fix: update documentation links to include 'controls' path

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Test file updated
2026-02-16 19:09:59 +00:00 · 2025-11-03 07:47:37 +01:00 · 2025-10-30 01:14:25 +05:30 · 2025-10-25 17:39:28 +05:30 · 2025-10-21 09:45:29 +02:00 · 2025-10-21 09:31:33 +02:00
35 changed files with 1681 additions and 3924 deletions
--- a/.github/workflows/02-release.yaml
+++ b/.github/workflows/02-release.yaml
@@ -8,7 +8,7 @@ jobs:
  retag:
    outputs:
      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
-    runs-on: ubuntu22-core4-mem16-ssd150
+    runs-on: ubuntu-large
    steps:
      - uses: actions/checkout@v4
      - id: tag-calculator
@@ -110,7 +110,7 @@ jobs:
      attestations: read
      contents: write
    uses: ./.github/workflows/e-post-release.yaml
-    needs: [publish-image]
+    needs: [retag, publish-image]
    with:
      TAG: ${{ needs.retag.outputs.NEW_TAG }}
    secrets: inherit
--- a/.github/workflows/a-pr-scanner.yaml
+++ b/.github/workflows/a-pr-scanner.yaml
@@ -27,7 +27,7 @@ jobs:
    name: Create cross-platform build
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    runs-on: ubuntu22-core4-mem16-ssd150
+    runs-on: ubuntu-large
    steps:

      - uses: actions/checkout@v4
@@ -48,7 +48,7 @@ jobs:
        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
        if: startsWith(github.ref, 'refs/tags')

-      - uses: anchore/sbom-action/download-syft@v0.15.2
+      - uses: anchore/sbom-action/download-syft@v0
        name: Setup Syft

      - uses: goreleaser/goreleaser-action@v6
@@ -70,20 +70,18 @@ jobs:

      - name: golangci-lint
        continue-on-error: false
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v8
        with:
-          version: latest
+          version: v2.1
          args: --timeout 10m
          only-new-issues: true
-          skip-pkg-cache: true
-          skip-build-cache: true

  scanners:
    env:
      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    name: PR Scanner
-    runs-on: ubuntu22-core4-mem16-ssd150
+    runs-on: ubuntu-large
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/b-binary-build-and-e2e-tests.yaml
+++ b/.github/workflows/b-binary-build-and-e2e-tests.yaml
@@ -308,7 +308,7 @@ jobs:

      - uses: actions/setup-python@v4
        with:
-          python-version: '3.8.13'
+          python-version: '3.9'
          cache: 'pip'

      - name: create env
--- a/.github/workflows/e-post-release.yaml
+++ b/.github/workflows/e-post-release.yaml
@@ -19,7 +19,7 @@ jobs:
        uses: rajatjindal/krew-release-bot@v0.0.47
        if: github.repository_owner == 'kubescape'
        env:
-          GITHUB_REF: ${{ inputs.TAG }}
+          GITHUB_REF: refs/tags/${{ inputs.TAG }}
      - name: Invoke workflow to update packaging
        uses: benc-uk/workflow-dispatch@v1
        if: github.repository_owner == 'kubescape'
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,51 +1,57 @@
-linters-settings:
-  govet:
-    shadow: true
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 3
-    min-occurrences: 2
-  gocognit:
-    min-complexity: 65
-
+version: "2"
 linters:
  enable:
-    - gosec
-    - staticcheck
-    - nolintlint
-    - gofmt
-    - unused
-    - govet
    - bodyclose
-    - typecheck
-    - goimports
-    - ineffassign
-    - gosimple
+    - gosec
+    - nolintlint
  disable:
-    # temporarily disabled
-    - errcheck
    - dupl
-    - gocritic
+    - errcheck
+    - gochecknoglobals
+    - gochecknoinits
    - gocognit
+    - gocritic
+    - lll
    - nakedret
    - revive
-    - stylecheck
    - unconvert
    - unparam
-    #- forbidigo # <- see later
-    # should remain disabled
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
-issues:
-  exclude-rules:
-    - linters:
-      - revive
-      text: "var-naming"
-    - linters:
-      - revive
-      text: "type name will be used as (.+?) by other packages, and that stutters"
-    - linters:
-      - stylecheck
-      text: "ST1003"
+  settings:
+    dupl:
+      threshold: 200
+    gocognit:
+      min-complexity: 65
+    goconst:
+      min-len: 3
+      min-occurrences: 2
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - revive
+        text: var-naming
+      - linters:
+          - revive
+        text: type name will be used as (.+?) by other packages, and that stutters
+      - linters:
+          - staticcheck
+        text: ST1003
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/cmd/patch/patch.go
+++ b/cmd/patch/patch.go
@@ -12,7 +12,6 @@ import (
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-	"github.com/kubescape/kubescape/v3/pkg/imagescan"
 	"github.com/spf13/cobra"
 )

@@ -53,12 +52,12 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 			// Set the UseDefaultMatchers field in scanInfo
 			scanInfo.UseDefaultMatchers = useDefaultMatchers

-			results, err := ks.Patch(&patchInfo, &scanInfo)
+			exceedsSeverityThreshold, err := ks.Patch(&patchInfo, &scanInfo)
 			if err != nil {
 				return err
 			}

-			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+			if exceedsSeverityThreshold {
 				shared.TerminateOnExceedingSeverity(&scanInfo, logger.L())
 			}

--- a/cmd/scan/scan_test.go
+++ b/cmd/scan/scan_test.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"reflect"
 	"testing"
+	"time"

 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
@@ -186,20 +187,23 @@ type spyLogger struct {
 	setItems []spyLogMessage
 }

-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) SetLevel(level string) error                         { return nil }
-func (l *spyLogger) GetLevel() string                                    { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                                {}
-func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
-func (l *spyLogger) LoggerName() string                                  { return "" }
-func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
-func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+var _ helpers.ILogger = &spyLogger{}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)                     {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) SetLevel(level string) error                                      { return nil }
+func (l *spyLogger) GetLevel() string                                                 { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                             {}
+func (l *spyLogger) GetWriter() *os.File                                              { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                               { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger                            { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails)              {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)                {}
+func (l *spyLogger) TimedWrapper(funcName string, timeout time.Duration, task func()) {}

 func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
 	firstDetail := details[0]
--- a/cmd/shared/scan_test.go
+++ b/cmd/shared/scan_test.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"reflect"
 	"testing"
+	"time"

 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -20,20 +21,23 @@ type spyLogger struct {
 	setItems []spyLogMessage
 }

-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) SetLevel(level string) error                         { return nil }
-func (l *spyLogger) GetLevel() string                                    { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                                {}
-func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
-func (l *spyLogger) LoggerName() string                                  { return "" }
-func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
-func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+var _ helpers.ILogger = &spyLogger{}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)                     {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) SetLevel(level string) error                                      { return nil }
+func (l *spyLogger) GetLevel() string                                                 { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                             {}
+func (l *spyLogger) GetWriter() *os.File                                              { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                               { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger                            { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails)              {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)                {}
+func (l *spyLogger) TimedWrapper(funcName string, timeout time.Duration, task func()) {}

 func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
 	firstDetail := details[0]
--- a/cmd/vap/vap.go
+++ b/cmd/vap/vap.go
@@ -220,9 +220,11 @@ func createPolicyBinding(bindingName string, policyName string, action string, p
 	}

 	policyBinding.Spec.ValidationActions = []admissionv1.ValidationAction{admissionv1.ValidationAction(action)}
+	paramAction := admissionv1.DenyAction
 	if paramRefName != "" {
 		policyBinding.Spec.ParamRef = &admissionv1.ParamRef{
-			Name: paramRefName,
+			Name:                    paramRefName,
+			ParameterNotFoundAction: &paramAction,
 		}
 	}
 	// Marshal the policy binding to YAML
--- a/core/cautils/datastructures.go
+++ b/core/cautils/datastructures.go
@@ -4,7 +4,10 @@ import (
 	"context"
 	"sort"

-	"github.com/anchore/grype/grype/presenter/models"
+	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/syft/syft/sbom"
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
@@ -20,8 +23,14 @@ type K8SResources map[string][]string
 type ExternalResources map[string][]string

 type ImageScanData struct {
-	PresenterConfig *models.PresenterConfig
-	Image           string
+	Context               pkg.Context
+	IgnoredMatches        []match.IgnoredMatch
+	Image                 string
+	Matches               match.Matches
+	Packages              []pkg.Package
+	RemainingMatches      *match.Matches
+	SBOM                  *sbom.SBOM
+	VulnerabilityProvider vulnerability.Provider
 }

 type ScanTypes string
--- a/core/core/image_scan.go
+++ b/core/core/image_scan.go
@@ -165,8 +165,8 @@ func getUniqueVulnerabilitiesAndSeverities(policies []VulnerabilitiesIgnorePolic
 func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error) {
 	logger.L().Start(fmt.Sprintf("Scanning image %s...", imgScanInfo.Image))

-	dbCfg, _ := imagescan.NewDefaultDBConfig()
-	svc, err := imagescan.NewScanServiceWithMatchers(dbCfg, imgScanInfo.UseDefaultMatchers)
+	distCfg, installCfg, _ := imagescan.NewDefaultDBConfig()
+	svc, err := imagescan.NewScanServiceWithMatchers(distCfg, installCfg, imgScanInfo.UseDefaultMatchers)
 	if err != nil {
 		logger.L().StopError(fmt.Sprintf("Failed to initialize image scanner: %s", err))
 		return false, err
@@ -190,7 +190,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca
 		vulnerabilityExceptions, severityExceptions = getUniqueVulnerabilitiesAndSeverities(exceptionPolicies, imgScanInfo.Image)
 	}

-	scanResults, err := svc.Scan(ks.Context(), imgScanInfo.Image, creds, vulnerabilityExceptions, severityExceptions)
+	imageScanData, err := svc.Scan(ks.Context(), imgScanInfo.Image, creds, vulnerabilityExceptions, severityExceptions)
 	if err != nil {
 		logger.L().StopError(fmt.Sprintf("Failed to scan image: %s", imgScanInfo.Image))
 		return false, err
@@ -206,12 +206,7 @@ func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *ca

 	resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)

-	resultsHandler.ImageScanData = []cautils.ImageScanData{
-		{
-			PresenterConfig: scanResults,
-			Image:           imgScanInfo.Image,
-		},
-	}
+	resultsHandler.ImageScanData = []cautils.ImageScanData{*imageScanData}

-	return imagescan.ExceedsSeverityThreshold(scanResults, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)), resultsHandler.HandleResults(ks.Context(), scanInfo)
+	return svc.ExceedsSeverityThreshold(imagescan.ParseSeverity(scanInfo.FailThresholdSeverity), imageScanData.Matches), resultsHandler.HandleResults(ks.Context(), scanInfo)
 }
--- a/core/core/patch.go
+++ b/core/core/patch.go
@@ -10,7 +10,8 @@ import (
 	"strings"
 	"time"

-	"github.com/anchore/grype/grype/presenter"
+	"github.com/anchore/clio"
+	grypejson "github.com/anchore/grype/grype/presenter/json"
 	"github.com/anchore/grype/grype/presenter/models"
 	copaGrype "github.com/anubhav06/copa-grype/grype"
 	"github.com/containerd/platforms"
@@ -41,17 +42,17 @@ const (
 	copaProduct = "copa"
 )

-func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.ScanInfo) (bool, error) {

 	// ===================== Scan the image =====================
 	logger.L().Start(fmt.Sprintf("Scanning image: %s", patchInfo.Image))

 	// Setup the scan service
-	dbCfg, _ := imagescan.NewDefaultDBConfig()
-	svc, err := imagescan.NewScanServiceWithMatchers(dbCfg, scanInfo.UseDefaultMatchers)
+	distCfg, installCfg, _ := imagescan.NewDefaultDBConfig()
+	svc, err := imagescan.NewScanServiceWithMatchers(distCfg, installCfg, scanInfo.UseDefaultMatchers)
 	if err != nil {
 		logger.L().StopError(fmt.Sprintf("Failed to initialize image scanner: %s", err))
-		return nil, err
+		return false, err
 	}
 	defer svc.Close()
 	creds := imagescan.RegistryCredentials{
@@ -61,15 +62,21 @@ func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.Scan
 	// Scan the image
 	scanResults, err := svc.Scan(ks.Context(), patchInfo.Image, creds, nil, nil)
 	if err != nil {
-		return nil, err
+		return false, err
+	}
+
+	model, err := models.NewDocument(clio.Identification{}, scanResults.Packages, scanResults.Context,
+		*scanResults.RemainingMatches, scanResults.IgnoredMatches, scanResults.VulnerabilityProvider, nil, nil, models.DefaultSortStrategy, false)
+	if err != nil {
+		return false, fmt.Errorf("failed to create document: %w", err)
 	}

 	// If the scan results ID is empty, set it to "grype"
-	if scanResults.ID.Name == "" {
-		scanResults.ID.Name = "grype"
+	if model.Descriptor.Name == "" {
+		model.Descriptor.Name = "grype"
 	}
 	// Save the scan results to a file in json format
-	pres := presenter.GetPresenter("json", "", false, *scanResults)
+	pres := grypejson.NewPresenter(models.PresenterConfig{Document: model, SBOM: scanResults.SBOM})

 	fileName := fmt.Sprintf("%s:%s.json", patchInfo.ImageName, patchInfo.ImageTag)
 	fileName = strings.ReplaceAll(fileName, "/", "-")
@@ -77,7 +84,7 @@ func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.Scan
 	writer := printer.GetWriter(ks.Context(), fileName)

 	if err = pres.Present(writer); err != nil {
-		return nil, err
+		return false, err
 	}
 	logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", patchInfo.Image))

@@ -91,7 +98,7 @@ func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.Scan
 	}

 	if err = copaPatch(ks.Context(), patchInfo.Timeout, patchInfo.BuildkitAddress, patchInfo.Image, fileName, patchedImageName, "", patchInfo.IgnoreError, patchInfo.BuildKitOpts); err != nil {
-		return nil, err
+		return false, err
 	}

 	// Restore the output streams
@@ -105,7 +112,7 @@ func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.Scan

 	scanResultsPatched, err := svc.Scan(ks.Context(), patchedImageName, creds, nil, nil)
 	if err != nil {
-		return nil, err
+		return false, err
 	}
 	logger.L().StopSuccess(fmt.Sprintf("Successfully re-scanned image: %s", patchedImageName))

@@ -121,14 +128,9 @@ func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.Scan
 	outputPrinters := GetOutputPrinters(scanInfo, ks.Context(), "")
 	uiPrinter := GetUIPrinter(ks.Context(), scanInfo, "")
 	resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)
-	resultsHandler.ImageScanData = []cautils.ImageScanData{
-		{
-			PresenterConfig: scanResultsPatched,
-			Image:           patchedImageName,
-		},
-	}
+	resultsHandler.ImageScanData = []cautils.ImageScanData{*scanResultsPatched}

-	return scanResultsPatched, resultsHandler.HandleResults(ks.Context(), scanInfo)
+	return svc.ExceedsSeverityThreshold(imagescan.ParseSeverity(scanInfo.FailThresholdSeverity), scanResultsPatched.Matches), resultsHandler.HandleResults(ks.Context(), scanInfo)
 }

 func disableCopaLogger() {
--- a/core/core/scan.go
+++ b/core/core/scan.go
@@ -243,8 +243,8 @@ func scanImages(scanType cautils.ScanTypes, scanData *cautils.OPASessionObj, ctx
 		}
 	}

-	dbCfg, _ := imagescan.NewDefaultDBConfig()
-	svc, err := imagescan.NewScanServiceWithMatchers(dbCfg, scanInfo.UseDefaultMatchers)
+	distCfg, installCfg, _ := imagescan.NewDefaultDBConfig()
+	svc, err := imagescan.NewScanServiceWithMatchers(distCfg, installCfg, scanInfo.UseDefaultMatchers)
 	if err != nil {
 		logger.L().StopError(fmt.Sprintf("Failed to initialize image scanner: %s", err))
 		return
@@ -267,10 +267,7 @@ func scanSingleImage(ctx context.Context, img string, svc *imagescan.Service, re
 		return err
 	}

-	resultsHandling.ImageScanData = append(resultsHandling.ImageScanData, cautils.ImageScanData{
-		Image:           img,
-		PresenterConfig: scanResults,
-	})
+	resultsHandling.ImageScanData = append(resultsHandling.ImageScanData, *scanResults)
 	return nil
 }

--- a/core/meta/ksinterface.go
+++ b/core/meta/ksinterface.go
@@ -3,7 +3,6 @@ package meta
 import (
 	"context"

-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
@@ -27,7 +26,7 @@ type IKubescape interface {
 	Fix(fixInfo *metav1.FixInfo) error

 	// patch
-	Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
+	Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (bool, error)

 	// scan image
 	ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (bool, error)
--- a/core/mocks/cmd_mocks.go
+++ b/core/mocks/cmd_mocks.go
@@ -3,7 +3,6 @@ package mocks
 import (
 	"context"

-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
@@ -43,8 +42,8 @@ func (m *MockIKubescape) Fix(_ *metav1.FixInfo) error {
 	return nil
 }

-func (m *MockIKubescape) Patch(_ *metav1.PatchInfo, _ *cautils.ScanInfo) (*models.PresenterConfig, error) {
-	return nil, nil
+func (m *MockIKubescape) Patch(_ *metav1.PatchInfo, _ *cautils.ScanInfo) (bool, error) {
+	return false, nil
 }

 func (m *MockIKubescape) ScanImage(_ *metav1.ImageScanInfo, _ *cautils.ScanInfo) (bool, error) {
--- a/core/pkg/hostsensorutils/hostsensordeploy.go
+++ b/core/pkg/hostsensorutils/hostsensordeploy.go
@@ -96,7 +96,7 @@ func (hsh *HostSensorHandler) Init(ctx context.Context) error {

 	hsh.populatePodNamesToNodeNames(ctx, log)
 	if err := hsh.checkPodForEachNode(); err != nil {
-		logger.L().Ctx(ctx).Warning(failedToValidateHostSensorPodStatus, helpers.Error(err))
+		return fmt.Errorf("%s: %v", failedToValidateHostSensorPodStatus, err)
 	}

 	return nil
--- a/core/pkg/resultshandling/printer/v2/jsonprinter.go
+++ b/core/pkg/resultshandling/printer/v2/jsonprinter.go
@@ -6,10 +6,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

 	"github.com/anchore/clio"
-	"github.com/anchore/grype/grype/presenter"
+	grypejson "github.com/anchore/grype/grype/presenter/json"
 	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -17,7 +18,6 @@ import (
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/imageprinter"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-	"k8s.io/utils/strings/slices"
 )

 const (
@@ -70,17 +70,10 @@ func (jp *JsonPrinter) convertToImageScanSummary(imageScanData []cautils.ImageSc
 			imageScanSummary.Images = append(imageScanSummary.Images, imageScanData[i].Image)
 		}

-		presenterConfig := imageScanData[i].PresenterConfig
-		doc, err := models.NewDocument(clio.Identification{}, presenterConfig.Packages, presenterConfig.Context, presenterConfig.Matches, presenterConfig.IgnoredMatches, presenterConfig.MetadataProvider, nil, presenterConfig.DBStatus)
-		if err != nil {
-			logger.L().Error(fmt.Sprintf("failed to create document for image: %v", imageScanData[i].Image), helpers.Error(err))
-			continue
-		}
-
-		CVEs := extractCVEs(doc.Matches)
+		CVEs := extractCVEs(imageScanData[i].Matches)
 		imageScanSummary.CVEs = append(imageScanSummary.CVEs, CVEs...)

-		setPkgNameToScoreMap(doc.Matches, imageScanSummary.PackageScores)
+		setPkgNameToScoreMap(imageScanData[i].Matches, imageScanSummary.PackageScores)

 		setSeverityToSummaryMap(CVEs, imageScanSummary.MapsSeverityToSummary)
 	}
@@ -92,9 +85,15 @@ func (jp *JsonPrinter) ActionPrint(ctx context.Context, opaSessionObj *cautils.O
 	var err error

 	if opaSessionObj != nil {
-		err = printConfigurationsScanning(opaSessionObj, ctx, imageScanData, jp)
+		err = printConfigurationsScanning(opaSessionObj, imageScanData, jp)
 	} else if imageScanData != nil {
-		err = jp.PrintImageScan(ctx, imageScanData[0].PresenterConfig)
+		model, err2 := models.NewDocument(clio.Identification{}, imageScanData[0].Packages, imageScanData[0].Context,
+			*imageScanData[0].RemainingMatches, imageScanData[0].IgnoredMatches, imageScanData[0].VulnerabilityProvider, nil, nil, models.DefaultSortStrategy, false)
+		if err2 != nil {
+			logger.L().Ctx(ctx).Error("failed to create document: %w", helpers.Error(err))
+			return
+		}
+		err = grypejson.NewPresenter(models.PresenterConfig{Document: model, SBOM: imageScanData[0].SBOM}).Present(jp.writer)
 	} else {
 		err = fmt.Errorf("no data provided")
 	}
@@ -107,7 +106,7 @@ func (jp *JsonPrinter) ActionPrint(ctx context.Context, opaSessionObj *cautils.O
 	printer.LogOutputFile(jp.writer.Name())
 }

-func printConfigurationsScanning(opaSessionObj *cautils.OPASessionObj, ctx context.Context, imageScanData []cautils.ImageScanData, jp *JsonPrinter) error {
+func printConfigurationsScanning(opaSessionObj *cautils.OPASessionObj, imageScanData []cautils.ImageScanData, jp *JsonPrinter) error {

 	if imageScanData != nil {
 		imageScanSummary, err := jp.convertToImageScanSummary(imageScanData)
@@ -168,14 +167,6 @@ func convertToReportSummary(input map[string]*imageprinter.SeveritySummary) map[
 	return output
 }

-func (jp *JsonPrinter) PrintImageScan(ctx context.Context, scanResults *models.PresenterConfig) error {
-	if scanResults == nil {
-		return fmt.Errorf("no image vulnerability data provided")
-	}
-	pres := presenter.GetPresenter("json", "", false, *scanResults)
-	return pres.Present(jp.writer)
-}
-
 func (jp *JsonPrinter) PrintNextSteps() {

 }
--- a/core/pkg/resultshandling/printer/v2/prettyprinter.go
+++ b/core/pkg/resultshandling/printer/v2/prettyprinter.go
@@ -7,8 +7,6 @@ import (
 	"sort"
 	"strings"

-	"github.com/anchore/clio"
-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/enescakir/emoji"
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
@@ -91,17 +89,10 @@ func (pp *PrettyPrinter) convertToImageScanSummary(imageScanData []cautils.Image
 			imageScanSummary.Images = append(imageScanSummary.Images, imageScanData[i].Image)
 		}

-		presenterConfig := imageScanData[i].PresenterConfig
-		doc, err := models.NewDocument(clio.Identification{}, presenterConfig.Packages, presenterConfig.Context, presenterConfig.Matches, presenterConfig.IgnoredMatches, presenterConfig.MetadataProvider, nil, presenterConfig.DBStatus)
-		if err != nil {
-			logger.L().Error(fmt.Sprintf("failed to create document for image: %v", imageScanData[i].Image), helpers.Error(err))
-			continue
-		}
-
-		CVEs := extractCVEs(doc.Matches)
+		CVEs := extractCVEs(imageScanData[i].Matches)
 		imageScanSummary.CVEs = append(imageScanSummary.CVEs, CVEs...)

-		setPkgNameToScoreMap(doc.Matches, imageScanSummary.PackageScores)
+		setPkgNameToScoreMap(imageScanData[i].Matches, imageScanSummary.PackageScores)

 		setSeverityToSummaryMap(CVEs, imageScanSummary.MapsSeverityToSummary)
 	}
--- a/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/categorytable.go
+++ b/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/categorytable.go
@@ -11,7 +11,7 @@ import (
 )

 const (
-	docsPrefix        = "https://kubescape.io/docs"
+	docsPrefix        = "https://kubescape.io/docs/controls"
 	scanControlPrefix = "$ kubescape scan control"
 	controlNameHeader = "Control name"
 	statusHeader      = ""
--- a/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/categorytable_test.go
+++ b/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/categorytable_test.go
@@ -102,7 +102,7 @@ func TestGenerateCategoryStatusRow(t *testing.T) {
 				Status:    apis.StatusFailed,
 				ControlID: "ctrlID",
 			},
-			expectedRows: table.Row{"❌", "test", "https://kubescape.io/docs/ctrlid"},
+			expectedRows: table.Row{"❌", "test", "https://kubescape.io/docs/controls/ctrlid"},
 		},
 		{
 			name: "skipped control",
@@ -114,7 +114,7 @@ func TestGenerateCategoryStatusRow(t *testing.T) {
 				},
 				ControlID: "ctrlID",
 			},
-			expectedRows: table.Row{"⚠️", "test", "https://kubescape.io/docs/ctrlid"},
+			expectedRows: table.Row{"⚠️", "test", "https://kubescape.io/docs/controls/ctrlid"},
 			infoToPrintInfo: []utils.InfoStars{
 				{
 					Info:  "testInfo",
@@ -129,7 +129,7 @@ func TestGenerateCategoryStatusRow(t *testing.T) {
 				Status:    apis.StatusPassed,
 				ControlID: "ctrlID",
 			},
-			expectedRows: table.Row{"✅", "test", "https://kubescape.io/docs/ctrlid"},
+			expectedRows: table.Row{"✅", "test", "https://kubescape.io/docs/controls/ctrlid"},
 		},
 		{
 			name: "big name",
@@ -138,7 +138,7 @@ func TestGenerateCategoryStatusRow(t *testing.T) {
 				Status:    apis.StatusFailed,
 				ControlID: "ctrlID",
 			},
-			expectedRows: table.Row{"❌", "testtesttesttesttesttesttesttesttesttesttesttestte...", "https://kubescape.io/docs/ctrlid"},
+			expectedRows: table.Row{"❌", "testtesttesttesttesttesttesttesttesttesttesttestte...", "https://kubescape.io/docs/controls/ctrlid"},
 		},
 	}

--- a/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/utils_test.go
+++ b/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter/utils_test.go
@@ -542,14 +542,14 @@ func TestGetDocsForControl(t *testing.T) {
 			controlSummary: &reportsummary.ControlSummary{
 				ControlID: "ctrlID1",
 			},
-			expectedDocsLink: "https://kubescape.io/docs/ctrlid1",
+			expectedDocsLink: "https://kubescape.io/docs/controls/ctrlid1",
 		},
 		{
 			name: "control with lowercase ID",
 			controlSummary: &reportsummary.ControlSummary{
 				ControlID: "ctrlid1",
 			},
-			expectedDocsLink: "https://kubescape.io/docs/ctrlid1",
+			expectedDocsLink: "https://kubescape.io/docs/controls/ctrlid1",
 		},
 	}

--- a/core/pkg/resultshandling/printer/v2/prometheus.go
+++ b/core/pkg/resultshandling/printer/v2/prometheus.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"

-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
@@ -59,9 +58,6 @@ func (pp *PrometheusPrinter) generatePrometheusFormat(
 	return m
 }

-func (pp *PrometheusPrinter) PrintImageScan(context.Context, *models.PresenterConfig) {
-}
-
 func (pp *PrometheusPrinter) ActionPrint(ctx context.Context, opaSessionObj *cautils.OPASessionObj, imageScanData []cautils.ImageScanData) {
 	if opaSessionObj == nil {
 		logger.L().Ctx(ctx).Error("failed to print results, missing data")
--- a/core/pkg/resultshandling/printer/v2/sarifprinter.go
+++ b/core/pkg/resultshandling/printer/v2/sarifprinter.go
@@ -12,8 +12,9 @@ import (
 	"strconv"
 	"strings"

-	"github.com/anchore/grype/grype/presenter"
+	"github.com/anchore/clio"
 	"github.com/anchore/grype/grype/presenter/models"
+	grypesarif "github.com/anchore/grype/grype/presenter/sarif"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -115,12 +116,14 @@ func (sp *SARIFPrinter) addResult(scanRun *sarif.Run, ctl reportsummary.IControl
 		})
 }

-func (sp *SARIFPrinter) printImageScan(ctx context.Context, scanResults *models.PresenterConfig) error {
-	if scanResults == nil {
-		return fmt.Errorf("no no image vulnerability data provided")
+func (sp *SARIFPrinter) printImageScan(ctx context.Context, scanResults cautils.ImageScanData) error {
+	model, err := models.NewDocument(clio.Identification{}, scanResults.Packages, scanResults.Context,
+		*scanResults.RemainingMatches, scanResults.IgnoredMatches, scanResults.VulnerabilityProvider, nil, nil, models.DefaultSortStrategy, false)
+	if err != nil {
+		return fmt.Errorf("failed to create document: %w", err)
 	}

-	pres := presenter.GetPresenter(printer.SARIFFormat, "", false, *scanResults)
+	pres := grypesarif.NewPresenter(models.PresenterConfig{Document: model, SBOM: scanResults.SBOM})
 	if err := pres.Present(sp.writer); err != nil {
 		return err
 	}
@@ -164,7 +167,7 @@ func (sp *SARIFPrinter) ActionPrint(ctx context.Context, opaSessionObj *cautils.
 		}

 		// image scan
-		if err := sp.printImageScan(ctx, imageScanData[0].PresenterConfig); err != nil {
+		if err := sp.printImageScan(ctx, imageScanData[0]); err != nil {
 			logger.L().Ctx(ctx).Error("failed to write results in sarif format", helpers.Error(err))
 			return
 		}
--- a/core/pkg/resultshandling/printer/v2/silentprinter.go
+++ b/core/pkg/resultshandling/printer/v2/silentprinter.go
@@ -3,7 +3,6 @@ package printer
 import (
 	"context"

-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"
 )
@@ -18,9 +17,6 @@ func (silentPrinter *SilentPrinter) PrintNextSteps() {

 }

-func (silentPrinter *SilentPrinter) PrintImageScan(context.Context, *models.PresenterConfig) {
-}
-
 func (silentPrinter *SilentPrinter) ActionPrint(ctx context.Context, opaSessionObj *cautils.OPASessionObj, imageScanData []cautils.ImageScanData) {
 }

--- a/core/pkg/resultshandling/printer/v2/utils.go
+++ b/core/pkg/resultshandling/printer/v2/utils.go
@@ -2,7 +2,7 @@ package printer

 import (
 	v5 "github.com/anchore/grype/grype/db/v5"
-	"github.com/anchore/grype/grype/presenter/models"
+	"github.com/anchore/grype/grype/match"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/imageprinter"
@@ -103,39 +103,39 @@ func setSeverityToSummaryMap(cves []imageprinter.CVE, mapSeverityToSummary map[s
 	}
 }

-func setPkgNameToScoreMap(matches []models.Match, pkgScores map[string]*imageprinter.PackageScore) {
-	for i := range matches {
+func setPkgNameToScoreMap(matches match.Matches, pkgScores map[string]*imageprinter.PackageScore) {
+	for _, m := range matches.Sorted() {
 		// key is pkg name + version to avoid version conflicts
-		key := matches[i].Artifact.Name + matches[i].Artifact.Version
+		key := m.Package.Name + m.Package.Version

 		if _, ok := pkgScores[key]; !ok {
 			pkgScores[key] = &imageprinter.PackageScore{
-				Version:                 matches[i].Artifact.Version,
-				Name:                    matches[i].Artifact.Name,
+				Version:                 m.Package.Version,
+				Name:                    m.Package.Name,
 				MapSeverityToCVEsNumber: make(map[string]int, 0),
 			}
 		}

-		if _, ok := pkgScores[key].MapSeverityToCVEsNumber[matches[i].Vulnerability.Severity]; !ok {
-			pkgScores[key].MapSeverityToCVEsNumber[matches[i].Vulnerability.Severity] = 1
+		if _, ok := pkgScores[key].MapSeverityToCVEsNumber[m.Vulnerability.Metadata.Severity]; !ok {
+			pkgScores[key].MapSeverityToCVEsNumber[m.Vulnerability.Metadata.Severity] = 1
 		} else {
-			pkgScores[key].MapSeverityToCVEsNumber[matches[i].Vulnerability.Severity] += 1
+			pkgScores[key].MapSeverityToCVEsNumber[m.Vulnerability.Metadata.Severity] += 1
 		}

-		pkgScores[key].Score += utils.ImageSeverityToInt(matches[i].Vulnerability.Severity)
+		pkgScores[key].Score += utils.ImageSeverityToInt(m.Vulnerability.Metadata.Severity)
 	}
 }

-func extractCVEs(matches []models.Match) []imageprinter.CVE {
-	CVEs := []imageprinter.CVE{}
-	for i := range matches {
+func extractCVEs(matches match.Matches) []imageprinter.CVE {
+	var CVEs []imageprinter.CVE
+	for _, m := range matches.Sorted() {
 		cve := imageprinter.CVE{
-			ID:          matches[i].Vulnerability.ID,
-			Severity:    matches[i].Vulnerability.Severity,
-			Package:     matches[i].Artifact.Name,
-			Version:     matches[i].Artifact.Version,
-			FixVersions: matches[i].Vulnerability.Fix.Versions,
-			FixedState:  matches[i].Vulnerability.Fix.State,
+			ID:          m.Vulnerability.Metadata.ID,
+			Severity:    m.Vulnerability.Metadata.Severity,
+			Package:     m.Package.Name,
+			Version:     m.Package.Version,
+			FixVersions: m.Vulnerability.Fix.Versions,
+			FixedState:  m.Vulnerability.Fix.State.String(),
 		}
 		CVEs = append(CVEs, cve)
 	}
--- a/core/pkg/resultshandling/printer/v2/utils_test.go
+++ b/core/pkg/resultshandling/printer/v2/utils_test.go
@@ -4,7 +4,9 @@ import (
 	"testing"

 	v5 "github.com/anchore/grype/grype/db/v5"
-	"github.com/anchore/grype/grype/presenter/models"
+	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/imageprinter"
 	"github.com/stretchr/testify/assert"
 )
@@ -12,29 +14,30 @@ import (
 func TestExtractCVEs(t *testing.T) {
 	tests := []struct {
 		name    string
-		matches []models.Match
+		matches match.Matches
 		want    []imageprinter.CVE
 	}{
 		{
 			name: "single vuln",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "foo",
 						Version: "1.2.3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							ID:       "CVE-2020-1234",
 							Severity: "High",
 						},
-						Fix: models.Fix{
+						Fix: vulnerability.Fix{
 							Versions: []string{"1.2.3"},
 							State:    "Fixed",
 						},
 					},
 				},
-			},
+			}...),
 			want: []imageprinter.CVE{
 				{
 					ID:          "CVE-2020-1234",
@@ -48,56 +51,59 @@ func TestExtractCVEs(t *testing.T) {
 		},
 		{
 			name: "multiple vulns",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "foo",
 						Version: "1.2.3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							ID:       "CVE-2020-1234",
 							Severity: "High",
 						},
-						Fix: models.Fix{
+						Fix: vulnerability.Fix{
 							Versions: []string{"1.2.3"},
 							State:    "Fixed",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "2",
 						Name:    "test",
 						Version: "1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							ID:       "CVE-2020-1235",
 							Severity: "Critical",
 						},
-						Fix: models.Fix{
+						Fix: vulnerability.Fix{
 							Versions: []string{"1"},
 							State:    "Fixed",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "3",
 						Name:    "test2",
 						Version: "3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							ID:       "CVE-2020-1236",
 							Severity: "Low",
 						},
-						Fix: models.Fix{
+						Fix: vulnerability.Fix{
 							Versions: []string{"2", "3", "4"},
 							State:    "Not fixed",
 						},
 					},
 				},
-			},
+			}...),
 			want: []imageprinter.CVE{
 				{
 					ID:          "CVE-2020-1234",
@@ -127,7 +133,7 @@ func TestExtractCVEs(t *testing.T) {
 		},
 		{
 			name:    "empty vulns",
-			matches: []models.Match{},
+			matches: match.NewMatches([]match.Match{}...),
 			want:    []imageprinter.CVE{},
 		},
 	}
@@ -171,25 +177,26 @@ func TestExtractCVEs(t *testing.T) {
 func TestSetPkgNameToScoreMap(t *testing.T) {
 	tests := []struct {
 		name        string
-		matches     []models.Match
+		matches     match.Matches
 		originalMap map[string]*imageprinter.PackageScore
 		want        map[string]*imageprinter.PackageScore
 	}{
 		{
 			name: "single package",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "foo",
 						Version: "1.2.3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
-			},
+			}...),
 			want: map[string]*imageprinter.PackageScore{
 				"foo1.2.3": {
 					Name:    "foo",
@@ -203,41 +210,44 @@ func TestSetPkgNameToScoreMap(t *testing.T) {
 		},
 		{
 			name: "multiple packages - different versions",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Critical",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "2",
 						Name:    "pkg2",
 						Version: "1.2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Low",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "3",
 						Name:    "pkg3",
 						Version: "1.2.3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
-			},
+			}...),
 			want: map[string]*imageprinter.PackageScore{
 				"pkg1version1": {
 					Name:    "pkg1",
@@ -267,74 +277,80 @@ func TestSetPkgNameToScoreMap(t *testing.T) {
 		},
 		{
 			name: "multiple packages - mixed versions",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "2",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "3",
 						Name:    "pkg1",
 						Version: "version2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Critical",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "4",
 						Name:    "pkg3",
 						Version: "1.2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Medium",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "5",
 						Name:    "pkg3",
 						Version: "1.2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Low",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "6",
 						Name:    "pkg4",
 						Version: "1.2.3",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
-			},
+			}...),
 			want: map[string]*imageprinter.PackageScore{
 				"pkg1version1": {
 					Name:    "pkg1",
@@ -373,46 +389,49 @@ func TestSetPkgNameToScoreMap(t *testing.T) {
 		},
 		{
 			name:    "empty packages",
-			matches: []models.Match{},
+			matches: match.NewMatches(),
 			want:    map[string]*imageprinter.PackageScore{},
 		},
 		{
 			name: "original map not empty",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "pkg1",
 						Version: "version2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Critical",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "2",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "3",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
-			},
+			}...),
 			originalMap: map[string]*imageprinter.PackageScore{
 				"pkg41.2.3": {
 					Name:    "pkg4",
@@ -452,41 +471,44 @@ func TestSetPkgNameToScoreMap(t *testing.T) {
 		},
 		{
 			name: "original map with same package",
-			matches: []models.Match{
+			matches: match.NewMatches([]match.Match{
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "1",
 						Name:    "pkg1",
 						Version: "version2",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "Critical",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "2",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
 				{
-					Artifact: models.Package{
+					Package: pkg.Package{
+						ID:      "3",
 						Name:    "pkg1",
 						Version: "version1",
 					},
-					Vulnerability: models.Vulnerability{
-						VulnerabilityMetadata: models.VulnerabilityMetadata{
+					Vulnerability: vulnerability.Vulnerability{
+						Metadata: &vulnerability.Metadata{
 							Severity: "High",
 						},
 					},
 				},
-			},
+			}...),
 			originalMap: map[string]*imageprinter.PackageScore{
 				"pkg1version1": {
 					Name:    "pkg1",
@@ -518,37 +540,37 @@ func TestSetPkgNameToScoreMap(t *testing.T) {
 		},
 	}

-	for i := range tests {
-		t.Run(tests[i].name, func(t *testing.T) {
-			if tests[i].originalMap == nil {
-				tests[i].originalMap = make(map[string]*imageprinter.PackageScore)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.originalMap == nil {
+				tt.originalMap = make(map[string]*imageprinter.PackageScore)
 			}

-			setPkgNameToScoreMap(tests[i].matches, tests[i].originalMap)
-			if len(tests[i].originalMap) == 0 {
-				assert.Equal(t, tests[i].want, tests[i].originalMap)
+			setPkgNameToScoreMap(tt.matches, tt.originalMap)
+			if len(tt.originalMap) == 0 {
+				assert.Equal(t, tt.want, tt.originalMap)
 				return
 			}

-			if len(tests[i].originalMap) != len(tests[i].want) {
-				t.Errorf("%s failed for length, got = %v, want %v", tests[i].name, len(tests[i].originalMap), len(tests[i].want))
+			if len(tt.originalMap) != len(tt.want) {
+				t.Errorf("%s failed for length, got = %v, want %v", tt.name, len(tt.originalMap), len(tt.want))
 			}

-			for k := range tests[i].originalMap {
-				if tests[i].originalMap[k].Score != tests[i].want[k].Score {
-					t.Errorf("%s failed for score, got = %v, want %v", tests[i].name, tests[i].want[k].Score, tests[i].originalMap[k].Score)
+			for k := range tt.originalMap {
+				if tt.originalMap[k].Score != tt.want[k].Score {
+					t.Errorf("%s failed for score, got = %v, want %v", tt.name, tt.want[k].Score, tt.originalMap[k].Score)
 				}
-				if tests[i].originalMap[k].Version != tests[i].want[k].Version {
-					t.Errorf("%s failed for version, got = %v, want %v", tests[i].name, tests[i].want[k].Version, tests[i].originalMap[k].Version)
+				if tt.originalMap[k].Version != tt.want[k].Version {
+					t.Errorf("%s failed for version, got = %v, want %v", tt.name, tt.want[k].Version, tt.originalMap[k].Version)

 				}
-				if tests[i].originalMap[k].Name != tests[i].want[k].Name {
-					t.Errorf("%s failed for name, got = %v, want %v", tests[i].name, tests[i].want[k].Name, tests[i].originalMap[k].Name)
+				if tt.originalMap[k].Name != tt.want[k].Name {
+					t.Errorf("%s failed for name, got = %v, want %v", tt.name, tt.want[k].Name, tt.originalMap[k].Name)
 				}

-				for s := range tests[i].originalMap[k].MapSeverityToCVEsNumber {
-					if tests[i].originalMap[k].MapSeverityToCVEsNumber[s] != tests[i].want[k].MapSeverityToCVEsNumber[s] {
-						t.Errorf("%s failed for severity %s, got = %v, want %v", tests[i].name, s, tests[i].want[k].MapSeverityToCVEsNumber[s], tests[i].originalMap[k].MapSeverityToCVEsNumber[s])
+				for s := range tt.originalMap[k].MapSeverityToCVEsNumber {
+					if tt.originalMap[k].MapSeverityToCVEsNumber[s] != tt.want[k].MapSeverityToCVEsNumber[s] {
+						t.Errorf("%s failed for severity %s, got = %v, want %v", tt.name, s, tt.want[k].MapSeverityToCVEsNumber[s], tt.originalMap[k].MapSeverityToCVEsNumber[s])
 					}
 				}
 			}
--- a/go.mod
+++ b/go.mod
@@ -1,38 +1,38 @@
 module github.com/kubescape/kubescape/v3

-go 1.24.0
+go 1.24.1

 toolchain go1.24.6

 require (
 	github.com/adrg/xdg v0.5.3
-	github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837
-	github.com/anchore/grype v0.81.0
-	github.com/anchore/stereoscope v0.0.11
-	github.com/anchore/syft v1.18.1
+	github.com/anchore/clio v0.0.0-20250715152405-a0fa658e5084
+	github.com/anchore/grype v0.99.1
+	github.com/anchore/stereoscope v0.1.9
+	github.com/anchore/syft v1.32.0
 	github.com/anubhav06/copa-grype v1.0.3-alpha.1
 	github.com/armosec/armoapi-go v0.0.562
 	github.com/armosec/utils-go v0.0.58
 	github.com/armosec/utils-k8s-go v0.0.30
-	github.com/briandowns/spinner v1.23.1
+	github.com/briandowns/spinner v1.23.2
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/containerd/platforms v1.0.0-rc.1
 	github.com/distribution/reference v0.6.0
 	github.com/docker/buildx v0.21.3
-	github.com/docker/cli v28.0.4+incompatible
+	github.com/docker/cli v28.3.3+incompatible
 	github.com/enescakir/emoji v1.0.0
 	github.com/francoispqt/gojay v1.2.13
-	github.com/go-git/go-git/v5 v5.13.2
-	github.com/google/go-containerregistry v0.20.3
+	github.com/go-git/go-git/v5 v5.16.2
+	github.com/google/go-containerregistry v0.20.6
 	github.com/google/uuid v1.6.0
-	github.com/jedib0t/go-pretty/v6 v6.6.4
+	github.com/jedib0t/go-pretty/v6 v6.6.8
 	github.com/johnfercher/go-tree v1.1.0
 	github.com/johnfercher/maroto/v2 v2.2.2
 	github.com/json-iterator/go v1.1.12
 	github.com/jwalton/gchalk v1.3.0
 	github.com/kubescape/backend v0.0.20
 	github.com/kubescape/go-git-url v0.0.30
-	github.com/kubescape/go-logger v0.0.23
+	github.com/kubescape/go-logger v0.0.25
 	github.com/kubescape/k8s-interface v0.0.195
 	github.com/kubescape/opa-utils v0.0.288
 	github.com/kubescape/rbac-utils v0.0.21-0.20230806101615-07e36f555520
@@ -50,15 +50,15 @@ require (
 	github.com/project-copacetic/copacetic v0.10.0
 	github.com/quay/claircore v1.5.35
 	github.com/schollz/progressbar/v3 v3.13.0
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
+	github.com/sergi/go-diff v1.4.0
 	github.com/sigstore/cosign/v2 v2.2.4
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
 	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
-	go.opentelemetry.io/otel v1.35.0
-	go.opentelemetry.io/otel/metric v1.35.0
-	golang.org/x/mod v0.25.0
-	golang.org/x/term v0.33.0
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/otel v1.37.0
+	go.opentelemetry.io/otel/metric v1.37.0
+	golang.org/x/mod v0.27.0
+	golang.org/x/term v0.34.0
 	gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.18.5
@@ -72,19 +72,19 @@ require (
 )

 require (
-	cel.dev/expr v0.19.1 // indirect
-	cloud.google.com/go v0.118.3 // indirect
-	cloud.google.com/go/auth v0.15.0 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	cloud.google.com/go v0.121.3 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	cloud.google.com/go/container v1.42.2 // indirect
-	cloud.google.com/go/iam v1.4.1 // indirect
-	cloud.google.com/go/monitoring v1.24.0 // indirect
-	cloud.google.com/go/storage v1.50.0 // indirect
-	dario.cat/mergo v1.0.1 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/container v1.43.0 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/storage v1.55.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
-	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 // indirect
@@ -104,22 +104,27 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
-	github.com/DataDog/zstd v1.5.5 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
+	github.com/DataDog/zstd v1.5.7 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
+	github.com/Intevation/gval v1.3.0 // indirect
+	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.9 // indirect
-	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/Microsoft/hcsshim v0.13.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/a8m/envsubst v1.3.0 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/alecthomas/participle/v2 v2.1.0 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
@@ -134,65 +139,78 @@ require (
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 	github.com/aliyun/credentials-go v1.3.1 // indirect
 	github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51 // indirect
-	github.com/anchore/fangs v0.0.0-20241014201141-b6e4b3469f10 // indirect
-	github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 // indirect
-	github.com/anchore/go-logger v0.0.0-20241205183533-4fc29b5832e7 // indirect
-	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
-	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/anchore/fangs v0.0.0-20250716230140-94c22408c232 // indirect
+	github.com/anchore/go-collections v0.0.0-20241211140901-567f400e9a46 // indirect
+	github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d // indirect
+	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 // indirect
+	github.com/anchore/go-lzo v0.1.0 // indirect
+	github.com/anchore/go-macholibre v0.0.0-20250320151634-807da7ad2331 // indirect
+	github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect
+	github.com/anchore/go-sync v0.0.0-20250714163430-add63db73ad1 // indirect
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
-	github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f // indirect
-	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
+	github.com/aquasecurity/go-pep440-version v0.0.1 // indirect
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/armosec/gojay v1.2.17 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.6 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.63 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go v1.55.7 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.17 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.70 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.34.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/eks v1.48.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.35.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/aws/smithy-go v1.22.2 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/smithy-go v1.22.4 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/bitnami/go-version v0.0.0-20250505154626-452e8c5ee607 // indirect
+	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.1 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/buildkite/agent/v3 v3.62.0 // indirect
 	github.com/buildkite/go-pipeline v0.3.2 // indirect
 	github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/charmbracelet/lipgloss v1.0.0 // indirect
-	github.com/charmbracelet/x/ansi v0.4.5 // indirect
+	github.com/charmbracelet/colorprofile v0.3.1 // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.9.3 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/cilium/cilium v1.16.9 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
+	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
-	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/containerd v1.7.28 // indirect
+	github.com/containerd/containerd/api v1.9.0 // indirect
 	github.com/containerd/containerd/v2 v2.0.5 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -209,21 +227,19 @@ require (
 	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
+	github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v28.0.4+incompatible // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/elliotchance/orderedmap v1.5.0 // indirect
 	github.com/elliotchance/phpserialize v1.4.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
@@ -235,14 +251,14 @@ require (
 	github.com/f-amaral/go-async v0.3.0 // indirect
 	github.com/facebookincubator/nvdtools v0.1.5 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/felixge/fgprof v0.9.3 // indirect
+	github.com/felixge/fgprof v0.9.5 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
-	github.com/github/go-spdx/v2 v2.3.2 // indirect
-	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
+	github.com/github/go-spdx/v2 v2.3.3 // indirect
+	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
@@ -252,7 +268,7 @@ require (
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.1 // indirect
@@ -266,17 +282,19 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-piv/piv-go v1.11.0 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
-	github.com/go-test/deep v1.1.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/goccy/go-yaml v1.11.0 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/gocsaf/csaf/v3 v3.3.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gohugoio/hashstructure v0.5.0 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/certificate-transparency-go v1.3.1 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
@@ -284,16 +302,16 @@ require (
 	github.com/google/go-github/v55 v55.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/licensecheck v0.3.1 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
+	github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
-	github.com/gookit/color v1.5.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gookit/color v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -302,7 +320,8 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/hhrutter/lzw v1.0.0 // indirect
 	github.com/hhrutter/tiff v1.0.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
@@ -325,21 +344,21 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect
 	github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 // indirect
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
-	github.com/knqyf263/go-rpmdb v0.1.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mackerelio/go-osstat v0.2.5 // indirect
-	github.com/magiconair/properties v1.8.9 // indirect
+	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
-	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 // indirect
+	github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/mholt/archiver/v3 v3.5.1 // indirect
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
+	github.com/mholt/archives v0.1.5 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -351,6 +370,7 @@ require (
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
@@ -362,15 +382,19 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
-	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/nix-community/go-nix v0.0.0-20250101154619-4bdde671e0a1 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
+	github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/oleiade/reflections v1.0.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.6-0.20230417144759-edd1a71a5576 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.0.9 // indirect
+	github.com/olekukonko/tablewriter v1.0.9 // indirect
 	github.com/olvrng/ujson v1.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
@@ -380,18 +404,20 @@ require (
 	github.com/openvex/go-vex v0.2.5 // indirect
 	github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554 // indirect
 	github.com/package-url/packageurl-go v0.1.3 // indirect
+	github.com/pandatix/go-cvss v0.6.2 // indirect
 	github.com/pborman/indent v1.2.1 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/pdfcpu/pdfcpu v0.9.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.4.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
@@ -405,16 +431,14 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/zerolog v1.30.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/saferwall/pe v1.5.6 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5 // indirect
 	github.com/sassoftware/go-rpmutils v0.4.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
-	github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
 	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
@@ -423,21 +447,23 @@ require (
 	github.com/sigstore/fulcio v1.6.6 // indirect
 	github.com/sigstore/protobuf-specs v0.4.1 // indirect
 	github.com/sigstore/rekor v1.3.10 // indirect
-	github.com/sigstore/sigstore v1.9.3 // indirect
+	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/sorairolake/lzip-go v0.3.8 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.9.2 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.4.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/stripe/stripe-go/v74 v74.30.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/sylabs/sif/v2 v2.21.1 // indirect
-	github.com/sylabs/squashfs v1.0.4 // indirect
+	github.com/sylabs/sif/v2 v2.22.0 // indirect
+	github.com/sylabs/squashfs v1.0.6 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
@@ -451,17 +477,16 @@ require (
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
-	github.com/ulikunitz/xz v0.5.14 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 // indirect
-	github.com/uptrace/uptrace-go v1.30.1 // indirect
+	github.com/uptrace/uptrace-go v1.37.0 // indirect
 	github.com/vbatts/go-mtree v0.5.4 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/vifraa/gopom v1.0.0 // indirect
 	github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
-	github.com/wagoodman/go-presenter v0.0.0-20211015174752-f9c01afc824b // indirect
 	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/go-gitlab v0.102.0 // indirect
@@ -474,60 +499,62 @@ require (
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
-	github.com/zclconf/go-cty v1.16.2 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/zclconf/go-cty v1.16.3 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.etcd.io/bbolt v1.4.2 // indirect
 	go.mongodb.org/mongo-driver v1.17.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.37.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.55.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.62.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.13.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 // indirect
-	go.opentelemetry.io/otel/log v0.8.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/log v0.13.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.13.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.step.sm/crypto v0.60.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	go.yaml.in/yaml/v3 v3.0.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.40.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
 	golang.org/x/image v0.24.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
-	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gonum.org/v1/gonum v0.12.0 // indirect
-	google.golang.org/api v0.228.0 // indirect
-	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
-	google.golang.org/grpc v1.71.1 // indirect
+	google.golang.org/api v0.242.0 // indirect
+	google.golang.org/genproto v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/grpc v1.74.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gorm.io/gorm v1.25.12 // indirect
+	gorm.io/gorm v1.30.2 // indirect
 	k8s.io/apiextensions-apiserver v0.33.3 // indirect
 	k8s.io/apiserver v0.33.3 // indirect
 	k8s.io/cli-runtime v0.33.3 // indirect
@@ -535,10 +562,10 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/kubectl v0.33.3 // indirect
-	modernc.org/libc v1.61.13 // indirect
+	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.8.2 // indirect
-	modernc.org/sqlite v1.36.2 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.38.2 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/controller-runtime v0.18.4 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
@@ -547,10 +574,6 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )

-replace github.com/anchore/stereoscope => github.com/matthyx/stereoscope v0.0.0-20250211130420-468901f0e973
+replace github.com/anchore/stereoscope => github.com/matthyx/stereoscope v0.0.0-20250916161743-dd57158479de

-replace github.com/google/go-containerregistry => github.com/matthyx/go-containerregistry v0.0.0-20240227132928-63ceb71ae0b9
-
-replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2
-
-replace github.com/spf13/viper => github.com/spf13/viper v1.19.0
+replace github.com/google/go-containerregistry => github.com/matthyx/go-containerregistry v0.0.0-20250916162850-293c5b36a9f8
--- a/go.sum
+++ b/go.sum
--- a/httphandler/go.mod
+++ b/httphandler/go.mod
@@ -1,6 +1,6 @@
 module github.com/kubescape/kubescape/v3/httphandler

-go 1.24.0
+go 1.24.1

 toolchain go1.24.6

@@ -15,47 +15,47 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/schema v1.4.1
 	github.com/kubescape/backend v0.0.20
-	github.com/kubescape/go-logger v0.0.23
+	github.com/kubescape/go-logger v0.0.25
 	github.com/kubescape/k8s-interface v0.0.195
 	github.com/kubescape/kubescape/v3 v3.0.4
 	github.com/kubescape/opa-utils v0.0.288
 	github.com/kubescape/storage v0.0.184
 	github.com/spf13/viper v1.20.1
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.45.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.37.0
 	k8s.io/apimachinery v0.33.3
 	k8s.io/client-go v0.33.3
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 )

 require (
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/trace v1.37.0
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.71.1 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	google.golang.org/genproto v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/grpc v1.74.0 // indirect
 )

 require (
-	cel.dev/expr v0.19.1 // indirect
-	cloud.google.com/go v0.118.3 // indirect
-	cloud.google.com/go/auth v0.15.0 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	cloud.google.com/go v0.121.3 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	cloud.google.com/go/container v1.42.2 // indirect
-	cloud.google.com/go/iam v1.4.1 // indirect
-	cloud.google.com/go/monitoring v1.24.0 // indirect
-	cloud.google.com/go/storage v1.50.0 // indirect
-	dario.cat/mergo v1.0.1 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/container v1.43.0 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/storage v1.55.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
-	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 // indirect
@@ -75,23 +75,28 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
-	github.com/DataDog/zstd v1.5.5 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
+	github.com/DataDog/zstd v1.5.7 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
+	github.com/Intevation/gval v1.3.0 // indirect
+	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.9 // indirect
-	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/Microsoft/hcsshim v0.13.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/a8m/envsubst v1.3.0 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/adrg/xdg v0.5.3 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/alecthomas/participle/v2 v2.1.0 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
@@ -106,72 +111,85 @@ require (
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 	github.com/aliyun/credentials-go v1.3.1 // indirect
 	github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51 // indirect
-	github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837 // indirect
-	github.com/anchore/fangs v0.0.0-20241014201141-b6e4b3469f10 // indirect
-	github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 // indirect
-	github.com/anchore/go-logger v0.0.0-20241205183533-4fc29b5832e7 // indirect
-	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
-	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/anchore/clio v0.0.0-20250715152405-a0fa658e5084 // indirect
+	github.com/anchore/fangs v0.0.0-20250716230140-94c22408c232 // indirect
+	github.com/anchore/go-collections v0.0.0-20241211140901-567f400e9a46 // indirect
+	github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d // indirect
+	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 // indirect
+	github.com/anchore/go-lzo v0.1.0 // indirect
+	github.com/anchore/go-macholibre v0.0.0-20250320151634-807da7ad2331 // indirect
+	github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect
+	github.com/anchore/go-sync v0.0.0-20250714163430-add63db73ad1 // indirect
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
-	github.com/anchore/grype v0.81.0 // indirect
-	github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f // indirect
-	github.com/anchore/stereoscope v0.0.11 // indirect
-	github.com/anchore/syft v1.18.1 // indirect
-	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/anchore/grype v0.99.1 // indirect
+	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
+	github.com/anchore/stereoscope v0.1.9 // indirect
+	github.com/anchore/syft v1.32.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/anubhav06/copa-grype v1.0.3-alpha.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
+	github.com/aquasecurity/go-pep440-version v0.0.1 // indirect
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/armosec/gojay v1.2.17 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.6 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.63 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go v1.55.7 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.17 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.70 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.34.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/eks v1.48.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.35.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/aws/smithy-go v1.22.2 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/smithy-go v1.22.4 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/bitnami/go-version v0.0.0-20250505154626-452e8c5ee607 // indirect
+	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.1 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
-	github.com/briandowns/spinner v1.23.1 // indirect
+	github.com/briandowns/spinner v1.23.2 // indirect
 	github.com/buildkite/agent/v3 v3.62.0 // indirect
 	github.com/buildkite/go-pipeline v0.3.2 // indirect
 	github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/chainguard-dev/git-urls v1.0.2 // indirect
-	github.com/charmbracelet/lipgloss v1.0.0 // indirect
-	github.com/charmbracelet/x/ansi v0.4.5 // indirect
+	github.com/charmbracelet/colorprofile v0.3.1 // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.9.3 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/cilium/cilium v1.16.9 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
+	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
-	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/containerd v1.7.28 // indirect
+	github.com/containerd/containerd/api v1.9.0 // indirect
 	github.com/containerd/containerd/v2 v2.0.5 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -189,23 +207,22 @@ require (
 	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
+	github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/buildx v0.21.3 // indirect
-	github.com/docker/cli v28.0.4+incompatible // indirect
+	github.com/docker/cli v28.3.3+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v28.0.4+incompatible // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/elliotchance/orderedmap v1.5.0 // indirect
 	github.com/elliotchance/phpserialize v1.4.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
@@ -218,26 +235,26 @@ require (
 	github.com/f-amaral/go-async v0.3.0 // indirect
 	github.com/facebookincubator/nvdtools v0.1.5 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/felixge/fgprof v0.9.3 // indirect
+	github.com/felixge/fgprof v0.9.5 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
-	github.com/github/go-spdx/v2 v2.3.2 // indirect
-	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
+	github.com/github/go-spdx/v2 v2.3.3 // indirect
+	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.13.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.2 // indirect
 	github.com/go-gota/gota v0.12.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.1 // indirect
@@ -250,34 +267,36 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-piv/piv-go v1.11.0 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
-	github.com/go-test/deep v1.1.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/goccy/go-yaml v1.11.0 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/gocsaf/csaf/v3 v3.3.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gohugoio/hashstructure v0.5.0 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/certificate-transparency-go v1.3.1 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-containerregistry v0.20.3 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
 	github.com/google/go-github/v55 v55.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/licensecheck v0.3.1 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
+	github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
-	github.com/gookit/color v1.5.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gookit/color v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -286,7 +305,8 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/hhrutter/lzw v1.0.0 // indirect
 	github.com/hhrutter/tiff v1.0.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
@@ -294,7 +314,7 @@ require (
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jedib0t/go-pretty/v6 v6.6.4 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.6.8 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
@@ -314,7 +334,6 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect
 	github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 // indirect
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
-	github.com/knqyf263/go-rpmdb v0.1.1 // indirect
 	github.com/kubescape/go-git-url v0.0.30 // indirect
 	github.com/kubescape/rbac-utils v0.0.21-0.20230806101615-07e36f555520 // indirect
 	github.com/kubescape/regolibrary/v2 v2.0.1 // indirect
@@ -323,19 +342,20 @@ require (
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mackerelio/go-osstat v0.2.5 // indirect
-	github.com/magiconair/properties v1.8.9 // indirect
+	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/maruel/natural v1.1.1 // indirect
-	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 // indirect
+	github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a // indirect
 	github.com/matthyx/go-gitlog v0.0.0-20231005131906-9ffabe3c5bcd // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/mholt/archiver/v3 v3.5.1 // indirect
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
+	github.com/mholt/archives v0.1.5 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mikefarah/yq/v4 v4.29.1 // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -348,6 +368,7 @@ require (
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
@@ -359,15 +380,19 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
-	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/nix-community/go-nix v0.0.0-20250101154619-4bdde671e0a1 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
+	github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/oleiade/reflections v1.0.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.6-0.20230417144759-edd1a71a5576 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.0.9 // indirect
+	github.com/olekukonko/tablewriter v1.0.9 // indirect
 	github.com/olvrng/ujson v1.1.0 // indirect
 	github.com/open-policy-agent/opa v1.4.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -379,18 +404,20 @@ require (
 	github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554 // indirect
 	github.com/owenrumney/go-sarif/v2 v2.3.0 // indirect
 	github.com/package-url/packageurl-go v0.1.3 // indirect
+	github.com/pandatix/go-cvss v0.6.2 // indirect
 	github.com/pborman/indent v1.2.1 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/pdfcpu/pdfcpu v0.9.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.4.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/project-copacetic/copacetic v0.10.0 // indirect
@@ -406,9 +433,8 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/zerolog v1.30.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/saferwall/pe v1.5.6 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5 // indirect
@@ -416,33 +442,34 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/schollz/progressbar/v3 v3.13.0 // indirect
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
-	github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
 	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sigstore/cosign/v2 v2.2.4 // indirect
 	github.com/sigstore/fulcio v1.6.6 // indirect
 	github.com/sigstore/protobuf-specs v0.4.1 // indirect
 	github.com/sigstore/rekor v1.3.10 // indirect
-	github.com/sigstore/sigstore v1.9.3 // indirect
+	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/sorairolake/lzip-go v0.3.8 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.9.2 // indirect
 	github.com/spf13/cobra v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.4.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/stripe/stripe-go/v74 v74.30.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/sylabs/sif/v2 v2.21.1 // indirect
-	github.com/sylabs/squashfs v1.0.4 // indirect
+	github.com/sylabs/sif/v2 v2.22.0 // indirect
+	github.com/sylabs/squashfs v1.0.6 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
@@ -456,17 +483,16 @@ require (
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
-	github.com/ulikunitz/xz v0.5.14 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 // indirect
-	github.com/uptrace/uptrace-go v1.30.1 // indirect
+	github.com/uptrace/uptrace-go v1.37.0 // indirect
 	github.com/vbatts/go-mtree v0.5.4 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/vifraa/gopom v1.0.0 // indirect
 	github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
-	github.com/wagoodman/go-presenter v0.0.0-20211015174752-f9c01afc824b // indirect
 	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/go-gitlab v0.102.0 // indirect
@@ -478,46 +504,48 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
-	github.com/zclconf/go-cty v1.16.2 // indirect
-	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/zclconf/go-cty v1.16.3 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.etcd.io/bbolt v1.4.2 // indirect
 	go.mongodb.org/mongo-driver v1.17.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.37.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.55.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.62.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.13.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 // indirect
-	go.opentelemetry.io/otel/log v0.8.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/log v0.13.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.13.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.step.sm/crypto v0.60.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	go.yaml.in/yaml/v3 v3.0.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/image v0.24.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/term v0.33.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
-	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gonum.org/v1/gonum v0.12.0 // indirect
-	google.golang.org/api v0.228.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/api v0.242.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -526,7 +554,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gorm.io/gorm v1.25.12 // indirect
+	gorm.io/gorm v1.30.2 // indirect
 	helm.sh/helm/v3 v3.18.5 // indirect
 	k8s.io/api v0.33.3 // indirect
 	k8s.io/apiextensions-apiserver v0.33.3 // indirect
@@ -536,10 +564,10 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/kubectl v0.33.3 // indirect
-	modernc.org/libc v1.61.13 // indirect
+	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.8.2 // indirect
-	modernc.org/sqlite v1.36.2 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.38.2 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/controller-runtime v0.18.4 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
@@ -554,7 +582,3 @@ require (
 replace github.com/docker/distribution v2.8.3+incompatible => github.com/docker/distribution v2.8.2+incompatible

 replace github.com/docker/docker v27.1.1+incompatible => github.com/docker/docker v26.1.5+incompatible
-
-replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2
-
-replace github.com/spf13/viper => github.com/spf13/viper v1.19.0
--- a/httphandler/go.sum
+++ b/httphandler/go.sum
--- a/install.sh
+++ b/install.sh
@@ -96,5 +96,6 @@ if ! kubectl get nodes &> /dev/null; then
 fi

 echo -e "\033[0;37;40m"
-echo -e "\033[0;37;32mExecuting Kubescape."
-$KUBESCAPE_EXEC scan
+echo -e "\033[0;37;32mFinished Installation.\n"
+$KUBESCAPE_EXEC version
+echo -e "\033[0;37;35m\nUsage: $ kubescape scan"
--- a/pkg/imagescan/imagescan.go
+++ b/pkg/imagescan/imagescan.go
@@ -9,7 +9,8 @@ import (

 	"github.com/adrg/xdg"
 	"github.com/anchore/grype/grype"
-	"github.com/anchore/grype/grype/db"
+	"github.com/anchore/grype/grype/db/v6/distribution"
+	"github.com/anchore/grype/grype/db/v6/installation"
 	"github.com/anchore/grype/grype/grypeerr"
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/matcher"
@@ -21,15 +22,14 @@ import (
 	"github.com/anchore/grype/grype/matcher/ruby"
 	"github.com/anchore/grype/grype/matcher/stock"
 	"github.com/anchore/grype/grype/pkg"
-	"github.com/anchore/grype/grype/presenter/models"
-	"github.com/anchore/grype/grype/store"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/stereoscope/pkg/image"
 	"github.com/anchore/syft/syft"
+	"github.com/kubescape/kubescape/v3/core/cautils"
 )

 const (
-	defaultGrypeListingURL = "https://toolbox-data.anchore.io/grype/databases/listing.json"
+	defaultGrypeListingURL = "https://grype.anchore.io/databases"
 	defaultDBDirName       = "grypedb"
 )

@@ -42,57 +42,66 @@ func (c RegistryCredentials) IsEmpty() bool {
 	return c.Username == "" || c.Password == ""
 }

-// ExceedsSeverityThreshold returns true if vulnerabilities in the scan results exceed the severity threshold, false otherwise.
-//
-// Values equal to the threshold are considered failing, too.
-func ExceedsSeverityThreshold(scanResults *models.PresenterConfig, severity vulnerability.Severity) bool {
-	if scanResults.MetadataProvider == nil {
-		return false
-	}
-
-	return grype.HasSeverityAtOrAbove(scanResults.MetadataProvider, severity, scanResults.Matches)
-}
-
-func NewDefaultDBConfig() (db.Config, bool) {
+func NewDefaultDBConfig() (distribution.Config, installation.Config, bool) {
 	dir := filepath.Join(xdg.CacheHome, defaultDBDirName)
 	url := defaultGrypeListingURL
 	shouldUpdate := true

-	return db.Config{
-		DBRootDir:  dir,
-		ListingURL: url,
-	}, shouldUpdate
+	return distribution.Config{
+			LatestURL: url,
+		}, installation.Config{
+			DBRootDir: dir,
+		}, shouldUpdate
 }

-func getMatchers(useDefaultMatchers bool) []matcher.Matcher {
+func getMatchers(useDefaultMatchers bool) []match.Matcher {
 	if useDefaultMatchers {
-		return matcher.NewDefaultMatchers(
-			matcher.Config{
-				Java: java.MatcherConfig{
-					ExternalSearchConfig: java.ExternalSearchConfig{MavenBaseURL: "https://search.maven.org/solrsearch/select"},
-					UseCPEs:              true,
-				},
-				Ruby:       ruby.MatcherConfig{UseCPEs: true},
-				Python:     python.MatcherConfig{UseCPEs: true},
-				Dotnet:     dotnet.MatcherConfig{UseCPEs: true},
-				Javascript: javascript.MatcherConfig{UseCPEs: true},
-				Golang:     golang.MatcherConfig{UseCPEs: true},
-				Stock:      stock.MatcherConfig{UseCPEs: true},
-			},
-		)
+		return matcher.NewDefaultMatchers(defaultMatcherConfig())
 	}
-	return nil
+	return matcher.NewDefaultMatchers(
+		matcher.Config{
+			Java: java.MatcherConfig{
+				ExternalSearchConfig: java.ExternalSearchConfig{MavenBaseURL: "https://search.maven.org/solrsearch/select"},
+				UseCPEs:              true,
+			},
+			Ruby:       ruby.MatcherConfig{UseCPEs: true},
+			Python:     python.MatcherConfig{UseCPEs: true},
+			Dotnet:     dotnet.MatcherConfig{UseCPEs: true},
+			Javascript: javascript.MatcherConfig{UseCPEs: true},
+			Golang:     golang.MatcherConfig{UseCPEs: true},
+			Stock:      stock.MatcherConfig{UseCPEs: true},
+		},
+	)
 }

-func validateDBLoad(loadErr error, status *db.Status) error {
+func defaultMatcherConfig() matcher.Config {
+	return matcher.Config{
+		Java: java.MatcherConfig{
+			ExternalSearchConfig: java.ExternalSearchConfig{MavenBaseURL: "https://search.maven.org/solrsearch/select"},
+			UseCPEs:              false,
+		},
+		Ruby:       ruby.MatcherConfig{UseCPEs: false},
+		Python:     python.MatcherConfig{UseCPEs: false},
+		Dotnet:     dotnet.MatcherConfig{UseCPEs: false},
+		Javascript: javascript.MatcherConfig{UseCPEs: false},
+		Golang: golang.MatcherConfig{
+			UseCPEs:                                false,
+			AlwaysUseCPEForStdlib:                  true,
+			AllowMainModulePseudoVersionComparison: false,
+		},
+		Stock: stock.MatcherConfig{UseCPEs: true},
+	}
+}
+
+func validateDBLoad(loadErr error, status *vulnerability.ProviderStatus) error {
 	if loadErr != nil {
 		return fmt.Errorf("failed to load vulnerability db: %w", loadErr)
 	}
 	if status == nil {
 		return fmt.Errorf("unable to determine the status of the vulnerability db")
 	}
-	if status.Err != nil {
-		return fmt.Errorf("db could not be loaded: %w", status.Err)
+	if status.Error != nil {
+		return fmt.Errorf("db could not be loaded: %w", status.Error)
 	}
 	return nil
 }
@@ -118,14 +127,11 @@ func getProviderConfig(creds RegistryCredentials) pkg.ProviderConfig {
 //
 // It performs image scanning and everything needed in between.
 type Service struct {
-	dbCfg              db.Config
-	dbCloser           *db.Closer
-	dbStatus           *db.Status
-	dbStore            *store.Store
 	useDefaultMatchers bool
+	vp                 vulnerability.Provider
 }

-func getIgnoredMatches(vulnerabilityExceptions []string, store *store.Store, packages []pkg.Package, pkgContext pkg.Context, useDefaultMatchers bool) (*match.Matches, []match.IgnoredMatch, error) {
+func getIgnoredMatches(vulnerabilityExceptions []string, vp vulnerability.Provider, packages []pkg.Package, pkgContext pkg.Context, useDefaultMatchers bool) (*match.Matches, []match.IgnoredMatch, error) {
 	if vulnerabilityExceptions == nil {
 		vulnerabilityExceptions = []string{}
 	}
@@ -138,13 +144,13 @@ func getIgnoredMatches(vulnerabilityExceptions []string, store *store.Store, pac
 		ignoreRules = append(ignoreRules, rule)
 	}

-	matcher := grype.VulnerabilityMatcher{
-		Store:       *store,
-		Matchers:    getMatchers(useDefaultMatchers),
-		IgnoreRules: ignoreRules,
+	vulnMatcher := grype.VulnerabilityMatcher{
+		VulnerabilityProvider: vp,
+		Matchers:              getMatchers(useDefaultMatchers),
+		IgnoreRules:           ignoreRules,
 	}

-	remainingMatches, ignoredMatches, err := matcher.FindMatches(packages, pkgContext)
+	remainingMatches, ignoredMatches, err := vulnMatcher.FindMatches(packages, pkgContext)
 	if err != nil {
 		if !errors.Is(err, grypeerr.ErrAboveSeverityThreshold) {
 			return nil, nil, err
@@ -154,8 +160,8 @@ func getIgnoredMatches(vulnerabilityExceptions []string, store *store.Store, pac
 	return remainingMatches, ignoredMatches, nil
 }

-// Filter the remaing matches based on severity exceptions.
-func filterMatchesBasedOnSeverity(severityExceptions []string, remainingMatches match.Matches, store *store.Store) match.Matches {
+// Filter the remaining matches based on severity exceptions.
+func filterMatchesBasedOnSeverity(severityExceptions []string, remainingMatches match.Matches, vp vulnerability.Provider) match.Matches {
 	if severityExceptions == nil {
 		return remainingMatches
 	}
@@ -163,7 +169,7 @@ func filterMatchesBasedOnSeverity(severityExceptions []string, remainingMatches
 	filteredMatches := match.NewMatches()

 	for m := range remainingMatches.Enumerate() {
-		metadata, err := store.GetMetadata(m.Vulnerability.ID, m.Vulnerability.Namespace)
+		metadata, err := vp.VulnerabilityMetadata(m.Vulnerability.Reference)
 		if err != nil {
 			continue
 		}
@@ -185,54 +191,71 @@ func filterMatchesBasedOnSeverity(severityExceptions []string, remainingMatches
 	return filteredMatches
 }

-func (s *Service) Scan(_ context.Context, userInput string, creds RegistryCredentials, vulnerabilityExceptions, severityExceptions []string) (*models.PresenterConfig, error) {
+func (s *Service) Scan(_ context.Context, userInput string, creds RegistryCredentials, vulnerabilityExceptions, severityExceptions []string) (*cautils.ImageScanData, error) {
 	packages, pkgContext, sbom, err := pkg.Provide(userInput, getProviderConfig(creds))
 	if err != nil {
 		return nil, err
 	}

-	remainingMatches, ignoredMatches, err := getIgnoredMatches(vulnerabilityExceptions, s.dbStore, packages, pkgContext, s.useDefaultMatchers)
+	remainingMatches, ignoredMatches, err := getIgnoredMatches(vulnerabilityExceptions, s.vp, packages, pkgContext, s.useDefaultMatchers)
 	if err != nil {
 		return nil, err
 	}

-	filteredMatches := filterMatchesBasedOnSeverity(severityExceptions, *remainingMatches, s.dbStore)
+	filteredMatches := filterMatchesBasedOnSeverity(severityExceptions, *remainingMatches, s.vp)

-	pb := models.PresenterConfig{
-		Matches:          filteredMatches,
-		IgnoredMatches:   ignoredMatches,
-		Packages:         packages,
-		Context:          pkgContext,
-		MetadataProvider: s.dbStore,
-		SBOM:             sbom,
-		AppConfig:        nil,
-		DBStatus:         s.dbStatus,
+	pb := cautils.ImageScanData{
+		Context:               pkgContext,
+		IgnoredMatches:        ignoredMatches,
+		Image:                 userInput,
+		Matches:               filteredMatches,
+		Packages:              packages,
+		RemainingMatches:      remainingMatches,
+		SBOM:                  sbom,
+		VulnerabilityProvider: s.vp,
 	}
 	return &pb, nil
 }

+// ExceedsSeverityThreshold returns true if vulnerabilities in the scan results exceed the severity threshold, false otherwise.
+//
+// Values equal to the threshold are considered failing, too.
+func (s *Service) ExceedsSeverityThreshold(severity vulnerability.Severity, matches match.Matches) bool {
+	if severity == vulnerability.UnknownSeverity {
+		return false
+	}
+	for m := range matches.Enumerate() {
+		metadata, err := s.vp.VulnerabilityMetadata(m.Vulnerability.Reference)
+		if err != nil {
+			continue
+		}
+
+		if vulnerability.ParseSeverity(metadata.Severity) >= severity {
+			return true
+		}
+	}
+	return false
+}
+
 func (s *Service) Close() {
-	s.dbCloser.Close()
+	_ = s.vp.Close()
 }

-func NewVulnerabilityDB(cfg db.Config, update bool) (*store.Store, *db.Status, *db.Closer, error) {
-	return grype.LoadVulnerabilityDB(cfg, update)
+func NewVulnerabilityDB(distCfg distribution.Config, installCfg installation.Config, update bool) (vulnerability.Provider, *vulnerability.ProviderStatus, error) {
+	return grype.LoadVulnerabilityDB(distCfg, installCfg, update)
 }

-func NewScanService(dbCfg db.Config) (*Service, error) {
-	return NewScanServiceWithMatchers(dbCfg, true)
+func NewScanService(distCfg distribution.Config, installCfg installation.Config) (*Service, error) {
+	return NewScanServiceWithMatchers(distCfg, installCfg, true)
 }

-func NewScanServiceWithMatchers(dbCfg db.Config, useDefaultMatchers bool) (*Service, error) {
-	dbStore, dbStatus, dbCloser, err := NewVulnerabilityDB(dbCfg, true)
-	if err = validateDBLoad(err, dbStatus); err != nil {
+func NewScanServiceWithMatchers(distCfg distribution.Config, installCfg installation.Config, useDefaultMatchers bool) (*Service, error) {
+	vp, status, err := NewVulnerabilityDB(distCfg, installCfg, true)
+	if err = validateDBLoad(err, status); err != nil {
 		return nil, err
 	}
 	return &Service{
-		dbCfg:              dbCfg,
-		dbCloser:           dbCloser,
-		dbStatus:           dbStatus,
-		dbStore:            dbStore,
+		vp:                 vp,
 		useDefaultMatchers: useDefaultMatchers,
 	}, nil
 }
--- a/pkg/imagescan/imagescan_test.go
+++ b/pkg/imagescan/imagescan_test.go
@@ -1,137 +1,13 @@
 package imagescan

 import (
-	"errors"
-	"net/http"
-	"path"
 	"testing"
-	"time"

-	"github.com/adrg/xdg"
-	"github.com/anchore/grype/grype/db"
-	grypedb "github.com/anchore/grype/grype/db/v5"
-	"github.com/anchore/grype/grype/match"
-	"github.com/anchore/grype/grype/pkg"
-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/anchore/grype/grype/vulnerability"
-	syftPkg "github.com/anchore/syft/syft/pkg"
-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-func TestVulnerabilityAndSeverityExceptions(t *testing.T) {
-	go func() {
-		_ = http.ListenAndServe(":8000", http.FileServer(http.Dir("testdata"))) //nolint:gosec
-	}()
-	dbCfg := db.Config{
-		DBRootDir:  path.Join(xdg.CacheHome, "grype-light", "db"),
-		ListingURL: "http://localhost:8000/listing.json",
-	}
-	svc, err := NewScanService(dbCfg)
-	require.NoError(t, err)
-	defer svc.Close()
-	creds := RegistryCredentials{}
-
-	tests := []struct {
-		name                    string
-		image                   string
-		vulnerabilityExceptions []string
-		ignoredLen              int
-		severityExceptions      []string
-		filteredLen             int
-	}{
-		{
-			name:               "alpine:3.19.1 without medium vulnerabilities",
-			image:              "alpine:3.19.1",
-			ignoredLen:         0,
-			severityExceptions: []string{"MEDIUM"},
-			filteredLen:        0,
-		},
-		{
-			name:                    "alpine:3.9.6",
-			image:                   "alpine:3.9.6",
-			vulnerabilityExceptions: []string{"CVE-2020-1971", "CVE-2020-28928", "CVE-2021-23840"},
-			ignoredLen:              6,
-			severityExceptions:      []string{"HIGH", "MEDIUM"},
-			filteredLen:             8,
-		},
-		{
-			name:                    "alpine:3.9.6 with invalid vulnerability and severity exceptions",
-			image:                   "alpine:3.9.6",
-			vulnerabilityExceptions: []string{"invalid-cve", "CVE-2020-28928", "CVE-2021-23840"},
-			ignoredLen:              4,
-			severityExceptions:      []string{"CRITICAL", "MEDIUM", "invalid-severity"},
-			filteredLen:             10,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			store, status, dbCloser, err := NewVulnerabilityDB(svc.dbCfg, true)
-			assert.NoError(t, validateDBLoad(err, status))
-
-			packages, pkgContext, _, err := pkg.Provide(tc.image, getProviderConfig(creds))
-			assert.NoError(t, err)
-
-			if dbCloser != nil {
-				defer dbCloser.Close()
-			}
-
-			remainingMatches, ignoredMatches, err := getIgnoredMatches(tc.vulnerabilityExceptions, store, packages, pkgContext, svc.useDefaultMatchers)
-			assert.NoError(t, err)
-			assert.Equal(t, tc.ignoredLen, len(ignoredMatches))
-
-			filteredMatches := filterMatchesBasedOnSeverity(tc.severityExceptions, *remainingMatches, store)
-			assert.Equal(t, tc.filteredLen, filteredMatches.Count())
-		})
-	}
-}
-
-// fakeMetaProvider is a test double that fakes an actual MetadataProvider
-type fakeMetaProvider struct {
-	vulnerabilities map[string]map[string][]grypedb.Vulnerability
-	metadata        map[string]map[string]*grypedb.VulnerabilityMetadata
-}
-
-func newFakeMetaProvider() *fakeMetaProvider {
-	d := fakeMetaProvider{
-		vulnerabilities: make(map[string]map[string][]grypedb.Vulnerability),
-		metadata:        make(map[string]map[string]*grypedb.VulnerabilityMetadata),
-	}
-	d.fillWithData()
-	return &d
-}
-func (d *fakeMetaProvider) GetAllVulnerabilityMetadata() (*[]grypedb.VulnerabilityMetadata, error) {
-	return nil, nil
-}
-func (d *fakeMetaProvider) GetVulnerabilityMatchExclusion(id string) ([]grypedb.VulnerabilityMatchExclusion, error) {
-	return nil, nil
-}
-func (d *fakeMetaProvider) GetVulnerabilityMetadata(id, namespace string) (*grypedb.VulnerabilityMetadata, error) {
-	return d.metadata[id][namespace], nil
-}
-func (d *fakeMetaProvider) fillWithData() {
-	d.metadata["CVE-2014-fake-1"] = map[string]*grypedb.VulnerabilityMetadata{
-		"debian:distro:debian:8": {
-			ID:        "CVE-2014-fake-1",
-			Namespace: "debian:distro:debian:8",
-			Severity:  "medium",
-		},
-	}
-	d.vulnerabilities["debian:distro:debian:8"] = map[string][]grypedb.Vulnerability{
-		"neutron": {
-			{
-				PackageName:       "neutron",
-				Namespace:         "debian:distro:debian:8",
-				VersionConstraint: "< 2014.1.3-6",
-				ID:                "CVE-2014-fake-1",
-				VersionFormat:     "deb",
-			},
-		},
-	}
-}
-
 func TestParseSeverity(t *testing.T) {
 	tests := []struct {
 		name string
@@ -221,81 +97,6 @@ func TestIsEmpty(t *testing.T) {
 	}
 }

-func TestNewDefaultDBConfig(t *testing.T) {
-	config, shouldUpdate := NewDefaultDBConfig()
-	assert.NotNil(t, config)
-	assert.Equal(t, true, shouldUpdate)
-	assert.Contains(t, config.DBRootDir, "grypedb")
-	assert.Equal(t, "https://toolbox-data.anchore.io/grype/databases/listing.json", config.ListingURL)
-}
-
-func TestValidateDBLoad(t *testing.T) {
-	currentTime := time.Now()
-	tests := []struct {
-		name               string
-		loadErr            error
-		status             *db.Status
-		expectedErrMessage string
-	}{
-		{
-			name:               "status nil",
-			loadErr:            nil,
-			status:             nil,
-			expectedErrMessage: "unable to determine the status of the vulnerability db",
-		},
-		{
-			name:    "loadErr nil and status error nil",
-			loadErr: nil,
-			status: &db.Status{
-				Built:         currentTime,
-				SchemaVersion: 7,
-				Location:      "New Delhi",
-				Checksum:      "invalid",
-				Err:           nil,
-			},
-			expectedErrMessage: "",
-		},
-		{
-			name:    "loadErr nil but status error not nil",
-			loadErr: nil,
-			status: &db.Status{
-				Built:         currentTime,
-				SchemaVersion: 7,
-				Location:      "New Delhi",
-				Checksum:      "invalid",
-				Err:           errors.New("Some error"),
-			},
-			expectedErrMessage: "db could not be loaded: Some error",
-		},
-		{
-			name:    "loadErr not nil",
-			loadErr: errors.New("Some error"),
-			status: &db.Status{
-				Built:         currentTime,
-				SchemaVersion: 7,
-				Location:      "New Delhi",
-				Checksum:      "invalid",
-				Err:           errors.New("Some error"),
-			},
-			expectedErrMessage: "failed to load vulnerability db: Some error",
-		},
-		{
-			name:               "load Error, no db status",
-			loadErr:            errors.New("Some error"),
-			status:             nil,
-			expectedErrMessage: "failed to load vulnerability db: Some error",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateDBLoad(tt.loadErr, tt.status)
-			if err != nil {
-				assert.Equal(t, tt.expectedErrMessage, err.Error())
-			}
-		})
-	}
-}
-
 func TestGetProviderConfig(t *testing.T) {
 	tests := []struct {
 		name  string
@@ -339,14 +140,6 @@ func TestGetProviderConfig(t *testing.T) {
 	}
 }

-func TestNewScanService(t *testing.T) {
-	defaultConfig, _ := NewDefaultDBConfig()
-	svc, err := NewScanService(defaultConfig)
-	require.NoError(t, err)
-	defer svc.Close()
-	assert.Equal(t, defaultConfig, svc.dbCfg)
-}
-
 func TestNewScanServiceWithDefaultMatchers(t *testing.T) {
 	// Test the Service struct creation with different useDefaultMatchers values
 	// This test doesn't require a real database
@@ -364,114 +157,6 @@ func TestNewScanServiceWithDefaultMatchers(t *testing.T) {
 	assert.False(t, svcWithoutDefault.useDefaultMatchers)
 }

-func TestExceedsSeverityThreshold(t *testing.T) {
-	my_matches := match.NewMatches()
-	my_matches.Add(match.Match{
-		Vulnerability: vulnerability.Vulnerability{
-			ID:        "CVE-2014-fake-1",
-			Namespace: "debian:distro:debian:8",
-		},
-		Package: pkg.Package{
-			ID:      pkg.ID(uuid.NewString()),
-			Name:    "the-package",
-			Version: "v0.1",
-			Type:    syftPkg.RpmPkg,
-		},
-		Details: match.Details{
-			{
-				Type: match.ExactDirectMatch,
-			},
-		},
-	})
-	my_metadataProvider := db.NewVulnerabilityMetadataProvider(newFakeMetaProvider())
-
-	type args struct {
-		scanResults *models.PresenterConfig
-		severity    vulnerability.Severity
-	}
-	tests := []struct {
-		name string
-		args args
-		want bool
-	}{
-		{
-			name: "No severity set",
-			args: args{
-				scanResults: &models.PresenterConfig{
-					Matches:          match.NewMatches(),
-					MetadataProvider: nil,
-				},
-				severity: vulnerability.UnknownSeverity,
-			},
-			want: false,
-		},
-		{
-			name: "No MetadataProvider",
-			args: args{
-				scanResults: &models.PresenterConfig{
-					Matches:          my_matches,
-					MetadataProvider: nil,
-				},
-				severity: vulnerability.MediumSeverity,
-			},
-			want: false,
-		},
-		{
-			name: "Severity higher than vulnerability",
-			args: args{
-				scanResults: &models.PresenterConfig{
-					Matches:          my_matches,
-					MetadataProvider: my_metadataProvider,
-				},
-				severity: vulnerability.HighSeverity,
-			},
-			want: false,
-		},
-		{
-			name: "Severity equal to vulnerability",
-			args: args{
-				scanResults: &models.PresenterConfig{
-					Matches:          my_matches,
-					MetadataProvider: my_metadataProvider,
-				},
-				severity: vulnerability.MediumSeverity,
-			},
-			want: true,
-		},
-		{
-			name: "Fail severity below found vulnerability",
-			args: args{
-				scanResults: &models.PresenterConfig{
-					Matches:          my_matches,
-					MetadataProvider: my_metadataProvider,
-				},
-				severity: vulnerability.LowSeverity,
-			},
-			want: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-
-			got := ExceedsSeverityThreshold(tt.args.scanResults, tt.args.severity)
-
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}
-
-func TestGetMatchers(t *testing.T) {
-	// Test with default matchers enabled
-	matchersWithDefault := getMatchers(true)
-	assert.NotNil(t, matchersWithDefault)
-	assert.Greater(t, len(matchersWithDefault), 0)
-
-	// Test with default matchers disabled
-	matchersWithoutDefault := getMatchers(false)
-	assert.Nil(t, matchersWithoutDefault)
-}
-
 func TestNewScanServiceWithMatchers(t *testing.T) {
 	// Test the Service struct creation with different useDefaultMatchers values
 	// This test doesn't require a real database
@@ -491,16 +176,16 @@ func TestNewScanServiceWithMatchers(t *testing.T) {

 func TestNewScanServiceWithMatchersIntegration(t *testing.T) {
 	// Test the actual NewScanServiceWithMatchers function
-	defaultConfig, _ := NewDefaultDBConfig()
+	distCfg, installCfg, _ := NewDefaultDBConfig()

 	// Test with default matchers enabled
-	svcWithDefault, err := NewScanServiceWithMatchers(defaultConfig, true)
+	svcWithDefault, err := NewScanServiceWithMatchers(distCfg, installCfg, true)
 	require.NoError(t, err)
 	defer svcWithDefault.Close()
 	assert.True(t, svcWithDefault.useDefaultMatchers)

 	// Test with default matchers disabled
-	svcWithoutDefault, err := NewScanServiceWithMatchers(defaultConfig, false)
+	svcWithoutDefault, err := NewScanServiceWithMatchers(distCfg, installCfg, false)
 	require.NoError(t, err)
 	defer svcWithoutDefault.Close()
 	assert.False(t, svcWithoutDefault.useDefaultMatchers)
--- a/pkg/imagescan/testdata/listing.json
+++ b/pkg/imagescan/testdata/listing.json
@@ -1,12 +0,0 @@
-{
-  "available": {
-    "5": [
-      {
-        "built": "2023-12-13T01:27:01Z",
-        "version": 5,
-        "url": "http://localhost:8000/vulnerability-db_v5_2023-03-24T06_54_57Z_fab15e5405c096d82dfd.tar.gz",
-        "checksum": "sha256:99ad9fd54be5295351555a02a0fb6986a461a9d23eb8ae3b34ea892c252a8c80"
-      }
-    ]
-  }
-}
--- a/pkg/imagescan/testdata/vulnerability-db_v5_2023-03-24T06_54_57Z_fab15e5405c096d82dfd.tar.gz
+++ b/pkg/imagescan/testdata/vulnerability-db_v5_2023-03-24T06_54_57Z_fab15e5405c096d82dfd.tar.gz
Author	SHA1	Message	Date
Matthias Bertschy	33d1e018ec	fix: update documentation links to include 'controls' path Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-11-03 07:47:37 +01:00
Mujib Ahasan	0c74599314	Test file updated Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>	2025-10-30 01:14:25 +05:30
Mujib Ahasan	c23b85cc84	fixed 404 url issue in kubescape scan Signed-off-by: Mujib Ahasan <ahasanmujib8@gmail.com>	2025-10-25 17:39:28 +05:30
Matthias Bertschy	aab10d14a2	Merge pull request #1881 from kubescape/dependabot/go_modules/github.com/nwaples/rardecode/v2-2.2.0 Bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0	2025-10-21 09:45:29 +02:00
dependabot[bot]	2fcbe54e4e	Bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 Bumps [github.com/nwaples/rardecode/v2](https://github.com/nwaples/rardecode) from 2.1.1 to 2.2.0. - [Commits](https://github.com/nwaples/rardecode/compare/v2.1.1...v2.2.0) --- updated-dependencies: - dependency-name: github.com/nwaples/rardecode/v2 dependency-version: 2.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2025-10-21 09:31:33 +02:00
Matthias Bertschy	078d154ab8	chore: update runners to use ubuntu-large for improved performance Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-10-15 10:12:24 +02:00
Matthias Bertschy	cc9dcf827e	Revert "use ubuntu-latest-16-cores runner for docker build" This reverts commit `76943d05fb`.	2025-10-15 10:01:39 +02:00
Matthias Bertschy	76943d05fb	use ubuntu-latest-16-cores runner for docker build Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-10-13 10:23:07 +02:00
Matthias Bertschy	621ac111cb	Merge pull request #1880 from kubescape/hostagent-block fix: improve error handling in hostscanner pod validation	2025-10-12 11:52:16 +02:00
Matthias Bertschy	3f80bce811	fix: improve error handling in hostscanner pod validation Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-10-10 16:13:43 +02:00
Matthias Bertschy	cc6895fc50	chore: update syft action to use latest version Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-10-10 15:00:35 +02:00
Matthias Bertschy	7d9d8e4b59	Merge pull request #1879 from kubescape/fix-post-release fix: post release action does not take tag from GITHUB_REF env var	2025-10-08 15:57:44 +02:00
Amir Malka	f8d4bf515d	fix: post release action does not take tag from GITHUB_REF env var Signed-off-by: Amir Malka <amirm@armosec.io>	2025-10-08 16:18:35 +03:00
Matthias Bertschy	774ebe4a5f	bump python to 3.9 Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-09-29 17:44:13 +02:00
Matthias Bertschy	45a07a8046	Merge pull request #1877 from kubescape/grype migrate to grype v0.99.1	2025-09-17 11:35:30 +02:00
Matthias Bertschy	ff96edae4d	use grype v0.99.1 Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-09-17 10:11:19 +02:00
Matthias Bertschy	34b82cad27	Merge pull request #1875 from kkrypt0nn/master fix: Don't run scan in installation script	2025-09-16 15:13:31 +02:00
Matthias Bertschy	1a4c979ab8	update golangci-lint config Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-09-16 13:54:23 +02:00
Matthias Bertschy	3481af4a5b	bump golangci-lint action Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>	2025-09-16 11:48:02 +02:00
Ben Hirschberg	71dc7a702c	Merge pull request #1876 from cx-anjali-deore/fix/policy-binding-param Fixed issue #1800 : Added parameterNotFoundAction in spec.paramRef while creating policy binding	2025-09-15 10:17:52 +03:00
anjali-deore	6d92389285	Fixed issue 1800 Signed-off-by: anjali-deore <200181980+cx-anjali-deore@users.noreply.github.com>	2025-09-13 18:06:37 +05:30
Krypton	bd0be45c0b	fix: Don't run scan in installation script Signed-off-by: Krypton <root@krypton.ninja>	2025-09-12 19:54:31 +02:00
Amir Malka	7ebf078d0c	fix post-release workflow (#1873 ) Signed-off-by: Amir Malka <amirm@armosec.io>	2025-09-02 19:51:20 +03:00