override default worker pool size with KUBESCAPE_WORKERS

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Merge pull request #1803 from kubescape/dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.4
2026-02-14 18:09:55 +00:00 · 2025-03-07 18:13:29 +01:00 · 2025-03-04 10:38:44 +01:00 · 2025-03-04 09:28:14 +01:00 · 2025-03-03 15:20:14 +02:00 · 2025-02-26 11:51:42 +01:00
194 changed files with 5688 additions and 3538 deletions
--- a/.github/workflows/00-pr-scanner.yaml
+++ b/.github/workflows/00-pr-scanner.yaml
@@ -23,7 +23,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      id-token: write
      issues: read
@@ -34,6 +33,8 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
+      contents: write
    uses: ./.github/workflows/a-pr-scanner.yaml
    with:
      RELEASE: ""
@@ -47,7 +48,7 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
+      contents: write
      deployments: read
      discussions: read
      id-token: write
@@ -58,12 +59,13 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
    with:
      COMPONENT_NAME: kubescape
      CGO_ENABLED: 0
      GO111MODULE: ""
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
      RELEASE: "latest"
      CLIENT: test
    secrets: inherit
--- a/.github/workflows/02-release.yaml
+++ b/.github/workflows/02-release.yaml
@@ -8,9 +8,9 @@ jobs:
  retag:
    outputs:
      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu22-core4-mem16-ssd150
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
      - id: tag-calculator
        uses: ./.github/actions/tag-action
        with:
@@ -19,7 +19,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      discussions: read
      id-token: write
@@ -30,13 +29,15 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      contents: write
+      attestations: write
    needs: [retag]
    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
    with:
      COMPONENT_NAME: kubescape
      CGO_ENABLED: 0
      GO111MODULE: ""
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
      RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
      CLIENT: release
    secrets: inherit
@@ -55,6 +56,7 @@ jobs:
      repository-projects: read
      statuses: read
      security-events: read
+      attestations: read
    needs: [retag, binary-build]
    uses: ./.github/workflows/c-create-release.yaml
    with:
@@ -66,7 +68,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      discussions: read
      id-token: write
@@ -77,6 +78,8 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
+      contents: write
    uses: ./.github/workflows/d-publish-image.yaml
    needs: [create-release, retag]
    with:
@@ -86,3 +89,24 @@ jobs:
      support_platforms: true
      cosign: true
    secrets: inherit
+  post-release:
+    permissions:
+      actions: read
+      checks: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
+      attestations: read
+      contents: write
+    uses: ./.github/workflows/e-post-release.yaml
+    needs: [publish-image]
+    with:
+      TAG: ${{ needs.retag.outputs.NEW_TAG }}
+    secrets: inherit
--- a/.github/workflows/04-publish-krew-plugin.yaml
+++ b/.github/workflows/04-publish-krew-plugin.yaml
@@ -1,17 +0,0 @@
-name: 04-publish_krew_plugin
-permissions: read-all
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
-jobs:
-  publish_krew_plugin:
-    name: Publish Krew plugin
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'kubescape'
-    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Update new version in krew-index
-        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43
--- a/.github/workflows/a-pr-scanner.yaml
+++ b/.github/workflows/a-pr-scanner.yaml
@@ -27,10 +27,10 @@ jobs:
    name: Create cross-platform build
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu22-core4-mem16-ssd150
    steps:

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
@@ -39,7 +39,6 @@ jobs:
        name: Installing go
        with:
          go-version: ${{ inputs.GO_VERSION }}
-          cache: true

      - name: Test core pkg
        run: ${{ env.DOCKER_CMD }} go test -v ./...
@@ -71,18 +70,20 @@ jobs:

      - name: golangci-lint
        continue-on-error: false
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3
        with:
          version: latest
-          args: --timeout 10m --build-tags=static
+          args: --timeout 10m
          only-new-issues: true
+          skip-pkg-cache: true
+          skip-build-cache: true

  scanners:
    env:
      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    name: PR Scanner
-    runs-on: ubuntu-latest
+    runs-on: ubuntu22-core4-mem16-ssd150
    steps:
      - uses: actions/checkout@v4
        with:
@@ -91,8 +92,7 @@ jobs:
      - uses: actions/setup-go@v4
        name: Installing go
        with:
-          go-version: '1.21'
-          cache: true
+          go-version: "1.23"
      - name: Scanning - Forbidden Licenses (go-licenses)
        id: licenses-scan
        continue-on-error: true
@@ -105,7 +105,7 @@ jobs:
        if: ${{ env.GITGUARDIAN_API_KEY }}
        continue-on-error: true
        id: credentials-scan
-        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
+        uses: GitGuardian/ggshield-action@master
        with:
          args: -v --all-policies
        env:
@@ -118,7 +118,7 @@ jobs:
        if: ${{ env.SNYK_TOKEN }}
        id: vulnerabilities-scan
        continue-on-error: true
-        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
+        uses: snyk/actions/golang@master
        with:
          command: test --all-projects
        env:
@@ -140,7 +140,7 @@ jobs:

      - name: Comment results to PR
        continue-on-error: true # Warning: This might break opening PRs from forks
-        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
+        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
--- a/.github/workflows/b-binary-build-and-e2e-tests.yaml
+++ b/.github/workflows/b-binary-build-and-e2e-tests.yaml
@@ -18,7 +18,7 @@ on:
      GO_VERSION:
        required: false
        type: string
-        default: "1.21"
+        default: "1.23"
      GO111MODULE:
        required: false
        type: string
@@ -30,7 +30,32 @@ on:
      BINARY_TESTS:
        type: string
        required: false
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "control_cluster_from_CLI_config_scan_exclude_namespaces", "control_cluster_from_CLI_config_scan_include_namespaces", "control_cluster_from_CLI_config_scan_host_scanner_enabled", "control_cluster_from_CLI_config_scan_MITRE_framework", "control_cluster_from_CLI_vulnerabilities_scan_default", "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces" ]'
+        default: '[
+          "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy",
+          "ks_microservice_triggering_with_cron_job",
+          "ks_microservice_update_cronjob_schedule",
+          "ks_microservice_delete_cronjob",
+          "ks_microservice_create_2_cronjob_mitre_and_nsa",
+          "ks_microservice_ns_creation",
+          "ks_microservice_on_demand",
+          "ks_microservice_mitre_framework_on_demand",
+          "ks_microservice_nsa_and_mitre_framework_demand",
+          "scan_nsa",
+          "scan_mitre",
+          "scan_with_exceptions",
+          "scan_repository",
+          "scan_local_file",
+          "scan_local_glob_files",
+          "scan_local_list_of_files",
+          "scan_with_exception_to_backend",
+          "scan_nsa_and_submit_to_backend",
+          "scan_mitre_and_submit_to_backend",
+          "scan_local_repository_and_submit_to_backend",
+          "scan_repository_from_url_and_submit_to_backend",
+          "scan_with_custom_framework",
+          "scan_customer_configuration",
+          "scan_compliance_score"
+          ]'

  workflow_call:
    inputs:
@@ -45,7 +70,7 @@ on:
        type: string
      GO_VERSION:
        type: string
-        default: "1.21"
+        default: "1.23"
      GO111MODULE:
        required: true
        type: string
@@ -54,7 +79,25 @@ on:
        default: 1
      BINARY_TESTS:
        type: string
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing" ]'
+        default: '[ 
+          "scan_nsa", 
+          "scan_mitre", 
+          "scan_with_exceptions", 
+          "scan_repository", 
+          "scan_local_file", 
+          "scan_local_glob_files", 
+          "scan_local_list_of_files", 
+          "scan_nsa_and_submit_to_backend", 
+          "scan_mitre_and_submit_to_backend", 
+          "scan_local_repository_and_submit_to_backend", 
+          "scan_repository_from_url_and_submit_to_backend", 
+          "scan_with_custom_framework", 
+          "scan_customer_configuration", 
+          "scan_compliance_score", 
+          "scan_custom_framework_scanning_file_scope_testing", 
+          "scan_custom_framework_scanning_cluster_scope_testing", 
+          "scan_custom_framework_scanning_cluster_and_file_scope_testing"
+          ]'

 jobs:
  wf-preparation:
@@ -75,7 +118,7 @@ jobs:
          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
+        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && env.USERNAME != '' && env.PASSWORD != '' && env.CLIENT_ID != '' && env.SECRET_KEY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}\" >> $GITHUB_OUTPUT\n"

      - id: export_tests_to_env
        name: set test name
@@ -103,31 +146,47 @@ jobs:
    needs: wf-preparation
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-large
    steps:
+      - name: (debug) Step 1 - Check disk space before checkout
+        run: df -h

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive

+      - name: (debug) Step 2 - Check disk space before installing Go
+        run: df -h
+
      - uses: actions/setup-go@v4
        name: Installing go
        with:
          go-version: ${{ inputs.GO_VERSION }}
-          cache: true
+
+      - name: (debug) Step 3 - Check disk space before build
+        run: df -h

      - name: Test core pkg
        run: ${{ env.DOCKER_CMD }} go test -v ./...
        if: startsWith(github.ref, 'refs/tags')

+      - name: (debug) Step 4 - Check disk space before testing httphandler pkg
+        run: df -h
+
      - name: Test httphandler pkg
        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
        if: startsWith(github.ref, 'refs/tags')

-      - uses: anchore/sbom-action/download-syft@v0.15.2
+      - name: (debug) Step 5 - Check disk space before setting up Syft
+        run: df -h
+
+      - uses: anchore/sbom-action/download-syft@v0
        name: Setup Syft

+      - name: (debug) Step 6 - Check disk space before goreleaser
+        run: df -h
+
      - uses: goreleaser/goreleaser-action@v5
        name: Build
        with:
@@ -139,30 +198,44 @@ jobs:
          CLIENT: ${{ inputs.CLIENT }}
          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}

+      - name: (debug) Step 7 - Check disk space before smoke testing
+        run: df -h
+
      - name: Smoke Testing
        env:
          RELEASE: ${{ inputs.RELEASE }}
          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest

+      - name: (debug) Step 8 - Check disk space before golangci-lint
+        run: df -h
+
      - name: golangci-lint
        continue-on-error: true
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3
        with:
          version: latest
-          args: --timeout 10m --build-tags=static
+          args: --timeout 10m
          only-new-issues: true
+          skip-pkg-cache: true
+          skip-build-cache: true

-      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
+      - name: (debug) Step 9 - Check disk space before uploading artifacts
+        run: df -h
+
+      - uses: actions/upload-artifact@v4
        name: Upload artifacts
        with:
          name: kubescape
          path: dist/kubescape*
          if-no-files-found: error

+      - name: (debug) Step 10 - Check disk space after uploading artifacts
+        run: df -h
+
  build-http-image:
    permissions:
-      contents: read
+      contents: write
      id-token: write
      packages: write
      pull-requests: read
@@ -175,7 +248,7 @@ jobs:
      CGO_ENABLED: 0
      GO111MODULE: "on"
      BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
      REQUIRED_TESTS: '[
                "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", 
                "ks_microservice_triggering_with_cron_job",
@@ -186,8 +259,22 @@ jobs:
                "ks_microservice_on_demand",
                "ks_microservice_mitre_framework_on_demand",
                "ks_microservice_nsa_and_mitre_framework_demand",
+                "scan_nsa", 
+                "scan_mitre", 
+                "scan_with_exceptions", 
+                "scan_repository", 
+                "scan_local_file", 
+                "scan_local_glob_files", 
+                "scan_local_list_of_files", 
+                "scan_with_exception_to_backend", 
+                "scan_nsa_and_submit_to_backend", 
+                "scan_mitre_and_submit_to_backend", 
+                "scan_local_repository_and_submit_to_backend", 
+                "scan_repository_from_url_and_submit_to_backend", 
+                "scan_with_custom_framework", 
+                "scan_customer_configuration", 
                "scan_compliance_score"
-              ]'
+                ]'
      COSIGN: true
      HELM_E2E_TEST: true
      FORCE: true
@@ -202,7 +289,7 @@ jobs:
    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
    runs-on: ubuntu-latest # This cannot change
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
          name: kubescape
@@ -214,12 +301,12 @@ jobs:
        run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest

      - name: Checkout systests repo
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          repository: armosec/system-tests
          path: .

-      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
+      - uses: actions/setup-python@v4
        with:
          python-version: '3.8.13'
          cache: 'pip'
@@ -234,7 +321,7 @@ jobs:

      - name: Create k8s Kind Cluster
        id: kind-cluster-install
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
+        uses: helm/kind-action@v1.10.0
        with:
          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}

@@ -264,8 +351,9 @@ jobs:
          deactivate

      - name: Test Report
-        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
+        uses: mikepenz/action-junit-report@v5
        if: always() # always run even if the previous step fails
        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
          report_paths: '**/results_xml_format/**.xml'
          commit: ${{github.event.workflow_run.head_sha}}
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -23,7 +23,7 @@ jobs:
    permissions:
      id-token: write
      packages: write
-      contents: read
+      contents: write
      pull-requests: read
    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
    with:
@@ -33,7 +33,7 @@ jobs:
      CGO_ENABLED: 0
      GO111MODULE: "on"
      BUILD_PLATFORM: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.23"
      REQUIRED_TESTS: '[]'
      COSIGN: ${{ inputs.CO_SIGN }}
      HELM_E2E_TEST: false
--- a/.github/workflows/c-create-release.yaml
+++ b/.github/workflows/c-create-release.yaml
@@ -24,18 +24,19 @@ jobs:
      MAC_OS: macos-latest
      UBUNTU_OS: ubuntu-latest
      WINDOWS_OS: windows-latest
-    # permissions:
-    #   contents: write
+    permissions:
+      contents: write
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
+          name: kubescape
          path: .

      # TODO: kubescape-windows-latest is deprecated and should be removed
      - name: Get kubescape.exe from kubescape-windows-latest.exe
-        run: cp ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape-${{ env.WINDOWS_OS }}.exe ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape.exe
-      
+        run: cp ${{steps.download-artifact.outputs.download-path}}/kubescape-${{ env.WINDOWS_OS }}.exe ${{steps.download-artifact.outputs.download-path}}/kubescape.exe
+
      - name: Set release token
        id: set-token
        run: |
@@ -44,13 +45,13 @@ jobs:
          else
            echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT;
          fi
-          
+
      - name: List artifacts
        run: |
          find . -type f -print

      - name: Release
-        uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a 
+        uses: softprops/action-gh-release@v2
        with:
          token: ${{ steps.set-token.outputs.token }}
          name: ${{ inputs.RELEASE_NAME }}
@@ -60,23 +61,32 @@ jobs:
          prerelease: false
          fail_on_unmatched_files: true
          files: |
-            ./kubescape/kubescape-${{ env.UBUNTU_OS }}.tar.gz 
-            ./kubescape/kubescape-${{ env.UBUNTU_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.exe 
-            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.tar.gz 
-            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz 
-            ./kubescape/kubescape-arm64-${{ env.MAC_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}
-            ./kubescape/kubescape-${{ env.UBUNTU_OS }} 
-            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz 
-            ./kubescape/kubescape-arm64-${{ env.MAC_OS }} 
-            ./kubescape/kubescape-${{ env.MAC_OS }}.tar.gz 
-            ./kubescape/kubescape-${{ env.MAC_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape.exe 
-            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz.sbom 
-            ./kubescape/kubescape-${{ env.MAC_OS }} 
-            ./kubescape/kubescape-arm64-${{ env.MAC_OS }}.tar.gz 
-            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.exe
-  
+            ./kubescape-${{ env.MAC_OS }}
+            ./kubescape-${{ env.MAC_OS }}.sbom
+            ./kubescape-${{ env.MAC_OS }}.sha256
+            ./kubescape-${{ env.MAC_OS }}.tar.gz
+            ./kubescape-${{ env.UBUNTU_OS }}
+            ./kubescape-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-${{ env.WINDOWS_OS }}.exe
+            ./kubescape-${{ env.WINDOWS_OS }}.exe.sbom
+            ./kubescape-${{ env.WINDOWS_OS }}.exe.sha256
+            ./kubescape-${{ env.WINDOWS_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.MAC_OS }}
+            ./kubescape-arm64-${{ env.MAC_OS }}.sbom
+            ./kubescape-arm64-${{ env.MAC_OS }}.sha256
+            ./kubescape-arm64-${{ env.MAC_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe.sbom
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe.sha256
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape.exe
--- a/.github/workflows/d-publish-image.yaml
+++ b/.github/workflows/d-publish-image.yaml
@@ -1,5 +1,18 @@
 name: d-publish-image
-permissions: read-all
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  discussions: read
+  id-token: write
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
 on:
  workflow_call:
    inputs:
@@ -46,26 +59,25 @@ jobs:
    name: Build image and upload to registry
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      - name: Login to Quay.io
        env:
          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
+          name: kubescape
          path: .
      - name: mv kubescape amd64 binary
-        run: mv ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest
-      - name: mv kubescape arm64 binary
-        run: mv ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape-arm64-ubuntu-latest kubescape-arm64-ubuntu-latest
+        run: mv kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest
      - name: chmod +x
        run: chmod +x -v kubescape-a*
      - name: Build and push images
@@ -93,4 +105,3 @@ jobs:
            # Verify the image
            echo "$COSIGN_PUBLIC_KEY" > cosign.pub
            cosign verify -key cosign.pub ${{ inputs.image_name }}:${{ inputs.image_tag }}
-
--- a/.github/workflows/03-post-release.yaml
+++ b/.github/workflows/03-post-release.yaml
@@ -1,21 +1,25 @@
-name: 03-post_release
+name: e-post_release
 permissions: read-all
 on:
-  release:
-    types: [published]
-    branches:
-      - 'master'
-      - 'main'
+  workflow_call:
+    inputs:
+      TAG:
+        description: 'Tag name'
+        required: true
+        type: string
 jobs:
  post_release:
    name: Post release jobs
    runs-on: ubuntu-latest
    steps:
-      - name: Digest
-        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
+      - uses: actions/checkout@v4
        with:
-          hash-type: sha1
-          file-name: kubescape-release-digests
+          submodules: recursive
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@v0.0.47
+        if: github.repository_owner == 'kubescape'
+        env:
+          GITHUB_REF: ${{ inputs.TAG }}
      - name: Invoke workflow to update packaging
        uses: benc-uk/workflow-dispatch@v1
        if: github.repository_owner == 'kubescape'
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,12 +32,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
@@ -59,7 +59,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
@@ -67,6 +67,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/z-close-typos-issues.yaml
+++ b/.github/workflows/z-close-typos-issues.yaml
@@ -7,14 +7,14 @@ jobs:
    if: github.event.label.name == 'typo'
    runs-on: ubuntu-latest
    steps:
-      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
+      - uses: ben-z/actions-comment-on-issue@1.0.2
        with:
          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  auto_close_issues:
    runs-on: ubuntu-latest
    steps:
-      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
+      - uses: lee-dohm/close-matching-issues@v2
        with:
          query: 'label:typo'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,6 @@
 linters-settings:
  govet:
-    check-shadowing: true
+    shadow: true
  dupl:
    threshold: 200
  goconst:
@@ -24,7 +24,6 @@ linters:
    - gosimple
  disable:
    # temporarily disabled
-    - varcheck
    - errcheck
    - dupl
    - gocritic
@@ -36,8 +35,6 @@ linters:
    - unparam
    #- forbidigo # <- see later
    # should remain disabled
-    - deadcode   # deprecated linter
-    - maligned
    - lll
    - gochecknoinits
    - gochecknoglobals
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -12,16 +12,18 @@ before:
    - go mod tidy

 builds:
-  - id: "kubescape-cli"
-    goos:
+  - goos:
      - linux
      - windows
      - darwin
    goarch:
      - amd64
      - arm64
+      - riscv64
    ldflags:
-      - -s -w -X "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber={{.Env.RELEASE}}"
+      - -s -w
+      - -X "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber={{.Env.RELEASE}}"
+      - -X "github.com/kubescape/kubescape/v3/core/cautils.Client={{.Env.CLIENT}}"
    binary: >-
      {{ .ProjectName }}-
      {{- if eq .Arch "amd64" }}
@@ -32,8 +34,11 @@ builds:
    no_unique_dist_dir: true

 archives:
+  - format: binary
+    id: binaries
+    name_template: >-
+      {{ .Binary }}
  - format: tar.gz
-    # this name template makes the OS and Arch compatible with the results of `uname`.
    name_template: >-
      {{ .Binary }}

@@ -44,5 +49,12 @@ changelog:
      - "^docs:"
      - "^test:"

+checksum:
+  ids:
+    - binaries
+  split: true
+
 sboms:
-  - artifacts: archive
+  - artifacts: binary
+    documents:
+      - "{{ .Binary }}.sbom"
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -1,22 +1,5 @@
 # Adopters

-# Well-known companies
-Well-known companies who are using and/or contributing to Kubescape are (in alphabetical order):
-* Accenture
-* Amazon.com
-* IBM
-* Intel
-* Meetup
-* RedHat
-* Scaleway
+The Kubescape project manages this document in the central project repository.

-# Users
-
-If you want to be listed here and share with others your experience, open a PR and add the bellow table:
-
-
-| Name | Company | Use case | Contact for questions (optional) |
-| ---- | ------- | -------- | -------------------------------- |
-| Yonathan Amzallag | ARMO | Vulnerability monitoring | yonatana@armosec.io |
-| Engin Diri | Schwarz IT (SIT) | Ensure continuous compliance for edge k8s cluster | engin.diri@mail.schwarz |
-| Idan Bidani | Cox Communications | Security analysis for k8s best practices in CI pipelines of 3,000 applications 🔒☸ | idan.bidani@cox.com |
+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,3 +1,5 @@
-## Code of Conduct
+# Code of Conduct

-The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)
--- a/COMMUNITY.md
+++ b/COMMUNITY.md
@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,98 +1,5 @@
 # Contributing

-First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+The Kubescape project manages this document in the central project repository.

-When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope is limited to a single or two files
-* Complex features and improvements, with potentially unlimited scope
-
-If you have a small change, feel free to fire up a Pull Request.
-
-When planning a bigger change, please first discuss the change you wish to make via an issue,
-so the maintainers are able to help guide you and let you know if you are going in the right direction.
-
-## Code of Conduct
-
-Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
-
-## Build and test locally
-
-Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
-
-## Pull Request Process
-
-1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
-   build.
-2. Update the README.md with details of changes to the interface, this includes new environment 
-   variables, exposed ports, useful file locations and container parameters.
-3. Open Pull Request to the `master` branch.
-4. We will merge the Pull Request once you have the sign-off.
-
-## Developer Certificate of Origin
-
-All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
-
-Commits made through the GitHub web application are automatically signed off.
-
-### Configuring Git to sign off commits
-
-First, configure your name and email address in Git global settings:
-
-```
-$ git config --global user.name "John Doe" 
-$ git config --global user.email johndoe@example.com
-```
-
-You can now sign off per-commit, or configure Git to always sign off commits per repository.
-
-### Sign off per-commit
-
-Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
-
-```git commit -s -m "Fix issue 64738"```
-
-This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
-
-### Configure a repository to always include sign off
-
-There are many ways to achieve this with Git hooks, but the simplest is to do the following:
-
-```
-cd your-repo
-curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
-chmod +x .git/hooks/prepare-commit-msg
-```
-
-### Use semantic commit messages (optional)
-
-When contributing, you could consider using [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/), in order to improve logs readability and help us to automatically generate `CHANGELOG`s.
-
-Format: `<type>(<scope>): <subject>`
-
-`<scope>` is optional
-
-#### Example
-
-```
-feat(cmd): add kubectl plugin
-^--^ ^-^   ^----------------^
-|    |     |
-|    |     +-> subject: summary in present tense.
-|    |
-|    +-------> scope: point of interest
-|
-+-------> type: chore, docs, feat, fix, refactor, style, or test.
-```
-
-More Examples:
-* `feat`: new feature for the user, not a new feature for build script
-* `fix`: bug fix for the user, not a fix to a build script
-* `docs`: changes to the documentation
-* `style`: formatting, missing semi colons, etc; no production code change
-* `refactor`: refactoring production code, eg. renaming a variable
-* `test`: adding missing tests, refactoring tests; no production code change
-* `chore`: updating grunt tasks etc; no production code change
-
-## Fixing a commit where the DCO failed
-
-Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,65 +1,5 @@
-# Governance of Kubescape
+# Governance

-## Overview
+The Kubescape project manages this document in the central project repository.

-The Kubescape project is an open-source initiative dedicated to improve security and best practices in Kubernetes environments. This document outlines the governance structure of the Kubescape project and provides guidance for its community contributors.
-
-## Decision Making
-
-### Maintainers
-
- Maintainers are responsible for the smooth operation of the project.
- They review and merge pull requests, manage releases, and ensure the quality and stability of the codebase.
- Maintainers are chosen based on their ongoing contributions and their demonstrated commitment to the project.
- Everyone who had at least 5 code contribution in the last 12 month can submit her/himself for joining the maintainer team
- Maintainers who are not taken part in the project work (code, reviews, discussions) for 12 month are automaticaly removed from the maintainer team
-
-
-### Committers
-
- Committers are contributors who have made significant and consistent contributions to the project.
- They have the ability to merge minor pull requests if assigned by maintainers.
- A contributor can be proposed as a committer by any existing maintainer. The proposal will be reviewed and voted on by the existing maintainers.
-
-### Community Members
-
- Anyone can become a community member by contributing to the project. This can be in the form of code contributions, documentation, or any other form of project support.
-
-## Processes
-
-### Proposing Changes
-
-1. Open an issue on the project repository to discuss the proposed change.
-2. Once there is consensus around the proposed change, create a pull request.
-3. Pull requests will be reviewed by committers and/or maintainers.
-4. Once the pull request has received approval, it can be merged into the main codebase.
-
-### Conflict Resolution
-
-1. In case of any conflicts, it is primarily the responsibility of the parties involved to resolve it.
-2. If the conflict cannot be resolved, it will be escalated to the maintainers for resolution.
-3. Maintainers' decision will be final in case of unresolved conflicts.
-
-## Roles and Responsibilities
-
-### Maintainers
-
- Ensure the quality and stability of the project.
- Resolve conflicts.
- Provide direction and set priorities for the project.
-
-### Committers
-
- Review and merge minor pull requests.
- Assist maintainers in project tasks.
- Promote best practices within the community.
-
-### Community Members
-
- Contribute to the project in any form.
- Participate in discussions and provide feedback.
- Respect the code of conduct and governance of the project.
-
-## Changes to the Governance Document
-
-Proposed changes to this governance document should follow the same process as any other code change to the Kubescape project (see "Proposing Changes").
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -1,12 +1,5 @@
 # Maintainers

-The following table lists the Kubescape project core maintainers:
-
-| Name | GitHub | Organization | Added/Renewed On |
-| --- | --- | --- | --- |
-| [Matthias Bertschy](https://www.linkedin.com/in/matthias-bertschy-b427b815/) | [@matthyx](https://github.com/matthyx) | [ARMO](https://www.armosec.io/) | 2023-01-01 |
-| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [Solo.io](https://www.solo.io/) | 2022-10-31 |
-| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
-| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
-| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+The Kubescape project manages this document in the central project repository.

+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
 [![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
 [![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
-[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![CNCF](https://shields.io/badge/CNCF-Incubating%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/?item=provisioning--security-compliance--kubescape)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubescape)](https://artifacthub.io/packages/search?repo=kubescape)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape?ref=badge_shield&issueType=license)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6944/badge)](https://www.bestpractices.dev/projects/6944)
@@ -20,21 +20,22 @@
  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
 </picture>

-_An open-source Kubernetes security platform for your clusters, CI/CD pipelines, and IDE that seperates out the security signal from the scanner noise_
+_Comprehensive Kubernetes Security from Development to Runtime_

-Kubescape is an open-source Kubernetes security platform, built for use in your day-to-day workflow, by fitting into your clusters, CI/CD pipelines and IDE. It serves as a one-stop-shop for Kuberenetes security and includes vulnerability and misconfiguration scanning. You can run scans via the CLI, or add the Kubescape Helm chart, which gives an in-depth view of what is going on in the cluster.
+Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments. It saves Kubernetes users and admins precious time, effort, and resources.

-Kubescape includes misconfiguration and vulnerability scanning as well as risk analysis and security compliance indicators. All results are presented in context and users get many cues on what to do based on scan results.Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
+Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.armosec.io/glossary/mitre-attck-framework/?utm_source=github&utm_medium=repository) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).

-Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
-
-Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
-
-## Demo
-<img src="docs/img/demo-v3.gif">
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/).

 _Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_

+## Demo
+
+Kubescape has a command line tool that you can use to quickly get a report on the security posture of a Kubernetes cluster:
+
+<img src="docs/img/demo-v3.gif">
+
 ## Getting started

 Experimenting with Kubescape is as easy as:
@@ -43,13 +44,13 @@ Experimenting with Kubescape is as easy as:
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```

+This script will automatically download the latest Kubescape CLI release and scan the Kubernetes cluster in your current kubectl context.
+
 Learn more about:

-* [Installing Kubescape](docs/installation.md)
-* [Running your first scan](docs/getting-started.md#run-your-first-scan)
-* [Usage](docs/getting-started.md#examples)
-* [Architecture](docs/architecture.md)
-* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
+* [Installing the Kubescape CLI](https://kubescape.io/docs/install-cli/)
+* [Running your first scan](https://kubescape.io/docs/scanning/)
+* [Accepting risk with exceptions](https://kubescape.io/docs/accepting-risk/)

 _Did you know you can use Kubescape in all these places?_

@@ -57,45 +58,47 @@ _Did you know you can use Kubescape in all these places?_
    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
 </div>

-## Kubescape-operator Helm-Chart
+### Continuous security monitoring with the Kubescape Operator

-Besides the CLI, the Kubescape operator can also be installed via a Helm chart. Installing the Helm chart is an excellent way to begin using Kubescape, as it provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. You can find the Helm chart in the [Kubescape-operator documentation](https://kubescape.io/docs/install-operator/).
+As well as a CLI, Kubescape provides an in-cluster mode, which is installed via a Helm chart. Kubescape in-cluster provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. [Learn more about the Kubescape operator](https://kubescape.io/docs/operator/).

-## Kubescape GitHub Action
+### Using Kubescape as a GitHub Action

 Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the [GitHub Action marketplace](https://github.com/marketplace/actions/kubescape).

 ## Under the hood

 Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
+For image scanning, it uses [Grype](https://github.com/anchore/grype).  
+For image patching, it uses [Copacetic](https://github.com/project-copacetic/copacetic).
+For eBPF, it uses [Inspektor Gadget](https://github.com/inspektor-gadget)

-By default, the results are printed in a console-friendly manner, but they can be:
+By default, CLI scan results are printed in a console-friendly manner, but they can be:

-* exported to JSON or junit XML
+* exported to JSON, junit XML or SARIF
 * rendered to HTML or PDF
 * submitted to a [cloud service](docs/providers.md)

-It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
+### In-cluster architecture 
+
+![Architecture diagram](docs/img/architecture-diagram.png)

 ## Community

-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
+Kubescape is an open source project. We welcome your feedback and ideas for improvement. We are part of the CNCF community and are evolving Kubescape in sync with the security needs of Kubernetes users. To learn more about where Kubescape is heading, please check out our [ROADMAP](https://github.com/kubescape/project-governance/blob/main/ROADMAP.md).

-We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
+If you feel inspired to contribute to Kubescape, check out our [CONTRIBUTING](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md) file to learn how. You can find the issues we are working on (triage to development) on the [Kubescaping board](https://github.com/orgs/kubescape/projects/4/views/1)
+
+* Feel free to pick a task from the [board](https://github.com/orgs/kubescape/projects/4) or suggest a feature of your own.
+* Open an issue on the board. We aim to respond to all issues within 48 hours.
+* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.

 The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

-### Adopters
+For more information about the Kubescape community, please visit [COMMUNITY](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md).

-See [here](ADOPTERS.md) a list of adopters.

-## Contributions
-
-Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
-
-* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
-* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
-* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
+We would like to take this opportunity to thank all our contibutors to date.

 <br>

@@ -105,14 +108,14 @@ Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) f

 ## Changelog

-Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page
+Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page.

 ## License

-Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.

-Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
+Kubescape is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/kubescape/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).

 <div align="center">
-    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/other/cncf-member/incubating/color/cncf-incubating-color.svg" width="300" alt="CNCF Incubating Project">
 </div>
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -4,15 +4,19 @@ header:
  last-reviewed: '2023-10-12'
  expiration-date: '2024-10-12T01:00:00.000Z'
  project-url: https://github.com/kubescape/kubescape/
-  project-release: '1.0.0'
+  project-release: 1.0.0
 project-lifecycle:
  status: active
  bug-fixes-only: false
  core-maintainers:
-  - github:slashben
+  - github:amirmalka
+  - github:amitschendel
+  - github:bezbran
  - github:craigbox
-  - github:matthyx
  - github:dwertent
+  - github:matthyx
+  - github:rotemamsa
+  - github:slashben
 contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: false
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,5 @@
-# Reporting Security Issues
+# Security

-To report a security issue or vulnerability, submit a [private vulnerability report via GitHub](https://github.com/kubescape/kubescape/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+The Kubescape project manages this document in the central project repository.

-The maintainers will respond within 7 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
-
-Other contacts: cncf-kubescape-maintainers@lists.cncf.io
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm AS builder

 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
@@ -8,13 +8,18 @@ RUN --mount=target=. \
    --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg \
    cd httphandler && GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/ksserver .
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    go run downloader/main.go

-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot

 USER nonroot
 WORKDIR /home/nonroot/

 COPY --from=builder /out/ksserver /usr/bin/ksserver
+COPY --from=builder /root/.kubescape /home/nonroot/.kubescape

 ARG image_version client
 ENV RELEASE=$image_version CLIENT=$client
--- a/build/kubescape-cli.Dockerfile
+++ b/build/kubescape-cli.Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/base-debian11:debug-nonroot
+FROM gcr.io/distroless/static-debian12:debug-nonroot

 USER nonroot
 WORKDIR /home/nonroot/
--- a/cmd/config/delete.go
+++ b/cmd/config/delete.go
@@ -1,9 +1,7 @@
 package config

 import (
-	"context"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
@@ -15,7 +13,7 @@ func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
 		Short: "Delete cached configurations",
 		Long:  ``,
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := ks.DeleteCachedConfig(context.TODO(), &v1.DeleteConfig{}); err != nil {
+			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 		},
--- a/cmd/config/set.go
+++ b/cmd/config/set.go
@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
--- a/cmd/config/view.go
+++ b/cmd/config/view.go
@@ -3,7 +3,7 @@ package config
 import (
 	"os"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
--- a/cmd/download/download.go
+++ b/cmd/download/download.go
@@ -1,18 +1,17 @@
 package download

 import (
-	"context"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )

 var (
@@ -74,11 +73,9 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {

 			downloadInfo.Target = args[0]
 			if len(args) >= 2 {
-
 				downloadInfo.Identifier = args[1]
-
 			}
-			if err := ks.Download(context.TODO(), &downloadInfo); err != nil {
+			if err := ks.Download(&downloadInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
--- a/cmd/fix/fix.go
+++ b/cmd/fix/fix.go
@@ -1,14 +1,12 @@
 package fix

 import (
-	"context"
 	"errors"
 	"fmt"

 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-
 	"github.com/spf13/cobra"
 )

@@ -36,7 +34,7 @@ func GetFixCmd(ks meta.IKubescape) *cobra.Command {
 			}
 			fixInfo.ReportFile = args[0]

-			return ks.Fix(context.TODO(), &fixInfo)
+			return ks.Fix(&fixInfo)
 		},
 	}

--- a/cmd/list/list.go
+++ b/cmd/list/list.go
@@ -1,18 +1,17 @@
 package list

 import (
-	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )

 var (
@@ -62,7 +61,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {

 			listPolicies.Target = args[0]

-			if err := ks.List(context.TODO(), &listPolicies); err != nil {
+			if err := ks.List(&listPolicies); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
--- a/cmd/operator/operator.go
+++ b/cmd/operator/operator.go
@@ -6,7 +6,6 @@ import (

 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
 	"github.com/spf13/cobra"
 )

--- a/cmd/patch/README.md
+++ b/cmd/patch/README.md
@@ -47,6 +47,7 @@ The patch command can be run in 2 ways:
 | -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
 | -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
 | --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| --ignore-errors| Ignore errors during patching                          | No       | false                               |
 | -u, --username | Username for the image registry login                  | No       |                                     |
 | -p, --password | Password for the image registry login                  | No       |                                     |
 | -f, --format   | Output file format.                                    | No       |                                     |
--- a/cmd/patch/patch.go
+++ b/cmd/patch/patch.go
@@ -1,22 +1,18 @@
 package patch

 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"

-	ref "github.com/distribution/distribution/reference"
 	"github.com/docker/distribution/reference"
-
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
-
 	"github.com/spf13/cobra"
 )

@@ -53,7 +49,7 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 				return err
 			}

-			results, err := ks.Patch(context.Background(), &patchInfo, &scanInfo)
+			results, err := ks.Patch(&patchInfo, &scanInfo)
 			if err != nil {
 				return err
 			}
@@ -70,6 +66,7 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
 	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+	patchCmd.PersistentFlags().BoolVar(&patchInfo.IgnoreError, "ignore-errors", false, "Ignore errors and continue patching other images. Default to false")

 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Username, "username", "u", "", "Username for registry login")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Password, "password", "p", "", "Password for registry login")
@@ -97,22 +94,22 @@ func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
 	}

 	// Parse the image full name to get image name and tag
-	named, err := ref.ParseNamed(patchInfoImage)
+	named, err := reference.ParseNamed(patchInfoImage)
 	if err != nil {
 		return err
 	}

 	// If no tag or digest is provided, default to 'latest'
-	if ref.IsNameOnly(named) {
+	if reference.IsNameOnly(named) {
 		logger.L().Warning("Image name has no tag or digest, using latest as tag")
-		named = ref.TagNameOnly(named)
+		named = reference.TagNameOnly(named)
 	}
 	patchInfo.Image = named.String()

 	// If no patched image tag is provided, default to '<image-tag>-patched'
 	if patchInfo.PatchedImageTag == "" {

-		taggedName, ok := named.(ref.Tagged)
+		taggedName, ok := named.(reference.Tagged)
 		if !ok {
 			return errors.New("unexpected error while parsing image tag")
 		}
--- a/cmd/prerequisites/prerequisites.go
+++ b/cmd/prerequisites/prerequisites.go
@@ -0,0 +1,46 @@
+package prerequisites
+
+import (
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/kubescape/sizing-checker/pkg/checks/connectivitycheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/ebpfcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/pvcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/sizing"
+	"github.com/kubescape/sizing-checker/pkg/common"
+	"github.com/spf13/cobra"
+)
+
+func GetPreReqCmd(ks meta.IKubescape) *cobra.Command {
+	// preReqCmd represents the prerequisites command
+	preReqCmd := &cobra.Command{
+		Use:   "prerequisites",
+		Short: "Check prerequisites for installing Kubescape Operator",
+		Run: func(cmd *cobra.Command, args []string) {
+			clientSet, inCluster := common.BuildKubeClient()
+			if clientSet == nil {
+				logger.L().Fatal("Could not create kube client. Exiting.")
+			}
+
+			// 1) Collect cluster data
+			clusterData, err := common.CollectClusterData(ks.Context(), clientSet)
+			if err != nil {
+				logger.L().Error("Failed to collect cluster data", helpers.Error(err))
+			}
+
+			// 2) Run checks
+			sizingResult := sizing.RunSizingChecker(clusterData)
+			pvResult := pvcheck.RunPVProvisioningCheck(ks.Context(), clientSet, clusterData, inCluster)
+			connectivityResult := connectivitycheck.RunConnectivityChecks(ks.Context(), clientSet, clusterData, inCluster)
+			ebpfResult := ebpfcheck.RunEbpfCheck(ks.Context(), clientSet, clusterData, inCluster)
+
+			// 3) Build and export the final ReportData
+			finalReport := common.BuildReportData(clusterData, sizingResult, pvResult, connectivityResult, ebpfResult)
+			finalReport.InCluster = inCluster
+
+			common.GenerateOutput(finalReport, inCluster)
+		},
+	}
+	return preReqCmd
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,10 +1,11 @@
 package cmd

 import (
+	"context"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/cmd/completion"
@@ -14,14 +15,15 @@ import (
 	"github.com/kubescape/kubescape/v3/cmd/list"
 	"github.com/kubescape/kubescape/v3/cmd/operator"
 	"github.com/kubescape/kubescape/v3/cmd/patch"
+	"github.com/kubescape/kubescape/v3/cmd/prerequisites"
 	"github.com/kubescape/kubescape/v3/cmd/scan"
 	"github.com/kubescape/kubescape/v3/cmd/update"
+	"github.com/kubescape/kubescape/v3/cmd/vap"
 	"github.com/kubescape/kubescape/v3/cmd/version"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
 	"github.com/spf13/cobra"
 )

@@ -41,8 +43,8 @@ var ksExamples = fmt.Sprintf(`
  %[1]s config view
 `, cautils.ExecName())

-func NewDefaultKubescapeCommand() *cobra.Command {
-	ks := core.NewKubescape()
+func NewDefaultKubescapeCommand(ctx context.Context) *cobra.Command {
+	ks := core.NewKubescape(ctx)
 	return getRootCmd(ks)
 }

@@ -83,8 +85,6 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {

 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")

 	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	// Supported commands
@@ -92,12 +92,14 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(download.GetDownloadCmd(ks))
 	rootCmd.AddCommand(list.GetListCmd(ks))
 	rootCmd.AddCommand(completion.GetCompletionCmd())
-	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd(ks))
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
-	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(update.GetUpdateCmd(ks))
 	rootCmd.AddCommand(fix.GetFixCmd(ks))
 	rootCmd.AddCommand(patch.GetPatchCmd(ks))
+	rootCmd.AddCommand(vap.GetVapHelperCmd())
 	rootCmd.AddCommand(operator.GetOperatorCmd(ks))
+	rootCmd.AddCommand(prerequisites.GetPreReqCmd(ks))

 	// deprecated commands
 	rootCmd.AddCommand(&cobra.Command{
@@ -112,7 +114,7 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	return rootCmd
 }

-func Execute() error {
-	ks := NewDefaultKubescapeCommand()
+func Execute(ctx context.Context) error {
+	ks := NewDefaultKubescapeCommand(ctx)
 	return ks.Execute()
 }
--- a/cmd/rootutils.go
+++ b/cmd/rootutils.go
@@ -8,20 +8,16 @@ import (
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	sdClientV2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/go-logger/iconlogger"
 	"github.com/kubescape/go-logger/zaplogger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
-
 	"github.com/mattn/go-isatty"
 )

 func initLogger() {
-	logger.DisableColor(rootInfo.DisableColor)
-	logger.EnableColor(rootInfo.EnableColor)
-
 	if rootInfo.LoggerName == "" {
 		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
 			rootInfo.LoggerName = l
@@ -35,8 +31,8 @@ func initLogger() {
 	}

 	logger.InitLogger(rootInfo.LoggerName)
-
 }
+
 func initLoggerLevel() {
 	if rootInfo.Logger == helpers.InfoLevel.String() {
 	} else if l := os.Getenv("KS_LOGGER"); l != "" {
@@ -77,7 +73,7 @@ func initEnvironment() {
 	)

 	if err != nil {
-		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		logger.L().Fatal("failed to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
 		return
 	}

--- a/cmd/scan/control.go
+++ b/cmd/scan/control.go
@@ -1,20 +1,17 @@
 package scan

 import (
-	"context"
 	"fmt"
 	"io"
 	"os"
 	"strings"

-	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )

@@ -98,12 +95,11 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 				return err
 			}

-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if err := results.HandleResults(ctx); err != nil {
+			if err := results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			if !scanInfo.VerboseMode {
--- a/cmd/scan/framework.go
+++ b/cmd/scan/framework.go
@@ -1,25 +1,22 @@
 package scan

 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"

-	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
-	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 	"github.com/spf13/cobra"
 )

@@ -115,13 +112,12 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm

 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)

-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}

-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}

--- a/cmd/scan/image.go
+++ b/cmd/scan/image.go
@@ -1,16 +1,14 @@
 package scan

 import (
-	"context"
 	"fmt"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
-
 	"github.com/spf13/cobra"
 )

@@ -25,12 +23,17 @@ var (
  # Scan the 'nginx' image and see the full report 
  %[1]s scan image "nginx" -v

+  # Scan the 'nginx' image and use exceptions
+  %[1]s scan image "nginx" --exceptions exceptions.json
+
 `, cautils.ExecName())
 )

 // getImageCmd returns the scan image command
 func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
 	var imgCredentials shared.ImageCredentials
+	var exceptions string
+
 	cmd := &cobra.Command{
 		Use:     "image <image>:<tag> [flags]",
 		Short:   "Scan an image for vulnerabilities",
@@ -51,12 +54,13 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
 			}

 			imgScanInfo := &metav1.ImageScanInfo{
-				Image:    args[0],
-				Username: imgCredentials.Username,
-				Password: imgCredentials.Password,
+				Image:      args[0],
+				Username:   imgCredentials.Username,
+				Password:   imgCredentials.Password,
+				Exceptions: exceptions,
 			}

-			results, err := ks.ScanImage(context.Background(), imgScanInfo, scanInfo)
+			results, err := ks.ScanImage(imgScanInfo, scanInfo)
 			if err != nil {
 				return err
 			}
@@ -69,6 +73,8 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
 		},
 	}

+	// The exceptions flag
+	cmd.PersistentFlags().StringVarP(&exceptions, "exceptions", "", "", "Path to the exceptions file")
 	cmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
 	cmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")

--- a/cmd/scan/scan.go
+++ b/cmd/scan/scan.go
@@ -1,12 +1,11 @@
 package scan

 import (
-	"context"
 	"flag"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/meta"
@@ -15,12 +14,12 @@ import (
 )

 var scanCmdExamples = fmt.Sprintf(`
-  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
-  
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks
+
  # Scan current cluster
  %[1]s scan

-  # Scan kubernetes manifest files 
+  # Scan kubernetes manifest files
  %[1]s scan .

  # Scan and save the results in the JSON format
@@ -29,7 +28,7 @@ var scanCmdExamples = fmt.Sprintf(`
  # Display all resources
  %[1]s scan --verbose

-  # Scan different clusters from the kubectl context 
+  # Scan different clusters from the kubectl context
  %[1]s scan --kube-context <kubernetes context>
 `, cautils.ExecName())

@@ -64,6 +63,8 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 		},
 	}

+	scanInfo.TriggeredByCLI = true
+
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
@@ -89,6 +90,7 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.EnableRegoPrint, "enable-rego-prints", "", false, "Enable sending to rego prints to the logs (use with debug log level: -l debug)")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")

 	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
@@ -132,15 +134,12 @@ func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
 }

 func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
-
-	ctx := context.TODO()
-
-	results, err := ks.Scan(ctx, &scanInfo)
+	results, err := ks.Scan(&scanInfo)
 	if err != nil {
 		return err
 	}

-	if err = results.HandleResults(ctx); err != nil {
+	if err = results.HandleResults(ks.Context()); err != nil {
 		return err
 	}

--- a/cmd/scan/scan_test.go
+++ b/cmd/scan/scan_test.go
@@ -2,20 +2,18 @@ package scan

 import (
 	"context"
+	"os"
+	"reflect"
+	"testing"

 	"github.com/kubescape/go-logger/helpers"
-	"github.com/stretchr/testify/assert"
-
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/mocks"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-
-	"os"
-	"reflect"
-	"testing"
+	"github.com/stretchr/testify/assert"
 )

 func TestExceedsSeverity(t *testing.T) {
--- a/cmd/scan/workload.go
+++ b/cmd/scan/workload.go
@@ -1,17 +1,15 @@
 package scan

 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
-
 	"github.com/spf13/cobra"
 )

@@ -67,13 +65,12 @@ func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comma
 			setWorkloadScanInfo(scanInfo, kind, name)

 			// todo: add api version if provided
-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}

-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}

--- a/cmd/update/update.go
+++ b/cmd/update/update.go
@@ -5,11 +5,13 @@ package update
 //          kubescape update

 import (
-	"context"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/spf13/cobra"
@@ -24,30 +26,31 @@ var updateCmdExamples = fmt.Sprintf(`
  %[1]s update
 `, cautils.ExecName())

-func GetUpdateCmd() *cobra.Command {
+func GetUpdateCmd(ks meta.IKubescape) *cobra.Command {
 	updateCmd := &cobra.Command{
 		Use:     "update",
 		Short:   "Update to latest release version",
 		Long:    ``,
 		Example: updateCmdExamples,
 		RunE: func(_ *cobra.Command, args []string) error {
-			ctx := context.TODO()
-			v := cautils.NewVersionCheckHandler()
-			versionCheckRequest := cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "update")
-			v.CheckLatestVersion(ctx, versionCheckRequest)
+			v := versioncheck.NewVersionCheckHandler()
+			versionCheckRequest := versioncheck.NewVersionCheckRequest("", versioncheck.BuildNumber, "", "", "update", nil)
+			if err := v.CheckLatestVersion(ks.Context(), versionCheckRequest); err != nil {
+				return err
+			}

 			//Checking the user's version of kubescape to the latest release
-			if cautils.BuildNumber == "" || strings.Contains(cautils.BuildNumber, "rc") {
+			if versioncheck.BuildNumber == "" || strings.Contains(versioncheck.BuildNumber, "rc") {
 				//your version is unknown
 				fmt.Printf("Nothing to update: you are running the development version\n")
-			} else if cautils.LatestReleaseVersion == "" {
+			} else if versioncheck.LatestReleaseVersion == "" {
 				//Failed to check for updates
-				logger.L().Info(("Failed to check for updates"))
-			} else if cautils.BuildNumber == cautils.LatestReleaseVersion {
+				logger.L().Info("Failed to check for updates")
+			} else if versioncheck.BuildNumber == versioncheck.LatestReleaseVersion {
 				//your version == latest version
-				logger.L().Info(("Nothing to update: you are running the latest version"), helpers.String("Version", cautils.BuildNumber))
+				logger.L().Info("Nothing to update: you are running the latest version", helpers.String("Version", versioncheck.BuildNumber))
 			} else {
-				fmt.Printf("Version %s is available. Please refer to our installation documentation: %s\n", cautils.LatestReleaseVersion, installationLink)
+				fmt.Printf("Version %s is available. Please refer to our installation documentation: %s\n", versioncheck.LatestReleaseVersion, installationLink)
 			}
 			return nil
 		},
--- a/cmd/vap/vap.go
+++ b/cmd/vap/vap.go
@@ -0,0 +1,235 @@
+package vap
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var vapHelperCmdExamples = fmt.Sprintf(`
+  vap command can be used for managing Validating Admission Policies in a Kubernetes cluster.
+  This is an experimental feature and it might change.
+
+  Examples:
+
+  # Install Kubescape CEL admission policy library
+  %[1]s vap deploy-library | kubectl apply -f -
+  # Create a policy binding
+  %[1]s vap create-policy-binding --name my-policy-binding --policy c-0016 --namespace=my-namespace | kubectl apply -f -
+`, cautils.ExecName())
+
+func GetVapHelperCmd() *cobra.Command {
+
+	vapHelperCmd := &cobra.Command{
+		Use:     "vap",
+		Short:   "Helper commands for managing Validating Admission Policies in a Kubernetes cluster",
+		Long:    ``,
+		Example: vapHelperCmdExamples,
+	}
+
+	// Create subcommands
+	vapHelperCmd.AddCommand(getDeployLibraryCmd())
+	vapHelperCmd.AddCommand(getCreatePolicyBindingCmd())
+
+	return vapHelperCmd
+}
+
+func getDeployLibraryCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "deploy-library",
+		Short: "Install Kubescape CEL admission policy library",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return deployLibrary()
+		},
+	}
+}
+
+func getCreatePolicyBindingCmd() *cobra.Command {
+	var policyBindingName string
+	var policyName string
+	var namespaceArr []string
+	var labelArr []string
+	var action string
+	var parameterReference string
+
+	createPolicyBindingCmd := &cobra.Command{
+		Use:   "create-policy-binding",
+		Short: "Create a policy binding",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Validate the inputs
+			if err := isValidK8sObjectName(policyBindingName); err != nil {
+				return fmt.Errorf("invalid policy binding name %s: %w", policyBindingName, err)
+			}
+			if err := isValidK8sObjectName(policyName); err != nil {
+				return fmt.Errorf("invalid policy name %s: %w", policyName, err)
+			}
+			for _, namespace := range namespaceArr {
+				if err := isValidK8sObjectName(namespace); err != nil {
+					return fmt.Errorf("invalid namespace %s: %w", namespace, err)
+				}
+			}
+			for _, label := range labelArr {
+				// Label selector must be in the format key=value
+				if !regexp.MustCompile(`^[a-zA-Z0-9]+=[a-zA-Z0-9]+$`).MatchString(label) {
+					return fmt.Errorf("invalid label selector: %s", label)
+				}
+			}
+			if action != "Deny" && action != "Audit" && action != "Warn" {
+				return fmt.Errorf("invalid action: %s", action)
+			}
+			if parameterReference != "" {
+				if err := isValidK8sObjectName(parameterReference); err != nil {
+					return fmt.Errorf("invalid parameter reference %s: %w", parameterReference, err)
+				}
+			}
+
+			return createPolicyBinding(policyBindingName, policyName, action, parameterReference, namespaceArr, labelArr)
+		},
+	}
+	// Must specify the name of the policy binding
+	createPolicyBindingCmd.Flags().StringVarP(&policyBindingName, "name", "n", "", "Name of the policy binding")
+	createPolicyBindingCmd.MarkFlagRequired("name")
+	createPolicyBindingCmd.Flags().StringVarP(&policyName, "policy", "p", "", "Name of the policy to bind the resources to")
+	createPolicyBindingCmd.MarkFlagRequired("policy")
+	createPolicyBindingCmd.Flags().StringSliceVar(&namespaceArr, "namespace", []string{}, "Resource namespace selector")
+	createPolicyBindingCmd.Flags().StringSliceVar(&labelArr, "label", []string{}, "Resource label selector")
+	createPolicyBindingCmd.Flags().StringVarP(&action, "action", "a", "Deny", "Action to take when policy fails")
+	createPolicyBindingCmd.Flags().StringVarP(&parameterReference, "parameter-reference", "r", "", "Parameter reference object name")
+
+	return createPolicyBindingCmd
+}
+
+// Implementation of the VAP helper commands
+// deploy-library
+func deployLibrary() error {
+	logger.L().Info("Downloading the Kubescape CEL admission policy library")
+	// Download the policy-configuration-definition.yaml from the latest release URL
+	policyConfigurationDefinitionURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml"
+	policyConfigurationDefinition, err := downloadFileToString(policyConfigurationDefinitionURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the basic-control-configuration.yaml from the latest release URL
+	basicControlConfigurationURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml"
+	basicControlConfiguration, err := downloadFileToString(basicControlConfigurationURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the kubescape-validating-admission-policies.yaml from the latest release URL
+	kubescapeValidatingAdmissionPoliciesURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml"
+	kubescapeValidatingAdmissionPolicies, err := downloadFileToString(kubescapeValidatingAdmissionPoliciesURL)
+	if err != nil {
+		return err
+	}
+
+	logger.L().Info("Successfully downloaded admission policy library")
+
+	// Print the downloaded files to the STDOUT for the user to apply connecting them to a single YAML with ---
+	fmt.Println(policyConfigurationDefinition)
+	fmt.Println("---")
+	fmt.Println(basicControlConfiguration)
+	fmt.Println("---")
+	fmt.Println(kubescapeValidatingAdmissionPolicies)
+
+	return nil
+}
+
+func downloadFileToString(url string) (string, error) {
+	// Send an HTTP GET request to the URL
+	response, err := http.Get(url) //nolint:gosec
+	if err != nil {
+		return "", err // Return an empty string and the error if the request fails
+	}
+	defer response.Body.Close()
+
+	// Check for a successful response (HTTP 200 OK)
+	if response.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download file: %s", response.Status)
+	}
+
+	// Read the response body
+	bodyBytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err // Return an empty string and the error if reading fails
+	}
+
+	// Convert the byte slice to a string
+	bodyString := string(bodyBytes)
+	return bodyString, nil
+}
+
+func isValidK8sObjectName(name string) error {
+	// Kubernetes object names must consist of lower case alphanumeric characters, '-' or '.',
+	// and must start and end with an alphanumeric character (e.g., 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
+	// Max length of 63 characters.
+	if len(name) > 63 {
+		return errors.New("name should be less than 63 characters")
+	}
+
+	regex := regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+	if !regex.MatchString(name) {
+		return errors.New("name should consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character")
+	}
+
+	return nil
+}
+
+// Create a policy binding
+func createPolicyBinding(bindingName string, policyName string, action string, paramRefName string, namespaceArr []string, labelMatch []string) error {
+	// Create a policy binding struct
+	policyBinding := &admissionv1.ValidatingAdmissionPolicyBinding{}
+	// Print the policy binding after marshalling it to YAML to the STDOUT
+	// The user can apply the output to the cluster
+	policyBinding.APIVersion = "admissionregistration.k8s.io/v1"
+	policyBinding.Name = bindingName
+	policyBinding.Kind = "ValidatingAdmissionPolicyBinding"
+	policyBinding.Spec.PolicyName = policyName
+	policyBinding.Spec.MatchResources = &admissionv1.MatchResources{}
+	if len(namespaceArr) > 0 {
+		policyBinding.Spec.MatchResources.NamespaceSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "kubernetes.io/metadata.name",
+					Operator: metav1.LabelSelectorOpIn,
+					Values:   namespaceArr,
+				},
+			},
+		}
+	}
+
+	if len(labelMatch) > 0 {
+		policyBinding.Spec.MatchResources.ObjectSelector = &metav1.LabelSelector{}
+		policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels = make(map[string]string)
+		for _, label := range labelMatch {
+			labelParts := regexp.MustCompile(`=`).Split(label, 2)
+			policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels[labelParts[0]] = labelParts[1]
+		}
+	}
+
+	policyBinding.Spec.ValidationActions = []admissionv1.ValidationAction{admissionv1.ValidationAction(action)}
+	if paramRefName != "" {
+		policyBinding.Spec.ParamRef = &admissionv1.ParamRef{
+			Name: paramRefName,
+		}
+	}
+	// Marshal the policy binding to YAML
+	out, err := yaml.Marshal(policyBinding)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(out))
+	return nil
+}
--- a/cmd/vap/vap_test.go
+++ b/cmd/vap/vap_test.go
@@ -0,0 +1,10 @@
+package vap
+
+import (
+	"testing"
+)
+
+func TestGetVapHelperCmd(t *testing.T) {
+	// Call the GetFixCmd function
+	_ = GetVapHelperCmd()
+}
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -1,23 +1,26 @@
 package version

 import (
-	"context"
 	"fmt"

-	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/spf13/cobra"
 )

-func GetVersionCmd() *cobra.Command {
+func GetVersionCmd(ks meta.IKubescape) *cobra.Command {
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Get current version",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := context.TODO()
-			v := cautils.NewIVersionCheckHandler(ctx)
-			versionCheckRequest := cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version")
-			v.CheckLatestVersion(ctx, versionCheckRequest)
+			v := versioncheck.NewIVersionCheckHandler(ks.Context())
+			versionCheckRequest := versioncheck.NewVersionCheckRequest("", versioncheck.BuildNumber, "", "", "version", nil)
+			if err := v.CheckLatestVersion(ks.Context(), versionCheckRequest); err != nil {
+				return err
+			}
+
 			fmt.Fprintf(cmd.OutOrStdout(),
 				"Your current version is: %s\n",
 				versionCheckRequest.ClientVersion,
--- a/cmd/version/version_test.go
+++ b/cmd/version/version_test.go
@@ -2,10 +2,13 @@ package version

 import (
 	"bytes"
+	"context"
 	"io"
 	"testing"

-	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/stretchr/testify/assert"
 )

@@ -28,9 +31,10 @@ func TestGetVersionCmd(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cautils.BuildNumber = tt.buildNumber
+			versioncheck.BuildNumber = tt.buildNumber

-			if cmd := GetVersionCmd(); cmd != nil {
+			ks := core.NewKubescape(context.TODO())
+			if cmd := GetVersionCmd(ks); cmd != nil {
 				buf := bytes.NewBufferString("")
 				cmd.SetOut(buf)
 				cmd.Execute()
--- a/core/cautils/buildinfo.go
+++ b/core/cautils/buildinfo.go
@@ -0,0 +1,21 @@
+package cautils
+
+import (
+	"os"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+)
+
+var BuildNumber string
+var Client string
+
+func init() {
+	if BuildNumber != "" {
+		versioncheck.BuildNumber = BuildNumber
+	} else {
+		versioncheck.BuildNumber = os.Getenv("RELEASE")
+	}
+	if Client != "" {
+		versioncheck.Client = Client
+	}
+}
--- a/core/cautils/customerloader.go
+++ b/core/cautils/customerloader.go
@@ -7,18 +7,17 @@ import (
 	"path/filepath"
 	"regexp"

-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"github.com/google/uuid"
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	servicediscoveryv2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 const (
--- a/core/cautils/datastructures.go
+++ b/core/cautils/datastructures.go
@@ -59,6 +59,7 @@ type OPASessionObj struct {
 	SingleResourceScan    workloadinterface.IWorkload        // single resource scan
 	TopWorkloadsByScore   []reporthandling.IResource
 	TemplateMapping       map[string]MappingNodes // Map chart obj to template (only for rendering from path)
+	TriggeredByCLI        bool
 }

 func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources K8SResources, scanInfo *ScanInfo) *OPASessionObj {
@@ -75,6 +76,7 @@ func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework
 		SessionID:             scanInfo.ScanID,
 		Metadata:              scanInfoToScanMetadata(ctx, scanInfo),
 		OmitRawResources:      scanInfo.OmitRawResources,
+		TriggeredByCLI:        scanInfo.TriggeredByCLI,
 		TemplateMapping:       make(map[string]MappingNodes),
 	}
 }
--- a/core/cautils/datastructuresmethods.go
+++ b/core/cautils/datastructuresmethods.go
@@ -1,11 +1,11 @@
 package cautils

 import (
-	"golang.org/x/mod/semver"
-
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"golang.org/x/mod/semver"
 )

 func NewPolicies() *Policies {
@@ -63,7 +63,7 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, excludedRul
 //  1. Rule is compatible with the current kubescape version
 //  2. Rule fits the current scanning scope
 func ShouldSkipRule(control reporthandling.Control, rule reporthandling.PolicyRule, scanningScope reporthandling.ScanningScopeType) bool {
-	if !isRuleKubescapeVersionCompatible(rule.Attributes, BuildNumber) {
+	if !isRuleKubescapeVersionCompatible(rule.Attributes, versioncheck.BuildNumber) {
 		return true
 	}
 	if !isControlFitToScanScope(control, scanningScope) {
--- a/core/cautils/datastructuresmethods_test.go
+++ b/core/cautils/datastructuresmethods_test.go
@@ -239,3 +239,59 @@ func TestIsFrameworkFitToScanScope(t *testing.T) {
 		})
 	}
 }
+
+var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
+var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
+var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
+var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
+var rule_invalid_from = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": 1.0135, "useUntilKubescapeVersion": "v1.0.135"}}}
+var rule_invalid_until = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.135", "useUntilKubescapeVersion": 1.0135}}}
+
+func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
+	// local build- no build number
+
+	// should not crash when the value of useUntilKubescapeVersion is not a string
+	buildNumberMock := "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_from.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_until.Attributes, buildNumberMock))
+	// should use only rules that don't have "until"
+	buildNumberMock = ""
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.130"
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.132"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.133"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+}
--- a/core/cautils/display.go
+++ b/core/cautils/display.go
@@ -9,7 +9,7 @@ import (

 	spinnerpkg "github.com/briandowns/spinner"
 	"github.com/jwalton/gchalk"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
 	"github.com/schollz/progressbar/v3"
--- a/core/cautils/fileutils.go
+++ b/core/cautils/fileutils.go
@@ -7,16 +7,14 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	"gopkg.in/yaml.v3"
 )

@@ -38,7 +36,7 @@ type Chart struct {
 }

 // LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
-func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, map[string]Chart, map[string]MappingNodes) {
+func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, map[string]Chart) {
 	directories, _ := listDirs(basePath)
 	helmDirectories := make([]string, 0)
 	for _, dir := range directories {
@@ -49,17 +47,14 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri

 	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
 	sourceToChart := make(map[string]Chart, 0)
-	sourceToNodes := map[string]MappingNodes{}
 	for _, helmDir := range helmDirectories {
 		chart, err := NewHelmChart(helmDir)
 		if err == nil {
-			wls, templateToNodes, errs := chart.GetWorkloadsWithDefaultValues()
+			wls, errs := chart.GetWorkloadsWithDefaultValues()
 			if len(errs) > 0 {
 				logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
-			sourceToNodes = templateToNodes
-
 			chartName := chart.GetName()
 			for k, v := range wls {
 				sourceToWorkloads[k] = v
@@ -68,12 +63,9 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri
 					Path: helmDir,
 				}
 			}
-			// for k, v := range templateMappings {
-			// 	sourceToNodes[k] = v
-			// }
 		}
 	}
-	return sourceToWorkloads, sourceToChart, sourceToNodes
+	return sourceToWorkloads, sourceToChart
 }

 // If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
--- a/core/cautils/fileutils_test.go
+++ b/core/cautils/fileutils_test.go
@@ -45,7 +45,7 @@ func TestLoadResourcesFromFiles(t *testing.T) {
 }

 func TestLoadResourcesFromHelmCharts(t *testing.T) {
-	sourceToWorkloads, sourceToChartName, _ := LoadResourcesFromHelmCharts(context.TODO(), helmChartPath())
+	sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(context.TODO(), helmChartPath())
 	assert.Equal(t, 6, len(sourceToWorkloads))

 	for file, workloads := range sourceToWorkloads {
--- a/core/cautils/getter/downloadreleasedpolicy.go
+++ b/core/cautils/getter/downloadreleasedpolicy.go
@@ -5,11 +5,9 @@ import (
 	"strings"

 	"github.com/armosec/armoapi-go/armotypes"
-
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-
-	"github.com/kubescape/regolibrary/gitregostore"
+	"github.com/kubescape/regolibrary/v2/gitregostore"
 )

 // =======================================================================================================================
@@ -29,7 +27,7 @@ type DownloadReleasedPolicy struct {

 func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	return &DownloadReleasedPolicy{
-		gs: gitregostore.NewDefaultGitRegoStore(-1),
+		gs: gitregostore.NewGitRegoStoreV2(-1),
 	}
 }

--- a/core/cautils/helmchart.go
+++ b/core/cautils/helmchart.go
@@ -1,16 +1,14 @@
 package cautils

 import (
-	"fmt"
 	"path/filepath"
 	"strconv"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	helmchart "helm.sh/helm/v3/pkg/chart"
 	helmloader "helm.sh/helm/v3/pkg/chart/loader"
 	helmchartutil "helm.sh/helm/v3/pkg/chartutil"
@@ -46,38 +44,24 @@ func (hc *HelmChart) GetDefaultValues() map[string]interface{} {
 	return hc.chart.Values
 }

-// GetWorkloads renders chart template using the default values and returns a map of source file to its workloads
-func (hc *HelmChart) GetWorkloadsWithDefaultValues() (map[string][]workloadinterface.IMetadata, map[string]MappingNodes, []error) {
+// GetWorkloadsWithDefaultValues renders chart template using the default values and returns a map of source file to its workloads
+func (hc *HelmChart) GetWorkloadsWithDefaultValues() (map[string][]workloadinterface.IMetadata, []error) {
 	return hc.GetWorkloads(hc.GetDefaultValues())
 }

 // GetWorkloads renders chart template using the provided values and returns a map of source (absolute) file path to its workloads
-func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]workloadinterface.IMetadata, map[string]MappingNodes, []error) {
+func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]workloadinterface.IMetadata, []error) {
 	vals, err := helmchartutil.ToRenderValues(hc.chart, values, helmchartutil.ReleaseOptions{}, nil)
 	if err != nil {
-		return nil, nil, []error{err}
+		return nil, []error{err}
 	}
-
-	// change the chart to template with comment, only is template(.yaml added otherwise no)
-	hc.AddCommentToTemplate()
-
 	sourceToFile, err := helmengine.Render(hc.chart, vals)
 	if err != nil {
-		return nil, nil, []error{err}
+		return nil, []error{err}
 	}

-	// get the resouse and analysis and store it to the struct
-	fileMapping := make(map[string]MappingNodes)
-	err = GetTemplateMapping(sourceToFile, fileMapping)
-	if err != nil {
-		return nil, nil, []error{err}
-	}
-
-	// delete the comment from chart and from sourceToFile
-	RemoveComment(sourceToFile)
-
-	workloads := make(map[string][]workloadinterface.IMetadata, 0)
-	errs := []error{}
+	workloads := make(map[string][]workloadinterface.IMetadata)
+	var errs []error

 	for path, renderedYaml := range sourceToFile {
 		if !IsYaml(strings.ToLower(path)) {
@@ -91,14 +75,9 @@ func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]w
 		if len(wls) == 0 {
 			continue
 		}
-		if firstPathSeparatorIndex := strings.Index(path, string("/")); firstPathSeparatorIndex != -1 {
+		if firstPathSeparatorIndex := strings.Index(path, "/"); firstPathSeparatorIndex != -1 {
 			absPath := filepath.Join(hc.path, path[firstPathSeparatorIndex:])

-			if nodes, ok := fileMapping[path]; ok {
-				fileMapping[absPath] = nodes
-				delete(fileMapping, path)
-			}
-
 			workloads[absPath] = []workloadinterface.IMetadata{}
 			for i := range wls {
 				lw := localworkload.NewLocalWorkload(wls[i].GetObject())
@@ -107,7 +86,7 @@ func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]w
 			}
 		}
 	}
-	return workloads, fileMapping, errs
+	return workloads, errs
 }

 func (hc *HelmChart) AddCommentToTemplate() {
@@ -126,27 +105,3 @@ func (hc *HelmChart) AddCommentToTemplate() {
 		}
 	}
 }
-
-func RemoveComment(sourceToFile map[string]string) {
-	// commentRe := regexp.MustCompile(CommentFormat)
-	for fileName, file := range sourceToFile {
-		if !IsYaml(strings.ToLower((fileName))) {
-			continue
-		}
-		sourceToFile[fileName] = commentRe.ReplaceAllLiteralString(file, "")
-	}
-}
-
-func GetTemplateMapping(sourceToFile map[string]string, fileMapping map[string]MappingNodes) error {
-	for fileName, fileContent := range sourceToFile {
-		mappingNodes, err := GetMapping(fileName, fileContent)
-		if err != nil {
-			err = fmt.Errorf("GetMapping wrong, err: %s", err.Error())
-			return err
-		}
-		if len(mappingNodes.Nodes) != 0 {
-			fileMapping[fileName] = *mappingNodes
-		}
-	}
-	return nil
-}
--- a/core/cautils/helmchart_test.go
+++ b/core/cautils/helmchart_test.go
@@ -83,7 +83,7 @@ func (s *HelmChartTestSuite) TestGetWorkloadsWithOverride() {
 	// Override default value
 	values["image"].(map[string]interface{})["pullPolicy"] = "Never"

-	fileToWorkloads, _, errs := chart.GetWorkloads(values)
+	fileToWorkloads, errs := chart.GetWorkloads(values)
 	s.Len(errs, 0)

 	s.Lenf(fileToWorkloads, len(s.expectedFiles), "Expected %d files", len(s.expectedFiles))
@@ -111,7 +111,7 @@ func (s *HelmChartTestSuite) TestGetWorkloadsMissingValue() {
 	values := chart.GetDefaultValues()
 	delete(values, "image")

-	fileToWorkloads, _, errs := chart.GetWorkloads(values)
+	fileToWorkloads, errs := chart.GetWorkloads(values)
 	s.Nil(fileToWorkloads)
 	s.Len(errs, 1, "Expected an error due to missing value")

--- a/core/cautils/kustomizedirectory.go
+++ b/core/cautils/kustomizedirectory.go
@@ -4,11 +4,10 @@ import (
 	"os"
 	"path/filepath"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	"sigs.k8s.io/kustomize/api/krusty"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
--- a/core/cautils/normalize_image_name.go
+++ b/core/cautils/normalize_image_name.go
@@ -1,7 +1,7 @@
 package cautils

 import (
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 )

 func NormalizeImageName(img string) (string, error) {
--- a/core/cautils/parseFile.go
+++ b/core/cautils/parseFile.go
@@ -1,13 +1,12 @@
 package cautils

 import (
-	"errors"
 	"fmt"
 	"regexp"
 	"strconv"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/mikefarah/yq/v4/pkg/yqlib"
 	"gopkg.in/op/go-logging.v1"
 )
@@ -78,7 +77,7 @@ func GetMapping(fileName string, fileContent string) (*MappingNodes, error) {
 			expression := fmt.Sprintf(lineExpression, index)
 			output, err := getYamlLineInfo(expression, fileContent)
 			if err != nil {
-				return nil, fmt.Errorf("getYamlLineInfo wrong, the err is %s", err.Error())
+				return nil, err
 			}

 			path := extractParameter(pathRe, output, "$path")
@@ -184,7 +183,7 @@ func getInfoFromOne(output string, lastNumber int, isMapType bool) (value string
 func getYamlLineInfo(expression string, yamlFile string) (string, error) {
 	out, err := exectuateYq(expression, yamlFile)
 	if err != nil {
-		return "", fmt.Errorf("exectuateYq err: %s", err.Error())
+		return "", fmt.Errorf("exectuate yqlib err: %s", err.Error())
 	}
 	return out, nil
 }
@@ -203,7 +202,7 @@ func exectuateYq(expression string, yamlContent string) (string, error) {

 	out, err := stringEvaluator.Evaluate(expression, yamlContent, encoder, decoder)
 	if err != nil {
-		return "", errors.New("no matches found")
+		return "", fmt.Errorf("no matches found")
 	}
 	return out, err
 }
--- a/core/cautils/rbac.go
+++ b/core/cautils/rbac.go
@@ -4,10 +4,9 @@ import (
 	"encoding/json"
 	"time"

-	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
-
 	"github.com/google/uuid"
 	"github.com/kubescape/k8s-interface/workloadinterface"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 	"github.com/kubescape/rbac-utils/rbacscanner"
 	"github.com/kubescape/rbac-utils/rbacutils"
 )
@@ -85,7 +84,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRole")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -95,7 +94,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("Role")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -105,7 +104,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -115,7 +114,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("RoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
--- a/core/pkg/resourcehandler/remotegitutils.go
+++ b/core/pkg/resourcehandler/remotegitutils.go
@@ -1,6 +1,7 @@
-package resourcehandler
+package cautils

 import (
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	nethttp "net/http"
@@ -12,8 +13,44 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	giturl "github.com/kubescape/go-git-url"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 )

+var tmpDirPaths map[string]string
+
+func hashRepoURL(repoURL string) string {
+	h := sha256.New()
+	h.Write([]byte(repoURL))
+	return string(h.Sum(nil))
+}
+
+func getDirPath(repoURL string) string {
+	if tmpDirPaths == nil {
+		return ""
+	}
+	return tmpDirPaths[hashRepoURL(repoURL)]
+}
+
+// Create a temporary directory this function is called once
+func createTempDir(repoURL string) (string, error) {
+	tmpDirPath := getDirPath(repoURL)
+	if tmpDirPath != "" {
+		return tmpDirPath, nil
+	}
+	// create temp directory
+	tmpDir, err := os.MkdirTemp("", "")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary directory: %w", err)
+	}
+	if tmpDirPaths == nil {
+		tmpDirPaths = make(map[string]string)
+	}
+	tmpDirPaths[hashRepoURL(repoURL)] = tmpDir
+
+	return tmpDir, nil
+}
+
 // To Check if the given repository is Public(No Authentication needed), send a HTTP GET request to the URL
 // If response code is 200, the repository is Public.
 func isGitRepoPublic(u string) bool {
@@ -55,34 +92,38 @@ func getProviderError(gitURL giturl.IGitAPI) error {

 // cloneRepo clones a repository to a local temporary directory and returns the directory
 func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
-
-	// Create temp directory
-	tmpDir, err := os.MkdirTemp("", "")
-	if err != nil {
-		return "", fmt.Errorf("failed to create temporary directory: %w", err)
-	}
-
-	// Get the URL to clone
 	cloneURL := gitURL.GetHttpCloneURL()

-	isGitRepoPublic := isGitRepoPublic(cloneURL)
+	// Check if directory exists
+	if p := getDirPath(cloneURL); p != "" {
+		// directory exists, meaning this repo was cloned
+		return p, nil
+	}
+	// Get the URL to clone
+
+	// Create temp directory
+	tmpDir, err := createTempDir(cloneURL)
+	if err != nil {
+		return "", err
+	}
+
+	isGitTokenPresent := isGitTokenPresent(gitURL)

 	// Declare the authentication variable required for cloneOptions
 	var auth transport.AuthMethod

-	if isGitRepoPublic {
-		// No authentication needed if repository is public
-		auth = nil
-	} else {
-
-		// Return Error if the AUTH_TOKEN is not present
-		if isGitTokenPresent := isGitTokenPresent(gitURL); !isGitTokenPresent {
-			return "", getProviderError(gitURL)
-		}
+	if isGitTokenPresent {
 		auth = &http.BasicAuth{
 			Username: "x-token-auth",
 			Password: gitURL.GetToken(),
 		}
+	} else {
+		// If the repository is public, no authentication is needed
+		if isGitRepoPublic(cloneURL) {
+			auth = nil
+		} else {
+			return "", getProviderError(gitURL)
+		}
 	}

 	// For Azure repo cloning
@@ -102,6 +143,42 @@ func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to clone %s. %w", gitURL.GetRepoName(), err)
 	}
+	// tmpDir = filepath.Join(tmpDir, gitURL.GetRepoName())
+	tmpDirPaths[hashRepoURL(cloneURL)] = tmpDir

 	return tmpDir, nil
 }
+
+// CloneGitRepo clone git repository
+func CloneGitRepo(path *string) (string, error) {
+	var clonedDir string
+
+	gitURL, err := giturl.NewGitAPI(*path)
+	if err != nil {
+		return "", nil
+	}
+
+	// Clone git repository if needed
+	logger.L().Start("cloning", helpers.String("repository url", gitURL.GetURL().String()))
+
+	clonedDir, err = cloneRepo(gitURL)
+	if err != nil {
+		logger.L().StopError("failed to clone git repo", helpers.String("url", gitURL.GetURL().String()), helpers.Error(err))
+		return "", fmt.Errorf("failed to clone git repo '%s',  %w", gitURL.GetURL().String(), err)
+	}
+	*path = clonedDir
+
+	logger.L().StopSuccess("Done accessing remote repo")
+
+	return clonedDir, nil
+}
+
+func GetClonedPath(path string) string {
+
+	gitURL, err := giturl.NewGitAPI(path)
+	if err != nil {
+		return ""
+	}
+
+	return getDirPath(gitURL.GetHttpCloneURL())
+}
--- a/core/pkg/resourcehandler/remotegitutils_test.go
+++ b/core/pkg/resourcehandler/remotegitutils_test.go
@@ -1,4 +1,4 @@
-package resourcehandler
+package cautils

 import (
 	"errors"
@@ -93,3 +93,63 @@ func TestCloneRepo(t *testing.T) {
 		})
 	}
 }
+func TestGetClonedPath(t *testing.T) {
+	testCases := []struct {
+		name     string
+		path     string
+		expected string
+	}{
+		{
+			name:     "Valid Git URL",
+			path:     "https://github.com/kubescape/kubescape.git",
+			expected: "/path/to/cloned/repo", // replace with the expected path
+		},
+		{
+			name:     "Invalid Git URL",
+			path:     "invalid",
+			expected: "",
+		},
+	}
+	tmpDirPaths = make(map[string]string)
+	tmpDirPaths[hashRepoURL("https://github.com/kubescape/kubescape.git")] = "/path/to/cloned/repo" // replace with the actual path
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := GetClonedPath(tc.path)
+			if result != tc.expected {
+				t.Errorf("Expected %q, got %q", tc.expected, result)
+			}
+		})
+	}
+}
+func TestGetDirPath(t *testing.T) {
+	testCases := []struct {
+		name     string
+		repoURL  string
+		expected string
+	}{
+		{
+			name:     "Existing Repo URL",
+			repoURL:  "https://github.com/user/repo.git",
+			expected: "/path/to/cloned/repo", // replace with the expected path
+		},
+		{
+			name:     "Non-Existing Repo URL",
+			repoURL:  "https://github.com/user/nonexistentrepo.git",
+			expected: "",
+		},
+	}
+
+	// Initialize tmpDirPaths
+	tmpDirPaths = make(map[string]string)
+	tmpDirPaths[hashRepoURL("https://github.com/user/repo.git")] = "/path/to/cloned/repo" // replace with the actual path
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := getDirPath(tc.repoURL)
+			if result != tc.expected {
+				t.Errorf("Expected %q, got %q", tc.expected, result)
+			}
+		})
+	}
+}
--- a/core/cautils/rootinfo.go
+++ b/core/cautils/rootinfo.go
@@ -10,8 +10,6 @@ type RootInfo struct {
 	Logger             string // logger level
 	LoggerName         string // logger name ("pretty"/"zap"/"none")
 	CacheDir           string // cached dir
-	DisableColor       bool   // Disable Color
-	EnableColor        bool   // Force enable Color
 	DiscoveryServerURL string // Discovery Server URL  (See https://github.com/kubescape/backend/tree/main/pkg/servicediscovery)
 	KubeContext        string //  context name
 }
--- a/core/cautils/scaninfo.go
+++ b/core/cautils/scaninfo.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/google/uuid"
+	"github.com/kubescape/backend/pkg/versioncheck"
 	giturl "github.com/kubescape/go-git-url"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -17,27 +19,22 @@ import (
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/reporthandling"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
-
-	"github.com/google/uuid"
 )

 type ScanningContext string

 const (
-	ContextCluster  ScanningContext = "cluster"
-	ContextFile     ScanningContext = "single-file"
-	ContextDir      ScanningContext = "local-dir"
-	ContextGitURL   ScanningContext = "git-url"
-	ContextGitLocal ScanningContext = "git-local"
+	ContextCluster   ScanningContext = "cluster"
+	ContextFile      ScanningContext = "single-file"
+	ContextDir       ScanningContext = "local-dir"
+	ContextGitLocal  ScanningContext = "git-local"
+	ContextGitRemote ScanningContext = "git-remote"
 )

 const ( // deprecated
 	ScopeCluster = "cluster"
-	ScopeYAML    = "yaml"
 )
 const (
-	// ScanCluster                string = "cluster"
-	// ScanLocalFiles             string = "yaml"
 	localControlInputsFilename string = "controls-inputs.json"
 	LocalExceptionsFilename    string = "exceptions.json"
 	LocalAttackTracksFilename  string = "attack-tracks.json"
@@ -110,8 +107,8 @@ type ScanInfo struct {
 	UseFrom               []string                     // Load framework from local file (instead of download). Use when running offline
 	UseDefault            bool                         // Load framework from cached file (instead of download). Use when running offline
 	UseArtifactsFrom      string                       // Load artifacts from local path. Use when running offline
-	VerboseMode           bool                         // Display all of the input resources and not only failed resources
-	View                  string                       // Display all of the input resources and not only failed resources
+	VerboseMode           bool                         // Display all the input resources and not only failed resources
+	View                  string                       //
 	Format                string                       // Format results (table, json, junit ...)
 	Output                string                       // Store results in an output file, Output file name
 	FormatVersion         string                       // Output object can be different between versions, this is for testing and backward compatibility
@@ -134,12 +131,16 @@ type ScanInfo struct {
 	ScanAll               bool                         // true if scan all frameworks
 	OmitRawResources      bool                         // true if omit raw resources from the output
 	PrintAttackTree       bool                         // true if print attack tree
+	EnableRegoPrint       bool                         // true if print rego
 	ScanObject            *objectsenvelopes.ScanObject // identifies a single resource (k8s object) to be scanned
 	IsDeletedScanObject   bool                         // indicates whether the ScanObject is a deleted K8S resource
+	TriggeredByCLI        bool                         // indicates whether the scan was triggered by the CLI
 	ScanType              ScanTypes
 	ScanImages            bool
 	ChartPath             string
 	FilePath              string
+	scanningContext       *ScanningContext
+	cleanups              []func()
 }

 type Getters struct {
@@ -155,7 +156,12 @@ func (scanInfo *ScanInfo) Init(ctx context.Context) {
 	if scanInfo.ScanID == "" {
 		scanInfo.ScanID = uuid.NewString()
 	}
+}

+func (scanInfo *ScanInfo) Cleanup() {
+	for _, cleanup := range scanInfo.cleanups {
+		cleanup()
+	}
 }

 func (scanInfo *ScanInfo) setUseArtifactsFrom(ctx context.Context) {
@@ -259,7 +265,7 @@ func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthand
 		metadata.ScanMetadata.TargetNames = append(metadata.ScanMetadata.TargetNames, policy.Identifier)
 	}

-	metadata.ScanMetadata.KubescapeVersion = BuildNumber
+	metadata.ScanMetadata.KubescapeVersion = versioncheck.BuildNumber
 	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
 	metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
 	metadata.ScanMetadata.ComplianceThreshold = scanInfo.ComplianceThreshold
@@ -267,51 +273,63 @@ func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthand
 	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
 	metadata.ScanMetadata.ControlsInputs = scanInfo.ControlsInputs

-	inputFiles := ""
-	if len(scanInfo.InputPatterns) > 0 {
-		inputFiles = scanInfo.InputPatterns[0]
-	}
-	switch GetScanningContext(inputFiles) {
+	switch scanInfo.GetScanningContext() {
 	case ContextCluster:
 		// cluster
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Cluster
 	case ContextFile:
 		// local file
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.File
-	case ContextGitURL:
-		// url
-		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Repo
 	case ContextGitLocal:
 		// local-git
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.GitLocal
+	case ContextGitRemote:
+		// remote
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Repo
 	case ContextDir:
 		// directory
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Directory

 	}

-	setContextMetadata(ctx, &metadata.ContextMetadata, inputFiles)
+	scanInfo.setContextMetadata(ctx, &metadata.ContextMetadata)

 	return metadata
 }

-func (scanInfo *ScanInfo) GetScanningContext() ScanningContext {
+func (scanInfo *ScanInfo) GetInputFiles() string {
 	if len(scanInfo.InputPatterns) > 0 {
-		return GetScanningContext(scanInfo.InputPatterns[0])
+		return scanInfo.InputPatterns[0]
 	}
-	return GetScanningContext("")
+	return ""
 }

-// GetScanningContext get scanning context from the input param
-func GetScanningContext(input string) ScanningContext {
+func (scanInfo *ScanInfo) GetScanningContext() ScanningContext {
+	if scanInfo.scanningContext == nil {
+		scanningContext := scanInfo.getScanningContext(scanInfo.GetInputFiles())
+		scanInfo.scanningContext = &scanningContext
+	}
+	return *scanInfo.scanningContext
+}
+
+// getScanningContext get scanning context from the input param
+// this function should be called only once. Call GetScanningContext() to get the scanning context
+func (scanInfo *ScanInfo) getScanningContext(input string) ScanningContext {
 	//  cluster
 	if input == "" {
 		return ContextCluster
 	}

-	// url
+	// git url
 	if _, err := giturl.NewGitURL(input); err == nil {
-		return ContextGitURL
+		if repo, err := CloneGitRepo(&input); err == nil {
+			if _, err := NewLocalGitRepository(repo); err == nil {
+				scanInfo.cleanups = append(scanInfo.cleanups, func() {
+					_ = os.RemoveAll(repo)
+				})
+				return ContextGitRemote
+			}
+		}
 	}

 	if !filepath.IsAbs(input) { // parse path
@@ -333,19 +351,14 @@ func GetScanningContext(input string) ScanningContext {
 	//  dir/glob
 	return ContextDir
 }
-func setContextMetadata(ctx context.Context, contextMetadata *reporthandlingv2.ContextMetadata, input string) {
-	switch GetScanningContext(input) {
+
+func (scanInfo *ScanInfo) setContextMetadata(ctx context.Context, contextMetadata *reporthandlingv2.ContextMetadata) {
+	input := scanInfo.GetInputFiles()
+	switch scanInfo.GetScanningContext() {
 	case ContextCluster:
 		contextMetadata.ClusterContextMetadata = &reporthandlingv2.ClusterMetadata{
 			ContextName: k8sinterface.GetContextName(),
 		}
-	case ContextGitURL:
-		// url
-		context, err := metadataGitURL(input)
-		if err != nil {
-			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitURL), helpers.Error(err))
-		}
-		contextMetadata.RepoContextMetadata = context
 	case ContextDir:
 		contextMetadata.DirectoryContextMetadata = &reporthandlingv2.DirectoryContextMetadata{
 			BasePath: getAbsPath(input),
@@ -377,43 +390,21 @@ func setContextMetadata(ctx context.Context, contextMetadata *reporthandlingv2.C
 		}
 	case ContextGitLocal:
 		// local
-		context, err := metadataGitLocal(input)
+		repoContext, err := metadataGitLocal(input)
 		if err != nil {
-			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitURL), helpers.Error(err))
+			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitLocal), helpers.Error(err))
 		}
-		contextMetadata.RepoContextMetadata = context
+		contextMetadata.RepoContextMetadata = repoContext
+	case ContextGitRemote:
+		// remote
+		repoContext, err := metadataGitLocal(GetClonedPath(input))
+		if err != nil {
+			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitRemote), helpers.Error(err))
+		}
+		contextMetadata.RepoContextMetadata = repoContext
 	}
 }

-func metadataGitURL(input string) (*reporthandlingv2.RepoContextMetadata, error) {
-	context := &reporthandlingv2.RepoContextMetadata{}
-	gitParser, err := giturl.NewGitAPI(input)
-	if err != nil {
-		return context, fmt.Errorf("%w", err)
-	}
-	if gitParser.GetBranchName() == "" {
-		gitParser.SetDefaultBranchName()
-	}
-	context.Provider = gitParser.GetProvider()
-	context.Repo = gitParser.GetRepoName()
-	context.Owner = gitParser.GetOwnerName()
-	context.Branch = gitParser.GetBranchName()
-	context.RemoteURL = gitParser.GetURL().String()
-
-	commit, err := gitParser.GetLatestCommit()
-	if err != nil {
-		return context, fmt.Errorf("%w", err)
-	}
-
-	context.LastCommit = reporthandling.LastCommit{
-		Hash:          commit.SHA,
-		Date:          commit.Committer.Date,
-		CommitterName: commit.Committer.Name,
-	}
-
-	return context, nil
-}
-
 func metadataGitLocal(input string) (*reporthandlingv2.RepoContextMetadata, error) {
 	gitParser, err := NewLocalGitRepository(input)
 	if err != nil {
@@ -423,31 +414,31 @@ func metadataGitLocal(input string) (*reporthandlingv2.RepoContextMetadata, erro
 	if err != nil {
 		return nil, fmt.Errorf("%w", err)
 	}
-	context := &reporthandlingv2.RepoContextMetadata{}
+	repoContext := &reporthandlingv2.RepoContextMetadata{}
 	gitParserURL, err := giturl.NewGitURL(remoteURL)
 	if err != nil {
-		return context, fmt.Errorf("%w", err)
+		return repoContext, fmt.Errorf("%w", err)
 	}
 	gitParserURL.SetBranchName(gitParser.GetBranchName())

-	context.Provider = gitParserURL.GetProvider()
-	context.Repo = gitParserURL.GetRepoName()
-	context.Owner = gitParserURL.GetOwnerName()
-	context.Branch = gitParserURL.GetBranchName()
-	context.RemoteURL = gitParserURL.GetURL().String()
+	repoContext.Provider = gitParserURL.GetProvider()
+	repoContext.Repo = gitParserURL.GetRepoName()
+	repoContext.Owner = gitParserURL.GetOwnerName()
+	repoContext.Branch = gitParserURL.GetBranchName()
+	repoContext.RemoteURL = gitParserURL.GetURL().String()

 	commit, err := gitParser.GetLastCommit()
 	if err != nil {
-		return context, fmt.Errorf("%w", err)
+		return repoContext, fmt.Errorf("%w", err)
 	}
-	context.LastCommit = reporthandling.LastCommit{
+	repoContext.LastCommit = reporthandling.LastCommit{
 		Hash:          commit.SHA,
 		Date:          commit.Committer.Date,
 		CommitterName: commit.Committer.Name,
 	}
-	context.LocalRootPath, _ = gitParser.GetRootDir()
+	repoContext.LocalRootPath, _ = gitParser.GetRootDir()

-	return context, nil
+	return repoContext, nil
 }
 func getHostname() string {
 	if h, e := os.Hostname(); e == nil {
@@ -464,11 +455,3 @@ func getAbsPath(p string) string {
 	}
 	return p
 }
-
-// ScanningContextToScanningScope convert the context to the deprecated scope
-func ScanningContextToScanningScope(scanningContext ScanningContext) string {
-	if scanningContext == ContextCluster {
-		return ScopeCluster
-	}
-	return ScopeYAML
-}
--- a/core/cautils/scaninfo_test.go
+++ b/core/cautils/scaninfo_test.go
@@ -3,17 +3,19 @@ package cautils
 import (
 	"context"
 	"os"
-	"path/filepath"
 	"testing"

+	"github.com/go-git/go-git/v5"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestSetContextMetadata(t *testing.T) {
 	{
 		ctx := reporthandlingv2.ContextMetadata{}
-		setContextMetadata(context.TODO(), &ctx, "")
+		scanInfo := &ScanInfo{}
+		scanInfo.setContextMetadata(context.TODO(), &ctx)

 		assert.NotNil(t, ctx.ClusterContextMetadata)
 		assert.Nil(t, ctx.DirectoryContextMetadata)
@@ -42,13 +44,57 @@ func TestGetHostname(t *testing.T) {
 }

 func TestGetScanningContext(t *testing.T) {
-	// Test with empty input
-	assert.Equal(t, ContextCluster, GetScanningContext(""))
-
-	// Test with Git URL input
-	assert.Equal(t, ContextGitURL, GetScanningContext("https://github.com/kubescape/kubescape"))
-
-	// TODO: Add more tests with other input types
+	repoRoot, err := os.MkdirTemp("", "repo")
+	require.NoError(t, err)
+	defer func(name string) {
+		_ = os.Remove(name)
+	}(repoRoot)
+	_, err = git.PlainClone(repoRoot, false, &git.CloneOptions{
+		URL: "https://github.com/kubescape/http-request",
+	})
+	require.NoError(t, err)
+	tmpFile, err := os.CreateTemp("", "single.*.txt")
+	require.NoError(t, err)
+	defer func(name string) {
+		_ = os.Remove(name)
+	}(tmpFile.Name())
+	tests := []struct {
+		name  string
+		input string
+		want  ScanningContext
+	}{
+		{
+			name:  "empty input",
+			input: "",
+			want:  ContextCluster,
+		},
+		{
+			name:  "git URL input",
+			input: "https://github.com/kubescape/http-request",
+			want:  ContextGitRemote,
+		},
+		{
+			name:  "local git input",
+			input: repoRoot,
+			want:  ContextGitLocal,
+		},
+		{
+			name:  "single file input",
+			input: tmpFile.Name(),
+			want:  ContextFile,
+		},
+		{
+			name:  "directory input",
+			input: os.TempDir(),
+			want:  ContextDir,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			scanInfo := &ScanInfo{}
+			assert.Equalf(t, tt.want, scanInfo.getScanningContext(tt.input), "GetScanningContext(%v)", tt.input)
+		})
+	}
 }

 func TestScanInfoFormats(t *testing.T) {
@@ -77,30 +123,3 @@ func TestScanInfoFormats(t *testing.T) {
 		})
 	}
 }
-
-func TestGetScanningContextWithFile(t *testing.T) {
-	// Test with a file
-	dir, err := os.MkdirTemp("", "example")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(dir)
-
-	filePath := filepath.Join(dir, "file.txt")
-	if _, err := os.Create(filePath); err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Equal(t, ContextFile, GetScanningContext(filePath))
-}
-
-func TestGetScanningContextWithDir(t *testing.T) {
-	// Test with a directory
-	dir, err := os.MkdirTemp("", "example")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(dir)
-
-	assert.Equal(t, ContextDir, GetScanningContext(dir))
-}
--- a/core/cautils/versioncheck.go
+++ b/core/cautils/versioncheck.go
@@ -1,186 +0,0 @@
-package cautils
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/armosec/utils-go/boolutils"
-	utils "github.com/kubescape/backend/pkg/utils"
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v3/core/cautils/getter"
-	"github.com/mattn/go-isatty"
-	"go.opentelemetry.io/otel"
-	"golang.org/x/mod/semver"
-)
-
-const SKIP_VERSION_CHECK_DEPRECATED_ENV = "KUBESCAPE_SKIP_UPDATE_CHECK"
-const SKIP_VERSION_CHECK_ENV = "KS_SKIP_UPDATE_CHECK"
-const CLIENT_ENV = "KS_CLIENT"
-
-var BuildNumber string
-var Client string
-var LatestReleaseVersion string
-
-const UnknownBuildNumber = "unknown"
-
-type IVersionCheckHandler interface {
-	CheckLatestVersion(context.Context, *VersionCheckRequest) error
-}
-
-func NewIVersionCheckHandler(ctx context.Context) IVersionCheckHandler {
-	if BuildNumber == "" {
-		logger.L().Ctx(ctx).Warning("Unknown build number: this might affect your scan results. Please ensure that you are running the latest version.")
-	}
-
-	if v, ok := os.LookupEnv(CLIENT_ENV); ok && v != "" {
-		Client = v
-	}
-
-	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK_ENV); ok && boolutils.StringToBool(v) {
-		return NewVersionCheckHandlerMock()
-	} else if v, ok := os.LookupEnv(SKIP_VERSION_CHECK_DEPRECATED_ENV); ok && boolutils.StringToBool(v) {
-		return NewVersionCheckHandlerMock()
-	}
-	return NewVersionCheckHandler()
-}
-
-type VersionCheckHandlerMock struct {
-}
-
-func NewVersionCheckHandlerMock() *VersionCheckHandlerMock {
-	return &VersionCheckHandlerMock{}
-}
-
-type VersionCheckHandler struct {
-	versionURL string
-}
-type VersionCheckRequest struct {
-	Client           string `json:"client"`           // kubescape
-	ClientBuild      string `json:"clientBuild"`      // client build environment
-	ClientVersion    string `json:"clientVersion"`    // kubescape version
-	Framework        string `json:"framework"`        // framework name
-	FrameworkVersion string `json:"frameworkVersion"` // framework version
-	ScanningTarget   string `json:"target"`           // Deprecated
-	ScanningContext  string `json:"context"`          // scanning context- cluster/file/gitURL/localGit/dir
-	TriggeredBy      string `json:"triggeredBy"`      // triggered by - cli/ ci / microservice
-}
-
-type VersionCheckResponse struct {
-	Client          string `json:"client"`          // kubescape
-	ClientUpdate    string `json:"clientUpdate"`    // kubescape latest version
-	Framework       string `json:"framework"`       // framework name
-	FrameworkUpdate string `json:"frameworkUpdate"` // framework latest version
-	Message         string `json:"message"`         // alert message
-}
-
-func NewVersionCheckHandler() *VersionCheckHandler {
-	return &VersionCheckHandler{
-		versionURL: "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
-	}
-}
-
-func getTriggerSource() string {
-	if strings.Contains(os.Args[0], "ksserver") {
-		return "microservice"
-	}
-
-	if !isatty.IsTerminal(os.Stdin.Fd()) && !isatty.IsCygwinTerminal(os.Stdin.Fd()) {
-		// non-interactive shell
-		return "pipeline"
-	}
-
-	if os.Getenv("GITHUB_ACTIONS") == "true" {
-		return "pipeline"
-	}
-
-	return "cli"
-}
-
-func NewVersionCheckRequest(buildNumber, frameworkName, frameworkVersion, scanningTarget string) *VersionCheckRequest {
-	if buildNumber == "" {
-		buildNumber = UnknownBuildNumber
-	}
-
-	if scanningTarget == "" {
-		scanningTarget = "unknown"
-	}
-
-	if Client == "" {
-		Client = "local-build"
-	}
-
-	return &VersionCheckRequest{
-		Client:           "kubescape",
-		ClientBuild:      Client,
-		ClientVersion:    buildNumber,
-		Framework:        frameworkName,
-		FrameworkVersion: frameworkVersion,
-		ScanningTarget:   scanningTarget,
-		TriggeredBy:      getTriggerSource(),
-	}
-}
-
-func (v *VersionCheckHandlerMock) CheckLatestVersion(_ context.Context, _ *VersionCheckRequest) error {
-	logger.L().Info("Skipping version check")
-	return nil
-}
-
-func (v *VersionCheckHandler) CheckLatestVersion(ctx context.Context, versionData *VersionCheckRequest) error {
-	ctx, span := otel.Tracer("").Start(ctx, "versionCheckHandler.CheckLatestVersion")
-	defer span.End()
-	defer func() {
-		if err := recover(); err != nil {
-			logger.L().Ctx(ctx).Warning("failed to get latest version", helpers.Interface("error", err))
-		}
-	}()
-
-	latestVersion, err := v.getLatestVersion(versionData)
-	if err != nil || latestVersion == nil {
-		return fmt.Errorf("failed to get latest version")
-	}
-
-	LatestReleaseVersion = latestVersion.ClientUpdate
-
-	if latestVersion.ClientUpdate != "" {
-		if BuildNumber != "" && semver.Compare(BuildNumber, LatestReleaseVersion) == -1 {
-			logger.L().Ctx(ctx).Warning(warningMessage(LatestReleaseVersion))
-		}
-	}
-
-	// TODO - Enable after supporting framework version
-	// if latestVersion.FrameworkUpdate != "" {
-	// 	fmt.Println(warningMessage(latestVersion.Framework, latestVersion.FrameworkUpdate))
-	// }
-
-	if latestVersion.Message != "" {
-		logger.L().Info(latestVersion.Message)
-	}
-
-	return nil
-}
-
-func (v *VersionCheckHandler) getLatestVersion(versionData *VersionCheckRequest) (*VersionCheckResponse, error) {
-
-	reqBody, err := json.Marshal(*versionData)
-	if err != nil {
-		return nil, fmt.Errorf("in 'CheckLatestVersion' failed to json.Marshal, reason: %s", err.Error())
-	}
-
-	rdr, _, err := getter.HTTPPost(http.DefaultClient, v.versionURL, reqBody, map[string]string{"Content-Type": "application/json"})
-
-	vResp, err := utils.Decode[*VersionCheckResponse](rdr)
-	if err != nil {
-		return nil, err
-	}
-
-	return vResp, nil
-}
-
-func warningMessage(release string) string {
-	return fmt.Sprintf("current version '%s' is not updated to the latest release: '%s'", BuildNumber, release)
-}
--- a/core/cautils/versioncheck_test.go
+++ b/core/cautils/versioncheck_test.go
@@ -1,193 +0,0 @@
-package cautils
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"reflect"
-	"testing"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/mod/semver"
-)
-
-func TestGetKubernetesObjects(t *testing.T) {
-}
-
-var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
-var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
-var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
-var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
-var rule_invalid_from = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useFromKubescapeVersion": 1.0135, "useUntilKubescapeVersion": "v1.0.135"}}}
-var rule_invalid_until = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
-	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.135", "useUntilKubescapeVersion": 1.0135}}}
-
-func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
-	// local build- no build number
-
-	// should not crash when the value of useUntilKubescapeVersion is not a string
-	buildNumberMock := "v1.0.135"
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_from.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_until.Attributes, buildNumberMock))
-	// should use only rules that don't have "until"
-	buildNumberMock = ""
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
-	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
-
-	// should only use rules that version is in range of use
-	buildNumberMock = "v1.0.130"
-	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
-
-	// should only use rules that version is in range of use
-	buildNumberMock = "v1.0.132"
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
-	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
-
-	// should only use rules that version is in range of use
-	buildNumberMock = "v1.0.133"
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
-	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
-
-	// should only use rules that version is in range of use
-	buildNumberMock = "v1.0.135"
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
-	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
-	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
-}
-
-func TestCheckLatestVersion_Semver_Compare(t *testing.T) {
-	assert.Equal(t, -1, semver.Compare("v2.0.150", "v2.0.151"))
-	assert.Equal(t, 0, semver.Compare("v2.0.150", "v2.0.150"))
-	assert.Equal(t, 1, semver.Compare("v2.0.150", "v2.0.149"))
-	assert.Equal(t, -1, semver.Compare("v2.0.150", "v3.0.150"))
-
-}
-
-func TestCheckLatestVersion(t *testing.T) {
-	type args struct {
-		ctx         context.Context
-		versionData *VersionCheckRequest
-		versionURL  string
-	}
-	tests := []struct {
-		name string
-		args args
-		err  error
-	}{
-		{
-			name: "Get latest version",
-			args: args{
-				ctx:         context.Background(),
-				versionData: &VersionCheckRequest{},
-				versionURL:  "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
-			},
-			err: nil,
-		},
-		{
-			name: "Failed to get latest version",
-			args: args{
-				ctx:         context.Background(),
-				versionData: &VersionCheckRequest{},
-				versionURL:  "https://example.com",
-			},
-			err: fmt.Errorf("failed to get latest version"),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			v := &VersionCheckHandler{
-				versionURL: tt.args.versionURL,
-			}
-			err := v.CheckLatestVersion(tt.args.ctx, tt.args.versionData)
-
-			assert.Equal(t, tt.err, err)
-		})
-	}
-}
-
-func TestVersionCheckHandler_getLatestVersion(t *testing.T) {
-	type fields struct {
-		versionURL string
-	}
-	type args struct {
-		versionData *VersionCheckRequest
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		want    *VersionCheckResponse
-		wantErr bool
-	}{
-		{
-			name: "Get latest version",
-			fields: fields{
-				versionURL: "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
-			},
-			args: args{
-				versionData: &VersionCheckRequest{
-					Client: "kubescape",
-				},
-			},
-			want: &VersionCheckResponse{
-				Client:       "kubescape",
-				ClientUpdate: "v3.0.0",
-			},
-			wantErr: false,
-		},
-		{
-			name: "Failed to get latest version",
-			fields: fields{
-				versionURL: "https://example.com",
-			},
-			args: args{
-				versionData: &VersionCheckRequest{},
-			},
-			want:    nil,
-			wantErr: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			v := &VersionCheckHandler{
-				versionURL: tt.fields.versionURL,
-			}
-			got, err := v.getLatestVersion(tt.args.versionData)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("VersionCheckHandler.getLatestVersion() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("VersionCheckHandler.getLatestVersion() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestGetTriggerSource(t *testing.T) {
-	// Running in github actions pipeline
-	os.Setenv("GITHUB_ACTIONS", "true")
-	source := getTriggerSource()
-	assert.Equal(t, "pipeline", source)
-
-	os.Args[0] = "ksserver"
-	source = getTriggerSource()
-	assert.Equal(t, "microservice", source)
-}
--- a/core/core/cachedconfig.go
+++ b/core/core/cachedconfig.go
@@ -1,7 +1,6 @@
 package core

 import (
-	"context"
 	"fmt"

 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -35,8 +34,8 @@ func (ks *Kubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
 	return nil
 }

-func (ks *Kubescape) DeleteCachedConfig(ctx context.Context, deleteConfig *metav1.DeleteConfig) error {
+func (ks *Kubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {

 	tenant := cautils.GetTenantConfig("", "", "", "", nil) // change k8sinterface
-	return tenant.DeleteCachedConfig(ctx)
+	return tenant.DeleteCachedConfig(ks.Context())
 }
--- a/core/core/clusterconnector.go
+++ b/core/core/clusterconnector.go
@@ -83,7 +83,10 @@ func (a *OperatorAdapter) httpPostOperatorScanRequest(body apis.Commands) (strin
 		return "", err
 	}
 	defer resp.Body.Close()
-	return httputils.HttpRespToString(resp)
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("http-error: %d", resp.StatusCode)
+	}
+	return "success", nil
 }

 func (a *OperatorAdapter) OperatorScan() (string, error) {
--- a/core/core/download.go
+++ b/core/core/download.go
@@ -8,7 +8,7 @@ import (
 	"sort"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
@@ -44,12 +44,12 @@ func DownloadSupportCommands() []string {
 	return commands
 }

-func (ks *Kubescape) Download(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
+func (ks *Kubescape) Download(downloadInfo *metav1.DownloadInfo) error {
 	setPathAndFilename(downloadInfo)
 	if err := os.MkdirAll(downloadInfo.Path, os.ModePerm); err != nil {
 		return err
 	}
-	if err := downloadArtifact(ctx, downloadInfo, downloadFunc); err != nil {
+	if err := downloadArtifact(ks.Context(), downloadInfo, downloadFunc); err != nil {
 		return err
 	}
 	return nil
--- a/core/core/fix.go
+++ b/core/core/fix.go
@@ -1,13 +1,11 @@
 package core

 import (
-	"context"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-
 	"github.com/kubescape/kubescape/v3/core/pkg/fixhandler"
 )

@@ -17,14 +15,14 @@ const (
 	confirmationQuestion = "Would you like to apply the changes to the files above? [y|n]: "
 )

-func (ks *Kubescape) Fix(ctx context.Context, fixInfo *metav1.FixInfo) error {
+func (ks *Kubescape) Fix(fixInfo *metav1.FixInfo) error {
 	logger.L().Info("Reading report file...")
 	handler, err := fixhandler.NewFixHandler(fixInfo)
 	if err != nil {
 		return err
 	}

-	resourcesToFix := handler.PrepareResourcesToFix(ctx)
+	resourcesToFix := handler.PrepareResourcesToFix(ks.Context())

 	if len(resourcesToFix) == 0 {
 		logger.L().Info(noResourcesToFix)
@@ -43,12 +41,12 @@ func (ks *Kubescape) Fix(ctx context.Context, fixInfo *metav1.FixInfo) error {
 		return nil
 	}

-	updatedFilesCount, errors := handler.ApplyChanges(ctx, resourcesToFix)
+	updatedFilesCount, errors := handler.ApplyChanges(ks.Context(), resourcesToFix)
 	logger.L().Info(fmt.Sprintf("Fixed resources in %d files.", updatedFilesCount))

 	if len(errors) > 0 {
 		for _, err := range errors {
-			logger.L().Ctx(ctx).Warning(err.Error())
+			logger.L().Ctx(ks.Context()).Warning(err.Error())
 		}
 		return fmt.Errorf("Failed to fix some resources, check the logs for more details")
 	}
--- a/core/core/image_scan.go
+++ b/core/core/image_scan.go
@@ -1,18 +1,167 @@
 package core

 import (
-	"context"
+	"encoding/json"
 	"fmt"
+	"os"
+	"regexp"
+	"strings"

 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	ksmetav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
 )

-func (ks *Kubescape) ScanImage(ctx context.Context, imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+// Data structure to represent attributes
+type Attributes struct {
+	Registry     string `json:"registry"`
+	Organization string `json:"organization,omitempty"`
+	ImageName    string `json:"imageName"`
+	ImageTag     string `json:"imageTag,omitempty"`
+}
+
+// Data structure for a target
+type Target struct {
+	DesignatorType string     `json:"designatorType"`
+	Attributes     Attributes `json:"attributes"`
+}
+
+// Data structure for metadata
+type Metadata struct {
+	Name string `json:"name"`
+}
+
+// Data structure for vulnerabilities and severities
+type VulnerabilitiesIgnorePolicy struct {
+	Metadata        Metadata `json:"metadata"`
+	Kind            string   `json:"kind"`
+	Targets         []Target `json:"targets"`
+	Vulnerabilities []string `json:"vulnerabilities"`
+	Severities      []string `json:"severities"`
+}
+
+// Loads excpetion policies from exceptions json object.
+func GetImageExceptionsFromFile(filePath string) ([]VulnerabilitiesIgnorePolicy, error) {
+	// Read the JSON file
+	jsonFile, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading exceptions file: %w", err)
+	}
+
+	// Unmarshal the JSON data into an array of VulnerabilitiesIgnorePolicy
+	var policies []VulnerabilitiesIgnorePolicy
+	err = json.Unmarshal(jsonFile, &policies)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshaling exceptions file: %w", err)
+	}
+
+	return policies, nil
+}
+
+// This function will identify the registry, organization and image tag from the image name
+func getAttributesFromImage(imgName string) (Attributes, error) {
+	canonicalImageName, err := cautils.NormalizeImageName(imgName)
+	if err != nil {
+		return Attributes{}, err
+	}
+
+	tokens := strings.Split(canonicalImageName, "/")
+	registry := tokens[0]
+	organization := tokens[1]
+
+	imageNameAndTag := strings.Split(tokens[2], ":")
+	imageName := imageNameAndTag[0]
+
+	// Intialize the image tag with default value
+	imageTag := "latest"
+	if len(imageNameAndTag) > 1 {
+		imageTag = imageNameAndTag[1]
+	}
+
+	attributes := Attributes{
+		Registry:     registry,
+		Organization: organization,
+		ImageName:    imageName,
+		ImageTag:     imageTag,
+	}
+
+	return attributes, nil
+}
+
+// Checks if the target string matches the regex pattern
+func regexStringMatch(pattern, target string) bool {
+	re, err := regexp.Compile(pattern)
+	if err != nil {
+		logger.L().StopError(fmt.Sprintf("Failed to generate regular expression: %s", err))
+		return false
+	}
+
+	if re.MatchString(target) {
+		return true
+	}
+
+	return false
+}
+
+// Compares the registry, organization, image name, image tag against the targets specified
+// in the exception policy object to check if the image being scanned qualifies for an
+// exception policy.
+func isTargetImage(targets []Target, attributes Attributes) bool {
+	for _, target := range targets {
+		return regexStringMatch(target.Attributes.Registry, attributes.Registry) && regexStringMatch(target.Attributes.Organization, attributes.Organization) && regexStringMatch(target.Attributes.ImageName, attributes.ImageName) && regexStringMatch(target.Attributes.ImageTag, attributes.ImageTag)
+	}
+
+	return false
+}
+
+// Generates a list of unique CVE-IDs and the severities which are to be excluded for
+// the image being scanned.
+func getUniqueVulnerabilitiesAndSeverities(policies []VulnerabilitiesIgnorePolicy, image string) ([]string, []string) {
+	// Create maps with slices as values to store unique vulnerabilities and severities (case-insensitive)
+	uniqueVulns := make(map[string][]string)
+	uniqueSevers := make(map[string][]string)
+
+	imageAttributes, err := getAttributesFromImage(image)
+	if err != nil {
+		logger.L().StopError(fmt.Sprintf("Failed to generate image attributes: %s", err))
+	}
+
+	// Iterate over each policy and its vulnerabilities/severities
+	for _, policy := range policies {
+		// Include the exceptions only if the image is one of the targets
+		if isTargetImage(policy.Targets, imageAttributes) {
+			for _, vulnerability := range policy.Vulnerabilities {
+				// Add to slice directly
+				vulnerabilityUppercase := strings.ToUpper(vulnerability)
+				uniqueVulns[vulnerabilityUppercase] = append(uniqueVulns[vulnerabilityUppercase], vulnerability)
+			}
+
+			for _, severity := range policy.Severities {
+				// Add to slice directly
+				severityUppercase := strings.ToUpper(severity)
+				uniqueSevers[severityUppercase] = append(uniqueSevers[severityUppercase], severity)
+			}
+		}
+	}
+
+	// Extract unique keys (which are unique vulnerabilities/severities) and their slices
+	uniqueVulnsList := make([]string, 0, len(uniqueVulns))
+	for vuln := range uniqueVulns {
+		uniqueVulnsList = append(uniqueVulnsList, vuln)
+	}
+
+	uniqueSeversList := make([]string, 0, len(uniqueSevers))
+	for sever := range uniqueSevers {
+		uniqueSeversList = append(uniqueSeversList, sever)
+	}
+
+	return uniqueVulnsList, uniqueSeversList
+}
+
+func (ks *Kubescape) ScanImage(imgScanInfo *ksmetav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
 	logger.L().Start(fmt.Sprintf("Scanning image %s...", imgScanInfo.Image))

 	dbCfg, _ := imagescan.NewDefaultDBConfig()
@@ -23,7 +172,19 @@ func (ks *Kubescape) ScanImage(ctx context.Context, imgScanInfo *ksmetav1.ImageS
 		Password: imgScanInfo.Password,
 	}

-	scanResults, err := svc.Scan(ctx, imgScanInfo.Image, creds)
+	var vulnerabilityExceptions []string
+	var severityExceptions []string
+	if imgScanInfo.Exceptions != "" {
+		exceptionPolicies, err := GetImageExceptionsFromFile(imgScanInfo.Exceptions)
+		if err != nil {
+			logger.L().StopError(fmt.Sprintf("Failed to load exceptions from file: %s", imgScanInfo.Exceptions))
+			return nil, err
+		}
+
+		vulnerabilityExceptions, severityExceptions = getUniqueVulnerabilitiesAndSeverities(exceptionPolicies, imgScanInfo.Image)
+	}
+
+	scanResults, err := svc.Scan(ks.Context(), imgScanInfo.Image, creds, vulnerabilityExceptions, severityExceptions)
 	if err != nil {
 		logger.L().StopError(fmt.Sprintf("Failed to scan image: %s", imgScanInfo.Image))
 		return nil, err
@@ -33,9 +194,9 @@ func (ks *Kubescape) ScanImage(ctx context.Context, imgScanInfo *ksmetav1.ImageS

 	scanInfo.SetScanType(cautils.ScanTypeImage)

-	outputPrinters := GetOutputPrinters(scanInfo, ctx, "")
+	outputPrinters := GetOutputPrinters(scanInfo, ks.Context(), "")

-	uiPrinter := GetUIPrinter(ctx, scanInfo, "")
+	uiPrinter := GetUIPrinter(ks.Context(), scanInfo, "")

 	resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)

@@ -46,5 +207,5 @@ func (ks *Kubescape) ScanImage(ctx context.Context, imgScanInfo *ksmetav1.ImageS
 		},
 	}

-	return scanResults, resultsHandler.HandleResults(ctx)
+	return scanResults, resultsHandler.HandleResults(ks.Context())
 }
--- a/core/core/image_scan_test.go
+++ b/core/core/image_scan_test.go
@@ -0,0 +1,420 @@
+package core
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetImageExceptionsFromFile(t *testing.T) {
+	tests := []struct {
+		filePath         string
+		expectedPolicies []VulnerabilitiesIgnorePolicy
+		expectedErr      error
+	}{
+		{
+			filePath: "./testdata/exceptions.json",
+			expectedPolicies: []VulnerabilitiesIgnorePolicy{
+				{
+					Metadata: Metadata{
+						Name: "medium-severity-vulnerabilites-exceptions",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "docker.io",
+								Organization: "",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{},
+					Severities:      []string{"medium"},
+				},
+				{
+					Metadata: Metadata{
+						Name: "exclude-allowed-hostPath-control",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "",
+								Organization: "",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-42366", "CVE-2023-42365"},
+					Severities:      []string{"critical", "low"},
+				},
+				{
+					Metadata: Metadata{
+						Name: "regex-example",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "quay.*",
+								Organization: "kube*",
+								ImageName:    "kubescape*",
+								ImageTag:     "v2*",
+							},
+						},
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "docker.io",
+								Organization: ".*",
+								ImageName:    "kube*",
+								ImageTag:     "v3*",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-6879", "CVE-2023-44487"},
+					Severities:      []string{"critical", "low"},
+				},
+			},
+			expectedErr: nil,
+		},
+		{
+			filePath:         "./testdata/empty_exceptions.json",
+			expectedPolicies: []VulnerabilitiesIgnorePolicy{},
+			expectedErr:      nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.filePath, func(t *testing.T) {
+			policies, err := GetImageExceptionsFromFile(tt.filePath)
+			assert.Equal(t, tt.expectedPolicies, policies)
+			assert.Equal(t, tt.expectedErr, err)
+		})
+	}
+}
+
+func TestGetAttributesFromImage(t *testing.T) {
+	tests := []struct {
+		imageName          string
+		expectedAttributes Attributes
+		expectedErr        error
+	}{
+		{
+			imageName: "quay.io/kubescape/kubescape-cli:v3.0.0",
+			expectedAttributes: Attributes{
+				Registry:     "quay.io",
+				Organization: "kubescape",
+				ImageName:    "kubescape-cli",
+				ImageTag:     "v3.0.0",
+			},
+			expectedErr: nil,
+		},
+		{
+			imageName: "alpine",
+			expectedAttributes: Attributes{
+				Registry:     "docker.io",
+				Organization: "library",
+				ImageName:    "alpine",
+				ImageTag:     "latest",
+			},
+			expectedErr: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.imageName, func(t *testing.T) {
+			attributes, err := getAttributesFromImage(tt.imageName)
+			assert.Equal(t, tt.expectedErr, err)
+			assert.Equal(t, tt.expectedAttributes, attributes)
+		})
+	}
+}
+
+func TestRegexStringMatch(t *testing.T) {
+	tests := []struct {
+		pattern  string
+		target   string
+		expected bool
+	}{
+		{
+			pattern:  ".*",
+			target:   "quay.io",
+			expected: true,
+		},
+		{
+			pattern:  "kubescape",
+			target:   "kubescape",
+			expected: true,
+		},
+		{
+			pattern:  "kubescape*",
+			target:   "kubescape-cli",
+			expected: true,
+		},
+		{
+			pattern:  "",
+			target:   "v3.0.0",
+			expected: true,
+		},
+		{
+			pattern:  "docker.io",
+			target:   "quay.io",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.target+"/"+tt.pattern, func(t *testing.T) {
+			assert.Equal(t, tt.expected, regexStringMatch(tt.pattern, tt.target))
+		})
+	}
+}
+
+func TestIsTargetImage(t *testing.T) {
+	tests := []struct {
+		targets    []Target
+		attributes Attributes
+		expected   bool
+	}{
+		{
+			targets: []Target{
+				{
+					Attributes: Attributes{
+						Registry:     "docker.io",
+						Organization: ".*",
+						ImageName:    ".*",
+						ImageTag:     "",
+					},
+				},
+			},
+			attributes: Attributes{
+				Registry:     "quay.io",
+				Organization: "kubescape",
+				ImageName:    "kubescape-cli",
+				ImageTag:     "v3.0.0",
+			},
+			expected: false,
+		},
+		{
+			targets: []Target{
+				{
+					Attributes: Attributes{
+						Registry:     "quay.io",
+						Organization: "kubescape",
+						ImageName:    "kubescape*",
+						ImageTag:     "",
+					},
+				},
+			},
+			attributes: Attributes{
+				Registry:     "quay.io",
+				Organization: "kubescape",
+				ImageName:    "kubescape-cli",
+				ImageTag:     "v3.0.0",
+			},
+			expected: true,
+		},
+		{
+			targets: []Target{
+				{
+					Attributes: Attributes{
+						Registry:     "docker.io",
+						Organization: "library",
+						ImageName:    "alpine",
+						ImageTag:     "",
+					},
+				},
+			},
+			attributes: Attributes{
+				Registry:     "docker.io",
+				Organization: "library",
+				ImageName:    "alpine",
+				ImageTag:     "latest",
+			},
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.attributes.Registry+"/"+tt.attributes.ImageName, func(t *testing.T) {
+			assert.Equal(t, tt.expected, isTargetImage(tt.targets, tt.attributes))
+		})
+	}
+}
+
+func TestGetVulnerabilitiesAndSeverities(t *testing.T) {
+	tests := []struct {
+		policies                []VulnerabilitiesIgnorePolicy
+		image                   string
+		expectedVulnerabilities []string
+		expectedSeverities      []string
+	}{
+		{
+			policies: []VulnerabilitiesIgnorePolicy{
+				{
+					Metadata: Metadata{
+						Name: "vulnerabilites-exceptions",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "",
+								Organization: "kubescape*",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-42365"},
+					Severities:      []string{},
+				},
+				{
+					Metadata: Metadata{
+						Name: "exclude-allowed-hostPath-control",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "docker.io",
+								Organization: "",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-42366", "CVE-2023-42365"},
+					Severities:      []string{"critical", "low"},
+				},
+			},
+			image:                   "quay.io/kubescape/kubescape-cli:v3.0.0",
+			expectedVulnerabilities: []string{"CVE-2023-42365"},
+			expectedSeverities:      []string{},
+		},
+		{
+			policies: []VulnerabilitiesIgnorePolicy{
+				{
+					Metadata: Metadata{
+						Name: "medium-severity-vulnerabilites-exceptions",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "",
+								Organization: "",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{},
+					Severities:      []string{"medium"},
+				},
+				{
+					Metadata: Metadata{
+						Name: "exclude-allowed-hostPath-control",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "quay.io",
+								Organization: "",
+								ImageName:    "",
+								ImageTag:     "",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-42366", "CVE-2023-42365"},
+					Severities:      []string{},
+				},
+			},
+			image:                   "alpine",
+			expectedVulnerabilities: []string{},
+			expectedSeverities:      []string{"MEDIUM"},
+		},
+		{
+			policies: []VulnerabilitiesIgnorePolicy{
+				{
+					Metadata: Metadata{
+						Name: "regex-example",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry:     "quay.io",
+								Organization: "kube*",
+								ImageName:    "kubescape*",
+								ImageTag:     ".*",
+							},
+						},
+					},
+					Vulnerabilities: []string{},
+					Severities:      []string{"critical"},
+				},
+				{
+					Metadata: Metadata{
+						Name: "only-for-docker-registry",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								Registry: "docker.io",
+								ImageTag: "v3*",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2023-42366", "CVE-2022-28391"},
+					Severities:      []string{"high"},
+				},
+				{
+					Metadata: Metadata{
+						Name: "exclude-allowed-hostPath-control",
+					},
+					Kind: "VulnerabilitiesIgnorePolicy",
+					Targets: []Target{
+						{
+							DesignatorType: "Attributes",
+							Attributes: Attributes{
+								ImageTag: "v3*",
+							},
+						},
+					},
+					Vulnerabilities: []string{"CVE-2022-30065", "CVE-2022-28391"},
+					Severities:      []string{},
+				},
+			},
+			image:                   "quay.io/kubescape/kubescape-cli:v3.0.0",
+			expectedVulnerabilities: []string{"CVE-2022-30065", "CVE-2022-28391"},
+			expectedSeverities:      []string{"CRITICAL"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.image, func(t *testing.T) {
+			vulnerabilities, severities := getUniqueVulnerabilitiesAndSeverities(tt.policies, tt.image)
+			sort.Strings(tt.expectedVulnerabilities)
+			sort.Strings(vulnerabilities)
+			assert.Equal(t, tt.expectedVulnerabilities, vulnerabilities)
+			assert.Equal(t, tt.expectedSeverities, severities)
+		})
+	}
+}
--- a/core/core/initutils.go
+++ b/core/core/initutils.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"

+	"github.com/google/uuid"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
@@ -16,11 +17,8 @@ import (
 	printerv2 "github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer/v2"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/reporter"
 	reporterv2 "github.com/kubescape/kubescape/v3/core/pkg/resultshandling/reporter/v2"
-	"go.opentelemetry.io/otel"
-
-	"github.com/google/uuid"
-
 	"github.com/kubescape/rbac-utils/rbacscanner"
+	"go.opentelemetry.io/otel"
 )

 // getKubernetesApi
@@ -277,7 +275,7 @@ func getAttackTracksGetter(ctx context.Context, attackTracks, accountID string,
 	return downloadReleasedPolicy
 }

-// getUIPrinter returns a printer that will be used to print to the program’s UI (terminal)
+// GetUIPrinter returns a printer that will be used to print to the program’s UI (terminal)
 func GetUIPrinter(ctx context.Context, scanInfo *cautils.ScanInfo, clusterName string) printer.IPrinter {
 	var p printer.IPrinter
 	if helpers.ToLevel(logger.L().GetLevel()) >= helpers.WarningLevel {
--- a/core/core/kscore.go
+++ b/core/core/kscore.go
@@ -1,7 +1,17 @@
 package core

-type Kubescape struct{}
+import (
+	"context"
+)

-func NewKubescape() *Kubescape {
-	return &Kubescape{}
+type Kubescape struct {
+	Ctx context.Context
+}
+
+func (ks *Kubescape) Context() context.Context {
+	return ks.Ctx
+}
+
+func NewKubescape(ctx context.Context) *Kubescape {
+	return &Kubescape{Ctx: ctx}
 }
--- a/core/core/kscore_test.go
+++ b/core/core/kscore_test.go
@@ -1,6 +1,7 @@
 package core

 import (
+	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -8,7 +9,8 @@ import (

 // The function should return a non-nil pointer.
 func TestNewKubescape_ReturnsNonNilPointer(t *testing.T) {
-	k := NewKubescape()
+	ctx := context.TODO()
+	k := NewKubescape(ctx)
 	assert.NotNil(t, k)
 }

@@ -19,5 +21,6 @@ func TestNewKubescape_DoesNotPanic(t *testing.T) {
 			t.Errorf("Function panicked: %v", r)
 		}
 	}()
-	NewKubescape()
+	ctx := context.TODO()
+	NewKubescape(ctx)
 }
--- a/core/core/list.go
+++ b/core/core/list.go
@@ -38,16 +38,16 @@ func ListSupportActions() []string {
 	sort.Strings(commands)
 	return commands
 }
-func (ks *Kubescape) List(ctx context.Context, listPolicies *metav1.ListPolicies) error {
+func (ks *Kubescape) List(listPolicies *metav1.ListPolicies) error {
 	if policyListerFunc, ok := listFunc[listPolicies.Target]; ok {
-		policies, err := policyListerFunc(ctx, listPolicies)
+		policies, err := policyListerFunc(ks.Context(), listPolicies)
 		if err != nil {
 			return err
 		}
 		policies = naturalSortPolicies(policies)

 		if listFormatFunction, ok := listFormatFunc[listPolicies.Format]; ok {
-			listFormatFunction(ctx, listPolicies.Target, policies)
+			listFormatFunction(ks.Context(), listPolicies.Target, policies)
 		} else {
 			return fmt.Errorf("Invalid format \"%s\", Supported formats: 'pretty-print'/'json' ", listPolicies.Format)
 		}
--- a/core/core/patch.go
+++ b/core/core/patch.go
@@ -5,23 +5,26 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"

 	"github.com/anchore/grype/grype/presenter"
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	copaGrype "github.com/anubhav06/copa-grype/grype"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
-
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	ksmetav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
-
-	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
-	copa "github.com/project-copacetic/copacetic/pkg/patch"
+	"github.com/project-copacetic/copacetic/pkg/buildkit"
+	"github.com/project-copacetic/copacetic/pkg/pkgmgr"
+	"github.com/project-copacetic/copacetic/pkg/types/unversioned"
+	"github.com/project-copacetic/copacetic/pkg/utils"
 	log "github.com/sirupsen/logrus"
 )

-func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (ks *Kubescape) Patch(patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {

 	// ===================== Scan the image =====================
 	logger.L().Start(fmt.Sprintf("Scanning image: %s", patchInfo.Image))
@@ -34,46 +37,51 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 		Password: patchInfo.Password,
 	}
 	// Scan the image
-	scanResults, err := svc.Scan(ctx, patchInfo.Image, creds)
+	scanResults, err := svc.Scan(ks.Context(), patchInfo.Image, creds, nil, nil)
 	if err != nil {
 		return nil, err
 	}
+
+	// If the scan results ID is empty, set it to "grype"
+	if scanResults.ID.Name == "" {
+		scanResults.ID.Name = "grype"
+	}
 	// Save the scan results to a file in json format
 	pres := presenter.GetPresenter("json", "", false, *scanResults)

 	fileName := fmt.Sprintf("%s:%s.json", patchInfo.ImageName, patchInfo.ImageTag)
 	fileName = strings.ReplaceAll(fileName, "/", "-")

-	writer := printer.GetWriter(ctx, fileName)
+	writer := printer.GetWriter(ks.Context(), fileName)

-	if err := pres.Present(writer); err != nil {
+	if err = pres.Present(writer); err != nil {
 		return nil, err
 	}
 	logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", patchInfo.Image))

 	// ===================== Patch the image using copacetic =====================
 	logger.L().Start("Patching image...")
+	patchedImageName := fmt.Sprintf("%s:%s", patchInfo.ImageName, patchInfo.PatchedImageTag)

 	sout, serr := os.Stdout, os.Stderr
 	if logger.L().GetLevel() != "debug" {
 		disableCopaLogger()
 	}

-	if err := copa.Patch(ctx, patchInfo.Timeout, patchInfo.BuildkitAddress, patchInfo.Image, fileName, patchInfo.PatchedImageTag, ""); err != nil {
+	if err = copaPatch(ks.Context(), patchInfo.Timeout, patchInfo.BuildkitAddress, patchInfo.Image, fileName, patchedImageName, "", patchInfo.IgnoreError, patchInfo.BuildKitOpts); err != nil {
 		return nil, err
 	}

 	// Restore the output streams
 	os.Stdout, os.Stderr = sout, serr

-	patchedImageName := fmt.Sprintf("%s:%s", patchInfo.ImageName, patchInfo.PatchedImageTag)
 	logger.L().StopSuccess(fmt.Sprintf("Patched image successfully. Loaded image: %s", patchedImageName))

 	// ===================== Re-scan the image =====================

 	logger.L().Start(fmt.Sprintf("Re-scanning image: %s", patchedImageName))

-	scanResultsPatched, err := svc.Scan(ctx, patchedImageName, creds)
+	scanResultsPatched, err := svc.Scan(ks.Context(), patchedImageName, creds, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -88,8 +96,8 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 	// ===================== Results Handling =====================

 	scanInfo.SetScanType(cautils.ScanTypeImage)
-	outputPrinters := GetOutputPrinters(scanInfo, ctx, "")
-	uiPrinter := GetUIPrinter(ctx, scanInfo, "")
+	outputPrinters := GetOutputPrinters(scanInfo, ks.Context(), "")
+	uiPrinter := GetUIPrinter(ks.Context(), scanInfo, "")
 	resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)
 	resultsHandler.ImageScanData = []cautils.ImageScanData{
 		{
@@ -97,9 +105,8 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 			Image:           patchedImageName,
 		},
 	}
-	resultsHandler.HandleResults(ctx)

-	return scanResultsPatched, resultsHandler.HandleResults(ctx)
+	return scanResultsPatched, resultsHandler.HandleResults(ks.Context())
 }

 func disableCopaLogger() {
@@ -107,3 +114,110 @@ func disableCopaLogger() {
 	null, _ := os.Open(os.DevNull)
 	log.SetOutput(null)
 }
+
+// copaPatch is a slightly modified copy of the Patch function from the original "project-copacetic/copacetic" repo
+// https://github.com/project-copacetic/copacetic/blob/main/pkg/patch/patch.go
+func copaPatch(ctx context.Context, timeout time.Duration, buildkitAddr, image, reportFile, patchedImageName, workingFolder string, ignoreError bool, bkOpts buildkit.Opts) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	ch := make(chan error)
+	go func() {
+		ch <- patchWithContext(timeoutCtx, buildkitAddr, image, reportFile, patchedImageName, workingFolder, ignoreError, bkOpts)
+	}()
+
+	select {
+	case err := <-ch:
+		return err
+	case <-timeoutCtx.Done():
+		// add a grace period for long running deferred cleanup functions to complete
+		<-time.After(1 * time.Second)
+
+		err := fmt.Errorf("patch exceeded timeout %v", timeout)
+		log.Error(err)
+		return err
+	}
+}
+
+func patchWithContext(ctx context.Context, buildkitAddr, image, reportFile, patchedImageName, workingFolder string, ignoreError bool, bkOpts buildkit.Opts) error {
+	// Ensure working folder exists for call to InstallUpdates
+	if workingFolder == "" {
+		var err error
+		workingFolder, err = os.MkdirTemp("", "copa-*")
+		if err != nil {
+			return err
+		}
+		defer os.RemoveAll(workingFolder)
+		if err := os.Chmod(workingFolder, 0o744); err != nil {
+			return err
+		}
+	} else {
+		if isNew, err := utils.EnsurePath(workingFolder, 0o744); err != nil {
+			log.Errorf("failed to create workingFolder %s", workingFolder)
+			return err
+		} else if isNew {
+			defer os.RemoveAll(workingFolder)
+		}
+	}
+
+	// Parse report for update packages
+	updates, err := tryParseScanReport(reportFile)
+	if err != nil {
+		return err
+	}
+
+	client, err := buildkit.NewClient(ctx, bkOpts)
+	if err != nil {
+		return err
+	}
+	defer client.Close()
+
+	// Configure buildctl/client for use by package manager
+	config, err := buildkit.InitializeBuildkitConfig(ctx, client, image, updates)
+	if err != nil {
+		return err
+	}
+
+	// Create package manager helper
+	pkgmgr, err := pkgmgr.GetPackageManager(updates.Metadata.OS.Type, config, workingFolder)
+	if err != nil {
+		return err
+	}
+
+	// Export the patched image state to Docker
+	patchedImageState, _, err := pkgmgr.InstallUpdates(ctx, updates, ignoreError)
+	if err != nil {
+		return err
+	}
+
+	if err = buildkit.SolveToDocker(ctx, config.Client, patchedImageState, config.ConfigData, patchedImageName); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// This function adds support to copa for patching Kubescape produced results
+func tryParseScanReport(file string) (*unversioned.UpdateManifest, error) {
+
+	parser := copaGrype.GrypeParser{}
+	manifest, err := parser.Parse(file)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert from v1alpha1 to unversioned.UpdateManifest
+	var um unversioned.UpdateManifest
+	um.Metadata.OS.Type = manifest.Metadata.OS.Type
+	um.Metadata.OS.Version = manifest.Metadata.OS.Version
+	um.Metadata.Config.Arch = manifest.Metadata.Config.Arch
+	um.Updates = make([]unversioned.UpdatePackage, len(manifest.Updates))
+	for i, update := range manifest.Updates {
+		um.Updates[i].Name = update.Name
+		um.Updates[i].InstalledVersion = update.InstalledVersion
+		um.Updates[i].FixedVersion = update.FixedVersion
+		um.Updates[i].VulnerabilityID = update.VulnerabilityID
+	}
+
+	return &um, nil
+}
--- a/core/core/scan.go
+++ b/core/core/scan.go
@@ -3,7 +3,9 @@ package core
 import (
 	"context"
 	"fmt"
+	"slices"

+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
@@ -20,10 +22,9 @@ import (
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/reporter"
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-	"go.opentelemetry.io/otel"
-	"golang.org/x/exp/slices"
-
 	"github.com/kubescape/opa-utils/resources"
+	"go.opentelemetry.io/otel"
+	"k8s.io/client-go/kubernetes"
 )

 type componentInterfaces struct {
@@ -41,10 +42,13 @@ func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInt

 	// ================== setup k8s interface object ======================================
 	var k8s *k8sinterface.KubernetesApi
+	var k8sClient kubernetes.Interface
 	if scanInfo.GetScanningContext() == cautils.ContextCluster {
 		k8s = getKubernetesApi()
 		if k8s == nil {
 			logger.L().Ctx(ctx).Fatal("failed connecting to Kubernetes cluster")
+		} else {
+			k8sClient = k8s.KubernetesClient
 		}
 	}

@@ -63,8 +67,8 @@ func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInt

 	// ================== version testing ======================================

-	v := cautils.NewIVersionCheckHandler(ctx)
-	v.CheckLatestVersion(ctx, cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierIdentities(scanInfo.PolicyIdentifier), "", cautils.ScanningContextToScanningScope(scanInfo.GetScanningContext())))
+	v := versioncheck.NewIVersionCheckHandler(ctx)
+	_ = v.CheckLatestVersion(ctx, versioncheck.NewVersionCheckRequest(scanInfo.AccountID, versioncheck.BuildNumber, policyIdentifierIdentities(scanInfo.PolicyIdentifier), "", string(scanInfo.GetScanningContext()), k8sClient))

 	// ================== setup host scanner object ======================================
 	ctxHostScanner, spanHostScanner := otel.Tracer("").Start(ctx, "setup host scanner")
@@ -117,12 +121,13 @@ func GetOutputPrinters(scanInfo *cautils.ScanInfo, ctx context.Context, clusterN
 	return outputPrinters
 }

-func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
-	ctxInit, spanInit := otel.Tracer("").Start(ctx, "initialization")
+func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
+	ctxInit, spanInit := otel.Tracer("").Start(ks.Context(), "initialization")
 	logger.L().Start("Kubescape scanner initializing...")

 	// ===================== Initialization =====================
 	scanInfo.Init(ctxInit) // initialize scan info
+	defer scanInfo.Cleanup()

 	interfaces := getInterfaces(ctxInit, scanInfo)
 	interfaces.report.SetTenantConfig(interfaces.tenantConfig)
@@ -143,7 +148,7 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 	// remove host scanner components
 	defer func() {
 		if err := interfaces.hostSensorHandler.TearDown(); err != nil {
-			logger.L().Ctx(ctx).StopError("Failed to tear down host scanner", helpers.Error(err))
+			logger.L().Ctx(ks.Context()).StopError("Failed to tear down host scanner", helpers.Error(err))
 		}
 	}()

@@ -163,7 +168,7 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res

 	// ===================== resources =====================
 	ctxResources, spanResources := otel.Tracer("").Start(ctxInit, "resources")
-	err = resourcehandler.CollectResources(ctxResources, interfaces.resourceHandler, scanInfo.PolicyIdentifier, scanData, cautils.NewProgressHandler(""), scanInfo)
+	err = resourcehandler.CollectResources(ctxResources, interfaces.resourceHandler, scanData, scanInfo)
 	if err != nil {
 		spanInit.End()
 		return resultsHandling, err
@@ -172,11 +177,11 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 	spanInit.End()

 	// ========================= opa testing =====================
-	ctxOpa, spanOpa := otel.Tracer("").Start(ctx, "opa testing")
+	ctxOpa, spanOpa := otel.Tracer("").Start(ks.Context(), "opa testing")
 	defer spanOpa.End()

 	deps := resources.NewRegoDependenciesData(k8sinterface.GetK8sConfig(), interfaces.tenantConfig.GetContextName())
-	reportResults := opaprocessor.NewOPAProcessor(scanData, deps, interfaces.tenantConfig.GetContextName())
+	reportResults := opaprocessor.NewOPAProcessor(scanData, deps, interfaces.tenantConfig.GetContextName(), scanInfo.ExcludedNamespaces, scanInfo.IncludeNamespaces, scanInfo.EnableRegoPrint)
 	if err = reportResults.ProcessRulesListener(ctxOpa, cautils.NewProgressHandler("")); err != nil {
 		// TODO - do something
 		return resultsHandling, fmt.Errorf("%w", err)
@@ -186,18 +191,18 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 	if scanInfo.PrintAttackTree || isPrioritizationScanType(scanInfo.ScanType) {
 		_, spanPrioritization := otel.Tracer("").Start(ctxOpa, "prioritization")
 		if priotizationHandler, err := resourcesprioritization.NewResourcesPrioritizationHandler(ctxOpa, scanInfo.Getters.AttackTracksGetter, scanInfo.PrintAttackTree); err != nil {
-			logger.L().Ctx(ctx).Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
+			logger.L().Ctx(ks.Context()).Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
 		} else if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
 			return resultsHandling, fmt.Errorf("%w", err)
 		}
-		if err == nil && isPrioritizationScanType(scanInfo.ScanType) {
+		if isPrioritizationScanType(scanInfo.ScanType) {
 			scanData.SetTopWorkloads()
 		}
 		spanPrioritization.End()
 	}

 	if scanInfo.ScanImages {
-		scanImages(scanInfo.ScanType, scanData, ctx, resultsHandling)
+		scanImages(scanInfo.ScanType, scanData, ks.Context(), resultsHandling)
 	}
 	// ========================= results handling =====================
 	resultsHandling.SetData(scanData)
@@ -210,7 +215,7 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 }

 func scanImages(scanType cautils.ScanTypes, scanData *cautils.OPASessionObj, ctx context.Context, resultsHandling *resultshandling.ResultsHandler) {
-	imagesToScan := []string{}
+	var imagesToScan []string

 	if scanType == cautils.ScanTypeWorkload {
 		containers, err := workloadinterface.NewWorkloadObj(scanData.SingleResourceScan.GetObject()).GetContainers()
@@ -252,7 +257,7 @@ func scanImages(scanType cautils.ScanTypes, scanData *cautils.OPASessionObj, ctx

 func scanSingleImage(ctx context.Context, img string, svc imagescan.Service, resultsHandling *resultshandling.ResultsHandler) error {

-	scanResults, err := svc.Scan(ctx, img, imagescan.RegistryCredentials{})
+	scanResults, err := svc.Scan(ctx, img, imagescan.RegistryCredentials{}, nil, nil)
 	if err != nil {
 		return err
 	}
--- a/core/core/testdata/alpine-nginx-exceptions.json
+++ b/core/core/testdata/alpine-nginx-exceptions.json
@@ -0,0 +1,67 @@
+[
+    {   
+        "metadata": {
+                "name": "alpine-exceptions"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "imageName": "alpine*"
+                }
+            }
+        ],
+        "severities": [
+            "medium"
+         ]
+    },
+    {   
+        "metadata": {
+                "name": "nginx-exceptions"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "imageName": "nginx*"
+                }
+            }
+        ],
+        "vulnerabilities": [
+            "invalid-cve",
+            "CVE-2023-45853",
+            "CVE-2023-49463"
+        ],
+        "severities": [
+            "critical",
+            "medium",
+            "invalid-severity"
+         ]
+    },
+    {   
+        "metadata": {
+                "name": "applicable-only-to-quay-registry-images"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "registry": "quay.io"
+                }
+            }
+        ],
+        "vulnerabilities": [
+            "CVE-2023-42365"
+        ],
+        "severities": [
+            "critical",
+            "medium",
+            "high",
+            "low"
+         ]
+    }   
+]
+
--- a/core/core/testdata/empty_exceptions.json
+++ b/core/core/testdata/empty_exceptions.json
@@ -0,0 +1 @@
+[]
--- a/core/core/testdata/exceptions.json
+++ b/core/core/testdata/exceptions.json
@@ -0,0 +1,78 @@
+[
+    {   
+        "metadata": {
+                "name": "medium-severity-vulnerabilites-exceptions"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "Registry": "docker.io",
+                    "Organization": "",
+                    "ImageName": ""
+                }
+            }
+        ],
+        "vulnerabilities": [
+        ],
+        "severities": [
+            "medium"
+         ]
+    },
+    {   
+        "metadata": {
+                "name": "exclude-allowed-hostPath-control"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                }
+            }
+        ],
+        "vulnerabilities": [
+            "CVE-2023-42366",
+            "CVE-2023-42365"
+        ],
+        "severities": [
+            "critical",
+            "low"
+         ]
+    },
+    {   
+        "metadata": {
+                "name": "regex-example"
+        },
+        "kind": "VulnerabilitiesIgnorePolicy",
+        "targets": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "Registry": "quay.*",
+                    "Organization": "kube*",
+                    "ImageName": "kubescape*",
+                    "ImageTag": "v2*"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "Registry": "docker.io",
+                    "Organization": ".*",
+                    "ImageName": "kube*",
+                    "ImageTag": "v3*"
+                }
+            }
+        ],
+        "vulnerabilities": [
+            "CVE-2023-6879",
+            "CVE-2023-44487"
+        ],
+        "severities": [
+            "critical",
+            "low"
+         ]
+    }   
+]
--- a/core/meta/datastructures/v1/config.go
+++ b/core/meta/datastructures/v1/config.go
@@ -8,10 +8,8 @@ type SetConfig struct {
 	CloudReportURL string
 	CloudAPIURL    string
 }
-
 type ViewConfig struct {
 	Writer io.Writer
 }
-
 type DeleteConfig struct {
 }
--- a/core/meta/datastructures/v1/image_scan.go
+++ b/core/meta/datastructures/v1/image_scan.go
@@ -1,7 +1,8 @@
 package v1

 type ImageScanInfo struct {
-	Username string
-	Password string
-	Image    string
+	Username   string
+	Password   string
+	Image      string
+	Exceptions string
 }
--- a/core/meta/datastructures/v1/patch.go
+++ b/core/meta/datastructures/v1/patch.go
@@ -1,12 +1,18 @@
 package v1

-import "time"
+import (
+	"time"
+
+	"github.com/project-copacetic/copacetic/pkg/buildkit"
+)

 type PatchInfo struct {
 	Image           string        // image to be patched
 	PatchedImageTag string        // can be empty, if empty then the image tag will be patched with the latest tag
 	BuildkitAddress string        // buildkit address
 	Timeout         time.Duration // timeout for patching an image
+	IgnoreError     bool          // ignore errors and continue patching
+	BuildKitOpts    buildkit.Opts //build kit options

 	// Image registry credentials
 	Username string // username for registry login
--- a/core/meta/ksinterface.go
+++ b/core/meta/ksinterface.go
@@ -10,23 +10,25 @@ import (
 )

 type IKubescape interface {
-	Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) // TODO - use scanInfo from v1
+	Context() context.Context
+
+	Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) // TODO - use scanInfo from v1

 	// policies
-	List(ctx context.Context, listPolicies *metav1.ListPolicies) error     // TODO - return list response
-	Download(ctx context.Context, downloadInfo *metav1.DownloadInfo) error // TODO - return downloaded policies
+	List(listPolicies *metav1.ListPolicies) error     // TODO - return list response
+	Download(downloadInfo *metav1.DownloadInfo) error // TODO - return downloaded policies

 	// config
 	SetCachedConfig(setConfig *metav1.SetConfig) error
 	ViewCachedConfig(viewConfig *metav1.ViewConfig) error
-	DeleteCachedConfig(ctx context.Context, deleteConfig *metav1.DeleteConfig) error
+	DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error

 	// fix
-	Fix(ctx context.Context, fixInfo *metav1.FixInfo) error
+	Fix(fixInfo *metav1.FixInfo) error

 	// patch
-	Patch(ctx context.Context, patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
+	Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)

 	// scan image
-	ScanImage(ctx context.Context, imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
+	ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error)
 }
--- a/core/mocks/cmd_mocks.go
+++ b/core/mocks/cmd_mocks.go
@@ -11,15 +11,19 @@ import (

 type MockIKubescape struct{}

-func (m *MockIKubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
+func (m *MockIKubescape) Context() context.Context {
+	return context.TODO()
+}
+
+func (m *MockIKubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
 	return nil, nil
 }

-func (m *MockIKubescape) List(ctx context.Context, listPolicies *metav1.ListPolicies) error {
+func (m *MockIKubescape) List(listPolicies *metav1.ListPolicies) error {
 	return nil
 }

-func (m *MockIKubescape) Download(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
+func (m *MockIKubescape) Download(downloadInfo *metav1.DownloadInfo) error {
 	return nil
 }

@@ -31,18 +35,18 @@ func (m *MockIKubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
 	return nil
 }

-func (m *MockIKubescape) DeleteCachedConfig(ctx context.Context, deleteConfig *metav1.DeleteConfig) error {
+func (m *MockIKubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
 	return nil
 }

-func (m *MockIKubescape) Fix(ctx context.Context, fixInfo *metav1.FixInfo) error {
+func (m *MockIKubescape) Fix(fixInfo *metav1.FixInfo) error {
 	return nil
 }

-func (m *MockIKubescape) Patch(ctx context.Context, patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (m *MockIKubescape) Patch(patchInfo *metav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
 	return nil, nil
 }

-func (m *MockIKubescape) ScanImage(ctx context.Context, imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
+func (m *MockIKubescape) ScanImage(imgScanInfo *metav1.ImageScanInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
 	return nil, nil
 }
--- a/core/pkg/containerscan/containerscan_mock.go
+++ b/core/pkg/containerscan/containerscan_mock.go
@@ -25,7 +25,7 @@ func GenerateContainerScanReportMock() ScanResultReport {
 	return ds
 }

-// GenerateContainerScanReportMock - generate a scan result
+// GenerateContainerScanReportNoVulMock - generate a scan result
 func GenerateContainerScanReportNoVulMock() ScanResultReport {
 	ds := ScanResultReport{
 		WLID:          "wlid://cluster-k8s-geriatrix-k8s-demo3/namespace-whisky-app/deployment-whisky4all-shipping",
--- a/core/pkg/fixhandler/fixhandler.go
+++ b/core/pkg/fixhandler/fixhandler.go
@@ -13,9 +13,8 @@ import (
 	"strings"

 	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/go-logger"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-
-	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
 	"github.com/kubescape/opa-utils/reporthandling"
--- a/core/pkg/fixhandler/fixhandler_test.go
+++ b/core/pkg/fixhandler/fixhandler_test.go
@@ -8,7 +8,7 @@ import (
 	"testing"

 	"github.com/armosec/armoapi-go/armotypes"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/internal/testutils"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
--- a/core/pkg/fixhandler/testdata/hybrids/tc-01-00-input.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-01-00-input.yaml
@@ -14,6 +14,6 @@ metadata:
 spec:
  containers:
  - name: nginx_container
-    image: nginx
    securityContext:
      runAsRoot: true
+    image: nginx
--- a/core/pkg/fixhandler/testdata/hybrids/tc-02-00-input-indented-list.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-02-00-input-indented-list.yaml
@@ -14,6 +14,6 @@ metadata:
 spec:
  containers:
    - name: nginx_container
-      image: nginx
      securityContext:
        runAsRoot: true
+      image: nginx
--- a/core/pkg/fixhandler/testdata/hybrids/tc-03-00-input-comments.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-03-00-input-comments.yaml
@@ -16,6 +16,6 @@ spec:
  containers:
    # These are the first containers comments
    - name: nginx_container
-      image: nginx
      securityContext:
        runAsRoot: true
+      image: nginx
--- a/core/pkg/fixhandler/testdata/hybrids/tc-04-00-input-separated-keys.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-04-00-input-separated-keys.yaml
@@ -15,7 +15,7 @@ spec:
  containers:
    - name: nginx_container

-      image: nginx
-
      securityContext:
        runAsRoot: true
+
+      image: nginx
--- a/core/pkg/fixhandler/testdata/hybrids/tc-04-01-expected.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-04-01-expected.yaml
@@ -15,7 +15,7 @@ spec:
  containers:
    - name: nginx_container

+
      image: nginx
  securityContext:
    runAsRoot: false
-
--- a/core/pkg/fixhandler/testdata/hybrids/tc-05-00-input-leading-doc-separator.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-05-00-input-leading-doc-separator.yaml
@@ -16,7 +16,7 @@ spec:
  containers:
    - name: nginx_container

-      image: nginx
-
      securityContext:
        runAsRoot: true
+
+      image: nginx
--- a/core/pkg/fixhandler/testdata/hybrids/tc-05-01-expected.yaml
+++ b/core/pkg/fixhandler/testdata/hybrids/tc-05-01-expected.yaml
@@ -16,7 +16,7 @@ spec:
  containers:
    - name: nginx_container

+
      image: nginx
  securityContext:
    runAsRoot: false
-
--- a/core/pkg/fixhandler/testdata/removals/tc-01-00-input.yaml
+++ b/core/pkg/fixhandler/testdata/removals/tc-01-00-input.yaml
@@ -9,6 +9,6 @@ metadata:
 spec:
  containers:
  - name: nginx_container
-    image: nginx
    securityContext:
-      runAsRoot: false
+      runAsRoot: false
+    image: nginx
--- a/Show More
+++ b/Show More