
-name: pr-checks
-
-on:
-  pull_request:
-    branches: [ master, dev ]
-    types: [ edited, opened, synchronize, reopened ]
-    paths-ignore:
-      # Do not run the pipeline if only Markdown files changed
-      - '**.yaml'
-      - '**.md'
-jobs:
-  test:
-    uses: ./.github/workflows/test.yaml
-    with:
-      release: "v2.0.${{ github.run_number }}"
-      client: test

.github/workflows/release.yaml

@@ -1,41 +0,0 @@
-name: build
-
-on:
-  workflow_call:
-    inputs:
-      release_name:
-        description: 'release'
-        required: true
-        type: string
-      tag_name:
-        description: 'tag'
-        required: true
-        type: string
-      draft:
-        description: 'create draft release'
-        required: false
-        type: boolean
-        default: false
-    outputs:
-      upload_url:
-        description: "The first output string"
-        value: ${{ jobs.release.outputs.upload_url }}
-
-jobs:
-  release:
-    name: Create release
-    runs-on: ubuntu-latest
-    outputs:
-      upload_url: ${{ steps.create_release.outputs.upload_url }}
-    steps:
-      - name: Create a release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ inputs.tag_name }}
-          release_name: ${{ inputs.release_name }}
-          draft: ${{ inputs.draft }}
-          prerelease: false
-   

.github/workflows/test.yaml

@@ -1,93 +0,0 @@
-name: test
-
-on:
-  workflow_call:
-    inputs:
-      release:
-        description: 'release'
-        required: true
-        type: string
-      client:
-        description: 'Client name'
-        required: true
-        type: string
-jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
- 
-      - name: Test core pkg
-        run: go test -tags=static -v ./...
-
-      - name: Test httphandler pkg
-        run: cd httphandler && go test -tags=static -v ./...
-
-      - name: Build
-        env:
-          RELEASE: ${{ inputs.release }}
-          CLIENT: test
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
-
-      - name: Smoke Testing
-        env:
-          RELEASE: ${{ inputs.release }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-        

.github/workflows/z-close-typos-issues.yaml

@@ -1,23 +1,19 @@
 on:
   issues:
     types: [opened, labeled]
-
 jobs:
   open_PR_message:
     if: github.event.label.name == 'typo'
     runs-on: ubuntu-latest
     steps:
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
         with:
           message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-          
-          
   auto_close_issues:
     runs-on: ubuntu-latest
     steps:
-      - uses: lee-dohm/close-matching-issues@v2
+      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
         with:
           query: 'label:typo'
           token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -5,4 +5,6 @@
 *.pyc*
 .idea
 .history
-ca.srl
+ca.srl
+*.out
+ks

.golangci.yml

@@ -0,0 +1,57 @@
+linters-settings:
+  govet:
+    check-shadowing: true
+  dupl:
+    threshold: 200
+  goconst:
+    min-len: 3
+    min-occurrences: 2
+  gocognit:
+    min-complexity: 65
+
+linters:
+  enable:
+    - gosec
+    - staticcheck
+    - nolintlint
+    - gofmt
+    - unused
+    - govet
+    - bodyclose
+    - typecheck
+    - goimports
+    - ineffassign
+    - gosimple
+  disable:
+    # temporarily disabled
+    - varcheck
+    - errcheck
+    - dupl
+    - gocritic
+    - gocognit
+    - nakedret
+    - revive
+    - stylecheck
+    - unconvert
+    - unparam
+    #- forbidigo # <- see later
+    # should remain disabled
+    - deadcode   # deprecated linter
+    - maligned
+    - lll
+    - gochecknoinits
+    - gochecknoglobals
+issues:
+  exclude-rules:
+    - linters:
+      - revive
+      text: "var-naming"
+    - linters:
+      - revive
+      text: "type name will be used as (.+?) by other packages, and that stutters"
+    - linters:
+      - stylecheck
+      text: "ST1003"
+run:
+  skip-dirs:
+    - git2go

.krew.yaml

@@ -0,0 +1,42 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  homepage: https://github.com/kubescape/kubescape/
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  version: {{ .TagName }}
+  description: |
+    It includes risk analysis, security compliance, and misconfiguration scanning
+    with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+  platforms:
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-macos-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-macos-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-windows-latest.tar.gz" .TagName }}
+    bin: kubescape.exe

CODE_OF_CONDUCT.md

@@ -1,127 +1,3 @@
-# Contributor Covenant Code of Conduct
+## Code of Conduct
 
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement [here](mailto:ben@armosec.io).
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
-
-Community Impact Guidelines were inspired by [Mozilla's code of conduct
-enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at
-https://www.contributor-covenant.org/translations.
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

CONTRIBUTING.md

@@ -4,14 +4,20 @@ First, it is awesome that you are considering contributing to Kubescape! Contrib
 
 When contributing, we categorize contributions into two:
 * Small code changes or fixes, whose scope is limited to a single or two files
-* Complex features and improvements, that are not limited
+* Complex features and improvements, with potentially unlimited scope
 
 If you have a small change, feel free to fire up a Pull Request.
 
-When planning a bigger change, please first discuss the change you wish to make via issue,
-email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might be already going in this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+When planning a bigger change, please first discuss the change you wish to make via an issue,
+so the maintainers are able to help guide you and let you know if you are going in the right direction.
 
-Please note we have a code of conduct, please follow it in all your interactions with the project.
+## Code of Conduct
+
+Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
+
+## Build and test locally
+
+Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
 
 ## Pull Request Process
 
@@ -19,82 +25,74 @@ Please note we have a code of conduct, please follow it in all your interactions
    build.
 2. Update the README.md with details of changes to the interface, this includes new environment 
    variables, exposed ports, useful file locations and container parameters.
-3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
+3. Open Pull Request to the `master` branch.
 4. We will merge the Pull Request once you have the sign-off.
 
-## Code of Conduct
+## Developer Certificate of Origin
 
-### Our Pledge
+All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
 
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to make participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
+Commits made through the GitHub web application are automatically signed off.
 
-### Our Standards
+### Configuring Git to sign off commits
 
-Examples of behavior that contributes to creating a positive environment
-include:
+First, configure your name and email address in Git global settings:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+```
+$ git config --global user.name "John Doe" 
+$ git config --global user.email johndoe@example.com
+```
 
-Examples of unacceptable behavior by participants include:
+You can now sign off per-commit, or configure Git to always sign off commits per repository.
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+### Sign off per-commit
 
-We will distance those who constantly adhere to unacceptable behavior.
+Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
 
-### Our Responsibilities
+```git commit -s -m "Fix issue 64738"```
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective actions in
-response to any instances of unacceptable behavior.
+This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
 
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
+### Configure a repository to always include sign off
 
-### Scope
+There are many ways to achieve this with Git hooks, but the simplest is to do the following:
 
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
+```
+cd your-repo
+curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
+chmod +x .git/hooks/prepare-commit-msg
+```
 
-### Enforcement
+### Use semantic commit messages (optional)
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
+When contributing, you could consider using [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/), in order to improve logs readability and help us to automatically generate `CHANGELOG`s.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
+Format: `<type>(<scope>): <subject>`
 
-### Attribution
+`<scope>` is optional
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
+#### Example
 
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+```
+feat(cmd): add kubectl plugin
+^--^ ^-^   ^----------------^
+|    |     |
+|    |     +-> subject: summary in present tense.
+|    |
+|    +-------> scope: point of interest
+|
++-------> type: chore, docs, feat, fix, refactor, style, or test.
+```
+
+More Examples:
+* `feat`: new feature for the user, not a new feature for build script
+* `fix`: bug fix for the user, not a fix to a build script
+* `docs`: changes to the documentation
+* `style`: formatting, missing semi colons, etc; no production code change
+* `refactor`: refactoring production code, eg. renaming a variable
+* `test`: adding missing tests, refactoring tests; no production code change
+* `chore`: updating grunt tasks etc; no production code change
+
+## Fixing a commit where the DCO failed
+
+Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).

MAINTAINERS.md

@@ -1,10 +1,11 @@
 # Maintainers
 
-The following table lists Kubescape project maintainers 
+The following table lists the Kubescape project maintainers:
 
-| Name | GitHub | Email | Organization | Role | Added/Renewed On |
-| --- | --- | --- | --- | --- | --- |
-| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | ben@armosec.io | [ARMO](https://www.armosec.io/) | VP R&D | 2021-09-01 |
-| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | rrefael@armosec.io | [ARMO](https://www.armosec.io/) | Team Leader | 2021-10-11 |
-| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | dwertent@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape CLI Developer | 2021-09-01 |
-| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | bbrandwine@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape SaaS Developer | 2021-09-01 |
+| Name | GitHub | Organization | Added/Renewed On |
+| --- | --- | --- | --- |
+| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
+| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [ARMO](https://www.armosec.io/) | 2022-10-31 |

Makefile

@@ -10,8 +10,16 @@ libgit2:
 	-git submodule update --init --recursive
 	cd git2go; make install-static
 
+# build and install libgit2 for macOS m1
+libgit2arm64:
+	git submodule update --init --recursive
+	if [ "$(shell uname -s)" = "Darwin" ]; then \
+		sed -i '' 's/cmake -D/cmake -DCMAKE_OSX_ARCHITECTURES="arm64" -D/' git2go/script/build-libgit2.sh; \
+	fi
+	cd git2go; make install-static
+
 # go build tags
-TAGS = "static"
+TAGS = "gitenabled,static"
 
 build:
 	go build -v -tags=$(TAGS) .

README.md

@@ -1,471 +1,94 @@
-<div align="center">
-    <img src="docs/kubescape.png" width="300" alt="logo">
-</div>
-
----
-
-[![build](https://github.com/kubescape/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/build.yaml)
+[![Version](https://img.shields.io/github/v/release/kubescape/kubescape)](https://github.com/kubescape/kubescape/releases)
+[![build](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
 [![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
+[![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
+[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
 
-:sunglasses: [Want to contribute?](#being-a-part-of-the-team) :innocent: 
+# Kubescape
 
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+</picture>
 
-Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. 
-Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
+_An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters_
 
-It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources.
-Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
+Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
 
-</br>
+Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
 
-# Kubescape CLI:
-<img src="docs/demo.gif">
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
 
-</br>
+## Demo
+<img src="docs/img/demo.gif">
+
+_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_
+
+## Getting started
+
+Experimenting with Kubescape is as easy as:
 
-# TL;DR
-## Install:
 ```sh
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
-*OR:*
+Learn more about:
 
-[Install on windows](#install-on-windows)
+* [Installing Kubescape](docs/installation.md)
+* [Running your first scan](docs/getting-started.md#run-your-first-scan)
+* [Usage](docs/getting-started.md#examples)
+* [Architecture](docs/architecture.md)
+* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
 
-[Install on macOS](#install-on-macos)
+_Did you know you can use Kubescape in all these places?_
 
-[Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
-
-## Run:
-```sh
-kubescape scan --enable-host-scan --verbose
-```
-
-<img src="docs/summary.png">
-
-</br>
-
-> Kubescape is an open source project. We welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.
-
-</br>
-
-## Architecture in short
-### [CLI](#kubescape-cli)
 <div align="center">
-    <img src="docs/ks-cli-arch.png" width="300" alt="cli-diagram">
+    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
 </div>
 
-### [Operator](https://github.com/kubescape/helm-charts#readme)
-<div align="center">
-    <img src="docs/ks-operator-arch.png" width="300" alt="operator-diagram">
-</div>
+## Under the hood
 
-### Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape 😀
+Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
 
-</br>
+By default, the results are printed in a console-friendly manner, but they can be:
 
-# Being a part of the team
+* exported to JSON or junit XML
+* rendered to HTML or PDF
+* submitted to a [cloud service](docs/providers.md)
+
+It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
 
 ## Community
-We invite you to our community! We are excited about this project and want to return the love we get.
 
-We hold community meetings in [Zoom](https://us02web.zoom.us/j/84020231442) on the first Tuesday of every month at 14:00 GMT! :sunglasses:
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
+
+We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
+
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
 ## Contributions 
-[Want to contribute?](https://github.com/kubescape/kubescape/blob/master/CONTRIBUTING.md) Want to discuss something? Have an issue? Please make sure that you follow our [Code Of Conduct](https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md) . 
 
-* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
-* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose) , we are trying to respond within 48 hours
-* [Join us](https://discord.com/invite/WKZRaCtBxN) in the discussion on our discord server!
+Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
 
-[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://discord.com/invite/WKZRaCtBxN)
-![discord](https://img.shields.io/discord/893048809884643379)
+* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
+* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
+* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
 
+<br>
 
-# Options and examples
-
-[Kubescape docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)
-
-## Playground
-* [Kubescape playground](https://killercoda.com/saiyampathak/scenario/kubescape)
-
-## Tutorials
-
-* [Overview](https://youtu.be/wdBkt_0Qhbg)
-* [How To Secure Kubernetes Clusters With Kubescape And Armo](https://youtu.be/ZATGiDIDBQk)
-* [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
-* [Scan container image registry](https://youtu.be/iQ_k8EnK-3s)
-* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
-* [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
-* [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
-* Customize control configurations: 
-  - [Kubescape CLI](https://youtu.be/955psg6TVu4) 
-  - [Kubescape SaaS](https://youtu.be/lIMVSVhH33o)
-
-## Install on Windows
-
-<details><summary>Windows</summary>
-
-**Requires powershell v5.0+**
-
-``` powershell
-iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
-```
-
-Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
-
-``` powershell
-Set-ExecutionPolicy RemoteSigned -scope CurrentUser
-```
-</details>
-
-
-## Install on macOS
-
-<details><summary>MacOS</summary>
-
-1. ```sh
-    brew tap kubescape/tap
-    ```
-2. ```sh
-    brew install kubescape-cli
-    ```
-</details>
-
-## Install on NixOS or with nix (Community)
-
-<details><summary>Nix/NixOS</summary>
-
-Direct issues installing `kubescape` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
-
-You can use `nix` on Linux or macOS and on other platforms unofficially.
-
-Try it out in an ephemeral shell: `nix-shell -p kubescape`
-
-Install declarative as usual
-
-NixOS:
-
-```nix
-  # your other config ...
-  environment.systemPackages = with pkgs; [
-    # your other packages ...
-    kubescape
-  ];
-```
-
-home-manager:
-
-```nix
-  # your other config ...
-  home.packages = with pkgs; [
-    # your other packages ...
-    kubescape
-  ];
-```
-
-Or to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`
-
-</details>
-
-## Usage & Examples
-
-### Examples
-
-
-#### Scan a running Kubernetes cluster
-```
-kubescape scan --enable-host-scan  --verbose
-```
-
-> Read [here](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository) more about the `enable-host-scan` flag
-
-#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
-```
-kubescape scan framework nsa
-```
-
-
-#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework
-```
-kubescape scan framework mitre
-```
-
-
-#### Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository) 
-```
-kubescape scan control "Privileged container"
-```
-
-#### Scan using an alternative kubeconfig file
-```
-kubescape scan --kubeconfig cluster.conf
-```
-
-#### Scan specific namespaces
-```
-kubescape scan --include-namespaces development,staging,production
-```
-
-#### Scan cluster and exclude some namespaces
-```
-kubescape scan --exclude-namespaces kube-system,kube-public
-```
-
-#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
-```
-kubescape scan *.yaml
-```
-
-#### Scan Kubernetes manifest files from a git repository 
-kubescape scan https://github.com/kubescape/kubescape
-```
-
-#### Display all scanned resources (including the resources which passed) 
-```
-kubescape scan --verbose
-```
-
-#### Output in `json` format
-
-> Add the `--format-version v2` flag 
-
-```
-kubescape scan --format json --format-version v2 --output results.json
-```
-
-#### Output in `junit xml` format
-```
-kubescape scan --format junit --output results.xml
-```
-
-#### Output in `pdf` format - Contributed by [@alegrey91](https://github.com/alegrey91)
-
-```
-kubescape scan --format pdf --output results.pdf
-```
-
-#### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
-
-```
-kubescape scan --format prometheus
-```
-
-#### Output in `html` format
-
-```
-kubescape scan --format html --output results.html
-```
-
-#### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
-[Full documentation](examples/exceptions/README.md)
-```
-kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
-```
-
-#### Scan Helm charts 
-```
-kubescape scan </path/to/directory>
-```
-> Kubescape will load the default value file
-
-#### Scan Kustomize Directory 
-```
-kubescape scan </path/to/directory>
-```
-> Kubescape will generate Kubernetes Yaml Objects using 'Kustomize' file and scans them for security.
-
-### Offline/Air-gaped Environment Support
-
-[Video tutorial](https://youtu.be/IGXL9s37smM)
-
-It is possible to run Kubescape offline!
-#### Download all artifacts
-
-1. Download and save in local directory, if path not specified, will save all in `~/.kubescape`
-```
-kubescape download artifacts --output path/to/local/dir
-```
-2. Copy the downloaded artifacts to the air-gaped/offline environment
-
-3. Scan using the downloaded artifacts
-```
-kubescape scan --use-artifacts-from path/to/local/dir
-```
-
-#### Download a single artifact
-
-You can also download a single artifact and scan with the `--use-from` flag
-
-1. Download and save in a file, if the file name is not specified, will save in `~/.kubescape/<framework name>.json`
-```
-kubescape download framework nsa --output /path/nsa.json
-```
-2. Copy the downloaded artifacts to the air-gaped/offline environment
-
-3. Scan using the downloaded framework
-```
-kubescape scan framework nsa --use-from /path/nsa.json
-```
-
-
-## Scan Periodically using Helm 
-[Please follow the instructions here](https://hub.armosec.io/docs/installation-of-armo-in-cluster?utm_source=github&utm_medium=repository)
-[helm chart repo](https://github.com/armosec/armo-helm)
-
-# Integrations
-
-## VS Code Extension 
-
-![Visual Studio Marketplace Downloads](https://img.shields.io/visual-studio-marketplace/d/kubescape.kubescape?label=VScode) ![Open VSX](https://img.shields.io/open-vsx/dt/kubescape/kubescape?label=openVSX&color=yellowgreen)
-
-Scan the YAML files while writing them using the [vs code extension](https://github.com/armosec/vscode-kubescape/blob/master/README.md) 
-
-## Lens Extension
-
-View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using kubescape [Lens extension](https://github.com/armosec/lens-kubescape/blob/master/README.md)
-
-
-# Building Kubescape
-
-## Build on Windows
-
-<details><summary>Windows</summary>
-
-1. Install MSYS2 & build libgit _(needed only for the first time)_
-
-    ```
-    build.bat all
-    ```
-
-> You can install MSYS2 separately by running `build.bat install` and build libgit2 separately by running `build.bat build`
-
-2. Build kubescape
-
-    ```
-    make build
-    ```
-
-    OR 
-
-    ```
-    go build -tags=static .
-    ```
-</details>
-
-## Build on Linux/MacOS
-
-<details><summary>Linux / MacOS</summary>
-
-1. Install libgit2 dependency _(needed only for the first time)_
-   
-    ```
-    make libgit2
-    ```
-
-> `cmake` is required to build libgit2. You can install it by running `sudo apt-get install cmake` (Linux) or `brew install cmake` (macOS)
-
-2. Build kubescape
-
-    ```
-    make build
-    ```
-
-    OR 
-
-    ```
-    go build -tags=static .
-    ```
-
-3. Test
-
-    ```
-    make test
-    ```
-
-</details>
-
-## Build on pre-configured killercoda's ubuntu playground
-
-* [Pre-configured Killercoda's Ubuntu Playground](https://killercoda.com/suhas-gumma/scenario/kubescape-build-for-development)
-
-<details><summary> Pre-programmed actions executed by the playground </summary>
-
-
-* Clone the official GitHub repository of `Kubescape`.
-* [Automate the build process on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
-* The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
-
-</details>
-
-<details>
-<summary>Instructions to use the playground</summary>
-
-* Apply changes you wish to make to the kubescape directory using text editors like `Vim`.
-* [Build on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
-* Now, you can use Kubescape just like a normal user. Instead of using `kubescape`, use `./kubescape`. (Make sure you are inside kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`)
-
-</details>
-
-## VS code configuration samples
-
-You can use the sample files below to setup your VS code environment for building and debugging purposes.
-
-
-<details><summary>.vscode/settings.json</summary>
-
-```json5
-// .vscode/settings.json
-{
-    "go.testTags": "static",
-    "go.buildTags": "static",
-    "go.toolsEnvVars": {
-        "CGO_ENABLED": "1"
-    }
-}
-```
-</details>
-
-<details><summary>.vscode/launch.json</summary>
-
-```json5
-// .vscode/launch.json
-{
-    "version": "0.2.0",
-    "configurations": [
-        {
-            "name": "Launch Package",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/main.go",
-            "args": [
-                "scan",
-                "--logger",
-                "debug"
-            ],
-            "buildFlags": "-tags=static"
-        }
-    ]
-}
-```
-</details>
-
-# Under the hood
-
-## Technology
-Kubescape is based on the [OPA engine](https://github.com/open-policy-agent/opa) and ARMO's posture controls.
-
-The tools retrieve Kubernetes objects from the API server and run a set of [rego's snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
-
-The results by default are printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.
-
-## Thanks to all the contributors ❤️
 <a href = "https://github.com/kubescape/kubescape/graphs/contributors">
   <img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/>
 </a>
 
+## License
+
+Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+
+Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
+
+<div align="center">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
+</div>

build.bat

@@ -1,51 +0,0 @@
-@ECHO OFF
-
-IF "%1"=="install" goto Install
-IF "%1"=="build" goto Build
-IF "%1"=="all" goto All
-IF "%1"=="" goto Error ELSE goto Error
-
-:Install
-
-if exist C:\MSYS64\ (
-    echo "MSYS2 already installed"
-) else (
-    mkdir temp_install & cd temp_install
-
-    echo "Downloading MSYS2..."
-    curl -L https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe > msys2-x86_64-20220603.exe
-
-    echo "Installing MSYS2..."
-    msys2-x86_64-20220603.exe install --root C:\MSYS64 --confirm-command
-
-    cd .. && rmdir /s /q temp_install
-)
-
-
-echo "Adding MSYS2 to path..."
-SET "PATH=C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;%PATH%"
-echo %PATH%
-
-echo "Installing MSYS2 packages..."
-pacman -S --needed --noconfirm make
-pacman -S --needed --noconfirm mingw-w64-x86_64-cmake
-pacman -S --needed --noconfirm mingw-w64-x86_64-gcc
-pacman -S --needed --noconfirm mingw-w64-x86_64-pkg-config
-pacman -S --needed --noconfirm msys2-w32api-runtime
-
-IF "%1"=="all" GOTO Build
-GOTO End
-
-:Build
-SET "PATH=C:\MSYS2\mingw64\bin;C:\MSYS2\usr\bin;%PATH%"
-make libgit2
-GOTO End
-
-:All
-GOTO Install
-
-:Error
-echo "Error: Unknown option"
-GOTO End
-
-:End

build.ps1

@@ -0,0 +1,78 @@
+# Defining input params
+param (
+    [string]$mode = "error"
+)
+
+# Function to install MSYS
+function Install {
+    Write-Host "Starting install..." -ForegroundColor Cyan
+
+    # Check to see if already installed
+    if (Test-Path "C:\MSYS64\") {
+        Write-Host "MSYS2 already installed" -ForegroundColor Green
+    } else {
+        # Create a temp directory
+        New-Item -Path "$PSScriptRoot\temp_install" -ItemType Directory > $null
+        
+        # Download MSYS
+        Write-Host "Downloading MSYS2..." -ForegroundColor Cyan
+        $bitsJobObj = Start-BitsTransfer "https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe" -Destination "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe"
+        switch ($bitsJobObj.JobState) {
+            "Transferred" {
+                Complete-BitsTransfer -BitsJob $bitsJobObj
+                break
+            }
+            "Error" {
+                throw "Error downloading"
+            }
+        }
+        Write-Host "MSYS2 download complete" -ForegroundColor Green
+
+        # Install MSYS
+        Write-Host "Installing MSYS2..." -ForegroundColor Cyan
+        Start-Process -Filepath "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe" -ArgumentList @("install", "--root", "C:\MSYS64", "--confirm-command") -Wait
+        Write-Host "MSYS2 install complete" -ForegroundColor Green
+
+        # Remove temp directory
+        Remove-Item "$PSScriptRoot\temp_install" -Recurse
+    }
+
+    # Set PATH
+    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
+
+    # Install MSYS packages
+    Write-Host "Installing MSYS2 packages..." -ForegroundColor Cyan
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "make") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-cmake") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-gcc") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-pkg-config") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "msys2-w32api-runtime") -Wait
+    Write-Host "MSYS2 packages install complete" -ForegroundColor Green
+
+    Write-Host "Install complete" -ForegroundColor Green
+}
+
+# Function to build libgit2
+function Build {
+    Write-Host "Starting build..." -ForegroundColor Cyan
+
+    # Set PATH
+    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
+
+    # Build
+    Start-Process -Filepath "make" -ArgumentList @("libgit2") -Wait -NoNewWindow
+
+    Write-Host "Build complete" -ForegroundColor Green
+}
+
+# Check user call mode
+if ($mode -eq "all") {
+    Install
+    Build
+} elseif ($mode -eq "install") {
+    Install
+} elseif ($mode -eq "build") {
+    Build
+} else {
+    Write-Host "Error: -mode should be one of (all|install|build)" -ForegroundColor Red
+}

build.py

@@ -3,8 +3,16 @@ import sys
 import hashlib
 import platform
 import subprocess
+import tarfile
 
 BASE_GETTER_CONST = "github.com/kubescape/kubescape/v2/core/cautils/getter"
+CURRENT_PLATFORM = platform.system()
+
+platformSuffixes = {
+    "Windows": "windows-latest",
+    "Linux": "ubuntu-latest",
+    "Darwin": "macos-latest",
+}
 
 def check_status(status, msg):
     if status != 0:
@@ -13,21 +21,19 @@ def check_status(status, msg):
 
 
 def get_build_dir():
-    current_platform = platform.system()
-    build_dir = ""
-
-    if current_platform == "Windows": build_dir = "windows-latest"
-    elif current_platform == "Linux": build_dir = "ubuntu-latest"
-    elif current_platform == "Darwin": build_dir = "macos-latest"
-    else: raise OSError("Platform %s is not supported!" % (current_platform))
-
-    return os.path.join("build", build_dir)
+    return "build"
 
 
 def get_package_name():
-    package_name = "kubescape"
+    if CURRENT_PLATFORM not in platformSuffixes: raise OSError("Platform %s is not supported!" % (CURRENT_PLATFORM))
 
-    return package_name
+    # # TODO: kubescape-windows-latest is deprecated and should be removed
+    # if CURRENT_PLATFORM == "Windows": return "kubescape.exe"
+
+    package_name = "kubescape-"
+    if os.getenv("GOARCH"):
+        package_name += os.getenv("GOARCH") + "-"
+    return package_name + platformSuffixes[CURRENT_PLATFORM]
 
 
 def main():
@@ -40,12 +46,13 @@ def main():
 
     client_var = "github.com/kubescape/kubescape/v2/core/cautils.Client"
     client_name = os.getenv("CLIENT")
-    
+
     # Create build directory
     build_dir = get_build_dir()
 
     ks_file = os.path.join(build_dir, package_name)
     hash_file = ks_file + ".sha256"
+    tar_file = ks_file + ".tar.gz"
 
     if not os.path.isdir(build_dir):
         os.makedirs(build_dir)
@@ -56,15 +63,15 @@ def main():
         ldflags += " -X {}={}".format(build_url, release_version)
     if client_name:
         ldflags += " -X {}={}".format(client_var, client_name)
- 
-    build_command = ["go", "build", "-tags=static", "-o", ks_file, "-ldflags" ,ldflags]
+
+    build_command = ["go", "build", "-buildmode=pie", "-tags=static,gitenabled", "-o", ks_file, "-ldflags" ,ldflags]
 
     print("Building kubescape and saving here: {}".format(ks_file))
     print("Build command: {}".format(" ".join(build_command)))
 
     status = subprocess.call(build_command)
     check_status(status, "Failed to build kubescape")
-    
+
     sha256 = hashlib.sha256()
     with open(ks_file, "rb") as kube:
         sha256.update(kube.read())
@@ -73,8 +80,15 @@ def main():
             print("kubescape hash: {}, file: {}".format(hash, hash_file))
             kube_sha.write(sha256.hexdigest())
 
+    with tarfile.open(tar_file, 'w:gz') as archive:
+        name = "kubescape"
+        if CURRENT_PLATFORM == "Windows":
+            name += ".exe"
+        archive.add(ks_file, name)
+        archive.add("LICENSE", "LICENSE")
+
     print("Build Done")
- 
- 
+
+
 if __name__ == "__main__":
     main()

build/Dockerfile

@@ -1,51 +1,39 @@
-FROM golang:1.18-alpine as builder
-
-ARG image_version
-ARG client
-
-ENV RELEASE=$image_version
-ENV CLIENT=$client
-
-ENV GO111MODULE=
-
-ENV CGO_ENABLED=1
+FROM golang:1.20-bullseye as builder
+ARG image_version client
+ENV GO111MODULE=on CGO_ENABLED=1 PYTHONUNBUFFERED=1 RELEASE=$image_version CLIENT=$client
 
 # Install required python/pip
-ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 git openssl-dev musl-dev gcc make cmake pkgconfig && ln -sf python3 /usr/bin/python
-RUN python3 -m ensurepip
+RUN apt update
+RUN apt install -y cmake python3-pip
 RUN pip3 install --no-cache --upgrade pip setuptools
 
 WORKDIR /work
 ADD . .
 
 # install libgit2
-RUN rm -rf git2go && make libgit2
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    make libgit2
 
 # build kubescape server
 WORKDIR /work/httphandler
-RUN python build.py
-RUN ls -ltr build/ubuntu-latest
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    python3 build.py
+RUN ls -ltr build/
 
 # build kubescape cmd
 WORKDIR /work
-RUN python build.py
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    python3 build.py
 
-RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
+RUN /work/build/kubescape-ubuntu-latest download artifacts -o /work/artifacts
 
-FROM alpine:3.16.2
+FROM gcr.io/distroless/base-debian11:nonroot
 
-RUN addgroup -S ks && adduser -S ks -G ks
-
-COPY --from=builder /work/artifacts/ /home/ks/.kubescape
-
-RUN chown -R ks:ks /home/ks/.kubescape
-
-USER ks
-
-WORKDIR /home/ks
-
-COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
-COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
+COPY --from=builder /work/artifacts/ /home/nonroot/.kubescape
+COPY --from=builder /work/httphandler/build/kubescape-ubuntu-latest /usr/bin/ksserver
+COPY --from=builder /work/build/kubescape-ubuntu-latest /usr/bin/kubescape
 
 ENTRYPOINT ["ksserver"]

cmd/completion/completion.go

@@ -1,23 +1,23 @@
 package completion
 
 import (
+	"fmt"
 	"os"
 	"strings"
 
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
 
-var completionCmdExamples = `
+var completionCmdExamples = fmt.Sprintf(`
+  # Enable BASH shell autocompletion
+  $ source <(%[1]s completion bash)
+  $ echo 'source <(%[1]s completion bash)' >> ~/.bashrc
 
-  # Enable BASH shell autocompletion 
-  $ source <(kubescape completion bash) 
-  $ echo 'source <(kubescape completion bash)' >> ~/.bashrc
-
-  # Enable ZSH shell autocompletion 
-  $ source <(kubectl completion zsh)
-  $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
-
-`
+  # Enable ZSH shell autocompletion
+  $ source <(%[1]s completion zsh)
+  $ echo 'source <(%[1]s completion zsh)' >> "${fpath[1]}/_%[1]s"
+`, cautils.ExecName())
 
 func GetCompletionCmd() *cobra.Command {
 	completionCmd := &cobra.Command{
@@ -27,7 +27,7 @@ func GetCompletionCmd() *cobra.Command {
 		Example:               completionCmdExamples,
 		DisableFlagsInUseLine: true,
 		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
-		Args:                  cobra.ExactValidArgs(1),
+		Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
 		Run: func(cmd *cobra.Command, args []string) {
 			switch strings.ToLower(args[0]) {
 			case "bash":

cmd/config/config.go

@@ -1,34 +1,31 @@
 package config
 
 import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	"github.com/spf13/cobra"
 )
 
 var (
-	configExample = `
+	configExample = fmt.Sprintf(`
   # View cached configurations 
-  kubescape config view
+  %[1]s config view
 
   # Delete cached configurations
-  kubescape config delete
+  %[1]s config delete
 
   # Set cached configurations
-  kubescape config set --help
-`
-	setConfigExample = `
+  %[1]s config set --help
+`, cautils.ExecName())
+	setConfigExample = fmt.Sprintf(`
   # Set account id
-  kubescape config set accountID <account id>
+  %[1]s config set accountID <account id>
 
-  # Set client id
-  kubescape config set clientID <client id> 
-
-  # Set access key
-  kubescape config set secretKey <access key>
-
-  # Set cloudAPIURL
-  kubescape config set cloudAPIURL <cloud API URL>
-`
+  # Set cloud report URL
+  %[1]s config set cloudReportURL <cloud Report URL>
+`, cautils.ExecName())
 )
 
 func GetConfigCmd(ks meta.IKubescape) *cobra.Command {

cmd/config/delete.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"context"
+
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
@@ -13,7 +15,7 @@ func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
 		Short: "Delete cached configurations",
 		Long:  ``,
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
+			if err := ks.DeleteCachedConfig(context.TODO(), &v1.DeleteConfig{}); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 		},

cmd/config/set.go

@@ -34,12 +34,8 @@ func getSetCmd(ks meta.IKubescape) *cobra.Command {
 
 var supportConfigSet = map[string]func(*metav1.SetConfig, string){
 	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
-	"clientID":       func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
-	"secretKey":      func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
 	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
-	"cloudAuthURL":   func(s *metav1.SetConfig, cloudAuthURL string) { s.CloudAuthURL = cloudAuthURL },
 	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
-	"cloudUIURL":     func(s *metav1.SetConfig, cloudUIURL string) { s.CloudUIURL = cloudUIURL },
 }
 
 func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {

cmd/delete/delete.go

@@ -1,34 +0,0 @@
-package delete
-
-import (
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-var deleteExceptionsExamples = `
-  # Delete single exception
-  kubescape delete exceptions "exception name"
-
-  # Delete multiple exceptions
-  kubescape delete exceptions "first exception;second exception;third exception"
-`
-
-func GetDeleteCmd(ks meta.IKubescape) *cobra.Command {
-	var deleteInfo v1.Delete
-
-	var deleteCmd = &cobra.Command{
-		Use:   "delete <command>",
-		Short: "Delete configurations in Kubescape SaaS version",
-		Long:  ``,
-		Run: func(cmd *cobra.Command, args []string) {
-		},
-	}
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-
-	deleteCmd.AddCommand(getExceptionsCmd(ks, &deleteInfo))
-
-	return deleteCmd
-}

cmd/delete/exceptions.go

@@ -1,46 +0,0 @@
-package delete
-
-import (
-	"fmt"
-	"strings"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command {
-	return &cobra.Command{
-		Use:     "exceptions <exception name>",
-		Short:   "Delete exceptions from Kubescape SaaS version. Run 'kubescape list exceptions' for all exceptions names",
-		Example: deleteExceptionsExamples,
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return fmt.Errorf("missing exceptions names")
-			}
-			return nil
-		},
-		Run: func(cmd *cobra.Command, args []string) {
-
-			if err := flagValidationDelete(deleteInfo); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-
-			exceptionsNames := strings.Split(args[0], ";")
-			if len(exceptionsNames) == 0 {
-				logger.L().Fatal("missing exceptions names")
-			}
-			if err := ks.DeleteExceptions(&v1.DeleteExceptions{Credentials: deleteInfo.Credentials, Exceptions: exceptionsNames}); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-		},
-	}
-}
-
-// Check if the flag entered are valid
-func flagValidationDelete(deleteInfo *v1.Delete) error {
-
-	// Validate the user's credentials
-	return deleteInfo.Credentials.Validate()
-}

cmd/download/download.go

@@ -1,6 +1,7 @@
 package download
 
 import (
+	"context"
 	"fmt"
 	"path/filepath"
 	"strings"
@@ -11,35 +12,38 @@ import (
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 var (
-	downloadExample = `
+	downloadExample = fmt.Sprintf(`
   # Download all artifacts and save them in the default path (~/.kubescape)
-  kubescape download artifacts
+  %[1]s download artifacts
   
   # Download all artifacts and save them in /tmp path
-  kubescape download artifacts --output /tmp
+  %[1]s download artifacts --output /tmp
   
-  # Download the NSA framework. Run 'kubescape list frameworks' for all frameworks names
-  kubescape download framework nsa
+  # Download the NSA framework. Run '%[1]s list frameworks' for all frameworks names
+  %[1]s download framework nsa
 
-  # Download the "Allowed hostPath" control. Run 'kubescape list controls' for all controls names
-  kubescape download control "Allowed hostPath"
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control "C-0001"
 
-  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
-  kubescape download control C-0001
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control C-0001
 
   # Download the configured exceptions
-  kubescape download exceptions 
+  %[1]s download exceptions 
 
   # Download the configured controls-inputs 
-  kubescape download controls-inputs 
+  %[1]s download controls-inputs 
 
-`
+  # Download the attack tracks
+  %[1]s download attack-tracks
+`, cautils.ExecName())
 )
 
-func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
+func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 	var downloadInfo = v1.DownloadInfo{}
 
 	downloadCmd := &cobra.Command{
@@ -52,7 +56,7 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 			if len(args) < 1 {
 				return fmt.Errorf("policy type required, supported: %v", supported)
 			}
-			if cautils.StringInSlice(core.DownloadSupportCommands(), args[0]) == cautils.ValueNotFound {
+			if !slices.Contains(core.DownloadSupportCommands(), args[0]) {
 				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
 			}
 			return nil
@@ -68,18 +72,20 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 			}
 			downloadInfo.Target = args[0]
 			if len(args) >= 2 {
-				downloadInfo.Name = args[1]
+
+				downloadInfo.Identifier = args[1]
+
 			}
-			if err := ks.Download(&downloadInfo); err != nil {
+			if err := ks.Download(context.TODO(), &downloadInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
 		},
 	}
 
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	downloadCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
+	downloadCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
 	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
 
 	return downloadCmd
@@ -89,5 +95,5 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
 
 	// Validate the user's credentials
-	return downloadInfo.Credentials.Validate()
+	return cautils.ValidateAccountID(downloadInfo.AccountID)
 }

cmd/fix/fix.go

@@ -0,0 +1,48 @@
+package fix
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+var fixCmdExamples = fmt.Sprintf(`
+  Fix command is for fixing kubernetes manifest files based on a scan command output.
+  Use with caution, this command will change your files in-place.
+
+  # Fix kubernetes YAML manifest files based on a scan command output (output.json)
+  1) %[1]s scan . --format json --output output.json
+  2) %[1]s fix output.json
+
+`, cautils.ExecName())
+
+func GetFixCmd(ks meta.IKubescape) *cobra.Command {
+	var fixInfo metav1.FixInfo
+
+	fixCmd := &cobra.Command{
+		Use:     "fix <report output file>",
+		Short:   "Propose a fix for the misconfiguration found when scanning Kubernetes manifest files",
+		Long:    ``,
+		Example: fixCmdExamples,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("report output file is required")
+			}
+			fixInfo.ReportFile = args[0]
+
+			return ks.Fix(context.TODO(), &fixInfo)
+		},
+	}
+
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.NoConfirm, "no-confirm", false, "No confirmation will be given to the user before applying the fix (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.DryRun, "dry-run", false, "No changes will be applied (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.SkipUserValues, "skip-user-values", true, "Changes which involve user-defined values will be skipped")
+
+	return fixCmd
+}

cmd/image/README.md

@@ -0,0 +1,231 @@
+# Scan Command
+
+The scan command is used for scanning container images for vulnerabilities.
+It uses [grype](https://github.com/anchore/grype) under the hood for scanning the images.
+
+## Usage
+
+
+```bash
+kubescape image scan <image:tag> [flags]
+```
+
+### Flags
+| Flag                      | Description                                            | Required | Default |
+| ------------------------- | ------------------------------------------------------ |--------- | --------|
+| -u, --username            | Username for the image registry login                  | No       |         |
+| -p, --password            | Password for the image registry login                  | No       |         |
+| -f, --format              | Output file format.                                    | No       |         |
+| -o, --output              | Output file. Print output to file and not stdout       | No       |         |
+| -v, --verbose             | Display full report                                    | No       |  false  |
+| -s, --severity-threshold  | Maximum severity of a vulnerability                    | No       |         |
+| -h, --help                | help for scan                                          | No       |         |
+
+
+## Example
+
+We will demonstrate how to use the scan command with an example of [nginx](https://www.nginx.com/) image.
+
+### Steps
+
+1. In a terminal, run the `kubescape image scan` command: 
+    
+    ```bash
+    kubescape image scan nginx:1.22
+    ```
+
+2. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: nginx:1.22
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 184 vulnerabilities found:
+    ──────────────────────────────────────────────────
+    Image: nginx:1.22
+    * 3 Critical
+    * 35 High
+    * 43 Medium
+    * 103 Other
+
+    Most vulnerable components:
+    * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+    * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+    * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+    * libssl1.1 (1.1.1n-0+deb11u4) - 1 High, 5 Medium, 2 Negligible
+    * openssl (1.1.1n-0+deb11u4) - 1 High, 5 Medium, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator
+    ```
+
+
+# Patch Command
+
+The patch command is used for patching container images with vulnerabilities.  
+It uses [copa](https://github.com/project-copacetic/copacetic) and [buildkit](https://github.com/moby/buildkit) under the hood for patching the container images, and [grype](https://github.com/anchore/grype) as the engine for scanning the images.
+
+## Usage
+
+```bash
+kubescape image patch <image:tag> [flags]
+```
+### Pre-requisites
+
+- [docker](https://docs.docker.com/desktop/install/linux-install/#generic-installation-steps) daemon must be installed and running.
+- [buildkit](https://github.com/moby/buildkit) daemon must be installed
+
+### Running the patch command
+
+The patch command can be run in 2 ways:
+1. **With sudo privileges**
+
+    You will need to start `buildkitd` if it is not already running
+
+    ```bash
+    sudo buildkitd & 
+    sudo kubescape image patch <image>
+    ```
+
+2. **Without sudo privileges**
+   ```bash
+    export BUILDKIT_VERSION=v0.11.4
+    export BUILDKIT_PORT=8888
+
+    docker run \
+        --detach \
+        --rm \
+        --privileged \
+        -p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
+        --name buildkitd \
+        --entrypoint buildkitd \
+        "moby/buildkit:$BUILDKIT_VERSION" \
+        --addr tcp://0.0.0.0:$BUILDKIT_PORT
+
+    kubescape image patch <image-name> \
+        -a tcp://0.0.0.0:$BUILDKIT_PORT
+   ```
+
+### Flags
+
+| Flag           | Description                                            | Required | Default                             |
+| -------------- | ------------------------------------------------------ | -------- | ----------------------------------- |
+| -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
+| -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
+| --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| -u, --username | Username for the image registry login                  | No       |                                     |
+| -p, --password | Password for the image registry login                  | No       |                                     |
+| -f, --format   | Output file format.                                    | No       |                                     |
+| -o, --output   | Output file. Print output to file and not stdout       | No       |                                     |
+| -v, --verbose  | Display full report. Default to false                  | No       |                                     |
+| -h, --help     | help for patch                                         | No       |                                     |
+
+
+## Example
+
+We will demonstrate how to use the patch command with an example of [nginx](https://www.nginx.com/) image.
+
+### Steps
+
+1. Run `buildkitd` service:
+
+    ```bash
+    sudo buildkitd
+    ```
+
+2. In a seperate terminal, run the `kubescape image patch` command: 
+    
+    ```bash
+    sudo kubescape image patch docker.io/library/nginx:1.22
+    ```
+
+3. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: docker.io/library/nginx:1.22
+    ✅  Patched image successfully. Loaded image: nginx:1.22-patched
+    ✅  Successfully re-scanned image: nginx:1.22-patched
+
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 161 vulnerabilities found:
+    Image: nginx:1.22-patched
+      * 3 Critical
+      * 24 High
+      * 31 Medium
+      * 103 Other
+
+    Most vulnerable components:
+      * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+      * libxml2 (2.9.10+dfsg-6.7+deb11u4) - 1 High, 2 Medium
+      * perl-base (5.32.1-4+deb11u2) - 2 High, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator
+    ```
+
+## Limitations
+
+- The patch command can only fix OS-level vulnerability. It cannot fix application-level vulnerabilities. This is a limitation of copa. The reason behind this is that application level vulnerabilities are best suited to be fixed by the developers of the application.
+Hence, this is not really a limitation but a design decision.
+- No support for windows containers given the dependency on buildkit.

cmd/image/image.go

@@ -0,0 +1,61 @@
+package image
+
+import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/spf13/cobra"
+)
+
+type imageCredentials struct {
+	Username string
+	Password string
+}
+
+var imageCmdExamples = fmt.Sprintf(`
+# Scan an image
+%[1]s image scan <image>:<tag>
+
+# Patch an image
+%[1]s image patch  <image>:<tag>
+`, cautils.ExecName())
+
+func GetImageCmd(ks meta.IKubescape) *cobra.Command {
+	var scanInfo cautils.ScanInfo
+	var imgCredentials imageCredentials
+
+	imageCmd := &cobra.Command{
+		Use:     "image",
+		Short:   "Scan or patch an image",
+		Example: imageCmdExamples,
+	}
+
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "sarif"`)
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	imageCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display full report. Default to false")
+
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.FailThresholdSeverity, "severity-threshold", "s", "", "Severity threshold is the severity of a vulnerability at which the command fails and returns exit code 1")
+
+	imageCmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
+	imageCmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")
+
+	imageCmd.AddCommand(getScanCmd(ks, &scanInfo, &imgCredentials))
+	imageCmd.AddCommand(getPatchCmd(ks, &scanInfo, &imgCredentials))
+
+	imageCmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
+		// hide kube-context and server flags
+		command.Flags().MarkHidden("kube-context")
+		command.Flags().MarkHidden("server")
+
+		// this will prevent an infinite recursive call for the sub-commands of 'image'
+		if parent := command.Parent().Parent(); parent != nil {
+			parent.HelpFunc()(command, strings)
+			return
+		}
+
+		command.Parent().HelpFunc()(command, strings)
+	})
+
+	return imageCmd
+}

cmd/image/patch.go

@@ -0,0 +1,138 @@
+package image
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	ref "github.com/distribution/distribution/reference"
+	"github.com/docker/distribution/reference"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v2/pkg/imagescan"
+
+	"github.com/spf13/cobra"
+)
+
+var patchCmdExamples = fmt.Sprintf(`
+  # Patch the nginx:1.22 image
+  1) sudo buildkitd        # start buildkitd service, run in seperate terminal
+  2) sudo %[1]s patch nginx:1.22   # patch the image
+
+  # The patch command can also be run without sudo privileges
+  # Documentation: https://github.com/kubescape/kubescape/tree/master/cmd/image/README.md
+`, cautils.ExecName())
+
+func getPatchCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgCredentials *imageCredentials) *cobra.Command {
+
+	var patchInfo metav1.PatchInfo
+	patchCmd := &cobra.Command{
+		Use:     "patch <image>:<tag> [flags]",
+		Short:   "Patch container images with vulnerabilities ",
+		Long:    `Automatically patch container images with vulnerabilities`,
+		Example: patchCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateImageScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			patchInfo.Username = imgCredentials.Username
+			patchInfo.Password = imgCredentials.Password
+			patchInfo.Image = args[0]
+
+			if err := validateImagePatchInfo(&patchInfo); err != nil {
+				return err
+			}
+
+			results, err := ks.Patch(context.Background(), &patchInfo, scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				utils.TerminateOnExceedingSeverity(scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
+	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+
+	return patchCmd
+}
+
+// validateImagePatchInfo validates the image patch info for the `patch` command
+func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
+
+	if patchInfo.Image == "" {
+		return errors.New("image tag is required")
+	}
+
+	// Convert image to canonical format (required by copacetic for patching images)
+	patchInfoImage, err := cautils.NormalizeImageName(patchInfo.Image)
+	if err != nil {
+		return nil
+	}
+
+	// Parse the image full name to get image name and tag
+	named, err := ref.ParseNamed(patchInfoImage)
+	if err != nil {
+		return err
+	}
+
+	// If no tag or digest is provided, default to 'latest'
+	if ref.IsNameOnly(named) {
+		logger.L().Warning("Image name has no tag or digest, using latest as tag")
+		named = ref.TagNameOnly(named)
+	}
+	patchInfo.Image = named.String()
+
+	// If no patched image tag is provided, default to '<image-tag>-patched'
+	if patchInfo.PatchedImageTag == "" {
+
+		taggedName, ok := named.(ref.Tagged)
+		if !ok {
+			return errors.New("unexpected error while parsing image tag")
+		}
+
+		patchInfo.ImageTag = taggedName.Tag()
+
+		if patchInfo.ImageTag == "" {
+			logger.L().Warning("No tag provided, defaulting to 'patched'")
+			patchInfo.PatchedImageTag = "patched"
+		} else {
+			patchInfo.PatchedImageTag = fmt.Sprintf("%s-%s", patchInfo.ImageTag, "patched")
+		}
+
+	}
+
+	// Extract the "image" name from the canonical Image URL
+	// If it's an official docker image, we store just the "image-name". Else if a docker repo then we store as "repo/image". Else complete URL
+	ref, _ := reference.ParseNormalizedNamed(patchInfo.Image)
+	imageName := named.Name()
+	if strings.Contains(imageName, "docker.io/library/") {
+		imageName = reference.Path(ref)
+		imageName = imageName[strings.LastIndex(imageName, "/")+1:]
+	} else if strings.Contains(imageName, "docker.io/") {
+		imageName = reference.Path(ref)
+	}
+	patchInfo.ImageName = imageName
+
+	return nil
+}

cmd/image/scan.go

@@ -0,0 +1,73 @@
+package image
+
+import (
+	"context"
+	"fmt"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v2/pkg/imagescan"
+	"github.com/spf13/cobra"
+)
+
+// TODO(vladklokun): document image scanning on the Kubescape Docs Hub?
+var (
+	imageExample = fmt.Sprintf(`
+  Scan an image for vulnerabilities. 
+
+  # Scan the 'nginx' image
+  %[1]s image scan "nginx"
+`, cautils.ExecName())
+)
+
+// imageCmd represents the image command
+func getScanCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgCredentials *imageCredentials) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "scan <image>:<tag> [flags]",
+		Short:   "Scan container images for vulnerabilities",
+		Example: imageExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := validateImageScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			imgScanInfo := &metav1.ImageScanInfo{
+				Image:    args[0],
+				Username: imgCredentials.Username,
+				Password: imgCredentials.Password,
+			}
+
+			results, err := ks.ScanImage(context.Background(), imgScanInfo, scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				utils.TerminateOnExceedingSeverity(scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+// validateImageScanInfo validates the ScanInfo struct for the `image` command
+func validateImageScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/list/list.go

@@ -1,6 +1,7 @@
 package list
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -10,25 +11,23 @@ import (
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 var (
-	listExample = `
+	listExample = fmt.Sprintf(`
   # List default supported frameworks names
-  kubescape list frameworks
+  %[1]s list frameworks
   
   # List all supported frameworks names
-  kubescape list frameworks --account <account id>
+  %[1]s list frameworks --account <account id>
 	
-  # List all supported controls names
-  kubescape list controls
-
-  # List all supported controls ids
-  kubescape list controls --id 
+  # List all supported controls names with ids
+  %[1]s list controls
   
   Control documentation:
   https://hub.armosec.io/docs/controls
-`
+`, cautils.ExecName())
 )
 
 func GetListCmd(ks meta.IKubescape) *cobra.Command {
@@ -45,7 +44,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 			if len(args) < 1 {
 				return fmt.Errorf("policy type requeued, supported: %s", supported)
 			}
-			if cautils.StringInSlice(core.ListSupportActions(), args[0]) == cautils.ValueNotFound {
+			if !slices.Contains(core.ListSupportActions(), args[0]) {
 				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
 			}
 			return nil
@@ -58,17 +57,15 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 
 			listPolicies.Target = args[0]
 
-			if err := ks.List(&listPolicies); err != nil {
+			if err := ks.List(context.TODO(), &listPolicies); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
 		},
 	}
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-printer'/'json'")
-	listCmd.PersistentFlags().BoolVarP(&listPolicies.ListIDs, "id", "", false, "List control ID's instead of controls names")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
+	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outputs")
 
 	return listCmd
 }
@@ -77,5 +74,5 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 func flagValidationList(listPolicies *v1.ListPolicies) error {
 
 	// Validate the user's credentials
-	return listPolicies.Credentials.Validate()
+	return cautils.ValidateAccountID(listPolicies.AccountID)
 }

cmd/root.go

@@ -6,13 +6,14 @@ import (
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v2/cmd/completion"
 	"github.com/kubescape/kubescape/v2/cmd/config"
-	"github.com/kubescape/kubescape/v2/cmd/delete"
 	"github.com/kubescape/kubescape/v2/cmd/download"
+	"github.com/kubescape/kubescape/v2/cmd/fix"
+	"github.com/kubescape/kubescape/v2/cmd/image"
 	"github.com/kubescape/kubescape/v2/cmd/list"
 	"github.com/kubescape/kubescape/v2/cmd/scan"
-	"github.com/kubescape/kubescape/v2/cmd/submit"
 	"github.com/kubescape/kubescape/v2/cmd/update"
 	"github.com/kubescape/kubescape/v2/cmd/version"
 	"github.com/kubescape/kubescape/v2/core/cautils"
@@ -25,19 +26,19 @@ import (
 
 var rootInfo cautils.RootInfo
 
-var ksExamples = `
-  # Scan command
-  kubescape scan --submit
+var ksExamples = fmt.Sprintf(`
+  # Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations
+  %[1]s scan
 
-  # List supported frameworks
-  kubescape list frameworks
+  # List supported controls
+  %[1]s list controls
 
   # Download artifacts (air-gapped environment support)
-  kubescape download artifacts
+  %[1]s download artifacts
 
   # View cached configurations
-  kubescape config view
-`
+  %[1]s config view
+`, cautils.ExecName())
 
 func NewDefaultKubescapeCommand() *cobra.Command {
 	ks := core.NewKubescape()
@@ -50,11 +51,29 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 		Use:     "kubescape",
 		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
 		Example: ksExamples,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			k8sinterface.SetClusterContextName(rootInfo.KubeContext)
+			initLogger()
+			initLoggerLevel()
+			initEnvironment()
+			initCacheDir()
+		},
 	}
 
-	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLsDep, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLs, "env", "", envFlagUsage)
-	rootCmd.PersistentFlags().MarkDeprecated("environment", "use 'env' instead")
+	if cautils.IsKrewPlugin() {
+		// Invoked as a kubectl plugin.
+
+		// Cobra doesn't have a way to specify a two word command (i.e. "kubectl kubescape"), so set a custom usage template
+		// with kubectl in it. Cobra will use this template for the root and all child commands.
+		oldUsageTemplate := rootCmd.UsageTemplate()
+		newUsageTemplate := strings.NewReplacer("{{.UseLine}}", "kubectl {{.UseLine}}", "{{.CommandPath}}", "kubectl {{.CommandPath}}").Replace(oldUsageTemplate)
+		rootCmd.SetUsageTemplate(newUsageTemplate)
+	}
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.DiscoveryServerURL, "server", "api.armosec.io", "Backend discovery server URL") // TODO: remove default value
+
+	rootCmd.PersistentFlags().MarkDeprecated("environment", "'environment' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
+	rootCmd.PersistentFlags().MarkDeprecated("env", "'env' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
 	rootCmd.PersistentFlags().MarkHidden("environment")
 	rootCmd.PersistentFlags().MarkHidden("env")
 
@@ -63,21 +82,30 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 
 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable Color output for logging")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable Color output for logging")
-
-	cobra.OnInitialize(initLogger, initLoggerLevel, initEnvironment, initCacheDir)
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")
 
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	// Supported commands
 	rootCmd.AddCommand(scan.GetScanCommand(ks))
-	rootCmd.AddCommand(download.GeDownloadCmd(ks))
-	rootCmd.AddCommand(delete.GetDeleteCmd(ks))
+	rootCmd.AddCommand(download.GetDownloadCmd(ks))
 	rootCmd.AddCommand(list.GetListCmd(ks))
-	rootCmd.AddCommand(submit.GetSubmitCmd(ks))
 	rootCmd.AddCommand(completion.GetCompletionCmd())
 	rootCmd.AddCommand(version.GetVersionCmd())
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
 	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(fix.GetFixCmd(ks))
+	rootCmd.AddCommand(image.GetImageCmd(ks))
+
+	// deprecated commands
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "submit",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "delete",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
 
 	return rootCmd
 }

cmd/rootutils.go

@@ -5,15 +5,19 @@ import (
 	"os"
 	"strings"
 
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/backend/pkg/servicediscovery"
+	sdClientV1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/go-logger/iconlogger"
+	"github.com/kubescape/go-logger/zaplogger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 
 	"github.com/mattn/go-isatty"
 )
 
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
-
 func initLogger() {
 	logger.DisableColor(rootInfo.DisableColor)
 	logger.EnableColor(rootInfo.EnableColor)
@@ -23,9 +27,9 @@ func initLogger() {
 			rootInfo.LoggerName = l
 		} else {
 			if isatty.IsTerminal(os.Stdout.Fd()) {
-				rootInfo.LoggerName = "pretty"
+				rootInfo.LoggerName = iconlogger.LoggerName
 			} else {
-				rootInfo.LoggerName = "zap"
+				rootInfo.LoggerName = zaplogger.LoggerName
 			}
 		}
 	}
@@ -56,35 +60,50 @@ func initCacheDir() {
 	logger.L().Debug("cache dir updated", helpers.String("path", getter.DefaultLocalStore))
 }
 func initEnvironment() {
-	if rootInfo.KSCloudBEURLs == "" {
-		rootInfo.KSCloudBEURLs = rootInfo.KSCloudBEURLsDep
+	if rootInfo.DiscoveryServerURL == "" {
+		return
 	}
-	urlSlices := strings.Split(rootInfo.KSCloudBEURLs, ",")
-	if len(urlSlices) != 1 && len(urlSlices) < 3 {
-		logger.L().Fatal("expected at least 3 URLs (report, api, frontend, auth)")
+
+	logger.L().Debug("fetching URLs from service discovery server", helpers.String("server", rootInfo.DiscoveryServerURL))
+
+	client, err := sdClientV1.NewServiceDiscoveryClientV1(rootInfo.DiscoveryServerURL)
+	if err != nil {
+		logger.L().Fatal("failed to create service discovery client", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
 	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev", "development":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIDev())
-		case "stage", "staging":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIStaging())
-		case "":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIProd())
-		default:
-			logger.L().Fatal("--environment flag usage: " + envFlagUsage)
-		}
-	case 2:
-		logger.L().Fatal("--environment flag usage: " + envFlagUsage)
-	case 3, 4:
-		var ksAuthURL string
-		ksEventReceiverURL := urlSlices[0] // mandatory
-		ksBackendURL := urlSlices[1]       // mandatory
-		ksFrontendURL := urlSlices[2]      // mandatory
-		if len(urlSlices) >= 4 {
-			ksAuthURL = urlSlices[3]
-		}
-		getter.SetKSCloudAPIConnector(getter.NewKSCloudAPICustomized(ksEventReceiverURL, ksBackendURL, ksFrontendURL, ksAuthURL))
+
+	services, err := servicediscovery.GetServices(
+		client,
+	)
+
+	if err != nil {
+		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
 	}
+
+	logger.L().Debug("configuring service discovery URLs", helpers.String("cloudAPIURL", services.GetApiServerUrl()), helpers.String("cloudReportURL", services.GetReportReceiverHttpUrl()))
+
+	tenant := cautils.GetTenantConfig("", "", "", nil)
+	if services.GetApiServerUrl() != "" {
+		tenant.GetConfigObj().CloudAPIURL = services.GetApiServerUrl()
+	}
+	if services.GetReportReceiverHttpUrl() != "" {
+		tenant.GetConfigObj().CloudReportURL = services.GetReportReceiverHttpUrl()
+	}
+
+	if err = tenant.UpdateCachedConfig(); err != nil {
+		logger.L().Error("failed to update cached config", helpers.Error(err))
+	}
+
+	ksCloud, err := v1.NewKSCloudAPI(
+		services.GetApiServerUrl(),
+		services.GetReportReceiverHttpUrl(),
+		"",
+	)
+	if err != nil {
+		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+		return
+	}
+
+	getter.SetKSCloudAPIConnector(ksCloud)
 }

cmd/scan/control.go

@@ -1,6 +1,7 @@
 package scan
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"os"
@@ -10,36 +11,36 @@ import (
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 
-	"github.com/enescakir/emoji"
 	"github.com/spf13/cobra"
 )
 
 var (
-	controlExample = `
+	controlExample = fmt.Sprintf(`
   # Scan the 'privileged container' control
-  kubescape scan control "privileged container"
+  %[1]s scan control "privileged container"
 	
   # Scan list of controls separated with a comma
-  kubescape scan control "privileged container","allowed hostpath"
+  %[1]s scan control "privileged container","HostPath mount"
   
   # Scan list of controls using the control ID separated with a comma
-  kubescape scan control C-0058,C-0057
+  %[1]s scan control C-0058,C-0057
   
-  Run 'kubescape list controls' for the list of supported controls
+  Run '%[1]s list controls' for the list of supported controls
   
   Control documentation:
   https://hub.armosec.io/docs/controls
-`
+`, cautils.ExecName())
 )
 
 // controlCmd represents the control command
 func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
 	return &cobra.Command{
 		Use:     "control <control names list>/<control ids list>",
-		Short:   "The controls you wish to use. Run 'kubescape list controls' for the list of supported controls",
+		Short:   fmt.Sprintf("The controls you wish to use. Run '%[1]s list controls' for the list of supported controls", cautils.ExecName()),
 		Example: controlExample,
 		Args: func(cmd *cobra.Command, args []string) error {
 			if len(args) > 0 {
@@ -61,13 +62,13 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			if err := validateFrameworkScanInfo(scanInfo); err != nil {
 				return err
 			}
-			
+
 			// flagValidationControl(scanInfo)
 			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
 
 			if len(args) == 0 {
 				scanInfo.ScanAll = true
-			} else { // expected control or list of control sepparated by ","
+			} else { // expected control or list of control separated by ","
 
 				// Read controls from input args
 				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)
@@ -91,25 +92,30 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			}
 
 			scanInfo.FrameworkScan = false
+			scanInfo.SetScanType(cautils.ScanTypeControl)
 
 			if err := validateControlScanInfo(scanInfo); err != nil {
 				return err
 			}
 
-			results, err := ks.Scan(scanInfo)
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if err := results.HandleResults(); err != nil {
+			if err := results.HandleResults(ctx); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			if !scanInfo.VerboseMode {
-				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
 			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
-			enforceSeverityThresholds(&results.GetResults().SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
+			enforceSeverityThresholds(results.GetResults().SummaryDetails.GetResourcesSeverityCounters(), scanInfo, utils.TerminateOnExceedingSeverity)
 
 			return nil
 		},
@@ -120,7 +126,11 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
 	severity := scanInfo.FailThresholdSeverity
 
-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
+	}
+
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}
 	return nil

cmd/scan/framework.go

@@ -1,6 +1,7 @@
 package scan
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -10,44 +11,49 @@ import (
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+	"golang.org/x/exp/slices"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/meta"
 
-	"github.com/enescakir/emoji"
 	"github.com/spf13/cobra"
 )
 
 var (
-	frameworkExample = `
-  # Scan all frameworks and submit the results
-  kubescape scan framework all --submit
+	frameworkExample = fmt.Sprintf(`
+  # Scan all frameworks
+  %[1]s scan framework all
   
   # Scan the NSA framework
-  kubescape scan framework nsa
+  %[1]s scan framework nsa
   
   # Scan the NSA and MITRE framework
-  kubescape scan framework nsa,mitre
+  %[1]s scan framework nsa,mitre
   
   # Scan all frameworks
-  kubescape scan framework all
+  %[1]s scan framework all
 
   # Scan kubernetes YAML manifest files (single file or glob)
-  kubescape scan framework nsa *.yaml
+  %[1]s scan framework nsa .
 
-  Run 'kubescape list frameworks' for the list of supported frameworks
-`
+  Run '%[1]s list frameworks' for the list of supported frameworks
+`, cautils.ExecName())
 
-	ErrUnknownSeverity = errors.New("unknown severity")
+	ErrSecurityViewNotSupported = errors.New("security view is not supported for framework scan")
+	ErrBadThreshold             = errors.New("bad argument: out of range threshold")
+	ErrKeepLocalOrSubmit        = errors.New("you can use `keep-local` or `submit`, but not both")
+	ErrOmitRawResourcesOrSubmit = errors.New("you can use `omit-raw-resources` or `submit`, but not both")
 )
 
 func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
 
 	return &cobra.Command{
 		Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
-		Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
+		Short:   fmt.Sprintf("The framework you wish to use. Run '%[1]s list frameworks' for the list of supported frameworks", cautils.ExecName()),
 		Example: frameworkExample,
 		Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
 		Args: func(cmd *cobra.Command, args []string) error {
@@ -72,20 +78,25 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			}
 			scanInfo.FrameworkScan = true
 
+			// We do not scan all frameworks by default when triggering scan from the CLI
+			scanInfo.ScanAll = false
+
 			var frameworks []string
 
-			if len(args) == 0 { // scan all frameworks
+			if len(args) == 0 {
 				scanInfo.ScanAll = true
 			} else {
 				// Read frameworks from input args
 				frameworks = strings.Split(args[0], ",")
-				if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
+				if slices.Contains(frameworks, "all") {
 					scanInfo.ScanAll = true
-					frameworks = []string{}
+					frameworks = getter.NativeFrameworks
+
 				}
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {
 						scanInfo.InputPatterns = args[1:]
+						logger.L().Debug("List of input files", helpers.Interface("patterns", scanInfo.InputPatterns))
 					} else { // store stdin to file - do NOT move to separate function !!
 						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
 						if err != nil {
@@ -100,26 +111,32 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 					}
 				}
 			}
+			scanInfo.SetScanType(cautils.ScanTypeFramework)
 			scanInfo.FrameworkScan = true
 
 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
 
-			results, err := ks.Scan(scanInfo)
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
 
-			if err = results.HandleResults(); err != nil {
+			if err = results.HandleResults(ctx); err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if !scanInfo.VerboseMode {
-				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+
+			if !scanInfo.VerboseMode && scanInfo.ScanType == cautils.ScanTypeFramework {
+				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
 			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance-score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
 
-			enforceSeverityThresholds(&results.GetData().Report.SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, utils.TerminateOnExceedingSeverity)
 			return nil
 		},
 	}
@@ -128,7 +145,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 // countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
 func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
 	targetSeverity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(targetSeverity); err != nil {
+	if err := utils.ValidateSeverity(targetSeverity); err != nil {
 		return false, err
 	}
 
@@ -136,10 +153,10 @@ func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCou
 		SeverityName       string
 		GetFailedResources func() int
 	}{
-		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfResourcesWithLowSeverity},
-		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfResourcesWithMediumSeverity},
-		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfResourcesWithHighSeverity},
-		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfResourcesWithCriticalSeverity},
+		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfLowSeverity},
+		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfMediumSeverity},
+		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfHighSeverity},
+		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfCriticalSeverity},
 	}
 
 	targetSeverityIdx := 0
@@ -161,15 +178,10 @@ func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCou
 
 }
 
-// terminateOnExceedingSeverity terminates the application on exceeding severity
-func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l logger.ILogger) {
-	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
-}
-
 // enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
 //
 // The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
-func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, logger.ILogger)) {
+func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, helpers.ILogger)) {
 	// If a severity threshold is not set, we don’t need to enforce it
 	if scanInfo.FailThresholdSeverity == "" {
 		return
@@ -182,31 +194,29 @@ func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters,
 	}
 }
 
-// validateSeverity returns an error if a given severity is not known, nil otherwise
-func validateSeverity(severity string) error {
-	for _, val := range reporthandlingapis.GetSupportedSeverities() {
-		if strings.EqualFold(severity, val) {
-			return nil
-		}
-	}
-	return ErrUnknownSeverity
-
-}
-
 // validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
 func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
-	if scanInfo.Submit && scanInfo.Local {
-		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
-	}
-	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
-		return fmt.Errorf("bad argument: out of range threshold")
+	if scanInfo.View == string(cautils.SecurityViewType) {
+		return ErrSecurityViewNotSupported
 	}
 
+	if scanInfo.Submit && scanInfo.Local {
+		return ErrKeepLocalOrSubmit
+	}
+	if 100 < scanInfo.ComplianceThreshold || 0 > scanInfo.ComplianceThreshold {
+		return ErrBadThreshold
+	}
+	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
+		return ErrBadThreshold
+	}
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return ErrOmitRawResourcesOrSubmit
+	}
 	severity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}
 
 	// Validate the user's credentials
-	return scanInfo.Credentials.Validate()
+	return cautils.ValidateAccountID(scanInfo.AccountID)
 }

cmd/scan/scan.go

@@ -1,34 +1,37 @@
 package scan
 
 import (
+	"context"
 	"flag"
 	"fmt"
+	"strings"
 
-	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )
 
-var scanCmdExamples = `
+var scanCmdExamples = fmt.Sprintf(`
   Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
-  # Scan current cluster with all frameworks
-  kubescape scan --enable-host-scan --verbose
+  # Scan current cluster
+  %[1]s scan
 
-  # Scan kubernetes YAML manifest files
-  kubescape scan *.yaml
+  # Scan kubernetes manifest files 
+  %[1]s scan .
 
   # Scan and save the results in the JSON format
-  kubescape scan --format json --output results.json
+  %[1]s scan --format json --output results.json
 
   # Display all resources
-  kubescape scan --verbose
+  %[1]s scan --verbose
 
   # Scan different clusters from the kubectl context 
-  kubescape scan --kube-context <kubernetes context>
-  
-`
+  %[1]s scan --kube-context <kubernetes context>
+`, cautils.ExecName())
 
 func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	var scanInfo cautils.ScanInfo
@@ -36,63 +39,62 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	// scanCmd represents the scan command
 	scanCmd := &cobra.Command{
 		Use:     "scan",
-		Short:   "Scan the current running cluster or yaml files",
+		Short:   "Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations",
 		Long:    `The action you want to perform`,
 		Example: scanCmdExamples,
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				if args[0] != "framework" && args[0] != "control" {
-					scanInfo.ScanAll = true
-					return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{"all"}, args...))
-				}
-			}
-			return nil
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if scanInfo.View == string(cautils.SecurityViewType) {
+				setSecurityViewScanInfo(args, &scanInfo)
 
-			if len(args) == 0 {
-				scanInfo.ScanAll = true
-				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, []string{"all"})
+				return securityScan(scanInfo, ks)
+			}
+
+			if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
+				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...))
 			}
 			return nil
 		},
-		PreRun: func(cmd *cobra.Command, args []string) {
-			k8sinterface.SetClusterContextName(scanInfo.KubeContext)
-		},
 		PostRun: func(cmd *cobra.Command, args []string) {
 			// TODO - revert context
 		},
 	}
 
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. e.g: --exclude-namespaces ns-a,ns-b. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
 
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().Float32VarP(&scanInfo.ComplianceThreshold, "compliance-threshold", "", 0, "Compliance threshold is the percent below which the command fails and returns exit code 1")
 
 	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
 	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
+	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.SecurityViewType, cautils.ResourceViewType))
 	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v2", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.CustomClusterName, "cluster-name", "", "Set the custom name of the cluster. Not same as the kube-context flag")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")
 
 	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
+	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
+
+	scanCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
+	scanCmd.PersistentFlags().MarkDeprecated("create-account", "Create account is no longer supported. In case of a missing Account ID and a configured backend server, a new account id will be generated automatically by Kubescape. Feel free to contact the Kubescape maintainers for more information.")
+	scanCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
 
 	// hidden flags
-	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
+	scanCmd.PersistentFlags().MarkHidden("omit-raw-resources")
+	scanCmd.PersistentFlags().MarkHidden("print-attack-tree")
 
 	// Retrieve --kubeconfig flag from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cmd.go
 	scanCmd.PersistentFlags().AddGoFlag(flag.Lookup("kubeconfig"))
@@ -100,9 +102,43 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
 	hostF.NoOptDefVal = "true"
 	hostF.DefValue = "false, for no TTY in stdin"
+	scanCmd.PersistentFlags().MarkHidden("enable-host-scan")
+	scanCmd.PersistentFlags().MarkDeprecated("enable-host-scan", "To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator. The flag will be removed at 1.Dec.2023")
+
+	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
+	scanCmd.PersistentFlags().MarkDeprecated("host-scan-yaml", "To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator. The flag will be removed at 1.Dec.2023")
 
 	scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
 	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
+	scanCmd.AddCommand(getWorkloadCmd(ks, &scanInfo))
 
 	return scanCmd
 }
+
+func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
+	if len(args) > 0 {
+		scanInfo.SetScanType(cautils.ScanTypeRepo)
+		scanInfo.InputPatterns = args
+	} else {
+		scanInfo.SetScanType(cautils.ScanTypeCluster)
+	}
+	scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
+}
+
+func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
+
+	ctx := context.TODO()
+
+	results, err := ks.Scan(ctx, &scanInfo)
+	if err != nil {
+		return err
+	}
+
+	if err = results.HandleResults(ctx); err != nil {
+		return err
+	}
+
+	enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), &scanInfo, utils.TerminateOnExceedingSeverity)
+
+	return nil
+}

cmd/scan/scan_test.go

@@ -1,15 +1,14 @@
 package scan
 
 import (
-	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 
-	"os"
-	"reflect"
 	"testing"
 )
 
@@ -24,93 +23,93 @@ func TestExceedsSeverity(t *testing.T) {
 		{
 			Description:      "Critical failed resource should exceed Critical threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Critical failed resource should exceed Critical threshold set as constant",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "High failed resource should not exceed Critical threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
 			Want:             false,
 		},
 		{
 			Description:      "Critical failed resource exceeds High threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "High failed resource exceeds High threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Medium failed resource does not exceed High threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
 			Want:             false,
 		},
 		{
 			Description:      "Critical failed resource exceeds Medium threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "High failed resource exceeds Medium threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Medium failed resource exceeds Medium threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Low failed resource does not exceed Medium threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
 			Want:             false,
 		},
 		{
 			Description:      "Critical failed resource exceeds Low threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "High failed resource exceeds Low threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Medium failed resource exceeds Low threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Low failed resource exceeds Low threshold",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
 			Want:             true,
 		},
 		{
 			Description:      "Unknown severity returns an error",
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
-			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
 			Want:             false,
-			Error:            ErrUnknownSeverity,
+			Error:            utils.ErrUnknownSeverity,
 		},
 	}
 
@@ -139,7 +138,7 @@ func Test_enforceSeverityThresholds(t *testing.T) {
 	}{
 		{
 			"Exceeding Critical severity counter should call the terminating function",
-			&reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			&reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
 			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
 			true,
 		},
@@ -160,7 +159,7 @@ func Test_enforceSeverityThresholds(t *testing.T) {
 				want := tc.Want
 
 				got := false
-				onExceed := func(*cautils.ScanInfo, logger.ILogger) {
+				onExceed := func(*cautils.ScanInfo, helpers.ILogger) {
 					got = true
 				}
 
@@ -174,81 +173,105 @@ func Test_enforceSeverityThresholds(t *testing.T) {
 	}
 }
 
-type spyLogMessage struct {
-	Message string
-	Details map[string]string
-}
-
-type spyLogger struct {
-	setItems []spyLogMessage
-}
-
-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)   {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)    {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)   {}
-func (l *spyLogger) SetLevel(level string) error                     { return nil }
-func (l *spyLogger) GetLevel() string                                { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                            {}
-func (l *spyLogger) GetWriter() *os.File                             { return &os.File{} }
-func (l *spyLogger) LoggerName() string                              { return "" }
-
-func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
-	firstDetail := details[0]
-	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
-
-	newMsg := spyLogMessage{msg, detailsMap}
-	l.setItems = append(l.setItems, newMsg)
-}
-
-func (l *spyLogger) GetSpiedItems() []spyLogMessage {
-	return l.setItems
-}
-
-func Test_terminateOnExceedingSeverity(t *testing.T) {
-	expectedMessage := "result exceeds severity threshold"
-	expectedKey := "set severity threshold"
-
-	testCases := []struct {
-		Description     string
-		ExpectedMessage string
-		ExpectedKey     string
-		ExpectedValue   string
-		Logger          *spyLogger
+func TestSetSecurityViewScanInfo(t *testing.T) {
+	tests := []struct {
+		name string
+		args []string
+		want *cautils.ScanInfo
 	}{
 		{
-			"Should log the Critical threshold that was set in scan info",
-			expectedMessage,
-			expectedKey,
-			apis.SeverityCriticalString,
-			&spyLogger{},
+			name: "no args",
+			args: []string{},
+			want: &cautils.ScanInfo{
+				InputPatterns: []string{},
+				ScanType:      cautils.ScanTypeCluster,
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "clusterscan",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "mitre",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "nsa",
+					},
+				},
+			},
 		},
 		{
-			"Should log the High threshold that was set in scan info",
-			expectedMessage,
-			expectedKey,
-			apis.SeverityHighString,
-			&spyLogger{},
+			name: "with args",
+			args: []string{
+				"file.yaml",
+				"file2.yaml",
+			},
+			want: &cautils.ScanInfo{
+				ScanType: cautils.ScanTypeRepo,
+				InputPatterns: []string{
+					"file.yaml",
+					"file2.yaml",
+				},
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "clusterscan",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "mitre",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "nsa",
+					},
+				},
+			},
 		},
 	}
 
-	for _, tc := range testCases {
-		t.Run(
-			tc.Description,
-			func(t *testing.T) {
-				want := []spyLogMessage{
-					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
-				}
-				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &cautils.ScanInfo{
+				View: string(cautils.SecurityViewType),
+			}
+			setSecurityViewScanInfo(tt.args, got)
 
-				terminateOnExceedingSeverity(scanInfo, tc.Logger)
+			if len(tt.want.InputPatterns) != len(got.InputPatterns) {
+				t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.InputPatterns, tt.want.InputPatterns)
+			}
 
-				got := tc.Logger.GetSpiedItems()
-				if !reflect.DeepEqual(got, want) {
-					t.Errorf("got: %v, want: %v", got, want)
+			if tt.want.ScanType != got.ScanType {
+				t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.ScanType, tt.want.ScanType)
+			}
+
+			for i := range tt.want.InputPatterns {
+				found := false
+				for j := range tt.want.InputPatterns[i] {
+					if tt.want.InputPatterns[i][j] == got.InputPatterns[i][j] {
+						found = true
+						break
+					}
 				}
-			},
-		)
+				if !found {
+					t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.InputPatterns, tt.want.InputPatterns)
+				}
+			}
+
+			for i := range tt.want.PolicyIdentifier {
+				found := false
+				for j := range got.PolicyIdentifier {
+					if tt.want.PolicyIdentifier[i].Kind == got.PolicyIdentifier[j].Kind && tt.want.PolicyIdentifier[i].Identifier == got.PolicyIdentifier[j].Identifier {
+						found = true
+						break
+					}
+				}
+				if !found {
+					t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.PolicyIdentifier, tt.want.PolicyIdentifier)
+				}
+			}
+		})
 	}
+
 }

cmd/scan/validators_test.go

@@ -1,8 +1,10 @@
 package scan
 
 import (
-	"github.com/kubescape/kubescape/v2/core/cautils"
 	"testing"
+
+	"github.com/kubescape/kubescape/v2/cmd/utils"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 )
 
 // Test_validateControlScanInfo tests how scan info is validated for the `scan control` command
@@ -25,7 +27,7 @@ func Test_validateControlScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			utils.ErrUnknownSeverity,
 		},
 	}
 
@@ -65,7 +67,17 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			utils.ErrUnknownSeverity,
+		},
+		{
+			"Security view should be invalid for scan info",
+			&cautils.ScanInfo{View: string(cautils.SecurityViewType)},
+			ErrSecurityViewNotSupported,
+		},
+		{
+			"Empty view should be valid for scan info",
+			&cautils.ScanInfo{},
+			nil,
 		},
 	}
 
@@ -85,27 +97,22 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 	}
 }
 
-func Test_validateSeverity(t *testing.T) {
+func Test_validateWorkloadIdentifier(t *testing.T) {
 	testCases := []struct {
 		Description string
 		Input       string
 		Want        error
 	}{
-		{"low should be a valid severity", "low", nil},
-		{"Low should be a valid severity", "Low", nil},
-		{"medium should be a valid severity", "medium", nil},
-		{"Medium should be a valid severity", "Medium", nil},
-		{"high should be a valid severity", "high", nil},
-		{"Critical should be a valid severity", "Critical", nil},
-		{"critical should be a valid severity", "critical", nil},
-		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+		{"valid workload identifier should be valid", "deployment/test", nil},
+		{"invalid workload identifier missing kind", "deployment", ErrInvalidWorkloadIdentifier},
+		{"invalid workload identifier with namespace", "ns/deployment/name", ErrInvalidWorkloadIdentifier},
 	}
 
 	for _, testCase := range testCases {
 		t.Run(testCase.Description, func(t *testing.T) {
 			input := testCase.Input
 			want := testCase.Want
-			got := validateSeverity(input)
+			got := validateWorkloadIdentifier(input)
 
 			if got != want {
 				t.Errorf("got: %v, want: %v", got, want)

cmd/scan/workload.go

@@ -0,0 +1,126 @@
+package scan
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	workloadExample = fmt.Sprintf(`
+  This command is still in BETA. Feel free to contact the Kubescape maintainers for more information.
+
+  Scan a workload for misconfigurations and image vulnerabilities.
+
+  # Scan an workload
+  %[1]s scan workload <kind>/<name>
+	
+  # Scan an workload in a specific namespace
+  %[1]s scan workload <kind>/<name> --namespace <namespace>
+
+  # Scan an workload from a file path
+  %[1]s scan workload <kind>/<name> --file-path <file path>
+  
+  # Scan an workload from a helm-chart template
+  %[1]s scan workload <kind>/<name> --chart-path <chart path> --file-path <file path>
+
+
+`, cautils.ExecName())
+
+	ErrInvalidWorkloadIdentifier = errors.New("invalid workload identifier")
+)
+
+var namespace string
+
+// controlCmd represents the control command
+func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	workloadCmd := &cobra.Command{
+		Use:     "workload <kind>/<name> [`<glob pattern>`/`-`] [flags]",
+		Short:   "Scan a workload for misconfigurations and image vulnerabilities",
+		Example: workloadExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("usage: <kind>/<name> [`<glob pattern>`/`-`] [flags]")
+			}
+
+			if scanInfo.ChartPath != "" && scanInfo.FilePath == "" {
+				return fmt.Errorf("usage: --chart-path <chart path> --file-path <file path>")
+			}
+
+			return validateWorkloadIdentifier(args[0])
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			kind, name, err := parseWorkloadIdentifierString(args[0])
+			if err != nil {
+				return fmt.Errorf("invalid input: %s", err.Error())
+			}
+
+			setWorkloadScanInfo(scanInfo, kind, name)
+
+			// todo: add api version if provided
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err = results.HandleResults(ctx); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			return nil
+		},
+	}
+	workloadCmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "", "Namespace of the workload. Default will be empty.")
+	workloadCmd.PersistentFlags().StringVar(&scanInfo.FilePath, "file-path", "", "Path to the workload file.")
+	workloadCmd.PersistentFlags().StringVar(&scanInfo.ChartPath, "chart-path", "", "Path to the helm chart the workload is part of. Must be used with --file-path.")
+
+	return workloadCmd
+}
+
+func setWorkloadScanInfo(scanInfo *cautils.ScanInfo, kind string, name string) {
+	scanInfo.SetScanType(cautils.ScanTypeWorkload)
+	scanInfo.ScanImages = true
+
+	scanInfo.ScanObject = &objectsenvelopes.ScanObject{}
+	scanInfo.ScanObject.SetNamespace(namespace)
+	scanInfo.ScanObject.SetKind(kind)
+	scanInfo.ScanObject.SetName(name)
+
+	scanInfo.SetPolicyIdentifiers([]string{"workloadscan"}, v1.KindFramework)
+
+	if scanInfo.FilePath != "" {
+		scanInfo.InputPatterns = []string{scanInfo.FilePath}
+	}
+}
+
+func validateWorkloadIdentifier(workloadIdentifier string) error {
+	// workloadIdentifier is in the form of kind/name
+	x := strings.Split(workloadIdentifier, "/")
+	if len(x) != 2 || x[0] == "" || x[1] == "" {
+		return ErrInvalidWorkloadIdentifier
+	}
+
+	return nil
+}
+
+func parseWorkloadIdentifierString(workloadIdentifier string) (kind, name string, err error) {
+	// workloadIdentifier is in the form of namespace/kind/name
+	// example: default/Deployment/nginx-deployment
+	x := strings.Split(workloadIdentifier, "/")
+	if len(x) != 2 {
+		return "", "", ErrInvalidWorkloadIdentifier
+	}
+
+	return x[0], x[1], nil
+}

cmd/scan/workload_test.go

@@ -0,0 +1,69 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+)
+
+func TestSetWorkloadScanInfo(t *testing.T) {
+	test := []struct {
+		Description string
+		kind        string
+		name        string
+		want        *cautils.ScanInfo
+	}{
+		{
+			Description: "Set workload scan info",
+			kind:        "Deployment",
+			name:        "test",
+			want: &cautils.ScanInfo{
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Identifier: "workloadscan",
+						Kind:       v1.KindFramework,
+					},
+				},
+				ScanType: cautils.ScanTypeWorkload,
+				ScanObject: &objectsenvelopes.ScanObject{
+					Kind: "Deployment",
+					Metadata: objectsenvelopes.ScanObjectMetadata{
+						Name: "test",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range test {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				scanInfo := &cautils.ScanInfo{}
+				setWorkloadScanInfo(scanInfo, tc.kind, tc.name)
+
+				if scanInfo.ScanType != tc.want.ScanType {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanType, tc.want.ScanType)
+				}
+
+				if scanInfo.ScanObject.Kind != tc.want.ScanObject.Kind {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanObject.Kind, tc.want.ScanObject.Kind)
+				}
+
+				if scanInfo.ScanObject.Metadata.Name != tc.want.ScanObject.Metadata.Name {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanObject.Metadata.Name, tc.want.ScanObject.Metadata.Name)
+				}
+
+				if len(scanInfo.PolicyIdentifier) != 1 {
+					t.Errorf("got: %v, want: %v", len(scanInfo.PolicyIdentifier), 1)
+				}
+
+				if scanInfo.PolicyIdentifier[0].Identifier != tc.want.PolicyIdentifier[0].Identifier {
+					t.Errorf("got: %v, want: %v", scanInfo.PolicyIdentifier[0].Identifier, tc.want.PolicyIdentifier[0].Identifier)
+				}
+			},
+		)
+	}
+}

cmd/submit/exceptions.go

@@ -1,34 +0,0 @@
-package submit
-
-import (
-	"fmt"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-
-	"github.com/spf13/cobra"
-)
-
-func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Command {
-	return &cobra.Command{
-		Use:   "exceptions <full path to exceptions file>",
-		Short: "Submit exceptions to the Kubescape SaaS version",
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return fmt.Errorf("missing full path to exceptions file")
-			}
-			return nil
-		},
-		Run: func(cmd *cobra.Command, args []string) {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-
-			if err := ks.SubmitExceptions(&submitInfo.Credentials, args[0]); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-		},
-	}
-}

cmd/submit/rbac.go

@@ -1,96 +0,0 @@
-package submit
-
-import (
-	"fmt"
-
-	"github.com/google/uuid"
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
-
-	"github.com/kubescape/rbac-utils/rbacscanner"
-	"github.com/spf13/cobra"
-)
-
-var (
-	rbacExamples = `
-	# Submit cluster's Role-Based Access Control(RBAC)
-	kubescape submit rbac
-
-	# Submit cluster's Role-Based Access Control(RBAC) with account ID 
-	kubescape submit rbac --account <account-id>
-	`
-)
-
-// getRBACCmd represents the RBAC command
-func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
-	return &cobra.Command{
-		Use:     "rbac",
-		Example: rbacExamples,
-		Short:   "Submit cluster's Role-Based Access Control(RBAC)",
-		Long:    ``,
-		RunE: func(cmd *cobra.Command, args []string) error {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				return err
-			}
-
-			k8s := k8sinterface.NewKubernetesApi()
-
-			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
-			if err := clusterConfig.SetTenant(); err != nil {
-				logger.L().Error("failed setting account ID", helpers.Error(err))
-			}
-
-			if clusterConfig.GetAccountID() == "" {
-				return fmt.Errorf("account ID is not set, run 'kubescape submit rbac --account <account-id>'")
-			}
-
-			// list RBAC
-			rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetAccountID(), clusterConfig.GetContextName()))
-
-			// submit resources
-			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextRBAC)
-
-			submitInterfaces := cliinterfaces.SubmitInterfaces{
-				ClusterConfig: clusterConfig,
-				SubmitObjects: rbacObjects,
-				Reporter:      r,
-			}
-
-			if err := ks.Submit(submitInterfaces); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-			return nil
-		},
-	}
-
-}
-
-// getKubernetesApi
-func getKubernetesApi() *k8sinterface.KubernetesApi {
-	if !k8sinterface.IsConnectedToCluster() {
-		return nil
-	}
-	return k8sinterface.NewKubernetesApi()
-}
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
-	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
-	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
-}
-
-// Check if the flag entered are valid
-func flagValidationSubmit(submitInfo *v1.Submit) error {
-
-	// Validate the user's credentials
-	return submitInfo.Credentials.Validate()
-}

cmd/submit/results.go

@@ -1,104 +0,0 @@
-package submit
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-
-	"github.com/google/uuid"
-	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/k8s-interface/workloadinterface"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
-
-	"github.com/spf13/cobra"
-)
-
-var formatVersion string
-
-type ResultsObject struct {
-	filePath     string
-	customerGUID string
-	clusterName  string
-}
-
-func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
-	return &ResultsObject{
-		filePath:     filePath,
-		customerGUID: customerGUID,
-		clusterName:  clusterName,
-	}
-}
-
-func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandlingv2.PostureReport, error) {
-	// load framework results from json file
-	report, err := loadResultsFromFile(resultsObject.filePath)
-	if err != nil {
-		return nil, err
-	}
-	return report, nil
-}
-
-func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
-	return map[string]workloadinterface.IMetadata{}, nil
-}
-
-func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
-	var resultsCmd = &cobra.Command{
-		Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json --format-version v2",
-		Short: "Submit a pre scanned results file. The file must be in json format",
-		Long:  ``,
-		RunE: func(cmd *cobra.Command, args []string) error {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				return err
-			}
-
-			if len(args) == 0 {
-				return fmt.Errorf("missing results file")
-			}
-
-			k8s := getKubernetesApi()
-
-			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
-			if err := clusterConfig.SetTenant(); err != nil {
-				logger.L().Error("failed setting account ID", helpers.Error(err))
-			}
-
-			resultsObjects := NewResultsObject(clusterConfig.GetAccountID(), clusterConfig.GetContextName(), args[0])
-
-			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextScan)
-
-			submitInterfaces := cliinterfaces.SubmitInterfaces{
-				ClusterConfig: clusterConfig,
-				SubmitObjects: resultsObjects,
-				Reporter:      r,
-			}
-
-			if err := ks.Submit(submitInterfaces); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-			return nil
-		},
-	}
-	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
-
-	return resultsCmd
-}
-func loadResultsFromFile(filePath string) (*reporthandlingv2.PostureReport, error) {
-	report := &reporthandlingv2.PostureReport{}
-	f, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(f, report); err != nil {
-		return report, fmt.Errorf("failed to unmarshal results file: %s, make sure you run kubescape with '--format=json --format-version=v2'", err.Error())
-	}
-	return report, nil
-}

cmd/submit/submit.go

@@ -1,32 +0,0 @@
-package submit
-
-import (
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-var submitCmdExamples = `
-
-`
-
-func GetSubmitCmd(ks meta.IKubescape) *cobra.Command {
-	var submitInfo metav1.Submit
-
-	submitCmd := &cobra.Command{
-		Use:   "submit <command>",
-		Short: "Submit an object to the Kubescape SaaS version",
-		Long:  ``,
-		Run: func(cmd *cobra.Command, args []string) {
-		},
-	}
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-
-	submitCmd.AddCommand(getExceptionsCmd(ks, &submitInfo))
-	submitCmd.AddCommand(getResultsCmd(ks, &submitInfo))
-	submitCmd.AddCommand(getRBACCmd(ks, &submitInfo))
-
-	return submitCmd
-}

cmd/update/update.go

@@ -5,52 +5,36 @@ package update
 //          kubescape update
 
 import (
-	"os/exec"
-	"runtime"
+	"fmt"
 
 	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
 
+const (
+	installationLink string = "https://github.com/kubescape/kubescape/blob/master/docs/installation.md"
+)
+
+var updateCmdExamples = fmt.Sprintf(`
+  # Update to the latest kubescape release
+  %[1]s update
+`, cautils.ExecName())
+
 func GetUpdateCmd() *cobra.Command {
 	updateCmd := &cobra.Command{
-		Use:   "update",
-		Short: "Update your version",
-		Long:  ``,
+		Use:     "update",
+		Short:   "Update to latest release version",
+		Long:    ``,
+		Example: updateCmdExamples,
 		RunE: func(_ *cobra.Command, args []string) error {
 			//Checking the user's version of kubescape to the latest release
 			if cautils.BuildNumber == cautils.LatestReleaseVersion {
 				//your version == latest version
-				logger.L().Info(("You are in the latest version"))
+				logger.L().Info(("Nothing to update, you are running the latest version"), helpers.String("Version", cautils.BuildNumber))
 			} else {
-
-				const OSTYPE string = runtime.GOOS
-				var ShellToUse string
-				switch OSTYPE {
-
-				case "windows":
-					cautils.StartSpinner()
-					//run the installation command for windows
-					ShellToUse = "powershell"
-					_, err := exec.Command(ShellToUse, "-c", "iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex").Output()
-
-					if err != nil {
-						logger.L().Fatal(err.Error())
-					}
-					cautils.StopSpinner()
-
-				default:
-					ShellToUse = "bash"
-					cautils.StartSpinner()
-					//run the installation command for linux and macOS
-					_, err := exec.Command(ShellToUse, "-c", "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash").Output()
-					if err != nil {
-						logger.L().Fatal(err.Error())
-					}
-
-					cautils.StopSpinner()
-				}
+				fmt.Printf("Please refer to our installation docs in the following link: %s", installationLink)
 			}
 			return nil
 		},

cmd/utils/utils.go

@@ -0,0 +1,27 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+var ErrUnknownSeverity = fmt.Errorf("unknown severity. Supported severities are: %s", strings.Join(reporthandlingapis.GetSupportedSeverities(), ", "))
+
+// validateSeverity returns an error if a given severity is not known, nil otherwise
+func ValidateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+func TerminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("Set severity threshold", scanInfo.FailThresholdSeverity))
+}

cmd/utils/utils_test.go

@@ -0,0 +1,124 @@
+package utils
+
+import (
+	"context"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) SetLevel(level string) error                         { return nil }
+func (l *spyLogger) GetLevel() string                                    { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                {}
+func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                  { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func TestTerminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "Set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				TerminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func TestValidateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := ValidateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}

cmd/version/git_native_disabled.go

@@ -0,0 +1,7 @@
+//go:build !gitenabled
+
+package version
+
+func isGitEnabled() bool {
+	return false
+}

cmd/version/git_native_enabled.go

@@ -0,0 +1,7 @@
+//go:build gitenabled
+
+package version
+
+func isGitEnabled() bool {
+	return true
+}

cmd/version/version.go

@@ -1,9 +1,11 @@
 package version
 
 import (
+	"context"
 	"fmt"
 	"os"
 
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
@@ -14,9 +16,14 @@ func GetVersionCmd() *cobra.Command {
 		Short: "Get current version",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			v := cautils.NewIVersionCheckHandler()
-			v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
-			fmt.Fprintln(os.Stdout, "Your current version is: "+cautils.BuildNumber)
+			ctx := context.TODO()
+			v := cautils.NewIVersionCheckHandler(ctx)
+			v.CheckLatestVersion(ctx, cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
+			fmt.Fprintf(os.Stdout,
+				"Your current version is: %s\n",
+				cautils.BuildNumber,
+			)
+			logger.L().Debug(fmt.Sprintf("git enabled in build: %t", isGitEnabled()))
 			return nil
 		},
 	}

core/cautils/controllink.go

@@ -0,0 +1,12 @@
+package cautils
+
+import (
+	"fmt"
+	"strings"
+)
+
+func GetControlLink(controlID string) string {
+	// For CIS Controls, cis-1.1.3 will be transformed to cis-1-1-3 in documentation link.
+	docLinkID := strings.ReplaceAll(controlID, ".", "-")
+	return fmt.Sprintf("https://hub.armosec.io/docs/%s", strings.ToLower(docLinkID))
+}

core/cautils/customerloader.go

@@ -3,13 +3,16 @@ package cautils
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
-	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/google/uuid"
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/backend/pkg/servicediscovery"
+	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
@@ -17,7 +20,20 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-const configFileName = "config"
+const (
+	configFileName              string = "config"
+	kubescapeNamespace          string = "kubescape"
+	kubescapeConfigMapName      string = "kubescape-config"
+	kubescapeCloudConfigMapName string = "ks-cloud-config"
+
+	// env vars
+	defaultConfigMapNameEnvVar      string = "KS_DEFAULT_CONFIGMAP_NAME"
+	defaultCloudConfigMapNameEnvVar string = "KS_DEFAULT_CLOUD_CONFIGMAP_NAME"
+	defaultConfigMapNamespaceEnvVar string = "KS_DEFAULT_CONFIGMAP_NAMESPACE"
+	accountIdEnvVar                 string = "KS_ACCOUNT_ID"
+	cloudApiUrlEnvVar               string = "KS_CLOUD_API_URL"
+	cloudReportUrlEnvVar            string = "KS_CLOUD_REPORT_URL"
+)
 
 func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
 
@@ -26,17 +42,10 @@ func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName +
 // ======================================================================================
 
 type ConfigObj struct {
-	AccountID          string `json:"accountID,omitempty"`
-	ClientID           string `json:"clientID,omitempty"`
-	SecretKey          string `json:"secretKey,omitempty"`
-	CustomerGUID       string `json:"customerGUID,omitempty"` // Deprecated
-	Token              string `json:"invitationParam,omitempty"`
-	CustomerAdminEMail string `json:"adminMail,omitempty"`
-	ClusterName        string `json:"clusterName,omitempty"`
-	CloudReportURL     string `json:"cloudReportURL,omitempty"`
-	CloudAPIURL        string `json:"cloudAPIURL,omitempty"`
-	CloudUIURL         string `json:"cloudUIURL,omitempty"`
-	CloudAuthURL       string `json:"cloudAuthURL,omitempty"`
+	AccountID      string `json:"accountID,omitempty"`
+	ClusterName    string `json:"clusterName,omitempty"`
+	CloudReportURL string `json:"cloudReportURL,omitempty"`
+	CloudAPIURL    string `json:"cloudAPIURL,omitempty"`
 }
 
 // Config - convert ConfigObj to config file
@@ -44,17 +53,11 @@ func (co *ConfigObj) Config() []byte {
 
 	// remove cluster name before saving to file
 	clusterName := co.ClusterName
-	customerAdminEMail := co.CustomerAdminEMail
-	token := co.Token
 	co.ClusterName = ""
-	co.Token = ""
-	co.CustomerAdminEMail = ""
 
 	b, err := json.MarshalIndent(co, "", "  ")
 
 	co.ClusterName = clusterName
-	co.CustomerAdminEMail = customerAdminEMail
-	co.Token = token
 
 	if err == nil {
 		return b
@@ -63,55 +66,61 @@ func (co *ConfigObj) Config() []byte {
 	return []byte{}
 }
 
+func (co *ConfigObj) updateEmptyFields(inCO *ConfigObj) error {
+	if inCO.AccountID != "" {
+		co.AccountID = inCO.AccountID
+	}
+	if inCO.CloudAPIURL != "" {
+		co.CloudAPIURL = inCO.CloudAPIURL
+	}
+	if inCO.CloudReportURL != "" {
+		co.CloudReportURL = inCO.CloudReportURL
+	}
+	if inCO.ClusterName != "" {
+		co.ClusterName = inCO.ClusterName
+	}
+
+	return nil
+}
+
 // ======================================================================================
 // =============================== interface ============================================
 // ======================================================================================
 type ITenantConfig interface {
-	// set
-	SetTenant() error
 	UpdateCachedConfig() error
-	DeleteCachedConfig() error
+	DeleteCachedConfig(ctx context.Context) error
+	GenerateAccountID() (string, error)
+	DeleteAccountID() error
 
 	// getters
 	GetContextName() string
 	GetAccountID() string
-	GetTenantEmail() string
-	GetToken() string
-	GetClientID() string
-	GetSecretKey() string
 	GetConfigObj() *ConfigObj
 	GetCloudReportURL() string
 	GetCloudAPIURL() string
-	GetCloudUIURL() string
-	GetCloudAuthURL() string
-	// GetBackendAPI() getter.IBackend
-	// GenerateURL()
-
-	IsConfigFound() bool
 }
 
 // ======================================================================================
 // ============================ Local Config ============================================
 // ======================================================================================
 // Config when scanning YAML files or URL but not a Kubernetes cluster
+
+var _ ITenantConfig = &LocalConfig{}
+
 type LocalConfig struct {
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
+	configObj *ConfigObj
 }
 
-func NewLocalConfig(
-	backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *LocalConfig {
-
+func NewLocalConfig(accountID, clusterName string, customClusterName string) *LocalConfig {
 	lc := &LocalConfig{
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
+		configObj: &ConfigObj{},
 	}
 	// get from configMap
 	if existsConfigFile() { // get from file
 		loadConfigFromFile(lc.configObj)
 	}
 
-	updateCredentials(lc.configObj, credentials)
+	updateAccountID(lc.configObj, accountID)
 	updateCloudURLs(lc.configObj)
 
 	// If a custom cluster name is provided then set that name, else use the cluster's original name
@@ -121,87 +130,41 @@ func NewLocalConfig(
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
-	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
-	lc.backendAPI.SetClientID(lc.configObj.ClientID)
-	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
-	if lc.configObj.CloudAPIURL != "" {
-		lc.backendAPI.SetCloudAPIURL(lc.configObj.CloudAPIURL)
-	} else {
-		lc.configObj.CloudAPIURL = lc.backendAPI.GetCloudAPIURL()
-	}
-	if lc.configObj.CloudAuthURL != "" {
-		lc.backendAPI.SetCloudAuthURL(lc.configObj.CloudAuthURL)
-	} else {
-		lc.configObj.CloudAuthURL = lc.backendAPI.GetCloudAuthURL()
-	}
-	if lc.configObj.CloudReportURL != "" {
-		lc.backendAPI.SetCloudReportURL(lc.configObj.CloudReportURL)
-	} else {
-		lc.configObj.CloudReportURL = lc.backendAPI.GetCloudReportURL()
-	}
-	if lc.configObj.CloudUIURL != "" {
-		lc.backendAPI.SetCloudUIURL(lc.configObj.CloudUIURL)
-	} else {
-		lc.configObj.CloudUIURL = lc.backendAPI.GetCloudUIURL()
-	}
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", lc.backendAPI.GetCloudAPIURL()), helpers.String("auth", lc.backendAPI.GetCloudAuthURL()), helpers.String("report", lc.backendAPI.GetCloudReportURL()), helpers.String("UI", lc.backendAPI.GetCloudUIURL()))
+	updatedKsCloud := initializeCloudAPI(lc)
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
 
 	return lc
 }
 
 func (lc *LocalConfig) GetConfigObj() *ConfigObj  { return lc.configObj }
-func (lc *LocalConfig) GetTenantEmail() string    { return lc.configObj.CustomerAdminEMail }
 func (lc *LocalConfig) GetAccountID() string      { return lc.configObj.AccountID }
-func (lc *LocalConfig) GetClientID() string       { return lc.configObj.ClientID }
-func (lc *LocalConfig) GetSecretKey() string      { return lc.configObj.SecretKey }
 func (lc *LocalConfig) GetContextName() string    { return lc.configObj.ClusterName }
-func (lc *LocalConfig) GetToken() string          { return lc.configObj.Token }
 func (lc *LocalConfig) GetCloudReportURL() string { return lc.configObj.CloudReportURL }
 func (lc *LocalConfig) GetCloudAPIURL() string    { return lc.configObj.CloudAPIURL }
-func (lc *LocalConfig) GetCloudUIURL() string     { return lc.configObj.CloudUIURL }
-func (lc *LocalConfig) GetCloudAuthURL() string   { return lc.configObj.CloudAuthURL }
-func (lc *LocalConfig) IsConfigFound() bool       { return existsConfigFile() }
-func (lc *LocalConfig) SetTenant() error {
-
-	// Kubescape Cloud tenant GUID
-	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
-		return err
-	}
-	lc.UpdateCachedConfig()
-	return nil
 
+func (lc *LocalConfig) GenerateAccountID() (string, error) {
+	lc.configObj.AccountID = uuid.NewString()
+	err := lc.UpdateCachedConfig()
+	return lc.configObj.AccountID, err
 }
+
+func (lc *LocalConfig) DeleteAccountID() error {
+	lc.configObj.AccountID = ""
+	return lc.UpdateCachedConfig()
+}
+
 func (lc *LocalConfig) UpdateCachedConfig() error {
+	logger.L().Debug("updating cached config", helpers.Interface("configObj", lc.configObj))
 	return updateConfigFile(lc.configObj)
 }
 
-func (lc *LocalConfig) DeleteCachedConfig() error {
+func (lc *LocalConfig) DeleteCachedConfig(ctx context.Context) error {
 	if err := DeleteConfigFile(); err != nil {
-		logger.L().Warning(err.Error())
+		logger.L().Ctx(ctx).Warning(err.Error())
 	}
 	return nil
 }
 
-func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
-
-	// get from Kubescape Cloud API
-	tenantResponse, err := backendAPI.GetTenant()
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // registered tenant
-			configObj.CustomerAdminEMail = tenantResponse.AdminMail
-		} else { // new tenant
-			configObj.Token = tenantResponse.Token
-			configObj.AccountID = tenantResponse.TenantID
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	return nil
-}
-
 // ======================================================================================
 // ========================== Cluster Config ============================================
 // ======================================================================================
@@ -214,40 +177,45 @@ KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescap
 KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
 
 KS_ACCOUNT_ID
-KS_CLIENT_ID
-KS_SECRET_KEY
 
 TODO - support:
 KS_CACHE // path to cached files
 */
+var _ ITenantConfig = &ClusterConfig{}
+
 type ClusterConfig struct {
-	backendAPI         getter.IBackend
-	k8s                *k8sinterface.KubernetesApi
-	configObj          *ConfigObj
-	configMapName      string
-	configMapNamespace string
+	k8s                  *k8sinterface.KubernetesApi
+	configObj            *ConfigObj
+	configMapNamespace   string
+	ksConfigMapName      string
+	ksCloudConfigMapName string
 }
 
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *ClusterConfig {
-	// var configObj *ConfigObj
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, clusterName string, customClusterName string) *ClusterConfig {
 	c := &ClusterConfig{
-		k8s:                k8s,
-		backendAPI:         backendAPI,
-		configObj:          &ConfigObj{},
-		configMapName:      getConfigMapName(),
-		configMapNamespace: getConfigMapNamespace(),
+		k8s:                  k8s,
+		configObj:            &ConfigObj{},
+		ksConfigMapName:      getKubescapeConfigMapName(),
+		ksCloudConfigMapName: getKubescapeCloudConfigMapName(),
+		configMapNamespace:   GetConfigMapNamespace(),
 	}
 
-	// first, load from configMap
-	if c.existsConfigMap() {
-		c.loadConfigFromConfigMap()
-	}
-
-	// second, load from file
+	// first, load from file
 	if existsConfigFile() { // get from file
 		loadConfigFromFile(c.configObj)
 	}
-	updateCredentials(c.configObj, credentials)
+
+	// second, load from configMap
+	if c.existsConfigMap(c.ksConfigMapName) {
+		c.updateConfigEmptyFieldsFromKubescapeConfigMap()
+	}
+
+	// third, load urls from cloudConfigMap
+	if c.existsConfigMap(c.ksCloudConfigMapName) {
+		c.updateConfigEmptyFieldsFromKubescapeCloudConfigMap()
+	}
+
+	updateAccountID(c.configObj, accountID)
 	updateCloudURLs(c.configObj)
 
 	// If a custom cluster name is provided then set that name, else use the cluster's original name
@@ -262,80 +230,25 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	} else { // override the cluster name if it has unwanted characters
 		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
 	}
-
-	c.backendAPI.SetAccountID(c.configObj.AccountID)
-	c.backendAPI.SetClientID(c.configObj.ClientID)
-	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
-	if c.configObj.CloudAPIURL != "" {
-		c.backendAPI.SetCloudAPIURL(c.configObj.CloudAPIURL)
-	} else {
-		c.configObj.CloudAPIURL = c.backendAPI.GetCloudAPIURL()
-	}
-	if c.configObj.CloudAuthURL != "" {
-		c.backendAPI.SetCloudAuthURL(c.configObj.CloudAuthURL)
-	} else {
-		c.configObj.CloudAuthURL = c.backendAPI.GetCloudAuthURL()
-	}
-	if c.configObj.CloudReportURL != "" {
-		c.backendAPI.SetCloudReportURL(c.configObj.CloudReportURL)
-	} else {
-		c.configObj.CloudReportURL = c.backendAPI.GetCloudReportURL()
-	}
-	if c.configObj.CloudUIURL != "" {
-		c.backendAPI.SetCloudUIURL(c.configObj.CloudUIURL)
-	} else {
-		c.configObj.CloudUIURL = c.backendAPI.GetCloudUIURL()
-	}
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", c.backendAPI.GetCloudAPIURL()), helpers.String("auth", c.backendAPI.GetCloudAuthURL()), helpers.String("report", c.backendAPI.GetCloudReportURL()), helpers.String("UI", c.backendAPI.GetCloudUIURL()))
-
+	updatedKsCloud := initializeCloudAPI(c)
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
 	return c
 }
 
 func (c *ClusterConfig) GetConfigObj() *ConfigObj  { return c.configObj }
 func (c *ClusterConfig) GetDefaultNS() string      { return c.configMapNamespace }
 func (c *ClusterConfig) GetAccountID() string      { return c.configObj.AccountID }
-func (c *ClusterConfig) GetClientID() string       { return c.configObj.ClientID }
-func (c *ClusterConfig) GetSecretKey() string      { return c.configObj.SecretKey }
-func (c *ClusterConfig) GetTenantEmail() string    { return c.configObj.CustomerAdminEMail }
-func (c *ClusterConfig) GetToken() string          { return c.configObj.Token }
 func (c *ClusterConfig) GetCloudReportURL() string { return c.configObj.CloudReportURL }
 func (c *ClusterConfig) GetCloudAPIURL() string    { return c.configObj.CloudAPIURL }
-func (c *ClusterConfig) GetCloudUIURL() string     { return c.configObj.CloudUIURL }
-func (c *ClusterConfig) GetCloudAuthURL() string   { return c.configObj.CloudAuthURL }
-
-func (c *ClusterConfig) IsConfigFound() bool { return existsConfigFile() || c.existsConfigMap() }
-
-func (c *ClusterConfig) SetTenant() error {
-
-	// ARMO tenant GUID
-	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
-		return err
-	}
-	c.UpdateCachedConfig()
-	return nil
-
-}
 
 func (c *ClusterConfig) UpdateCachedConfig() error {
-	// update/create config
-	if c.existsConfigMap() {
-		if err := c.updateConfigMap(); err != nil {
-			return err
-		}
-	} else {
-		if err := c.createConfigMap(); err != nil {
-			return err
-		}
-	}
+	logger.L().Debug("updating cached config", helpers.Interface("configObj", c.configObj))
 	return updateConfigFile(c.configObj)
 }
 
-func (c *ClusterConfig) DeleteCachedConfig() error {
-	if err := c.deleteConfigMap(); err != nil {
-		logger.L().Warning(err.Error())
-	}
+func (c *ClusterConfig) DeleteCachedConfig(ctx context.Context) error {
 	if err := DeleteConfigFile(); err != nil {
-		logger.L().Warning(err.Error())
+		logger.L().Ctx(ctx).Warning(err.Error())
 	}
 	return nil
 }
@@ -350,13 +263,45 @@ func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	}
 	return m
 }
-func (c *ClusterConfig) loadConfigFromConfigMap() error {
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksConfigMapName, metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
 
-	return loadConfigFromData(c.configObj, configMap.Data)
+	tempCO := ConfigObj{}
+	if jsonConf, ok := configMap.Data["config.json"]; ok {
+		if err = json.Unmarshal([]byte(jsonConf), &tempCO); err != nil {
+			return err
+		}
+		return c.configObj.updateEmptyFields(&tempCO)
+	}
+	return err
+}
+
+func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeCloudConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksCloudConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if jsonConf, ok := configMap.Data["services"]; ok {
+		services, err := servicediscovery.GetServices(
+			servicediscoveryv1.NewServiceDiscoveryStreamV1([]byte(jsonConf)),
+		)
+		if err != nil {
+			return err
+		}
+
+		if services.GetApiServerUrl() != "" {
+			c.configObj.CloudAPIURL = services.GetApiServerUrl()
+		}
+		if services.GetReportReceiverHttpUrl() != "" {
+			c.configObj.CloudReportURL = services.GetReportReceiverHttpUrl()
+		}
+	}
+	return nil
 }
 
 func loadConfigFromData(co *ConfigObj, data map[string]string) error {
@@ -370,110 +315,36 @@ func loadConfigFromData(co *ConfigObj, data map[string]string) error {
 
 	return e
 }
-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-	// TODO - check if has customerGUID
+
+func (c *ClusterConfig) existsConfigMap(name string) bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), name, metav1.GetOptions{})
 	return err == nil
 }
 
-func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return "", err
-	}
-	if val, ok := configMap.Data[key]; ok {
-		return val, nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-}
-
-func GetValueFromConfigJson(key string) (string, error) {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return "", err
-	}
-	var obj map[string]interface{}
-	if err := json.Unmarshal(data, &obj); err != nil {
-		return "", err
-	}
-	if val, ok := obj[key]; ok {
-		return fmt.Sprint(val), nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-
-}
-
-func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: c.configMapName,
-			},
-		}
-	}
-
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-
-	configMap.Data[key] = value
-
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
-
-	return err
-}
-
 func existsConfigFile() bool {
 	_, err := os.ReadFile(ConfigFileFullPath())
 	return err == nil
 }
 
-func (c *ClusterConfig) createConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: c.configMapName,
-		},
-	}
-	c.updateConfigData(configMap)
-
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return err
-	}
-
-	c.updateConfigData(configMap)
-
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	return err
-}
-
 func updateConfigFile(configObj *ConfigObj) error {
-	if err := os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664); err != nil {
+	fullPath := ConfigFileFullPath()
+	dir := filepath.Dir(fullPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
 		return err
 	}
-	return nil
+
+	return os.WriteFile(fullPath, configObj.Config(), 0664) //nolint:gosec
+}
+
+func (c *ClusterConfig) GenerateAccountID() (string, error) {
+	c.configObj.AccountID = uuid.NewString()
+	err := c.UpdateCachedConfig()
+	return c.configObj.AccountID, err
+}
+
+func (c *ClusterConfig) DeleteAccountID() error {
+	c.configObj.AccountID = ""
+	return c.UpdateCachedConfig()
 }
 
 func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
@@ -503,35 +374,9 @@ func readConfig(dat []byte, configObj *ConfigObj) error {
 	if err := json.Unmarshal(dat, configObj); err != nil {
 		return err
 	}
-	if configObj.AccountID == "" {
-		configObj.AccountID = configObj.CustomerGUID
-	}
-	configObj.CustomerGUID = ""
 	return nil
 }
 
-// Check if the customer is submitted
-func (clusterConfig *ClusterConfig) IsSubmitted() bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
-}
-
-// Check if the customer is registered
-func (clusterConfig *ClusterConfig) IsRegistered() bool {
-
-	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetTenant()
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			return true
-		}
-	}
-	return false
-}
-
-func (clusterConfig *ClusterConfig) deleteConfigMap() error {
-	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
-}
-
 func DeleteConfigFile() error {
 	return os.Remove(ConfigFileFullPath())
 }
@@ -544,66 +389,49 @@ func AdoptClusterName(clusterName string) string {
 	return re.ReplaceAllString(clusterName, "-")
 }
 
-func getConfigMapName() string {
-	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAME"); n != "" {
+func getKubescapeConfigMapName() string {
+	if n := os.Getenv(defaultConfigMapNameEnvVar); n != "" {
 		return n
 	}
-	return "kubescape"
+	return kubescapeConfigMapName
 }
 
-func getConfigMapNamespace() string {
-	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAMESPACE"); n != "" {
+func getKubescapeCloudConfigMapName() string {
+	if n := os.Getenv(defaultCloudConfigMapNameEnvVar); n != "" {
 		return n
 	}
-	return "default"
+
+	return kubescapeCloudConfigMapName
 }
 
-func getAccountFromEnv(credentials *Credentials) {
-	// load from env
-	if accountID := os.Getenv("KS_ACCOUNT_ID"); credentials.Account == "" && accountID != "" {
-		credentials.Account = accountID
-	}
-	if clientID := os.Getenv("KS_CLIENT_ID"); credentials.ClientID == "" && clientID != "" {
-		credentials.ClientID = clientID
-	}
-	if secretKey := os.Getenv("KS_SECRET_KEY"); credentials.SecretKey == "" && secretKey != "" {
-		credentials.SecretKey = secretKey
+// GetConfigMapNamespace returns the namespace of the cluster config, which is the same for all in-cluster components
+func GetConfigMapNamespace() string {
+	if n := os.Getenv(defaultConfigMapNamespaceEnvVar); n != "" {
+		return n
 	}
+	return kubescapeNamespace
 }
 
-func updateCredentials(configObj *ConfigObj, credentials *Credentials) {
-
-	if credentials == nil {
-		credentials = &Credentials{}
-	}
-	getAccountFromEnv(credentials)
-
-	if credentials.Account != "" {
-		configObj.AccountID = credentials.Account // override config Account
-	}
-	if credentials.ClientID != "" {
-		configObj.ClientID = credentials.ClientID // override config ClientID
-	}
-	if credentials.SecretKey != "" {
-		configObj.SecretKey = credentials.SecretKey // override config SecretKey
+func updateAccountID(configObj *ConfigObj, accountID string) {
+	if accountID != "" {
+		configObj.AccountID = accountID
 	}
 
+	if envAccountID := os.Getenv(accountIdEnvVar); envAccountID != "" {
+		configObj.AccountID = envAccountID
+	}
 }
 
 func getCloudURLsFromEnv(cloudURLs *CloudURLs) {
 	// load from env
-	if cloudAPIURL := os.Getenv("KS_CLOUD_API_URL"); cloudAPIURL != "" {
+	if cloudAPIURL := os.Getenv(cloudApiUrlEnvVar); cloudAPIURL != "" {
+		logger.L().Debug("cloud API URL updated from env var", helpers.Interface(cloudApiUrlEnvVar, cloudAPIURL))
 		cloudURLs.CloudAPIURL = cloudAPIURL
 	}
-	if cloudAuthURL := os.Getenv("KS_CLOUD_AUTH_URL"); cloudAuthURL != "" {
-		cloudURLs.CloudAuthURL = cloudAuthURL
-	}
-	if cloudReportURL := os.Getenv("KS_CLOUD_REPORT_URL"); cloudReportURL != "" {
+	if cloudReportURL := os.Getenv(cloudReportUrlEnvVar); cloudReportURL != "" {
+		logger.L().Debug("cloud Report URL updated from env var", helpers.Interface(cloudReportUrlEnvVar, cloudReportURL))
 		cloudURLs.CloudReportURL = cloudReportURL
 	}
-	if cloudUIURL := os.Getenv("KS_CLOUD_UI_URL"); cloudUIURL != "" {
-		cloudURLs.CloudUIURL = cloudUIURL
-	}
 }
 
 func updateCloudURLs(configObj *ConfigObj) {
@@ -614,14 +442,25 @@ func updateCloudURLs(configObj *ConfigObj) {
 	if cloudURLs.CloudAPIURL != "" {
 		configObj.CloudAPIURL = cloudURLs.CloudAPIURL // override config CloudAPIURL
 	}
-	if cloudURLs.CloudAuthURL != "" {
-		configObj.CloudAuthURL = cloudURLs.CloudAuthURL // override config CloudAuthURL
-	}
 	if cloudURLs.CloudReportURL != "" {
 		configObj.CloudReportURL = cloudURLs.CloudReportURL // override config CloudReportURL
 	}
-	if cloudURLs.CloudUIURL != "" {
-		configObj.CloudUIURL = cloudURLs.CloudUIURL // override config CloudUIURL
-	}
 
 }
+
+func initializeCloudAPI(c ITenantConfig) *v1.KSCloudAPI {
+	logger.L().Debug("initializing KS Cloud API from config", helpers.String("accountID", c.GetAccountID()), helpers.String("cloudAPIURL", c.GetCloudAPIURL()), helpers.String("cloudReportURL", c.GetCloudReportURL()))
+	cloud, err := v1.NewKSCloudAPI(c.GetCloudAPIURL(), c.GetCloudReportURL(), c.GetAccountID())
+	if err != nil {
+		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+	}
+	getter.SetKSCloudAPIConnector(cloud)
+	return getter.GetKSCloudAPIConnector()
+}
+
+func GetTenantConfig(accountID, clusterName, customClusterName string, k8s *k8sinterface.KubernetesApi) ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return NewLocalConfig(accountID, clusterName, customClusterName)
+	}
+	return NewClusterConfig(k8s, accountID, clusterName, customClusterName)
+}

core/cautils/customerloader_test.go

@@ -5,35 +5,28 @@ import (
 	"os"
 	"testing"
 
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 )
 
 func mockConfigObj() *ConfigObj {
 	return &ConfigObj{
-		AccountID:          "aaa",
-		ClientID:           "bbb",
-		SecretKey:          "ccc",
-		ClusterName:        "ddd",
-		CustomerAdminEMail: "ab@cd",
-		Token:              "eee",
-		CloudReportURL:     "report.armo.cloud",
-		CloudAPIURL:        "api.armosec.io",
-		CloudUIURL:         "cloud.armosec.io",
-		CloudAuthURL:       "auth.armosec.io",
+		AccountID:      "aaa",
+		ClusterName:    "ddd",
+		CloudReportURL: "report.domain.com",
+		CloudAPIURL:    "api.domain.com",
 	}
 }
 func mockLocalConfig() *LocalConfig {
 	return &LocalConfig{
-		backendAPI: nil,
-		configObj:  mockConfigObj(),
+		configObj: mockConfigObj(),
 	}
 }
 
 func mockClusterConfig() *ClusterConfig {
 	return &ClusterConfig{
-		backendAPI: nil,
-		configObj:  mockConfigObj(),
+		configObj: mockConfigObj(),
 	}
 }
 func TestConfig(t *testing.T) {
@@ -42,15 +35,9 @@ func TestConfig(t *testing.T) {
 
 	assert.NoError(t, json.Unmarshal(co.Config(), &cop))
 	assert.Equal(t, co.AccountID, cop.AccountID)
-	assert.Equal(t, co.ClientID, cop.ClientID)
-	assert.Equal(t, co.SecretKey, cop.SecretKey)
 	assert.Equal(t, co.CloudReportURL, cop.CloudReportURL)
 	assert.Equal(t, co.CloudAPIURL, cop.CloudAPIURL)
-	assert.Equal(t, co.CloudUIURL, cop.CloudUIURL)
-	assert.Equal(t, co.CloudAuthURL, cop.CloudAuthURL)
-	assert.Equal(t, "", cop.ClusterName)        // Not copied to bytes
-	assert.Equal(t, "", cop.CustomerAdminEMail) // Not copied to bytes
-	assert.Equal(t, "", cop.Token)              // Not copied to bytes
+	assert.Equal(t, "", cop.ClusterName) // Not copied to bytes
 
 }
 
@@ -64,27 +51,15 @@ func TestITenantConfig(t *testing.T) {
 
 	// test LocalConfig methods
 	assert.Equal(t, co.AccountID, lc.GetAccountID())
-	assert.Equal(t, co.ClientID, lc.GetClientID())
-	assert.Equal(t, co.SecretKey, lc.GetSecretKey())
 	assert.Equal(t, co.ClusterName, lc.GetContextName())
-	assert.Equal(t, co.CustomerAdminEMail, lc.GetTenantEmail())
-	assert.Equal(t, co.Token, lc.GetToken())
 	assert.Equal(t, co.CloudReportURL, lc.GetCloudReportURL())
 	assert.Equal(t, co.CloudAPIURL, lc.GetCloudAPIURL())
-	assert.Equal(t, co.CloudUIURL, lc.GetCloudUIURL())
-	assert.Equal(t, co.CloudAuthURL, lc.GetCloudAuthURL())
 
 	// test ClusterConfig methods
 	assert.Equal(t, co.AccountID, c.GetAccountID())
-	assert.Equal(t, co.ClientID, c.GetClientID())
-	assert.Equal(t, co.SecretKey, c.GetSecretKey())
 	assert.Equal(t, co.ClusterName, c.GetContextName())
-	assert.Equal(t, co.CustomerAdminEMail, c.GetTenantEmail())
-	assert.Equal(t, co.Token, c.GetToken())
 	assert.Equal(t, co.CloudReportURL, c.GetCloudReportURL())
 	assert.Equal(t, co.CloudAPIURL, c.GetCloudAPIURL())
-	assert.Equal(t, co.CloudUIURL, c.GetCloudUIURL())
-	assert.Equal(t, co.CloudAuthURL, c.GetCloudAuthURL())
 }
 
 func TestUpdateConfigData(t *testing.T) {
@@ -95,12 +70,8 @@ func TestUpdateConfigData(t *testing.T) {
 	c.updateConfigData(configMap)
 
 	assert.Equal(t, c.GetAccountID(), configMap.Data["accountID"])
-	assert.Equal(t, c.GetClientID(), configMap.Data["clientID"])
-	assert.Equal(t, c.GetSecretKey(), configMap.Data["secretKey"])
 	assert.Equal(t, c.GetCloudReportURL(), configMap.Data["cloudReportURL"])
 	assert.Equal(t, c.GetCloudAPIURL(), configMap.Data["cloudAPIURL"])
-	assert.Equal(t, c.GetCloudUIURL(), configMap.Data["cloudUIURL"])
-	assert.Equal(t, c.GetCloudAuthURL(), configMap.Data["cloudAuthURL"])
 }
 
 func TestReadConfig(t *testing.T) {
@@ -113,15 +84,9 @@ func TestReadConfig(t *testing.T) {
 	readConfig(b, co)
 
 	assert.Equal(t, com.AccountID, co.AccountID)
-	assert.Equal(t, com.ClientID, co.ClientID)
-	assert.Equal(t, com.SecretKey, co.SecretKey)
 	assert.Equal(t, com.ClusterName, co.ClusterName)
-	assert.Equal(t, com.CustomerAdminEMail, co.CustomerAdminEMail)
-	assert.Equal(t, com.Token, co.Token)
 	assert.Equal(t, com.CloudReportURL, co.CloudReportURL)
 	assert.Equal(t, com.CloudAPIURL, co.CloudAPIURL)
-	assert.Equal(t, com.CloudUIURL, co.CloudUIURL)
-	assert.Equal(t, com.CloudAuthURL, co.CloudAuthURL)
 }
 
 func TestLoadConfigFromData(t *testing.T) {
@@ -140,15 +105,9 @@ func TestLoadConfigFromData(t *testing.T) {
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, c.GetAccountID(), co.AccountID)
-		assert.Equal(t, c.GetClientID(), co.ClientID)
-		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
 		assert.Equal(t, c.GetContextName(), co.ClusterName)
-		assert.Equal(t, c.GetTenantEmail(), co.CustomerAdminEMail)
-		assert.Equal(t, c.GetToken(), co.Token)
 		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
 		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
-		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
-		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: all data is in config.json
@@ -166,12 +125,8 @@ func TestLoadConfigFromData(t *testing.T) {
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, c.GetAccountID(), co.AccountID)
-		assert.Equal(t, c.GetClientID(), co.ClientID)
-		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
 		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
 		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
-		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
-		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: some data is in config.json
@@ -182,21 +137,15 @@ func TestLoadConfigFromData(t *testing.T) {
 		}
 
 		// add to map
-		configMap.Data["clientID"] = c.configObj.ClientID
-		configMap.Data["secretKey"] = c.configObj.SecretKey
 		configMap.Data["cloudReportURL"] = c.configObj.CloudReportURL
 
 		// delete the content
-		c.configObj.ClientID = ""
-		c.configObj.SecretKey = ""
 		c.configObj.CloudReportURL = ""
 
 		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.NotEmpty(t, c.GetAccountID())
-		assert.NotEmpty(t, c.GetClientID())
-		assert.NotEmpty(t, c.GetSecretKey())
 		assert.NotEmpty(t, c.GetCloudReportURL())
 	}
 
@@ -211,19 +160,11 @@ func TestLoadConfigFromData(t *testing.T) {
 
 		// add to map
 		configMap.Data["accountID"] = mockConfigObj().AccountID
-		configMap.Data["clientID"] = c.configObj.ClientID
-		configMap.Data["secretKey"] = c.configObj.SecretKey
-
-		// delete the content
-		c.configObj.ClientID = ""
-		c.configObj.SecretKey = ""
 
 		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, mockConfigObj().AccountID, c.GetAccountID())
-		assert.NotEmpty(t, c.GetClientID())
-		assert.NotEmpty(t, c.GetSecretKey())
 	}
 
 }
@@ -268,3 +209,149 @@ func TestUpdateCloudURLs(t *testing.T) {
 	updateCloudURLs(co)
 	assert.Equal(t, co.CloudAPIURL, mockCloudAPIURL)
 }
+
+func Test_initializeCloudAPI(t *testing.T) {
+	type args struct {
+		c ITenantConfig
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "test",
+			args: args{
+				c: mockClusterConfig(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			initializeCloudAPI(tt.args.c)
+			cloud := getter.GetKSCloudAPIConnector()
+			assert.Equal(t, "https://api.domain.com", cloud.GetCloudAPIURL())
+			assert.Equal(t, "https://report.domain.com", cloud.GetCloudReportURL())
+			assert.Equal(t, tt.args.c.GetAccountID(), cloud.GetAccountID())
+		})
+	}
+}
+
+func TestGetConfigMapNamespace(t *testing.T) {
+	tests := []struct {
+		name string
+		env  string
+		want string
+	}{
+		{
+			name: "no env",
+			want: kubescapeNamespace,
+		},
+		{
+			name: "default ns",
+			env:  kubescapeNamespace,
+			want: kubescapeNamespace,
+		},
+		{
+			name: "custom ns",
+			env:  "my-ns",
+			want: "my-ns",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.env != "" {
+				_ = os.Setenv("KS_DEFAULT_CONFIGMAP_NAMESPACE", tt.env)
+			}
+			assert.Equalf(t, tt.want, GetConfigMapNamespace(), "GetConfigMapNamespace()")
+		})
+	}
+}
+
+const (
+	anyString       string = "anyString"
+	shouldNotUpdate string = "shouldNotUpdate"
+	shouldUpdate    string = "shouldUpdate"
+)
+
+func checkIsUpdateCorrectly(t *testing.T, beforeField string, afterField string) {
+	switch beforeField {
+	case anyString:
+		assert.Equal(t, anyString, afterField)
+	case "":
+		assert.Equal(t, shouldUpdate, afterField)
+	}
+}
+
+func TestUpdateEmptyFields(t *testing.T) {
+
+	tests := []struct {
+		inCo  *ConfigObj
+		outCo *ConfigObj
+	}{
+		{
+			outCo: &ConfigObj{
+				AccountID:      "",
+				ClusterName:    "",
+				CloudReportURL: "",
+				CloudAPIURL:    "",
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldUpdate,
+				ClusterName:    shouldUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      anyString,
+				ClusterName:    "",
+				CloudReportURL: "",
+				CloudAPIURL:    "",
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldNotUpdate,
+				ClusterName:    shouldUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      "",
+				ClusterName:    anyString,
+				CloudReportURL: anyString,
+				CloudAPIURL:    anyString,
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldUpdate,
+				ClusterName:    shouldNotUpdate,
+				CloudReportURL: shouldNotUpdate,
+				CloudAPIURL:    shouldNotUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      anyString,
+				ClusterName:    anyString,
+				CloudReportURL: "",
+				CloudAPIURL:    anyString,
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldNotUpdate,
+				ClusterName:    shouldNotUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldNotUpdate,
+			},
+		},
+	}
+
+	for i := range tests {
+		beforeChangesOutCO := tests[i].outCo
+		tests[i].outCo.updateEmptyFields(tests[i].inCo)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.AccountID, tests[i].outCo.AccountID)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.CloudAPIURL, tests[i].outCo.CloudAPIURL)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.CloudReportURL, tests[i].outCo.CloudReportURL)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.ClusterName, tests[i].outCo.ClusterName)
+	}
+}

core/cautils/datastructures.go

@@ -1,10 +1,15 @@
 package cautils
 
 import (
+	"context"
+	"sort"
+
+	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
 	apis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/prioritization"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
@@ -12,27 +17,50 @@ import (
 
 // K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
 type K8SResources map[string][]string
-type KSResources map[string][]string
+type ExternalResources map[string][]string
+
+type ImageScanData struct {
+	PresenterConfig *models.PresenterConfig
+	Image           string
+}
+
+type ScanTypes string
+
+const (
+	TopWorkloadsNumber           = 5
+	ScanTypeCluster    ScanTypes = "cluster"
+	ScanTypeRepo       ScanTypes = "repo"
+	ScanTypeImage      ScanTypes = "image"
+	ScanTypeWorkload   ScanTypes = "workload"
+	ScanTypeFramework  ScanTypes = "framework"
+	ScanTypeControl    ScanTypes = "control"
+)
 
 type OPASessionObj struct {
-	K8SResources          *K8SResources                                 // input k8s objects
-	ArmoResource          *KSResources                                  // input ARMO objects
+	K8SResources          K8SResources                                  // input k8s objects
+	ExternalResources     ExternalResources                             // input non-k8s objects (external resources)
 	AllPolicies           *Policies                                     // list of all frameworks
-	Policies              []reporthandling.Framework                    // list of frameworks to scan
+	ExcludedRules         map[string]bool                               // rules to exclude map[rule name>]X
 	AllResources          map[string]workloadinterface.IMetadata        // all scanned resources, map[<resource ID>]<resource>
 	ResourcesResult       map[string]resourcesresults.Result            // resources scan results, map[<resource ID>]<resource result>
 	ResourceSource        map[string]reporthandling.Source              // resources sources, map[<resource ID>]<resource result>
 	ResourcesPrioritized  map[string]prioritization.PrioritizedResource // resources prioritization information, map[<resource ID>]<prioritized resource>
-	Report                *reporthandlingv2.PostureReport               // scan results v2 - Remove
-	Exceptions            []armotypes.PostureExceptionPolicy            // list of exceptions to apply on scan results
-	RegoInputData         RegoInputData                                 // input passed to rego for scanning. map[<control name>][<input arguments>]
+	ResourceAttackTracks  map[string]v1alpha1.IAttackTrack              // resources attack tracks, map[<resource ID>]<attack track>
+	AttackTracks          map[string]v1alpha1.IAttackTrack
+	Report                *reporthandlingv2.PostureReport // scan results v2 - Remove
+	RegoInputData         RegoInputData                   // input passed to rego for scanning. map[<control name>][<input arguments>]
 	Metadata              *reporthandlingv2.Metadata
-	InfoMap               map[string]apis.StatusInfo // Map errors of resources to StatusInfo
-	ResourceToControlsMap map[string][]string        // map[<apigroup/apiversion/resource>] = [<control_IDs>]
-	SessionID             string                     // SessionID
+	InfoMap               map[string]apis.StatusInfo         // Map errors of resources to StatusInfo
+	ResourceToControlsMap map[string][]string                // map[<apigroup/apiversion/resource>] = [<control_IDs>]
+	SessionID             string                             // SessionID
+	Policies              []reporthandling.Framework         // list of frameworks to scan
+	Exceptions            []armotypes.PostureExceptionPolicy // list of exceptions to apply on scan results
+	OmitRawResources      bool                               // omit raw resources from output
+	SingleResourceScan    workloadinterface.IWorkload        // single resource scan
+	TopWorkloadsByScore   []reporthandling.IResource
 }
 
-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources, scanInfo *ScanInfo) *OPASessionObj {
+func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources K8SResources, scanInfo *ScanInfo) *OPASessionObj {
 	return &OPASessionObj{
 		Report:                &reporthandlingv2.PostureReport{},
 		Policies:              frameworks,
@@ -44,7 +72,47 @@ func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SRe
 		ResourceToControlsMap: make(map[string][]string),
 		ResourceSource:        make(map[string]reporthandling.Source),
 		SessionID:             scanInfo.ScanID,
-		Metadata:              scanInfoToScanMetadata(scanInfo),
+		Metadata:              scanInfoToScanMetadata(ctx, scanInfo),
+		OmitRawResources:      scanInfo.OmitRawResources,
+	}
+}
+
+// SetTopWorkloads sets the top workloads by score
+func (sessionObj *OPASessionObj) SetTopWorkloads() {
+	count := 0
+
+	topWorkloadsSorted := make([]prioritization.PrioritizedResource, 0)
+
+	// create list in order to sort
+	for _, wl := range sessionObj.ResourcesPrioritized {
+		topWorkloadsSorted = append(topWorkloadsSorted, wl)
+	}
+
+	// sort by score. If scores are equal, sort by resource ID
+	sort.Slice(topWorkloadsSorted, func(i, j int) bool {
+		if topWorkloadsSorted[i].Score == topWorkloadsSorted[j].Score {
+			return topWorkloadsSorted[i].ResourceID < topWorkloadsSorted[j].ResourceID
+		}
+		return topWorkloadsSorted[i].Score > topWorkloadsSorted[j].Score
+	})
+
+	if sessionObj.Report == nil {
+		sessionObj.Report = &reporthandlingv2.PostureReport{}
+	}
+
+	// set top workloads according to number of top workloads
+	for i := 0; i < TopWorkloadsNumber; i++ {
+		if i >= len(topWorkloadsSorted) {
+			break
+		}
+		source := sessionObj.ResourceSource[topWorkloadsSorted[i].ResourceID]
+		wlObj := &reporthandling.Resource{
+			IMetadata: sessionObj.AllResources[topWorkloadsSorted[i].ResourceID],
+			Source:    &source,
+		}
+
+		sessionObj.TopWorkloadsByScore = append(sessionObj.TopWorkloadsByScore, wlObj)
+		count++
 	}
 }
 
@@ -94,6 +162,7 @@ type Exception struct {
 
 type RegoInputData struct {
 	PostureControlInputs map[string][]string `json:"postureControlInputs"`
+	DataControlInputs    map[string]string   `json:"dataControlInputs"`
 	// ClusterName          string              `json:"clusterName"`
 	// K8sConfig            RegoK8sConfig       `json:"k8sconfig"`
 }

core/cautils/datastructuresmethods.go

@@ -4,7 +4,9 @@ import (
 	"golang.org/x/mod/semver"
 
 	"github.com/armosec/utils-go/boolutils"
+	cloudsupport "github.com/kubescape/k8s-interface/cloudsupport/v1"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
 )
 
 func NewPolicies() *Policies {
@@ -14,22 +16,41 @@ func NewPolicies() *Policies {
 	}
 }
 
-func (policies *Policies) Set(frameworks []reporthandling.Framework, version string) {
+func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
 	for i := range frameworks {
+		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
+			continue
+		}
 		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
 			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
 		}
 		for j := range frameworks[i].Controls {
 			compatibleRules := []reporthandling.PolicyRule{}
 			for r := range frameworks[i].Controls[j].Rules {
-				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
+				if excludedRules != nil {
+					ruleName := frameworks[i].Controls[j].Rules[r].Name
+					if _, exclude := excludedRules[ruleName]; exclude {
+						continue
+					}
+				}
+
+				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
 					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
 				}
 			}
 			if len(compatibleRules) > 0 {
 				frameworks[i].Controls[j].Rules = compatibleRules
 				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+			} else { // if the control type is manual review, add it to the list of controls
+				actionRequiredStr := frameworks[i].Controls[j].GetActionRequiredAttribute()
+				if actionRequiredStr == "" {
+					continue
+				}
+				if actionRequiredStr == string(apis.SubStatusManualReview) {
+					policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+				}
 			}
+
 		}
 
 	}
@@ -66,3 +87,81 @@ func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version
 	}
 	return true
 }
+
+func getCloudProvider(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
+	if cloudsupport.IsAKS() {
+		return reporthandling.ScopeCloudAKS
+	}
+	if cloudsupport.IsEKS() {
+		return reporthandling.ScopeCloudEKS
+	}
+	if cloudsupport.IsGKE() {
+		return reporthandling.ScopeCloudGKE
+	}
+	return ""
+}
+
+func GetScanningScope(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
+
+	switch scanInfo.GetScanningContext() {
+	case ContextCluster:
+		if cloudProvider := getCloudProvider(scanInfo); cloudProvider != "" {
+			return cloudProvider
+		}
+		return reporthandling.ScopeCluster
+	default:
+		return reporthandling.ScopeFile
+	}
+}
+
+func isScanningScopeMatchToControlScope(scanScope reporthandling.ScanningScopeType, controlScope reporthandling.ScanningScopeType) bool {
+
+	switch controlScope {
+	case reporthandling.ScopeFile:
+		return reporthandling.ScopeFile == scanScope
+	case reporthandling.ScopeCluster:
+		return reporthandling.ScopeCluster == scanScope || reporthandling.ScopeCloud == scanScope || reporthandling.ScopeCloudAKS == scanScope || reporthandling.ScopeCloudEKS == scanScope || reporthandling.ScopeCloudGKE == scanScope
+	case reporthandling.ScopeCloud:
+		return reporthandling.ScopeCloud == scanScope || reporthandling.ScopeCloudAKS == scanScope || reporthandling.ScopeCloudEKS == scanScope || reporthandling.ScopeCloudGKE == scanScope
+	case reporthandling.ScopeCloudAKS:
+		return reporthandling.ScopeCloudAKS == scanScope
+	case reporthandling.ScopeCloudEKS:
+		return reporthandling.ScopeCloudEKS == scanScope
+	case reporthandling.ScopeCloudGKE:
+		return reporthandling.ScopeCloudGKE == scanScope
+	default:
+		return true
+	}
+}
+
+func isControlFitToScanScope(control reporthandling.Control, scanScopeMatches reporthandling.ScanningScopeType) bool {
+	// for backward compatibility - case: kubescape with scope(new one) and regolibrary without scope(old one)
+	if control.ScanningScope == nil {
+		return true
+	}
+	if len(control.ScanningScope.Matches) == 0 {
+		return true
+	}
+	for i := range control.ScanningScope.Matches {
+		if isScanningScopeMatchToControlScope(scanScopeMatches, control.ScanningScope.Matches[i]) {
+			return true
+		}
+	}
+	return false
+}
+
+func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatches reporthandling.ScanningScopeType) bool {
+	// for backward compatibility - case: kubescape with scope(new one) and regolibrary without scope(old one)
+	if framework.ScanningScope == nil {
+		return true
+	}
+	if len(framework.ScanningScope.Matches) == 0 {
+		return true
+	}
+	for i := range framework.ScanningScope.Matches {
+		if isScanningScopeMatchToControlScope(scanScopeMatches, framework.ScanningScope.Matches[i]) {
+			return true
+		}
+	}
+	return false
+}

core/cautils/datastructuresmethods_test.go

@@ -0,0 +1,334 @@
+package cautils
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsControlFitToScanScope(t *testing.T) {
+	tests := []struct {
+		scanInfo     *ScanInfo
+		Control      reporthandling.Control
+		expected_res bool
+	}{
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeFile,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCluster,
+						reporthandling.ScopeFile,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCluster,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloudGKE,
+					},
+				},
+			},
+			expected_res: false,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloudEKS,
+					},
+				},
+			},
+			expected_res: false,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloud,
+					},
+				},
+			},
+			expected_res: false,
+		}}
+	for i := range tests {
+		assert.Equal(t, tests[i].expected_res, isControlFitToScanScope(tests[i].Control, GetScanningScope(tests[i].scanInfo)), fmt.Sprintf("tests_true index %d", i))
+	}
+}
+
+func TestIsScanningScopeMatchToControlScope(t *testing.T) {
+	tests := []struct {
+		scanScope    reporthandling.ScanningScopeType
+		controlScope reporthandling.ScanningScopeType
+		expected     bool
+	}{
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeFile,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: ScopeCluster,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+	}
+
+	for _, test := range tests {
+		result := isScanningScopeMatchToControlScope(test.scanScope, test.controlScope)
+		assert.Equal(t, test.expected, result, fmt.Sprintf("scanScope: %v, controlScope: %v", test.scanScope, test.controlScope))
+	}
+}
+
+func TestIsFrameworkFitToScanScope(t *testing.T) {
+	tests := []struct {
+		name           string
+		framework      reporthandling.Framework
+		scanScopeMatch reporthandling.ScanningScopeType
+		want           bool
+	}{
+		{
+			name: "Framework with nil ScanningScope should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with empty ScanningScope.Matches should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with matching ScanningScope.Matches should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{reporthandling.ScopeFile},
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with non-matching ScanningScope.Matches should return false",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{reporthandling.ScopeCluster},
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isFrameworkFitToScanScope(tt.framework, tt.scanScopeMatch); got != tt.want {
+				t.Errorf("isFrameworkFitToScanScope() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

core/cautils/display.go

@@ -1,26 +1,62 @@
 package cautils
 
 import (
+	"fmt"
+	"io"
 	"os"
 	"time"
 
 	spinnerpkg "github.com/briandowns/spinner"
-	"github.com/fatih/color"
+	"github.com/jwalton/gchalk"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
+	"github.com/schollz/progressbar/v3"
 )
 
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
-var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New().FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
+func FailureDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightRed().Bold(format), a...)
+}
+
+func WarningDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightYellow().Bold(format), a...)
+}
+
+func FailureTextDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightRed().Dim(format), a...)
+}
+
+func InfoDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithCyan().Bold(format), a...)
+}
+
+func InfoTextDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightYellow().Bold(format), a...)
+}
+
+func SimpleDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.White(format), a...)
+}
+
+func SuccessDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBlue().Bold(format), a...)
+}
+
+func DescriptionDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithWhite().Dim(format), a...)
+}
+
+func BoldDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.Bold(format), a...)
+}
 
 var spinner *spinnerpkg.Spinner
 
 func StartSpinner() {
+	if helpers.ToLevel(logger.L().GetLevel()) >= helpers.WarningLevel {
+		return
+	}
+
 	if spinner != nil {
 		if !spinner.Active() {
 			spinner.Start()
@@ -39,3 +75,28 @@ func StopSpinner() {
 	}
 	spinner.Stop()
 }
+
+type ProgressHandler struct {
+	pb    *progressbar.ProgressBar
+	title string
+}
+
+func NewProgressHandler(title string) *ProgressHandler {
+	return &ProgressHandler{title: title}
+}
+
+func (p *ProgressHandler) Start(allSteps int) {
+	if !isatty.IsTerminal(os.Stderr.Fd()) || helpers.ToLevel(logger.L().GetLevel()) >= helpers.WarningLevel {
+		p.pb = progressbar.DefaultSilent(int64(allSteps), p.title)
+		return
+	}
+	p.pb = progressbar.Default(int64(allSteps), p.title)
+}
+
+func (p *ProgressHandler) ProgressJob(step int, message string) {
+	p.pb.Add(step)
+	p.pb.Describe(message)
+}
+
+func (p *ProgressHandler) Stop() {
+}

core/cautils/display_test.go

@@ -0,0 +1,32 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/kubescape/go-logger"
+)
+
+func TestStartSpinner(t *testing.T) {
+	tests := []struct {
+		name        string
+		loggerLevel string
+		enabled     bool
+	}{
+		{
+			name:        "TestStartSpinner - disabled",
+			loggerLevel: "warning",
+			enabled:     false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger.L().SetLevel(tt.loggerLevel)
+			StartSpinner()
+			if !tt.enabled {
+				if spinner != nil {
+					t.Errorf("spinner should be nil")
+				}
+			}
+		})
+	}
+}

core/cautils/environments.go

@@ -1,7 +0,0 @@
-package cautils
-
-// Kubescape Cloud environment vars
-var (
-	CustomerGUID = ""
-	ClusterName  = ""
-)

core/cautils/fileutils.go

@@ -2,6 +2,7 @@ package cautils
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -10,6 +11,7 @@ import (
 
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
+	"golang.org/x/exp/slices"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
@@ -30,8 +32,13 @@ const (
 	JSON_FILE_FORMAT FileFormat = "json"
 )
 
+type Chart struct {
+	Name string
+	Path string
+}
+
 // LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
-func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
+func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, map[string]Chart) {
 	directories, _ := listDirs(basePath)
 	helmDirectories := make([]string, 0)
 	for _, dir := range directories {
@@ -41,29 +48,32 @@ func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterfac
 	}
 
 	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
-	sourceToChartName := map[string]string{}
+	sourceToChart := make(map[string]Chart, 0)
 	for _, helmDir := range helmDirectories {
 		chart, err := NewHelmChart(helmDir)
 		if err == nil {
 			wls, errs := chart.GetWorkloadsWithDefaultValues()
 			if len(errs) > 0 {
-				logger.L().Error(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
+				logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
 
 			chartName := chart.GetName()
 			for k, v := range wls {
 				sourceToWorkloads[k] = v
-				sourceToChartName[k] = chartName
+				sourceToChart[k] = Chart{
+					Name: chartName,
+					Path: helmDir,
+				}
 			}
 		}
 	}
-	return sourceToWorkloads, sourceToChartName
+	return sourceToWorkloads, sourceToChart
 }
 
 // If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
 // generate yaml files using "Kustomize" & renders a map of workloads from those yaml files
-func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workloadinterface.IMetadata, string) {
+func LoadResourcesFromKustomizeDirectory(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, string) {
 	isKustomizeDirectory := IsKustomizeDirectory(basePath)
 	isKustomizeFile := IsKustomizeFile(basePath)
 	if ok := isKustomizeDirectory || isKustomizeFile; !ok {
@@ -87,7 +97,7 @@ func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workload
 	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
 
 	if len(errs) > 0 {
-		logger.L().Error(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
 	}
 
 	for k, v := range wls {
@@ -96,18 +106,19 @@ func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workload
 	return sourceToWorkloads, kustomizeDirectoryName
 }
 
-func LoadResourcesFromFiles(input, rootPath string) map[string][]workloadinterface.IMetadata {
+func LoadResourcesFromFiles(ctx context.Context, input, rootPath string) map[string][]workloadinterface.IMetadata {
 	files, errs := listFiles(input)
 	if len(errs) > 0 {
-		logger.L().Error(fmt.Sprintf("%v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("%v", errs))
 	}
 	if len(files) == 0 {
+		logger.L().Ctx(ctx).Error("no files found to scan", helpers.String("input", input))
 		return nil
 	}
 
 	workloads, errs := loadFiles(rootPath, files)
 	if len(errs) > 0 {
-		logger.L().Error(fmt.Sprintf("%v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("%v", errs))
 	}
 
 	return workloads
@@ -282,11 +293,11 @@ func convertYamlToJson(i interface{}) interface{} {
 }
 
 func IsYaml(filePath string) bool {
-	return StringInSlice(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+	return slices.Contains(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", ""))
 }
 
 func IsJson(filePath string) bool {
-	return StringInSlice(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+	return slices.Contains(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", ""))
 }
 
 func glob(root, pattern string, onlyDirectories bool) ([]string, error) {

core/cautils/fileutils_test.go

@@ -1,6 +1,7 @@
 package cautils
 
 import (
+	"context"
 	"os"
 	"path/filepath"
 	"strings"
@@ -30,7 +31,7 @@ func TestListFiles(t *testing.T) {
 }
 
 func TestLoadResourcesFromFiles(t *testing.T) {
-	workloads := LoadResourcesFromFiles(onlineBoutiquePath(), "")
+	workloads := LoadResourcesFromFiles(context.TODO(), onlineBoutiquePath(), "")
 	assert.Equal(t, 12, len(workloads))
 
 	for i, w := range workloads {
@@ -44,7 +45,7 @@ func TestLoadResourcesFromFiles(t *testing.T) {
 }
 
 func TestLoadResourcesFromHelmCharts(t *testing.T) {
-	sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(helmChartPath())
+	sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(context.TODO(), helmChartPath())
 	assert.Equal(t, 6, len(sourceToWorkloads))
 
 	for file, workloads := range sourceToWorkloads {
@@ -52,7 +53,8 @@ func TestLoadResourcesFromHelmCharts(t *testing.T) {
 
 		w := workloads[0]
 		assert.True(t, localworkload.IsTypeLocalWorkload(w.GetObject()), "Expected localworkload as object type")
-		assert.Equal(t, "kubescape", sourceToChartName[file])
+		assert.Equal(t, "kubescape", sourceToChartName[file].Name)
+		assert.Equal(t, helmChartPath(), sourceToChartName[file].Path)
 
 		switch filepath.Base(file) {
 		case "serviceaccount.yaml":

core/cautils/getter/datastructures.go

@@ -1,24 +1,4 @@
 package getter
 
-type FeLoginData struct {
-	Secret   string `json:"secret"`
-	ClientId string `json:"clientId"`
-}
-
-type FeLoginResponse struct {
-	Token        string `json:"accessToken"`
-	RefreshToken string `json:"refreshToken"`
-	Expires      string `json:"expires"`
-	ExpiresIn    int32  `json:"expiresIn"`
-}
-
-type KSCloudSelectCustomer struct {
-	SelectedCustomerGuid string `json:"selectedCustomer"`
-}
-
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
-}
+// NativeFrameworks identifies all pre-built, native frameworks.
+var NativeFrameworks = []string{"allcontrols", "nsa", "mitre"}

core/cautils/getter/doc.go

@@ -0,0 +1,8 @@
+// Package getter provides functionality to retrieve policy objects.
+//
+// It comes with 3 implementations:
+//
+// * KSCloudAPI is a client for the KS Cloud SaaS API
+// * LoadPolicy exposes policy objects stored in a local repository
+// * DownloadReleasedPolicy downloads policy objects from the policy library released on github: https://github.com/kubescape/regolibrary
+package getter

core/cautils/getter/downloadreleasedpolicy.go

@@ -1,17 +1,26 @@
 package getter
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/gitregostore"
+
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+
+	"github.com/kubescape/regolibrary/gitregostore"
 )
 
 // =======================================================================================================================
 // ======================================== DownloadReleasedPolicy =======================================================
 // =======================================================================================================================
+var (
+	_ IPolicyGetter         = &DownloadReleasedPolicy{}
+	_ IExceptionsGetter     = &DownloadReleasedPolicy{}
+	_ IAttackTracksGetter   = &DownloadReleasedPolicy{}
+	_ IControlsInputsGetter = &DownloadReleasedPolicy{}
+)
 
 // Use gitregostore to get policies from github release
 type DownloadReleasedPolicy struct {
@@ -24,11 +33,11 @@ func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	}
 }
 
-func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
+func (drp *DownloadReleasedPolicy) GetControl(ID string) (*reporthandling.Control, error) {
 	var control *reporthandling.Control
 	var err error
 
-	control, err = drp.gs.GetOPAControl(policyName)
+	control, err = drp.gs.GetOPAControlByID(ID)
 	if err != nil {
 		return nil, err
 	}
@@ -55,13 +64,29 @@ func (drp *DownloadReleasedPolicy) ListFrameworks() ([]string, error) {
 	return drp.gs.GetOPAFrameworksNamesList()
 }
 
-func (drp *DownloadReleasedPolicy) ListControls(listType ListType) ([]string, error) {
-	switch listType {
-	case ListID:
-		return drp.gs.GetOPAControlsIDsList()
-	default:
-		return drp.gs.GetOPAControlsNamesList()
+func (drp *DownloadReleasedPolicy) ListControls() ([]string, error) {
+	controlsIDsList, err := drp.gs.GetOPAControlsIDsList()
+	if err != nil {
+		return []string{}, err
 	}
+	controlsNamesList, err := drp.gs.GetOPAControlsNamesList()
+	if err != nil {
+		return []string{}, err
+	}
+	controls, err := drp.gs.GetOPAControls()
+	if err != nil {
+		return []string{}, err
+	}
+	var controlsFrameworksList [][]string
+	for _, control := range controls {
+		controlsFrameworksList = append(controlsFrameworksList, drp.gs.GetOpaFrameworkListByControlID(control.ControlID))
+	}
+	controlsNamesWithIDsandFrameworksList := make([]string, len(controlsIDsList))
+	// by design all slices have the same lengt
+	for i := range controlsIDsList {
+		controlsNamesWithIDsandFrameworksList[i] = fmt.Sprintf("%v|%v|%v", controlsIDsList[i], controlsNamesList[i], strings.Join(controlsFrameworksList[i], ", "))
+	}
+	return controlsNamesWithIDsandFrameworksList, nil
 }
 
 func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
@@ -88,19 +113,6 @@ func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
 	return drp.gs.SetRegoObjects()
 }
 
-func isNativeFramework(framework string) bool {
-	return contains(NativeFrameworks, framework)
-}
-
-func contains(s []string, str string) bool {
-	for _, v := range s {
-		if strings.EqualFold(v, str) {
-			return true
-		}
-	}
-	return false
-}
-
 func (drp *DownloadReleasedPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions, err := drp.gs.GetSystemPostureExceptionPolicies()
 	if err != nil {

core/cautils/getter/downloadreleasedpolicy_test.go

@@ -0,0 +1,172 @@
+package getter
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	jsoniter "github.com/json-iterator/go"
+	"github.com/kubescape/kubescape/v2/internal/testutils"
+	"github.com/stretchr/testify/require"
+)
+
+func min(a, b int64) int64 {
+	if a < b {
+		return a
+	}
+
+	return b
+}
+
+func TestReleasedPolicy(t *testing.T) {
+	t.Parallel()
+
+	p := NewDownloadReleasedPolicy()
+
+	t.Run("should initialize objects", func(t *testing.T) {
+		t.Parallel()
+
+		// acquire from github or from local fixture
+		hydrateReleasedPolicyFromMock(t, p)
+
+		require.NoError(t, p.SetRegoObjects())
+
+		t.Run("with ListControls", func(t *testing.T) {
+			t.Parallel()
+
+			controlIDs, err := p.ListControls()
+			require.NoError(t, err)
+			require.NotEmpty(t, controlIDs)
+
+			sampleSize := int(min(int64(len(controlIDs)), 10))
+
+			for _, toPin := range controlIDs[:sampleSize] {
+				// Example of a returned "ID": `C-0154|Ensure_that_the_--client-cert-auth_argument_is_set_to_true|`
+				controlString := toPin
+				parts := strings.Split(controlString, "|")
+				controlID := parts[0]
+
+				t.Run(fmt.Sprintf("with GetControl(%q)", controlID), func(t *testing.T) {
+					t.Parallel()
+
+					ctrl, err := p.GetControl(controlID)
+					require.NoError(t, err)
+					require.NotEmpty(t, ctrl)
+					require.Equal(t, controlID, ctrl.ControlID)
+				})
+			}
+
+			t.Run("with unknown GetControl()", func(t *testing.T) {
+				t.Parallel()
+
+				ctrl, err := p.GetControl("zork")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+		})
+
+		t.Run("with GetFrameworks", func(t *testing.T) {
+			t.Parallel()
+
+			frameworks, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.NotEmpty(t, frameworks)
+
+			for _, toPin := range frameworks {
+				framework := toPin
+				require.NotEmpty(t, framework)
+				require.NotEmpty(t, framework.Name)
+
+				t.Run(fmt.Sprintf("with GetFramework(%q)", framework.Name), func(t *testing.T) {
+					t.Parallel()
+
+					fw, err := p.GetFramework(framework.Name)
+					require.NoError(t, err)
+					require.NotNil(t, fw)
+
+					require.EqualValues(t, framework, *fw)
+				})
+			}
+
+			t.Run("with unknown GetFramework()", func(t *testing.T) {
+				t.Parallel()
+
+				ctrl, err := p.GetFramework("zork")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+
+			t.Run("with ListFrameworks", func(t *testing.T) {
+				t.Parallel()
+
+				frameworkIDs, err := p.ListFrameworks()
+				require.NoError(t, err)
+				require.NotEmpty(t, frameworkIDs)
+
+				require.Len(t, frameworkIDs, len(frameworks))
+			})
+
+		})
+
+		t.Run("with GetControlsInput", func(t *testing.T) {
+			t.Parallel()
+
+			controlInputs, err := p.GetControlsInputs("") // NOTE: cluster name currently unused
+			require.NoError(t, err)
+			require.NotEmpty(t, controlInputs)
+		})
+
+		t.Run("with GetAttackTracks", func(t *testing.T) {
+			t.Parallel()
+
+			attackTracks, err := p.GetAttackTracks()
+			require.NoError(t, err)
+			require.NotEmpty(t, attackTracks)
+		})
+
+		t.Run("with GetExceptions", func(t *testing.T) {
+			t.Parallel()
+
+			exceptions, err := p.GetExceptions("") // NOTE: cluster name currently unused
+			require.NoError(t, err)
+			require.NotEmpty(t, exceptions)
+		})
+	})
+}
+
+func hydrateReleasedPolicyFromMock(t testing.TB, p *DownloadReleasedPolicy) {
+	regoFile := testRegoFile("policy")
+
+	if _, err := os.Stat(regoFile); errors.Is(err, fs.ErrNotExist) {
+		// retrieve fixture from latest released policy from github.
+		//
+		// NOTE: to update the mock, just delete the testdata/policy.json file and run the tests again.
+		t.Logf("updating fixture file %q from github", regoFile)
+
+		require.NoError(t, p.SetRegoObjects())
+		require.NotNil(t, p.gs)
+
+		require.NoError(t,
+			SaveInFile(p.gs, regoFile),
+		)
+
+		return
+	}
+
+	// we have a mock fixture: load this rather than calling github
+	t.Logf("populating rego policy from fixture file %q", regoFile)
+	buf, err := os.ReadFile(regoFile)
+	require.NoError(t, err)
+
+	require.NoError(t,
+		jsoniter.Unmarshal(buf, p.gs),
+	)
+}
+
+func testRegoFile(framework string) string {
+	return filepath.Join(testutils.CurrentDir(), "testdata", fmt.Sprintf("%s.json", framework))
+}

core/cautils/getter/gcpcloudapi.go

@@ -1,42 +0,0 @@
-package getter
-
-import (
-	"context"
-	"os"
-
-	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
-)
-
-type GCPCloudAPI struct {
-	credentialsPath  string
-	context          context.Context
-	client           *containeranalysis.Client
-	projectID        string
-	credentialsCheck bool
-}
-
-func GetGlobalGCPCloudAPIConnector() *GCPCloudAPI {
-
-	if os.Getenv("KS_GCP_CREDENTIALS_PATH") == "" || os.Getenv("KS_GCP_PROJECT_ID") == "" {
-		return &GCPCloudAPI{
-			credentialsCheck: false,
-		}
-	} else {
-		return &GCPCloudAPI{
-			context:          context.Background(),
-			credentialsPath:  os.Getenv("KS_GCP_CREDENTIALS_PATH"),
-			projectID:        os.Getenv("KS_GCP_PROJECT_ID"),
-			credentialsCheck: true,
-		}
-	}
-}
-
-func (api *GCPCloudAPI) SetClient(client *containeranalysis.Client) {
-	api.client = client
-}
-
-func (api *GCPCloudAPI) GetCredentialsPath() string           { return api.credentialsPath }
-func (api *GCPCloudAPI) GetClient() *containeranalysis.Client { return api.client }
-func (api *GCPCloudAPI) GetProjectID() string                 { return api.projectID }
-func (api *GCPCloudAPI) GetCredentialsCheck() bool            { return api.credentialsCheck }
-func (api *GCPCloudAPI) GetContext() context.Context          { return api.context }

core/cautils/getter/getpolicies.go

@@ -1,53 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-)
-
-// supported listing
-type ListType string
-
-const ListID ListType = "id"
-const ListName ListType = "name"
-
-type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-	GetFrameworks() ([]reporthandling.Framework, error)
-	GetControl(name string) (*reporthandling.Control, error)
-
-	ListFrameworks() ([]string, error)
-	ListControls(ListType) ([]string, error)
-}
-
-type IExceptionsGetter interface {
-	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
-}
-type IBackend interface {
-	GetAccountID() string
-	GetClientID() string
-	GetSecretKey() string
-	GetCloudReportURL() string
-	GetCloudAPIURL() string
-	GetCloudUIURL() string
-	GetCloudAuthURL() string
-
-	SetAccountID(accountID string)
-	SetClientID(clientID string)
-	SetSecretKey(secretKey string)
-	SetCloudReportURL(cloudReportURL string)
-	SetCloudAPIURL(cloudAPIURL string)
-	SetCloudUIURL(cloudUIURL string)
-	SetCloudAuthURL(cloudAuthURL string)
-
-	GetTenant() (*TenantResponse, error)
-}
-
-type IControlsInputsGetter interface {
-	GetControlsInputs(clusterName string) (map[string][]string, error)
-}
-
-type IAttackTracksGetter interface {
-	GetAttackTracks() ([]v1alpha1.AttackTrack, error)
-}

core/cautils/getter/getpoliciesutils.go

@@ -2,37 +2,40 @@ package getter
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 )
 
+// GetDefaultPath returns a location under the local dot files for kubescape.
+//
+// This is typically located under $HOME/.kubescape
 func GetDefaultPath(name string) string {
 	return filepath.Join(DefaultLocalStore, name)
 }
 
-func SaveInFile(policy interface{}, pathStr string) error {
-	encodedData, err := json.MarshalIndent(policy, "", "  ")
+// SaveInFile serializes any object as a JSON file.
+func SaveInFile(object interface{}, targetFile string) error {
+	encodedData, err := json.MarshalIndent(object, "", "  ")
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
+	err = os.WriteFile(targetFile, encodedData, 0644) //nolint:gosec
 	if err != nil {
 		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
+			pathDir := filepath.Dir(targetFile)
+			// pathDir could contain subdirectories
+			if erm := os.MkdirAll(pathDir, 0755); erm != nil {
+				return erm
 			}
 		} else {
 			return err
 
 		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
+		err = os.WriteFile(targetFile, encodedData, 0644) //nolint:gosec
 		if err != nil {
 			return err
 		}
@@ -40,13 +43,9 @@ func SaveInFile(policy interface{}, pathStr string) error {
 	return nil
 }
 
-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *json.Decoder {
-	dec := json.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-	return dec
-}
-
+// HttpDelete provides a low-level capability to send a HTTP DELETE request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
 func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
 
 	req, err := http.NewRequest("DELETE", fullURL, nil)
@@ -65,8 +64,11 @@ func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]stri
 	}
 	return respStr, nil
 }
-func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
 
+// HttpGetter provides a low-level capability to send a HTTP GET request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
+func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
 	req, err := http.NewRequest("GET", fullURL, nil)
 	if err != nil {
 		return "", err
@@ -84,8 +86,10 @@ func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]stri
 	return respStr, nil
 }
 
+// HttpPost provides a low-level capability to send a HTTP POST request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
 func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
-
 	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
 	if err != nil {
 		return "", err
@@ -110,7 +114,7 @@ func setHeaders(req *http.Request, headers map[string]string) {
 	}
 }
 
-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
+// httpRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
 func httpRespToString(resp *http.Response) (string, error) {
 	if resp == nil || resp.Body == nil {
 		return "", nil
@@ -120,6 +124,7 @@ func httpRespToString(resp *http.Response) (string, error) {
 	if resp.ContentLength > 0 {
 		strBuilder.Grow(int(resp.ContentLength))
 	}
+
 	_, err := io.Copy(&strBuilder, resp.Body)
 	respStr := strBuilder.String()
 	if err != nil {

core/cautils/getter/getpoliciesutils_test.go

@@ -0,0 +1,98 @@
+package getter
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+
+	beClient "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetDefaultPath(t *testing.T) {
+	t.Parallel()
+
+	const name = "mine"
+
+	pth := GetDefaultPath(name)
+	require.Equal(t, name, filepath.Base(pth))
+	require.Equal(t, ".kubescape", filepath.Base(filepath.Dir(pth)))
+}
+
+func TestSaveInFile(t *testing.T) {
+	t.Parallel()
+
+	dir, err := os.MkdirTemp(".", "test")
+	require.NoError(t, err)
+	defer func() {
+		_ = os.RemoveAll(dir)
+	}()
+
+	policy := map[string]interface{}{
+		"key":    "value",
+		"number": 1.00,
+	}
+
+	t.Run("should save data as JSON (target folder exists)", func(t *testing.T) {
+		target := filepath.Join(dir, "target.json")
+		require.NoError(t, SaveInFile(policy, target))
+
+		buf, err := os.ReadFile(target)
+		require.NoError(t, err)
+		var retrieved interface{}
+		require.NoError(t, json.Unmarshal(buf, &retrieved))
+
+		require.EqualValues(t, policy, retrieved)
+	})
+
+	t.Run("should save data as JSON (new target folder)", func(t *testing.T) {
+		target := filepath.Join(dir, "subdir", "target.json")
+		require.NoError(t, SaveInFile(policy, target))
+
+		buf, err := os.ReadFile(target)
+		require.NoError(t, err)
+		var retrieved interface{}
+		require.NoError(t, json.Unmarshal(buf, &retrieved))
+
+		require.EqualValues(t, policy, retrieved)
+	})
+
+	t.Run("should error", func(t *testing.T) {
+		badPolicy := map[string]interface{}{
+			"key":    "value",
+			"number": 1.00,
+			"err":    func() {},
+		}
+		target := filepath.Join(dir, "error.json")
+		require.Error(t, SaveInFile(badPolicy, target))
+	})
+}
+
+func TestHttpMethods(t *testing.T) {
+	client := http.DefaultClient
+	hdrs := map[string]string{"key": "value"}
+
+	srv := beClient.MockAPIServer(t)
+	t.Cleanup(srv.Close)
+
+	t.Run("HttpGetter should GET", func(t *testing.T) {
+		resp, err := HttpGetter(client, srv.URL(pathTestGet), hdrs)
+		require.NoError(t, err)
+		require.EqualValues(t, "body-get", resp)
+	})
+
+	t.Run("HttpPost should POST", func(t *testing.T) {
+		body := []byte("body-post")
+
+		resp, err := HttpPost(client, srv.URL(pathTestPost), hdrs, body)
+		require.NoError(t, err)
+		require.EqualValues(t, string(body), resp)
+	})
+
+	t.Run("HttpDelete should DELETE", func(t *testing.T) {
+		resp, err := HttpDelete(client, srv.URL(pathTestDelete), hdrs)
+		require.NoError(t, err)
+		require.EqualValues(t, "body-delete", resp)
+	})
+}

core/cautils/getter/interfaces.go

@@ -0,0 +1,34 @@
+package getter
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+type (
+	// IPolicyGetter knows how to retrieve policies, i.e. frameworks and their controls.
+	IPolicyGetter interface {
+		GetFramework(name string) (*reporthandling.Framework, error)
+		GetFrameworks() ([]reporthandling.Framework, error)
+		GetControl(ID string) (*reporthandling.Control, error)
+
+		ListFrameworks() ([]string, error)
+		ListControls() ([]string, error)
+	}
+
+	// IExceptionsGetter knows how to retrieve exceptions.
+	IExceptionsGetter interface {
+		GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+	}
+
+	// IControlsInputsGetter knows how to retrieve controls inputs.
+	IControlsInputsGetter interface {
+		GetControlsInputs(clusterName string) (map[string][]string, error)
+	}
+
+	// IAttackTracksGetter knows how to retrieve attack tracks.
+	IAttackTracksGetter interface {
+		GetAttackTracks() ([]v1alpha1.AttackTrack, error)
+	}
+)

core/cautils/getter/json.go

@@ -0,0 +1,38 @@
+package getter
+
+import (
+	"io"
+	"strings"
+
+	jsoniter "github.com/json-iterator/go"
+)
+
+var json jsoniter.API
+
+func init() {
+	// NOTE(fredbi): attention, this configuration rounds floats down to 6 digits
+	// For finer-grained config, see: https://pkg.go.dev/github.com/json-iterator/go#section-readme
+	json = jsoniter.ConfigFastest
+}
+
+// JSONDecoder provides a low-level utility that returns a JSON decoder for given string.
+//
+// Deprecated: use higher level methods from the KSCloudAPI client instead.
+func JSONDecoder(origin string) *jsoniter.Decoder {
+	dec := jsoniter.NewDecoder(strings.NewReader(origin))
+	dec.UseNumber()
+
+	return dec
+}
+
+func decode[T any](rdr io.Reader) (T, error) {
+	var receiver T
+	dec := newDecoder(rdr)
+	err := dec.Decode(&receiver)
+
+	return receiver, err
+}
+
+func newDecoder(rdr io.Reader) *jsoniter.Decoder {
+	return json.NewDecoder(rdr)
+}

core/cautils/getter/json_test.go

@@ -0,0 +1,32 @@
+package getter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestJSONDecoder(t *testing.T) {
+	t.Run("should decode json string", func(t *testing.T) {
+		const input = `"xyz"`
+		d := JSONDecoder(input)
+		var receiver string
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, "xyz", receiver)
+	})
+
+	t.Run("should decode json number", func(t *testing.T) {
+		const input = `123.01`
+		d := JSONDecoder(input)
+		var receiver float64
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, 123.01, receiver)
+	})
+
+	t.Run("requires json quotes", func(t *testing.T) {
+		const input = `xyz`
+		d := JSONDecoder(input)
+		var receiver string
+		require.Error(t, d.Decode(&receiver))
+	})
+}

core/cautils/getter/kscloudapi.go

@@ -1,380 +1,49 @@
 package getter
 
 import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 )
 
 var (
-	ksCloudERURL   = "report.armo.cloud"
-	ksCloudBEURL   = "api.armosec.io"
-	ksCloudFEURL   = "cloud.armosec.io"
-	ksCloudAUTHURL = "auth.armosec.io"
+	// globalKSCloudAPIConnector is a static global instance of the KS Cloud client,
+	// to be initialized with SetKSCloudAPIConnector.
+	globalKSCloudAPIConnector *v1.KSCloudAPI
 
-	ksCloudStageERURL   = "report-ks.eustage2.cyberarmorsoft.com"
-	ksCloudStageBEURL   = "api-stage.armosec.io"
-	ksCloudStageFEURL   = "armoui-stage.armosec.io"
-	ksCloudStageAUTHURL = "eggauth-stage.armosec.io"
-
-	ksCloudDevERURL   = "report.eudev3.cyberarmorsoft.com"
-	ksCloudDevBEURL   = "api-dev.armosec.io"
-	ksCloudDevFEURL   = "cloud-dev.armosec.io"
-	ksCloudDevAUTHURL = "eggauth-dev.armosec.io"
+	_ IPolicyGetter         = &v1.KSCloudAPI{}
+	_ IExceptionsGetter     = &v1.KSCloudAPI{}
+	_ IAttackTracksGetter   = &v1.KSCloudAPI{}
+	_ IControlsInputsGetter = &v1.KSCloudAPI{}
 )
 
-// KSCloudAPI allows accessing the API of the Kubescape Cloud offering
-type KSCloudAPI struct {
-	httpClient     *http.Client
-	cloudAPIURL    string
-	cloudAuthURL   string
-	cloudReportURL string
-	cloudUIURL     string
-	accountID      string
-	clientID       string
-	secretKey      string
-	authCookie     string
-	feToken        FeLoginResponse
-	loggedIn       bool
-}
-
-var globalKSCloudAPIConnector *KSCloudAPI
-
-func SetKSCloudAPIConnector(ksCloudAPI *KSCloudAPI) {
+// SetKSCloudAPIConnector registers a global instance of the KS Cloud client.
+//
+// NOTE: cannot be used concurrently.
+func SetKSCloudAPIConnector(ksCloudAPI *v1.KSCloudAPI) {
+	if ksCloudAPI != nil {
+		logger.L().Debug("setting global KS Cloud API connector",
+			helpers.String("accountID", ksCloudAPI.GetAccountID()),
+			helpers.String("cloudAPIURL", ksCloudAPI.GetCloudAPIURL()),
+			helpers.String("cloudReportURL", ksCloudAPI.GetCloudReportURL()))
+	} else {
+		logger.L().Debug("setting global KS Cloud API connector (nil)")
+	}
 	globalKSCloudAPIConnector = ksCloudAPI
 }
 
-func GetKSCloudAPIConnector() *KSCloudAPI {
+// GetKSCloudAPIConnector returns a shallow clone of the KS Cloud client registered for this package.
+//
+// NOTE: cannot be used concurrently with SetKSCloudAPIConnector.
+func GetKSCloudAPIConnector() *v1.KSCloudAPI {
 	if globalKSCloudAPIConnector == nil {
-		SetKSCloudAPIConnector(NewKSCloudAPIProd())
+		SetKSCloudAPIConnector(v1.NewEmptyKSCloudAPI())
 	}
-	return globalKSCloudAPIConnector
-}
-
-func NewKSCloudAPIDev() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudDevBEURL
-	apiObj.cloudAuthURL = ksCloudDevAUTHURL
-	apiObj.cloudReportURL = ksCloudDevERURL
-	apiObj.cloudUIURL = ksCloudDevFEURL
-
-	return apiObj
-}
-
-func NewKSCloudAPIProd() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudBEURL
-	apiObj.cloudReportURL = ksCloudERURL
-	apiObj.cloudUIURL = ksCloudFEURL
-	apiObj.cloudAuthURL = ksCloudAUTHURL
-
-	return apiObj
-}
-
-func NewKSCloudAPIStaging() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudStageBEURL
-	apiObj.cloudReportURL = ksCloudStageERURL
-	apiObj.cloudUIURL = ksCloudStageFEURL
-	apiObj.cloudAuthURL = ksCloudStageAUTHURL
-
-	return apiObj
-}
-
-func NewKSCloudAPICustomized(ksCloudERURL, ksCloudBEURL, ksCloudFEURL, ksCloudAUTHURL string) *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudReportURL = ksCloudERURL
-	apiObj.cloudAPIURL = ksCloudBEURL
-	apiObj.cloudUIURL = ksCloudFEURL
-	apiObj.cloudAuthURL = ksCloudAUTHURL
-
-	return apiObj
-}
-
-func newKSCloudAPI() *KSCloudAPI {
-	return &KSCloudAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
-		loggedIn:   false,
-	}
-}
-
-func (api *KSCloudAPI) Post(fullURL string, headers map[string]string, body []byte) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpPost(api.httpClient, fullURL, headers, body)
-}
-
-func (api *KSCloudAPI) Delete(fullURL string, headers map[string]string) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpDelete(api.httpClient, fullURL, headers)
-}
-func (api *KSCloudAPI) Get(fullURL string, headers map[string]string) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpGetter(api.httpClient, fullURL, headers)
-}
-
-func (api *KSCloudAPI) GetAccountID() string      { return api.accountID }
-func (api *KSCloudAPI) IsLoggedIn() bool          { return api.loggedIn }
-func (api *KSCloudAPI) GetClientID() string       { return api.clientID }
-func (api *KSCloudAPI) GetSecretKey() string      { return api.secretKey }
-func (api *KSCloudAPI) GetCloudReportURL() string { return api.cloudReportURL }
-func (api *KSCloudAPI) GetCloudAPIURL() string    { return api.cloudAPIURL }
-func (api *KSCloudAPI) GetCloudUIURL() string     { return api.cloudUIURL }
-func (api *KSCloudAPI) GetCloudAuthURL() string   { return api.cloudAuthURL }
-
-func (api *KSCloudAPI) SetAccountID(accountID string)           { api.accountID = accountID }
-func (api *KSCloudAPI) SetClientID(clientID string)             { api.clientID = clientID }
-func (api *KSCloudAPI) SetSecretKey(secretKey string)           { api.secretKey = secretKey }
-func (api *KSCloudAPI) SetCloudReportURL(cloudReportURL string) { api.cloudReportURL = cloudReportURL }
-func (api *KSCloudAPI) SetCloudAPIURL(cloudAPIURL string)       { api.cloudAPIURL = cloudAPIURL }
-func (api *KSCloudAPI) SetCloudUIURL(cloudUIURL string)         { api.cloudUIURL = cloudUIURL }
-func (api *KSCloudAPI) SetCloudAuthURL(cloudAuthURL string)     { api.cloudAuthURL = cloudAuthURL }
-
-func (api *KSCloudAPI) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
-	respStr, err := api.Get(api.getAttackTracksURL(), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	attackTracks := []v1alpha1.AttackTrack{}
-	if err = JSONDecoder(respStr).Decode(&attackTracks); err != nil {
-		return nil, err
-	}
-
-	return attackTracks, err
-}
-
-func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := api.Get(api.getFrameworkURL(name), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return nil, err
-	}
-
-	return framework, err
-}
-
-func (api *KSCloudAPI) GetFrameworks() ([]reporthandling.Framework, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	frameworks := []reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(&frameworks); err != nil {
-		return nil, err
-	}
-
-	return frameworks, err
-}
-
-func (api *KSCloudAPI) GetControl(policyName string) (*reporthandling.Control, error) {
-	return nil, fmt.Errorf("control api is not public")
-}
-
-func (api *KSCloudAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	exceptions := []armotypes.PostureExceptionPolicy{}
-
-	respStr, err := api.Get(api.getExceptionsURL(clusterName), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
-		return nil, err
-	}
-
-	return exceptions, nil
-}
-
-func (api *KSCloudAPI) GetTenant() (*TenantResponse, error) {
-	url := api.getAccountURL()
-	if api.accountID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, api.accountID)
-	}
-	respStr, err := api.Get(url, nil)
-	if err != nil {
-		return nil, err
-	}
-	tenant := &TenantResponse{}
-	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
-		return nil, err
-	}
-	if tenant.TenantID != "" {
-		api.accountID = tenant.TenantID
-	}
-	return tenant, nil
-}
-
-// ControlsInputs  // map[<control name>][<input arguments>]
-func (api *KSCloudAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
-	accountConfig := &armotypes.CustomerConfig{}
-	if api.accountID == "" {
-		return accountConfig, nil
-	}
-	respStr, err := api.Get(api.getAccountConfig(clusterName), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
-		// try with default scope
-		respStr, err = api.Get(api.getAccountConfigDefault(clusterName), nil)
-		if err != nil {
-			return nil, err
-		}
-		if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
-			return nil, err
-		}
-	}
-
-	return accountConfig, nil
-}
-
-// ControlsInputs  // map[<control name>][<input arguments>]
-func (api *KSCloudAPI) GetControlsInputs(clusterName string) (map[string][]string, error) {
-	accountConfig, err := api.GetAccountConfig(clusterName)
-	if err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
-	}
-	return nil, err
-}
-
-func (api *KSCloudAPI) ListCustomFrameworks() ([]string, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if !isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
-func (api *KSCloudAPI) ListFrameworks() ([]string, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
-		} else {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
-func (api *KSCloudAPI) ListControls(l ListType) ([]string, error) {
-	return nil, fmt.Errorf("control api is not public")
-}
-
-func (api *KSCloudAPI) PostExceptions(exceptions []armotypes.PostureExceptionPolicy) error {
-
-	for i := range exceptions {
-		ex, err := json.Marshal(exceptions[i])
-		if err != nil {
-			return err
-		}
-		_, err = api.Post(api.exceptionsURL(""), map[string]string{"Content-Type": "application/json"}, ex)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (api *KSCloudAPI) DeleteException(exceptionName string) error {
-
-	_, err := api.Delete(api.exceptionsURL(exceptionName), nil)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-func (api *KSCloudAPI) Login() error {
-	if api.accountID == "" {
-		return fmt.Errorf("failed to login, missing accountID")
-	}
-	if api.clientID == "" {
-		return fmt.Errorf("failed to login, missing clientID")
-	}
-	if api.secretKey == "" {
-		return fmt.Errorf("failed to login, missing secretKey")
-	}
-
-	// init URLs
-	feLoginData := FeLoginData{ClientId: api.clientID, Secret: api.secretKey}
-	body, _ := json.Marshal(feLoginData)
-
-	resp, err := http.Post(api.getApiToken(), "application/json", bytes.NewBuffer(body))
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("error authenticating: %d", resp.StatusCode)
-	}
-
-	responseBody, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	var feLoginResponse FeLoginResponse
-
-	if err = json.Unmarshal(responseBody, &feLoginResponse); err != nil {
-		return err
-	}
-	api.feToken = feLoginResponse
-
-	/* Now we have JWT */
-
-	api.authCookie, err = api.getAuthCookie()
-	if err != nil {
-		return err
-	}
-	api.loggedIn = true
-	return nil
+
+	// we return a shallow clone that may be freely modified by the caller.
+	client := *globalKSCloudAPIConnector
+	options := *globalKSCloudAPIConnector.KsCloudOptions
+	client.KsCloudOptions = &options
+
+	return &client
 }

core/cautils/getter/kscloudapi_test.go

@@ -0,0 +1,49 @@
+package getter
+
+import (
+	"os"
+	"sync"
+	"testing"
+
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// extra mock API routes
+
+	pathTestPost   = "/test-post"
+	pathTestDelete = "/test-delete"
+	pathTestGet    = "/test-get"
+)
+
+var (
+	globalMx sync.Mutex // a mutex to avoid data races on package globals while testing
+
+	testOptions = []v1.KSCloudOption{
+		v1.WithTrace(os.Getenv("DEBUG_TEST") != ""),
+	}
+)
+
+func TestGlobalKSCloudAPIConnector(t *testing.T) {
+	t.Parallel()
+
+	globalMx.Lock()
+	defer globalMx.Unlock()
+
+	globalKSCloudAPIConnector = nil
+
+	t.Run("uninitialized global connector should yield an empty KS client", func(t *testing.T) {
+		empty := v1.NewEmptyKSCloudAPI()
+		require.EqualValues(t, empty, GetKSCloudAPIConnector())
+	})
+
+	t.Run("initialized global connector should yield the same pointer", func(t *testing.T) {
+		ksCloud, _ := v1.NewKSCloudAPI("test-123", "test-456", "account")
+		SetKSCloudAPIConnector(ksCloud)
+
+		client := GetKSCloudAPIConnector()
+		require.Equal(t, ksCloud, client)
+		require.Equal(t, client, GetKSCloudAPIConnector())
+	})
+}

core/cautils/getter/kscloudapiutils.go

@@ -1,187 +0,0 @@
-package getter
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-)
-
-var NativeFrameworks = []string{"nsa", "mitre", "armobest", "devopsbest"}
-
-func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if isNativeFramework(frameworkName) {
-		q.Add("frameworkName", strings.ToUpper(frameworkName))
-	} else {
-		// For customer framework has to be the way it was added
-		q.Add("frameworkName", frameworkName)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAttackTracksURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/attackTracks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getListFrameworkURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoPostureExceptions"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	// if clusterName != "" { // TODO - fix customer name support in Armo BE
-	// 	q.Add("clusterName", clusterName)
-	// }
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) exceptionsURL(exceptionsPolicyName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/postureExceptionPolicy"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if exceptionsPolicyName != "" { // for delete
-		q.Add("policyName", exceptionsPolicyName)
-	}
-
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAccountConfigDefault(clusterName string) string {
-	config := api.getAccountConfig(clusterName)
-	url := config + "&scope=customer"
-	return url
-}
-
-func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoCustomerConfiguration"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if clusterName != "" { // TODO - fix customer name support in Armo BE
-		q.Add("clusterName", clusterName)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAccountURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/createTenant"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getApiToken() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAuthURL())
-	u.Path = "identity/resources/auth/v1/api-token"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getOpenidCustomers() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/openid_customers"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAuthCookie() (string, error) {
-	selectCustomer := KSCloudSelectCustomer{SelectedCustomerGuid: api.accountID}
-	requestBody, _ := json.Marshal(selectCustomer)
-	client := &http.Client{}
-	httpRequest, err := http.NewRequest(http.MethodPost, api.getOpenidCustomers(), bytes.NewBuffer(requestBody))
-	if err != nil {
-		return "", err
-	}
-	httpRequest.Header.Set("Content-Type", "application/json")
-	httpRequest.Header.Set("Authorization", fmt.Sprintf("Bearer %s", api.feToken.Token))
-	httpResponse, err := client.Do(httpRequest)
-	if err != nil {
-		return "", err
-	}
-	defer httpResponse.Body.Close()
-	if httpResponse.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("failed to get cookie from %s: status %d", api.getOpenidCustomers(), httpResponse.StatusCode)
-	}
-
-	cookies := httpResponse.Header.Get("set-cookie")
-	if len(cookies) == 0 {
-		return "", fmt.Errorf("no cookie field in response from %s", api.getOpenidCustomers())
-	}
-
-	authCookie := ""
-	for _, cookie := range strings.Split(cookies, ";") {
-		kv := strings.Split(cookie, "=")
-		if kv[0] == "auth" {
-			authCookie = kv[1]
-		}
-	}
-
-	if len(authCookie) == 0 {
-		return "", fmt.Errorf("no auth cookie field in response from %s", api.getOpenidCustomers())
-	}
-
-	return authCookie, nil
-}
-func (api *KSCloudAPI) appendAuthHeaders(headers map[string]string) {
-
-	if api.feToken.Token != "" {
-		headers["Authorization"] = fmt.Sprintf("Bearer %s", api.feToken.Token)
-	}
-	if api.authCookie != "" {
-		headers["Cookie"] = fmt.Sprintf("auth=%s", api.authCookie)
-	}
-}
-
-func (api *KSCloudAPI) getCustomerGUIDFallBack() string {
-	if api.accountID != "" {
-		return api.accountID
-	}
-	return "11111111-1111-1111-1111-111111111111"
-}
-
-func parseHost(host string) (string, string) {
-	if strings.HasPrefix(host, "http://") {
-		return "http", strings.Replace(host, "http://", "", 1)
-	}
-
-	// default scheme
-	return "https", strings.Replace(host, "https://", "", 1)
-}

core/cautils/getter/loadpolicy.go

@@ -1,7 +1,7 @@
 package getter
 
 import (
-	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -9,12 +9,29 @@ import (
 
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 // =======================================================================================================================
 // ============================================== LoadPolicy =============================================================
 // =======================================================================================================================
-var DefaultLocalStore = getCacheDir()
+var (
+	DefaultLocalStore = getCacheDir()
+
+	ErrNotImplemented       = errors.New("feature is currently not supported")
+	ErrNotFound             = errors.New("name not found")
+	ErrNameRequired         = errors.New("missing required input framework name")
+	ErrIDRequired           = errors.New("missing required input control ID")
+	ErrFrameworkNotMatching = errors.New("framework from file not matching")
+	ErrControlNotMatching   = errors.New("framework from file not matching")
+)
+
+var (
+	_ IPolicyGetter         = &LoadPolicy{}
+	_ IExceptionsGetter     = &LoadPolicy{}
+	_ IAttackTracksGetter   = &LoadPolicy{}
+	_ IControlsInputsGetter = &LoadPolicy{}
+)
 
 func getCacheDir() string {
 	defaultDirPath := ".kubescape"
@@ -24,125 +41,225 @@ func getCacheDir() string {
 	return defaultDirPath
 }
 
-// Load policies from a local repository
+// LoadPolicy loads policies from a local repository.
 type LoadPolicy struct {
 	filePaths []string
 }
 
+// NewLoadPolicy builds a LoadPolicy.
 func NewLoadPolicy(filePaths []string) *LoadPolicy {
 	return &LoadPolicy{
 		filePaths: filePaths,
 	}
 }
 
-// Return control from file
-func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, error) {
+// GetControl returns a control from the policy file.
+func (lp *LoadPolicy) GetControl(controlID string) (*reporthandling.Control, error) {
+	if controlID == "" {
+		return nil, ErrIDRequired
+	}
 
-	control := &reporthandling.Control{}
+	// NOTE: this assumes that only the first path contains either a valid control descriptor or a framework descriptor
 	filePath := lp.filePath()
-	f, err := os.ReadFile(filePath)
+	buf, err := os.ReadFile(filePath)
+
 	if err != nil {
 		return nil, err
 	}
 
-	if err = json.Unmarshal(f, control); err != nil {
-		return control, err
-	}
-	if controlName != "" && !strings.EqualFold(controlName, control.Name) && !strings.EqualFold(controlName, control.ControlID) {
-		framework, err := lp.GetFramework(control.Name)
-		if err != nil {
-			return nil, fmt.Errorf("control from file not matching")
-		} else {
-			for _, ctrl := range framework.Controls {
-				if strings.EqualFold(ctrl.Name, controlName) || strings.EqualFold(ctrl.ControlID, controlName) {
-					control = &ctrl
-					break
-				}
-			}
+	// check if the file is a control descriptor: a ControlID field is populated.
+	var control reporthandling.Control
+	if err = json.Unmarshal(buf, &control); err == nil && control.ControlID != "" {
+		if strings.EqualFold(controlID, control.ControlID) {
+			return &control, nil
 		}
-	}
-	return control, err
-}
 
-func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
+		return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching)
+	}
+
+	// check if the file is a framework descriptor
 	var framework reporthandling.Framework
-	var err error
+	if err = json.Unmarshal(buf, &framework); err != nil {
+		return nil, err
+	}
+
+	for _, toPin := range framework.Controls {
+		ctrl := toPin
+
+		if strings.EqualFold(ctrl.ControlID, controlID) {
+			return &ctrl, nil
+		}
+	}
+
+	return nil, fmt.Errorf("controlID: %s: %w", controlID, ErrControlNotMatching)
+}
+
+// GetFramework retrieves a framework configuration from the policy paths.
+func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
+	if frameworkName == "" {
+		return nil, ErrNameRequired
+	}
+
 	for _, filePath := range lp.filePaths {
-		framework = reporthandling.Framework{}
-		f, err := os.ReadFile(filePath)
+		buf, err := os.ReadFile(filePath)
 		if err != nil {
 			return nil, err
 		}
-		if err = json.Unmarshal(f, &framework); err != nil {
+
+		var framework reporthandling.Framework
+		if err = json.Unmarshal(buf, &framework); err != nil {
 			return nil, err
 		}
+
 		if strings.EqualFold(frameworkName, framework.Name) {
-			break
+			return &framework, nil
 		}
 	}
-	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
 
-		return nil, fmt.Errorf("framework from file not matching")
-	}
-	return &framework, err
+	return nil, fmt.Errorf("framework: %s: %w", frameworkName, ErrFrameworkNotMatching)
 }
 
+// GetFrameworks returns all configured framework descriptors.
 func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
-	frameworks := []reporthandling.Framework{}
-	var err error
-	return frameworks, err
-}
+	frameworks := make([]reporthandling.Framework, 0, 10)
+	seenFws := make(map[string]struct{})
 
-func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
-	fwNames := []string{}
-	framework := &reporthandling.Framework{}
 	for _, f := range lp.filePaths {
-		file, err := os.ReadFile(f)
-		if err == nil {
-			if err := json.Unmarshal(file, framework); err == nil {
-				if !contains(fwNames, framework.Name) {
-					fwNames = append(fwNames, framework.Name)
-				}
-			}
+		buf, err := os.ReadFile(f)
+		if err != nil {
+			return nil, err
 		}
+
+		var framework reporthandling.Framework
+		if err = json.Unmarshal(buf, &framework); err != nil {
+			// ignore invalid framework files
+			continue
+		}
+
+		// dedupe
+		_, alreadyLoaded := seenFws[framework.Name]
+		if alreadyLoaded {
+			continue
+		}
+
+		seenFws[framework.Name] = struct{}{}
+		frameworks = append(frameworks, framework)
 	}
-	return fwNames, nil
+
+	return frameworks, nil
 }
 
-func (lp *LoadPolicy) ListControls(listType ListType) ([]string, error) {
-	// TODO - Support
-	return []string{}, fmt.Errorf("loading controls list from file is not supported")
+// ListFrameworks lists the names of all configured frameworks in this policy.
+func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
+	frameworkNames := make([]string, 0, 10)
+
+	for _, f := range lp.filePaths {
+		buf, err := os.ReadFile(f)
+		if err != nil {
+			return nil, err
+		}
+
+		var framework reporthandling.Framework
+		if err := json.Unmarshal(buf, &framework); err != nil {
+			continue
+		}
+
+		if framework.Name == "" || contains(frameworkNames, framework.Name) {
+			continue
+		}
+
+		frameworkNames = append(frameworkNames, framework.Name)
+	}
+
+	return frameworkNames, nil
 }
 
-func (lp *LoadPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+// ListControls returns the list of controls for this framework.
+//
+// At this moment, controls are listed for one single configured framework.
+func (lp *LoadPolicy) ListControls() ([]string, error) {
+	controlIDs := make([]string, 0, 100)
 	filePath := lp.filePath()
-	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := os.ReadFile(filePath)
+	buf, err := os.ReadFile(filePath)
 	if err != nil {
 		return nil, err
 	}
 
-	err = json.Unmarshal(f, &exception)
+	var framework reporthandling.Framework
+	if err = json.Unmarshal(buf, &framework); err != nil {
+		return nil, err
+	}
+
+	for _, ctrl := range framework.Controls {
+		controlIDs = append(controlIDs, ctrl.ControlID)
+	}
+
+	return controlIDs, nil
+}
+
+// GetExceptions retrieves configured exceptions.
+//
+// NOTE: the cluster parameter is not used at this moment.
+func (lp *LoadPolicy) GetExceptions(_ /* clusterName */ string) ([]armotypes.PostureExceptionPolicy, error) {
+	// NOTE: this assumes that the first path contains a valid exceptions descriptor
+	filePath := lp.filePath()
+
+	buf, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	exception := make([]armotypes.PostureExceptionPolicy, 0, 300)
+	err = json.Unmarshal(buf, &exception)
+
 	return exception, err
 }
 
-func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
+// GetControlsInputs retrieves the map of control configs.
+//
+// NOTE: the cluster parameter is not used at this moment.
+func (lp *LoadPolicy) GetControlsInputs(_ /* clusterName */ string) (map[string][]string, error) {
+	// NOTE: this assumes that only the first path contains a valid control inputs descriptor
 	filePath := lp.filePath()
-	accountConfig := &armotypes.CustomerConfig{}
-	f, err := os.ReadFile(filePath)
 	fileName := filepath.Base(filePath)
+
+	buf, err := os.ReadFile(filePath)
 	if err != nil {
-		formattedError := fmt.Errorf("Error opening %s file, \"controls-config\" will be downloaded from ARMO management portal", fileName)
+		formattedError := fmt.Errorf(
+			`Error opening %s file, "controls-config" will be downloaded from ARMO management portal`,
+			fileName,
+		)
+
 		return nil, formattedError
 	}
 
-	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
+	controlInputs := make(map[string][]string, 100) // from armotypes.Settings.PostureControlInputs
+	if err = json.Unmarshal(buf, &controlInputs); err != nil {
+		formattedError := fmt.Errorf(
+			`Error reading %s file, %v, "controls-config" will be downloaded from ARMO management portal`,
+			fileName, err,
+		)
+
+		return nil, formattedError
 	}
 
-	formattedError := fmt.Errorf("Error reading %s file, %s, \"controls-config\" will be downloaded from ARMO management portal", fileName, err.Error())
+	return controlInputs, nil
+}
 
-	return nil, formattedError
+// GetAttackTracks yields the attack tracks from a config file.
+func (lp *LoadPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	attackTracks := make([]v1alpha1.AttackTrack, 0, 20)
+
+	buf, err := os.ReadFile(lp.filePath())
+	if err != nil {
+		return nil, err
+	}
+
+	if err = json.Unmarshal(buf, &attackTracks); err != nil {
+		return nil, err
+	}
+
+	return attackTracks, nil
 }
 
 // temporary support for a list of files

core/cautils/getter/loadpolicy_test.go

@@ -1,13 +1,410 @@
 package getter
 
 import (
+	"fmt"
+	"os"
 	"path/filepath"
-)
+	"testing"
 
-var mockFrameworkBasePath = filepath.Join("examples", "mocks", "frameworks")
+	"github.com/kubescape/kubescape/v2/internal/testutils"
+	"github.com/stretchr/testify/require"
+)
 
 func MockNewLoadPolicy() *LoadPolicy {
 	return &LoadPolicy{
 		filePaths: []string{""},
 	}
 }
+
+func TestLoadPolicy(t *testing.T) {
+	t.Parallel()
+
+	const (
+		testFramework = "MITRE"
+		testControl   = "C-0053"
+	)
+
+	t.Run("with GetFramework", func(t *testing.T) {
+		t.Run("should retrieve named framework", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework(testFramework)
+			require.NoError(t, err)
+			require.NotNil(t, fw)
+
+			require.Equal(t, testFramework, fw.Name)
+		})
+
+		t.Run("should fail to retrieve framework", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework("wrong")
+			require.Error(t, err)
+			require.Nil(t, fw)
+		})
+
+		t.Run("edge case: should error on empty framework", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework("")
+			require.ErrorIs(t, err, ErrNameRequired)
+			require.Nil(t, fw)
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidFramework = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidFramework)})
+			fw, err := p.GetFramework(invalidFramework)
+			require.Error(t, err)
+			require.Nil(t, fw)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidFramework = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidFramework)})
+			_, err := p.GetFramework(invalidFramework)
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetControl", func(t *testing.T) {
+		t.Run("should retrieve named control from framework", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				expectedControlName = "Access container service account"
+			)
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			ctrl, err := p.GetControl(testControl)
+			require.NoError(t, err)
+			require.NotNil(t, ctrl)
+
+			require.Equal(t, testControl, ctrl.ControlID)
+			require.Equal(t, expectedControlName, ctrl.Name)
+		})
+
+		t.Run("with single control descriptor", func(t *testing.T) {
+			const (
+				singleControl       = "C-0001"
+				expectedControlName = "Forbidden Container Registries"
+			)
+
+			t.Run("should retrieve named control from control descriptor", func(t *testing.T) {
+				t.Parallel()
+
+				p := NewLoadPolicy([]string{testFrameworkFile(singleControl)})
+				ctrl, err := p.GetControl(singleControl)
+				require.NoError(t, err)
+				require.NotNil(t, ctrl)
+
+				require.Equal(t, singleControl, ctrl.ControlID)
+				require.Equal(t, expectedControlName, ctrl.Name)
+			})
+
+			t.Run("should fail to retrieve named control from control descriptor", func(t *testing.T) {
+				t.Parallel()
+
+				p := NewLoadPolicy([]string{testFrameworkFile(singleControl)})
+				ctrl, err := p.GetControl("wrong")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+		})
+
+		t.Run("with framework descriptor", func(t *testing.T) {
+			t.Run("should fail to retrieve named control", func(t *testing.T) {
+				t.Parallel()
+
+				const testControl = "wrong"
+				p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+				ctrl, err := p.GetControl(testControl)
+				require.ErrorIs(t, err, ErrControlNotMatching)
+				require.Nil(t, ctrl)
+			})
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidControl = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidControl)})
+			_, err := p.GetControl(invalidControl)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidControl = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidControl)})
+			_, err := p.GetControl(invalidControl)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: should error on empty control", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			ctrl, err := p.GetControl("")
+			require.ErrorIs(t, err, ErrIDRequired)
+			require.Nil(t, ctrl)
+		})
+	})
+
+	t.Run("with ListFrameworks", func(t *testing.T) {
+		t.Run("should return all frameworks in the policy path", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				extraFramework = "NSA"
+				attackTracks   = "attack-tracks"
+			)
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(extraFramework), // should  be deduped
+				testFrameworkFile(attackTracks),   // should be ignored
+			})
+			fws, err := p.ListFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0])
+			require.Equal(t, extraFramework, fws[1])
+		})
+
+		t.Run("should not return an empty framework", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				extraFramework = "NSA"
+				attackTracks   = "attack-tracks"
+				controlsInputs = "controls-inputs"
+			)
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(attackTracks),   // should be ignored
+				testFrameworkFile(controlsInputs), // should be ignored
+			})
+			fws, err := p.ListFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+			require.NotContains(t, fws, "")
+
+			require.Equal(t, testFramework, fws[0])
+			require.Equal(t, extraFramework, fws[1])
+		})
+
+		t.Run("should fail on file error", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				extraFramework = "NSA"
+				nowhere        = "nowheretobeseen"
+			)
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(nowhere), // should raise an error
+			})
+			fws, err := p.ListFrameworks()
+			require.Error(t, err)
+			require.Nil(t, fws)
+		})
+	})
+
+	t.Run("edge case: policy without path", func(t *testing.T) {
+		t.Parallel()
+
+		p := NewLoadPolicy([]string{})
+		require.Empty(t, p.filePath())
+	})
+
+	t.Run("with GetFrameworks", func(t *testing.T) {
+		const extraFramework = "NSA"
+
+		t.Run("should return all configured frameworks", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+			})
+			fws, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0].Name)
+			require.Equal(t, extraFramework, fws[1].Name)
+		})
+
+		t.Run("should return dedupe configured frameworks", func(t *testing.T) {
+			t.Parallel()
+
+			const attackTracks = "attack-tracks"
+			p := NewLoadPolicy([]string{
+				testFrameworkFile(testFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(extraFramework),
+				testFrameworkFile(attackTracks), // should be ignored
+			})
+			fws, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.Len(t, fws, 2)
+
+			require.Equal(t, testFramework, fws[0].Name)
+			require.Equal(t, extraFramework, fws[1].Name)
+		})
+	})
+
+	t.Run("with ListControls", func(t *testing.T) {
+		t.Run("should return controls", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			controlIDs, err := p.ListControls()
+			require.NoError(t, err)
+			require.Greater(t, len(controlIDs), 0)
+			require.Equal(t, testControl, controlIDs[0])
+		})
+	})
+
+	t.Run("with GetAttackTracks", func(t *testing.T) {
+		t.Run("should return attack tracks", func(t *testing.T) {
+			t.Parallel()
+
+			const attackTracks = "attack-tracks"
+			p := NewLoadPolicy([]string{testFrameworkFile(attackTracks)})
+			tracks, err := p.GetAttackTracks()
+			require.NoError(t, err)
+			require.Greater(t, len(tracks), 0)
+
+			for _, track := range tracks {
+				require.Equal(t, "AttackTrack", track.Kind)
+			}
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidTracks = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)})
+			_, err := p.GetAttackTracks()
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidTracks = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidTracks)})
+			_, err := p.GetAttackTracks()
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetControlsInputs", func(t *testing.T) {
+		const cluster = "dummy" // unused parameter at the moment
+
+		t.Run("should return control inputs for a cluster", func(t *testing.T) {
+			t.Parallel()
+
+			fixture, expected := writeTempJSONControlInputs(t)
+			t.Cleanup(func() {
+				_ = os.Remove(fixture)
+			})
+
+			p := NewLoadPolicy([]string{fixture})
+			inputs, err := p.GetControlsInputs(cluster)
+			require.NoError(t, err)
+			require.EqualValues(t, expected, inputs)
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetControlsInputs(cluster)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetControlsInputs(cluster)
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetExceptions", func(t *testing.T) {
+		const cluster = "dummy" // unused parameter at the moment
+
+		t.Run("should return exceptions", func(t *testing.T) {
+			t.Parallel()
+
+			const exceptions = "exceptions"
+
+			p := NewLoadPolicy([]string{testFrameworkFile(exceptions)})
+			exceptionPolicies, err := p.GetExceptions(cluster)
+			require.NoError(t, err)
+
+			require.Greater(t, len(exceptionPolicies), 0)
+			t.Logf("len=%d", len(exceptionPolicies))
+			for _, policy := range exceptionPolicies {
+				require.NotEmpty(t, policy.Name)
+			}
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetExceptions(cluster)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidInputs = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidInputs)})
+			_, err := p.GetExceptions(cluster)
+			require.Error(t, err)
+		})
+	})
+}
+
+func testFrameworkFile(framework string) string {
+	return filepath.Join(testutils.CurrentDir(), "testdata", fmt.Sprintf("%s.json", framework))
+}
+
+func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {
+	fileName := testFrameworkFile("control-inputs")
+	mock := map[string][]string{
+		"key1": {
+			"val1", "val2",
+		},
+		"key2": {
+			"val3", "val4",
+		},
+	}
+
+	buf, err := json.Marshal(mock)
+	require.NoError(t, err)
+
+	require.NoError(t, os.WriteFile(fileName, buf, 0600))
+
+	return fileName, mock
+}

core/cautils/getter/testdata/C-0001.json

@@ -0,0 +1,85 @@
+{
+  "guid": "",
+  "name": "Forbidden Container Registries",
+  "attributes": {
+    "armoBuiltin": true,
+    "attackTracks": [
+      {
+        "attackTrack": "container",
+        "categories": [
+          "Initial access"
+        ]
+      }
+    ],
+    "controlTypeTags": [
+      "security",
+      "compliance"
+    ],
+    "microsoftMitreColumns": [
+      "Initial Access"
+    ]
+  },
+  "id": "C-0001",
+  "controlID": "C-0001",
+  "creationTime": "",
+  "description": "In cases where the Kubernetes cluster is provided by a CSP (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to the cluster takeover. Attackers may abuse cloud account credentials or IAM mechanism to the cluster’s management layer.",
+  "remediation": "Limit the registries from which you pull container images from",
+  "rules": [
+    {
+      "guid": "",
+      "name": "rule-identify-blocklisted-image-registries",
+      "attributes": {
+        "armoBuiltin": true,
+        "m$K8sThreatMatrix": "Initial Access::Compromised images in registry"
+      },
+      "creationTime": "",
+      "rule": "package armo_builtins\nimport data\n# Check for images from blocklisted repos\n\nuntrustedImageRepo[msga] {\n\tpod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tpath := sprintf(\"spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n         \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n    }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n         \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n    }\n}\n\nuntrustedImageRepo[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tpath := sprintf(\"spec.jobTemplate.spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\timage := container.image\n    untrusted_or_public_registries(image)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' comes from untrusted registry\", [image, container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 2,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": [path],\n        \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n    }\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tuntrusted_registries := data.postureControlInputs.untrustedRegistries\n\trepo_prefix := untrusted_registries[_]\n\tstartswith(image, repo_prefix)\n}\n\nuntrusted_or_public_registries(image){\n\t# see default-config-inputs.json for list values\n\tpublic_registries := data.postureControlInputs.publicRegistries\n\trepo_prefix := public_registries[_]\n\tstartswith(image, repo_prefix)\n}",
+      "resourceEnumerator": "",
+      "ruleLanguage": "Rego",
+      "match": [
+        {
+          "apiGroups": [
+            "*"
+          ],
+          "apiVersions": [
+            "*"
+          ],
+          "resources": [
+            "Pod",
+            "Deployment",
+            "ReplicaSet",
+            "DaemonSet",
+            "StatefulSet",
+            "Job",
+            "CronJob"
+          ]
+        }
+      ],
+      "ruleDependencies": [],
+      "configInputs": [
+        "settings.postureControlInputs.publicRegistries",
+        "settings.postureControlInputs.untrustedRegistries"
+      ],
+      "controlConfigInputs": [
+        {
+          "path": "settings.postureControlInputs.publicRegistries",
+          "name": "Public registries",
+          "description": "Kubescape checks none of these public registries are in use."
+        },
+        {
+          "path": "settings.postureControlInputs.untrustedRegistries",
+          "name": "Registries block list",
+          "description": "Kubescape checks none of the following registries are in use."
+        }
+      ],
+      "description": "Identifying if pod container images are from unallowed registries",
+      "remediation": "Use images from safe registry",
+      "ruleQuery": "",
+      "relevantCloudProviders": null
+    }
+  ],
+  "rulesIDs": [
+    ""
+  ],
+  "baseScore": 7
+}