update pkg

support printing sensor and cloud resources
print skipped
2026-04-05 18:26:55 +00:00 · 2021-12-21 11:04:18 +02:00 · 2021-12-20 18:22:08 +02:00 · 2021-12-20 13:32:14 +02:00 · 2021-12-20 11:14:31 +02:00 · 2021-12-20 11:11:31 +02:00
91 changed files with 8926 additions and 1001 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -77,8 +77,8 @@ jobs:
        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt

      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
+        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
+
      - name: Re-Tag Image to latest
        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest

--- a/.github/workflows/build_dev.yaml
+++ b/.github/workflows/build_dev.yaml
@@ -56,7 +56,7 @@ jobs:
        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt

      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
+        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
      
      - name: Login to Quay.io
        env: # Or as an environment variable
--- a/.github/workflows/master_pr_checks.yaml
+++ b/.github/workflows/master_pr_checks.yaml
@@ -31,8 +31,9 @@ jobs:
          CGO_ENABLED: 0
        run: python3 --version && python3 build.py

-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 
+      - name: Smoke Testing
+        env:
+          RELEASE: v1.0.${{ github.run_number }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+        
--- a/README.md
+++ b/README.md
@@ -24,13 +24,22 @@ curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh |

 ## Run:
 ```
-kubescape scan framework nsa
+kubescape scan --submit
 ```

 <img src="docs/summary.png">

+</br>
+
+> Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+</br>
+
 ### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀

+</br>
+
+
 # Being part of the team

 We invite you to our team! We are excited about this project and want to return the love we get.
@@ -42,8 +51,16 @@ Want to contribute? Want to discuss something? Have an issue?

 [<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)

+
 # Options and examples

+## Tutorials
+
+* [Overview](https://youtu.be/wdBkt_0Qhbg)
+* [Scanning Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
+* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
+* [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
+
 ## Install on Windows

 **Requires powershell v5.0+**
@@ -72,8 +89,9 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 | flag                        | default                   | description                                                                                                                                                                                                                                                                                                          | options                          |
 |-----------------------------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
 | `-e`/`--exclude-namespaces` | Scan all namespaces       | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces                                                                                                                                                                                                               |                                              |
+| `--include-namespaces`      | Scan all namespaces       | Scan specific namespaces                                                                                                                            |                                              |
 | `-s`/`--silent`             | Display progress messages | Silent progress messages                                                                                                                                                                                                                                                                                             |                                              |
-| `-t`/`--fail-threshold`     | `0` (do not fail)         | fail command (return exit code 1) if result bellow threshold                                                                                                                                                                                                                                                         | `0` -> `100`                                 |
+| `-t`/`--fail-threshold`     | `0` (do not fail)         | fail command (return exit code 1) if result is below threshold                                                                                                                                                                                                                                                       | `0` -> `100`                                 |
 | `-f`/`--format`             | `pretty-printer`          | Output format                                                                                                                                                                                                                                                                                                        | `pretty-printer`/`json`/`junit`/`prometheus` |
 | `-o`/`--output`             | print to stdout           | Save scan result in file                                                                                                                                                                                                                                                                                             |                                              |
 | `--use-from`                |                           | Load local framework object from specified path. If not used will download latest                                                                                                                                                                                                                                    |                                              |
@@ -82,76 +100,91 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 | `--submit`                  | `false`                   | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`                               |
 | `--keep-local`              | `false`                   | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results                                                                                                                                | `true`/`false`                               |
 | `--account`                 |                           | Armo portal account ID. Default will load account ID from configMap or config file                                                                                                                                                                                                                                   |                                              |
+| `--verbose`                 | `false`                   | Display all of the input resources and not only failed resources                                                                                                                                                                                                                                                     | `true`/`false`                               |
+

 ## Usage & Examples

 ### Examples

-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
 ```
 kubescape scan framework nsa --submit
 ```


-* Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
 ```
 kubescape scan framework mitre --submit
 ```


-* Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armo.cloud/docs/controls) 
+#### Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armo.cloud/docs/controls) 
 ```
 kubescape scan control "Privileged container"
 ```

-* Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
+#### Scan specific namespaces
+```
+kubescape scan framework nsa --include-namespaces development,staging,production
+```
+
+#### Scan cluster and exclude some namespaces
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
 ```
 kubescape scan framework nsa *.yaml
 ```

-
-* Scan kubernetes manifest files from a public github repository 
+#### Scan kubernetes manifest files from a public github repository 
 ```
 kubescape scan framework nsa https://github.com/armosec/kubescape
 ```

-* Output in `json` format
+#### Display all scanned resources (including the resources who passed) 
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
+kubescape scan framework nsa --verbose
 ```

-* Output in `junit xml` format
+#### Output in `json` format
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
+kubescape scan framework nsa --format json --output results.json
 ```

-* Output in `prometheus` metrics format
+#### Output in `junit xml` format
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format prometheus
+kubescape scan framework nsa --format junit --output results.xml
 ```

-* Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
+#### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
 ```
-kubescape scan framework nsa --exceptions examples/exceptions.json
+kubescape scan framework nsa --format prometheus
 ```

-### CronJob Scan Periodically 
+#### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
+[Full documentation](examples/exceptions/README.md)
+```
+kubescape scan framework nsa --exceptions examples/exceptions/exclude-kube-namespaces.json
+```

-For setting up a cronJob please follow the [instructions](examples/cronJob-support/README.md) 
-
-### Helm Support
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
+#### Scan Helm charts - Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
 helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
 ```

-for example:
+e.g.
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
+
+
 ### Offline Support

+[Video tutorial](https://youtu.be/IGXL9s37smM)
+
 It is possible to run Kubescape offline!

 First download the framework and then scan with `--use-from` flag
@@ -166,13 +199,40 @@ kubescape download framework nsa --output nsa.json
 kubescape scan framework nsa --use-from nsa.json
 ```

-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

+## Scan Periodically using Helm - Contributed by [@yonahd](https://github.com/yonahd)  
+ 
+You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
+
+```
+helm install kubescape examples/helm_chart/
+```
+
+## Scan using docker image
+
+Official Docker image `quay.io/armosec/kubescape`
+
+```
+docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan framework nsa /app/example.yaml
+```
+
+# Submit data manually
+
+Use the `submit` command if you wish to submit data manually
+
+## Submit scan results manually
+
+First, scan your cluster using the `json` format flag: `kubescape scan framework <name> --format json --output path/to/results.json`.
+
+Now you can submit the results to the Kubaescape SaaS version -
+```
+kubescape submit results path/to/results.json
+```
 # How to build

 ## Build using python (3.7^) script

-Kubescpae can be built using:
+Kubescape can be built using:

 ``` sh
 python build.py
@@ -208,12 +268,8 @@ go build -o kubescape .

 4. Enjoy :zany_face:

-## Docker Support
+## Docker Build

-### Official Docker image
-```
-quay.io/armosec/kubescape
-```
 ### Build your own Docker image

 1. Clone Project
@@ -226,10 +282,11 @@ git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 docker build -t kubescape -f build/Dockerfile .
 ```

+
 # Under the hood

 ## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 * Non-root containers
 * Immutable container filesystem
 * Privileged containers
--- a/build.py
+++ b/build.py
@@ -41,7 +41,7 @@ def main():

    # Set some variables
    packageName = getPackageName()
-    buildUrl = "github.com/armosec/kubescape/clihandler/cmd.BuildNumber"
+    buildUrl = "github.com/armosec/kubescape/cautils.BuildNumber"
    releaseVersion = os.getenv("RELEASE")
    ArmoBEServer = os.getenv("ArmoBEServer")
    ArmoERServer = os.getenv("ArmoERServer")
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,5 +1,10 @@
 FROM golang:1.17-alpine as builder
 #ENV GOPROXY=https://goproxy.io,direct
+
+ARG run_number
+
+ENV RELEASE=v1.0.${run_number}
+
 ENV GO111MODULE=

 ENV CGO_ENABLED=0
--- a/cautils/customerloader.go
+++ b/cautils/customerloader.go
@@ -4,14 +4,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net/url"
 	"os"
 	"strings"

-	"github.com/armosec/kubescape/cautils/getter"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils/getter"
 	corev1 "k8s.io/api/core/v1"
 )

@@ -57,82 +56,89 @@ func (co *ConfigObj) Config() []byte {
 // ======================================================================================
 // =============================== interface ============================================
 // ======================================================================================
-type IClusterConfig interface {
-
+type ITenantConfig interface {
 	// set
-	SetConfig(customerGUID string) error
+	SetTenant() error

 	// getters
 	GetClusterName() string
 	GetCustomerGUID() string
 	GetConfigObj() *ConfigObj
-	GetK8sAPI() *k8sinterface.KubernetesApi
-	GetBackendAPI() getter.IBackend
-	GetDefaultNS() string
-	GenerateURL()
-}
+	// GetBackendAPI() getter.IBackend
+	// GenerateURL()

-// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
-func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
-	/*
-
-		If "First run (local config not found)" -
-			Default - Do not send report (local)
-			Local - Do not send report
-			Submit - Create tenant & Submit report
-
-		If "Submitted but not signed up" -
-			Default	- Delete local config & Do not send report (local)
-			Local - Delete local config & Do not send report
-			Submit - Submit report
-
-		If "Signed up user" -
-			Default	- Submit report (submit)
-			Local - Do not send report
-			Submit - Submit report
-
-	*/
-	clusterConfig := NewClusterConfig(k8s, beAPI)
-	clusterConfig.LoadConfig()
-
-	if !IsSubmitted(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit - Create tenant & Submit report
-		}
-		return NewEmptyConfig() // local/default - Do not send report
-	}
-	if !IsRegistered(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit/default - Submit report
-		}
-		DeleteConfig(k8s)
-		return NewEmptyConfig() // local - Delete local config & Do not send report
-	}
-	if scanInfo.Local {
-		scanInfo.Submit = false
-		return NewEmptyConfig() // local - Do not send report
-	}
-	scanInfo.Submit = true
-	return clusterConfig // submit/default -  Submit report
+	IsConfigFound() bool
 }

 // ======================================================================================
-// ============================= Mock Config ============================================
+// ============================ Local Config ============================================
 // ======================================================================================
-type EmptyConfig struct {
+// Config when scanning YAML files or URL but not a Kubernetes cluster
+type LocalConfig struct {
+	backendAPI getter.IBackend
+	configObj  *ConfigObj
 }

-func NewEmptyConfig() *EmptyConfig                            { return &EmptyConfig{} }
-func (c *EmptyConfig) SetConfig(customerGUID string) error    { return nil }
-func (c *EmptyConfig) GetConfigObj() *ConfigObj               { return &ConfigObj{} }
-func (c *EmptyConfig) GetCustomerGUID() string                { return "" }
-func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetDefaultNS() string                   { return k8sinterface.GetDefaultNamespace() }
-func (c *EmptyConfig) GetBackendAPI() getter.IBackend         { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetClusterName() string                 { return adoptClusterName(k8sinterface.GetClusterName()) }
-func (c *EmptyConfig) GenerateURL() {
-	message := fmt.Sprintf("\nCheckout for more cool features: https://%s\n", getter.GetArmoAPIConnector().GetFrontendURL())
-	InfoTextDisplay(os.Stdout, fmt.Sprintf("\n%s\n", message))
+func NewLocalConfig(backendAPI getter.IBackend, customerGUID string) *LocalConfig {
+	var configObj *ConfigObj
+
+	lc := &LocalConfig{
+		backendAPI: backendAPI,
+		configObj:  &ConfigObj{},
+	}
+	// get from configMap
+	if existsConfigFile() { // get from file
+		configObj, _ = loadConfigFromFile()
+	} else {
+		configObj = &ConfigObj{}
+	}
+	if configObj != nil {
+		lc.configObj = configObj
+	}
+	if customerGUID != "" {
+		lc.configObj.CustomerGUID = customerGUID // override config customerGUID
+	}
+	if lc.configObj.CustomerGUID != "" {
+		if err := lc.SetTenant(); err != nil {
+			fmt.Println(err)
+		}
+	}
+
+	return lc
+}
+
+func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
+func (lc *LocalConfig) GetCustomerGUID() string  { return lc.configObj.CustomerGUID }
+func (lc *LocalConfig) GetClusterName() string   { return "" }
+func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
+func (lc *LocalConfig) SetTenant() error {
+	// ARMO tenant GUID
+	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
+		return err
+	}
+	updateConfigFile(lc.configObj)
+	return nil
+
+}
+
+func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
+
+	// get from armoBE
+	tenantResponse, err := backendAPI.GetCustomerGUID(configObj.CustomerGUID)
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // registered tenant
+			configObj.CustomerAdminEMail = tenantResponse.AdminMail
+		} else { // new tenant
+			configObj.Token = tenantResponse.Token
+			configObj.CustomerGUID = tenantResponse.TenantID
+		}
+	} else {
+		if err != nil && !strings.Contains(err.Error(), "already exists") {
+			return err
+		}
+	}
+
+	return nil
 }

 // ======================================================================================
@@ -146,118 +152,67 @@ type ClusterConfig struct {
 	configObj  *ConfigObj
 }

-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
-	return &ClusterConfig{
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, customerGUID string) *ClusterConfig {
+	defaultNS := k8sinterface.GetDefaultNamespace()
+	var configObj *ConfigObj
+	c := &ClusterConfig{
 		k8s:        k8s,
 		backendAPI: backendAPI,
 		configObj:  &ConfigObj{},
-		defaultNS:  k8sinterface.GetDefaultNamespace(),
-	}
-}
-func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
-func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
-func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
-func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
-
-func (c *ClusterConfig) GenerateURL() {
-	message := "Checkout for more cool features: "
-
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
-	if c.configObj == nil {
-		return
-	}
-	if c.configObj.CustomerAdminEMail != "" {
-		InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-		return
-	}
-	u.Path = "account/sign-up"
-	q := u.Query()
-	q.Add("invitationToken", c.configObj.Token)
-	q.Add("customerGUID", c.configObj.CustomerGUID)
-
-	u.RawQuery = q.Encode()
-	InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-}
-
-func (c *ClusterConfig) GetCustomerGUID() string {
-	if c.configObj != nil {
-		return c.configObj.CustomerGUID
-	}
-	return ""
-}
-
-func (c *ClusterConfig) SetConfig(customerGUID string) error {
-	if c.configObj == nil {
-		c.configObj = &ConfigObj{}
+		defaultNS:  defaultNS,
 	}

-	// cluster name
-	if c.GetClusterName() == "" {
-		c.setClusterName(k8sinterface.GetClusterName())
+	// get from configMap
+	if existsConfigMap(k8s, defaultNS) {
+		configObj, _ = loadConfigFromConfigMap(k8s, defaultNS)
+	} else if existsConfigFile() { // get from file
+		configObj, _ = loadConfigFromFile()
 	}
-
-	// ARMO customer GUID
-	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
-		c.setCustomerGUID(customerGUID) // override config customerGUID
+	if configObj != nil {
+		c.configObj = configObj
 	}
-
-	customerGUID = c.GetCustomerGUID()
-
-	// get from armoBE
-	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			c.setCustomerAdminEMail(tenantResponse.AdminMail)
-		} else {
-			c.setToken(tenantResponse.Token)
-			c.setCustomerGUID(tenantResponse.TenantID)
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
+	if customerGUID != "" {
+		c.configObj.CustomerGUID = customerGUID // override config customerGUID
+	}
+	if c.configObj.CustomerGUID != "" {
+		if err := c.SetTenant(); err != nil {
+			fmt.Println(err)
 		}
 	}
+	if c.configObj.ClusterName == "" {
+		c.configObj.ClusterName = adoptClusterName(k8sinterface.GetClusterName())
+	}

+	return c
+}
+
+func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string     { return c.defaultNS }
+func (c *ClusterConfig) GetCustomerGUID() string  { return c.configObj.CustomerGUID }
+func (c *ClusterConfig) IsConfigFound() bool {
+	return existsConfigFile() || existsConfigMap(c.k8s, c.defaultNS)
+}
+
+func (c *ClusterConfig) SetTenant() error {
+
+	// ARMO tenant GUID
+	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
+		return err
+	}
 	// update/create config
-	if c.existsConfigMap() {
+	if existsConfigMap(c.k8s, c.defaultNS) {
 		c.updateConfigMap()
 	} else {
 		c.createConfigMap()
 	}
-	c.updateConfigFile()
-
+	updateConfigFile(c.configObj)
 	return nil
+
 }

-func (c *ClusterConfig) setToken(token string) {
-	c.configObj.Token = token
-}
-
-func (c *ClusterConfig) setCustomerAdminEMail(customerAdminEMail string) {
-	c.configObj.CustomerAdminEMail = customerAdminEMail
-}
-func (c *ClusterConfig) setCustomerGUID(customerGUID string) {
-	c.configObj.CustomerGUID = customerGUID
-}
-
-func (c *ClusterConfig) setClusterName(clusterName string) {
-	c.configObj.ClusterName = adoptClusterName(clusterName)
-}
 func (c *ClusterConfig) GetClusterName() string {
 	return c.configObj.ClusterName
 }
-func (c *ClusterConfig) LoadConfig() {
-	// get from configMap
-	if c.existsConfigMap() {
-		c.configObj, _ = c.loadConfigFromConfigMap()
-	} else if existsConfigFile() { // get from file
-		c.configObj, _ = loadConfigFromFile()
-	} else {
-		c.configObj = &ConfigObj{}
-	}
-}

 func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	m := map[string]interface{}{}
@@ -266,11 +221,8 @@ func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	}
 	return m
 }
-func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
-	if c.k8s == nil {
-		return nil, nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+func loadConfigFromConfigMap(k8s *k8sinterface.KubernetesApi, ns string) (*ConfigObj, error) {
+	configMap, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -281,8 +233,8 @@ func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
 	return nil, nil
 }

-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+func existsConfigMap(k8s *k8sinterface.KubernetesApi, ns string) bool {
+	_, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
 	// TODO - check if has customerGUID
 	return err == nil
 }
@@ -401,8 +353,8 @@ func (c *ClusterConfig) updateConfigMap() error {
 	return err
 }

-func (c *ClusterConfig) updateConfigFile() error {
-	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Config(), 0664); err != nil {
+func updateConfigFile(configObj *ConfigObj) error {
+	if err := os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664); err != nil {
 		return err
 	}
 	return nil
@@ -439,12 +391,12 @@ func readConfig(dat []byte) (*ConfigObj, error) {
 }

 // Check if the customer is submitted
-func IsSubmitted(clusterConfig *ClusterConfig) bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
+func (clusterConfig *ClusterConfig) IsSubmitted() bool {
+	return existsConfigMap(clusterConfig.k8s, clusterConfig.defaultNS) || existsConfigFile()
 }

 // Check if the customer is registered
-func IsRegistered(clusterConfig *ClusterConfig) bool {
+func (clusterConfig *ClusterConfig) IsRegistered() bool {

 	// get from armoBE
 	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
@@ -456,8 +408,8 @@ func IsRegistered(clusterConfig *ClusterConfig) bool {
 	return false
 }

-func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
-	if err := DeleteConfigMap(k8s); err != nil {
+func (clusterConfig *ClusterConfig) DeleteConfig() error {
+	if err := DeleteConfigMap(clusterConfig.k8s); err != nil {
 		return err
 	}
 	if err := DeleteConfigFile(); err != nil {
--- a/cautils/datastructures.go
+++ b/cautils/datastructures.go
@@ -2,24 +2,27 @@ package cautils

 import (
 	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/opa-utils/reporthandling"
 )

-// K8SResources map[<api group>/<api version>/<resource>]<resource object>
-type K8SResources map[string]interface{}
+// K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
+type K8SResources map[string][]string

 type OPASessionObj struct {
-	Frameworks    []reporthandling.Framework
-	K8SResources  *K8SResources
-	Exceptions    []armotypes.PostureExceptionPolicy
-	PostureReport *reporthandling.PostureReport
-	RegoInputData RegoInputData // map[<control name>][<input arguments>]
+	K8SResources  *K8SResources                          // input k8s objects
+	Frameworks    []reporthandling.Framework             // list of frameworks to scan
+	AllResources  map[string]workloadinterface.IMetadata // all scanned resources, map[<rtesource ID>]<resource>
+	PostureReport *reporthandling.PostureReport          // scan results
+	Exceptions    []armotypes.PostureExceptionPolicy     // list of exceptions to apply on scan results
+	RegoInputData RegoInputData                          // input passed to rgo for scanning. map[<control name>][<input arguments>]
 }

 func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
 	return &OPASessionObj{
 		Frameworks:   frameworks,
 		K8SResources: k8sResources,
+		AllResources: make(map[string]workloadinterface.IMetadata),
 		PostureReport: &reporthandling.PostureReport{
 			ClusterName:  ClusterName,
 			CustomerGUID: CustomerGUID,
@@ -31,6 +34,7 @@ func NewOPASessionObjMock() *OPASessionObj {
 	return &OPASessionObj{
 		Frameworks:   nil,
 		K8SResources: nil,
+		AllResources: make(map[string]workloadinterface.IMetadata),
 		PostureReport: &reporthandling.PostureReport{
 			ClusterName:  "",
 			CustomerGUID: "",
--- a/cautils/getter/armoapi.go
+++ b/cautils/getter/armoapi.go
@@ -1,8 +1,10 @@
 package getter

 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"

 	"github.com/armosec/armoapi-go/armotypes"
@@ -23,15 +25,16 @@ var (

 	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
 	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui.eudev3.cyberarmorsoft.com"
+	armoDevFEURL = "armoui-dev.eudev3.cyberarmorsoft.com"
 )

 // Armo API for downloading policies
 type ArmoAPI struct {
-	httpClient *http.Client
-	apiURL     string
-	erURL      string
-	feURL      string
+	httpClient   *http.Client
+	apiURL       string
+	erURL        string
+	feURL        string
+	customerGUID string
 }

 var globalArmoAPIConnecctor *ArmoAPI
@@ -82,7 +85,10 @@ func newArmoAPI() *ArmoAPI {
 		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
 	}
 }
+func (armoAPI *ArmoAPI) SetCustomerGUID(customerGUID string) {
+	armoAPI.customerGUID = customerGUID

+}
 func (armoAPI *ArmoAPI) GetFrontendURL() string {
 	return armoAPI.feURL
 }
@@ -92,7 +98,7 @@ func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
 }

 func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -106,12 +112,16 @@ func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, er
 	return framework, err
 }

+func (armoAPI *ArmoAPI) GetControl(policyName string) (*reporthandling.Control, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
 func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions := []armotypes.PostureExceptionPolicy{}
 	if customerGUID == "" {
 		return exceptions, nil
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +138,7 @@ func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, e
 	if customerGUID != "" {
 		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url)
+	respStr, err := HttpGetter(armoAPI.httpClient, url, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +156,7 @@ func (armoAPI *ArmoAPI) GetAccountConfig(customerGUID, clusterName string) (*arm
 	if customerGUID == "" {
 		return accountConfig, nil
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(customerGUID, clusterName))
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(customerGUID, clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -167,6 +177,48 @@ func (armoAPI *ArmoAPI) GetControlsInputs(customerGUID, clusterName string) (map
 	return nil, err
 }

+func (armoAPI *ArmoAPI) ListCustomFrameworks(customerGUID string) ([]string, error) {
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if !isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
+func (armoAPI *ArmoAPI) ListFrameworks(customerGUID string) ([]string, error) {
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
+		} else {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
 type TenantResponse struct {
 	TenantID  string `json:"tenantId"`
 	Token     string `json:"token"`
--- a/cautils/getter/armoapiutils.go
+++ b/cautils/getter/armoapiutils.go
@@ -5,20 +5,37 @@ import (
 	"strings"
 )

+var NativeFrameworks = []string{"nsa", "mitre", "armobest"}
+
 func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = armoAPI.apiURL
-	u.Path = "v1/armoFrameworks"
+	u.Path = "api/v1/armoFrameworks"
 	q := u.Query()
-	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
-	q.Add("frameworkName", strings.ToUpper(frameworkName))
-	q.Add("getRules", "true")
+	q.Add("customerGUID", armoAPI.customerGUID)
+	if isNativeFramework(frameworkName) {
+		q.Add("frameworkName", strings.ToUpper(frameworkName))
+	} else {
+		// For customer framework has to be the way it was added
+		q.Add("frameworkName", frameworkName)
+	}
 	u.RawQuery = q.Encode()

 	return u.String()
 }

+func (armoAPI *ArmoAPI) getListFrameworkURL() string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "api/v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", armoAPI.customerGUID)
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
 func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
@@ -39,7 +56,7 @@ func (armoAPI *ArmoAPI) getAccountConfig(customerGUID, clusterName string) strin
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/customerConfiguration"
+	u.Path = "api/v1/armoCustomerConfiguration"

 	q := u.Query()
 	q.Add("customerGUID", customerGUID)
--- a/cautils/getter/downloadreleasedpolicy.go
+++ b/cautils/getter/downloadreleasedpolicy.go
@@ -11,26 +11,22 @@ import (
 // ======================================== DownloadReleasedPolicy =======================================================
 // =======================================================================================================================

-// Download released version
+// Use gitregostore to get policies from github release
 type DownloadReleasedPolicy struct {
 	gs *gitregostore.GitRegoStore
 }

 func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	return &DownloadReleasedPolicy{
-		gs: gitregostore.InitDefaultGitRegoStore(-1),
+		gs: gitregostore.NewDefaultGitRegoStore(-1),
 	}
 }

-// Return control per name/id using ARMO api
 func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
 	var control *reporthandling.Control
 	var err error
-	if strings.HasPrefix(policyName, "C-") || strings.HasPrefix(policyName, "c-") {
-		control, err = drp.gs.GetOPAControlByID(policyName)
-	} else {
-		control, err = drp.gs.GetOPAControlByName(policyName)
-	}
+
+	control, err = drp.gs.GetOPAControl(policyName)
 	if err != nil {
 		return nil, err
 	}
@@ -44,3 +40,20 @@ func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Fr
 	}
 	return framework, err
 }
+
+func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
+	return drp.gs.SetRegoObjects()
+}
+
+func isNativeFramework(framework string) bool {
+	return contains(NativeFrameworks, framework)
+}
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if strings.EqualFold(v, str) {
+			return true
+		}
+	}
+	return false
+}
--- a/cautils/getter/getpoliciesutils.go
+++ b/cautils/getter/getpoliciesutils.go
@@ -1,6 +1,7 @@
 package getter

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -77,12 +78,14 @@ func JSONDecoder(origin string) *json.Decoder {
 	return dec
 }

-func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
+func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {

 	req, err := http.NewRequest("GET", fullURL, nil)
 	if err != nil {
 		return "", err
 	}
+	addHeaders(req, headers)
+
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return "", err
@@ -94,6 +97,32 @@ func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
 	return respStr, nil
 }

+func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
+
+	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
+	if err != nil {
+		return "", err
+	}
+	addHeaders(req, headers)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func addHeaders(req *http.Request, headers map[string]string) {
+	if len(headers) >= 0 { // might be nil
+		for k, v := range headers {
+			req.Header.Add(k, v)
+		}
+	}
+}
+
 // HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
 func httpRespToString(resp *http.Response) (string, error) {
 	if resp == nil || resp.Body == nil {
--- a/cautils/getter/loadpolicy.go
+++ b/cautils/getter/loadpolicy.go
@@ -40,7 +40,7 @@ func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, e
 		return control, err
 	}
 	if controlName != "" && !strings.EqualFold(controlName, control.Name) && !strings.EqualFold(controlName, control.ControlID) {
-		framework, err := lp.GetFramework(controlName)
+		framework, err := lp.GetFramework(control.Name)
 		if err != nil {
 			return nil, fmt.Errorf("control from file not matching")
 		} else {
--- a/cautils/rbac.go
+++ b/cautils/rbac.go
@@ -0,0 +1,117 @@
+package cautils
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/rbac-utils/rbacscanner"
+	"github.com/armosec/rbac-utils/rbacutils"
+	uuid "github.com/satori/go.uuid"
+)
+
+type RBACObjects struct {
+	scanner *rbacscanner.RbacScannerFromK8sAPI
+}
+
+func NewRBACObjects(scanner *rbacscanner.RbacScannerFromK8sAPI) *RBACObjects {
+	return &RBACObjects{scanner: scanner}
+}
+
+func (rbacObjects *RBACObjects) SetResourcesReport() (*reporthandling.PostureReport, error) {
+	return &reporthandling.PostureReport{
+		ReportID:             uuid.NewV4().String(),
+		ReportGenerationTime: time.Now().UTC(),
+		CustomerGUID:         rbacObjects.scanner.CustomerGUID,
+		ClusterName:          rbacObjects.scanner.ClusterName,
+	}, nil
+}
+
+func (rbacObjects *RBACObjects) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
+	resources, err := rbacObjects.scanner.ListResources()
+	if err != nil {
+		return nil, err
+	}
+	allresources, err := rbacObjects.rbacObjectsToResources(resources)
+	if err != nil {
+		return nil, err
+	}
+	return allresources, nil
+}
+
+func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.RbacObjects) (map[string]workloadinterface.IMetadata, error) {
+	allresources := map[string]workloadinterface.IMetadata{}
+	// wrap rbac aggregated objects in IMetadata and add to allresources
+	rbacIMeta, err := rbacutils.RbacObjectIMetadataWrapper(resources.Rbac)
+	if err != nil {
+		return nil, err
+	}
+	allresources[rbacIMeta.GetID()] = rbacIMeta
+	rbacTableIMeta, err := rbacutils.RbacTableObjectIMetadataWrapper(resources.RbacT)
+	if err != nil {
+		return nil, err
+	}
+	allresources[rbacTableIMeta.GetID()] = rbacTableIMeta
+	SA2WLIDmapIMeta, err := rbacutils.SA2WLIDmapIMetadataWrapper(resources.SA2WLIDmap)
+	if err != nil {
+		return nil, err
+	}
+	allresources[SA2WLIDmapIMeta.GetID()] = SA2WLIDmapIMeta
+
+	// convert rbac k8s resources to IMetadata and add to allresources
+	for _, cr := range resources.ClusterRoles.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("ClusterRole")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.Roles.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("Role")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.ClusterRoleBindings.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("ClusterRoleBinding")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.RoleBindings.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("RoleBinding")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	return allresources, nil
+}
+
+func convertToMap(obj interface{}) (map[string]interface{}, error) {
+	var inInterface map[string]interface{}
+	inrec, err := json.Marshal(obj)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(inrec, &inInterface)
+	if err != nil {
+		return nil, err
+	}
+	return inInterface, nil
+}
--- a/cautils/reporterutils.go
+++ b/cautils/reporterutils.go
@@ -1,5 +0,0 @@
-package cautils
-
-const (
-	ComponentIdentifier = "Posture"
-)
--- a/cautils/scaninfo.go
+++ b/cautils/scaninfo.go
@@ -1,29 +1,71 @@
 package cautils

 import (
+	"fmt"
 	"path/filepath"

 	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/opa-utils/reporthandling"
 )

+const (
+	ScanCluster    string = "cluster"
+	ScanLocalFiles string = "yaml"
+)
+
+type BoolPtrFlag struct {
+	valPtr *bool
+}
+
+func (bpf *BoolPtrFlag) Type() string {
+	return "bool"
+}
+
+func (bpf *BoolPtrFlag) String() string {
+	if bpf.valPtr != nil {
+		return fmt.Sprintf("%v", *bpf.valPtr)
+	}
+	return ""
+}
+func (bpf *BoolPtrFlag) Get() *bool {
+	return bpf.valPtr
+}
+
+func (bpf *BoolPtrFlag) SetBool(val bool) {
+	bpf.valPtr = &val
+}
+
+func (bpf *BoolPtrFlag) Set(val string) error {
+	switch val {
+	case "true":
+		bpf.SetBool(true)
+	case "false":
+		bpf.SetBool(false)
+	}
+	return nil
+}
+
 type ScanInfo struct {
 	Getters
 	PolicyIdentifier   []reporthandling.PolicyIdentifier
-	UseExceptions      string   // Load file with exceptions configuration
-	ControlsInputs     string   // Load file with inputs for controls
-	UseFrom            []string // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
-	Format             string   // Format results (table, json, junit ...)
-	Output             string   // Store results in an output file, Output file name
-	ExcludedNamespaces string   // DEPRECATED?
-	InputPatterns      []string // Yaml files input patterns
-	Silent             bool     // Silent mode - Do not print progress logs
-	FailThreshold      uint16   // Failure score threshold
-	Submit             bool     // Submit results to Armo BE
-	Local              bool     // Do not submit results
-	Account            string   // account ID
-	FrameworkScan      bool     // false if scanning control
+	UseExceptions      string      // Load file with exceptions configuration
+	ControlsInputs     string      // Load file with inputs for controls
+	UseFrom            []string    // Load framework from local file (instead of download). Use when running offline
+	UseDefault         bool        // Load framework from cached file (instead of download). Use when running offline
+	VerboseMode        bool        // Display all of the input resources and not only failed resources
+	Format             string      // Format results (table, json, junit ...)
+	Output             string      // Store results in an output file, Output file name
+	ExcludedNamespaces string      // used for host sensor namespace
+	IncludeNamespaces  string      // DEPRECATED?
+	InputPatterns      []string    // Yaml files input patterns
+	Silent             bool        // Silent mode - Do not print progress logs
+	FailThreshold      uint16      // Failure score threshold
+	Submit             bool        // Submit results to Armo BE
+	HostSensor         BoolPtrFlag // Deploy ARMO K8s host sensor to collect data from certain controls
+	Local              bool        // Do not submit results
+	Account            string      // account ID
+	FrameworkScan      bool        // false if scanning control
+	ScanAll            bool        // true if scan all frameworks
 }

 type Getters struct {
@@ -37,7 +79,6 @@ func (scanInfo *ScanInfo) Init() {
 	scanInfo.setUseExceptions()
 	scanInfo.setAccountConfig()
 	scanInfo.setOutputFile()
-	scanInfo.setGetter()

 }

@@ -65,14 +106,6 @@ func (scanInfo *ScanInfo) setUseFrom() {
 		}
 	}
 }
-func (scanInfo *ScanInfo) setGetter() {
-	if len(scanInfo.UseFrom) > 0 {
-		// load from file
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
-	}
-}

 func (scanInfo *ScanInfo) setOutputFile() {
 	if scanInfo.Output == "" {
@@ -90,6 +123,29 @@ func (scanInfo *ScanInfo) setOutputFile() {
 	}
 }

-func (scanInfo *ScanInfo) ScanRunningCluster() bool {
-	return len(scanInfo.InputPatterns) == 0
+func (scanInfo *ScanInfo) GetScanningEnvironment() string {
+	if len(scanInfo.InputPatterns) != 0 {
+		return ScanLocalFiles
+	}
+	return ScanCluster
+}
+
+func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind reporthandling.NotificationPolicyKind) {
+	for _, policy := range policies {
+		if !scanInfo.contains(policy) {
+			newPolicy := reporthandling.PolicyIdentifier{}
+			newPolicy.Kind = kind // reporthandling.KindFramework
+			newPolicy.Name = policy
+			scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
+		}
+	}
+}
+
+func (scanInfo *ScanInfo) contains(policyName string) bool {
+	for _, policy := range scanInfo.PolicyIdentifier {
+		if policy.Name == policyName {
+			return true
+		}
+	}
+	return false
 }
--- a/cautils/versioncheck.go
+++ b/cautils/versioncheck.go
@@ -0,0 +1,133 @@
+package cautils
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/armosec/kubescape/cautils/getter"
+	pkgutils "github.com/armosec/utils-go/utils"
+)
+
+const SKIP_VERSION_CHECK = "KUBESCAPE_SKIP_UPDATE_CHECK"
+
+var BuildNumber string
+
+const UnknownBuildNumber = "unknown"
+
+type IVersionCheckHandler interface {
+	CheckLatestVersion(*VersionCheckRequest) error
+}
+
+func NewIVersionCheckHandler() IVersionCheckHandler {
+	if BuildNumber == "" {
+		WarningDisplay(os.Stdout, "Warning: unknown build number, this might affect your scan results. Please make sure you are updated to latest version.\n")
+	}
+	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && pkgutils.StringToBool(v) {
+		return NewVersionCheckHandlerMock()
+	}
+	return NewVersionCheckHandler()
+}
+
+type VersionCheckHandlerMock struct {
+}
+
+func NewVersionCheckHandlerMock() *VersionCheckHandlerMock {
+	return &VersionCheckHandlerMock{}
+}
+
+type VersionCheckHandler struct {
+	versionURL string
+}
+type VersionCheckRequest struct {
+	Client           string `json:"client"`           // kubescape
+	ClientVersion    string `json:"clientVersion"`    // kubescape version
+	Framework        string `json:"framework"`        // framework name
+	FrameworkVersion string `json:"frameworkVersion"` // framework version
+	ScanningTarget   string `json:"target"`           // scanning target- cluster/yaml
+}
+
+type VersionCheckResponse struct {
+	Client          string `json:"client"`          // kubescape
+	ClientUpdate    string `json:"clientUpdate"`    // kubescape latest version
+	Framework       string `json:"framework"`       // framework name
+	FrameworkUpdate string `json:"frameworkUpdate"` // framework latest version
+	Message         string `json:"message"`         // alert message
+}
+
+func NewVersionCheckHandler() *VersionCheckHandler {
+	return &VersionCheckHandler{
+		versionURL: "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
+	}
+}
+func NewVersionCheckRequest(buildNumber, frameworkName, frameworkVersion, scanningTarget string) *VersionCheckRequest {
+	if buildNumber == "" {
+		buildNumber = UnknownBuildNumber
+	}
+	return &VersionCheckRequest{
+		Client:           "kubescape",
+		ClientVersion:    buildNumber,
+		Framework:        frameworkName,
+		FrameworkVersion: frameworkVersion,
+		ScanningTarget:   scanningTarget,
+	}
+}
+
+func (v *VersionCheckHandlerMock) CheckLatestVersion(versionData *VersionCheckRequest) error {
+	fmt.Println("Skipping version check")
+	return nil
+}
+
+func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckRequest) error {
+	defer func() {
+		if err := recover(); err != nil {
+			fmt.Println("failed to get latest version")
+		}
+	}()
+
+	latestVersion, err := v.getLatestVersion(versionData)
+	if err != nil || latestVersion == nil {
+		return fmt.Errorf("failed to get latest version")
+	}
+
+	if latestVersion.ClientUpdate != "" {
+		if BuildNumber != "" && BuildNumber < latestVersion.ClientUpdate {
+			fmt.Println(warningMessage(latestVersion.Client, latestVersion.ClientUpdate))
+		}
+	}
+
+	// TODO - Enable after supporting framework version
+	// if latestVersion.FrameworkUpdate != "" {
+	// 	fmt.Println(warningMessage(latestVersion.Framework, latestVersion.FrameworkUpdate))
+	// }
+
+	if latestVersion.Message != "" {
+		fmt.Println(latestVersion.Message)
+	}
+
+	return nil
+}
+
+func (v *VersionCheckHandler) getLatestVersion(versionData *VersionCheckRequest) (*VersionCheckResponse, error) {
+
+	reqBody, err := json.Marshal(*versionData)
+	if err != nil {
+		return nil, fmt.Errorf("in 'CheckLatestVersion' failed to json.Marshal, reason: %s", err.Error())
+	}
+
+	resp, err := getter.HttpPost(http.DefaultClient, v.versionURL, map[string]string{"Content-Type": "application/json"}, reqBody)
+	if err != nil {
+		return nil, err
+	}
+
+	vResp := &VersionCheckResponse{}
+	if err = getter.JSONDecoder(resp).Decode(vResp); err != nil {
+		return nil, err
+	}
+	return vResp, nil
+}
+
+func warningMessage(kind, release string) string {
+	return fmt.Sprintf("Warning: '%s' is not updated to the latest release: '%s'", kind, release)
+}
--- a/clihandler/cliinterfaces/submit.go
+++ b/clihandler/cliinterfaces/submit.go
@@ -0,0 +1,19 @@
+package cliinterfaces
+
+import (
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/resultshandling/reporter"
+	"github.com/armosec/opa-utils/reporthandling"
+)
+
+type ISubmitObjects interface {
+	SetResourcesReport() (*reporthandling.PostureReport, error)
+	ListAllResources() (map[string]workloadinterface.IMetadata, error)
+}
+
+type SubmitInterfaces struct {
+	SubmitObjects ISubmitObjects
+	Reporter      reporter.IReport
+	ClusterConfig cautils.ITenantConfig
+}
--- a/clihandler/cmd/cluster_get.go
+++ b/clihandler/cmd/cluster_get.go
@@ -7,7 +7,6 @@ import (
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
 	"github.com/spf13/cobra"
 )

@@ -15,7 +14,7 @@ var getCmd = &cobra.Command{
 	Use:       "get <key>",
 	Short:     "Get configuration in cluster",
 	Long:      ``,
-	ValidArgs: clihandler.SupportedFrameworks,
+	ValidArgs: getter.NativeFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument")
@@ -32,7 +31,7 @@ var getCmd = &cobra.Command{
 		key := keyValue[0]

 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
 		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
--- a/clihandler/cmd/cluster_set.go
+++ b/clihandler/cmd/cluster_set.go
@@ -30,7 +30,7 @@ var setCmd = &cobra.Command{
 		data := keyValue[1]

 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
 		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
 			return err
 		}
--- a/clihandler/cmd/control.go
+++ b/clihandler/cmd/control.go
@@ -2,10 +2,12 @@ package cmd

 import (
 	"fmt"
+	"io"
 	"os"
 	"strings"

 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
@@ -14,13 +16,13 @@ import (
 // controlCmd represents the control command
 var controlCmd = &cobra.Command{
 	Use:   "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", clihandler.ValidFrameworks),
+	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			controls := strings.Split(args[0], ",")
 			if len(controls) > 1 {
 				if controls[1] == "" {
-					return fmt.Errorf("usage: <control_one>,<control_two>")
+					return fmt.Errorf("usage: <control-0>,<control-1>")
 				}
 			}
 		} else {
@@ -32,24 +34,36 @@ var controlCmd = &cobra.Command{
 		flagValidationControl()
 		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}

-		if len(args) < 1 {
-			scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(clihandler.SupportedFrameworks)
-		} else {
-			var controls []string
-			if len(args) > 0 {
-				controls = strings.Split(args[0], ",")
-				scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-				scanInfo.PolicyIdentifier = setScanForFirstControl(controls)
-			}
+		if len(args) == 0 {
+			scanInfo.SetPolicyIdentifiers(getter.NativeFrameworks, reporthandling.KindFramework)
+			scanInfo.ScanAll = true
+		} else { // expected control or list of control sepparated by ","

-			if len(controls) > 1 {
-				scanInfo.PolicyIdentifier = SetScanForGivenControls(controls[1:])
+			// Read controls from input args
+			scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), reporthandling.KindControl)
+
+			if len(args) > 1 {
+				if len(args[1:]) == 0 || args[1] != "-" {
+					scanInfo.InputPatterns = args[1:]
+				} else { // store stdin to file - do NOT move to separate function !!
+					tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+					if err != nil {
+						return err
+					}
+					defer os.Remove(tempFile.Name())
+
+					if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+						return err
+					}
+					scanInfo.InputPatterns = []string{tempFile.Name()}
+				}
 			}
 		}
+
 		scanInfo.FrameworkScan = false
 		scanInfo.Init()
 		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
+		err := clihandler.ScanCliSetup(&scanInfo)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: %v\n", err)
 			os.Exit(1)
--- a/clihandler/cmd/download.go
+++ b/clihandler/cmd/download.go
@@ -6,14 +6,13 @@ import (

 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
 	"github.com/spf13/cobra"
 )

 var downloadInfo cautils.DownloadInfo

 var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
+	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", getter.NativeFrameworks),
 	Short: "Download framework/control",
 	Long:  ``,
 	Args: func(cmd *cobra.Command, args []string) error {
@@ -29,6 +28,10 @@ var downloadCmd = &cobra.Command{
 		if strings.EqualFold(args[0], "framework") {
 			downloadInfo.FrameworkName = strings.ToLower(args[1])
 			g := getter.NewDownloadReleasedPolicy()
+			if err := g.SetRegoObjects(); err != nil {
+				return err
+			}
+
 			if downloadInfo.Path == "" {
 				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
 			}
@@ -43,6 +46,9 @@ var downloadCmd = &cobra.Command{
 		} else if strings.EqualFold(args[0], "control") {
 			downloadInfo.ControlName = strings.ToLower(args[1])
 			g := getter.NewDownloadReleasedPolicy()
+			if err := g.SetRegoObjects(); err != nil {
+				return err
+			}
 			if downloadInfo.Path == "" {
 				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.ControlName + ".json")
 			}
--- a/clihandler/cmd/framework.go
+++ b/clihandler/cmd/framework.go
@@ -7,23 +7,48 @@ import (
 	"strings"

 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
 )

+var (
+	frameworkExample = `
+  # Scan all frameworks and submit the results
+  kubescape scan --submit
+  
+  # Scan the NSA framework
+  kubescape scan framework nsa
+  
+  # Scan the NSA and MITRE framework
+  kubescape scan framework nsa,mitre
+  
+  # Scan kubernetes YAML manifest files
+  kubescape scan framework nsa *.yaml
+
+  # Scan and save the results in the JSON format
+  kubescape scan --format json --output results.json
+
+  # Save scan results in JSON format
+  kubescape scan --format json --output results.json
+
+  # Display all resources
+  kubescape scan --verbose
+`
+)
 var frameworkCmd = &cobra.Command{
-	Use:       fmt.Sprintf("framework <framework names list> [`<glob pattern>`/`-`] [flags]\nExamples:\n$ kubescape scan framework nsa [flags]\n$ kubescape scan framework mitre,nsa [flags]\n$ kubescape scan framework 'nsa, mitre' [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")),
+	Use:       "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
+	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(getter.NativeFrameworks, ", ")),
+	Example:   frameworkExample,
 	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: clihandler.SupportedFrameworks,
+	ValidArgs: getter.NativeFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
-			// "nsa, mitre" -> ["nsa", "mitre"] and nsa,mitre -> ["nsa", "mitre"]
-			frameworks := strings.Split(strings.Join(strings.Fields(args[0]), ""), ",")
-			for _, framework := range frameworks {
-				if !isValidFramework(strings.ToLower(framework)) {
-					return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")))
+			frameworks := strings.Split(args[0], ",")
+			if len(frameworks) > 1 {
+				if frameworks[1] == "" {
+					return fmt.Errorf("usage: <framework-0>,<framework-1>")
 				}
 			}
 		} else {
@@ -33,75 +58,57 @@ var frameworkCmd = &cobra.Command{
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		flagValidationFramework()
-		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-		// If no framework provided, use all
-		if len(args) < 1 {
-			scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(clihandler.SupportedFrameworks)
+		var frameworks []string
+
+		if len(args) == 0 { // scan all frameworks
+			frameworks = getter.NativeFrameworks
+			scanInfo.ScanAll = true
 		} else {
 			// Read frameworks from input args
-			scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-			frameworks := strings.Split(strings.Join(strings.Fields(args[0]), ""), ",")
-			scanInfo.PolicyIdentifier = SetScanForFirstFramework(frameworks)
-			if len(frameworks) > 1 {
-				scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(frameworks[1:])
-			}
-		}
-		if len(args) > 0 {
-			if len(args[1:]) == 0 || args[1] != "-" {
-				scanInfo.InputPatterns = args[1:]
-			} else { // store stout to file
-				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-				if err != nil {
-					return err
-				}
-				defer os.Remove(tempFile.Name())
+			frameworks = strings.Split(args[0], ",")

-				if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-					return err
+			if len(args) > 1 {
+				if len(args[1:]) == 0 || args[1] != "-" {
+					scanInfo.InputPatterns = args[1:]
+				} else { // store stdin to file - do NOT move to separate function !!
+					tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+					if err != nil {
+						return err
+					}
+					defer os.Remove(tempFile.Name())
+
+					if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+						return err
+					}
+					scanInfo.InputPatterns = []string{tempFile.Name()}
 				}
-				scanInfo.InputPatterns = []string{tempFile.Name()}
 			}
 		}
+		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
+
 		scanInfo.Init()
 		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
+		err := clihandler.ScanCliSetup(&scanInfo)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
+			return err
 		}
 		return nil
 	},
 }

-func isValidFramework(framework string) bool {
-	return cautils.StringInSlice(clihandler.SupportedFrameworks, framework) != cautils.ValueNotFound
-}
-
 func init() {
 	scanCmd.AddCommand(frameworkCmd)
 	scanInfo = cautils.ScanInfo{}
 	scanInfo.FrameworkScan = true
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
-}
-func SetScanForGivenFrameworks(frameworks []string) []reporthandling.PolicyIdentifier {
-	for _, framework := range frameworks {
-		newPolicy := reporthandling.PolicyIdentifier{}
-		newPolicy.Kind = reporthandling.KindFramework
-		newPolicy.Name = framework
-		scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	}
-	return scanInfo.PolicyIdentifier
 }

-func SetScanForFirstFramework(frameworks []string) []reporthandling.PolicyIdentifier {
-	newPolicy := reporthandling.PolicyIdentifier{}
-	newPolicy.Kind = reporthandling.KindFramework
-	newPolicy.Name = frameworks[0]
-	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	return scanInfo.PolicyIdentifier
-}
+// func SetScanForFirstFramework(frameworks []string) []reporthandling.PolicyIdentifier {
+// 	newPolicy := reporthandling.PolicyIdentifier{}
+// 	newPolicy.Kind = reporthandling.KindFramework
+// 	newPolicy.Name = frameworks[0]
+// 	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
+// 	return scanInfo.PolicyIdentifier
+// }

 func flagValidationFramework() {
 	if scanInfo.Submit && scanInfo.Local {
--- a/clihandler/cmd/rbac.go
+++ b/clihandler/cmd/rbac.go
@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/clihandler/cliinterfaces"
+	"github.com/armosec/kubescape/resultshandling/reporter"
+	"github.com/armosec/rbac-utils/rbacscanner"
+	"github.com/spf13/cobra"
+)
+
+// rabcCmd represents the RBAC command
+var rabcCmd = &cobra.Command{
+	Use:   "rbac \nExample:\n$ kubescape submit rbac",
+	Short: "Submit cluster's Role-Based Access Control(RBAC)",
+	Long:  ``,
+	RunE: func(cmd *cobra.Command, args []string) error {
+
+		k8s := k8sinterface.NewKubernetesApi()
+
+		// get config
+		clusterConfig, err := getSubmittedClusterConfig(k8s)
+		if err != nil {
+			return err
+		}
+
+		// list RBAC
+		rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName()))
+
+		// submit resources
+		r := reporter.NewReportEventReceiver(clusterConfig.GetConfigObj())
+
+		submitInterfaces := cliinterfaces.SubmitInterfaces{
+			ClusterConfig: clusterConfig,
+			SubmitObjects: rbacObjects,
+			Reporter:      r,
+		}
+
+		if err := clihandler.Submit(submitInterfaces); err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		return nil
+	},
+}
+
+func init() {
+	submitCmd.AddCommand(rabcCmd)
+}
--- a/clihandler/cmd/results.go
+++ b/clihandler/cmd/results.go
@@ -0,0 +1,107 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/clihandler/cliinterfaces"
+	"github.com/armosec/kubescape/resultshandling/reporter"
+	"github.com/armosec/opa-utils/reporthandling"
+	uuid "github.com/satori/go.uuid"
+	"github.com/spf13/cobra"
+)
+
+type ResultsObject struct {
+	filePath     string
+	customerGUID string
+	clusterName  string
+}
+
+func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
+	return &ResultsObject{
+		filePath:     filePath,
+		customerGUID: customerGUID,
+		clusterName:  clusterName,
+	}
+}
+
+func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandling.PostureReport, error) {
+	// load framework results from json file
+	frameworkReports, err := loadResultsFromFile(resultsObject.filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	return &reporthandling.PostureReport{
+		FrameworkReports:     frameworkReports,
+		ReportID:             uuid.NewV4().String(),
+		ReportGenerationTime: time.Now().UTC(),
+		CustomerGUID:         resultsObject.customerGUID,
+		ClusterName:          resultsObject.clusterName,
+	}, nil
+}
+
+func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
+	return map[string]workloadinterface.IMetadata{}, nil
+}
+
+var resultsCmd = &cobra.Command{
+	Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json",
+	Short: "Submit a pre scanned results file. The file must be in json format",
+	Long:  ``,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if len(args) == 0 {
+			return fmt.Errorf("missing results file")
+		}
+
+		k8s := k8sinterface.NewKubernetesApi()
+
+		// get config
+		clusterConfig, err := getSubmittedClusterConfig(k8s)
+		if err != nil {
+			return err
+		}
+
+		resultsObjects := NewResultsObject(clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName(), args[0])
+
+		// submit resources
+		r := reporter.NewReportEventReceiver(clusterConfig.GetConfigObj())
+
+		submitInterfaces := cliinterfaces.SubmitInterfaces{
+			ClusterConfig: clusterConfig,
+			SubmitObjects: resultsObjects,
+			Reporter:      r,
+		}
+
+		if err := clihandler.Submit(submitInterfaces); err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		return nil
+	},
+}
+
+func init() {
+	submitCmd.AddCommand(resultsCmd)
+}
+
+func loadResultsFromFile(filePath string) ([]reporthandling.FrameworkReport, error) {
+	frameworkReports := []reporthandling.FrameworkReport{}
+	f, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(f, &frameworkReports); err != nil {
+		frameworkReport := reporthandling.FrameworkReport{}
+		if err = json.Unmarshal(f, &frameworkReport); err != nil {
+			return frameworkReports, err
+		}
+		frameworkReports = append(frameworkReports, frameworkReport)
+	}
+	return frameworkReports, nil
+}
--- a/clihandler/cmd/root.go
+++ b/clihandler/cmd/root.go
@@ -31,6 +31,7 @@ func Execute() {
 }

 func init() {
+	rootCmd.PersistentFlags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
 	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().MarkHidden("environment")
--- a/clihandler/cmd/scan.go
+++ b/clihandler/cmd/scan.go
@@ -5,7 +5,7 @@ import (
 	"strings"

 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/spf13/cobra"
 )

@@ -26,8 +26,9 @@ var scanCmd = &cobra.Command{
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		if len(args) == 0 {
-			frameworkArgs := []string{clihandler.ValidFrameworks}
-			frameworkArgs = append(frameworkArgs, args...)
+			scanInfo.ScanAll = true
+			frameworks := getter.NativeFrameworks
+			frameworkArgs := []string{strings.Join(frameworks, ",")}
 			frameworkCmd.RunE(cmd, frameworkArgs)
 		}
 	},
@@ -35,13 +36,21 @@ var scanCmd = &cobra.Command{

 func init() {
 	rootCmd.AddCommand(scanCmd)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system, kube-public")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"`)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
-	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent bellow which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
+	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent below which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"/"prometheus"`)
+	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	scanCmd.PersistentFlags().BoolVar(&scanInfo.VerboseMode, "verbose", false, "Display all of the input resources and not only failed resources")
+	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
+	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
+
+  hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensor, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valueable data from cluster nodes for certain controls")
+	hostF.NoOptDefVal = "true"
+	hostF.DefValue = "false, for no TTY in stdin"
 }
--- a/clihandler/cmd/submit.go
+++ b/clihandler/cmd/submit.go
@@ -0,0 +1,31 @@
+package cmd
+
+import (
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/spf13/cobra"
+)
+
+var submitCmd = &cobra.Command{
+	Use:   "submit <command>",
+	Short: "Submit an object to the Kubescape SaaS version",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(submitCmd)
+}
+
+func getSubmittedClusterConfig(k8s *k8sinterface.KubernetesApi) (*cautils.ClusterConfig, error) {
+	clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account) // TODO - support none cluster env submit
+	if clusterConfig.GetCustomerGUID() != "" {
+		if err := clusterConfig.SetTenant(); err != nil {
+			return clusterConfig, err
+		}
+	}
+
+	return clusterConfig, nil
+}
--- a/clihandler/cmd/version.go
+++ b/clihandler/cmd/version.go
@@ -1,49 +1,24 @@
 package cmd

 import (
-	"encoding/json"
 	"fmt"
-	"io"
-	"net/http"

+	"github.com/armosec/kubescape/cautils"
 	"github.com/spf13/cobra"
 )

-var BuildNumber string
-
 var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Get current version",
 	Long:  ``,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		fmt.Println("Your current version is: " + BuildNumber)
+		v := cautils.NewIVersionCheckHandler()
+		v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
+		fmt.Println("Your current version is: " + cautils.BuildNumber)
 		return nil
 	},
 }

-func GetLatestVersion() (string, error) {
-	latestVersion := "https://api.github.com/repos/armosec/kubescape/releases/latest"
-	resp, err := http.Get(latestVersion)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestVersion, err.Error())
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode < 200 || 301 < resp.StatusCode {
-		return "unknown", nil
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to read response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	var data map[string]interface{}
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	return fmt.Sprintf("%v", data["tag_name"]), nil
-}
-
 func init() {
 	rootCmd.AddCommand(versionCmd)
 }
--- a/clihandler/initcli.go
+++ b/clihandler/initcli.go
@@ -2,13 +2,13 @@ package clihandler

 import (
 	"fmt"
+	"io/fs"
 	"os"
-	"strings"

 	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/clihandler/cliinterfaces"
+	"github.com/armosec/kubescape/hostsensorutils"
 	"github.com/armosec/kubescape/opaprocessor"
 	"github.com/armosec/kubescape/policyhandler"
 	"github.com/armosec/kubescape/resourcehandler"
@@ -16,89 +16,91 @@ import (
 	"github.com/armosec/kubescape/resultshandling/printer"
 	"github.com/armosec/kubescape/resultshandling/reporter"
 	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/mattn/go-isatty"
 )

-type CLIHandler struct {
-	policyHandler *policyhandler.PolicyHandler
-	scanInfo      *cautils.ScanInfo
-}
-
-var SupportedFrameworks = []string{"nsa", "mitre"}
-var ValidFrameworks = strings.Join(SupportedFrameworks, ", ")
-
 type componentInterfaces struct {
-	clusterConfig   cautils.IClusterConfig
-	resourceHandler resourcehandler.IResourceHandler
-	report          reporter.IReport
-	printerHandler  printer.IPrinter
+	tenantConfig      cautils.ITenantConfig
+	resourceHandler   resourcehandler.IResourceHandler
+	report            reporter.IReport
+	printerHandler    printer.IPrinter
+	hostSensorHandler hostsensorutils.IHostSensor
 }

-func getReporter(scanInfo *cautils.ScanInfo) reporter.IReport {
-	if !scanInfo.Submit {
-		return reporter.NewReportMock()
-	}
-	if !scanInfo.FrameworkScan {
-		return reporter.NewReportMock()
-	}
-
-	return reporter.NewReportEventReceiver()
-}
 func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
-	var resourceHandler resourcehandler.IResourceHandler
-	var clusterConfig cautils.IClusterConfig
-	var reportHandler reporter.IReport

-	if !scanInfo.ScanRunningCluster() {
-		k8sinterface.ConnectedToCluster = false
-		clusterConfig = cautils.NewEmptyConfig()
+	k8s := getKubernetesApi(scanInfo)

-		// load fom file
-		resourceHandler = resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
+	tenantConfig := getTenantConfig(scanInfo, k8s)

-		// set mock report (do not send report)
-		reportHandler = reporter.NewReportMock()
-	} else {
-		k8s := k8sinterface.NewKubernetesApi()
-		resourceHandler = resourcehandler.NewK8sResourceHandler(k8s, scanInfo.ExcludedNamespaces)
-		clusterConfig = cautils.ClusterConfigSetup(scanInfo, k8s, getter.GetArmoAPIConnector())
+	// Set submit behavior AFTER loading tenant config
+	setSubmitBehavior(scanInfo, tenantConfig)

-		// setup reporter
-		reportHandler = getReporter(scanInfo)
-	}
+	hostSensorHandler := getHostSensorHandler(scanInfo, k8s)
+
+	resourceHandler := getResourceHandler(scanInfo, tenantConfig, k8s, hostSensorHandler)
+
+	// reporting behavior - setup reporter
+	reportHandler := getReporter(tenantConfig, scanInfo.Submit)
+
+	v := cautils.NewIVersionCheckHandler()
+	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))

 	// setup printer
-	printerHandler := printer.GetPrinter(scanInfo.Format)
+	printerHandler := printer.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
 	printerHandler.SetWriter(scanInfo.Output)

 	return componentInterfaces{
-		clusterConfig:   clusterConfig,
-		resourceHandler: resourceHandler,
-		report:          reportHandler,
-		printerHandler:  printerHandler,
+		tenantConfig:      tenantConfig,
+		resourceHandler:   resourceHandler,
+		report:            reportHandler,
+		printerHandler:    printerHandler,
+		hostSensorHandler: hostSensorHandler,
 	}
 }

-func CliSetup(scanInfo *cautils.ScanInfo) error {
+func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
+	cautils.ScanStartDisplay()

 	interfaces := getInterfaces(scanInfo)
+	// setPolicyGetter(scanInfo, interfaces.clusterConfig.GetCustomerGUID())

 	processNotification := make(chan *cautils.OPASessionObj)
 	reportResults := make(chan *cautils.OPASessionObj)

-	if err := interfaces.clusterConfig.SetConfig(scanInfo.Account); err != nil {
-		fmt.Println(err)
+	cautils.ClusterName = interfaces.tenantConfig.GetClusterName()   // TODO - Deprecated
+	cautils.CustomerGUID = interfaces.tenantConfig.GetCustomerGUID() // TODO - Deprecated
+	interfaces.report.SetClusterName(interfaces.tenantConfig.GetClusterName())
+	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetCustomerGUID())
+
+	if err := interfaces.hostSensorHandler.Init(); err != nil {
+		errMsg := "failed to init host sensor"
+		if scanInfo.VerboseMode {
+			errMsg = fmt.Sprintf("%s: %v", errMsg, err)
+		}
+		cautils.ErrorDisplay(errMsg)
+	} else if len(scanInfo.IncludeNamespaces) == 0 && interfaces.hostSensorHandler.GetNamespace() != "" {
+		scanInfo.ExcludedNamespaces = fmt.Sprintf("%s,%s", scanInfo.ExcludedNamespaces, interfaces.hostSensorHandler)
+		defer func() {
+			if err := interfaces.hostSensorHandler.TearDown(); err != nil {
+				errMsg := "failed to tear down host sensor"
+				if scanInfo.VerboseMode {
+					errMsg = fmt.Sprintf("%s: %v", errMsg, err)
+				}
+				cautils.ErrorDisplay(errMsg)
+			}
+		}()
 	}

-	cautils.ClusterName = interfaces.clusterConfig.GetClusterName()   // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.clusterConfig.GetCustomerGUID() // TODO - Deprecated
-	interfaces.report.SetClusterName(interfaces.clusterConfig.GetClusterName())
-	interfaces.report.SetCustomerGUID(interfaces.clusterConfig.GetCustomerGUID())
+	// set policy getter only after setting the customerGUID
+	setPolicyGetter(scanInfo, interfaces.tenantConfig.GetCustomerGUID())
+
 	// cli handler setup
 	go func() {
 		// policy handler setup
 		policyHandler := policyhandler.NewPolicyHandler(&processNotification, interfaces.resourceHandler)
-		cli := NewCLIHandler(policyHandler, scanInfo)
-		if err := cli.Scan(); err != nil {
+
+		if err := Scan(policyHandler, scanInfo); err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}
@@ -114,33 +116,25 @@ func CliSetup(scanInfo *cautils.ScanInfo) error {
 	score := resultsHandling.HandleResults(scanInfo)

 	// print report url
-	interfaces.clusterConfig.GenerateURL()
+	interfaces.report.DisplayReportURL()

 	adjustedFailThreshold := float32(scanInfo.FailThreshold) / 100
 	if score < adjustedFailThreshold {
-		return fmt.Errorf("Scan score is bellow threshold")
+		return fmt.Errorf("Scan score is below threshold")
 	}

 	return nil
 }

-func NewCLIHandler(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) *CLIHandler {
-	return &CLIHandler{
-		scanInfo:      scanInfo,
-		policyHandler: policyHandler,
-	}
-}
-
-func (clihandler *CLIHandler) Scan() error {
-	cautils.ScanStartDisplay()
+func Scan(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) error {
 	policyNotification := &reporthandling.PolicyNotification{
 		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules:            clihandler.scanInfo.PolicyIdentifier,
+		Rules:            scanInfo.PolicyIdentifier,
 		Designators:      armotypes.PortalDesignator{},
 	}
 	switch policyNotification.NotificationType {
 	case reporthandling.TypeExecPostureScan:
-		if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
+		if err := policyHandler.HandleNotificationRequest(policyNotification, scanInfo); err != nil {
 			return err
 		}

@@ -149,3 +143,46 @@ func (clihandler *CLIHandler) Scan() error {
 	}
 	return nil
 }
+
+func Submit(submitInterfaces cliinterfaces.SubmitInterfaces) error {
+
+	// list resources
+	postureReport, err := submitInterfaces.SubmitObjects.SetResourcesReport()
+	if err != nil {
+		return err
+	}
+	allresources, err := submitInterfaces.SubmitObjects.ListAllResources()
+	if err != nil {
+		return err
+	}
+	// report
+	if err := submitInterfaces.Reporter.ActionSendReport(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
+		return err
+	}
+	fmt.Printf("\nData has been submitted successfully")
+	submitInterfaces.Reporter.DisplayReportURL()
+
+	return nil
+}
+
+func askUserForHostSensor() bool {
+	return false
+
+	if !isatty.IsTerminal(os.Stdin.Fd()) {
+		return false
+	}
+	if ssss, err := os.Stdin.Stat(); err == nil {
+		// fmt.Printf("Found stdin type: %s\n", ssss.Mode().Type())
+		if ssss.Mode().Type()&(fs.ModeDevice|fs.ModeCharDevice) > 0 { //has TTY
+			fmt.Printf("Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
+			fmt.Printf("Use --enable-host-scan flag to suppress this message\n")
+			var b []byte = make([]byte, 1)
+			if n, err := os.Stdin.Read(b); err == nil {
+				if n > 0 && len(b) > 0 && (b[0] == 'y' || b[0] == 'Y') {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
--- a/clihandler/initcliutils.go
+++ b/clihandler/initcliutils.go
@@ -0,0 +1,181 @@
+package clihandler
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/hostsensorutils"
+	"github.com/armosec/kubescape/resourcehandler"
+	"github.com/armosec/kubescape/resultshandling/reporter"
+	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/rbac-utils/rbacscanner"
+	"github.com/golang/glog"
+)
+
+func getKubernetesApi(scanInfo *cautils.ScanInfo) *k8sinterface.KubernetesApi {
+	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+		return nil
+	}
+	return k8sinterface.NewKubernetesApi()
+}
+func getTenantConfig(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+		return cautils.NewLocalConfig(getter.GetArmoAPIConnector(), scanInfo.Account)
+	}
+	return cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
+}
+
+func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
+	if submit {
+		return cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, tenantConfig.GetCustomerGUID(), tenantConfig.GetClusterName()))
+	}
+	return nil
+}
+
+func getReporter(tenantConfig cautils.ITenantConfig, submit bool) reporter.IReport {
+	if submit {
+		return reporter.NewReportEventReceiver(tenantConfig.GetConfigObj())
+
+	}
+	return reporter.NewReportMock()
+}
+func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, hostSensorHandler hostsensorutils.IHostSensor) resourcehandler.IResourceHandler {
+	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+		return resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
+	}
+	rbacObjects := getRBACHandler(tenantConfig, k8s, scanInfo.Submit)
+	return resourcehandler.NewK8sResourceHandler(k8s, getFieldSelector(scanInfo), hostSensorHandler, rbacObjects)
+}
+
+func getHostSensorHandler(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) hostsensorutils.IHostSensor {
+	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+		return &hostsensorutils.HostSensorHandlerMock{}
+	}
+	hasHostSensorControls := true
+	// we need to determined which controls needs host sensor
+	if scanInfo.HostSensor.Get() == nil && hasHostSensorControls {
+		scanInfo.HostSensor.SetBool(askUserForHostSensor())
+	}
+	if hostSensorVal := scanInfo.HostSensor.Get(); hostSensorVal != nil && *hostSensorVal {
+		hostSensorHandler, err := hostsensorutils.NewHostSensorHandler(k8s)
+		if err != nil {
+			glog.Errorf("failed to create host sensor: %v", err)
+			return &hostsensorutils.HostSensorHandlerMock{}
+		}
+		return hostSensorHandler
+	}
+	return &hostsensorutils.HostSensorHandlerMock{}
+}
+
+func getFieldSelector(scanInfo *cautils.ScanInfo) resourcehandler.IFieldSelector {
+	if scanInfo.IncludeNamespaces != "" {
+		return resourcehandler.NewIncludeSelector(scanInfo.IncludeNamespaces)
+	}
+	if scanInfo.ExcludedNamespaces != "" {
+		return resourcehandler.NewExcludeSelector(scanInfo.ExcludedNamespaces)
+	}
+
+	return &resourcehandler.EmptySelector{}
+}
+
+func policyIdentifierNames(pi []reporthandling.PolicyIdentifier) string {
+	policiesNames := ""
+	for i := range pi {
+		policiesNames += pi[i].Name
+		if i+1 < len(pi) {
+			policiesNames += ","
+		}
+	}
+	if policiesNames == "" {
+		policiesNames = "all"
+	}
+	return policiesNames
+}
+
+// setSubmitBehavior - Setup the desired cluster behavior regarding submittion to the Armo BE
+func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig) {
+
+	/*
+
+		If "First run (local config not found)" -
+			Default/keep-local - Do not send report
+			Submit - Create tenant & Submit report
+
+		If "Submitted" -
+			keep-local - Do not send report
+			Default/Submit - Submit report
+
+	*/
+
+	// do not submit control scanning
+	if !scanInfo.FrameworkScan {
+		scanInfo.Submit = false
+		return
+	}
+
+	// do not submit yaml/url scanning
+	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+		scanInfo.Submit = false
+		return
+	}
+
+	if tenantConfig.IsConfigFound() { // config found in cache (submitted)
+		if !scanInfo.Local {
+			// Submit report
+			scanInfo.Submit = true
+		}
+	} else { // config not found in cache (not submitted)
+		if scanInfo.Submit {
+			// submit - Create tenant & Submit report
+			if err := tenantConfig.SetTenant(); err != nil {
+				fmt.Println(err)
+			}
+		}
+	}
+}
+
+// setPolicyGetter set the policy getter - local file/github release/ArmoAPI
+func setPolicyGetter(scanInfo *cautils.ScanInfo, customerGUID string) {
+	if len(scanInfo.UseFrom) > 0 {
+		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
+	} else {
+		if customerGUID == "" || !scanInfo.FrameworkScan {
+			setDownloadReleasedPolicy(scanInfo)
+		} else {
+			setGetArmoAPIConnector(scanInfo, customerGUID)
+		}
+	}
+}
+
+func setDownloadReleasedPolicy(scanInfo *cautils.ScanInfo) {
+	g := getter.NewDownloadReleasedPolicy()    // download policy from github release
+	if err := g.SetRegoObjects(); err != nil { // if failed to pull policy, fallback to cache
+		cautils.WarningDisplay(os.Stdout, "Warning: failed to get policies from github release, loading policies from cache\n")
+		scanInfo.PolicyGetter = getter.NewLoadPolicy(getDefaultFrameworksPaths())
+	} else {
+		scanInfo.PolicyGetter = g
+	}
+}
+func setGetArmoAPIConnector(scanInfo *cautils.ScanInfo, customerGUID string) {
+	g := getter.GetArmoAPIConnector() // download policy from ARMO backend
+	g.SetCustomerGUID(customerGUID)
+	scanInfo.PolicyGetter = g
+	if scanInfo.ScanAll {
+		frameworks, err := g.ListCustomFrameworks(customerGUID)
+		if err != nil {
+			glog.Error("failed to get custom frameworks") // handle error
+			return
+		}
+		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
+	}
+}
+func getDefaultFrameworksPaths() []string {
+	fwPaths := []string{}
+	for i := range getter.NativeFrameworks {
+		fwPaths = append(fwPaths, getter.GetDefaultPath(getter.NativeFrameworks[i]))
+	}
+	return fwPaths
+}
--- a/docs/run-options.md
+++ b/docs/run-options.md
@@ -13,7 +13,7 @@ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 | --- | --- | --- | --- |
 | `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
 | `-s`/`--silent` | Display progress messages | Silent progress messages |
-| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result is below threshold| `0` -> `100` |
 | `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` | 
 | `-o`/`--output` | print to stdout | Save scan result in file |
 | `--use-from` | | Load local framework object from specified path. If not used will download latest |
@@ -25,7 +25,7 @@ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 
 ### Examples

-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
 ```
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```
@@ -85,5 +85,3 @@ kubescape scan framework nsa --use-from nsa.json
 ```

 Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
-
-
--- a/docs/summary.png
+++ b/docs/summary.png
--- a/examples/exceptions/README.md
+++ b/examples/exceptions/README.md
@@ -0,0 +1,179 @@
+# Kubescape Exceptions
+
+Kubescape Exceptions is the proper way of excluding failed resources from effecting the risk score.
+
+e.g. When a `kube-system` resource fails and it is ok, simply add the resource to the exceptions configurations.
+
+## Definitions
+
+
+* `name`- Exception name - unique name representing the exception
+* `policyType`- Do not change
+* `actions`- List of available actions. Currently alertOnly is supported
+* `resources`- List of resources to apply this exception on
+    * `designatorType: Attributes`- An attribute-based declaration {key: value}
+    Supported keys:
+    * `name`: k8s resource name (case-sensitive, regex supported)
+    * `kind`: k8s resource kind (case-sensitive, regex supported)
+    * `namespace`: k8s resource namespace (case-sensitive, regex supported)
+    * `cluster`: k8s cluster name (usually it is the `current-context`) (case-sensitive, regex supported)
+    * resource labels as key value (case-sensitive, regex NOT supported)
+* `posturePolicies`- An attribute-based declaration {key: value}
+    * `frameworkName` - Framework names can be find [here](https://github.com/armosec/regolibrary/tree/master/frameworks)
+    * `controlName` - Control names can be find [here](https://github.com/armosec/regolibrary/tree/master/controls) 
+    * `controlID` - Not yet supported
+    * `ruleName` - Rule names can be find [here](https://github.com/armosec/regolibrary/tree/master/rules) 
+ 
+
+## Usage
+
+The `resources` list and `posturePolicies` list are design to be a combination of the resources and policies to exclude
+> You must declare at least one resource and one policy
+
+e.g. If you wish to exclude all namespaces with the label `"environment": "dev"`, the resource list should look as following:
+```
+"resources": [
+    {
+        "designatorType": "Attributes",
+        "attributes": {
+            "namespace": ".*",
+            "environment": "dev"
+        }
+    }
+]
+```
+
+But if you wish to exclude all namespaces **OR** any resource with the label `"environment": "dev"`, the resource list should look as following:
+```
+"resources": [
+    {
+        "designatorType": "Attributes",
+        "attributes": {
+            "namespace": ".*"
+        }
+    },
+    {
+        "designatorType": "Attributes",
+        "attributes": {
+            "environment": "dev"
+        }
+    }
+]
+```
+
+Same works with the `posturePolicies` list ->
+
+e.g. If you wish to exclude the resources declared in the `resources` list that failed when scanning the `NSA` framework **AND** failed the `Allowed hostPath` control, the `posturePolicies` list should look as following:
+```
+"posturePolicies": [
+    {
+        "frameworkName": "NSA",
+        "controlName": "Allowed hostPath" 
+    }
+]
+```
+
+But if you wish to exclude the resources declared in the `resources` list that failed when scanning the `NSA` framework **OR** failed the `Allowed hostPath` control, the `posturePolicies` list should look as following:
+```
+"posturePolicies": [
+    {
+        "frameworkName": "NSA" 
+    },
+    {
+        "controlName": "Allowed hostPath" 
+    }
+]
+```
+
+## Examples
+
+Here are some examples demonstrating the different ways the exceptions file can be configured
+
+
+### Exclude  control
+
+Exclude the ["Allowed hostPath" control](https://github.com/armosec/regolibrary/blob/master/controls/allowedhostpath.json#L2) by declaring the control in the `"posturePolicies"` section.
+
+The resources
+
+```
+[
+    {
+        "name": "exclude-allowed-hostPath-control",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "kind": ".*"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "controlName": "Allowed hostPath" 
+            }
+        ]
+    }
+]
+```
+
+### Exclude deployments in the default namespace that failed the "Allowed hostPath" control 
+```
+[
+    {
+        "name": "exclude-deployments-in-ns-default",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "default",
+                    "kind": "Deployment"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "controlName": "Allowed hostPath" 
+            }
+        ]
+    }
+]
+```
+
+### Exclude resources with label "app=nginx" running in a minikube cluster that failed the "NSA" or "MITRE" framework 
+```
+[
+    {
+        "name": "exclude-nginx-minikube",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "cluster": "minikube",
+                    "app": "nginx"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "frameworkName": "NSA" 
+            },
+            {
+                "frameworkName": "MITRE" 
+            }
+        ]
+    }
+]
+```
--- a/examples/exceptions/exclude-allowed-hostPath-control.json
+++ b/examples/exceptions/exclude-allowed-hostPath-control.json
@@ -0,0 +1,22 @@
+[
+    {
+        "name": "exclude-allowed-hostPath-control",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "kind": ".*"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "controlName": "Allowed hostPath" 
+            }
+        ]
+    }
+]
--- a/examples/exceptions/exclude-deployments-in-ns-default.json
+++ b/examples/exceptions/exclude-deployments-in-ns-default.json
@@ -0,0 +1,23 @@
+[
+    {
+        "name": "exclude-deployments-in-ns-default",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "default",
+                    "kind": "Deployment"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "controlName": "Allowed hostPath" 
+            }
+        ]
+    }
+]
--- a/examples/exceptions/exclude-kube-namespaces.json
+++ b/examples/exceptions/exclude-kube-namespaces.json
@@ -28,6 +28,12 @@
        "posturePolicies": [
            {
                "frameworkName": "NSA"
+            },
+            {
+                "frameworkName": "MITRE"
+            },
+            {
+                "frameworkName": "ArmoBest"
            }
        ]
    }
--- a/examples/exceptions/exclude-nginx-in-minikube.json
+++ b/examples/exceptions/exclude-nginx-in-minikube.json
@@ -0,0 +1,26 @@
+[
+    {
+        "name": "exclude-nginx-in-minikube",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "cluster": "minikube",
+                    "app": "nginx"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "frameworkName": "NSA" 
+            },
+            {
+                "frameworkName": "MITRE" 
+            }
+        ]
+    }
+]
--- a/examples/helm_chart/Chart.yaml
+++ b/examples/helm_chart/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: kubescape
+description:
+  Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks
+  regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .
+  Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
+  Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v1.0.128"
--- a/examples/helm_chart/README.md
+++ b/examples/helm_chart/README.md
@@ -0,0 +1,27 @@
+# kubescape
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.128](https://img.shields.io/badge/AppVersion-v1.0.128-informational?style=flat-square)
+
+Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) . Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| configMap | object | `{"create":true,"params":{"clusterName":"<MyK8sClusterName>","customerGUID":"<MyGUID>,"}}` | ARMO customer information |
+| fullnameOverride | string | `""` |  |
+| image | object | `{"imageName":"kubescape","pullPolicy":"IfNotPresent","repository":"quay.io/armosec","tag":"latest"}` | Image and version to deploy |
+| imagePullSecrets | list | `[]` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| resources | object | `{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"200m","memory":"256Mi"}}` | Default resources for running the service in cluster |
+| schedule | string | `"0 0 * * *"` | Frequency of running the scan |
+| securityContext | object | `{}` |  |
+| serviceAccount | object | `{"annotations":{},"create":true,"name":"kubescape-discovery"}` | Service account that runs the scan and has permissions to view the cluster |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
--- a/examples/helm_chart/templates/_helpers.tpl
+++ b/examples/helm_chart/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubescape.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubescape.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubescape.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubescape.labels" -}}
+helm.sh/chart: {{ include "kubescape.chart" . }}
+{{ include "kubescape.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubescape.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubescape.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubescape.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kubescape.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/examples/helm_chart/templates/clusterrole.yaml
+++ b/examples/helm_chart/templates/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubescape.fullname" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "describe"]
+
--- a/examples/helm_chart/templates/clusterrolebinding.yaml
+++ b/examples/helm_chart/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubescape.fullname" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubescape.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubescape.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+
+
--- a/examples/helm_chart/templates/configmap.yaml
+++ b/examples/helm_chart/templates/configmap.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.configMap.create -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "kubescape.fullname" . }}-configmap
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+data:
+  config.json: |
+    {
+      "customerGUID": "{{ .Values.configMap.params.customerGUID }}",
+      "clusterName": "{{ .Values.configMap.params.clusterName }}"
+    }
+{{- end }}
--- a/examples/helm_chart/templates/cronjob.yaml
+++ b/examples/helm_chart/templates/cronjob.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "kubescape.fullname" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+spec:
+  schedule: "{{ .Values.schedule }}"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: {{ .Chart.Name }}
+            image: "{{ .Values.image.repository }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+            imagePullPolicy: {{ .Values.image.pullPolicy }}
+            command: ["/bin/sh", "-c"]
+            args: ["kubescape scan framework nsa --submit"]
+            volumeMounts:
+            - name: kubescape-config-volume
+              mountPath: /root/.kubescape/config.json
+              subPath: config.json
+          restartPolicy: OnFailure
+          serviceAccountName: {{ include "kubescape.serviceAccountName" . }}
+          volumes:
+          - name: kubescape-config-volume
+            configMap:
+              name: {{ include "kubescape.fullname" . }}-configmap
--- a/examples/helm_chart/templates/role.yaml
+++ b/examples/helm_chart/templates/role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kubescape.fullname" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "describe"]
+
--- a/examples/helm_chart/templates/rolebinding.yaml
+++ b/examples/helm_chart/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kubescape.fullname" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubescape.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubescape.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+
+
--- a/examples/helm_chart/templates/serviceaccount.yaml
+++ b/examples/helm_chart/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubescape.serviceAccountName" . }}
+  labels:
+    {{- include "kubescape.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/examples/helm_chart/values.yaml
+++ b/examples/helm_chart/values.yaml
@@ -0,0 +1,74 @@
+# Default values for kubescape.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Frequency of running the scan
+#       ┌────────────── timezone (optional)
+#       |  ┌───────────── minute (0 - 59)
+#       |  │ ┌───────────── hour (0 - 23)
+#       |  │ │ ┌───────────── day of the month (1 - 31)
+#       |  │ │ │ ┌───────────── month (1 - 12)
+#       |  │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
+#       |  │ │ │ │ │                         7 is also Sunday on some systems)
+#       |  │ │ │ │ │
+#       |  │ │ │ │ │
+#      UTC * * * * *
+schedule: "* * 1 * *"
+
+# -- Image and version to deploy
+image:
+  repository: quay.io/armosec
+  imageName: kubescape
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: latest
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# -- Service account that runs the scan and has permissions to view the cluster
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: "kubescape-discovery"
+
+# -- ARMO customer information
+configMap:
+  create: false
+  params:
+    customerGUID: <MyGUID>
+    clusterName: <MyK8sClusterName>
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# -- Default resources for running the service in cluster
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
--- a/examples/output_mocks/prometheus-verbose-flag.txt
+++ b/examples/output_mocks/prometheus-verbose-flag.txt
--- a/examples/output_mocks/prometheus.txt
+++ b/examples/output_mocks/prometheus.txt
--- a/go.mod
+++ b/go.mod
@@ -3,11 +3,12 @@ module github.com/armosec/kubescape
 go 1.17

 require (
-	github.com/armosec/armoapi-go v0.0.8
-	github.com/armosec/k8s-interface v0.0.8
-	github.com/armosec/opa-utils v0.0.21
+	github.com/armosec/armoapi-go v0.0.23
+	github.com/armosec/k8s-interface v0.0.50
+	github.com/armosec/opa-utils v0.0.75
+	github.com/armosec/rbac-utils v0.0.9
 	github.com/armosec/utils-go v0.0.3
-	github.com/briandowns/spinner v1.16.0
+	github.com/briandowns/spinner v1.18.0
 	github.com/enescakir/emoji v1.0.0
 	github.com/fatih/color v1.13.0
 	github.com/gofrs/uuid v4.1.0+incompatible
@@ -17,10 +18,12 @@ require (
 	github.com/open-policy-agent/opa v0.33.1
 	github.com/satori/go.uuid v1.2.0
 	github.com/spf13/cobra v1.2.1
+	github.com/stretchr/testify v1.7.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2
+	sigs.k8s.io/yaml v1.2.0
 )

 require (
@@ -32,8 +35,8 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/armosec/rbac-utils v0.0.1 // indirect
 	github.com/armosec/utils-k8s-go v0.0.1 // indirect
+	github.com/aws/aws-sdk-go v1.41.11 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/docker v20.10.9+incompatible // indirect
@@ -46,30 +49,35 @@ require (
 	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.0.5 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.11 // indirect
 	github.com/mattn/go-colorable v0.1.9 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.19.1 // indirect
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect
 	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect
 	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf // indirect
@@ -77,7 +85,10 @@ require (
 	golang.org/x/text v0.3.6 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	gonum.org/v1/gonum v0.9.1 // indirect
+	google.golang.org/api v0.44.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+	google.golang.org/grpc v1.38.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
@@ -86,5 +97,4 @@ require (
 	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
 	sigs.k8s.io/controller-runtime v0.10.2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -84,15 +84,18 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
-github.com/armosec/armoapi-go v0.0.7/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/armoapi-go v0.0.8 h1:JPa9rZynuE2RucamDh6dsy/sjCScmWDsyt1zagJFCDo=
-github.com/armosec/armoapi-go v0.0.8/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/k8s-interface v0.0.8 h1:Eo3Qen4yFXxzVem49FNeij2ckyzHSAJ0w6PZMaSEIm8=
+github.com/armosec/armoapi-go v0.0.23 h1:jqoLIWM5CR7DCD9fpFgN0ePqtHvOCoZv/XzCwsUluJU=
+github.com/armosec/armoapi-go v0.0.23/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
-github.com/armosec/opa-utils v0.0.21 h1:LzQ4LoY+fKQIhyLdR7cI/YfjdCztLdAeP40Ct3Wcw5o=
-github.com/armosec/opa-utils v0.0.21/go.mod h1:JaE2a0kB2O22JZCqBBfOS9Pvh9rXs9xXXb9lVo01rTs=
-github.com/armosec/rbac-utils v0.0.1 h1:N2MI98F/0zbDjmRZ29CNElU1AXkFLk5csd/qAHOBdXY=
+github.com/armosec/k8s-interface v0.0.37/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
+github.com/armosec/k8s-interface v0.0.50 h1:iLPGI0j85vwKANr9QDAnba4Efjg3DyIJg15jRJdvOnc=
+github.com/armosec/k8s-interface v0.0.50/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
+github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
+github.com/armosec/opa-utils v0.0.75 h1:GBI3K18xc3WXJHIorIu4bGNAsfMYHUc1x7zueDz2ZbY=
+github.com/armosec/opa-utils v0.0.75/go.mod h1:L7d+uiIIXAZ3LEyKtmEIbMcI1hWgWaXGpn5zVCqzwSU=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
+github.com/armosec/rbac-utils v0.0.9 h1:rIOWp4K7BELUNX32ktSjVbb8d/0SpH7W76W6Tf+8rzw=
+github.com/armosec/rbac-utils v0.0.9/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
@@ -100,6 +103,7 @@ github.com/armosec/utils-k8s-go v0.0.1 h1:Ay3y7fW+4+FjVc0+obOWm8YsnEvM31vPAVoKTy
 github.com/armosec/utils-k8s-go v0.0.1/go.mod h1:qrU4pmY2iZsOb39Eltpm0sTTNM3E4pmeyWx4dgDUC2U=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.41.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go v1.41.11 h1:QLouWsiYQ8i22kD8k58Dpdhio1A0MpT7bg9ZNXqEjuI=
 github.com/aws/aws-sdk-go v1.41.11/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -113,8 +117,8 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
-github.com/briandowns/spinner v1.16.0 h1:DFmp6hEaIx2QXXuqSJmtfSBSAjRmpGiKG6ip2Wm/yOs=
-github.com/briandowns/spinner v1.16.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
+github.com/briandowns/spinner v1.18.0 h1:SJs0maNOs4FqhBwiJ3Gr7Z1D39/rukIVGQvpNZVHVcM=
+github.com/briandowns/spinner v1.18.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/bytecodealliance/wasmtime-go v0.30.0 h1:WfYpr4WdqInt8m5/HvYinf+HrSEAIhItKIcth+qb1h4=
 github.com/bytecodealliance/wasmtime-go v0.30.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
@@ -332,9 +336,11 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go v2.0.0+incompatible h1:j0GKcs05QVmm7yesiZq2+9cxHkNK9YM6zKx4D2qucQU=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
@@ -379,7 +385,9 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -484,8 +492,9 @@ github.com/open-policy-agent/opa v0.33.1 h1:EJe00U5H82iMsemgxcNm9RFwjW8zPyRMvL+0
 github.com/open-policy-agent/opa v0.33.1/go.mod h1:Zb+IdRe0s7M++Rv/KgyuB0qvxO3CUpQ+ZW5v+w/cRUo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
+github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -686,8 +695,9 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -883,6 +893,7 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1009,6 +1020,7 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.44.0 h1:URs6qR1lAxDsqWITsQXI4ZkGiYJ5dHtRNiCpfs2OeKA=
 google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1066,6 +1078,7 @@ google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
@@ -1090,6 +1103,7 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
--- a/hostsensorutils/hostsensordeploy.go
+++ b/hostsensorutils/hostsensordeploy.go
@@ -0,0 +1,205 @@
+package hostsensorutils
+
+import (
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/apimachinery/pkg/watch"
+	appsapplyv1 "k8s.io/client-go/applyconfigurations/apps/v1"
+	coreapplyv1 "k8s.io/client-go/applyconfigurations/core/v1"
+)
+
+type HostSensorHandler struct {
+	HostSensorPort     int32
+	HostSensorPodNames map[string]string //map from pod names to node names
+	IsReady            <-chan bool       //readonly chan
+	k8sObj             *k8sinterface.KubernetesApi
+	DaemonSet          *appsv1.DaemonSet
+	podListLock        sync.RWMutex
+	gracePeriod        int64
+}
+
+func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandler, error) {
+
+	if k8sObj == nil {
+		return nil, fmt.Errorf("nil k8s interface received")
+	}
+	hsh := &HostSensorHandler{
+		k8sObj:             k8sObj,
+		HostSensorPodNames: map[string]string{},
+		gracePeriod:        int64(15),
+	}
+	// Don't deploy on cluster with no nodes. Some cloud providers prevents termination of K8s objects for cluster with no nodes!!!
+	if nodeList, err := k8sObj.KubernetesClient.CoreV1().Nodes().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
+		if err == nil {
+			err = fmt.Errorf("no nodes to scan")
+		}
+		return hsh, fmt.Errorf("in NewHostSensorHandler, failed to get nodes list: %v", err)
+	}
+
+	return hsh, nil
+}
+
+func (hsh *HostSensorHandler) Init() error {
+	// deploy the YAML
+	// store namespace + port
+	// store pod names
+	// make sure all pods are running, after X seconds treat has running anyway, and log an error on the pods not running yet
+	cautils.ProgressTextDisplay("Installing host sensor")
+	cautils.StartSpinner()
+	defer cautils.StopSpinner()
+	if err := hsh.applyYAML(); err != nil {
+		return fmt.Errorf("in HostSensorHandler init failed to apply YAML: %v", err)
+	}
+	hsh.populatePodNamesToNodeNames()
+	if err := hsh.checkPodForEachNode(); err != nil {
+		fmt.Printf("failed to validate host-sensor pods status: %v", err)
+	}
+	return nil
+}
+
+func (hsh *HostSensorHandler) applyYAML() error {
+	dec := yaml.NewDocumentDecoder(io.NopCloser(strings.NewReader(hostSensorYAML)))
+	// apply namespace
+	singleYAMLBytes := make([]byte, 4096)
+	if readLen, err := dec.Read(singleYAMLBytes); err != nil {
+		return fmt.Errorf("failed to read YAML of namespace: %v", err)
+	} else {
+		singleYAMLBytes = singleYAMLBytes[:readLen]
+	}
+	namespaceAC := &coreapplyv1.NamespaceApplyConfiguration{}
+	if err := yaml.Unmarshal(singleYAMLBytes, namespaceAC); err != nil {
+		return fmt.Errorf("failed to Unmarshal YAML of namespace: %v", err)
+	}
+	namespaceName := ""
+
+	if ns, err := hsh.k8sObj.KubernetesClient.CoreV1().Namespaces().Apply(hsh.k8sObj.Context, namespaceAC, metav1.ApplyOptions{
+		FieldManager: "kubescape",
+	}); err != nil {
+		return fmt.Errorf("failed to apply YAML of namespace: %v", err)
+	} else {
+		namespaceName = ns.Name
+	}
+	// apply DaemonSet
+	daemonAC := &appsapplyv1.DaemonSetApplyConfiguration{}
+	singleYAMLBytes = make([]byte, 4096)
+	if readLen, err := dec.Read(singleYAMLBytes); err != nil {
+		if erra := hsh.tearDownNamesapce(namespaceName); erra != nil {
+			err = fmt.Errorf("%v; In addidtion %v", err, erra)
+		}
+		return fmt.Errorf("failed to read YAML of DaemonSet: %v", err)
+	} else {
+		singleYAMLBytes = singleYAMLBytes[:readLen]
+	}
+	if err := yaml.Unmarshal(singleYAMLBytes, daemonAC); err != nil {
+		if erra := hsh.tearDownNamesapce(namespaceName); erra != nil {
+			err = fmt.Errorf("%v; In addidtion %v", err, erra)
+		}
+		return fmt.Errorf("failed to Unmarshal YAML of DaemonSet: %v", err)
+	}
+	daemonAC.Namespace = &namespaceName
+	if ds, err := hsh.k8sObj.KubernetesClient.AppsV1().DaemonSets(namespaceName).Apply(hsh.k8sObj.Context, daemonAC, metav1.ApplyOptions{
+		FieldManager: "kubescape",
+	}); err != nil {
+		if erra := hsh.tearDownNamesapce(namespaceName); erra != nil {
+			err = fmt.Errorf("%v; In addidtion %v", err, erra)
+		}
+		return fmt.Errorf("failed to apply YAML of DaemonSet: %v", err)
+	} else {
+		hsh.HostSensorPort = ds.Spec.Template.Spec.Containers[0].Ports[0].ContainerPort
+		hsh.DaemonSet = ds
+	}
+	return nil
+}
+
+func (hsh *HostSensorHandler) checkPodForEachNode() error {
+	deadline := time.Now().Add(time.Second * 100)
+	for {
+		nodesList, err := hsh.k8sObj.KubernetesClient.CoreV1().Nodes().List(hsh.k8sObj.Context, metav1.ListOptions{})
+		if err != nil {
+			return fmt.Errorf("in checkPodsForEveryNode, failed to get nodes list: %v", nodesList)
+		}
+		hsh.podListLock.RLock()
+		podsNum := len(hsh.HostSensorPodNames)
+		hsh.podListLock.RUnlock()
+		if len(nodesList.Items) == podsNum {
+			break
+		}
+		if time.Now().After(deadline) {
+			return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded", podsNum, len(nodesList.Items))
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	return nil
+}
+
+// initiating routine to keep pod list updated
+func (hsh *HostSensorHandler) populatePodNamesToNodeNames() {
+
+	go func() {
+		watchRes, err := hsh.k8sObj.KubernetesClient.CoreV1().Pods(hsh.DaemonSet.Namespace).Watch(hsh.k8sObj.Context, metav1.ListOptions{
+			Watch:         true,
+			LabelSelector: fmt.Sprintf("name=%s", hsh.DaemonSet.Spec.Template.Labels["name"]),
+		})
+		if err != nil {
+			fmt.Printf("Failed to watch over daemonset pods")
+		}
+		for eve := range watchRes.ResultChan() {
+			pod, ok := eve.Object.(*corev1.Pod)
+			if !ok {
+				continue
+			}
+			go hsh.updatePodInListAtomic(eve.Type, pod)
+		}
+	}()
+}
+
+func (hsh *HostSensorHandler) updatePodInListAtomic(eventType watch.EventType, podObj *corev1.Pod) {
+	hsh.podListLock.Lock()
+	defer hsh.podListLock.Unlock()
+
+	switch eventType {
+	case watch.Added, watch.Modified:
+		if podObj.Status.Phase == corev1.PodRunning {
+			hsh.HostSensorPodNames[podObj.ObjectMeta.Name] = podObj.Spec.NodeName
+		} else {
+			delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)
+		}
+	default:
+		delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)
+	}
+}
+
+func (hsh *HostSensorHandler) tearDownNamesapce(namespace string) error {
+
+	if err := hsh.k8sObj.KubernetesClient.CoreV1().Namespaces().Delete(hsh.k8sObj.Context, namespace, metav1.DeleteOptions{GracePeriodSeconds: &hsh.gracePeriod}); err != nil {
+		return fmt.Errorf("failed to delete host-sensor namespace: %v", err)
+	}
+	return nil
+}
+
+func (hsh *HostSensorHandler) TearDown() error {
+	namespace := hsh.GetNamespace()
+	if err := hsh.k8sObj.KubernetesClient.AppsV1().DaemonSets(hsh.GetNamespace()).Delete(hsh.k8sObj.Context, hsh.DaemonSet.Name, metav1.DeleteOptions{GracePeriodSeconds: &hsh.gracePeriod}); err != nil {
+		return fmt.Errorf("failed to delete host-sensor daemonset: %v", err)
+	}
+	if err := hsh.tearDownNamesapce(namespace); err != nil {
+		return fmt.Errorf("failed to delete host-sensor daemonset: %v", err)
+	}
+	// TODO: wait for termination? may take up to 120 seconds!!!
+
+	return nil
+}
+
+func (hsh *HostSensorHandler) GetNamespace() string {
+	return hsh.DaemonSet.Namespace
+}
--- a/hostsensorutils/hostsensorgetfrompod.go
+++ b/hostsensorutils/hostsensorgetfrompod.go
@@ -0,0 +1,192 @@
+package hostsensorutils
+
+import (
+	"encoding/json"
+	"fmt"
+	"sync"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/objectsenvelopes/hostsensor"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+func (hsh *HostSensorHandler) getPodList() (res map[string]string, err error) {
+	hsh.podListLock.RLock()
+	jsonBytes, err := json.Marshal(hsh.HostSensorPodNames)
+	hsh.podListLock.RUnlock()
+	if err != nil {
+		return res, fmt.Errorf("failed to marshal pod list: %v", err)
+	}
+	err = json.Unmarshal(jsonBytes, &res)
+	if err != nil {
+		return res, fmt.Errorf("failed to unmarshal pod list: %v", err)
+	}
+	return res, nil
+}
+
+func (hsh *HostSensorHandler) HTTPGetToPod(podName, path string) ([]byte, error) {
+	//  send the request to the port
+
+	restProxy := hsh.k8sObj.KubernetesClient.CoreV1().Pods(hsh.DaemonSet.Namespace).ProxyGet("http", podName, fmt.Sprintf("%d", hsh.HostSensorPort), path, map[string]string{})
+	return restProxy.DoRaw(hsh.k8sObj.Context)
+
+}
+
+func (hsh *HostSensorHandler) ForwardToPod(podName, path string) ([]byte, error) {
+	// NOT IN USE:
+	// ---
+	// spawn port forwarding
+	// req := hsh.k8sObj.KubernetesClient.CoreV1().RESTClient().Post()
+	// req = req.Name(podName)
+	// req = req.Namespace(hsh.DaemonSet.Namespace)
+	// req = req.Resource("pods")
+	// req = req.SubResource("portforward")
+	// ----
+	// https://github.com/gianarb/kube-port-forward
+	// fullPath := fmt.Sprintf("/api/v1/namespaces/%s/pods/%s/portforward",
+	// 	hsh.DaemonSet.Namespace, podName)
+	// transport, upgrader, err := spdy.RoundTripperFor(hsh.k8sObj.KubernetesClient.config)
+	// if err != nil {
+	// 	return nil, err
+	// }
+	// hostIP := strings.TrimLeft(req.RestConfig.Host, "htps:/")
+	// dialer := spdy.NewDialer(upgrader, &http.Client{Transport: transport}, http.MethodPost, &url.URL{Scheme: "http", Path: path, Host: hostIP})
+	return nil, nil
+}
+
+// sendAllPodsHTTPGETRequest fills the raw byte response in the envelope and the node name, but not the GroupVersionKind
+// so the caller is responsible to convert the raw data to some structured data and add the GroupVersionKind details
+func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path, requestKind string) ([]hostsensor.HostSensorDataEnvelope, error) {
+	podList, err := hsh.getPodList()
+	if err != nil {
+		return nil, fmt.Errorf("failed to sendAllPodsHTTPGETRequest: %v", err)
+	}
+	res := make([]hostsensor.HostSensorDataEnvelope, 0, len(podList))
+	resLock := sync.Mutex{}
+	wg := sync.WaitGroup{}
+	wg.Add(len(podList))
+	for podName := range podList {
+		go func(podName, path string) {
+			defer wg.Done()
+			resBytes, err := hsh.HTTPGetToPod(podName, path)
+			if err != nil {
+				fmt.Printf("In sendAllPodsHTTPGETRequest failed to get data '%s' from pod '%s': %v", path, podName, err)
+			} else {
+				resLock.Lock()
+				defer resLock.Unlock()
+				hostSensorDataEnvelope := hostsensor.HostSensorDataEnvelope{}
+				hostSensorDataEnvelope.SetApiVersion(k8sinterface.JoinGroupVersion(hostsensor.GroupHostSensor, hostsensor.Version))
+				hostSensorDataEnvelope.SetKind(requestKind)
+				hostSensorDataEnvelope.SetName(podList[podName])
+				hostSensorDataEnvelope.SetData(resBytes)
+				res = append(res, hostSensorDataEnvelope)
+			}
+
+		}(podName, path)
+	}
+	wg.Wait()
+	return res, nil
+}
+
+// return list of OpenPortsList
+func (hsh *HostSensorHandler) GetOpenPortsList() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/openedPorts", "OpenPortsList")
+}
+
+// return list of LinuxSecurityHardeningStatus
+func (hsh *HostSensorHandler) GetLinuxSecurityHardeningStatus() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/linuxSecurityHardening", "LinuxSecurityHardeningStatus")
+}
+
+// return list of KubeletCommandLine
+func (hsh *HostSensorHandler) GetKubeletCommandLine() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine", "KubeletCommandLine")
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKernelVersion() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/kernelVersion", "KernelVersion")
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetOsReleaseFile() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/osRelease", "OsReleaseFile")
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletConfigurations", "") // empty kind, will be overridden
+	for resIdx := range res {
+		jsonBytes, err := yaml.YAMLToJSON(res[resIdx].Data)
+		if err != nil {
+			fmt.Printf("In GetKubeletConfigurations failed to YAMLToJSON: %v;\n%v", err, res[resIdx])
+			continue
+		}
+		res[resIdx].SetData(jsonBytes)
+
+		kindDet := metav1.TypeMeta{}
+		if err = json.Unmarshal(jsonBytes, &kindDet); err != nil {
+			fmt.Printf("In GetKubeletConfigurations failed to Unmarshal GroupVersionKind: %v;\n%v", err, jsonBytes)
+			continue
+		}
+		res[resIdx].SetKind(kindDet.Kind)
+		res[resIdx].SetApiVersion(k8sinterface.JoinGroupVersion(kindDet.GroupVersionKind().Group, kindDet.GroupVersionKind().Version))
+	}
+	return res, err
+}
+
+func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnvelope, error) {
+	res := make([]hostsensor.HostSensorDataEnvelope, 0)
+	if hsh.DaemonSet == nil {
+		return res, nil
+	}
+	cautils.ProgressTextDisplay("Accessing host sensor")
+	cautils.StartSpinner()
+	defer cautils.StopSpinner()
+	kcData, err := hsh.GetKubeletConfigurations()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKubeletCommandLine()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOsReleaseFile()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKernelVersion()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetLinuxSecurityHardeningStatus()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOpenPortsList()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	// finish
+	cautils.SuccessTextDisplay("Read host information from host sensor")
+	return res, nil
+}
--- a/hostsensorutils/hostsensorinterface.go
+++ b/hostsensorutils/hostsensorinterface.go
@@ -0,0 +1,10 @@
+package hostsensorutils
+
+import "github.com/armosec/opa-utils/objectsenvelopes/hostsensor"
+
+type IHostSensor interface {
+	Init() error
+	TearDown() error
+	CollectResources() ([]hostsensor.HostSensorDataEnvelope, error)
+	GetNamespace() string
+}
--- a/hostsensorutils/hostsensormock.go
+++ b/hostsensorutils/hostsensormock.go
@@ -0,0 +1,24 @@
+package hostsensorutils
+
+import (
+	"github.com/armosec/opa-utils/objectsenvelopes/hostsensor"
+)
+
+type HostSensorHandlerMock struct {
+}
+
+func (hshm *HostSensorHandlerMock) Init() error {
+	return nil
+}
+
+func (hshm *HostSensorHandlerMock) TearDown() error {
+	return nil
+}
+
+func (hshm *HostSensorHandlerMock) CollectResources() ([]hostsensor.HostSensorDataEnvelope, error) {
+	return []hostsensor.HostSensorDataEnvelope{}, nil
+}
+
+func (hshm *HostSensorHandlerMock) GetNamespace() string {
+	return ""
+}
--- a/hostsensorutils/hostsensoryamls.go
+++ b/hostsensorutils/hostsensoryamls.go
@@ -0,0 +1,65 @@
+package hostsensorutils
+
+const hostSensorYAML = `apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: host-sensor
+    kubernetes.io/metadata.name: armo-kube-host-sensor
+    tier: armo-kube-host-sensor-control-plane
+  name: armo-kube-host-sensor
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: host-sensor
+  namespace: armo-kube-host-sensor
+  labels:
+    k8s-app: armo-kube-host-sensor
+spec:
+  selector:
+    matchLabels:
+      name: host-sensor
+  template:
+    metadata:
+      labels:
+        name: host-sensor
+    spec:
+      tolerations:
+      # this toleration is to have the daemonset runnable on master nodes
+      # remove it if your masters can't run pods
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: host-sensor
+        image: quay.io/armosec/kube-host-sensor:latest
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+          procMount: Unmasked
+        ports:
+          - name: http
+            hostPort: 7888
+            containerPort: 7888
+        resources:
+          limits:
+            cpu: 1m
+            memory: 200Mi
+          requests:
+            cpu: 1m
+            memory: 200Mi
+        volumeMounts:
+        - mountPath: /host_fs
+          name: host-filesystem
+      terminationGracePeriodSeconds: 120
+      dnsPolicy: ClusterFirstWithHostNet
+      automountServiceAccountToken: false
+      volumes:
+      - hostPath:
+          path: /
+          type: Directory
+        name: host-filesystem
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true`
--- a/install.sh
+++ b/install.sh
@@ -53,6 +53,6 @@ echo -e "\033[0m"
 $KUBESCAPE_EXEC version
 echo

-echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan framework nsa"
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --submit"

 echo -e "\033[0m"
--- a/main.go
+++ b/main.go
@@ -1,29 +1,9 @@
 package main

 import (
-	"fmt"
-	"os"
-
 	"github.com/armosec/kubescape/clihandler/cmd"
-	pkgutils "github.com/armosec/utils-go/utils"
 )

-const SKIP_VERSION_CHECK = "KUBESCAPE_SKIP_UPDATE_CHECK"
-
 func main() {
-	CheckLatestVersion()
 	cmd.Execute()
 }
-
-func CheckLatestVersion() {
-	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && pkgutils.StringToBool(v) {
-		return
-	}
-	latest, err := cmd.GetLatestVersion()
-	if err != nil || latest == "unknown" {
-		return
-	}
-	if latest != cmd.BuildNumber {
-		fmt.Println("Warning: You are not updated to the latest release: " + latest)
-	}
-}
--- a/opaprocessor/processorhandler.go
+++ b/opaprocessor/processorhandler.go
@@ -6,13 +6,16 @@ import (
 	"time"

 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/opa-utils/exceptions"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/opa-utils/score"
+
+	"github.com/golang/glog"

 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"

 	"github.com/armosec/opa-utils/resources"
-	"github.com/golang/glog"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 	uuid "github.com/satori/go.uuid"
@@ -57,7 +60,7 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {

 		// process
 		if err := opap.Process(); err != nil {
-			fmt.Println(err)
+			// fmt.Println(err)
 		}

 		// edit results
@@ -65,7 +68,8 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {

 		// update score
 		// opap.updateScore()
-
+		scoreutil := score.NewScore(opaSessionObj.AllResources)
+		scoreutil.Calculate(opaSessionObj.PostureReport.FrameworkReports)
 		// report
 		*opaHandler.reportResults <- opaSessionObj
 	}
@@ -80,7 +84,7 @@ func (opap *OPAProcessor) Process() error {
 	for i := range opap.Frameworks {
 		frameworkReport, err := opap.processFramework(&opap.Frameworks[i])
 		if err != nil {
-			errs = fmt.Errorf("%v\n%s", errs, err.Error())
+			appendError(&errs, err)
 		}
 		frameworkReports = append(frameworkReports, *frameworkReport)
 	}
@@ -94,6 +98,16 @@ func (opap *OPAProcessor) Process() error {
 	return errs
 }

+func appendError(errs *error, err error) {
+	if err == nil {
+		return
+	}
+	if errs == nil {
+		errs = &err
+	} else {
+		*errs = fmt.Errorf("%v\n%s", *errs, err.Error())
+	}
+}
 func (opap *OPAProcessor) processFramework(framework *reporthandling.Framework) (*reporthandling.FrameworkReport, error) {
 	var errs error

@@ -104,7 +118,8 @@ func (opap *OPAProcessor) processFramework(framework *reporthandling.Framework)
 	for i := range framework.Controls {
 		controlReport, err := opap.processControl(&framework.Controls[i])
 		if err != nil {
-			errs = fmt.Errorf("%v\n%s", errs, err.Error())
+			appendError(&errs, err)
+			// errs = fmt.Errorf("%v\n%s", errs, err.Error())
 		}
 		if controlReport != nil {
 			controlReports = append(controlReports, *controlReport)
@@ -120,6 +135,8 @@ func (opap *OPAProcessor) processControl(control *reporthandling.Control) (*repo
 	controlReport := reporthandling.ControlReport{}
 	controlReport.PortalBase = control.PortalBase
 	controlReport.ControlID = control.ControlID
+	controlReport.BaseScore = control.BaseScore
+
 	controlReport.Control_ID = control.Control_ID // TODO: delete when 'id' is deprecated

 	controlReport.Name = control.Name
@@ -130,7 +147,7 @@ func (opap *OPAProcessor) processControl(control *reporthandling.Control) (*repo
 	for i := range control.Rules {
 		ruleReport, err := opap.processRule(&control.Rules[i])
 		if err != nil {
-			errs = fmt.Errorf("%v\n%s", errs, err.Error())
+			appendError(&errs, err)
 		}
 		if ruleReport != nil {
 			ruleReports = append(ruleReports, *ruleReport)
@@ -144,31 +161,70 @@ func (opap *OPAProcessor) processControl(control *reporthandling.Control) (*repo
 }

 func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (*reporthandling.RuleReport, error) {
-	if ruleWithArmoOpaDependency(rule.Attributes) {
+	if ruleWithArmoOpaDependency(rule.Attributes) || !isRuleKubescapeVersionCompatible(rule) {
 		return nil, nil
 	}
-	k8sObjects := getKubernetesObjects(opap.K8SResources, rule.Match)
-	ruleReport, err := opap.runOPAOnSingleRule(rule, k8sObjects)
+
+	inputResources, err := reporthandling.RegoResourcesAggregator(rule, getAllSupportedObjects(opap.K8SResources, opap.AllResources, rule))
 	if err != nil {
+		return nil, fmt.Errorf("error getting aggregated k8sObjects: %s", err.Error())
+	}
+
+	inputRawResources := workloadinterface.ListMetaToMap(inputResources)
+
+	ruleReport, err := opap.runOPAOnSingleRule(rule, inputRawResources, ruleData)
+	if err != nil {
+		// ruleReport.RuleStatus.Status = reporthandling.StatusFailed
 		ruleReport.RuleStatus.Status = "failure"
 		ruleReport.RuleStatus.Message = err.Error()
 		glog.Error(err)
 	} else {
-		ruleReport.RuleStatus.Status = "success"
+		ruleReport.RuleStatus.Status = reporthandling.StatusPassed
 	}
-	ruleReport.ListInputResources = k8sObjects
+
+	// the failed resources are a subgroup of the enumeratedData, so we store the enumeratedData like it was the input data
+	enumeratedData, err := opap.enumerateData(rule, inputRawResources)
+	if err != nil {
+		return nil, err
+	}
+	inputResources = objectsenvelopes.ListMapToMeta(enumeratedData)
+	ruleReport.ListInputKinds = workloadinterface.ListMetaIDs(inputResources)
+
+	for i := range inputResources {
+		opap.AllResources[inputResources[i].GetID()] = inputResources[i]
+	}
+
+	failedResources := objectsenvelopes.ListMapToMeta(ruleReport.GetFailedResources())
+	for i := range failedResources {
+		if r, ok := opap.AllResources[failedResources[i].GetID()]; !ok {
+			opap.AllResources[failedResources[i].GetID()] = r
+		}
+	}
+	warningResources := objectsenvelopes.ListMapToMeta(ruleReport.GetWarnignResources())
+	for i := range warningResources {
+		if r, ok := opap.AllResources[warningResources[i].GetID()]; !ok {
+			opap.AllResources[warningResources[i].GetID()] = r
+		}
+	}
+
+	// remove all data from responses, leave only the metadata
+	keepFields := []string{"kind", "apiVersion", "metadata"}
+	keepMetadataFields := []string{"name", "namespace", "labels"}
+	ruleReport.RemoveData(keepFields, keepMetadataFields)
+
 	return &ruleReport, err
 }

-func (opap *OPAProcessor) runOPAOnSingleRule(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}) (reporthandling.RuleReport, error) {
+func (opap *OPAProcessor) runOPAOnSingleRule(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}, getRuleData func(*reporthandling.PolicyRule) string) (reporthandling.RuleReport, error) {
 	switch rule.RuleLanguage {
 	case reporthandling.RegoLanguage, reporthandling.RegoLanguage2:
-		return opap.runRegoOnK8s(rule, k8sObjects)
+		return opap.runRegoOnK8s(rule, k8sObjects, getRuleData)
 	default:
 		return reporthandling.RuleReport{}, fmt.Errorf("rule: '%s', language '%v' not supported", rule.Name, rule.RuleLanguage)
 	}
 }
-func (opap *OPAProcessor) runRegoOnK8s(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}) (reporthandling.RuleReport, error) {
+
+func (opap *OPAProcessor) runRegoOnK8s(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}, getRuleData func(*reporthandling.PolicyRule) string) (reporthandling.RuleReport, error) {
 	var errs error
 	ruleReport := reporthandling.RuleReport{
 		Name: rule.Name,
@@ -179,7 +235,7 @@ func (opap *OPAProcessor) runRegoOnK8s(rule *reporthandling.PolicyRule, k8sObjec
 	if err != nil {
 		return ruleReport, fmt.Errorf("rule: '%s', %s", rule.Name, err.Error())
 	}
-	modules[rule.Name] = rule.Rule
+	modules[rule.Name] = getRuleData(rule)
 	compiled, err := ast.CompileModules(modules)
 	if err != nil {
 		return ruleReport, fmt.Errorf("in 'runRegoOnSingleRule', failed to compile rule, name: %s, reason: %s", rule.Name, err.Error())
@@ -213,11 +269,9 @@ func (opap *OPAProcessor) regoEval(inputObj []map[string]interface{}, compiledRe
 	// Run evaluation
 	resultSet, err := rego.Eval(context.Background())
 	if err != nil {
-		return nil, fmt.Errorf("in 'regoEval', failed to evaluate rule, reason: %s", err.Error())
+		return nil, err
 	}
 	results, err := reporthandling.ParseRegoResult(&resultSet)
-
-	// results, err := ParseRegoResult(&resultSet)
 	if err != nil {
 		return results, err
 	}
@@ -225,27 +279,14 @@ func (opap *OPAProcessor) regoEval(inputObj []map[string]interface{}, compiledRe
 	return results, nil
 }

-func (opap *OPAProcessor) updateResults() {
-	for f := range opap.PostureReport.FrameworkReports {
-		// set exceptions
-		exceptions.SetFrameworkExceptions(&opap.PostureReport.FrameworkReports[f], opap.Exceptions, cautils.ClusterName)
-
-		// set counters
-		reporthandling.SetUniqueResourcesCounter(&opap.PostureReport.FrameworkReports[f])
-
-		// set default score
-		reporthandling.SetDefaultScore(&opap.PostureReport.FrameworkReports[f])
-
-		// edit results - remove data
-
-		// TODO - move function to pkg - use RemoveData
-		for c := range opap.PostureReport.FrameworkReports[f].ControlReports {
-			for r, ruleReport := range opap.PostureReport.FrameworkReports[f].ControlReports[c].RuleReports {
-				// editing the responses -> removing duplications, clearing secret data, etc.
-				opap.PostureReport.FrameworkReports[f].ControlReports[c].RuleReports[r].RuleResponses = editRuleResponses(ruleReport.RuleResponses)
-			}
-		}
+func (opap *OPAProcessor) enumerateData(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}) ([]map[string]interface{}, error) {

+	if ruleEnumeratorData(rule) == "" {
+		return k8sObjects, nil
 	}
-
+	ruleReport, err := opap.runOPAOnSingleRule(rule, k8sObjects, ruleEnumeratorData)
+	if err != nil {
+		return nil, err
+	}
+	return ruleReport.GetFailedResources(), nil
 }
--- a/opaprocessor/processorhandler_test.go
+++ b/opaprocessor/processorhandler_test.go
@@ -4,10 +4,12 @@ import (
 	"testing"

 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/armosec/opa-utils/resources"

 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
 	// _ "k8s.io/client-go/plugin/pkg/client/auth"
 )

@@ -18,12 +20,18 @@ func TestProcess(t *testing.T) {

 	// set k8s
 	k8sResources := make(cautils.K8SResources)
-	k8sResources["/v1/pods"] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items)
+	allResources := make(map[string]workloadinterface.IMetadata)
+	imetaObj := objectsenvelopes.ListMapToMeta(k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items))
+	for i := range imetaObj {
+		allResources[imetaObj[i].GetID()] = imetaObj[i]
+	}
+	k8sResources["/v1/pods"] = workloadinterface.ListMetaIDs(imetaObj)

 	// set opaSessionObj
 	opaSessionObj := cautils.NewOPASessionObjMock()
 	opaSessionObj.Frameworks = []reporthandling.Framework{*reporthandling.MockFrameworkA()}
 	opaSessionObj.K8SResources = &k8sResources
+	opaSessionObj.AllResources = allResources

 	opap := NewOPAProcessor(opaSessionObj, resources.NewRegoDependenciesDataMock())
 	opap.Process()
--- a/opaprocessor/processorhandlerutils.go
+++ b/opaprocessor/processorhandlerutils.go
@@ -7,15 +7,40 @@ import (

 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/opa-utils/exceptions"
 	"github.com/armosec/opa-utils/reporthandling"
 	resources "github.com/armosec/opa-utils/resources"

 	"github.com/golang/glog"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

-func getKubernetesObjects(k8sResources *cautils.K8SResources, match []reporthandling.RuleMatchObjects) []map[string]interface{} {
-	k8sObjects := []map[string]interface{}{}
+func (opap *OPAProcessor) updateResults() {
+	// remove data from all objects
+	for i := range opap.AllResources {
+		removeData(opap.AllResources[i])
+	}
+
+	for f := range opap.PostureReport.FrameworkReports {
+		// set exceptions
+		exceptions.SetFrameworkExceptions(&opap.PostureReport.FrameworkReports[f], opap.Exceptions, cautils.ClusterName)
+
+		// set counters
+		reporthandling.SetUniqueResourcesCounter(&opap.PostureReport.FrameworkReports[f])
+
+		// set default score
+		// reporthandling.SetDefaultScore(&opap.PostureReport.FrameworkReports[f])
+	}
+}
+
+func getAllSupportedObjects(k8sResources *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata, rule *reporthandling.PolicyRule) []workloadinterface.IMetadata {
+	k8sObjects := []workloadinterface.IMetadata{}
+	k8sObjects = append(k8sObjects, getKubernetesObjects(k8sResources, allResources, rule.Match)...)
+	k8sObjects = append(k8sObjects, getKubernetesObjects(k8sResources, allResources, rule.DynamicMatch)...)
+	return k8sObjects
+}
+
+func getKubernetesObjects(k8sResources *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata, match []reporthandling.RuleMatchObjects) []workloadinterface.IMetadata {
+	k8sObjects := []workloadinterface.IMetadata{}
 	for m := range match {
 		for _, groups := range match[m].APIGroups {
 			for _, version := range match[m].APIVersions {
@@ -24,15 +49,11 @@ func getKubernetesObjects(k8sResources *cautils.K8SResources, match []reporthand
 					for _, groupResource := range groupResources {
 						if k8sObj, ok := (*k8sResources)[groupResource]; ok {
 							if k8sObj == nil {
+								continue
 								// glog.Errorf("Resource '%s' is nil, probably failed to pull the resource", groupResource)
-							} else if v, k := k8sObj.([]map[string]interface{}); k {
-								k8sObjects = append(k8sObjects, v...)
-							} else if v, k := k8sObj.(map[string]interface{}); k {
-								k8sObjects = append(k8sObjects, v)
-							} else if v, k := k8sObj.([]unstructured.Unstructured); k {
-								k8sObjects = append(k8sObjects, k8sinterface.ConvertUnstructuredSliceToMap(v)...) //
-							} else {
-								glog.Errorf("In 'getKubernetesObjects' resource '%s' unknown type", groupResource)
+							}
+							for i := range k8sObj {
+								k8sObjects = append(k8sObjects, allResources[k8sObj[i]])
 							}
 						}
 					}
@@ -52,28 +73,6 @@ func getRuleDependencies() (map[string]string, error) {
 	return modules, nil
 }

-//editRuleResponses editing the responses -> removing duplications, clearing secret data, etc.
-func editRuleResponses(ruleResponses []reporthandling.RuleResponse) []reporthandling.RuleResponse {
-	lenRuleResponses := len(ruleResponses)
-	for i := 0; i < lenRuleResponses; i++ {
-		for j := range ruleResponses[i].AlertObject.K8SApiObjects {
-			w := workloadinterface.NewWorkloadObj(ruleResponses[i].AlertObject.K8SApiObjects[j])
-			if w == nil {
-				continue
-			}
-
-			cleanRuleResponses(w)
-			ruleResponses[i].AlertObject.K8SApiObjects[j] = w.GetWorkload()
-		}
-	}
-	return ruleResponses
-}
-func cleanRuleResponses(workload k8sinterface.IWorkload) {
-	if workload.GetKind() == "Secret" {
-		workload.RemoveSecretData()
-	}
-}
-
 func ruleWithArmoOpaDependency(annotations map[string]interface{}) bool {
 	if annotations == nil {
 		return false
@@ -83,3 +82,88 @@ func ruleWithArmoOpaDependency(annotations map[string]interface{}) bool {
 	}
 	return false
 }
+
+// Checks that kubescape version is in range of use for this rule
+// In local build (BuildNumber = ""):
+// returns true only if rule doesn't have the "until" attribute
+func isRuleKubescapeVersionCompatible(rule *reporthandling.PolicyRule) bool {
+	if from, ok := rule.Attributes["useFromKubescapeVersion"]; ok {
+		if cautils.BuildNumber != "" {
+			if from.(string) > cautils.BuildNumber {
+				return false
+			}
+		}
+	}
+	if until, ok := rule.Attributes["useUntilKubescapeVersion"]; ok {
+		if cautils.BuildNumber != "" {
+			if until.(string) <= cautils.BuildNumber {
+				return false
+			}
+		} else {
+			return false
+		}
+	}
+	return true
+}
+
+func removeData(obj workloadinterface.IMetadata) {
+	if !k8sinterface.IsTypeWorkload(obj.GetObject()) {
+		return // remove data only from kubernetes objects
+	}
+	workload := workloadinterface.NewWorkloadObj(obj.GetObject())
+	switch workload.GetKind() {
+	case "Secret":
+		removeSecretData(workload)
+	case "ConfigMap":
+		removeConfigMapData(workload)
+	default:
+		removePodData(workload)
+	}
+}
+
+func removeConfigMapData(workload workloadinterface.IWorkload) {
+	workload.RemoveAnnotation("kubectl.kubernetes.io/last-applied-configuration")
+	workloadinterface.RemoveFromMap(workload.GetObject(), "metadata", "managedFields")
+	overrideSensitiveData(workload)
+}
+
+func overrideSensitiveData(workload workloadinterface.IWorkload) {
+	dataInterface, ok := workloadinterface.InspectMap(workload.GetObject(), "data")
+	if ok {
+		data, ok := dataInterface.(map[string]interface{})
+		if ok {
+			for key := range data {
+				workloadinterface.SetInMap(workload.GetObject(), []string{"data"}, key, "XXXXXX")
+			}
+		}
+	}
+}
+
+func removeSecretData(workload workloadinterface.IWorkload) {
+	workload.RemoveAnnotation("kubectl.kubernetes.io/last-applied-configuration")
+	workloadinterface.RemoveFromMap(workload.GetObject(), "metadata", "managedFields")
+	overrideSensitiveData(workload)
+}
+func removePodData(workload workloadinterface.IWorkload) {
+	workload.RemoveAnnotation("kubectl.kubernetes.io/last-applied-configuration")
+	workloadinterface.RemoveFromMap(workload.GetObject(), "metadata", "managedFields")
+
+	containers, err := workload.GetContainers()
+	if err != nil || len(containers) == 0 {
+		return
+	}
+	for i := range containers {
+		for j := range containers[i].Env {
+			containers[i].Env[j].Value = "XXXXXX"
+		}
+	}
+	workloadinterface.SetInMap(workload.GetObject(), workloadinterface.PodSpec(workload.GetKind()), "containers", containers)
+}
+
+func ruleData(rule *reporthandling.PolicyRule) string {
+	return rule.Rule
+}
+
+func ruleEnumeratorData(rule *reporthandling.PolicyRule) string {
+	return rule.ResourceEnumerator
+}
--- a/opaprocessor/processorhandlerutils_test.go
+++ b/opaprocessor/processorhandlerutils_test.go
@@ -2,7 +2,73 @@ package opaprocessor

 import (
 	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/reporthandling"
 )

 func TestGetKubernetesObjects(t *testing.T) {
 }
+
+var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
+var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
+var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
+var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
+
+func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
+	// local build- no build number
+	// should use only rules that don't have "until"
+	cautils.BuildNumber = ""
+	if isRuleKubescapeVersionCompatible(rule_v1_0_131) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if isRuleKubescapeVersionCompatible(rule_v1_0_132) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if isRuleKubescapeVersionCompatible(rule_v1_0_133) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if !isRuleKubescapeVersionCompatible(rule_v1_0_134) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+
+	// should only use rules that version is in range of use
+	cautils.BuildNumber = "v1.0.133"
+	if isRuleKubescapeVersionCompatible(rule_v1_0_131) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if isRuleKubescapeVersionCompatible(rule_v1_0_132) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if !isRuleKubescapeVersionCompatible(rule_v1_0_133) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+	if isRuleKubescapeVersionCompatible(rule_v1_0_134) {
+		t.Error("error in isRuleKubescapeVersionCompatible")
+	}
+}
+
+func TestRemoveData(t *testing.T) {
+	k8sinterface.InitializeMapResourcesMock()
+
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"demoservice-server"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"demoservice-server"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}`
+	obj, _ := workloadinterface.NewWorkload([]byte(w))
+	removeData(obj)
+
+	workload := workloadinterface.NewWorkloadObj(obj.GetObject())
+	c, _ := workload.GetContainers()
+	for i := range c {
+		for _, e := range c[i].Env {
+			assert.Equal(t, "XXXXXX", e.Value)
+		}
+	}
+}
--- a/policyhandler/handlenotification.go
+++ b/policyhandler/handlenotification.go
@@ -35,22 +35,29 @@ func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *repo
 		return err
 	}

-	k8sResources, err := policyHandler.getResources(notification, opaSessionObj, scanInfo)
+	err := policyHandler.getResources(notification, opaSessionObj, scanInfo)
 	if err != nil {
 		return err
 	}
-	if k8sResources == nil || len(*k8sResources) == 0 {
+	if opaSessionObj.K8SResources == nil || len(*opaSessionObj.K8SResources) == 0 {
 		return fmt.Errorf("empty list of resources")
 	}
-	opaSessionObj.K8SResources = k8sResources

 	// update channel
 	*policyHandler.processPolicy <- opaSessionObj
 	return nil
 }

-func (policyHandler *PolicyHandler) getResources(notification *reporthandling.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) (*cautils.K8SResources, error) {
+func (policyHandler *PolicyHandler) getResources(notification *reporthandling.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) error {

 	opaSessionObj.PostureReport.ClusterAPIServerInfo = policyHandler.resourceHandler.GetClusterAPIServerInfo()
-	return policyHandler.resourceHandler.GetResources(opaSessionObj.Frameworks, &notification.Designators)
+	resourcesMap, allResources, err := policyHandler.resourceHandler.GetResources(opaSessionObj.Frameworks, &notification.Designators)
+	if err != nil {
+		return err
+	}
+
+	opaSessionObj.K8SResources = resourcesMap
+	opaSessionObj.AllResources = allResources
+
+	return nil
 }
--- a/policyhandler/handlepullpolicies.go
+++ b/policyhandler/handlepullpolicies.go
@@ -59,9 +59,9 @@ func (policyHandler *PolicyHandler) getScanPolicies(notification *reporthandling
 			if err != nil {
 				return frameworks, policyDownloadError(err)
 			}
-		}
-		if receivedControl != nil {
-			f.Controls = append(f.Controls, *receivedControl)
+			if receivedControl != nil {
+				f.Controls = append(f.Controls, *receivedControl)
+			}
 		}
 		frameworks = append(frameworks, f)
 		// TODO: add case for control from file
--- a/resourcehandler/fieldselector.go
+++ b/resourcehandler/fieldselector.go
@@ -0,0 +1,69 @@
+package resourcehandler
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type IFieldSelector interface {
+	GetNamespacesSelectors(*schema.GroupVersionResource) []string
+}
+
+type EmptySelector struct {
+}
+
+func (es *EmptySelector) GetNamespacesSelectors(resource *schema.GroupVersionResource) []string {
+	return []string{""} //
+}
+
+type ExcludeSelector struct {
+	namespace string
+}
+
+func NewExcludeSelector(ns string) *ExcludeSelector {
+	return &ExcludeSelector{namespace: ns}
+}
+
+type IncludeSelector struct {
+	namespace string
+}
+
+func NewIncludeSelector(ns string) *IncludeSelector {
+	return &IncludeSelector{namespace: ns}
+}
+func (es *ExcludeSelector) GetNamespacesSelectors(resource *schema.GroupVersionResource) []string {
+	fieldSelectors := ""
+	for _, n := range strings.Split(es.namespace, ",") {
+		if n != "" {
+			fieldSelectors += getNamespacesSelector(resource, n, "!=") + ","
+		}
+	}
+	return []string{fieldSelectors}
+
+}
+
+func (is *IncludeSelector) GetNamespacesSelectors(resource *schema.GroupVersionResource) []string {
+	fieldSelectors := []string{}
+	for _, n := range strings.Split(is.namespace, ",") {
+		if n != "" {
+			fieldSelectors = append(fieldSelectors, getNamespacesSelector(resource, n, "=="))
+		}
+	}
+	return fieldSelectors
+}
+
+func getNamespacesSelector(resource *schema.GroupVersionResource, ns, operator string) string {
+	fieldSelector := "metadata."
+	if resource.Resource == "namespaces" {
+		fieldSelector += "name"
+	} else if k8sinterface.IsResourceInNamespaceScope(resource.Resource) {
+		fieldSelector += "namespace"
+	} else {
+		return ""
+	}
+	return fmt.Sprintf("%s%s%s", fieldSelector, operator, ns)
+
+}
--- a/resourcehandler/fieldselector_test.go
+++ b/resourcehandler/fieldselector_test.go
@@ -0,0 +1,43 @@
+package resourcehandler
+
+import (
+	"testing"
+
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestGetNamespacesSelector(t *testing.T) {
+	k8sinterface.InitializeMapResourcesMock()
+	assert.Equal(t, "metadata.namespace==default", getNamespacesSelector(&schema.GroupVersionResource{Version: "v1", Resource: "pods"}, "default", "=="))
+	assert.Equal(t, "", getNamespacesSelector(&schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, "default", "=="))
+}
+
+func TestExcludedNamespacesSelectors(t *testing.T) {
+	k8sinterface.InitializeMapResourcesMock()
+
+	es := NewExcludeSelector("default,ingress")
+	selectors := es.GetNamespacesSelectors(&schema.GroupVersionResource{Resource: "pods"})
+	assert.Equal(t, 1, len(selectors))
+	assert.Equal(t, "metadata.namespace!=default,metadata.namespace!=ingress,", selectors[0])
+
+	selectors2 := es.GetNamespacesSelectors(&schema.GroupVersionResource{Resource: "namespaces"})
+	assert.Equal(t, 1, len(selectors2))
+	assert.Equal(t, "metadata.name!=default,metadata.name!=ingress,", selectors2[0])
+}
+
+func TestIncludeNamespacesSelectors(t *testing.T) {
+	k8sinterface.InitializeMapResourcesMock()
+
+	is := NewIncludeSelector("default,ingress")
+	selectors := is.GetNamespacesSelectors(&schema.GroupVersionResource{Resource: "pods"})
+	assert.Equal(t, 2, len(selectors))
+	assert.Equal(t, "metadata.namespace==default", selectors[0])
+	assert.Equal(t, "metadata.namespace==ingress", selectors[1])
+
+	selectors2 := is.GetNamespacesSelectors(&schema.GroupVersionResource{Resource: "namespaces"})
+	assert.Equal(t, 2, len(selectors2))
+	assert.Equal(t, "metadata.name==default", selectors2[0])
+	assert.Equal(t, "metadata.name==ingress", selectors2[1])
+}
--- a/resourcehandler/filesloader.go
+++ b/resourcehandler/filesloader.go
@@ -14,6 +14,7 @@ import (

 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"

 	"gopkg.in/yaml.v2"
@@ -37,18 +38,25 @@ type FileResourceHandler struct {
 }

 func NewFileResourceHandler(inputPatterns []string) *FileResourceHandler {
+	k8sinterface.InitializeMapResourcesMock() // initialize the resource map
 	return &FileResourceHandler{
 		inputPatterns: inputPatterns,
 	}
 }

-func (fileHandler *FileResourceHandler) GetResources(frameworks []reporthandling.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, error) {
-	workloads := []k8sinterface.IWorkload{}
+func (fileHandler *FileResourceHandler) GetResources(frameworks []reporthandling.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, map[string]workloadinterface.IMetadata, error) {
+
+	// build resources map
+	// map resources based on framework required resources: map["/group/version/kind"][]<k8s workloads ids>
+	k8sResources := setResourceMap(frameworks)
+	allResources := map[string]workloadinterface.IMetadata{}
+
+	workloads := []workloadinterface.IMetadata{}

 	// load resource from local file system
 	w, err := loadResourcesFromFiles(fileHandler.inputPatterns)
 	if err != nil {
-		return nil, err
+		return nil, allResources, err
 	}
 	if w != nil {
 		workloads = append(workloads, w...)
@@ -57,31 +65,32 @@ func (fileHandler *FileResourceHandler) GetResources(frameworks []reporthandling
 	// load resources from url
 	w, err = loadResourcesFromUrl(fileHandler.inputPatterns)
 	if err != nil {
-		return nil, err
+		return nil, allResources, err
 	}
 	if w != nil {
 		workloads = append(workloads, w...)
 	}

 	if len(workloads) == 0 {
-		return nil, fmt.Errorf("empty list of workloads - no workloads found")
+		return nil, allResources, fmt.Errorf("empty list of workloads - no workloads found")
 	}

 	// map all resources: map["/group/version/kind"][]<k8s workloads>
-	allResources := mapResources(workloads)
-
-	// build resources map
-	// map resources based on framework required resources: map["/group/version/kind"][]<k8s workloads>
-	k8sResources := setResourceMap(frameworks) // TODO - support designators
+	mappedResources := mapResources(workloads)

 	// save only relevant resources
-	for i := range allResources {
+	for i := range mappedResources {
 		if _, ok := (*k8sResources)[i]; ok {
-			(*k8sResources)[i] = allResources[i]
+			ids := []string{}
+			for j := range mappedResources[i] {
+				ids = append(ids, mappedResources[i][j].GetID())
+				allResources[mappedResources[i][j].GetID()] = mappedResources[i][j]
+			}
+			(*k8sResources)[i] = ids
 		}
 	}

-	return k8sResources, nil
+	return k8sResources, allResources, nil

 }

@@ -89,7 +98,7 @@ func (fileHandler *FileResourceHandler) GetClusterAPIServerInfo() *version.Info
 	return nil
 }

-func loadResourcesFromFiles(inputPatterns []string) ([]k8sinterface.IWorkload, error) {
+func loadResourcesFromFiles(inputPatterns []string) ([]workloadinterface.IMetadata, error) {
 	files, errs := listFiles(inputPatterns)
 	if len(errs) > 0 {
 		cautils.ErrorDisplay(fmt.Sprintf("%v", errs)) // TODO - print error
@@ -106,32 +115,36 @@ func loadResourcesFromFiles(inputPatterns []string) ([]k8sinterface.IWorkload, e
 }

 // build resources map
-func mapResources(workloads []k8sinterface.IWorkload) map[string][]map[string]interface{} {
-	allResources := map[string][]map[string]interface{}{}
+func mapResources(workloads []workloadinterface.IMetadata) map[string][]workloadinterface.IMetadata {
+
+	allResources := map[string][]workloadinterface.IMetadata{}
 	for i := range workloads {
 		groupVersionResource, err := k8sinterface.GetGroupVersionResource(workloads[i].GetKind())
 		if err != nil {
 			// TODO - print warning
 			continue
 		}
-		if groupVersionResource.Group != workloads[i].GetGroup() || groupVersionResource.Version != workloads[i].GetVersion() {
-			// TODO - print warning
-			continue
+
+		if k8sinterface.IsTypeWorkload(workloads[i].GetObject()) {
+			w := workloadinterface.NewWorkloadObj(workloads[i].GetObject())
+			if groupVersionResource.Group != w.GetGroup() || groupVersionResource.Version != w.GetVersion() {
+				// TODO - print warning
+				continue
+			}
 		}
 		resourceTriplets := k8sinterface.JoinResourceTriplets(groupVersionResource.Group, groupVersionResource.Version, groupVersionResource.Resource)
 		if r, ok := allResources[resourceTriplets]; ok {
-			r = append(r, workloads[i].GetWorkload())
-			allResources[resourceTriplets] = r
+			allResources[resourceTriplets] = append(r, workloads[i])
 		} else {
-			allResources[resourceTriplets] = []map[string]interface{}{workloads[i].GetWorkload()}
+			allResources[resourceTriplets] = []workloadinterface.IMetadata{workloads[i]}
 		}
 	}
 	return allResources

 }

-func loadFiles(filePaths []string) ([]k8sinterface.IWorkload, []error) {
-	workloads := []k8sinterface.IWorkload{}
+func loadFiles(filePaths []string) ([]workloadinterface.IMetadata, []error) {
+	workloads := []workloadinterface.IMetadata{}
 	errs := []error{}
 	for i := range filePaths {
 		f, err := loadFile(filePaths[i])
@@ -151,7 +164,7 @@ func loadFiles(filePaths []string) ([]k8sinterface.IWorkload, []error) {
 func loadFile(filePath string) ([]byte, error) {
 	return os.ReadFile(filePath)
 }
-func readFile(fileContent []byte, fileFromat FileFormat) ([]k8sinterface.IWorkload, []error) {
+func readFile(fileContent []byte, fileFromat FileFormat) ([]workloadinterface.IMetadata, []error) {

 	switch fileFromat {
 	case YAML_FILE_FORMAT:
@@ -185,12 +198,12 @@ func listFiles(patterns []string) ([]string, []error) {
 	return files, errs
 }

-func readYamlFile(yamlFile []byte) ([]k8sinterface.IWorkload, []error) {
+func readYamlFile(yamlFile []byte) ([]workloadinterface.IMetadata, []error) {
 	errs := []error{}

 	r := bytes.NewReader(yamlFile)
 	dec := yaml.NewDecoder(r)
-	yamlObjs := []k8sinterface.IWorkload{}
+	yamlObjs := []workloadinterface.IMetadata{}

 	var t interface{}
 	for dec.Decode(&t) == nil {
@@ -199,7 +212,9 @@ func readYamlFile(yamlFile []byte) ([]k8sinterface.IWorkload, []error) {
 			continue
 		}
 		if obj, ok := j.(map[string]interface{}); ok {
-			yamlObjs = append(yamlObjs, workloadinterface.NewWorkloadObj(obj))
+			if o := objectsenvelopes.NewObject(obj); o != nil {
+				yamlObjs = append(yamlObjs, o)
+			}
 		} else {
 			errs = append(errs, fmt.Errorf("failed to convert yaml file to map[string]interface, file content: %v", j))
 		}
@@ -208,8 +223,8 @@ func readYamlFile(yamlFile []byte) ([]k8sinterface.IWorkload, []error) {
 	return yamlObjs, errs
 }

-func readJsonFile(jsonFile []byte) ([]k8sinterface.IWorkload, []error) {
-	workloads := []k8sinterface.IWorkload{}
+func readJsonFile(jsonFile []byte) ([]workloadinterface.IMetadata, []error) {
+	workloads := []workloadinterface.IMetadata{}
 	var jsonObj interface{}
 	if err := json.Unmarshal(jsonFile, &jsonObj); err != nil {
 		return workloads, []error{err}
@@ -219,11 +234,13 @@ func readJsonFile(jsonFile []byte) ([]k8sinterface.IWorkload, []error) {

 	return workloads, nil
 }
-func convertJsonToWorkload(jsonObj interface{}, workloads *[]k8sinterface.IWorkload) {
+func convertJsonToWorkload(jsonObj interface{}, workloads *[]workloadinterface.IMetadata) {

 	switch x := jsonObj.(type) {
 	case map[string]interface{}:
-		(*workloads) = append(*workloads, workloadinterface.NewWorkloadObj(x))
+		if o := objectsenvelopes.NewObject(x); o != nil {
+			(*workloads) = append(*workloads, o)
+		}
 	case []interface{}:
 		for i := range x {
 			convertJsonToWorkload(x[i], workloads)
--- a/resourcehandler/filesloader_test.go
+++ b/resourcehandler/filesloader_test.go
@@ -41,7 +41,7 @@ func TestLoadFile(t *testing.T) {
 		t.Errorf("%v", err)
 	}
 }
-func TestLoadResources(t *testing.T) {
+func TestMapResources(t *testing.T) {
 	// policyHandler := &PolicyHandler{}
 	// k8sResources, err := policyHandler.loadResources(opaSessionObj.Frameworks, scanInfo)
 	// files, _ := listFiles([]string{onlineBoutiquePath()})
--- a/resourcehandler/k8sresources.go
+++ b/resourcehandler/k8sresources.go
@@ -3,12 +3,17 @@ package resourcehandler
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"

 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/hostsensorutils"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"

+	"github.com/armosec/k8s-interface/cloudsupport"
 	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"

 	"github.com/armosec/armoapi-go/armotypes"

@@ -21,107 +26,192 @@ import (
 )

 type K8sResourceHandler struct {
-	k8s                *k8sinterface.KubernetesApi
-	excludedNamespaces string // excluded namespaces (separated by comma)
+	k8s               *k8sinterface.KubernetesApi
+	hostSensorHandler hostsensorutils.IHostSensor
+	fieldSelector     IFieldSelector
+	rbacObjectsAPI    *cautils.RBACObjects
 }

-func NewK8sResourceHandler(k8s *k8sinterface.KubernetesApi, excludedNamespaces string) *K8sResourceHandler {
+func NewK8sResourceHandler(k8s *k8sinterface.KubernetesApi, fieldSelector IFieldSelector, hostSensorHandler hostsensorutils.IHostSensor, rbacObjects *cautils.RBACObjects) *K8sResourceHandler {
 	return &K8sResourceHandler{
-		k8s:                k8s,
-		excludedNamespaces: excludedNamespaces,
+		k8s:               k8s,
+		fieldSelector:     fieldSelector,
+		hostSensorHandler: hostSensorHandler,
+		rbacObjectsAPI:    rbacObjects,
 	}
 }

-func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, error) {
+func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, map[string]workloadinterface.IMetadata, error) {
+	allResources := map[string]workloadinterface.IMetadata{}
+
 	// get k8s resources
 	cautils.ProgressTextDisplay("Accessing Kubernetes objects")

+	cautils.StartSpinner()
+
 	// build resources map
+	// map resources based on framework required resources: map["/group/version/kind"][]<k8s workloads ids>
 	k8sResourcesMap := setResourceMap(frameworks)

 	// get namespace and labels from designator (ignore cluster labels)
 	_, namespace, labels := armotypes.DigestPortalDesignator(designator)

 	// pull k8s recourses
-	if err := k8sHandler.pullResources(k8sResourcesMap, namespace, labels, k8sHandler.excludedNamespaces); err != nil {
-		return k8sResourcesMap, err
+	if err := k8sHandler.pullResources(k8sResourcesMap, allResources, namespace, labels); err != nil {
+		return k8sResourcesMap, allResources, err
+	}
+	if err := k8sHandler.collectHostResources(allResources, k8sResourcesMap); err != nil {
+		return k8sResourcesMap, allResources, err
 	}

-	cautils.SuccessTextDisplay("Accessed successfully to Kubernetes objects, let’s start!!!")
-	return k8sResourcesMap, nil
+	if err := k8sHandler.collectRbacResources(allResources); err != nil {
+		cautils.WarningDisplay(os.Stdout, "Warning: failed to collect rbac resources\n")
+	}
+	if err := getCloudProviderDescription(allResources, k8sResourcesMap); err != nil {
+		cautils.WarningDisplay(os.Stdout, fmt.Sprintf("Warning: %v\n", err.Error()))
+	}
+
+	cautils.StopSpinner()
+
+	cautils.SuccessTextDisplay("Accessed successfully to Kubernetes objects")
+	return k8sResourcesMap, allResources, nil
 }

 func (k8sHandler *K8sResourceHandler) GetClusterAPIServerInfo() *version.Info {
-	clusterAPIServerInfo, err := k8sHandler.k8s.KubernetesClient.Discovery().ServerVersion()
+	clusterAPIServerInfo, err := k8sHandler.k8s.DiscoveryClient.ServerVersion()
 	if err != nil {
 		cautils.ErrorDisplay(fmt.Sprintf("Failed to discover API server information: %v", err))
 		return nil
 	}
 	return clusterAPIServerInfo
 }
-func (k8sHandler *K8sResourceHandler) pullResources(k8sResources *cautils.K8SResources, namespace string, labels map[string]string, excludedNamespaces string) error {
+
+func (k8sHandler *K8sResourceHandler) pullResources(k8sResources *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata, namespace string, labels map[string]string) error {

 	var errs error
 	for groupResource := range *k8sResources {
 		apiGroup, apiVersion, resource := k8sinterface.StringToResourceGroup(groupResource)
 		gvr := schema.GroupVersionResource{Group: apiGroup, Version: apiVersion, Resource: resource}
-		result, err := k8sHandler.pullSingleResource(&gvr, namespace, labels, excludedNamespaces)
+		result, err := k8sHandler.pullSingleResource(&gvr, namespace, labels)
 		if err != nil {
-			// handle error
-			if errs == nil {
-				errs = err
-			} else {
-				errs = fmt.Errorf("%s\n%s", errs, err.Error())
+			if !strings.Contains(err.Error(), "the server could not find the requested resource") {
+				// handle error
+				if errs == nil {
+					errs = err
+				} else {
+					errs = fmt.Errorf("%s\n%s", errs, err.Error())
+				}
 			}
-		} else {
-			// store result as []map[string]interface{}
-			(*k8sResources)[groupResource] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.FilterOutOwneredResources(result))
+			continue
 		}
+		// store result as []map[string]interface{}
+		metaObjs := ConvertMapListToMeta(k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.FilterOutOwneredResources(result)))
+		for i := range metaObjs {
+			allResources[metaObjs[i].GetID()] = metaObjs[i]
+		}
+		(*k8sResources)[groupResource] = workloadinterface.ListMetaIDs(metaObjs)
 	}
 	return errs
 }

-func (k8sHandler *K8sResourceHandler) pullSingleResource(resource *schema.GroupVersionResource, namespace string, labels map[string]string, excludedNamespaces string) ([]unstructured.Unstructured, error) {
-
+func (k8sHandler *K8sResourceHandler) pullSingleResource(resource *schema.GroupVersionResource, namespace string, labels map[string]string) ([]unstructured.Unstructured, error) {
+	resourceList := []unstructured.Unstructured{}
 	// set labels
 	listOptions := metav1.ListOptions{}
-	if excludedNamespaces != "" {
-		setFieldSelector(&listOptions, resource, excludedNamespaces)
-	}
-	if len(labels) > 0 {
-		set := k8slabels.Set(labels)
-		listOptions.LabelSelector = set.AsSelector().String()
+	fieldSelectors := k8sHandler.fieldSelector.GetNamespacesSelectors(resource)
+	for i := range fieldSelectors {
+
+		listOptions.FieldSelector = fieldSelectors[i]
+
+		if len(labels) > 0 {
+			set := k8slabels.Set(labels)
+			listOptions.LabelSelector = set.AsSelector().String()
+		}
+
+		// set dynamic object
+		var clientResource dynamic.ResourceInterface
+		if namespace != "" && k8sinterface.IsNamespaceScope(resource) {
+			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource).Namespace(namespace)
+		} else {
+			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource)
+		}
+
+		// list resources
+		result, err := clientResource.List(context.Background(), listOptions)
+		if err != nil || result == nil {
+			return nil, fmt.Errorf("failed to get resource: %v, namespace: %s, labelSelector: %v, reason: %v", resource, namespace, listOptions.LabelSelector, err)
+		}
+
+		resourceList = append(resourceList, result.Items...)
+
 	}

-	// set dynamic object
-	var clientResource dynamic.ResourceInterface
-	if namespace != "" && k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
-		clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource).Namespace(namespace)
-	} else {
-		clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource)
-	}
+	return resourceList, nil

-	// list resources
-	result, err := clientResource.List(context.Background(), listOptions)
+}
+func ConvertMapListToMeta(resourceMap []map[string]interface{}) []workloadinterface.IMetadata {
+	workloads := []workloadinterface.IMetadata{}
+	for i := range resourceMap {
+		if w := objectsenvelopes.NewObject(resourceMap[i]); w != nil {
+			workloads = append(workloads, w)
+		}
+	}
+	return workloads
+}
+
+func (k8sHandler *K8sResourceHandler) collectHostResources(allResources map[string]workloadinterface.IMetadata, resourcesMap *cautils.K8SResources) error {
+	hostResources, err := k8sHandler.hostSensorHandler.CollectResources()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get resource: %v, namespace: %s, labelSelector: %v, reason: %s", resource, namespace, listOptions.LabelSelector, err.Error())
+		return err
 	}
+	for rscIdx := range hostResources {
+		group, version := getGroupNVersion(hostResources[rscIdx].GetApiVersion())
+		groupResource := k8sinterface.JoinResourceTriplets(group, version, hostResources[rscIdx].GetKind())
+		allResources[hostResources[rscIdx].GetID()] = &hostResources[rscIdx]

-	return result.Items, nil
-
+		grpResourceList, ok := (*resourcesMap)[groupResource]
+		if !ok {
+			grpResourceList = make([]string, 0)
+		}
+		(*resourcesMap)[groupResource] = append(grpResourceList, hostResources[rscIdx].GetID())
+	}
+	return nil
 }

-func setFieldSelector(listOptions *metav1.ListOptions, resource *schema.GroupVersionResource, excludedNamespaces string) {
-	fieldSelector := "metadata."
-	if resource.Resource == "namespaces" {
-		fieldSelector += "name"
-	} else if k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
-		fieldSelector += "namespace"
-	} else {
-		return
+func (k8sHandler *K8sResourceHandler) collectRbacResources(allResources map[string]workloadinterface.IMetadata) error {
+	if k8sHandler.rbacObjectsAPI == nil {
+		return nil
 	}
-	excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
-	for _, excludedNamespace := range excludedNamespacesSlice {
-		listOptions.FieldSelector += fmt.Sprintf("%s!=%s,", fieldSelector, excludedNamespace)
+	allRbacResources, err := k8sHandler.rbacObjectsAPI.ListAllResources()
+	if err != nil {
+		return err
 	}
+	for k, v := range allRbacResources {
+		allResources[k] = v
+	}
+	return nil
+}
+
+func getCloudProviderDescription(allResources map[string]workloadinterface.IMetadata, k8sResourcesMap *cautils.K8SResources) error {
+	if cloudsupport.IsRunningInCloudProvider() {
+		wl, err := cloudsupport.GetDescriptiveInfoFromCloudProvider()
+		if err != nil {
+			cluster := k8sinterface.GetCurrentContext().Cluster
+			provider := cloudsupport.GetCloudProvider(cluster)
+			// Return error with useful info on how to configure credentials for getting cloud provider info
+			switch provider {
+			case "gke":
+				return fmt.Errorf("could not get descriptive information about gke cluster: %s using sdk client. See https://developers.google.com/accounts/docs/application-default-credentials for more information", cluster)
+			case "eks":
+				return fmt.Errorf("could not get descriptive information about eks cluster: %s using sdk client. Check out how to configure credentials in https://docs.aws.amazon.com/sdk-for-go/api/", cluster)
+			case "aks":
+				return fmt.Errorf("could not get descriptive information about aks cluster: %s. %v", cluster, err.Error())
+			}
+			return err
+		}
+		allResources[wl.GetID()] = wl
+		(*k8sResourcesMap)[fmt.Sprintf("%s/%s", wl.GetApiVersion(), wl.GetKind())] = []string{wl.GetID()}
+	}
+	return nil
+
 }
--- a/resourcehandler/k8sresourcesutils.go
+++ b/resourcehandler/k8sresourcesutils.go
@@ -1,6 +1,8 @@
 package resourcehandler

 import (
+	"strings"
+
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/opa-utils/reporthandling"

@@ -66,3 +68,15 @@ func insertK8sResources(k8sResources map[string]map[string]map[string]interface{
 		}
 	}
 }
+
+func getGroupNVersion(apiVersion string) (string, string) {
+	gv := strings.Split(apiVersion, "/")
+	group, version := "", ""
+	if len(gv) >= 1 {
+		group = gv[0]
+	}
+	if len(gv) >= 2 {
+		version = gv[1]
+	}
+	return group, version
+}
--- a/resourcehandler/k8sresourcesutils_test.go
+++ b/resourcehandler/k8sresourcesutils_test.go
@@ -11,6 +11,7 @@ func TestGetK8sResources(t *testing.T) {
 	// getK8sResources
 }
 func TestSetResourceMap(t *testing.T) {
+	k8sinterface.InitializeMapResourcesMock()
 	framework := reporthandling.MockFrameworkA()
 	k8sResources := setResourceMap([]reporthandling.Framework{*framework})
 	resources := k8sinterface.ResourceGroupToString("*", "v1", "Pod")
--- a/resourcehandler/repositoryscanner.go
+++ b/resourcehandler/repositoryscanner.go
@@ -95,7 +95,7 @@ func (g *GitHubRepository) setBranch(branchOptional string) error {
 	// By default it is "master", unless the branchOptional came with a value
 	if branchOptional == "" {

-		body, err := getter.HttpGetter(&http.Client{}, g.defaultBranchAPI())
+		body, err := getter.HttpGetter(&http.Client{}, g.defaultBranchAPI(), nil)
 		if err != nil {
 			return err
 		}
@@ -117,7 +117,7 @@ func (g *GitHubRepository) defaultBranchAPI() string {
 }

 func (g *GitHubRepository) setTree() error {
-	body, err := getter.HttpGetter(&http.Client{}, g.treeAPI())
+	body, err := getter.HttpGetter(&http.Client{}, g.treeAPI(), nil)
 	if err != nil {
 		return err
 	}
--- a/resourcehandler/resourceshandler.go
+++ b/resourcehandler/resourceshandler.go
@@ -2,12 +2,13 @@ package resourcehandler

 import (
 	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/opa-utils/reporthandling"
 	"k8s.io/apimachinery/pkg/version"
 )

 type IResourceHandler interface {
-	GetResources(frameworks []reporthandling.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, error)
+	GetResources([]reporthandling.Framework, *armotypes.PortalDesignator) (*cautils.K8SResources, map[string]workloadinterface.IMetadata, error)
 	GetClusterAPIServerInfo() *version.Info
 }
--- a/resourcehandler/urlloader.go
+++ b/resourcehandler/urlloader.go
@@ -7,11 +7,11 @@ import (
 	"net/http"
 	"strings"

-	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
 )

-func loadResourcesFromUrl(inputPatterns []string) ([]k8sinterface.IWorkload, error) {
+func loadResourcesFromUrl(inputPatterns []string) ([]workloadinterface.IMetadata, error) {
 	urls := listUrls(inputPatterns)
 	if len(urls) == 0 {
 		return nil, nil
@@ -43,8 +43,8 @@ func listUrls(patterns []string) []string {
 	return urls
 }

-func downloadFiles(urls []string) ([]k8sinterface.IWorkload, []error) {
-	workloads := []k8sinterface.IWorkload{}
+func downloadFiles(urls []string) ([]workloadinterface.IMetadata, []error) {
+	workloads := []workloadinterface.IMetadata{}
 	errs := []error{}
 	for i := range urls {
 		f, err := downloadFile(urls[i])
--- a/resultshandling/printer/junit.go
+++ b/resultshandling/printer/junit.go
@@ -103,7 +103,7 @@ func convertPostureReportToJunitResult(postureResult *reporthandling.PostureRepo
 			testCase := JUnitTestCase{}
 			testCase.Name = controlReports.Name
 			testCase.Classname = "Kubescape"
-			testCase.Time = "0"
+			testCase.Time = postureResult.ReportGenerationTime.String()
 			if 0 < len(controlReports.RuleReports[0].RuleResponses) {

 				testCase.Resources = controlReports.GetNumberOfResources()
--- a/resultshandling/printer/prettyprinter.go
+++ b/resultshandling/printer/prettyprinter.go
@@ -4,8 +4,11 @@ import (
 	"fmt"
 	"os"
 	"sort"
+	"strings"

+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/enescakir/emoji"
 	"github.com/olekukonko/tablewriter"
@@ -14,37 +17,47 @@ import (
 type PrettyPrinter struct {
 	writer             *os.File
 	summary            Summary
+	verboseMode        bool
 	sortedControlNames []string
-	frameworkSummary   ControlSummary
+	frameworkSummary   ResultSummary
 }

-func NewPrettyPrinter() *PrettyPrinter {
+func NewPrettyPrinter(verboseMode bool) *PrettyPrinter {
 	return &PrettyPrinter{
-		summary: NewSummary(),
+		verboseMode: verboseMode,
+		summary:     NewSummary(),
 	}
 }

-// Initializes empty printer for new table
-func (printer *PrettyPrinter) init() *PrettyPrinter {
-	printer.frameworkSummary = ControlSummary{}
-	printer.summary = Summary{}
-	printer.sortedControlNames = []string{}
-	return printer
-}
-
 func (printer *PrettyPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
 	// score := calculatePostureScore(opaSessionObj.PostureReport)
-	for _, report := range opaSessionObj.PostureReport.FrameworkReports {
-		// Print summary table together for control scan
-		if report.Name != "" {
-			printer = printer.init()
-		}
-		printer.summarySetup(report)
-		printer.printResults()
-		printer.printSummaryTable(report.Name)
+	failedResources := []string{}
+	warningResources := []string{}
+	allResources := []string{}
+	frameworkNames := []string{}
+
+	var overallRiskScore float32 = 0
+	for _, frameworkReport := range opaSessionObj.PostureReport.FrameworkReports {
+		frameworkNames = append(frameworkNames, frameworkReport.Name)
+		failedResources = reporthandling.GetUniqueResourcesIDs(append(failedResources, frameworkReport.ListResourcesIDs().GetFailedResources()...))
+		warningResources = reporthandling.GetUniqueResourcesIDs(append(warningResources, frameworkReport.ListResourcesIDs().GetWarningResources()...))
+		allResources = reporthandling.GetUniqueResourcesIDs(append(allResources, frameworkReport.ListResourcesIDs().GetAllResources()...))
+		printer.summarySetup(frameworkReport, opaSessionObj.AllResources)
+		overallRiskScore += frameworkReport.Score
 	}

-	// return score
+	overallRiskScore /= float32(len(opaSessionObj.PostureReport.FrameworkReports))
+
+	printer.frameworkSummary = ResultSummary{
+		RiskScore:      overallRiskScore,
+		TotalResources: len(allResources),
+		TotalFailed:    len(failedResources),
+		TotalWarning:   len(warningResources),
+	}
+
+	printer.printResults()
+	printer.printSummaryTable(frameworkNames)
+
 }

 func (printer *PrettyPrinter) SetWriter(outputFile string) {
@@ -54,28 +67,34 @@ func (printer *PrettyPrinter) SetWriter(outputFile string) {
 func (printer *PrettyPrinter) Score(score float32) {
 }

-func (printer *PrettyPrinter) summarySetup(fr reporthandling.FrameworkReport) {
-	printer.frameworkSummary = ControlSummary{
-		TotalResources: fr.GetNumberOfResources(),
-		TotalFailed:    fr.GetNumberOfFailedResources(),
-		TotalWarnign:   fr.GetNumberOfWarningResources(),
-	}
+func (printer *PrettyPrinter) summarySetup(fr reporthandling.FrameworkReport, allResources map[string]workloadinterface.IMetadata) {
+
 	for _, cr := range fr.ControlReports {
 		if len(cr.RuleReports) == 0 {
 			continue
 		}
-		workloadsSummary := listResultSummary(cr.RuleReports)
+		workloadsSummary := listResultSummary(cr.RuleReports, allResources)

-		printer.summary[cr.Name] = ControlSummary{
+		var passedWorkloads map[string][]WorkloadSummary
+		if printer.verboseMode {
+			passedWorkloads = groupByNamespaceOrKind(workloadsSummary, workloadSummaryPassed)
+		}
+
+		//controlSummary
+		printer.summary[cr.Name] = ResultSummary{
+			ID:                cr.ControlID,
+			RiskScore:         cr.Score,
 			TotalResources:    cr.GetNumberOfResources(),
 			TotalFailed:       cr.GetNumberOfFailedResources(),
-			TotalWarnign:      cr.GetNumberOfWarningResources(),
-			FailedWorkloads:   groupByNamespace(workloadsSummary, workloadSummaryFailed),
-			ExcludedWorkloads: groupByNamespace(workloadsSummary, workloadSummaryExclude),
+			TotalWarning:      cr.GetNumberOfWarningResources(),
+			FailedWorkloads:   groupByNamespaceOrKind(workloadsSummary, workloadSummaryFailed),
+			ExcludedWorkloads: groupByNamespaceOrKind(workloadsSummary, workloadSummaryExclude),
+			PassedWorkloads:   passedWorkloads,
 			Description:       cr.Description,
 			Remediation:       cr.Remediation,
 			ListInputKinds:    cr.ListControlsInputKinds(),
 		}
+
 	}
 	printer.sortedControlNames = printer.getSortedControlsNames()
 }
@@ -91,10 +110,10 @@ func (printer *PrettyPrinter) printResults() {
 	}
 }

-func (printer *PrettyPrinter) printSummary(controlName string, controlSummary *ControlSummary) {
+func (printer *PrettyPrinter) printSummary(controlName string, controlSummary *ResultSummary) {
 	cautils.SimpleDisplay(printer.writer, "Summary - ")
-	cautils.SuccessDisplay(printer.writer, "Passed:%v   ", controlSummary.TotalResources-controlSummary.TotalFailed-controlSummary.TotalWarnign)
-	cautils.WarningDisplay(printer.writer, "Excluded:%v   ", controlSummary.TotalWarnign)
+	cautils.SuccessDisplay(printer.writer, "Passed:%v   ", controlSummary.TotalResources-controlSummary.TotalFailed-controlSummary.TotalWarning)
+	cautils.WarningDisplay(printer.writer, "Excluded:%v   ", controlSummary.TotalWarning)
 	cautils.FailureDisplay(printer.writer, "Failed:%v   ", controlSummary.TotalFailed)
 	cautils.InfoDisplay(printer.writer, "Total:%v\n", controlSummary.TotalResources)
 	if controlSummary.TotalFailed > 0 {
@@ -103,14 +122,13 @@ func (printer *PrettyPrinter) printSummary(controlName string, controlSummary *C
 	cautils.DescriptionDisplay(printer.writer, "\n")

 }
-
-func (printer *PrettyPrinter) printTitle(controlName string, controlSummary *ControlSummary) {
-	cautils.InfoDisplay(printer.writer, "[control: %s] ", controlName)
+func (printer *PrettyPrinter) printTitle(controlName string, controlSummary *ResultSummary) {
+	cautils.InfoDisplay(printer.writer, "[control: %s - %s] ", controlName, getControlURL(controlSummary.ID))
 	if controlSummary.TotalResources == 0 {
-		cautils.InfoDisplay(printer.writer, "resources not found %v\n", emoji.ConfusedFace)
+		cautils.InfoDisplay(printer.writer, "skipped %v\n", emoji.ConfusedFace)
 	} else if controlSummary.TotalFailed != 0 {
 		cautils.FailureDisplay(printer.writer, "failed %v\n", emoji.SadButRelievedFace)
-	} else if controlSummary.TotalWarnign != 0 {
+	} else if controlSummary.TotalWarning != 0 {
 		cautils.WarningDisplay(printer.writer, "excluded %v\n", emoji.NeutralFace)
 	} else {
 		cautils.SuccessDisplay(printer.writer, "passed %v\n", emoji.ThumbsUp)
@@ -119,7 +137,7 @@ func (printer *PrettyPrinter) printTitle(controlName string, controlSummary *Con
 	cautils.DescriptionDisplay(printer.writer, "Description: %s\n", controlSummary.Description)

 }
-func (printer *PrettyPrinter) printResources(controlSummary *ControlSummary) {
+func (printer *PrettyPrinter) printResources(controlSummary *ResultSummary) {

 	if len(controlSummary.FailedWorkloads) > 0 {
 		cautils.FailureDisplay(printer.writer, "Failed:\n")
@@ -129,70 +147,80 @@ func (printer *PrettyPrinter) printResources(controlSummary *ControlSummary) {
 		cautils.WarningDisplay(printer.writer, "Excluded:\n")
 		printer.printGroupedResources(controlSummary.ExcludedWorkloads)
 	}
-
-}
-
-func (printer *PrettyPrinter) printGroupedResources(workloads map[string][]WorkloadSummary) {
-
-	indent := INDENT
-
-	for ns, rsc := range workloads {
-		preIndent := indent
-		if ns != "" {
-			cautils.SimpleDisplay(printer.writer, "%sNamespace %s\n", indent, ns)
-		}
-		preIndent2 := indent
-		for r := range rsc {
-			indent += indent
-			cautils.SimpleDisplay(printer.writer, fmt.Sprintf("%s%s - %s\n", indent, rsc[r].Kind, rsc[r].Name))
-			indent = preIndent2
-		}
-		indent = preIndent
+	if len(controlSummary.PassedWorkloads) > 0 {
+		cautils.SuccessDisplay(printer.writer, "Passed:\n")
+		printer.printGroupedResources(controlSummary.PassedWorkloads)
 	}

 }

-func generateRow(control string, cs ControlSummary) []string {
+func (printer *PrettyPrinter) printGroupedResources(workloads map[string][]WorkloadSummary) {
+	indent := INDENT
+	for title, rsc := range workloads {
+		printer.printGroupedResource(indent, title, rsc)
+	}
+}
+
+func (printer *PrettyPrinter) printGroupedResource(indent string, title string, rsc []WorkloadSummary) {
+	preIndent := indent
+	if title != "" {
+		cautils.SimpleDisplay(printer.writer, "%s%s\n", indent, title)
+		indent += indent
+	}
+
+	for r := range rsc {
+		relatedObjectsStr := generateRelatedObjectsStr(rsc[r])
+		cautils.SimpleDisplay(printer.writer, fmt.Sprintf("%s%s - %s %s\n", indent, rsc[r].resource.GetKind(), rsc[r].resource.GetName(), relatedObjectsStr))
+	}
+	indent = preIndent
+}
+
+func generateRelatedObjectsStr(workload WorkloadSummary) string {
+	relatedStr := ""
+	if workload.resource.GetObjectType() == workloadinterface.TypeWorkloadObject {
+		relatedObjects := objectsenvelopes.NewRegoResponseVectorObject(workload.resource.GetObject()).GetRelatedObjects()
+		for i, related := range relatedObjects {
+			if ns := related.GetNamespace(); i == 0 && ns != "" {
+				relatedStr += fmt.Sprintf("Namespace - %s, ", ns)
+			}
+			relatedStr += fmt.Sprintf("%s - %s, ", related.GetKind(), related.GetName())
+		}
+	}
+	if relatedStr != "" {
+		relatedStr = fmt.Sprintf(" [%s]", relatedStr[:len(relatedStr)-2])
+	}
+	return relatedStr
+}
+
+func generateRow(control string, cs ResultSummary) []string {
 	row := []string{control}
 	row = append(row, cs.ToSlice()...)
 	if cs.TotalResources != 0 {
-		row = append(row, fmt.Sprintf("%d%s", percentage(cs.TotalResources, cs.TotalFailed), "%"))
+		row = append(row, fmt.Sprintf("%d", int(cs.RiskScore))+"%")
 	} else {
-		row = append(row, EmptyPercentage)
+		row = append(row, "skipped")
 	}
 	return row
 }

 func generateHeader() []string {
-	return []string{"Control Name", "Failed Resources", "Excluded Resources", "All Resources", "% success"}
+	return []string{"Control Name", "Failed Resources", "Excluded Resources", "All Resources", "% risk-score"}
 }

-func percentage(big, small int) int {
-	if big == 0 {
-		if small == 0 {
-			return 100
-		}
-		return 0
-	}
-	return int(float64(float64(big-small)/float64(big)) * 100)
-}
-func generateFooter(numControlers, sumFailed, sumWarning, sumTotal int) []string {
+func generateFooter(printer *PrettyPrinter) []string {
 	// Control name | # failed resources | all resources | % success
 	row := []string{}
 	row = append(row, "Resource Summary") //fmt.Sprintf(""%d", numControlers"))
-	row = append(row, fmt.Sprintf("%d", sumFailed))
-	row = append(row, fmt.Sprintf("%d", sumWarning))
-	row = append(row, fmt.Sprintf("%d", sumTotal))
-	if sumTotal != 0 {
-		row = append(row, fmt.Sprintf("%d%s", percentage(sumTotal, sumFailed), "%"))
-	} else {
-		row = append(row, EmptyPercentage)
-	}
+	row = append(row, fmt.Sprintf("%d", printer.frameworkSummary.TotalFailed))
+	row = append(row, fmt.Sprintf("%d", printer.frameworkSummary.TotalWarning))
+	row = append(row, fmt.Sprintf("%d", printer.frameworkSummary.TotalResources))
+	row = append(row, fmt.Sprintf("%.2f%s", printer.frameworkSummary.RiskScore, "%"))
+
 	return row
 }
-func (printer *PrettyPrinter) printSummaryTable(framework string) {
+func (printer *PrettyPrinter) printSummaryTable(frameworksNames []string) {
 	// For control scan framework will be nil
-	printer.printFramework(framework)
+	printer.printFramework(frameworksNames)

 	summaryTable := tablewriter.NewWriter(printer.writer)
 	summaryTable.SetAutoWrapText(false)
@@ -205,13 +233,23 @@ func (printer *PrettyPrinter) printSummaryTable(framework string) {
 		controlSummary := printer.summary[printer.sortedControlNames[i]]
 		summaryTable.Append(generateRow(printer.sortedControlNames[i], controlSummary))
 	}
-	summaryTable.SetFooter(generateFooter(len(printer.summary), printer.frameworkSummary.TotalFailed, printer.frameworkSummary.TotalWarnign, printer.frameworkSummary.TotalResources))
+
+	summaryTable.SetFooter(generateFooter(printer))
+
+	// summaryTable.SetFooter(generateFooter())
 	summaryTable.Render()
 }

-func (printer *PrettyPrinter) printFramework(framework string) {
-	if framework != "" {
-		cautils.InfoTextDisplay(printer.writer, fmt.Sprintf("%s FRAMEWORK\n", framework))
+func (printer *PrettyPrinter) printFramework(frameworksNames []string) {
+	if len(frameworksNames) == 1 {
+		cautils.InfoTextDisplay(printer.writer, fmt.Sprintf("%s FRAMEWORK\n", frameworksNames[0]))
+	} else if len(frameworksNames) > 1 {
+		p := ""
+		for i := 0; i < len(frameworksNames)-1; i++ {
+			p += frameworksNames[i] + ", "
+		}
+		p += frameworksNames[len(frameworksNames)-1]
+		cautils.InfoTextDisplay(printer.writer, fmt.Sprintf("%s FRAMEWORKS\n", p))
 	}
 }

@@ -229,7 +267,7 @@ func getWriter(outputFile string) *os.File {
 	if outputFile != "" {
 		f, err := os.OpenFile(outputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 		if err != nil {
-			fmt.Println("Error opening file")
+			fmt.Println("failed to open file for writing, reason: ", err.Error())
 			return os.Stdout
 		}
 		return f
@@ -237,3 +275,7 @@ func getWriter(outputFile string) *os.File {
 	return os.Stdout

 }
+
+func getControlURL(controlID string) string {
+	return fmt.Sprintf("https://hub.armo.cloud/docs/%s", strings.ToLower(controlID))
+}
--- a/resultshandling/printer/printresults.go
+++ b/resultshandling/printer/printresults.go
@@ -6,13 +6,11 @@ import (

 var INDENT = "   "

-const EmptyPercentage = "NaN"
-
 const (
-	PrettyFormat       string = "pretty-printer"
-	JsonFormat         string = "json"
-	JunitResultFormat  string = "junit"
-	PrometheusFormat   string = "prometheus"
+	PrettyFormat      string = "pretty-printer"
+	JsonFormat        string = "json"
+	JunitResultFormat string = "junit"
+	PrometheusFormat  string = "prometheus"
 )

 type IPrinter interface {
@@ -21,15 +19,15 @@ type IPrinter interface {
 	Score(score float32)
 }

-func GetPrinter(printFormat string) IPrinter {
+func GetPrinter(printFormat string, verboseMode bool) IPrinter {
 	switch printFormat {
 	case JsonFormat:
 		return NewJsonPrinter()
 	case JunitResultFormat:
 		return NewJunitPrinter()
 	case PrometheusFormat:
-		return NewPrometheusPrinter()
+		return NewPrometheusPrinter(verboseMode)
 	default:
-		return NewPrettyPrinter()
+		return NewPrettyPrinter(verboseMode)
 	}
 }
--- a/resultshandling/printer/prometheusprinter.go
+++ b/resultshandling/printer/prometheusprinter.go
@@ -1,20 +1,23 @@
 package printer

 import (
-	"errors"
 	"fmt"
 	"os"

+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/opa-utils/reporthandling"
 )

 type PrometheusPrinter struct {
-	writer *os.File
+	writer      *os.File
+	verboseMode bool
 }

-func NewPrometheusPrinter() *PrometheusPrinter {
-	return &PrometheusPrinter{}
+func NewPrometheusPrinter(verboseMode bool) *PrometheusPrinter {
+	return &PrometheusPrinter{
+		verboseMode: verboseMode,
+	}
 }

 func (prometheusPrinter *PrometheusPrinter) SetWriter(outputFile string) {
@@ -25,44 +28,33 @@ func (prometheusPrinter *PrometheusPrinter) Score(score float32) {
 	fmt.Printf("\n# Overall score out of 100\nkubescape_score %f\n", score*100)
 }

-func (printer *PrometheusPrinter) printDetails(details []reporthandling.RuleResponse, frameworkName string, controlName string) error {
+func (printer *PrometheusPrinter) printResources(allResources map[string]workloadinterface.IMetadata, resourcesIDs *reporthandling.ResourcesIDs, frameworkName, controlName string) {
+	printer.printDetails(allResources, resourcesIDs.GetFailedResources(), frameworkName, controlName, "failed")
+	printer.printDetails(allResources, resourcesIDs.GetWarningResources(), frameworkName, controlName, "excluded")
+	if printer.verboseMode {
+		printer.printDetails(allResources, resourcesIDs.GetPassedResources(), frameworkName, controlName, "passed")
+	}
+
+}
+func (printer *PrometheusPrinter) printDetails(allResources map[string]workloadinterface.IMetadata, resourcesIDs []string, frameworkName, controlName, status string) {
 	objs := make(map[string]map[string]map[string]int)
-	for _, ruleResponses := range details {
-		for _, k8sObj := range ruleResponses.AlertObject.K8SApiObjects {
-			kind, ok := k8sObj[`kind`].(string)
-			if (!ok) {
-				return errors.New("Found object with non string kind")
-			}
-			apiVersion,ok := k8sObj[`apiVersion`].(string)
-			if (!ok) {
-				return errors.New("Found object with non string apiVersion")
-			}
-			gvk := fmt.Sprintf("%s/%s",apiVersion,kind)
-			metadata,ok := k8sObj[`metadata`].(map[string]interface{})
-			if (!ok) {
-				return errors.New("Found object with non convertable metadata")
-			}
-			name,ok := metadata[`name`].(string)
-			if (!ok) {
-				return errors.New("Found metadata with non string name")
-			}
-			namespace,ok := metadata[`namespace`].(string)
-			if (!ok) {
-				namespace = ""
-			}
-			if (objs[gvk] == nil) {
-				objs[gvk] = make(map[string]map[string]int)
-			}
-			if (objs[gvk][namespace] == nil) {
-				objs[gvk][namespace] = make(map[string]int)
-			}
-			objs[gvk][namespace][name]++
+	for _, resourceID := range resourcesIDs {
+		resource := allResources[resourceID]
+
+		gvk := fmt.Sprintf("%s/%s", resource.GetApiVersion(), resource.GetKind())
+
+		if objs[gvk] == nil {
+			objs[gvk] = make(map[string]map[string]int)
 		}
+		if objs[gvk][resource.GetNamespace()] == nil {
+			objs[gvk][resource.GetNamespace()] = make(map[string]int)
+		}
+		objs[gvk][resource.GetNamespace()][resource.GetName()]++
 	}
 	for gvk, namespaces := range objs {
 		for namespace, names := range namespaces {
 			for name, value := range names {
-				fmt.Fprintf(printer.writer, "# Failed object from %s control %s\n", frameworkName, controlName)
+				fmt.Fprintf(printer.writer, "# Failed object from \"%s\" control \"%s\"\n", frameworkName, controlName)
 				if namespace != "" {
 					fmt.Fprintf(printer.writer, "kubescape_object_failed_count{framework=\"%s\",control=\"%s\",namespace=\"%s\",name=\"%s\",groupVersionKind=\"%s\"} %d\n", frameworkName, controlName, namespace, name, gvk, value)
 				} else {
@@ -71,28 +63,29 @@ func (printer *PrometheusPrinter) printDetails(details []reporthandling.RuleResp
 			}
 		}
 	}
-	return nil
 }

-func (printer *PrometheusPrinter) printReports(frameworks []reporthandling.FrameworkReport) error {
-	for _, framework := range frameworks {
-		for _, controlReports := range framework.ControlReports {
-			if len(controlReports.RuleReports[0].RuleResponses) > 0 {
-				fmt.Fprintf(printer.writer, "# Number of resources found as part of %s control %s\nkubescape_resources_found_count{framework=\"%s\",control=\"%s\"} %d\n", framework.Name, controlReports.Name, framework.Name, controlReports.Name, controlReports.GetNumberOfResources())
-				fmt.Fprintf(printer.writer, "# Number of resources excluded as part of %s control %s\nkubescape_resources_excluded_count{framework=\"%s\",control=\"%s\"} %d\n", framework.Name, controlReports.Name, framework.Name, controlReports.Name, controlReports.GetNumberOfWarningResources())
-				fmt.Fprintf(printer.writer, "# Number of resources failed as part of %s control %s\nkubescape_resources_failed_count{framework=\"%s\",control=\"%s\"} %d\n", framework.Name, controlReports.Name, framework.Name, controlReports.Name, controlReports.GetNumberOfFailedResources())
-				err := printer.printDetails(controlReports.RuleReports[0].RuleResponses, framework.Name, controlReports.Name)
-				if err != nil {
-					return err
-				}
+func (printer *PrometheusPrinter) printReports(allResources map[string]workloadinterface.IMetadata, frameworks []reporthandling.FrameworkReport) error {
+	for _, frameworkReport := range frameworks {
+		for _, controlReport := range frameworkReport.ControlReports {
+			if controlReport.GetNumberOfResources() == 0 {
+				continue // the control did not test any resources
 			}
+			if controlReport.Passed() {
+				continue // control passed, do not print results
+			}
+			fmt.Fprintf(printer.writer, "# Number of resources found as part of %s control %s\nkubescape_resources_found_count{framework=\"%s\",control=\"%s\"} %d\n", frameworkReport.Name, controlReport.Name, frameworkReport.Name, controlReport.Name, controlReport.GetNumberOfResources())
+			fmt.Fprintf(printer.writer, "# Number of resources excluded as part of %s control %s\nkubescape_resources_excluded_count{framework=\"%s\",control=\"%s\"} %d\n", frameworkReport.Name, controlReport.Name, frameworkReport.Name, controlReport.Name, controlReport.GetNumberOfWarningResources())
+			fmt.Fprintf(printer.writer, "# Number of resources failed as part of %s control %s\nkubescape_resources_failed_count{framework=\"%s\",control=\"%s\"} %d\n", frameworkReport.Name, controlReport.Name, frameworkReport.Name, controlReport.Name, controlReport.GetNumberOfFailedResources())
+
+			printer.printResources(allResources, controlReport.ListResourcesIDs(), frameworkReport.Name, controlReport.Name)
 		}
 	}
 	return nil
 }

 func (printer *PrometheusPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
-	err := printer.printReports(opaSessionObj.PostureReport.FrameworkReports)
+	err := printer.printReports(opaSessionObj.AllResources, opaSessionObj.PostureReport.FrameworkReports)
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
--- a/resultshandling/printer/summary.go
+++ b/resultshandling/printer/summary.go
@@ -3,50 +3,52 @@ package printer
 import (
 	"fmt"

-	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/opa-utils/reporthandling"
 )

-type Summary map[string]ControlSummary
+type Summary map[string]ResultSummary

 func NewSummary() Summary {
-	return make(map[string]ControlSummary)
+	return make(map[string]ResultSummary)
 }

-type ControlSummary struct {
+type ResultSummary struct {
+	ID                string
+	RiskScore         float32
 	TotalResources    int
 	TotalFailed       int
-	TotalWarnign      int
+	TotalWarning      int
 	Description       string
 	Remediation       string
+	Framework         []string
 	ListInputKinds    []string
 	FailedWorkloads   map[string][]WorkloadSummary // <namespace>:[<WorkloadSummary>]
 	ExcludedWorkloads map[string][]WorkloadSummary // <namespace>:[<WorkloadSummary>]
+	PassedWorkloads   map[string][]WorkloadSummary // <namespace>:[<WorkloadSummary>]
 }

 type WorkloadSummary struct {
-	Kind      string
-	Name      string
-	Namespace string
-	Group     string
-	Exception *armotypes.PostureExceptionPolicy
+	resource workloadinterface.IMetadata
+	status   string
 }

-func (controlSummary *ControlSummary) ToSlice() []string {
+func (controlSummary *ResultSummary) ToSlice() []string {
 	s := []string{}
 	s = append(s, fmt.Sprintf("%d", controlSummary.TotalFailed))
-	s = append(s, fmt.Sprintf("%d", controlSummary.TotalWarnign))
+	s = append(s, fmt.Sprintf("%d", controlSummary.TotalWarning))
 	s = append(s, fmt.Sprintf("%d", controlSummary.TotalResources))
 	return s
 }

-func (workloadSummary *WorkloadSummary) ToString() string {
-	return fmt.Sprintf("/%s/%s/%s/%s", workloadSummary.Group, workloadSummary.Namespace, workloadSummary.Kind, workloadSummary.Name)
-}
-
 func workloadSummaryFailed(workloadSummary *WorkloadSummary) bool {
-	return workloadSummary.Exception == nil
+	return workloadSummary.status == reporthandling.StatusFailed
 }

 func workloadSummaryExclude(workloadSummary *WorkloadSummary) bool {
-	return workloadSummary.Exception != nil && workloadSummary.Exception.IsAlertOnly()
+	return workloadSummary.status == reporthandling.StatusWarning
+}
+
+func workloadSummaryPassed(workloadSummary *WorkloadSummary) bool {
+	return workloadSummary.status == reporthandling.StatusPassed
 }
--- a/resultshandling/printer/summeryhelpers.go
+++ b/resultshandling/printer/summeryhelpers.go
@@ -1,75 +1,85 @@
 package printer

 import (
-	"fmt"
-
+	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
 )

 // Group workloads by namespace - return {"namespace": <[]WorkloadSummary>}
-func groupByNamespace(resources []WorkloadSummary, status func(workloadSummary *WorkloadSummary) bool) map[string][]WorkloadSummary {
+func groupByNamespaceOrKind(resources []WorkloadSummary, status func(workloadSummary *WorkloadSummary) bool) map[string][]WorkloadSummary {
 	mapResources := make(map[string][]WorkloadSummary)
 	for i := range resources {
-		if status(&resources[i]) {
-			if r, ok := mapResources[resources[i].Namespace]; ok {
+		if !status(&resources[i]) {
+			continue
+		}
+		t := resources[i].resource.GetObjectType()
+		if t == objectsenvelopes.TypeRegoResponseVectorObject && !isKindToBeGrouped(resources[i].resource.GetKind()) {
+			t = workloadinterface.TypeWorkloadObject
+		}
+		switch t { // TODO - find a better way to defind the groups
+		case workloadinterface.TypeWorkloadObject:
+			ns := ""
+			if resources[i].resource.GetNamespace() != "" {
+				ns = "Namescape " + resources[i].resource.GetNamespace()
+			}
+			if r, ok := mapResources[ns]; ok {
 				r = append(r, resources[i])
-				mapResources[resources[i].Namespace] = r
+				mapResources[ns] = r
 			} else {
-				mapResources[resources[i].Namespace] = []WorkloadSummary{resources[i]}
+				mapResources[ns] = []WorkloadSummary{resources[i]}
+			}
+		case objectsenvelopes.TypeRegoResponseVectorObject:
+			group := resources[i].resource.GetKind() + "s"
+			if r, ok := mapResources[group]; ok {
+				r = append(r, resources[i])
+				mapResources[group] = r
+			} else {
+				mapResources[group] = []WorkloadSummary{resources[i]}
+			}
+		default:
+			group, _ := k8sinterface.SplitApiVersion(resources[i].resource.GetApiVersion())
+			if r, ok := mapResources[group]; ok {
+				r = append(r, resources[i])
+				mapResources[group] = r
+			} else {
+				mapResources[group] = []WorkloadSummary{resources[i]}
 			}
 		}
 	}
 	return mapResources
 }
-func listResultSummary(ruleReports []reporthandling.RuleReport) []WorkloadSummary {
+
+func isKindToBeGrouped(kind string) bool {
+	if kind == "Group" || kind == "User" {
+		return true
+	}
+	return false
+}
+
+func listResultSummary(ruleReports []reporthandling.RuleReport, allResources map[string]workloadinterface.IMetadata) []WorkloadSummary {
 	workloadsSummary := []WorkloadSummary{}
-	track := map[string]bool{}

 	for c := range ruleReports {
-		for _, ruleReport := range ruleReports[c].RuleResponses {
-			resource, err := ruleResultSummary(ruleReport.AlertObject)
-			if err != nil {
-				fmt.Println(err.Error())
-				continue
-			}
+		resourcesIDs := ruleReports[c].ListResourcesIDs()
+		workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, resourcesIDs.GetFailedResources(), reporthandling.StatusFailed)...)
+		workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, resourcesIDs.GetWarningResources(), reporthandling.StatusWarning)...)
+		workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, resourcesIDs.GetPassedResources(), reporthandling.StatusPassed)...)
+	}
+	return workloadsSummary
+}

-			// add resource only once
-			for i := range resource {
-				resource[i].Exception = ruleReport.Exception
-				if ok := track[resource[i].ToString()]; !ok {
-					track[resource[i].ToString()] = true
-					workloadsSummary = append(workloadsSummary, resource[i])
-				}
-			}
+func newListWorkloadsSummary(allResources map[string]workloadinterface.IMetadata, resourcesIDs []string, status string) []WorkloadSummary {
+	workloadsSummary := []WorkloadSummary{}
+
+	for _, i := range resourcesIDs {
+		if r, ok := allResources[i]; ok {
+			workloadsSummary = append(workloadsSummary, WorkloadSummary{
+				resource: r,
+				status:   status,
+			})
 		}
 	}
 	return workloadsSummary
 }
-func ruleResultSummary(obj reporthandling.AlertObject) ([]WorkloadSummary, error) {
-	resource := []WorkloadSummary{}
-
-	for i := range obj.K8SApiObjects {
-		r, err := newWorkloadSummary(obj.K8SApiObjects[i])
-		if err != nil {
-			return resource, err
-		}
-
-		resource = append(resource, *r)
-	}
-
-	return resource, nil
-}
-
-func newWorkloadSummary(obj map[string]interface{}) (*WorkloadSummary, error) {
-	r := &WorkloadSummary{}
-
-	workload := workloadinterface.NewWorkloadObj(obj)
-	if workload == nil {
-		return r, fmt.Errorf("expecting k8s API object")
-	}
-	r.Kind = workload.GetKind()
-	r.Namespace = workload.GetNamespace()
-	r.Name = workload.GetName()
-	return r, nil
-}
--- a/resultshandling/reporter/mockreporter.go
+++ b/resultshandling/reporter/mockreporter.go
@@ -1,6 +1,12 @@
 package reporter

-import "github.com/armosec/kubescape/cautils"
+import (
+	"fmt"
+	"os"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+)

 type ReportMock struct {
 }
@@ -8,10 +14,17 @@ type ReportMock struct {
 func NewReportMock() *ReportMock {
 	return &ReportMock{}
 }
-func (reportMock *ReportMock) ActionSendReport(opaSessionObj *cautils.OPASessionObj) {}
+func (reportMock *ReportMock) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {
+	return nil
+}

 func (reportMock *ReportMock) SetCustomerGUID(customerGUID string) {
 }

 func (reportMock *ReportMock) SetClusterName(clusterName string) {
 }
+
+func (reportMock *ReportMock) DisplayReportURL() {
+	message := fmt.Sprintf("\nYou can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here: https://%s/cli-signup \n", getter.GetArmoAPIConnector().GetFrontendURL())
+	cautils.InfoTextDisplay(os.Stdout, fmt.Sprintf("\n%s\n", message))
+}
--- a/resultshandling/reporter/reporteventreceiver.go
+++ b/resultshandling/reporter/reporteventreceiver.go
@@ -1,42 +1,52 @@
 package reporter

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"

+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/opa-utils/reporthandling"
 )

+const MAX_REPORT_SIZE = 2097152 // 2 MB
+
 type IReport interface {
-	ActionSendReport(opaSessionObj *cautils.OPASessionObj)
+	ActionSendReport(opaSessionObj *cautils.OPASessionObj) error
 	SetCustomerGUID(customerGUID string)
 	SetClusterName(clusterName string)
+	DisplayReportURL()
 }

 type ReportEventReceiver struct {
-	httpClient   http.Client
-	clusterName  string
-	customerGUID string
+	httpClient         *http.Client
+	clusterName        string
+	customerGUID       string
+	eventReceiverURL   *url.URL
+	token              string
+	customerAdminEMail string
 }

-func NewReportEventReceiver() *ReportEventReceiver {
+func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceiver {
 	return &ReportEventReceiver{
-		httpClient: http.Client{},
+		httpClient:         &http.Client{},
+		clusterName:        tenantConfig.ClusterName,
+		customerGUID:       tenantConfig.CustomerGUID,
+		token:              tenantConfig.Token,
+		customerAdminEMail: tenantConfig.CustomerAdminEMail,
 	}
 }

-func (report *ReportEventReceiver) ActionSendReport(opaSessionObj *cautils.OPASessionObj) {
-	// Remove data before reporting
-	keepFields := []string{"kind", "apiVersion", "metadata"}
-	keepMetadataFields := []string{"name", "namespace", "labels"}
-	opaSessionObj.PostureReport.RemoveData(keepFields, keepMetadataFields)
+func (report *ReportEventReceiver) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {

-	if err := report.send(opaSessionObj.PostureReport); err != nil {
-		fmt.Println(err)
+	if err := report.prepareReport(opaSessionObj.PostureReport, opaSessionObj.AllResources); err != nil {
+		return err
 	}
+	return nil
 }

 func (report *ReportEventReceiver) SetCustomerGUID(customerGUID string) {
@@ -47,25 +57,83 @@ func (report *ReportEventReceiver) SetClusterName(clusterName string) {
 	report.clusterName = clusterName
 }

-func (report *ReportEventReceiver) send(postureReport *reporthandling.PostureReport) error {
+func (report *ReportEventReceiver) prepareReport(postureReport *reporthandling.PostureReport, allResources map[string]workloadinterface.IMetadata) error {
+	report.initEventReceiverURL()
+	host := hostToString(report.eventReceiverURL, postureReport.ReportID)

-	reqBody, err := json.Marshal(*postureReport)
-	if err != nil {
-		return fmt.Errorf("in 'Send' failed to json.Marshal, reason: %v", err)
-	}
-	host := hostToString(report.initEventReceiverURL(), postureReport.ReportID)
+	cautils.StartSpinner()
+	defer cautils.StopSpinner()

-	req, err := http.NewRequest("POST", host, bytes.NewReader(reqBody))
-	if err != nil {
-		return fmt.Errorf("in 'Send', http.NewRequest failed, host: %s, reason: %v", host, err)
+	// send framework results
+	if err := report.sendReport(host, postureReport); err != nil {
+		return err
 	}
-	res, err := report.httpClient.Do(req)
-	if err != nil {
-		return fmt.Errorf("httpClient.Do failed: %v", err)
+
+	// send resources
+	if err := report.sendResources(host, postureReport, allResources); err != nil {
+		return err
 	}
-	msg, err := httpRespToString(res)
+	return nil
+}
+
+func (report *ReportEventReceiver) sendResources(host string, postureReport *reporthandling.PostureReport, allResources map[string]workloadinterface.IMetadata) error {
+	splittedPostureReport := setPaginationReport(postureReport)
+	counter := 0
+
+	for _, v := range allResources {
+		r, err := json.Marshal(*iMetaToResource(v))
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal resource '%s', reason: %v", v.GetID(), err)
+		}
+
+		if counter+len(r) >= MAX_REPORT_SIZE && len(splittedPostureReport.Resources) > 0 {
+
+			// send report
+			if err := report.sendReport(host, splittedPostureReport); err != nil {
+				return err
+			}
+
+			// delete resources
+			splittedPostureReport.Resources = []reporthandling.Resource{}
+
+			// restart counter
+			counter = 0
+		}
+
+		counter += len(r)
+		splittedPostureReport.Resources = append(splittedPostureReport.Resources, *iMetaToResource(v))
+	}
+
+	return report.sendReport(host, splittedPostureReport)
+}
+func (report *ReportEventReceiver) sendReport(host string, postureReport *reporthandling.PostureReport) error {
+	reqBody, err := json.Marshal(postureReport)
+	if err != nil {
+		return fmt.Errorf("in 'sendReport' failed to json.Marshal, reason: %v", err)
+	}
+	msg, err := getter.HttpPost(report.httpClient, host, nil, reqBody)
 	if err != nil {
 		return fmt.Errorf("%s, %v:%s", host, err, msg)
 	}
 	return err
 }
+
+func (report *ReportEventReceiver) DisplayReportURL() {
+	message := "You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here:"
+
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
+
+	if report.customerAdminEMail != "" {
+		cautils.InfoTextDisplay(os.Stdout, fmt.Sprintf("\n\n%s %s/risk/%s\n(Account: %s)\n\n", message, u.String(), report.clusterName, report.customerGUID))
+		return
+	}
+	u.Path = "account/sign-up"
+	q := u.Query()
+	q.Add("invitationToken", report.token)
+	q.Add("customerGUID", report.customerGUID)
+
+	u.RawQuery = q.Encode()
+	cautils.InfoTextDisplay(os.Stdout, fmt.Sprintf("\n\n%s %s\n\n", message, u.String()))
+}
--- a/resultshandling/reporter/reporteventreceiverutils.go
+++ b/resultshandling/reporter/reporteventreceiverutils.go
@@ -1,38 +1,15 @@
 package reporter

 import (
-	"fmt"
-	"io"
-	"net/http"
 	"net/url"
-	"strings"

+	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/gofrs/uuid"
 )

-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
-func httpRespToString(resp *http.Response) (string, error) {
-	if resp == nil || resp.Body == nil {
-		return "", nil
-	}
-	strBuilder := strings.Builder{}
-	defer resp.Body.Close()
-	if resp.ContentLength > 0 {
-		strBuilder.Grow(int(resp.ContentLength))
-	}
-	_, err := io.Copy(&strBuilder, resp.Body)
-	if err != nil {
-		return strBuilder.String(), err
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		err = fmt.Errorf("response status: %d. Content: %s", resp.StatusCode, strBuilder.String())
-	}
-
-	return strBuilder.String(), err
-}
-
-func (report *ReportEventReceiver) initEventReceiverURL() *url.URL {
+func (report *ReportEventReceiver) initEventReceiverURL() {
 	urlObj := url.URL{}

 	urlObj.Scheme = "https"
@@ -44,7 +21,7 @@ func (report *ReportEventReceiver) initEventReceiverURL() *url.URL {

 	urlObj.RawQuery = q.Encode()

-	return &urlObj
+	report.eventReceiverURL = &urlObj
 }

 func hostToString(host *url.URL, reportID string) string {
@@ -53,3 +30,18 @@ func hostToString(host *url.URL, reportID string) string {
 	host.RawQuery = q.Encode()
 	return host.String()
 }
+
+func setPaginationReport(postureReport *reporthandling.PostureReport) *reporthandling.PostureReport {
+	return &reporthandling.PostureReport{
+		CustomerGUID:         postureReport.CustomerGUID,
+		ClusterName:          postureReport.ClusterName,
+		ReportID:             postureReport.ReportID,
+		ReportGenerationTime: postureReport.ReportGenerationTime,
+	}
+}
+func iMetaToResource(obj workloadinterface.IMetadata) *reporthandling.Resource {
+	return &reporthandling.Resource{
+		ResourceID: obj.GetID(),
+		Object:     obj.GetObject(),
+	}
+}
--- a/resultshandling/results.go
+++ b/resultshandling/results.go
@@ -1,6 +1,8 @@
 package resultshandling

 import (
+	"fmt"
+
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/resultshandling/printer"
 	"github.com/armosec/kubescape/resultshandling/reporter"
@@ -27,10 +29,16 @@ func (resultsHandler *ResultsHandler) HandleResults(scanInfo *cautils.ScanInfo)

 	resultsHandler.printerObj.ActionPrint(opaSessionObj)

-	resultsHandler.reporterObj.ActionSendReport(opaSessionObj)
+	if err := resultsHandler.reporterObj.ActionSendReport(opaSessionObj); err != nil {
+		fmt.Println(err)
+	}

 	// TODO - get score from table
-	score := CalculatePostureScore(opaSessionObj.PostureReport)
+	var score float32 = 0
+	for i := range opaSessionObj.PostureReport.FrameworkReports {
+		score += opaSessionObj.PostureReport.FrameworkReports[i].Score
+	}
+	score /= float32(len(opaSessionObj.PostureReport.FrameworkReports))
 	resultsHandler.printerObj.Score(score)

 	return score
@@ -38,19 +46,12 @@ func (resultsHandler *ResultsHandler) HandleResults(scanInfo *cautils.ScanInfo)

 // CalculatePostureScore calculate final score
 func CalculatePostureScore(postureReport *reporthandling.PostureReport) float32 {
-	lowestScore := float32(100)
+	failedResources := []string{}
+	allResources := []string{}
 	for _, frameworkReport := range postureReport.FrameworkReports {
-		totalFailed := frameworkReport.GetNumberOfFailedResources()
-		totalResources := frameworkReport.GetNumberOfResources()
-
-		frameworkScore := float32(0)
-		if float32(totalResources) > 0 {
-			frameworkScore = (float32(totalResources) - float32(totalFailed)) / float32(totalResources)
-		}
-		if lowestScore > frameworkScore {
-			lowestScore = frameworkScore
-		}
+		failedResources = reporthandling.GetUniqueResourcesIDs(append(failedResources, frameworkReport.ListResourcesIDs().GetFailedResources()...))
+		allResources = reporthandling.GetUniqueResourcesIDs(append(allResources, frameworkReport.ListResourcesIDs().GetAllResources()...))
 	}

-	return lowestScore
+	return (float32(len(allResources)) - float32(len(failedResources))) / float32(len(allResources))
 }
--- a/smoke_testing/init.py
+++ b/smoke_testing/init.py
@@ -1,11 +1,25 @@
+"""
+Kubescape smoke testing
+
+Execute all tests:
+python init.py path/the/bin/kubescape
+
+Execute single test:
+python test_<name>.py path/the/bin/kubescape
+
+Add a new test:
+1. Create a python file with test_ prefix
+2. Implement a function named run()
+
+"""
+
 import sys
 import smoke_utils
+import glob
+import os

-
-tests_pkg = [
-    "test_command"
-    , "test_version"
-]
+# get all python files in dir that begin with test_
+tests_pkg = list(map(lambda x: os.path.splitext(os.path.basename(x))[0], glob.glob(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'test_*.py'))))


 def run(**kwargs):
@@ -15,4 +29,19 @@ def run(**kwargs):


 if __name__ == "__main__":
+    # the first argument should be the kubescape binary path
    run(kubescape_exec=smoke_utils.get_exec_from_args(sys.argv))
+
+'''
+Supported tests:
+1. Commands
+2. Version number
+3. E2E yaml scanning
+
+TODO:
+1. Test formats + output
+2. Test --fail-threshold
+3. Test known supported FW
+4. Test FW list
+5. Test Controls list
+'''
--- a/smoke_testing/smoke_utils.py
+++ b/smoke_testing/smoke_utils.py
@@ -1,34 +1,19 @@
-import platform
-from os import path
-from sys import stderr
-
-
-def get_build_dir():
-    current_platform = platform.system()
-    build_dir = "build/"
-
-    if current_platform == "Windows": build_dir += "windows-latest"
-    elif current_platform == "Linux": build_dir += "ubuntu-latest"
-    elif current_platform == "Darwin": build_dir += "macos-latest"
-    else: raise OSError(f"Platform {current_platform} is not supported!")
-
-    return build_dir
-
-
-def get_package_name():
-    return "kubescape"
-
-
-def get_bin_cli():
-    return path.abspath(path.join(get_build_dir(), get_package_name()))
-
-
-def check_status(status, msg):
-    if status != 0:
-        stderr.write(msg)
-        exit(status)
+import subprocess


 def get_exec_from_args(args: list):
    return args[1]

+
+def run_command(command, stdin=subprocess.PIPE, stderr=subprocess.STDOUT):
+    try:
+        return f"{subprocess.check_output(command, stdin=stdin, stderr=stderr)}"
+    except Exception as e:
+        return f"{e}"
+
+
+def assertion(msg):
+    errors = ["Error: invalid parameter", "exit status 1"]
+    for e in errors:
+        assert e not in msg, msg
+
--- a/smoke_testing/test_command.py
+++ b/smoke_testing/test_command.py
@@ -1,4 +1,3 @@
-import subprocess
 import smoke_utils
 import sys

@@ -6,7 +5,7 @@ import sys
 def test_command(command: list):
    print(f"Testing \"{' '.join(command[1:])}\" command")

-    msg = str(subprocess.check_output(command))
+    msg = smoke_utils.run_command(command)
    assert "unknown command" not in msg, f"{command[1:]} is missing: {msg}"
    assert "invalid parameter" not in msg, f"{command[1:]} is invalid: {msg}"

@@ -20,10 +19,11 @@ def run(kubescape_exec:str):
    test_command(command=[kubescape_exec, "download"])
    test_command(command=[kubescape_exec, "config"])
    test_command(command=[kubescape_exec, "help"])
-    test_command(command=[kubescape_exec, "scan"])
    test_command(command=[kubescape_exec, "scan", "framework"])
    test_command(command=[kubescape_exec, "scan", "control"])
-    
+    test_command(command=[kubescape_exec, "submit", "results"])
+    test_command(command=[kubescape_exec, "submit", "rbac"])
+
    print("Done testing commands")


--- a/smoke_testing/test_scan.py
+++ b/smoke_testing/test_scan.py
@@ -0,0 +1,76 @@
+import os
+import smoke_utils
+import sys
+
+
+all_files = os.path.join("..", "*.yaml")
+# all_files = os.path.join("..", "examples", "online-boutique", "*.yaml")
+single_file = os.path.join("..", "examples", "online-boutique", "frontend.yaml")
+
+
+def scan_all(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files, "--enable-host-scan=false"])
+
+
+def scan_control_name(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath', all_files, "--enable-host-scan=false"])
+
+
+def scan_control_id(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0006', all_files, "--enable-host-scan=false"])
+
+
+def scan_controls(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath,Allow privilege escalation', all_files, "--enable-host-scan=false"])
+
+
+def scan_framework(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files, "--enable-host-scan=false"])
+
+
+def scan_frameworks(kubescape_exec: str):
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre,armobest", all_files, "--enable-host-scan=false"])
+
+
+def scan_from_stdin(kubescape_exec: str):
+    return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-", "--enable-host-scan=false"])
+
+
+def run(kubescape_exec: str):
+    print("Testing E2E on yaml files")
+
+    # TODO - fix support
+    # print("Testing scan all yaml files")
+    # msg = scan_all(kubescape_exec=kubescape_exec)
+    # smoke_utils.assertion(msg)
+
+    print("Testing scan control name")
+    msg = scan_control_name(kubescape_exec=kubescape_exec)
+    smoke_utils.assertion(msg)
+
+    print("Testing scan control id")
+    msg = scan_control_id(kubescape_exec=kubescape_exec)
+    smoke_utils.assertion(msg)
+
+    print("Testing scan controls")
+    msg = scan_controls(kubescape_exec=kubescape_exec)
+    smoke_utils.assertion(msg)
+
+    print("Testing scan framework")
+    msg = scan_framework(kubescape_exec=kubescape_exec)
+    smoke_utils.assertion(msg)
+
+    print("Testing scan frameworks")
+    msg = scan_frameworks(kubescape_exec=kubescape_exec)
+    smoke_utils.assertion(msg)
+
+    # TODO - fix test
+    # print("Testing scan from stdin")
+    # msg = scan_from_stdin(kubescape_exec=kubescape_exec)
+    # smoke_utils.assertion(msg)
+
+    print("Done E2E yaml files")
+
+
+if __name__ == "__main__":
+    run(kubescape_exec=smoke_utils.get_exec_from_args(sys.argv))
--- a/smoke_testing/test_version.py
+++ b/smoke_testing/test_version.py
@@ -1,14 +1,13 @@
 import os
-import subprocess
 import smoke_utils
 import sys


-def run(kubescape_exec:str):
+def run(kubescape_exec: str):
    print("Testing version")

    ver = os.getenv("RELEASE")
-    msg = str(subprocess.check_output([kubescape_exec, "version"]))
+    msg = smoke_utils.run_command(command=[kubescape_exec, "version"])
    assert ver in msg, f"expected version: {ver}, found: {msg}"

    print("Done testing version")
Author	SHA1	Message	Date
dwertent	37effda7c5	update pkg	2021-12-21 11:04:18 +02:00
dwertent	0ef516d147	support printing sensor and cloud resources	2021-12-20 18:22:08 +02:00
dwertent	f57a30898c	print skipped	2021-12-20 13:32:14 +02:00
dwertent	a10c67555d	adding spinner when sending reporting	2021-12-20 11:14:31 +02:00
dwertent	14d0df3926	update generated url	2021-12-20 11:11:31 +02:00
dwertent	c085aeaa68	adding control url to results	2021-12-20 10:53:40 +02:00
dwertent	61b5603a3b	support host sensor and cloud descirption	2021-12-19 23:21:05 +02:00
dwertent	e3efffb2ec	Merge remote-tracking branch 'upstream/dev'	2021-12-19 15:07:48 +02:00
dwertent	fe9a342b42	update submit testing	2021-12-19 15:06:30 +02:00
Rotem Refael	c7668b4436	Merge pull request #272 from LiorAlafiArmo/dev ARMO risk-score	2021-12-16 14:33:53 +02:00
Rotem Refael	ccdf6b227f	Merge pull request #271 from LiorAlafiArmo/master ARMO risk-score	2021-12-16 14:32:13 +02:00
Lior Alafi	0aea384f41	changed prettyprint to work with risk-score	2021-12-15 19:04:40 +02:00
Lior Alafi	467059cd26	adding score	2021-12-15 18:13:58 +02:00
David Wertenteil	f41af36ea9	Adding cloudSupport objects to interface	2021-12-14 20:10:45 +02:00
dwertent	e2f8902222	use objectsenvelopes pkg	2021-12-14 20:06:38 +02:00
David Wertenteil	52bfd4cadc	Submit configmap and env vars keys	2021-12-14 18:13:42 +02:00
Daniel-GrunbergerCA	7cdc556292	go mod	2021-12-14 14:16:50 +02:00
Daniel-GrunbergerCA	039bda9eaf	Merge remote-tracking branch 'upstream/dev' into send_keys	2021-12-14 14:05:13 +02:00
Daniel-GrunbergerCA	a6d73d6f8b	ssend keys for configmaps and env vars	2021-12-14 14:05:07 +02:00
Ben Hirschberg	8e5af59153	Merge pull request #267 from armosec/dev Hot fix - Download command	2021-12-14 12:16:24 +02:00
dwertent	278467518e	call SetRegoObjects when downloading	2021-12-14 12:07:07 +02:00
dwertent	a7080a5778	remove data from resource after saving in list	2021-12-14 11:33:33 +02:00
Daniel-GrunbergerCA	6a71ef6745	Merge remote-tracking branch 'upstream/dev'	2021-12-13 15:44:44 +02:00
Rotem Refael	10eb576260	Merge pull request #264 from armosec/dev Hot fix - all resource list missing some of the failed resources	2021-12-13 14:35:26 +02:00
David Wertenteil	f14acb79bf	Merge pull request #263 from dwertent/master Hot fix - adding failed resources to the all-list of resources	2021-12-13 14:18:55 +02:00
dwertent	b8e011bd27	Merge remote-tracking branch 'upstream/dev'	2021-12-13 14:06:23 +02:00
dwertent	f6295308cd	hot-fix eks failing resources	2021-12-13 14:06:07 +02:00
Rotem Refael	f981675850	Merge pull request #262 from armosec/dev New features and bug fixing - new release	2021-12-12 18:06:25 +02:00
dwertent	93bb7610e6	update summary table	2021-12-12 17:43:34 +02:00
Rotem Refael	23975ee359	change dev-ui link	2021-12-12 13:50:06 +02:00
David Wertenteil	14eaedf375	revert prometheus output * Revert prometheus output * Revert sensor behavior	2021-12-12 11:37:50 +02:00
dwertent	ced0b741b9	Do not ask user about host sensor	2021-12-12 11:36:35 +02:00
dwertent	13e805b213	remove passed resources	2021-12-12 10:50:22 +02:00
dwertent	c424c1e394	revert prometheus output	2021-12-12 10:41:09 +02:00
David Wertenteil	77d68bdc73	version and submit improvements	2021-12-09 15:10:50 +02:00
dwertent	a1555bb9cd	after merge with dev branch	2021-12-09 14:10:44 +02:00
dwertent	3ca61b218e	execute the ResourceEnumerator	2021-12-09 13:41:19 +02:00
dwertent	e7917277e7	move rbac objects to cautils	2021-12-09 13:27:23 +02:00
dwertent	aa18be17fa	remove rego from armo, support release fallback	2021-12-09 11:54:25 +02:00
Daniel-GrunbergerCA	39c7af5f8d	Merge remote-tracking branch 'upstream/dev'	2021-12-08 13:36:51 +02:00
David Wertenteil	a5f7f8bbe4	Merge pull request #258 from Bezbran/dev take nodes list from corev1 API.	2021-12-08 11:04:20 +02:00
Bezalel Brandwine	420e491963	add some more host sensor data	2021-12-08 08:58:07 +02:00
Bezbran	36f2ff997a	Merge pull request #13 from armosec/dev Dev	2021-12-08 08:44:04 +02:00
YiscahLevySilas1	c33807d052	Merge pull request #257 from YiscahLevySilas1/dev add apiVersion to rbac obj	2021-12-07 20:13:00 +02:00
yiscah	fb3946b64f	Merge branch 'dev' of https://github.com/YiscahLevySilas1/kubescape into dev	2021-12-07 19:50:31 +02:00
yiscah	51322e7270	add apiVersion to rbac objs	2021-12-07 19:50:14 +02:00
David Wertenteil	3f084d8525	Merge pull request #256 from dwertent/master * Fixed url scanning * Support preRun rego	2021-12-07 17:15:06 +02:00
David Wertenteil	b1f4002036	Merge pull request #255 from AlexsJones/dev spelling mistake on clihandler/cmd/control.go:19	2021-12-07 16:51:15 +02:00
dwertent	bb1cbe0902	fixed url scanning, support preRun rego	2021-12-07 16:50:43 +02:00
Alex Jones	a095634755	spelling mistake on clihandler/cmd/control.go:19	2021-12-07 13:03:44 +00:00
Daniel-GrunbergerCA	1b9ff074af	run workflow	2021-12-07 14:51:34 +02:00
Daniel-GrunbergerCA	f8361446a4	integrate cloud provider description	2021-12-07 14:49:56 +02:00
Bezalel Brandwine	5713490f14	Merge branch 'dev' of github.com:Bezbran/kubescape into dev	2021-12-07 12:48:51 +02:00
Bezalel Brandwine	1ceac2a0a0	take node list from core v1	2021-12-07 12:48:45 +02:00
Daniel-GrunbergerCA	8a2967a0db	Merge remote-tracking branch 'upstream/dev'	2021-12-07 10:49:23 +02:00
David Wertenteil	86297720d5	Merge pull request #254 from dwertent/master store data only once	2021-12-07 10:33:15 +02:00
dwertent	1aeb2b96e2	store data only once	2021-12-07 10:30:03 +02:00
Bezbran	4ee8b9d7f6	Merge pull request #12 from armosec/dev Dev	2021-12-06 10:18:33 +02:00
David Wertenteil	1d208ed5ec	Merge pull request #252 from Bezbran/dev Merge host-sensor capability	2021-12-05 17:32:57 +02:00
Bezalel Brandwine	3883aaabab	fault tolerence for host sensor installing failures	2021-12-05 16:01:38 +02:00
Bezalel Brandwine	6fb3c070d0	dont print skipping node scanning	2021-12-05 15:42:07 +02:00
Bezalel Brandwine	d8d8b4ed73	add k8s resources map all in all to all resources report	2021-12-05 15:40:21 +02:00
David Wertenteil	907f46769f	Merge pull request #251 from dwertent/master return list of strings	2021-12-05 15:14:31 +02:00
dwertent	1ffdb717f7	return list of string	2021-12-05 15:11:44 +02:00
Bezalel Brandwine	9080603bce	integrate host sensor into k8s IMetadata resource map	2021-12-05 15:08:05 +02:00
David Wertenteil	5796ae9084	supporting list of include-namespaces Fixed issue #247	2021-12-05 13:54:23 +02:00
dwertent	50636e3a7e	supporting list of include-namespaces	2021-12-05 13:52:06 +02:00
David Wertenteil	501d4c9dfc	Update k8s-interface version	2021-12-05 13:12:46 +02:00
dwertent	84cbc4ae04	Update verswion	2021-12-05 12:42:07 +02:00
Bezalel Brandwine	cbb2a3e46f	go get + build after merge from armosec	2021-12-05 12:28:28 +02:00
Bezbran	493197c073	Merge pull request #11 from armosec/dev Dev	2021-12-05 12:24:29 +02:00
Bezbran	31a2952101	Merge branch 'dev' into dev	2021-12-05 12:24:10 +02:00
Bezalel Brandwine	acaccc23e8	merge conflicts 1	2021-12-05 12:15:55 +02:00
David Wertenteil	70e339164d	Separate offline behavior from yaml input	2021-12-05 09:57:54 +02:00
dwertent	0de5d72d75	Merge remote-tracking branch 'upstream/dev'	2021-12-05 09:54:57 +02:00
dwertent	d604cc7faf	update k8sinterface version	2021-12-05 09:50:56 +02:00
dwertent	d843a3e359	set tenant if config not found	2021-12-02 19:18:35 +02:00
dwertent	37586662b3	handle yaml files and armo api behavior	2021-12-02 19:13:05 +02:00
David Wertenteil	193687418f	RBAC object sent using pagination mechanism	2021-12-02 10:13:04 +02:00
yiscah	72e6bb9537	send rbac objs in all resources	2021-12-01 21:30:04 +02:00
David Wertenteil	d69e790c61	Supporting verbose flag	2021-12-01 14:49:53 +02:00
dwertent	01d41520d4	initialize mock resourceMap when scanning yamls	2021-12-01 14:12:00 +02:00
dwertent	aea9eb9e01	use mapResource mock when testing	2021-12-01 12:35:09 +02:00
dwertent	26717b13e9	supporing verbose flag	2021-12-01 12:30:16 +02:00
dwertent	5f36417bd9	update ver	2021-11-30 17:06:20 +02:00
dwertent	021ea34814	update k8s package	2021-11-30 15:47:56 +02:00
David Wertenteil	4a08fbdf28	Adding pagination to report	2021-11-30 10:59:30 +02:00
dwertent	268753091d	fixed test	2021-11-30 10:49:05 +02:00
dwertent	ec688829b5	support report pagination	2021-11-29 17:24:50 +02:00
Rotem Refael	ec5bf58b0f	Merge pull request #242 from YiscahLevySilas1/dev add comment for isRuleKubescapeVersionCompatible()	2021-11-29 13:06:05 +02:00
Bezalel Brandwine	f877d821f0	in the middle of refactoring	2021-11-28 16:47:44 +02:00
Bezalel Brandwine	6c22cfef1e	in the middle of refactoring	2021-11-28 16:47:24 +02:00
Bezalel Brandwine	05305d858b	host sensor flag + user input asking	2021-11-28 12:35:21 +02:00
yiscah	e094237bbf	add comment for isRuleKubescapeVersionCompatible()	2021-11-28 10:23:47 +02:00
David Wertenteil	77eb52bc51	Working with IMetadata interface	2021-11-28 08:14:00 +02:00
dwertent	c79834cec7	working with IMetadata interface	2021-11-26 00:52:03 +02:00
Bezalel Brandwine	aefc5fded7	kubelet configuration is in kubescape	2021-11-25 17:54:26 +02:00
Bezalel Brandwine	5fd5a5d4fa	[host-sensor] first integration in kubescape	2021-11-25 17:43:21 +02:00
David Wertenteil	0368ecf7f3	External object support * Aggregate rego input * Display `User` and `Group` in output * Update dependencies	2021-11-25 14:33:28 +02:00
yiscah	d9ec5dcb56	rule version - kubescape version check	2021-11-25 12:30:02 +02:00
yiscah	030bc6c6b6	handle pretty print external objects	2021-11-25 12:29:05 +02:00
yiscah	c1dd2fe0f4	print warning in local build to work with latest version	2021-11-25 12:27:28 +02:00
Bezalel Brandwine	4e0851868e	initial host sensor deployment stage	2021-11-24 15:23:50 +02:00
Bezbran	276178c27c	Merge pull request #10 from armosec/dev Dev	2021-11-23 10:53:41 +02:00
yiscah	3006e6bcbf	add isKindToBeGrouped	2021-11-23 09:07:37 +02:00
yiscah	3a50c5686e	print externalObjects with their relatedObjects	2021-11-22 20:34:29 +02:00
yiscah	f8eea4d082	use inputaggregator on k8sresources, don't use v0 rules	2021-11-22 11:06:29 +02:00
YiscahLevySilas1	8a42d77990	Merge branch 'armosec:dev' into dev	2021-11-22 11:05:07 +02:00
Rotem Refael	3980d1a9b0	Merge pull request #235 from armosec/dev * Hot fixes * Smoke tests * Update documentation	2021-11-21 10:22:32 +02:00
Rotem Refael	53741ec26e	Update README.md	2021-11-21 10:13:31 +02:00
David Wertenteil	c398cf46c9	Comment out policy version check	2021-11-21 09:23:21 +02:00
dwertent	e869ce4a64	comment out policy version check	2021-11-21 08:49:24 +02:00
YiscahLevySilas1	4064be6577	Merge branch 'armosec:dev' into dev	2021-11-18 16:47:58 +02:00
David Wertenteil	1f00cf4151	Fixed stdin support * Fixed stdin * Adding smoke tests	2021-11-16 17:30:06 +02:00
dwertent	bae0ca62b8	update smoke testing	2021-11-16 16:03:31 +02:00
dwertent	b7a51a2495	fixed stdin support	2021-11-16 15:57:23 +02:00
Rotem Refael	4f6a3e39d0	Update SAAS link	2021-11-15 21:59:30 +02:00
David Wertenteil	528f6b7402	Fix broken links #231	2021-11-14 16:42:40 +02:00
David Wertenteil	c252f29e6d	Adding basic exceptions documentation #232 #80	2021-11-14 14:46:31 +02:00
dwertent	fea84c9652	update opa-utils pkg version	2021-11-14 14:42:10 +02:00
dwertent	9b9940f708	adding exceptions docs	2021-11-14 14:31:53 +02:00
Thibault Le Reste	a34ab17307	fix Kubernetes Hardening Guidance broken links	2021-11-14 13:16:28 +01:00
yiscah	477a3e7263	update nsa url in readme	2021-11-14 08:59:34 +02:00
Rotem Refael	f94c9496df	Merge pull request #223 from armosec/dev Adding features and fixing bugs	2021-11-11 15:08:38 +02:00
lalafi@cyberarmor.io	1c31281b7b	add baseScore to controlReport	2021-11-11 13:57:52 +02:00
dwertent	0e5204ecb4	support custom frameworks	2021-11-11 11:15:33 +02:00
David Wertenteil	f3dc6235d7	Merge pull request #225 from Daniel-GrunbergerCA/master Supporting custom frameworks	2021-11-11 09:43:40 +02:00
Daniel-GrunbergerCA	37cdf1a19e	erase repetitive frameworks	2021-11-10 18:57:05 +02:00
Daniel-GrunbergerCA	1fb642c777	scan with custom framework	2021-11-10 18:30:03 +02:00
dwertent	8f791ceb12	Improve readme	2021-11-10 09:38:34 +02:00
dwertent	f40eaa0f56	Merge branch 'dev'	2021-11-10 08:17:51 +02:00
dwertent	cb34d17ba1	fixed merge	2021-11-10 08:01:33 +02:00
dwertent	328ba82007	Merge branch 'master' of github.com:armosec/kubescape	2021-11-10 07:59:05 +02:00
David Wertenteil	010ed1b047	Merge pull request #222 from dwertent/master Adding json to http headers	2021-11-10 07:55:38 +02:00
dwertent	5a81a77d92	adding json to http headers	2021-11-10 07:53:35 +02:00
David Wertenteil	c7ea10d206	Merge pull request #221 from dwertent/master Checking latest version	2021-11-09 17:09:01 +02:00
dwertent	a37d00b40a	checking latest version	2021-11-09 17:07:06 +02:00
David Wertenteil	0168b768d2	Merge pull request #214 from mboersma/fix-spelling-fail-threshold Fix spelling in --fail-threshold description	2021-11-09 15:10:17 +02:00
David Wertenteil	9a85b57ba4	Merge pull request #201 from Joibel/fix/spelling Minor spelling fixes	2021-11-09 15:10:02 +02:00
dwertent	eafece6497	update helm command in readme	2021-11-09 11:18:30 +02:00
dwertent	8f08271664	udpate cronjob configmap	2021-11-09 11:16:13 +02:00
David Wertenteil	da0271e624	Merge pull request #218 from yonahd/helm_chart Helm chart for kubescape	2021-11-08 13:17:37 +02:00
Yonah Dissen	94f52fb4ac	Documentation running using docker	2021-11-08 11:52:04 +02:00
David Wertenteil	524c2922a4	Merge pull request #219 from Daniel-GrunbergerCA/master Support scanning multiple controls	2021-11-08 11:29:50 +02:00
Daniel-GrunbergerCA	0891d64654	comment to run workflow	2021-11-08 10:48:39 +02:00
Daniel-GrunbergerCA	d1c23f7442	scan multiple controls	2021-11-08 10:39:31 +02:00
Daniel-GrunbergerCA	8cbbe35f24	Merge remote-tracking branch 'upstream/dev'	2021-11-08 08:53:27 +02:00
Yonah Dissen	a21e9d706e	small changes in helm chart	2021-11-07 21:23:57 +02:00
Yonah Dissen	57160c4d04	add helm chart to deploy kubescape in cluster	2021-11-07 21:17:45 +02:00
Yonah Dissen	8b46a49e23	add helm chart to deploy kubescape in cluster	2021-11-07 21:09:30 +02:00
David Wertenteil	c11ebb49f7	Merge pull request #217 from dwertent/master Fixed include namespaces	2021-11-07 13:56:56 +02:00
dwertent	e4c3935a1b	fixed include ns	2021-11-07 13:50:46 +02:00
David Wertenteil	ade062fdd3	Merge pull request #216 from dwertent/master support armoBest framework name	2021-11-07 09:23:27 +02:00
dwertent	b0f6357482	support armoBest	2021-11-07 09:13:51 +02:00
Matt Boersma	38a9c11286	Fix spelling in --fail-threshold description	2021-11-05 10:33:06 -06:00
David Wertenteil	0d95f02e60	Merge pull request #213 from dwertent/master support include namespaces	2021-11-04 12:09:27 +02:00
dwertent	1c30528eea	support include ns	2021-11-04 12:06:34 +02:00
David Wertenteil	d1b116d314	Merge pull request #210 from dwertent/master Sbumit support	2021-11-03 17:31:23 +02:00
dwertent	9d20fd41a8	fixed rbac submit	2021-11-03 17:28:37 +02:00
dwertent	54648bb973	update opa pkg	2021-11-03 15:28:42 +02:00
dwertent	fc4edb12f9	adding stdout to smoke tests	2021-11-02 18:59:34 +02:00
dwertent	9a1b8d7ce2	support submit	2021-11-02 16:14:09 +02:00
dwertent	6909975503	controls support yaml inputs	2021-11-02 10:14:39 +02:00
David Wertenteil	5d94bd990a	Merge pull request #208 from dwertent/master Adding smoke testing and support inputs for controls	2021-11-01 17:22:31 +02:00
dwertent	67c8719f34	adding smoke tests to PR	2021-11-01 14:04:20 +02:00
dwertent	d5b60c6ac8	update config api	2021-11-01 13:52:40 +02:00
dwertent	a99d2e9e26	remove scan	2021-11-01 12:41:54 +02:00
dwertent	5c7d89cb9e	use command	2021-11-01 11:55:54 +02:00
Yonah Dissen	5a90dc46f0	fix version for cli in docker image	2021-11-01 09:17:46 +02:00
Yonah Dissen	294f886588	fix version for cli in docker image	2021-10-31 17:50:55 +02:00
dwertent	667ffe9cd3	Merge remote-tracking branch 'prometheus/feature/prometheus'	2021-10-31 08:58:57 +02:00
dwertent	6f4086cd8c	Merge branch 'master' of github.com:armosec/kubescape	2021-10-31 08:58:44 +02:00
Rotem Refael	f384e8a6e3	Merge pull request #203 from armosec/cluster-name-issue adopt cluster name (HotFix)	2021-10-26 20:51:42 +03:00
Alan Clucas	a5ef6aa126	Minor spelling fixes	2021-10-26 15:19:05 +01:00
Bezbran	cd0f20ca2f	Merge pull request #9 from armosec/master Dev	2021-10-21 14:38:17 +03:00
dwertent	5a71c3270a	Merge branch 'master' of github.com:armosec/kubescape	2021-10-21 11:32:40 +03:00
dwertent	70a9a7bbbd	Update resource count	2021-10-18 10:23:06 +03:00