Adding new network scanner

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

.gitattributes

@@ -0,0 +1,2 @@
+# Keep CRLF newlines in appropriate test files to have reproducible tests
+core/pkg/fixhandler/testdata/inserts/*-crlf-newlines.yaml text eol=crlf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+# Description
+<!-- A clear and concise description of what the bug is. -->
+
+# Environment
+OS: ` ` <!-- the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS  -->
+Version: ` ` <!-- the version that Kubescape reports when you run `kubescape version`  -->
+ 
+# Steps To Reproduce
+<!--
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+-->
+
+# Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+# Actual Behavior
+<!-- A clear and concise description of what happened. If applicable, add screenshots to help explain your  problem. -->
+
+# Additional context
+<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'feature'
+assignees: ''
+
+---
+
+## Overview
+<!-- A brief overview of the related current state -->
+
+## Problem
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+## Solution
+<!-- A clear and concise description of what you want to happen. -->
+
+## Alternatives
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+<!-- Add any other context or screenshots about the feature request here. -->
+ 

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,44 @@
+## Overview
+<!-- Please provide a brief overview of the changes made in this pull request. e.g. current behavior/future behavior -->
+
+<!-- 
+## Additional Information
+
+> Any additional information that may be useful for reviewers to know 
+-->
+
+<!--
+## How to Test
+
+> Please provide instructions on how to test the changes made in this pull request
+-->
+
+<!--
+## Examples/Screenshots
+
+> Here you add related screenshots 
+-->
+
+<!-- 
+## Related issues/PRs:
+
+Here you add related issues and PRs.
+If this resolved an issue, write "Resolved #<issue number>
+
+e.g. If this PR resolves issues 1 and 2, it should look as follows:
+* Resolved #1
+* Resolved #2
+-->
+
+<!--
+## Checklist before requesting a review
+
+put an [x] in the box to get it checked 
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have commented on my code, particularly in hard-to-understand areas
+- [ ] I have performed a self-review of my code
+- [ ] If it is a core feature, I have added thorough tests.
+- [ ] New and existing unit tests pass locally with my changes
+
+--> 

.github/actions/tag-action/action.yaml

@@ -0,0 +1,44 @@
+name: 'Tag validator and retag'
+description: 'This action will check if the tag is rc and create a new tag for release'
+inputs:
+  ORIGINAL_TAG:  # id of input
+    description: 'Original tag'
+    required: true
+    default: ${{ github.ref_name }}
+  SUB_STRING: 
+    description: 'Sub string for rc tag'
+    required: true
+    default: "-rc"
+outputs:
+  NEW_TAG:
+    description: "The new tag for release"
+    value: ${{ steps.retag.outputs.NEW_TAG }}
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        if [[ -z "${{ inputs.ORIGINAL_TAG }}" ]]; then
+          echo "The value of ORIGINAL_TAG is ${{ inputs.ORIGINAL_TAG }}"
+          echo "Setting the value of ORIGINAL_TAG to ${{ github.ref_name }}"
+          echo ORIGINAL_TAG="${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+      shell: bash
+
+    - run: |
+        if [[ "${{ inputs.ORIGINAL_TAG }}" == *"${{ inputs.SUB_STRING }}"* ]]; then
+            echo "Release candidate tag found."
+        else
+            echo "Release candidate tag not found."
+            exit 1
+        fi
+      shell: bash
+
+
+    - id: retag
+      run: | 
+          NEW_TAG=
+          echo "Original tag: ${{ inputs.ORIGINAL_TAG }}"
+          NEW_TAG=$(echo ${{ inputs.ORIGINAL_TAG }} | awk -F '-rc' '{print $1}')
+          echo "New tag: $NEW_TAG"
+          echo "NEW_TAG=$NEW_TAG" >> $GITHUB_OUTPUT
+      shell: bash

.github/dependabot.yaml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/00-pr-scanner.yaml

@@ -0,0 +1,67 @@
+name: 00-pr_scanner
+permissions: read-all
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+    paths-ignore:
+      - '**.yaml'
+      - '**.yml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pr-scanner:
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      id-token: write
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: write
+      repository-projects: read
+      security-events: read
+      statuses: read
+    uses: ./.github/workflows/a-pr-scanner.yaml
+    with:
+      RELEASE: ""
+      CLIENT: test
+    secrets: inherit
+
+  binary-build:
+    if: ${{ github.actor == 'kubescape' }}
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 0
+      GO111MODULE: ""
+      GO_VERSION: "1.21"
+      RELEASE: "latest"
+      CLIENT: test
+    secrets: inherit

.github/workflows/02-release.yaml

@@ -0,0 +1,88 @@
+name: 02-create_release
+permissions: read-all
+on:
+  push:
+    tags:
+      - 'v*.*.*-rc.*'
+jobs:
+  retag:
+    outputs:
+      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - id: tag-calculator
+        uses: ./.github/actions/tag-action
+        with:
+          SUB_STRING: "-rc"
+  binary-build:
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
+    needs: [retag]
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 0
+      GO111MODULE: ""
+      GO_VERSION: "1.21"
+      RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
+      CLIENT: release
+    secrets: inherit
+  create-release:
+    permissions:
+      actions: read
+      checks: read
+      contents: write
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+    needs: [retag, binary-build]
+    uses: ./.github/workflows/c-create-release.yaml
+    with:
+      RELEASE_NAME: "Release ${{ needs.retag.outputs.NEW_TAG }}"
+      TAG: ${{ needs.retag.outputs.NEW_TAG }}
+      DRAFT: false
+    secrets: inherit
+  publish-image:
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
+    uses: ./.github/workflows/d-publish-image.yaml
+    needs: [create-release, retag]
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape-cli"
+      image_tag: ${{ needs.retag.outputs.NEW_TAG }}
+      support_platforms: true
+      cosign: true
+    secrets: inherit

.github/workflows/03-post-release.yaml

@@ -0,0 +1,42 @@
+name: 03-post_release
+permissions: read-all
+on:
+  release:
+    types: [published]
+    branches:
+      - 'master'
+      - 'main'
+jobs:
+  post_release:
+    name: Post release jobs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Digest
+        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
+        with:
+          hash-type: sha1
+          file-name: kubescape-release-digests
+      - name: Invoke workflow to update packaging
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/packaging
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update homebrew tap
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/homebrew-tap
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update github action
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yaml
+          repo: kubescape/github-action
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/04-publish-krew-plugin.yaml

@@ -0,0 +1,17 @@
+name: 04-publish_krew_plugin
+permissions: read-all
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+jobs:
+  publish_krew_plugin:
+    name: Publish Krew plugin
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'kubescape'
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43

.github/workflows/README.md

@@ -0,0 +1,52 @@
+# Kubescape workflows
+
+Tag terminology: `v<major>.<minor>.<patch>`
+
+## Developing process
+
+Kubescape's main branch is `main`, any PR will be opened against the main branch.
+
+### Opening a PR
+
+When a user opens a PR, this will trigger some basic tests (units, license, etc.)
+
+### Reviewing a PR
+
+The reviewer/maintainer of a PR will decide whether the PR introduces changes that require running the E2E system tests. If so, the reviewer will add the `trigger-integration-test` label.
+
+### Approving a PR
+
+Once a maintainer approves the PR, if the `trigger-integration-test` label was added to the PR, the GitHub actions will trigger the system test. The PR will be merged only after the system tests passed successfully. If the label was not added, the PR can be merged. 
+
+### Merging a PR
+
+The code is merged, no other actions are needed
+
+
+## Release process
+
+Every two weeks, we will create a new tag by bumping the minor version, this will create the release and publish the artifacts. 
+If we are introducing breaking changes, we will update the `major` version instead.
+
+When we wish to push a hot-fix/feature within the two weeks, we will bump the `patch`.
+
+### Creating a new tag
+Every two weeks or upon the decision of the maintainers, a maintainer can create a tag.
+
+The tag should look as follows: `v<A>.<B>.<C>-rc.D` (release candidate). 
+
+When creating a tag, GitHub will trigger the following actions:
+1. Basic tests - unit tests, license, etc.
+2. System tests (integration tests). If the tests fail, the actions will stop here.
+3. Create a new tag: `v<A>.<B>.<C>` (same tag just without the `rc` suffix)
+4. Create a release
+5. Publish artifacts
+6. Build and publish the docker image (this is meanwhile until we separate the microservice code from the LCI codebase)
+ 
+## Additional Information
+
+The "callers" have the alphabetic prefix and the "executes" have the numeric prefix
+
+## Screenshot
+
+<img width="1469" alt="image" src="https://user-images.githubusercontent.com/64066841/212532727-e82ec9e7-263d-408b-b4b0-a8c943f0109a.png">

.github/workflows/a-pr-scanner.yaml

@@ -0,0 +1,90 @@
+name: a-pr-scanner
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        description: 'release'
+        required: true
+        type: string
+      CLIENT:
+        description: 'Client name'
+        required: true
+        type: string
+      UNIT_TESTS_PATH:
+        required: false
+        type: string
+        default: "./..."
+jobs:
+  scanners:
+    env:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    name: PR Scanner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+      - uses: actions/setup-go@v4
+        name: Installing go
+        with:
+          go-version: '1.21'
+          cache: true
+      - name: Scanning - Forbidden Licenses (go-licenses)
+        id: licenses-scan
+        continue-on-error: true
+        run: |
+          echo "## Installing go-licenses tool"
+          go install github.com/google/go-licenses@latest
+          echo "## Scanning for forbiden licenses ##"
+          go-licenses check .
+      - name: Scanning - Credentials (GitGuardian)
+        if: ${{ env.GITGUARDIAN_API_KEY }}
+        continue-on-error: true
+        id: credentials-scan
+        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
+        with:
+          args: -v --all-policies
+        env:
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      - name: Scanning - Vulnerabilities (Snyk)
+        if: ${{ env.SNYK_TOKEN }}
+        id: vulnerabilities-scan
+        continue-on-error: true
+        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
+        with:
+          command: test --all-projects
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Test coverage
+        id: unit-test
+        run: go test -v ${{ inputs.UNIT_TESTS_PATH }} -covermode=count -coverprofile=coverage.out
+
+      - name: Convert coverage count to lcov format
+        uses: jandelgado/gcov2lcov-action@v1
+
+      - name: Submit coverage tests to Coveralls
+        continue-on-error: true
+        uses: coverallsapp/github-action@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          path-to-lcov: coverage.lcov
+
+      - name: Comment results to PR
+        continue-on-error: true # Warning: This might break opening PRs from forks
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Scan results:
+            - License scan: ${{ steps.licenses-scan.outcome }}
+            - Credentials scan: ${{ steps.credentials-scan.outcome }}
+            - Vulnerabilities scan: ${{ steps.vulnerabilities-scan.outcome }}
+          reactions: 'eyes'

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -0,0 +1,271 @@
+name: b-binary-build-and-e2e-tests
+permissions: read-all
+on:
+  workflow_dispatch:
+    inputs:
+      COMPONENT_NAME:
+        required: false
+        type: string
+        default: "kubescape"
+      RELEASE:
+        required: false
+        type: string
+        default: ""
+      CLIENT:
+        required: false
+        type: string
+        default: "test"
+      GO_VERSION:
+        required: false
+        type: string
+        default: "1.21"
+      GO111MODULE:
+        required: false
+        type: string
+        default: ""
+      CGO_ENABLED:
+        type: number
+        default: 1
+        required: false
+      BINARY_TESTS:
+        type: string
+        required: false
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "control_cluster_from_CLI_config_scan_exclude_namespaces", "control_cluster_from_CLI_config_scan_include_namespaces", "control_cluster_from_CLI_config_scan_host_scanner_enabled", "control_cluster_from_CLI_config_scan_MITRE_framework", "control_cluster_from_CLI_vulnerabilities_scan_default", "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces" ]'
+
+  workflow_call:
+    inputs:
+      COMPONENT_NAME:
+        required: true
+        type: string
+      RELEASE:
+        required: true
+        type: string
+      CLIENT:
+        required: true
+        type: string
+      GO_VERSION:
+        type: string
+        default: "1.21"
+      GO111MODULE:
+        required: true
+        type: string
+      CGO_ENABLED:
+        type: number
+        default: 1
+      BINARY_TESTS:
+        type: string
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing" ]'
+
+jobs:
+  wf-preparation:
+    name: secret-validator
+    runs-on: ubuntu-latest
+    outputs:
+      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+
+    steps:
+      - name: check if the necessary secrets are set in github secrets
+        id: check-secret-set
+        env:
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
+
+      - id: export_tests_to_env
+        name: set test name
+        run: |
+          echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.BINARY_TESTS }}
+
+  check-secret:
+    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+    runs-on: ubuntu-latest
+    outputs:
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+    steps:
+      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+        id: check-secret-set
+        env:
+          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+        run: |
+          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
+
+  binary-build:
+    name: Create cross-platform build
+    needs: wf-preparation
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: actions/setup-go@v4
+        name: Installing go
+        with:
+          go-version: ${{ inputs.GO_VERSION }}
+          cache: true
+
+      - name: Test core pkg
+        run: ${{ env.DOCKER_CMD }} go test -v ./...
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: Test httphandler pkg
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
+        if: startsWith(github.ref, 'refs/tags')
+
+      - uses: anchore/sbom-action/download-syft@v0.15.2
+        name: Setup Syft
+
+      - uses: goreleaser/goreleaser-action@v5
+        name: Build
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean --snapshot
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          CLIENT: ${{ inputs.CLIENT }}
+          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
+
+      - name: Smoke Testing
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest
+
+      - name: golangci-lint
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
+        with:
+          version: latest
+          args: --timeout 10m --build-tags=static
+          only-new-issues: true
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
+        name: Upload artifacts
+        with:
+          name: kubescape
+          path: dist/kubescape*
+          if-no-files-found: error
+
+  build-http-image:
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+      pull-requests: read
+    needs: [check-secret]
+    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
+    with:
+      IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape
+      IMAGE_TAG: ${{ inputs.RELEASE }}
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 0
+      GO111MODULE: "on"
+      BUILD_PLATFORM: linux/amd64,linux/arm64
+      GO_VERSION: "1.21"
+      REQUIRED_TESTS: '[
+                "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", 
+                "ks_microservice_triggering_with_cron_job",
+                "ks_microservice_update_cronjob_schedule",
+                "ks_microservice_delete_cronjob",
+                "ks_microservice_create_2_cronjob_mitre_and_nsa",
+                "ks_microservice_ns_creation",
+                "ks_microservice_on_demand",
+                "ks_microservice_mitre_framework_on_demand",
+                "ks_microservice_nsa_and_mitre_framework_demand",
+                "scan_compliance_score"
+              ]'
+      COSIGN: true
+      HELM_E2E_TEST: true
+      FORCE: true
+    secrets: inherit
+
+  run-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }}
+    needs: [wf-preparation, binary-build]
+    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
+    runs-on: ubuntu-latest # This cannot change
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+        id: download-artifact
+        with:
+          name: kubescape
+          path: "~"
+
+      - run: ls -laR
+
+      - name: chmod +x
+        run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
+
+      - name: Checkout systests repo
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          repository: armosec/system-tests
+          path: .
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
+        with:
+          python-version: '3.8.13'
+          cache: 'pip'
+
+      - name: create env
+        run: ./create_env.sh
+
+      - name: Generate uuid
+        id: uuid
+        run: |
+          echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT
+
+      - name: Create k8s Kind Cluster
+        id: kind-cluster-install
+        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
+        with:
+          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}
+
+      - name: run-tests-on-local-built-kubescape
+        env:
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: |
+          echo "Test history:"
+          echo " ${{ matrix.TEST }} " >/tmp/testhistory
+          cat /tmp/testhistory
+          source systests_python_env/bin/activate
+
+          python3 systest-cli.py             \
+            -t ${{ matrix.TEST }}            \
+            -b production                    \
+            -c CyberArmorTests               \
+            --duration 3                     \
+            --logger DEBUG                   \
+            --kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
+
+          deactivate
+
+      - name: Test Report
+        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
+        if: always() # always run even if the previous step fails
+        with:
+          report_paths: '**/results_xml_format/**.xml'
+          commit: ${{github.event.workflow_run.head_sha}}

.github/workflows/build-image.yaml

@@ -0,0 +1,41 @@
+name: build-image
+permissions: read-all
+on:
+    workflow_dispatch:
+      inputs:
+        CLIENT:
+          required: false
+          type: string
+          default: "test"
+        IMAGE_TAG:
+          required: true
+          type: string
+        CO_SIGN:
+          type: boolean
+          required: false
+          default: false
+        PLATFORMS:
+            type: boolean
+            required: false
+            default: false
+jobs:
+  build-http-image:
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      pull-requests: read
+    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
+    with:
+      IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape
+      IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 0
+      GO111MODULE: "on"
+      BUILD_PLATFORM: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+      GO_VERSION: "1.21"
+      REQUIRED_TESTS: '[]'
+      COSIGN: ${{ inputs.CO_SIGN }}
+      HELM_E2E_TEST: false
+      FORCE: true
+    secrets: inherit

.github/workflows/build.yaml

@@ -1,89 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ] 
-jobs:
-  once:
-    name: Create release
-    runs-on: ubuntu-latest
-    outputs:
-      upload_url: ${{ steps.create_release.outputs.upload_url }}
-    steps:
-      - name: Create a release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: v1.0.${{ github.run_number }}
-          release_name: Release v1.0.${{ github.run_number }}
-          draft: false
-          prerelease: false
-  build:
-    name: Create cross-platform release build, tag and upload binaries
-    needs: once
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-      
-      - name: Upload Release binaries
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.once.outputs.upload_url }}
-          asset_path: build/${{ matrix.os }}/kubescape
-          asset_name: kubescape-${{ matrix.os }}
-          asset_content_type: application/octet-stream
-
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.workflow == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
-      - name: Re-Tag Image to latest
-        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
-
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-          docker push quay.io/armosec/kubescape:latest
-        

.github/workflows/build_dev.yaml

@@ -1,65 +0,0 @@
-name: build-dev
-
-on:
-  push:
-    branches: [ dev ]
-jobs:
-  build:
-    name: Create cross-platform dev build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-          
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.euprod1.cyberarmorsoft.com
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-      
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 
-
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.workflow == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-        
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-    
-        

.github/workflows/c-create-release.yaml

@@ -0,0 +1,82 @@
+name: c-create_release
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      RELEASE_NAME:
+        description: 'Release name'
+        required: true
+        type: string
+      TAG:
+        description: 'Tag name'
+        required: true
+        type: string
+      DRAFT:
+        description: 'Create draft release'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  create-release:
+    name: create-release
+    runs-on: ubuntu-latest
+    env:
+      MAC_OS: macos-latest
+      UBUNTU_OS: ubuntu-latest
+      WINDOWS_OS: windows-latest
+    # permissions:
+    #   contents: write
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+        id: download-artifact
+        with:
+          path: .
+
+      # TODO: kubescape-windows-latest is deprecated and should be removed
+      - name: Get kubescape.exe from kubescape-windows-latest.exe
+        run: cp ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape-${{ env.WINDOWS_OS }}.exe ${{steps.download-artifact.outputs.download-path}}/kubescape/kubescape.exe
+      
+      - name: Set release token
+        id: set-token
+        run: |
+          if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then
+            echo "token=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_OUTPUT;
+          else
+            echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT;
+          fi
+          
+      - name: List artifacts
+        run: |
+          find . -type f -print
+
+      - name: Release
+        uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a 
+        with:
+          token: ${{ steps.set-token.outputs.token }}
+          name: ${{ inputs.RELEASE_NAME }}
+          tag_name: ${{ inputs.TAG }}
+          body: ${{ github.event.pull_request.body }}
+          draft: ${{ inputs.DRAFT }}
+          prerelease: false
+          fail_on_unmatched_files: true
+          files: |
+            ./kubescape/kubescape-${{ env.UBUNTU_OS }}.tar.gz 
+            ./kubescape/kubescape-${{ env.UBUNTU_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.exe 
+            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.tar.gz 
+            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz 
+            ./kubescape/kubescape-arm64-${{ env.MAC_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}
+            ./kubescape/kubescape-${{ env.UBUNTU_OS }} 
+            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz 
+            ./kubescape/kubescape-arm64-${{ env.MAC_OS }} 
+            ./kubescape/kubescape-${{ env.MAC_OS }}.tar.gz 
+            ./kubescape/kubescape-${{ env.MAC_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape.exe 
+            ./kubescape/kubescape-${{ env.WINDOWS_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz.sbom 
+            ./kubescape/kubescape-${{ env.MAC_OS }} 
+            ./kubescape/kubescape-arm64-${{ env.MAC_OS }}.tar.gz 
+            ./kubescape/kubescape-arm64-${{ env.WINDOWS_OS }}.exe
+  

.github/workflows/comments.yaml

@@ -0,0 +1,20 @@
+name: pr-agent
+permissions: read-all
+on:
+  issue_comment:
+
+jobs:
+  pr_agent:
+    permissions:
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    name: Run pr agent on every pull request, respond to user comments
+    steps:
+      - name: PR Agent action step
+        continue-on-error: true
+        id: pragent
+        uses: Codium-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/d-publish-image.yaml

@@ -0,0 +1,96 @@
+name: d-publish-image
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      client:
+        description: 'client name'
+        required: true
+        type: string
+      image_tag:
+        description: 'image tag'
+        required: true
+        type: string
+      image_name:
+        description: 'image registry and name'
+        required: true
+        type: string
+      cosign:
+        required: false
+        default: false
+        type: boolean
+        description: 'run cosign on released image'
+      support_platforms:
+        required: false
+        default: true
+        type: boolean
+        description: 'support amd64/arm64'
+jobs:
+  check-secret:
+    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+    runs-on: ubuntu-latest
+    outputs:
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+    steps:
+      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+        id: check-secret-set
+        env:
+          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+        run: |
+          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
+
+  build-cli-image:
+    needs: [check-secret]
+    if: needs.check-secret.outputs.is-secret-set == 'true'
+    name: Build image and upload to registry
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
+      - name: Login to Quay.io
+        env:
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+        id: download-artifact
+        with:
+          path: .
+      - name: mv kubescape amd64 binary
+        run: mv ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest
+      - name: mv kubescape arm64 binary
+        run: mv ${{steps.download-artifact.outputs.download-path}}/kubescape-arm64-ubuntu-latest kubescape-arm64-ubuntu-latest
+      - name: chmod +x
+        run: chmod +x -v kubescape-a*
+      - name: Build and push images
+        run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.2.2'
+      - name: sign kubescape container image
+        if: ${{ inputs.cosign }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }}
+          COSIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY_V1 }}
+        run: |
+            # Sign the image with keyless mode
+            cosign sign -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
+
+            # Sign the image with key for verifier clients without keyless support
+            # Put the key from environment variable to a file
+            echo "$COSIGN_PRIVATE_KEY" > cosign.key
+            printf "$COSIGN_PRIVATE_KEY_PASSWORD" | cosign sign -key cosign.key -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
+            rm cosign.key
+            # Verify the image
+            echo "$COSIGN_PUBLIC_KEY" > cosign.pub
+            cosign verify -key cosign.pub ${{ inputs.image_name }}:${{ inputs.image_tag }}
+

.github/workflows/master_pr_checks.yaml

@@ -1,38 +0,0 @@
-name: master-pr
-
-on:
-  pull_request:
-    branches: [ master ]
-    types: [ edited, opened, synchronize, reopened ]
-jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '0 00 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

.github/workflows/z-close-typos-issues.yaml

@@ -0,0 +1,20 @@
+permissions: read-all
+on:
+  issues:
+    types: [opened, labeled]
+jobs:
+  open_PR_message:
+    if: github.event.label.name == 'typo'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
+        with:
+          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  auto_close_issues:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
+        with:
+          query: 'label:typo'
+          token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,4 +1,13 @@
 *.vs*
 *kubescape*
+!*Dockerfile*
 *debug*
-.idea
+*vendor*
+*.pyc*
+.idea
+.history
+ca.srl
+*.out
+ks
+
+dist/

.golangci.yml

@@ -0,0 +1,54 @@
+linters-settings:
+  govet:
+    check-shadowing: true
+  dupl:
+    threshold: 200
+  goconst:
+    min-len: 3
+    min-occurrences: 2
+  gocognit:
+    min-complexity: 65
+
+linters:
+  enable:
+    - gosec
+    - staticcheck
+    - nolintlint
+    - gofmt
+    - unused
+    - govet
+    - bodyclose
+    - typecheck
+    - goimports
+    - ineffassign
+    - gosimple
+  disable:
+    # temporarily disabled
+    - varcheck
+    - errcheck
+    - dupl
+    - gocritic
+    - gocognit
+    - nakedret
+    - revive
+    - stylecheck
+    - unconvert
+    - unparam
+    #- forbidigo # <- see later
+    # should remain disabled
+    - deadcode   # deprecated linter
+    - maligned
+    - lll
+    - gochecknoinits
+    - gochecknoglobals
+issues:
+  exclude-rules:
+    - linters:
+      - revive
+      text: "var-naming"
+    - linters:
+      - revive
+      text: "type name will be used as (.+?) by other packages, and that stutters"
+    - linters:
+      - stylecheck
+      text: "ST1003"

.goreleaser.yaml

@@ -0,0 +1,48 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines bellow are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+
+builds:
+  - id: "kubescape-cli"
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber={{.Env.RELEASE}}"
+    binary: >-
+      {{ .ProjectName }}-
+      {{- if eq .Arch "amd64" }}
+      {{- else }}{{ .Arch }}-{{ end }}
+      {{- if eq .Os "darwin" }}macos
+      {{- else if eq .Os "linux" }}ubuntu
+      {{- else }}{{ .Os }}{{ end }}-latest
+    no_unique_dist_dir: true
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .Binary }}
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+sboms:
+  - artifacts: archive

.krew.yaml

@@ -0,0 +1,42 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  homepage: https://github.com/kubescape/kubescape/
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  version: {{ .TagName }}
+  description: |
+    It includes risk analysis, security compliance, and misconfiguration scanning
+    with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+  platforms:
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-macos-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-macos-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-windows-latest.tar.gz" .TagName }}
+    bin: kubescape.exe

ADOPTERS.md

@@ -0,0 +1,22 @@
+# Adopters
+
+# Well-known companies
+Well-known companies who are using and/or contributing to Kubescape are (in alphabetical order):
+* Accenture
+* Amazon.com
+* IBM
+* Intel
+* Meetup
+* RedHat
+* Scaleway
+
+# Users
+
+If you want to be listed here and share with others your experience, open a PR and add the bellow table:
+
+
+| Name | Company | Use case | Contact for questions (optional) |
+| ---- | ------- | -------- | -------------------------------- |
+| Yonathan Amzallag | ARMO | Vulnerability monitoring | yonatana@armosec.io |
+| Engin Diri | Schwarz IT (SIT) | Ensure continuous compliance for edge k8s cluster | engin.diri@mail.schwarz |
+| Idan Bidani | Cox Communications | Security analysis for k8s best practices in CI pipelines of 3,000 applications 🔒☸ | idan.bidani@cox.com |

CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+## Code of Conduct
+
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

CONTRIBUTING.md

@@ -3,15 +3,21 @@
 First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
 
 When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope are limited to a single or two files
-* Complex features and improvements, whose are not limited
+* Small code changes or fixes, whose scope is limited to a single or two files
+* Complex features and improvements, with potentially unlimited scope
 
 If you have a small change, feel free to fire up a Pull Request.
 
-When planning a bigger change, please first discuss the change you wish to make via issue,
-email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+When planning a bigger change, please first discuss the change you wish to make via an issue,
+so the maintainers are able to help guide you and let you know if you are going in the right direction.
 
-Please note we have a code of conduct, please follow it in all your interactions with the project.
+## Code of Conduct
+
+Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
+
+## Build and test locally
+
+Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
 
 ## Pull Request Process
 
@@ -19,81 +25,74 @@ Please note we have a code of conduct, please follow it in all your interactions
    build.
 2. Update the README.md with details of changes to the interface, this includes new environment 
    variables, exposed ports, useful file locations and container parameters.
-3. We will merge the Pull Request in once you have the sign-off.
+3. Open Pull Request to the `master` branch.
+4. We will merge the Pull Request once you have the sign-off.
 
-## Code of Conduct
+## Developer Certificate of Origin
 
-### Our Pledge
+All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
 
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
+Commits made through the GitHub web application are automatically signed off.
 
-### Our Standards
+### Configuring Git to sign off commits
 
-Examples of behavior that contributes to creating a positive environment
-include:
+First, configure your name and email address in Git global settings:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+```
+$ git config --global user.name "John Doe" 
+$ git config --global user.email johndoe@example.com
+```
 
-Examples of unacceptable behavior by participants include:
+You can now sign off per-commit, or configure Git to always sign off commits per repository.
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+### Sign off per-commit
 
-We will distance those who are constantly adhere to unacceptable behavior.
+Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
 
-### Our Responsibilities
+```git commit -s -m "Fix issue 64738"```
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
+This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
 
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
+### Configure a repository to always include sign off
 
-### Scope
+There are many ways to achieve this with Git hooks, but the simplest is to do the following:
 
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
+```
+cd your-repo
+curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
+chmod +x .git/hooks/prepare-commit-msg
+```
 
-### Enforcement
+### Use semantic commit messages (optional)
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
+When contributing, you could consider using [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/), in order to improve logs readability and help us to automatically generate `CHANGELOG`s.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
+Format: `<type>(<scope>): <subject>`
 
-### Attribution
+`<scope>` is optional
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
+#### Example
 
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+```
+feat(cmd): add kubectl plugin
+^--^ ^-^   ^----------------^
+|    |     |
+|    |     +-> subject: summary in present tense.
+|    |
+|    +-------> scope: point of interest
+|
++-------> type: chore, docs, feat, fix, refactor, style, or test.
+```
+
+More Examples:
+* `feat`: new feature for the user, not a new feature for build script
+* `fix`: bug fix for the user, not a fix to a build script
+* `docs`: changes to the documentation
+* `style`: formatting, missing semi colons, etc; no production code change
+* `refactor`: refactoring production code, eg. renaming a variable
+* `test`: adding missing tests, refactoring tests; no production code change
+* `chore`: updating grunt tasks etc; no production code change
+
+## Fixing a commit where the DCO failed
+
+Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).

GOVERNANCE.md

@@ -0,0 +1,65 @@
+# Governance of Kubescape
+
+## Overview
+
+The Kubescape project is an open-source initiative dedicated to improve security and best practices in Kubernetes environments. This document outlines the governance structure of the Kubescape project and provides guidance for its community contributors.
+
+## Decision Making
+
+### Maintainers
+
+- Maintainers are responsible for the smooth operation of the project.
+- They review and merge pull requests, manage releases, and ensure the quality and stability of the codebase.
+- Maintainers are chosen based on their ongoing contributions and their demonstrated commitment to the project.
+- Everyone who had at least 5 code contribution in the last 12 month can submit her/himself for joining the maintainer team
+- Maintainers who are not taken part in the project work (code, reviews, discussions) for 12 month are automaticaly removed from the maintainer team
+
+
+### Committers
+
+- Committers are contributors who have made significant and consistent contributions to the project.
+- They have the ability to merge minor pull requests if assigned by maintainers.
+- A contributor can be proposed as a committer by any existing maintainer. The proposal will be reviewed and voted on by the existing maintainers.
+
+### Community Members
+
+- Anyone can become a community member by contributing to the project. This can be in the form of code contributions, documentation, or any other form of project support.
+
+## Processes
+
+### Proposing Changes
+
+1. Open an issue on the project repository to discuss the proposed change.
+2. Once there is consensus around the proposed change, create a pull request.
+3. Pull requests will be reviewed by committers and/or maintainers.
+4. Once the pull request has received approval, it can be merged into the main codebase.
+
+### Conflict Resolution
+
+1. In case of any conflicts, it is primarily the responsibility of the parties involved to resolve it.
+2. If the conflict cannot be resolved, it will be escalated to the maintainers for resolution.
+3. Maintainers' decision will be final in case of unresolved conflicts.
+
+## Roles and Responsibilities
+
+### Maintainers
+
+- Ensure the quality and stability of the project.
+- Resolve conflicts.
+- Provide direction and set priorities for the project.
+
+### Committers
+
+- Review and merge minor pull requests.
+- Assist maintainers in project tasks.
+- Promote best practices within the community.
+
+### Community Members
+
+- Contribute to the project in any form.
+- Participate in discussions and provide feedback.
+- Respect the code of conduct and governance of the project.
+
+## Changes to the Governance Document
+
+Proposed changes to this governance document should follow the same process as any other code change to the Kubescape project (see "Proposing Changes").

MAINTAINERS.md

@@ -0,0 +1,12 @@
+# Maintainers
+
+The following table lists the Kubescape project core maintainers:
+
+| Name | GitHub | Organization | Added/Renewed On |
+| --- | --- | --- | --- |
+| [Matthias Bertschy](https://www.linkedin.com/in/matthias-bertschy-b427b815/) | [@matthyx](https://github.com/matthyx) | [ARMO](https://www.armosec.io/) | 2023-01-01 |
+| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [Solo.io](https://www.solo.io/) | 2022-10-31 |
+| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
+| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+

Makefile

@@ -0,0 +1,12 @@
+.PHONY: test all build
+
+# default task invoked while running make
+all: build
+
+export CGO_ENABLED=0
+
+build:
+	go build -v .
+
+test:
+	go test -v ./...

README.md

@@ -1,242 +1,118 @@
-<img src="docs/kubescape.png" width="300" alt="logo" align="center">
+[![Version](https://img.shields.io/github/v/release/kubescape/kubescape)](https://github.com/kubescape/kubescape/releases)
+[![build](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
+[![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
+[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubescape)](https://artifacthub.io/packages/search?repo=kubescape)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape?ref=badge_shield&issueType=license)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6944/badge)](https://www.bestpractices.dev/projects/6944)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubescape/kubescape/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubescape/kubescape)
+[![Stars](https://img.shields.io/github/stars/kubescape/kubescape?style=social)](https://github.com/kubescape/kubescape/stargazers)
+[![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
+[![Slack](https://img.shields.io/badge/slack-kubescape-blueviolet?logo=slack)](https://cloud-native.slack.com/archives/C04EY3ZF9GE)
 
-[![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
-[![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
+# Kubescape
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+</picture>
 
-Use Kubescape to test clusters or scan single YAML files and integrate it to your processes.
+_An open-source Kubernetes security platform for your clusters, CI/CD pipelines, and IDE that seperates out the security signal from the scanner noise_
 
-<img src="docs/demo.gif">
+Kubescape is an open-source Kubernetes security platform, built for use in your day-to-day workflow, by fitting into your clusters, CI/CD pipelines and IDE. It serves as a one-stop-shop for Kuberenetes security and includes vulnerability and misconfiguration scanning. You can run scans via the CLI, or add the Kubescape Helm chart, which gives an in-depth view of what is going on in the cluster.
 
-# TL;DR
-## Install:
-```
-curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
+Kubescape includes misconfiguration and vulnerability scanning as well as risk analysis and security compliance indicators. All results are presented in context and users get many cues on what to do based on scan results.Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
+
+Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
+
+## Demo
+<img src="docs/img/demo-v3.gif">
+
+_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_
+
+## Getting started
+
+Experimenting with Kubescape is as easy as:
+
+```sh
+curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
-[Install on windows](#install-on-windows)
+Learn more about:
 
-[Install on macOS](#install-on-macos)
+* [Installing Kubescape](docs/installation.md)
+* [Running your first scan](docs/getting-started.md#run-your-first-scan)
+* [Usage](docs/getting-started.md#examples)
+* [Architecture](docs/architecture.md)
+* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
 
-## Run:
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
+_Did you know you can use Kubescape in all these places?_
 
-If you wish to scan all namespaces in your cluster, remove the `--exclude-namespaces` flag.
+<div align="center">
+    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
+</div>
 
-<img src="docs/summary.png">
+## Kubescape-operator Helm-Chart
 
-### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀
+Besides the CLI, the Kubescape operator can also be installed via a Helm chart. Installing the Helm chart is an excellent way to begin using Kubescape, as it provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. You can find the Helm chart in the [Kubescape-operator documentation](https://kubescape.io/docs/install-helm-chart/).
 
-# Being part of the team
+## Kubescape GitHub Action
 
-We invite you to our team! We are excited about this project and want to return the love we get.
+Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the [GitHub Action marketplace](https://github.com/marketplace/actions/kubescape).
 
-Want to contribute? Want to discuss something? Have an issue?
+## Under the hood
 
-* Open a issue, we are trying to respond within 48 hours
-* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server!
+Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
 
-[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
+By default, the results are printed in a console-friendly manner, but they can be:
 
-# Options and examples
+* exported to JSON or junit XML
+* rendered to HTML or PDF
+* submitted to a [cloud service](docs/providers.md)
 
-## Install on Windows
+It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
 
-**Requires powershell v5.0+**
+## Community
 
-``` powershell
-iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
-```
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
 
-Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
+We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
 
-``` powershell
-Set-ExecutionPolicy RemoteSigned -scope CurrentUser
-```
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
-## Install on macOS
+### Adopters
 
-1. ```
-    brew tap armosec/kubescape
-    ```
-2. ```
-    brew install kubescape
-    ```
+See [here](ADOPTERS.md) a list of adopters.
 
-## Flags
+## Contributions
 
-| flag |  default | description | options |
-| --- | --- | --- | --- |
-| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
-| `-s`/`--silent` | Display progress messages | Silent progress messages |
-| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
-| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
-| `-o`/`--output` | print to stdout | Save scan result in file |
-| `--use-from` | | Load local framework object from specified path. If not used will download latest |
-| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
-| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
-| `--submit` | `false` | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`|
-| `--keep-local` | `false` | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results | `true`/`false`|
-| `--account` | | Armo portal account ID. Default will load account ID from configMap or config file | |
+Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
 
-## Usage & Examples
+* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
+* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
+* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
 
-### Examples
+<br>
 
-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --submit
-```
+<a href = "https://github.com/kubescape/kubescape/graphs/contributors">
+  <img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/>
+</a>
 
+## Changelog
 
-* Scan a running Kubernetes cluster with [`mitre`](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
-```
-kubescape scan framework mitre --exclude-namespaces kube-system,kube-public --submit
-```
+Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page
 
-* Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
-```
-kubescape scan framework nsa *.yaml
-```
+## License
 
+Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
 
-* Scan `yaml`/`json` files from url
-```
-kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
-```
+Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
 
-* Output in `json` format
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
-```
-
-* Output in `junit xml` format
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
-```
-
-* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
-```
-kubescape scan framework nsa --exceptions examples/exceptions.json
-```
-
-### Helm Support
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
-```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
-```
-
-for example:
-```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
-```
-### Offline Support
-
-It is possible to run Kubescape offline!
-
-First download the framework and then scan with `--use-from` flag
-
-1. Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
-```
-kubescape download framework nsa --output nsa.json
-```
-
-2. Scan using the downloaded framework
-```
-kubescape scan framework nsa --use-from nsa.json
-```
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
-
-# How to build
-
-## Build using python (3.7^) script
-
-Kubescpae can be built using:
-
-``` sh
-python build.py
-```
-
-Note: In order to built using the above script, one must set the environment
-variables in this script:
-
-+ RELEASE
-+ ArmoBEServer
-+ ArmoERServer
-+ ArmoWebsite
-
-
-## Build using go
-
-Note: development (and the release process) is done with Go `1.17`
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-go build -o kubescape .
-```
-
-3. Run
-```
-./kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
-
-4. Enjoy :zany_face:
-
-## How to build in Docker
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-docker build -t kubescape -f build/Dockerfile .
-```
-
-# Under the hood
-
-## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
-* Non-root containers
-* Immutable container filesystem
-* Privileged containers
-* hostPID, hostIPC privileges
-* hostNetwork access
-* allowedHostPaths field
-* Protecting pod service account tokens
-* Resource policies
-* Control plane hardening
-* Exposed dashboard
-* Allow privilege escalation
-* Applications credentials in configuration files
-* Cluster-admin binding
-* Exec into container
-* Dangerous capabilities
-* Insecure capabilities
-* Linux hardening
-* Ingress and Egress blocked
-* Container hostPort
-* Network policies
-* Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
-
-
-
-## Technology
-Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.
-
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/).
-
-The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+<div align="center">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
+</div>

SECURITY-INSIGHTS.yml

@@ -0,0 +1,52 @@
+header:
+  schema-version: 1.0.0
+  last-updated: '2023-10-12'
+  last-reviewed: '2023-10-12'
+  expiration-date: '2024-10-12T01:00:00.000Z'
+  project-url: https://github.com/kubescape/kubescape/
+  project-release: '1.0.0'
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+  - github:slashben
+  - github:craigbox
+  - github:matthyx
+  - github:dwertent
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: false
+  code-of-conduct: https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/kubescape/kubescape/blob/master/go.mod
+  - https://github.com/kubescape/kubescape/blob/master/httphandler/go.mod
+  env-dependencies-policy:
+    policy-url: https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md
+documentation:
+- https://github.com/kubescape/kubescape/tree/master/docs
+distribution-points:
+- https://github.com/kubescape/kubescape/
+security-artifacts:
+  threat-model:
+    threat-model-created: false
+security-testing:
+- tool-type: sca
+  tool-name: Dependabot
+  tool-version: latest
+  integration:
+    ad-hoc: false
+    ci: true
+    before-release: true
+  comment: |
+    Dependabot is enabled for this repo.
+security-contacts:
+- type: email
+  value: cncf-kubescape-maintainers@lists.cncf.io
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  security-policy: https://github.com/kubescape/kubescape/security/policy
+  email-contact: cncf-kubescape-maintainers@lists.cncf.io
+  comment: |
+    The first and best way to report a vulnerability is by using private security issues in GitHub.

SECURITY.md

@@ -0,0 +1,7 @@
+# Reporting Security Issues
+
+To report a security issue or vulnerability, submit a [private vulnerability report via GitHub](https://github.com/kubescape/kubescape/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+The maintainers will respond within 7 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
+
+Other contacts: cncf-kubescape-maintainers@lists.cncf.io

build.py

@@ -1,82 +0,0 @@
-import os
-import sys
-import hashlib
-import platform
-import subprocess
-
-BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
-BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
-ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
-WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
-
-def checkStatus(status, msg):
-    if status != 0:
-        sys.stderr.write(msg)
-        exit(status)
-
-
-def getBuildDir():
-    currentPlatform = platform.system()
-    buildDir = "build/"
-
-    if currentPlatform == "Windows": buildDir += "windows-latest"
-    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
-    elif currentPlatform == "Darwin": buildDir += "macos-latest"
-    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
-
-    return buildDir
-
-def getPackageName():
-    packageName = "kubescape"
-    # if platform.system() == "Windows": packageName += ".exe"
-
-    return packageName
-
-
-def main():
-    print("Building Kubescape")
-
-    # print environment variables
-    print(os.environ)
-
-    # Set some variables
-    packageName = getPackageName()
-    buildUrl = "github.com/armosec/kubescape/cmd.BuildNumber"
-    releaseVersion = os.getenv("RELEASE")
-    ArmoBEServer = os.getenv("ArmoBEServer")
-    ArmoERServer = os.getenv("ArmoERServer")
-    ArmoWebsite = os.getenv("ArmoWebsite")
-
-    # Create build directory
-    buildDir = getBuildDir()
-
-    if not os.path.isdir(buildDir):
-        os.makedirs(buildDir)
-
-    # Build kubescape
-    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
-        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
-           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
-    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
-    checkStatus(status, "Failed to build kubescape")
-    
-    test_cli_prints(buildDir,packageName)
-
-
-    sha1 = hashlib.sha1()
-    with open(buildDir + "/" + packageName, "rb") as kube:
-        sha1.update(kube.read())
-        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
-            kube_sha.write(sha1.hexdigest())
-
-    print("Build Done")
-
-def test_cli_prints(buildDir,packageName):
-    bin_cli = os.path.abspath(os.path.join(buildDir,packageName))
-
-    print(f"testing CLI prints on {bin_cli}")
-    status = str(subprocess.check_output([bin_cli, "-h"]))
-    assert "download" in status, "download is missing: " + status    
-
-if __name__ == "__main__":
-    main()

build/Dockerfile

@@ -1,27 +1,22 @@
-FROM golang:1.17-alpine as builder
-#ENV GOPROXY=https://goproxy.io,direct
-ENV GO111MODULE=
-
-ENV CGO_ENABLED=0
-
-# Install required python/pip
-ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
-RUN python3 -m ensurepip
-RUN pip3 install --no-cache --upgrade pip setuptools
+FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
 
+ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
-ADD . .
+ARG TARGETOS TARGETARCH
 
-RUN python build.py
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    cd httphandler && GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/ksserver .
 
-RUN ls -ltr build/ubuntu-latest
-RUN cat /work/build/ubuntu-latest/kubescape.sha1
+FROM gcr.io/distroless/static-debian11:nonroot
 
-FROM alpine
-COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
+USER nonroot
+WORKDIR /home/nonroot/
 
-# # Download the frameworks. Use the "--use-default" flag when running kubescape
-# RUN kubescape download framework nsa && kubescape download framework mitre
+COPY --from=builder /out/ksserver /usr/bin/ksserver
 
-CMD ["kubescape"]
+ARG image_version client
+ENV RELEASE=$image_version CLIENT=$client
+
+ENTRYPOINT ["ksserver"]

build/Dockerfile.dockerignore

@@ -0,0 +1,2 @@
+.git
+kubescape*

build/README.md

@@ -0,0 +1,19 @@
+## Docker Build
+
+### Build your own Docker image
+
+1. Clone Project
+```
+git clone https://github.com/kubescape/kubescape.git kubescape && cd "$_"
+```
+
+2. Build kubescape CLI Docker image
+```
+make all
+docker buildx build -t kubescape-cli -f build/kubescape-cli.Dockerfile --build-arg="ks_binary=kubescape" --load .
+```
+
+3. Build kubescape Docker image
+```
+docker buildx build -t kubescape -f build/Dockerfile --load .
+```

build/kubescape-cli.Dockerfile

@@ -0,0 +1,12 @@
+FROM gcr.io/distroless/base-debian11:debug-nonroot
+
+USER nonroot
+WORKDIR /home/nonroot/
+
+ARG image_version client TARGETARCH
+ENV RELEASE=$image_version CLIENT=$client
+
+COPY kubescape-${TARGETARCH}-ubuntu-latest /usr/bin/kubescape
+RUN ["kubescape", "download", "artifacts"]
+
+ENTRYPOINT ["kubescape"]

build/kubescape-cli.Dockerfile.dockerignore

@@ -0,0 +1 @@
+.git

cautils/customerloader.go

@@ -1,439 +0,0 @@
-package cautils
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	corev1 "k8s.io/api/core/v1"
-)
-
-const (
-	configMapName  = "kubescape"
-	configFileName = "config"
-)
-
-func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
-
-// ======================================================================================
-// =============================== Config structure =====================================
-// ======================================================================================
-
-type ConfigObj struct {
-	CustomerGUID       string `json:"customerGUID"`
-	Token              string `json:"invitationParam"`
-	CustomerAdminEMail string `json:"adminMail"`
-}
-
-func (co *ConfigObj) Json() []byte {
-	if b, err := json.Marshal(co); err == nil {
-		return b
-	}
-	return []byte{}
-}
-
-// ======================================================================================
-// =============================== interface ============================================
-// ======================================================================================
-type IClusterConfig interface {
-	// setters
-	SetCustomerGUID(customerGUID string) error
-
-	// getters
-	GetCustomerGUID() string
-	GetConfigObj() *ConfigObj
-	GetK8sAPI() *k8sinterface.KubernetesApi
-	GetBackendAPI() getter.IBackend
-	GetDefaultNS() string
-	GenerateURL()
-}
-
-// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
-func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
-	/*
-
-		If "First run (local config not found)" -
-			Default - Do not send report (local)
-			Local - Do not send report
-			Submit - Create tenant & Submit report
-
-		If "Submitted but not signed up" -
-			Default	- Delete local config & Do not send report (local)
-			Local - Delete local config & Do not send report
-			Submit - Submit report
-
-		If "Signed up user" -
-			Default	- Submit report (submit)
-			Local - Do not send report
-			Submit - Submit report
-
-	*/
-	clusterConfig := NewClusterConfig(k8s, beAPI)
-	clusterConfig.LoadConfig()
-
-	if !IsSubmitted(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit - Create tenant & Submit report
-		}
-		return NewEmptyConfig() // local/default - Do not send report
-	}
-	if !IsRegistered(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit/default - Submit report
-		}
-		DeleteConfig(k8s)
-		return NewEmptyConfig() // local - Delete local config & Do not send report
-	}
-	if scanInfo.Local {
-		return NewEmptyConfig() // local - Do not send report
-	}
-	return clusterConfig // submit/default -  Submit report
-}
-
-// ======================================================================================
-// ============================= Mock Config ============================================
-// ======================================================================================
-type EmptyConfig struct {
-}
-
-func NewEmptyConfig() *EmptyConfig                               { return &EmptyConfig{} }
-func (c *EmptyConfig) GetConfigObj() *ConfigObj                  { return &ConfigObj{} }
-func (c *EmptyConfig) SetCustomerGUID(customerGUID string) error { return nil }
-func (c *EmptyConfig) GetCustomerGUID() string                   { return "" }
-func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi    { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetDefaultNS() string                      { return k8sinterface.GetDefaultNamespace() }
-func (c *EmptyConfig) GetBackendAPI() getter.IBackend            { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GenerateURL() {
-	message := fmt.Sprintf("You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here: https://%s", getter.GetArmoAPIConnector().GetFrontendURL())
-	InfoTextDisplay(os.Stdout, message+"\n")
-}
-
-// ======================================================================================
-// ========================== Cluster Config ============================================
-// ======================================================================================
-
-type ClusterConfig struct {
-	k8s        *k8sinterface.KubernetesApi
-	defaultNS  string
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
-}
-
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
-	return &ClusterConfig{
-		k8s:        k8s,
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-		defaultNS:  k8sinterface.GetDefaultNamespace(),
-	}
-}
-func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
-func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
-func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
-func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
-
-func (c *ClusterConfig) GenerateURL() {
-
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
-	if c.configObj == nil {
-		return
-	}
-	message := fmt.Sprintf("You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here: %s", u.String())
-	if c.configObj.CustomerAdminEMail != "" {
-		InfoTextDisplay(os.Stdout, message+"\n")
-		return
-	}
-	u.Path = "account/sign-up"
-	q := u.Query()
-	q.Add("invitationToken", c.configObj.Token)
-	q.Add("customerGUID", c.configObj.CustomerGUID)
-
-	u.RawQuery = q.Encode()
-	InfoTextDisplay(os.Stdout, message+"\n")
-
-}
-
-func (c *ClusterConfig) GetCustomerGUID() string {
-	if c.configObj != nil {
-		return c.configObj.CustomerGUID
-	}
-	return ""
-}
-
-func (c *ClusterConfig) SetCustomerGUID(customerGUID string) error {
-
-	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
-		c.configObj.CustomerGUID = customerGUID // override config customerGUID
-	}
-
-	customerGUID = c.GetCustomerGUID()
-
-	// get from armoBE
-	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			c.configObj.CustomerAdminEMail = tenantResponse.AdminMail
-		} else {
-			c.configObj.Token = tenantResponse.Token
-			c.configObj.CustomerGUID = tenantResponse.TenantID
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	// update/create config
-	if c.existsConfigMap() {
-		c.updateConfigMap()
-	} else {
-		c.createConfigMap()
-	}
-	if existsConfigFile() {
-		c.updateConfigFile()
-	} else {
-		c.createConfigFile()
-	}
-
-	return nil
-}
-
-func (c *ClusterConfig) LoadConfig() {
-	// get from configMap
-	if c.existsConfigMap() {
-		c.configObj, _ = c.loadConfigFromConfigMap()
-	} else if existsConfigFile() { // get from file
-		c.configObj, _ = loadConfigFromFile()
-	} else {
-		c.configObj = &ConfigObj{}
-	}
-}
-
-func (c *ClusterConfig) ToMapString() map[string]interface{} {
-	m := map[string]interface{}{}
-	bc, _ := json.Marshal(c.configObj)
-	json.Unmarshal(bc, &m)
-	return m
-}
-func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
-	if c.k8s == nil {
-		return nil, nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	if bData, err := json.Marshal(configMap.Data); err == nil {
-		return readConfig(bData)
-	}
-	return nil, nil
-}
-
-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	// TODO - check if has customerGUID
-	return err == nil
-}
-
-func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return "", err
-	}
-	if val, ok := configMap.Data[key]; ok {
-		return val, nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-}
-
-func GetValueFromConfigJson(key string) (string, error) {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return "", err
-	}
-	var obj map[string]interface{}
-	if err := json.Unmarshal(data, &obj); err != nil {
-		return "", err
-	}
-	if val, ok := obj[key]; ok {
-		return fmt.Sprint(val), nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-
-}
-
-func SetKeyValueInConfigJson(key string, value string) error {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return err
-	}
-	var obj map[string]interface{}
-	err = json.Unmarshal(data, &obj)
-
-	if err != nil {
-		return err
-	}
-	obj[key] = value
-	newData, err := json.Marshal(obj)
-	if err != nil {
-		return err
-	}
-
-	return os.WriteFile(ConfigFileFullPath(), newData, 0664)
-
-}
-
-func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: configMapName,
-			},
-		}
-	}
-
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-
-	configMap.Data[key] = value
-
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
-
-	return err
-}
-
-func existsConfigFile() bool {
-	_, err := os.ReadFile(ConfigFileFullPath())
-	return err == nil
-}
-
-func (c *ClusterConfig) createConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: configMapName,
-		},
-	}
-	c.updateConfigData(configMap)
-
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return err
-	}
-
-	c.updateConfigData(configMap)
-
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigFile() error {
-	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (c *ClusterConfig) createConfigFile() error {
-	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-	m := c.ToMapString()
-	for k, v := range m {
-		if s, ok := v.(string); ok {
-			configMap.Data[k] = s
-		}
-	}
-}
-func loadConfigFromFile() (*ConfigObj, error) {
-	dat, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return nil, err
-	}
-
-	return readConfig(dat)
-}
-func readConfig(dat []byte) (*ConfigObj, error) {
-
-	if len(dat) == 0 {
-		return nil, nil
-	}
-	configObj := &ConfigObj{}
-	err := json.Unmarshal(dat, configObj)
-
-	return configObj, err
-}
-
-// Check if the customer is submitted
-func IsSubmitted(clusterConfig *ClusterConfig) bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
-}
-
-// Check if the customer is registered
-func IsRegistered(clusterConfig *ClusterConfig) bool {
-
-	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			return true
-		}
-	}
-	return false
-}
-
-func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
-	if err := DeleteConfigMap(k8s); err != nil {
-		return err
-	}
-	if err := DeleteConfigFile(); err != nil {
-		return err
-	}
-	return nil
-}
-func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
-	return k8s.KubernetesClient.CoreV1().ConfigMaps(k8sinterface.GetDefaultNamespace()).Delete(context.Background(), configMapName, metav1.DeleteOptions{})
-}
-
-func DeleteConfigFile() error {
-	return os.Remove(ConfigFileFullPath())
-}

cautils/datastructures.go

@@ -1,51 +0,0 @@
-package cautils
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// K8SResources map[<api group>/<api version>/<resource>]<resource object>
-type K8SResources map[string]interface{}
-
-type OPASessionObj struct {
-	Frameworks    []reporthandling.Framework
-	K8SResources  *K8SResources
-	Exceptions    []armotypes.PostureExceptionPolicy
-	PostureReport *reporthandling.PostureReport
-}
-
-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   frameworks,
-		K8SResources: k8sResources,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  ClusterName,
-			CustomerGUID: CustomerGUID,
-		},
-	}
-}
-
-func NewOPASessionObjMock() *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   nil,
-		K8SResources: nil,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  "",
-			CustomerGUID: "",
-			ReportID:     "",
-			JobID:        "",
-		},
-	}
-}
-
-type ComponentConfig struct {
-	Exceptions Exception `json:"exceptions"`
-}
-
-type Exception struct {
-	Ignore        *bool                      `json:"ignore"`        // ignore test results
-	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
-	Namespaces    []string                   `json:"namespaces"`
-	Regex         string                     `json:"regex"` // not supported
-}

cautils/display.go

@@ -1,79 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/briandowns/spinner"
-	"github.com/fatih/color"
-	"github.com/mattn/go-isatty"
-)
-
-var silent = false
-
-func SetSilentMode(s bool) {
-	silent = s
-}
-
-func IsSilent() bool {
-	return silent
-}
-
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New().FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
-
-var Spinner *spinner.Spinner
-
-func ScanStartDisplay() {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "ARMO security scanner starting\n")
-}
-
-func SuccessTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[success] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ErrorDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[Error] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ProgressTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "[progress] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-func StartSpinner() {
-	if !IsSilent() && isatty.IsTerminal(os.Stdout.Fd()) {
-		Spinner = spinner.New(spinner.CharSets[7], 100*time.Millisecond) // Build our new spinner
-		Spinner.Start()
-	}
-}
-
-func StopSpinner() {
-	if Spinner == nil {
-		return
-	}
-	Spinner.Stop()
-}

cautils/downloadinfo.go

@@ -1,6 +0,0 @@
-package cautils
-
-type DownloadInfo struct {
-	Path          string
-	FrameworkName string
-}

cautils/environments.go

@@ -1,11 +0,0 @@
-package cautils
-
-// CA environment vars
-var (
-	CustomerGUID          = ""
-	ClusterName           = ""
-	EventReceiverURL      = ""
-	NotificationServerURL = ""
-	DashboardBackendURL   = ""
-	RestAPIPort           = "4001"
-)

cautils/getter/armoapi.go

@@ -1,148 +0,0 @@
-package getter
-
-import (
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/golang/glog"
-)
-
-// =======================================================================================================================
-// =============================================== ArmoAPI ===============================================================
-// =======================================================================================================================
-
-var (
-	// ATTENTION!!!
-	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
-	armoERURL = "report.armo.cloud"
-	armoBEURL = "api.armo.cloud"
-	armoFEURL = "portal.armo.cloud"
-
-	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
-	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui.eudev3.cyberarmorsoft.com"
-)
-
-// Armo API for downloading policies
-type ArmoAPI struct {
-	httpClient *http.Client
-	apiURL     string
-	erURL      string
-	feURL      string
-}
-
-var globalArmoAPIConnecctor *ArmoAPI
-
-func SetARMOAPIConnector(armoAPI *ArmoAPI) {
-	globalArmoAPIConnecctor = armoAPI
-}
-
-func GetArmoAPIConnector() *ArmoAPI {
-	if globalArmoAPIConnecctor == nil {
-		glog.Error("returning nil API connector")
-	}
-	return globalArmoAPIConnecctor
-}
-
-func NewARMOAPIDev() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoDevBEURL
-	apiObj.erURL = armoDevERURL
-	apiObj.feURL = armoDevFEURL
-
-	return apiObj
-}
-
-func NewARMOAPIProd() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoBEURL
-	apiObj.erURL = armoERURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.erURL = armoERURL
-	apiObj.apiURL = armoBEURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func newArmoAPI() *ArmoAPI {
-	return &ArmoAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
-	}
-}
-
-func (armoAPI *ArmoAPI) GetFrontendURL() string {
-	return armoAPI.feURL
-}
-
-func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
-	return armoAPI.erURL
-}
-
-func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
-	if err != nil {
-		return nil, err
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return nil, err
-	}
-	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
-
-	return framework, err
-}
-
-func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	exceptions := []armotypes.PostureExceptionPolicy{}
-	if customerGUID == "" {
-		return exceptions, nil
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
-		return nil, err
-	}
-
-	return exceptions, nil
-}
-
-func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
-	url := armoAPI.getCustomerURL()
-	if customerGUID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url)
-	if err != nil {
-		return nil, err
-	}
-	tenant := &TenantResponse{}
-	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
-		return nil, err
-	}
-
-	return tenant, nil
-}
-
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
-}

cautils/getter/armoapiutils.go

@@ -1,44 +0,0 @@
-package getter
-
-import (
-	"net/url"
-	"strings"
-)
-
-func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
-	q.Add("frameworkName", strings.ToUpper(frameworkName))
-	q.Add("getRules", "true")
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoPostureExceptions"
-
-	q := u.Query()
-	q.Add("customerGUID", customerGUID)
-	// if clusterName != "" { // TODO - fix customer name support in Armo BE
-	// 	q.Add("clusterName", clusterName)
-	// }
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getCustomerURL() string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/createTenant"
-	return u.String()
-}

cautils/getter/downloadreleasedpolicy.go

@@ -1,86 +0,0 @@
-package getter
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// =======================================================================================================================
-// ======================================== DownloadReleasedPolicy =======================================================
-// =======================================================================================================================
-
-// Download released version
-type DownloadReleasedPolicy struct {
-	hostURL    string
-	httpClient *http.Client
-}
-
-func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
-	return &DownloadReleasedPolicy{
-		hostURL:    "",
-		httpClient: &http.Client{Timeout: 61 * time.Second},
-	}
-}
-
-func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
-	if err := drp.setURL(name); err != nil {
-		return nil, err
-	}
-	respStr, err := HttpGetter(drp.httpClient, drp.hostURL)
-	if err != nil {
-		return nil, err
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return framework, err
-	}
-
-	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
-	return framework, err
-}
-
-func (drp *DownloadReleasedPolicy) setURL(frameworkName string) error {
-
-	latestReleases := "https://api.github.com/repos/armosec/regolibrary/releases/latest"
-	resp, err := http.Get(latestReleases)
-	if err != nil {
-		return fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestReleases, err.Error())
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode < 200 || 301 < resp.StatusCode {
-		return fmt.Errorf("failed to download file, status code: %s", resp.Status)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("failed to read response body from '%s', reason: %s", latestReleases, err.Error())
-	}
-	var data map[string]interface{}
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		return fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestReleases, err.Error())
-	}
-
-	if assets, ok := data["assets"].([]interface{}); ok {
-		for i := range assets {
-			if asset, ok := assets[i].(map[string]interface{}); ok {
-				if name, ok := asset["name"].(string); ok {
-					if name == frameworkName {
-						if url, ok := asset["browser_download_url"].(string); ok {
-							drp.hostURL = url
-							return nil
-						}
-					}
-				}
-			}
-		}
-	}
-	return fmt.Errorf("failed to download '%s' - not found", frameworkName)
-
-}

cautils/getter/getpolicies.go

@@ -1,17 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-}
-
-type IExceptionsGetter interface {
-	GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error)
-}
-type IBackend interface {
-	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
-}

cautils/getter/getpoliciesutils.go

@@ -1,100 +0,0 @@
-package getter
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-func GetDefaultPath(name string) string {
-	defaultfilePath := filepath.Join(DefaultLocalStore, name)
-	if homeDir, err := os.UserHomeDir(); err == nil {
-		defaultfilePath = filepath.Join(homeDir, defaultfilePath)
-	}
-	return defaultfilePath
-}
-
-func SaveFrameworkInFile(framework *reporthandling.Framework, pathStr string) error {
-	encodedData, err := json.Marshal(framework)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *json.Decoder {
-	dec := json.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-	return dec
-}
-
-func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
-
-	req, err := http.NewRequest("GET", fullURL, nil)
-	if err != nil {
-		return "", err
-	}
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	respStr, err := httpRespToString(resp)
-	if err != nil {
-		return "", err
-	}
-	return respStr, nil
-}
-
-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
-func httpRespToString(resp *http.Response) (string, error) {
-	if resp == nil || resp.Body == nil {
-		return "", nil
-	}
-	strBuilder := strings.Builder{}
-	defer resp.Body.Close()
-	if resp.ContentLength > 0 {
-		strBuilder.Grow(int(resp.ContentLength))
-	}
-	bytesNum, err := io.Copy(&strBuilder, resp.Body)
-	respStr := strBuilder.String()
-	if err != nil {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-
-	return respStr, err
-}

cautils/getter/loadpolicy.go

@@ -1,54 +0,0 @@
-package getter
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// =======================================================================================================================
-// ============================================== LoadPolicy =============================================================
-// =======================================================================================================================
-const DefaultLocalStore = ".kubescape"
-
-// Load policies from a local repository
-type LoadPolicy struct {
-	filePath string
-}
-
-func NewLoadPolicy(filePath string) *LoadPolicy {
-	return &LoadPolicy{
-		filePath: filePath,
-	}
-}
-
-func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-
-	framework := &reporthandling.Framework{}
-	f, err := os.ReadFile(lp.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	err = json.Unmarshal(f, framework)
-	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
-		return nil, fmt.Errorf("framework from file not matching")
-	}
-	return framework, err
-}
-
-func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-
-	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := os.ReadFile(lp.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	err = json.Unmarshal(f, &exception)
-	return exception, err
-}

cautils/reporterutils.go

@@ -1,5 +0,0 @@
-package cautils
-
-const (
-	ComponentIdentifier = "Posture"
-)

cautils/scaninfo.go

@@ -1,90 +0,0 @@
-package cautils
-
-import (
-	"path/filepath"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type ScanInfo struct {
-	Getters
-	PolicyIdentifier   reporthandling.PolicyIdentifier
-	UseExceptions      string   // Load exceptions configuration
-	UseFrom            string   // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
-	Format             string   // Format results (table, json, junit ...)
-	Output             string   // Store results in an output file, Output file name
-	ExcludedNamespaces string   // DEPRECATED?
-	InputPatterns      []string // Yaml files input patterns
-	Silent             bool     // Silent mode - Do not print progress logs
-	FailThreshold      uint16   // Failure score threshold
-	Submit             bool     // Submit results to Armo BE
-	Local              bool     // Do not submit results
-	Account            string   // account ID
-}
-
-type Getters struct {
-	ExceptionsGetter getter.IExceptionsGetter
-	PolicyGetter     getter.IPolicyGetter
-}
-
-func (scanInfo *ScanInfo) Init() {
-	scanInfo.setUseFrom()
-	scanInfo.setUseExceptions()
-	scanInfo.setOutputFile()
-	scanInfo.setGetter()
-
-}
-
-func (scanInfo *ScanInfo) setUseExceptions() {
-	if scanInfo.UseExceptions != "" {
-		// load exceptions from file
-		scanInfo.ExceptionsGetter = getter.NewLoadPolicy(scanInfo.UseExceptions)
-	} else {
-		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
-	}
-
-}
-func (scanInfo *ScanInfo) setUseFrom() {
-	if scanInfo.UseFrom != "" {
-		return
-	}
-	if scanInfo.UseDefault {
-		scanInfo.UseFrom = getter.GetDefaultPath(scanInfo.PolicyIdentifier.Name + ".json")
-	}
-
-}
-func (scanInfo *ScanInfo) setGetter() {
-	if scanInfo.UseFrom != "" {
-		// load from file
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
-	}
-}
-
-func (scanInfo *ScanInfo) setOutputFile() {
-	if scanInfo.Output == "" {
-		return
-	}
-	if scanInfo.Format == "json" {
-		if filepath.Ext(scanInfo.Output) != ".json" {
-			scanInfo.Output += ".json"
-		}
-	}
-	if scanInfo.Format == "junit" {
-		if filepath.Ext(scanInfo.Output) != ".xml" {
-			scanInfo.Output += ".xml"
-		}
-	}
-}
-
-func (scanInfo *ScanInfo) ScanRunningCluster() bool {
-	return len(scanInfo.InputPatterns) == 0
-}
-
-// func (scanInfo *ScanInfo) ConnectedToCluster(k8s k8sinterface.) bool {
-// 	_, err := k8s.KubernetesClient.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{})
-// 	return err == nil
-// }

cautils/strutils.go

@@ -1,44 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"strings"
-)
-
-const ValueNotFound = -1
-
-func ConvertLabelsToString(labels map[string]string) string {
-	labelsStr := ""
-	delimiter := ""
-	for k, v := range labels {
-		labelsStr += fmt.Sprintf("%s%s=%s", delimiter, k, v)
-		delimiter = ";"
-	}
-	return labelsStr
-}
-
-// ConvertStringToLabels convert a string "a=b;c=d" to map: {"a":"b", "c":"d"}
-func ConvertStringToLabels(labelsStr string) map[string]string {
-	labels := make(map[string]string)
-	labelsSlice := strings.Split(labelsStr, ";")
-	if len(labelsSlice)%2 != 0 {
-		return labels
-	}
-	for i := range labelsSlice {
-		kvSlice := strings.Split(labelsSlice[i], "=")
-		if len(kvSlice) != 2 {
-			continue
-		}
-		labels[kvSlice[0]] = kvSlice[1]
-	}
-	return labels
-}
-
-func StringInSlice(strSlice []string, str string) int {
-	for i := range strSlice {
-		if strSlice[i] == str {
-			return i
-		}
-	}
-	return ValueNotFound
-}

cautils/strutils_test.go

@@ -1,35 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-)
-
-func TestConvertLabelsToString(t *testing.T) {
-	str := "a=b;c=d"
-	strMap := map[string]string{"a": "b", "c": "d"}
-	rsrt := ConvertLabelsToString(strMap)
-	spilltedA := strings.Split(rsrt, ";")
-	spilltedB := strings.Split(str, ";")
-	for i := range spilltedA {
-		exists := false
-		for j := range spilltedB {
-			if spilltedB[j] == spilltedA[i] {
-				exists = true
-			}
-		}
-		if !exists {
-			t.Errorf("%s != %s", spilltedA[i], spilltedB[i])
-		}
-	}
-}
-
-func TestConvertStringToLabels(t *testing.T) {
-	str := "a=b;c=d"
-	strMap := map[string]string{"a": "b", "c": "d"}
-	rstrMap := ConvertStringToLabels(str)
-	if fmt.Sprintf("%v", rstrMap) != fmt.Sprintf("%v", strMap) {
-		t.Errorf("%s != %s", fmt.Sprintf("%v", rstrMap), fmt.Sprintf("%v", strMap))
-	}
-}

cmd/cluster.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// clusterCmd represents the cluster command
-var clusterCmd = &cobra.Command{
-	Use:   "cluster",
-	Short: "Set configuration for cluster",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(clusterCmd)
-}

cmd/cluster_get.go

@@ -1,50 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var getCmd = &cobra.Command{
-	Use:       "get <key>",
-	Short:     "Get configuration in cluster",
-	Long:      ``,
-	ValidArgs: supportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(getCmd)
-}

cmd/cluster_set.go

@@ -1,44 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var setCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration in cluster",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(setCmd)
-}

cmd/completion/completion.go

@@ -0,0 +1,53 @@
+package completion
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+var completionCmdExamples = fmt.Sprintf(`
+  # Enable BASH shell autocompletion
+  $ source <(%[1]s completion bash)
+  $ echo 'source <(%[1]s completion bash)' >> ~/.bashrc
+
+  # Enable ZSH shell autocompletion
+  $ source <(%[1]s completion zsh)
+  $ echo 'source <(%[1]s completion zsh)' >> "${fpath[1]}/_%[1]s"
+`, cautils.ExecName())
+
+func GetCompletionCmd() *cobra.Command {
+	completionCmd := &cobra.Command{
+		Use:                   "completion [bash|zsh|fish|powershell]",
+		Short:                 "Generate autocompletion script",
+		Long:                  "To load completions",
+		Example:               completionCmdExamples,
+		DisableFlagsInUseLine: true,
+		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
+		Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+		Run: func(cmd *cobra.Command, args []string) {
+			// Check if args array is not empty
+			if len(args) == 0 {
+				fmt.Println("No arguements provided.")
+				return
+			}
+
+			switch strings.ToLower(args[0]) {
+			case "bash":
+				cmd.Root().GenBashCompletion(os.Stdout)
+			case "zsh":
+				cmd.Root().GenZshCompletion(os.Stdout)
+			case "fish":
+				cmd.Root().GenFishCompletion(os.Stdout, true)
+			case "powershell":
+				cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+			default:
+				fmt.Printf("Invalid arguement %s", args[0])
+			}
+		},
+	}
+	return completionCmd
+}

cmd/completion/completion_test.go

@@ -0,0 +1,187 @@
+package completion
+
+import (
+	"io"
+	"os"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+// Generates autocompletion script for valid shell types
+func TestGetCompletionCmd(t *testing.T) {
+	// Arrange
+	completionCmd := GetCompletionCmd()
+	assert.Equal(t, "completion [bash|zsh|fish|powershell]", completionCmd.Use)
+	assert.Equal(t, "Generate autocompletion script", completionCmd.Short)
+	assert.Equal(t, "To load completions", completionCmd.Long)
+	assert.Equal(t, completionCmdExamples, completionCmd.Example)
+	assert.Equal(t, true, completionCmd.DisableFlagsInUseLine)
+	assert.Equal(t, []string{"bash", "zsh", "fish", "powershell"}, completionCmd.ValidArgs)
+}
+
+func TestGetCompletionCmd_RunExpectedOutputs(t *testing.T) {
+	tests := []struct {
+		name string
+		args []string
+		want string
+	}{
+		{
+			name: "Unknown completion",
+			args: []string{"unknown"},
+			want: "Invalid arguement unknown",
+		},
+		{
+			name: "Empty arguements",
+			args: []string{},
+			want: "No arguements provided.\n",
+		},
+	}
+
+	completionCmd := GetCompletionCmd()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			completionCmd.Run(&cobra.Command{}, tt.args)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestGetCompletionCmd_RunNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "No arguments provided."
+	notExpectedOutput2 := "No arguments provided."
+
+	tests := []struct {
+		name string
+		args []string
+	}{
+		{
+			name: "Bash completion",
+			args: []string{"bash"},
+		},
+		{
+			name: "Zsh completion",
+			args: []string{"zsh"},
+		},
+		{
+			name: "Fish completion",
+			args: []string{"fish"},
+		},
+		{
+			name: "PowerShell completion",
+			args: []string{"powershell"},
+		},
+	}
+
+	completionCmd := GetCompletionCmd()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			completionCmd.Run(&cobra.Command{}, tt.args)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.NotEqual(t, notExpectedOutput1, string(got))
+			assert.NotEqual(t, notExpectedOutput2, string(got))
+		})
+	}
+}
+
+func TestGetCompletionCmd_RunBashCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for bash completion test 1."
+	notExpectedOutput2 := "Unexpected output for bash completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"bash"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunZshCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for zsh completion test 1."
+	notExpectedOutput2 := "Unexpected output for zsh completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"zsh"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunFishCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for fish completion test 1."
+	notExpectedOutput2 := "Unexpected output for fish completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"fish"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunPowerShellCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for powershell completion test 1."
+	notExpectedOutput2 := "Unexpected output for powershell completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"powershell"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}

cmd/config.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// configCmd represents the config command
-var configCmd = &cobra.Command{
-	Use:   "config",
-	Short: "Set configuration",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(configCmd)
-}

cmd/config/config.go

@@ -0,0 +1,45 @@
+package config
+
+import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var (
+	configExample = fmt.Sprintf(`
+  # View cached configurations 
+  %[1]s config view
+
+  # Delete cached configurations
+  %[1]s config delete
+
+  # Set cached configurations
+  %[1]s config set --help
+`, cautils.ExecName())
+	setConfigExample = fmt.Sprintf(`
+  # Set account id
+  %[1]s config set accountID <account id>
+
+  # Set cloud report URL
+  %[1]s config set cloudReportURL <cloud Report URL>
+`, cautils.ExecName())
+)
+
+func GetConfigCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configCmd := &cobra.Command{
+		Use:     "config",
+		Short:   "Handle cached configurations",
+		Example: configExample,
+	}
+
+	configCmd.AddCommand(getDeleteCmd(ks))
+	configCmd.AddCommand(getSetCmd(ks))
+	configCmd.AddCommand(getViewCmd(ks))
+
+	return configCmd
+}

cmd/config/config_test.go

@@ -0,0 +1,44 @@
+package config
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetConfigCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := GetConfigCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "config", configCmd.Use)
+	assert.Equal(t, "Handle cached configurations", configCmd.Short)
+	assert.Equal(t, configExample, configCmd.Example)
+
+	// Verify that the subcommands are added correctly
+	assert.Equal(t, 3, len(configCmd.Commands()))
+
+	for _, subcmd := range configCmd.Commands() {
+		switch subcmd.Name() {
+		case "delete":
+			// Verify that the delete subcommand is added correctly
+			assert.Equal(t, "delete", subcmd.Use)
+			assert.Equal(t, "Delete cached configurations", subcmd.Short)
+		case "set":
+			// Verify that the set subcommand is added correctly
+			assert.Equal(t, "set", subcmd.Use)
+			assert.Equal(t, "Set configurations, supported: "+strings.Join(stringKeysToSlice(supportConfigSet), "/"), subcmd.Short)
+		case "view":
+			// Verify that the view subcommand is added correctly
+			assert.Equal(t, "view", subcmd.Use)
+			assert.Equal(t, "View cached configurations", subcmd.Short)
+		default:
+			t.Errorf("Unexpected subcommand name: %s", subcmd.Name())
+		}
+	}
+}

cmd/config/delete.go

@@ -0,0 +1,23 @@
+package config
+
+import (
+	"context"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
+	return &cobra.Command{
+		Use:   "delete",
+		Short: "Delete cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.DeleteCachedConfig(context.TODO(), &v1.DeleteConfig{}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/config/delete_test.go

@@ -0,0 +1,21 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetDeleteCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := getDeleteCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "delete", configCmd.Use)
+	assert.Equal(t, "Delete cached configurations", configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+}

cmd/config/set.go

@@ -0,0 +1,77 @@
+package config
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getSetCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configSetCmd := &cobra.Command{
+		Use:       "set",
+		Short:     fmt.Sprintf("Set configurations, supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/")),
+		Example:   setConfigExample,
+		ValidArgs: stringKeysToSlice(supportConfigSet),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			setConfig, err := parseSetArgs(args)
+			if err != nil {
+				return err
+			}
+			if err := ks.SetCachedConfig(setConfig); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	return configSetCmd
+}
+
+var supportConfigSet = map[string]func(*metav1.SetConfig, string){
+	"accessKey":      func(s *metav1.SetConfig, accessKey string) { s.AccessKey = accessKey },
+	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
+	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
+	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
+}
+
+func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {
+	keys := []string{}
+	for key := range m {
+		keys = append(keys, key)
+	}
+
+	// Sort the keys of the map
+	sort.Strings(keys)
+
+	l := []string{}
+	l = append(l, keys...)
+	return l
+}
+
+func parseSetArgs(args []string) (*metav1.SetConfig, error) {
+	var key string
+	var value string
+	if len(args) == 1 {
+		if keyValue := strings.Split(args[0], "="); len(keyValue) == 2 {
+			key = keyValue[0]
+			value = keyValue[1]
+		}
+	} else if len(args) == 2 {
+		key = args[0]
+		value = args[1]
+	}
+	setConfig := &metav1.SetConfig{}
+
+	if setConfigFunc, ok := supportConfigSet[key]; ok {
+		setConfigFunc(setConfig, value)
+	} else {
+		return setConfig, fmt.Errorf("key '%s' unknown . supported: %s", key, strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	}
+	return setConfig, nil
+}

cmd/config/set_test.go

@@ -0,0 +1,81 @@
+package config
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetSetCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configSetCmd := getSetCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "set", configSetCmd.Use)
+	assert.Equal(t, "Set configurations, supported: "+strings.Join(stringKeysToSlice(supportConfigSet), "/"), configSetCmd.Short)
+	assert.Equal(t, setConfigExample, configSetCmd.Example)
+	assert.Equal(t, stringKeysToSlice(supportConfigSet), configSetCmd.ValidArgs)
+
+	err := configSetCmd.RunE(&cobra.Command{}, []string{"accountID=value1"})
+	assert.Nil(t, err)
+
+	err = configSetCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "key '' unknown . supported: accessKey/accountID/cloudAPIURL/cloudReportURL"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+// Should return a slice of keys when given a non-empty map
+func TestStringKeysToSlice(t *testing.T) {
+	m := map[string]func(*metav1.SetConfig, string){
+		"key1": nil,
+		"key2": nil,
+		"key3": nil,
+	}
+	result := stringKeysToSlice(m)
+	expected := []string{"key1", "key2", "key3"}
+	assert.ElementsMatch(t, expected, result)
+}
+
+func TestParseSetArgs_InvalidFormat(t *testing.T) {
+	args := []string{"key"}
+	setConfig, err := parseSetArgs(args)
+	assert.Equal(t, "", setConfig.Account)
+	assert.Equal(t, "", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+
+	expectedErrorMessage := fmt.Sprintf("key '' unknown . supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestParseSetArgs_AccessKey(t *testing.T) {
+	args := []string{"accessKey", "value1"}
+	setConfig, _ := parseSetArgs(args)
+	assert.Equal(t, "", setConfig.Account)
+	assert.Equal(t, "value1", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+}
+
+func TestParseSetArgs_Single(t *testing.T) {
+	args := []string{"accountID=value1"}
+	setConfig, _ := parseSetArgs(args)
+	assert.Equal(t, "value1", setConfig.Account)
+	assert.Equal(t, "", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+}
+
+func TestParseSetArgs_InvalidKey(t *testing.T) {
+	args := []string{"invalidKey=value1"}
+	_, err := parseSetArgs(args)
+	assert.Equal(t, "key 'invalidKey' unknown . supported: accessKey/accountID/cloudAPIURL/cloudReportURL", err.Error())
+}

cmd/config/view.go

@@ -0,0 +1,25 @@
+package config
+
+import (
+	"os"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getViewCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	return &cobra.Command{
+		Use:   "view",
+		Short: "View cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.ViewCachedConfig(&v1.ViewConfig{Writer: os.Stdout}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/config/view_test.go

@@ -0,0 +1,21 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetViewCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := getViewCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "view", configCmd.Use)
+	assert.Equal(t, "View cached configurations", configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+}

cmd/download.go

@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var downloadInfo cautils.DownloadInfo
-
-var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework <framework-name> [flags]\nSupported frameworks: %s", validFrameworks),
-	Short: "Download framework controls",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) != 2 {
-			return fmt.Errorf("requires two arguments : framework <framework-name>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		downloadInfo.FrameworkName = args[1]
-		g := getter.NewDownloadReleasedPolicy()
-		if downloadInfo.Path == "" {
-			downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
-		}
-		frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
-		if err != nil {
-			return err
-		}
-		err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
-		if err != nil {
-			return err
-		}
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(downloadCmd)
-	downloadInfo = cautils.DownloadInfo{}
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
-}

cmd/download/download.go

@@ -0,0 +1,100 @@
+package download
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+)
+
+var (
+	downloadExample = fmt.Sprintf(`
+  # Download all artifacts and save them in the default path (~/.kubescape)
+  %[1]s download artifacts
+  
+  # Download all artifacts and save them in /tmp path
+  %[1]s download artifacts --output /tmp
+  
+  # Download the NSA framework. Run '%[1]s list frameworks' for all frameworks names
+  %[1]s download framework nsa
+
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control "C-0001"
+
+  # Download the "C-0001" control. Run '%[1]s list controls --id' for all controls ids
+  %[1]s download control C-0001
+
+  # Download the configured exceptions
+  %[1]s download exceptions 
+
+  # Download the configured controls-inputs 
+  %[1]s download controls-inputs 
+`, cautils.ExecName())
+)
+
+func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
+	var downloadInfo = v1.DownloadInfo{}
+
+	downloadCmd := &cobra.Command{
+		Use:     "download <policy> <policy name>",
+		Short:   fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")),
+		Long:    ``,
+		Example: downloadExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.DownloadSupportCommands(), ",")
+			if len(args) < 1 {
+				return fmt.Errorf("policy type required, supported: %v", supported)
+			}
+			if !slices.Contains(core.DownloadSupportCommands(), args[0]) {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationDownload(&downloadInfo); err != nil {
+				return err
+			}
+
+			if filepath.Ext(downloadInfo.Path) == ".json" {
+				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
+			}
+
+			if len(args) == 0 {
+				return fmt.Errorf("no arguements provided")
+			}
+
+			downloadInfo.Target = args[0]
+			if len(args) >= 2 {
+
+				downloadInfo.Identifier = args[1]
+
+			}
+			if err := ks.Download(context.TODO(), &downloadInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
+
+	return downloadCmd
+}
+
+// Check if the flag entered are valid
+func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
+
+	// Validate the user's credentials
+	return cautils.ValidateAccountID(downloadInfo.AccountID)
+}

cmd/download/download_test.go

@@ -0,0 +1,102 @@
+package download
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetViewCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := GetDownloadCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "download <policy> <policy name>", configCmd.Use)
+	assert.Equal(t, fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")), configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+	assert.Equal(t, downloadExample, configCmd.Example)
+}
+
+func TestGetViewCmd_Args(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	downloadCmd := GetDownloadCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "download <policy> <policy name>", downloadCmd.Use)
+	assert.Equal(t, fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")), downloadCmd.Short)
+	assert.Equal(t, "", downloadCmd.Long)
+	assert.Equal(t, downloadExample, downloadCmd.Example)
+
+	err := downloadCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "no arguements provided"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.RunE(&cobra.Command{}, []string{"config"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage = "policy type required, supported: artifacts,attack-tracks,control,controls-inputs,exceptions,framework"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"invalid"})
+	expectedErrorMessage = "invalid parameter 'invalid'. Supported parameters: artifacts,attack-tracks,control,controls-inputs,exceptions,framework"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"attack-tracks"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "random.json"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "C-0001"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "C-0001", "C-0002"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.RunE(&cobra.Command{}, []string{"control", "C-0001", "C-0002"})
+	assert.Nil(t, err)
+}
+
+func TestFlagValidationDownload_NoError(t *testing.T) {
+	downloadInfo := v1.DownloadInfo{
+		AccessKey: "",
+		AccountID: "",
+	}
+	assert.Equal(t, nil, flagValidationDownload(&downloadInfo))
+}
+
+func TestFlagValidationDownload_Error(t *testing.T) {
+	tests := []struct {
+		downloadInfo v1.DownloadInfo
+	}{
+		{
+			downloadInfo: v1.DownloadInfo{
+				AccountID: "12345678",
+			},
+		},
+		{
+			downloadInfo: v1.DownloadInfo{
+				AccountID: "New",
+			},
+		},
+	}
+	want := "bad argument: accound ID must be a valid UUID"
+	for _, tt := range tests {
+		t.Run(tt.downloadInfo.AccountID, func(t *testing.T) {
+			assert.Equal(t, want, flagValidationDownload(&tt.downloadInfo).Error())
+		})
+	}
+}

cmd/fix/fix.go

@@ -0,0 +1,48 @@
+package fix
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+var fixCmdExamples = fmt.Sprintf(`
+  Fix command is for fixing kubernetes manifest files based on a scan command output.
+  Use with caution, this command will change your files in-place.
+
+  # Fix kubernetes YAML manifest files based on a scan command output (output.json)
+  1) %[1]s scan . --format json --output output.json
+  2) %[1]s fix output.json
+
+`, cautils.ExecName())
+
+func GetFixCmd(ks meta.IKubescape) *cobra.Command {
+	var fixInfo metav1.FixInfo
+
+	fixCmd := &cobra.Command{
+		Use:     "fix <report output file>",
+		Short:   "Propose a fix for the misconfiguration found when scanning Kubernetes manifest files",
+		Long:    ``,
+		Example: fixCmdExamples,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("report output file is required")
+			}
+			fixInfo.ReportFile = args[0]
+
+			return ks.Fix(context.TODO(), &fixInfo)
+		},
+	}
+
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.NoConfirm, "no-confirm", false, "No confirmation will be given to the user before applying the fix (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.DryRun, "dry-run", false, "No changes will be applied (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.SkipUserValues, "skip-user-values", true, "Changes which involve user-defined values will be skipped")
+
+	return fixCmd
+}

cmd/fix/fix_test.go

@@ -0,0 +1,30 @@
+package fix
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetFixCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetFixCmd function
+	fixCmd := GetFixCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "fix <report output file>", fixCmd.Use)
+	assert.Equal(t, "Propose a fix for the misconfiguration found when scanning Kubernetes manifest files", fixCmd.Short)
+	assert.Equal(t, "", fixCmd.Long)
+	assert.Equal(t, fixCmdExamples, fixCmd.Example)
+
+	err := fixCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "report output file is required"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = fixCmd.RunE(&cobra.Command{}, []string{"random-file.json"})
+	assert.Nil(t, err)
+}

cmd/framework.go

@@ -1,197 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/opaprocessor"
-	"github.com/armosec/kubescape/policyhandler"
-	"github.com/armosec/kubescape/resultshandling"
-	"github.com/armosec/kubescape/resultshandling/printer"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	"github.com/armosec/opa-utils/reporthandling"
-
-	"github.com/spf13/cobra"
-)
-
-var scanInfo cautils.ScanInfo
-var supportedFrameworks = []string{"nsa", "mitre"}
-var validFrameworks = strings.Join(supportedFrameworks, ", ")
-
-type CLIHandler struct {
-	policyHandler *policyhandler.PolicyHandler
-	scanInfo      *cautils.ScanInfo
-}
-
-var frameworkCmd = &cobra.Command{
-
-	Use:       fmt.Sprintf("framework <framework name> [`<glob pattern>`/`-`] [flags]\nSupported frameworks: %s", validFrameworks),
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(supportedFrameworks, ", ")),
-	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: supportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
-			return fmt.Errorf("requires at least one argument")
-		} else if len(args) > 0 {
-			if !isValidFramework(strings.ToLower(args[0])) {
-				return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(supportedFrameworks, ", ")))
-			}
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		scanInfo.PolicyIdentifier = reporthandling.PolicyIdentifier{}
-		scanInfo.PolicyIdentifier.Kind = reporthandling.KindFramework
-
-		if !(cmd.Flags().Lookup("use-from").Changed) {
-			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
-		}
-		if len(args) > 0 {
-			if len(args[1:]) == 0 || args[1] != "-" {
-				scanInfo.InputPatterns = args[1:]
-			} else { // store stout to file
-				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-				if err != nil {
-					return err
-				}
-				defer os.Remove(tempFile.Name())
-
-				if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-					return err
-				}
-				scanInfo.InputPatterns = []string{tempFile.Name()}
-			}
-		}
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := CliSetup()
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func isValidFramework(framework string) bool {
-	return cautils.StringInSlice(supportedFrameworks, framework) != cautils.ValueNotFound
-}
-
-func init() {
-	scanCmd.AddCommand(frameworkCmd)
-	scanInfo = cautils.ScanInfo{}
-	frameworkCmd.Flags().StringVar(&scanInfo.UseFrom, "use-from", "", "Load local framework object from specified path. If not used will download latest")
-	frameworkCmd.Flags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local framework object from default path. If not used will download latest")
-	frameworkCmd.Flags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from Armo management portal")
-	frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system, kube-public")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"`)
-	frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
-	frameworkCmd.Flags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent bellow which the command fails and returns exit code 1")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
-
-}
-
-func CliSetup() error {
-	flagValidation()
-
-	var k8s *k8sinterface.KubernetesApi
-	var clusterConfig cautils.IClusterConfig
-	if !scanInfo.ScanRunningCluster() {
-		k8sinterface.ConnectedToCluster = false
-		clusterConfig = cautils.NewEmptyConfig()
-	} else {
-		k8s = k8sinterface.NewKubernetesApi()
-		// setup cluster config
-		clusterConfig = cautils.ClusterConfigSetup(&scanInfo, k8s, getter.GetArmoAPIConnector())
-	}
-
-	processNotification := make(chan *cautils.OPASessionObj)
-	reportResults := make(chan *cautils.OPASessionObj)
-
-	// policy handler setup
-	policyHandler := policyhandler.NewPolicyHandler(&processNotification, k8s)
-
-	if err := clusterConfig.SetCustomerGUID(scanInfo.Account); err != nil {
-		fmt.Println(err)
-	}
-
-	cautils.CustomerGUID = clusterConfig.GetCustomerGUID()
-	cautils.ClusterName = k8sinterface.GetClusterName()
-
-	// cli handler setup
-	go func() {
-		cli := NewCLIHandler(policyHandler)
-		if err := cli.Scan(); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-	}()
-
-	// processor setup - rego run
-	go func() {
-		opaprocessorObj := opaprocessor.NewOPAProcessorHandler(&processNotification, &reportResults)
-		opaprocessorObj.ProcessRulesListenner()
-	}()
-
-	resultsHandling := resultshandling.NewResultsHandler(&reportResults, reporter.NewReportEventReceiver(), printer.NewPrinter(scanInfo.Format, scanInfo.Output))
-	score := resultsHandling.HandleResults()
-
-	// print report url
-	clusterConfig.GenerateURL()
-
-	adjustedFailThreshold := float32(scanInfo.FailThreshold) / 100
-	if score < adjustedFailThreshold {
-		return fmt.Errorf("Scan score is bellow threshold")
-	}
-
-	return nil
-}
-
-func NewCLIHandler(policyHandler *policyhandler.PolicyHandler) *CLIHandler {
-	return &CLIHandler{
-		scanInfo:      &scanInfo,
-		policyHandler: policyHandler,
-	}
-}
-
-func (clihandler *CLIHandler) Scan() error {
-	cautils.ScanStartDisplay()
-	policyNotification := &reporthandling.PolicyNotification{
-		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules: []reporthandling.PolicyIdentifier{
-			clihandler.scanInfo.PolicyIdentifier,
-		},
-		Designators: armotypes.PortalDesignator{},
-	}
-	switch policyNotification.NotificationType {
-	case reporthandling.TypeExecPostureScan:
-		//
-		if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
-			return err
-		}
-	default:
-		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
-	}
-	return nil
-}
-
-func flagValidation() {
-
-	if scanInfo.Submit && scanInfo.Local {
-		fmt.Println("You can use `keep-local` or `submit`, but not both")
-		os.Exit(1)
-	}
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}

cmd/list/list.go

@@ -0,0 +1,84 @@
+package list
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+)
+
+var (
+	listExample = fmt.Sprintf(`
+  # List default supported frameworks names
+  %[1]s list frameworks
+  
+  # List all supported frameworks names
+  %[1]s list frameworks --account <account id>
+	
+  # List all supported controls names with ids
+  %[1]s list controls
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`, cautils.ExecName())
+)
+
+func GetListCmd(ks meta.IKubescape) *cobra.Command {
+	var listPolicies = v1.ListPolicies{}
+
+	listCmd := &cobra.Command{
+		Use:     "list <policy> [flags]",
+		Short:   "List frameworks/controls will list the supported frameworks and controls",
+		Long:    ``,
+		Example: listExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.ListSupportActions(), ",")
+
+			if len(args) < 1 {
+				return fmt.Errorf("policy type requeued, supported: %s", supported)
+			}
+			if !slices.Contains(core.ListSupportActions(), args[0]) {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationList(&listPolicies); err != nil {
+				return err
+			}
+
+			if len(args) < 1 {
+				return errors.New("no arguements provided")
+			}
+
+			listPolicies.Target = args[0]
+
+			if err := ks.List(context.TODO(), &listPolicies); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	listCmd.PersistentFlags().StringVarP(&listPolicies.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
+	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
+	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outputs")
+
+	return listCmd
+}
+
+// Check if the flag entered are valid
+func flagValidationList(listPolicies *v1.ListPolicies) error {
+
+	// Validate the user's credentials
+	return cautils.ValidateAccountID(listPolicies.AccountID)
+}

cmd/list/list_test.go

@@ -0,0 +1,44 @@
+package list
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetListCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetListCmd function
+	listCmd := GetListCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "list <policy> [flags]", listCmd.Use)
+	assert.Equal(t, "List frameworks/controls will list the supported frameworks and controls", listCmd.Short)
+	assert.Equal(t, "", listCmd.Long)
+	assert.Equal(t, listExample, listCmd.Example)
+	supported := strings.Join(core.ListSupportActions(), ",")
+
+	err := listCmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "policy type requeued, supported: " + supported
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.Args(&cobra.Command{}, []string{"not-frameworks"})
+	expectedErrorMessage = "invalid parameter 'not-frameworks'. Supported parameters: " + supported
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.Args(&cobra.Command{}, []string{"frameworks"})
+	assert.Nil(t, err)
+
+	err = listCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "no arguements provided"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.RunE(&cobra.Command{}, []string{"some-value"})
+	assert.Nil(t, err)
+}

cmd/local.go

@@ -1,17 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-var localCmd = &cobra.Command{
-	Use:   "local",
-	Short: "Set configuration locally (for config.json)",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(localCmd)
-}

cmd/local_get.go

@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localGetCmd = &cobra.Command{
-	Use:   "get <key>",
-	Short: "Get configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		val, err := cautils.GetValueFromConfigJson(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localGetCmd)
-}

cmd/local_set.go

@@ -1,40 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localSetCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		if err := cautils.SetKeyValueInConfigJson(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localSetCmd)
-}

cmd/operator/configscan.go

@@ -0,0 +1,56 @@
+package operator
+
+import (
+	"fmt"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var operatorScanConfigExamples = fmt.Sprintf(`
+  
+  # Run a configuration scan
+  %[1]s operator scan configurations
+
+`, cautils.ExecName())
+
+func getOperatorScanConfigCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *cobra.Command {
+	configCmd := &cobra.Command{
+		Use:     "configurations",
+		Short:   "Trigger configuration scanning from the Kubescape Operator microservice",
+		Long:    ``,
+		Example: operatorScanConfigExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			operatorInfo.Subcommands = append(operatorInfo.Subcommands, "config")
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo, operatorInfo.Namespace)
+			if err != nil {
+				return err
+			}
+			logger.L().Start("Kubescape Operator Triggering for configuration scanning")
+			_, err = operatorAdapter.OperatorScan()
+			if err != nil {
+				logger.L().StopError("Failed to triggering Kubescape Operator for configuration scanning", helpers.Error(err))
+				return err
+			}
+			logger.L().StopSuccess("Triggered Kubescape Operator for configuration scanning")
+			return nil
+		},
+	}
+
+	configScanInfo := &cautils.ConfigScanInfo{}
+	operatorInfo.OperatorScanInfo = configScanInfo
+
+	configCmd.PersistentFlags().StringSliceVar(&configScanInfo.IncludedNamespaces, "include-namespaces", nil, "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
+	configCmd.PersistentFlags().StringSliceVar(&configScanInfo.ExcludedNamespaces, "exclude-namespaces", nil, "Namespaces to exclude from scanning. e.g: --exclude-namespaces ns-a,ns-b. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
+	configCmd.PersistentFlags().StringSliceVar(&configScanInfo.Frameworks, "frameworks", nil, "Load frameworks for configuration scanning")
+	configCmd.PersistentFlags().BoolVarP(&configScanInfo.HostScanner, "enable-host-scan", "", false, "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
+
+	return configCmd
+}

cmd/operator/configscan_test.go

@@ -0,0 +1,32 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanConfigCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanConfigCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "configurations", cmd.Use)
+	assert.Equal(t, "Trigger configuration scanning from the Kubescape Operator microservice", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorScanConfigExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"configurations"})
+	assert.Nil(t, err)
+}

cmd/operator/operator.go

@@ -0,0 +1,56 @@
+package operator
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	scanSubCommand string = "scan"
+)
+
+var operatorExamples = fmt.Sprintf(`
+  
+  # Trigger a configuration scan
+  %[1]s operator scan configurations
+
+  # Trigger a vulnerabilities scan
+  %[1]s operator scan vulnerabilities
+
+`, cautils.ExecName())
+
+func GetOperatorCmd(ks meta.IKubescape) *cobra.Command {
+	var operatorInfo cautils.OperatorInfo
+
+	operatorCmd := &cobra.Command{
+		Use:     "operator",
+		Short:   "The operator is used to communicate with the Kubescape Operator within the cluster components.",
+		Long:    ``,
+		Example: operatorExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			operatorInfo.Subcommands = append(operatorInfo.Subcommands, "operator")
+			if len(args) < 2 {
+				return errors.New("For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above.")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 2 {
+				return errors.New("For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above.")
+			}
+			if args[0] != scanSubCommand {
+				return errors.New(fmt.Sprintf("For the operator sub-command, only %s is supported. Refer to the examples above.", scanSubCommand))
+			}
+			return nil
+		},
+	}
+
+	operatorCmd.AddCommand(getOperatorScanCmd(ks, operatorInfo))
+
+	return operatorCmd
+}

cmd/operator/operator_test.go

@@ -0,0 +1,42 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	cmd := GetOperatorCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "operator", cmd.Use)
+	assert.Equal(t, "The operator is used to communicate with the Kubescape Operator within the cluster components.", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"scan", "configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"scan", "configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"scan"})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"random-subcommand", "random-config"})
+	expectedErrorMessage = "For the operator sub-command, only " + scanSubCommand + " is supported. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}

cmd/operator/scan.go

@@ -0,0 +1,46 @@
+package operator
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/spf13/cobra"
+)
+
+const (
+	vulnerabilitiesSubCommand string = "vulnerabilities"
+	configurationsSubCommand  string = "configurations"
+)
+
+func getOperatorScanCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *cobra.Command {
+	operatorCmd := &cobra.Command{
+		Use:     "scan",
+		Short:   "Scan your cluster using the Kubescape-operator within the cluster components",
+		Long:    ``,
+		Example: operatorExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			operatorInfo.Subcommands = append(operatorInfo.Subcommands, "scan")
+			if len(args) < 1 {
+				return errors.New("for operator scan sub command, you must pass at least 1 more sub commands, see above examples")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("for operator scan sub command, you must pass at least 1 more sub commands, see above examples")
+			}
+			if (args[0] != vulnerabilitiesSubCommand) && (args[0] != configurationsSubCommand) {
+				return errors.New(fmt.Sprintf("For the operator sub-command, only %s and %s are supported. Refer to the examples above.", vulnerabilitiesSubCommand, configurationsSubCommand))
+			}
+			return nil
+		},
+	}
+
+	operatorCmd.PersistentFlags().StringVar(&operatorInfo.Namespace, "namespace", "kubescape", "namespace of the Kubescape Operator")
+	operatorCmd.AddCommand(getOperatorScanConfigCmd(ks, operatorInfo))
+	operatorCmd.AddCommand(getOperatorScanVulnerabilitiesCmd(ks, operatorInfo))
+
+	return operatorCmd
+}

cmd/operator/scan_test.go

@@ -0,0 +1,46 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "scan", cmd.Use)
+	assert.Equal(t, "Scan your cluster using the Kubescape-operator within the cluster components", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "for operator scan sub command, you must pass at least 1 more sub commands, see above examples"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"operator"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"vulnerabilities"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"random"})
+	expectedErrorMessage = "For the operator sub-command, only " + vulnerabilitiesSubCommand + " and " + configurationsSubCommand + " are supported. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}

cmd/operator/vulnerabilitiesscan.go

@@ -0,0 +1,56 @@
+package operator
+
+import (
+	"fmt"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var operatorScanVulnerabilitiesExamples = fmt.Sprintf(`
+
+  # Trigger a vulnerabilities scan
+  %[1]s operator scan vulnerabilities
+
+`, cautils.ExecName())
+
+func getOperatorScanVulnerabilitiesCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *cobra.Command {
+	configCmd := &cobra.Command{
+		Use:     "vulnerabilities",
+		Short:   "Vulnerabilities use for scan your cluster vulnerabilities using Kubescape operator in the in cluster components",
+		Long:    ``,
+		Example: operatorScanVulnerabilitiesExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			operatorInfo.Subcommands = append(operatorInfo.Subcommands, "vulnerabilities")
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo, operatorInfo.Namespace)
+			if err != nil {
+				return err
+			}
+			logger.L().Start("Triggering the Kubescape Operator for vulnerability scanning")
+			_, err = operatorAdapter.OperatorScan()
+			if err != nil {
+				logger.L().StopError("Failed to trigger the Kubescape Operator for vulnerability scanning", helpers.Error(err))
+				return err
+			}
+			logger.L().StopSuccess("Triggered Kubescape Operator for vulnerability scanning. View the scanning results once they are ready using the following command: \"kubectl get vulnerabilitysummaries\"")
+			return err
+		},
+	}
+
+	vulnerabilitiesScanInfo := &cautils.VulnerabilitiesScanInfo{
+		ClusterName: k8sinterface.GetContextName(),
+	}
+	operatorInfo.OperatorScanInfo = vulnerabilitiesScanInfo
+
+	configCmd.PersistentFlags().StringSliceVar(&vulnerabilitiesScanInfo.IncludeNamespaces, "include-namespaces", nil, "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
+
+	return configCmd
+}

cmd/operator/vulnerabilitiesscan_test.go

@@ -0,0 +1,29 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanVulnerabilitiesCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanVulnerabilitiesCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "vulnerabilities", cmd.Use)
+	assert.Equal(t, "Vulnerabilities use for scan your cluster vulnerabilities using Kubescape operator in the in cluster components", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorScanVulnerabilitiesExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{"random-arg"})
+	assert.Nil(t, err)
+}

cmd/patch/README.md

@@ -0,0 +1,141 @@
+# Patch Command
+
+The patch command is used for patching container images with vulnerabilities.  
+It uses [copa](https://github.com/project-copacetic/copacetic) and [buildkit](https://github.com/moby/buildkit) under the hood for patching the container images, and [grype](https://github.com/anchore/grype) as the engine for scanning the images (at the moment).
+
+## Usage
+
+```bash
+kubescape patch --image <image-name> [flags]
+```
+
+The patch command can be run in 2 ways:
+1. **With sudo privileges**
+
+    You will need to start `buildkitd` if it is not already running
+
+    ```bash
+    sudo buildkitd & 
+    sudo kubescape patch --image <image-name>
+    ```
+
+2. **Without sudo privileges**
+   ```bash
+    export BUILDKIT_VERSION=v0.11.4
+    export BUILDKIT_PORT=8888
+
+    docker run \
+        --detach \
+        --rm \
+        --privileged \
+        -p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
+        --name buildkitd \
+        --entrypoint buildkitd \
+        "moby/buildkit:$BUILDKIT_VERSION" \
+        --addr tcp://0.0.0.0:$BUILDKIT_PORT
+
+    kubescape patch \
+        -i <image-name> \
+        -a tcp://0.0.0.0:$BUILDKIT_PORT
+   ```
+
+### Flags
+
+| Flag           | Description                                            | Required | Default                             |
+| -------------- | ------------------------------------------------------ | -------- | ----------------------------------- |
+| -i, --image    | Image name to be patched (should be in canonical form) | Yes      |                                     |
+| -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
+| -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
+| --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| -u, --username | Username for the image registry login                  | No       |                                     |
+| -p, --password | Password for the image registry login                  | No       |                                     |
+| -f, --format   | Output file format.                                    | No       |                                     |
+| -o, --output   | Output file. Print output to file and not stdout       | No       |                                     |
+| -v, --verbose  | Display full report. Default to false                  | No       |                                     |
+| -h, --help     | help for patch                                         | No       |                                     |
+
+
+## Example
+
+We will demonstrate how to use the patch command with an example of [nginx](https://www.nginx.com/) image.
+
+### Pre-requisites
+
+- [docker](https://docs.docker.com/desktop/install/linux-install/#generic-installation-steps) daemon must be installed and running.
+- [buildkit](https://github.com/moby/buildkit) daemon must be installed
+    
+### Steps
+
+1. Run `buildkitd` service:
+
+    ```bash
+    sudo buildkitd
+    ```
+
+2. In a seperate terminal, run the `kubescape patch` command: 
+    
+    ```bash
+    sudo kubescape patch --image docker.io/library/nginx:1.22
+    ```
+
+3. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: docker.io/library/nginx:1.22
+    ✅  Patched image successfully. Loaded image: nginx:1.22-patched
+    ✅  Successfully re-scanned image: nginx:1.22-patched
+
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 161 vulnerabilities found:
+    Image: nginx:1.22-patched
+      * 3 Critical
+      * 24 High
+      * 31 Medium
+      * 103 Other
+
+    Most vulnerable components:
+      * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+      * libxml2 (2.9.10+dfsg-6.7+deb11u4) - 1 High, 2 Medium
+      * perl-base (5.32.1-4+deb11u2) - 2 High, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator
+    ```
+
+## Limitations
+
+- The patch command can only fix OS-level vulnerability. It cannot fix application-level vulnerabilities. This is a limitation of copa. The reason behind this is that application level vulnerabilities are best suited to be fixed by the developers of the application.
+Hence, this is not really a limitation but a design decision.
+- No support for windows containers given the dependency on buildkit.

cmd/patch/patch.go

@@ -0,0 +1,144 @@
+package patch
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	ref "github.com/distribution/distribution/reference"
+	"github.com/docker/distribution/reference"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/pkg/imagescan"
+
+	"github.com/spf13/cobra"
+)
+
+var patchCmdExamples = fmt.Sprintf(`
+  # Patch the nginx:1.22 image
+  1) sudo buildkitd        # start buildkitd service, run in seperate terminal
+  2) sudo %[1]s patch --image docker.io/library/nginx:1.22   # patch the image
+
+  # The patch command can also be run without sudo privileges
+  # Documentation: https://github.com/kubescape/kubescape/tree/master/cmd/patch
+`, cautils.ExecName())
+
+func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
+	var patchInfo metav1.PatchInfo
+	var scanInfo cautils.ScanInfo
+
+	patchCmd := &cobra.Command{
+		Use:     "patch --image <image>:<tag> [flags]",
+		Short:   "Patch container images with vulnerabilities",
+		Long:    `Patch command is for automatically patching images with vulnerabilities.`,
+		Example: patchCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 0 {
+				return fmt.Errorf("the command takes no arguments")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := shared.ValidateImageScanInfo(&scanInfo); err != nil {
+				return err
+			}
+
+			if err := validateImagePatchInfo(&patchInfo); err != nil {
+				return err
+			}
+
+			results, err := ks.Patch(context.Background(), &patchInfo, &scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				shared.TerminateOnExceedingSeverity(&scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Image, "image", "i", "", "Application image name and tag to patch")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
+	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Username, "username", "u", "", "Username for registry login")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Password, "password", "p", "", "Password for registry login")
+
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "sarif"`)
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	patchCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display full report. Default to false")
+
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.FailThresholdSeverity, "severity-threshold", "s", "", "Severity threshold is the severity of a vulnerability at which the command fails and returns exit code 1")
+
+	return patchCmd
+}
+
+// validateImagePatchInfo validates the image patch info for the `patch` command
+func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
+
+	if patchInfo.Image == "" {
+		return errors.New("image tag is required")
+	}
+
+	// Convert image to canonical format (required by copacetic for patching images)
+	patchInfoImage, err := cautils.NormalizeImageName(patchInfo.Image)
+	if err != nil {
+		return nil
+	}
+
+	// Parse the image full name to get image name and tag
+	named, err := ref.ParseNamed(patchInfoImage)
+	if err != nil {
+		return err
+	}
+
+	// If no tag or digest is provided, default to 'latest'
+	if ref.IsNameOnly(named) {
+		logger.L().Warning("Image name has no tag or digest, using latest as tag")
+		named = ref.TagNameOnly(named)
+	}
+	patchInfo.Image = named.String()
+
+	// If no patched image tag is provided, default to '<image-tag>-patched'
+	if patchInfo.PatchedImageTag == "" {
+
+		taggedName, ok := named.(ref.Tagged)
+		if !ok {
+			return errors.New("unexpected error while parsing image tag")
+		}
+
+		patchInfo.ImageTag = taggedName.Tag()
+
+		if patchInfo.ImageTag == "" {
+			logger.L().Warning("No tag provided, defaulting to 'patched'")
+			patchInfo.PatchedImageTag = "patched"
+		} else {
+			patchInfo.PatchedImageTag = fmt.Sprintf("%s-%s", patchInfo.ImageTag, "patched")
+		}
+
+	}
+
+	// Extract the "image" name from the canonical Image URL
+	// If it's an official docker image, we store just the "image-name". Else if a docker repo then we store as "repo/image". Else complete URL
+	ref, _ := reference.ParseNormalizedNamed(patchInfo.Image)
+	imageName := named.Name()
+	if strings.Contains(imageName, "docker.io/library/") {
+		imageName = reference.Path(ref)
+		imageName = imageName[strings.LastIndex(imageName, "/")+1:]
+	} else if strings.Contains(imageName, "docker.io/") {
+		imageName = reference.Path(ref)
+	}
+	patchInfo.ImageName = imageName
+
+	return nil
+}

cmd/patch/patch_test.go

@@ -0,0 +1,52 @@
+package patch
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetPatchCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	cmd := GetPatchCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "patch --image <image>:<tag> [flags]", cmd.Use)
+	assert.Equal(t, "Patch container images with vulnerabilities", cmd.Short)
+	assert.Equal(t, "Patch command is for automatically patching images with vulnerabilities.", cmd.Long)
+	assert.Equal(t, patchCmdExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"test"})
+	expectedErrorMessage := "the command takes no arguments"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "image tag is required"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"patch", "--image", "docker.io/library/nginx:1.22"})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetPatchCmdWithNonExistentImage(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetPatchCmd function
+	cmd := GetPatchCmd(mockKubescape)
+
+	// Run the command with a non-existent image argument
+	err := cmd.RunE(&cobra.Command{}, []string{"patch", "--image", "non-existent-image"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "image tag is required"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}

cmd/root.go

@@ -1,68 +1,118 @@
 package cmd
 
 import (
-	"flag"
-	"os"
+	"fmt"
 	"strings"
 
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/golang/glog"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v3/cmd/completion"
+	"github.com/kubescape/kubescape/v3/cmd/config"
+	"github.com/kubescape/kubescape/v3/cmd/download"
+	"github.com/kubescape/kubescape/v3/cmd/fix"
+	"github.com/kubescape/kubescape/v3/cmd/list"
+	"github.com/kubescape/kubescape/v3/cmd/operator"
+	"github.com/kubescape/kubescape/v3/cmd/patch"
+	"github.com/kubescape/kubescape/v3/cmd/scan"
+	"github.com/kubescape/kubescape/v3/cmd/update"
+	"github.com/kubescape/kubescape/v3/cmd/version"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
 	"github.com/spf13/cobra"
 )
 
-var cfgFile string
-var armoBEURLs = ""
+var rootInfo cautils.RootInfo
 
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
+var ksExamples = fmt.Sprintf(`
+  # Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations
+  %[1]s scan
 
-var rootCmd = &cobra.Command{
-	Use:   "kubescape",
-	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		flag.Parse()
-		InitArmoBEConnector()
-		return nil
-	},
+  # List supported controls
+  %[1]s list controls
+
+  # Download artifacts (air-gapped environment support)
+  %[1]s download artifacts
+
+  # View cached configurations
+  %[1]s config view
+`, cautils.ExecName())
+
+func NewDefaultKubescapeCommand() *cobra.Command {
+	ks := core.NewKubescape()
+	return getRootCmd(ks)
 }
 
-func Execute() {
-	rootCmd.Execute()
-}
+func getRootCmd(ks meta.IKubescape) *cobra.Command {
 
-func init() {
-	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
+	rootCmd := &cobra.Command{
+		Use:     "kubescape",
+		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
+		Example: ksExamples,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			k8sinterface.SetClusterContextName(rootInfo.KubeContext)
+			initLogger()
+			initLoggerLevel()
+			initEnvironment()
+			initCacheDir()
+		},
+	}
+
+	if cautils.IsKrewPlugin() {
+		// Invoked as a kubectl plugin.
+
+		// Cobra doesn't have a way to specify a two word command (i.e. "kubectl kubescape"), so set a custom usage template
+		// with kubectl in it. Cobra will use this template for the root and all child commands.
+		oldUsageTemplate := rootCmd.UsageTemplate()
+		newUsageTemplate := strings.NewReplacer("{{.UseLine}}", "kubectl {{.UseLine}}", "{{.CommandPath}}", "kubectl {{.CommandPath}}").Replace(oldUsageTemplate)
+		rootCmd.SetUsageTemplate(newUsageTemplate)
+	}
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.DiscoveryServerURL, "server", "", "Backend discovery server URL")
+
+	rootCmd.PersistentFlags().MarkDeprecated("environment", "'environment' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
+	rootCmd.PersistentFlags().MarkDeprecated("env", "'env' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
 	rootCmd.PersistentFlags().MarkHidden("environment")
-	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().MarkHidden("env")
 
+	rootCmd.PersistentFlags().StringVar(&rootInfo.LoggerName, "logger-name", "", fmt.Sprintf("Logger name. Supported: %s [$KS_LOGGER_NAME]", strings.Join(logger.ListLoggersNames(), "/")))
+	rootCmd.PersistentFlags().MarkHidden("logger-name")
+
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
+	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")
+
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+	// Supported commands
+	rootCmd.AddCommand(scan.GetScanCommand(ks))
+	rootCmd.AddCommand(download.GetDownloadCmd(ks))
+	rootCmd.AddCommand(list.GetListCmd(ks))
+	rootCmd.AddCommand(completion.GetCompletionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(config.GetConfigCmd(ks))
+	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(fix.GetFixCmd(ks))
+	rootCmd.AddCommand(patch.GetPatchCmd(ks))
+	rootCmd.AddCommand(operator.GetOperatorCmd(ks))
+
+	// deprecated commands
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "submit",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "delete",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
+
+	return rootCmd
 }
 
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-}
-
-func InitArmoBEConnector() {
-	urlSlices := strings.Split(armoBEURLs, ",")
-	if len(urlSlices) > 3 {
-		glog.Errorf("Too many URLs")
-		os.Exit(1)
-	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
-		case "":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
-		default:
-			glog.Errorf("--environment flag usage: %s", envFlagUsage)
-			os.Exit(1)
-		}
-	case 2:
-		glog.Errorf("--environment flag usage: %s", envFlagUsage)
-		os.Exit(1)
-	case 3:
-		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
-	}
+func Execute() error {
+	ks := NewDefaultKubescapeCommand()
+	return ks.Execute()
 }

cmd/rootutils.go

@@ -0,0 +1,110 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/backend/pkg/servicediscovery"
+	sdClientV2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/go-logger/iconlogger"
+	"github.com/kubescape/go-logger/zaplogger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+
+	"github.com/mattn/go-isatty"
+)
+
+func initLogger() {
+	logger.DisableColor(rootInfo.DisableColor)
+	logger.EnableColor(rootInfo.EnableColor)
+
+	if rootInfo.LoggerName == "" {
+		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
+			rootInfo.LoggerName = l
+		} else {
+			if isatty.IsTerminal(os.Stdout.Fd()) {
+				rootInfo.LoggerName = iconlogger.LoggerName
+			} else {
+				rootInfo.LoggerName = zaplogger.LoggerName
+			}
+		}
+	}
+
+	logger.InitLogger(rootInfo.LoggerName)
+
+}
+func initLoggerLevel() {
+	if rootInfo.Logger == helpers.InfoLevel.String() {
+	} else if l := os.Getenv("KS_LOGGER"); l != "" {
+		rootInfo.Logger = l
+	}
+
+	if err := logger.L().SetLevel(rootInfo.Logger); err != nil {
+		logger.L().Fatal(fmt.Sprintf("supported levels: %s", strings.Join(helpers.SupportedLevels(), "/")), helpers.Error(err))
+	}
+}
+
+func initCacheDir() {
+	if rootInfo.CacheDir != getter.DefaultLocalStore {
+		getter.DefaultLocalStore = rootInfo.CacheDir
+	} else if cacheDir := os.Getenv("KS_CACHE_DIR"); cacheDir != "" {
+		getter.DefaultLocalStore = cacheDir
+	} else {
+		return // using default cache dir location
+	}
+
+	logger.L().Debug("cache dir updated", helpers.String("path", getter.DefaultLocalStore))
+}
+func initEnvironment() {
+	if rootInfo.DiscoveryServerURL == "" {
+		return
+	}
+
+	logger.L().Debug("fetching URLs from service discovery server", helpers.String("server", rootInfo.DiscoveryServerURL))
+
+	client, err := sdClientV2.NewServiceDiscoveryClientV2(rootInfo.DiscoveryServerURL)
+	if err != nil {
+		logger.L().Fatal("failed to create service discovery client", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
+	}
+
+	services, err := servicediscovery.GetServices(
+		client,
+	)
+
+	if err != nil {
+		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
+	}
+
+	logger.L().Debug("configuring service discovery URLs", helpers.String("cloudAPIURL", services.GetApiServerUrl()), helpers.String("cloudReportURL", services.GetReportReceiverHttpUrl()))
+
+	tenant := cautils.GetTenantConfig("", "", "", "", nil)
+	if services.GetApiServerUrl() != "" {
+		tenant.GetConfigObj().CloudAPIURL = services.GetApiServerUrl()
+	}
+	if services.GetReportReceiverHttpUrl() != "" {
+		tenant.GetConfigObj().CloudReportURL = services.GetReportReceiverHttpUrl()
+	}
+
+	if err = tenant.UpdateCachedConfig(); err != nil {
+		logger.L().Error("failed to update cached config", helpers.Error(err))
+	}
+
+	ksCloud, err := v1.NewKSCloudAPI(
+		services.GetApiServerUrl(),
+		services.GetReportReceiverHttpUrl(),
+		"",
+		"",
+	)
+	if err != nil {
+		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+		return
+	}
+
+	getter.SetKSCloudAPIConnector(ksCloud)
+}

cmd/scan.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// scanCmd represents the scan command
-var scanCmd = &cobra.Command{
-	Use:   "scan",
-	Short: "Scan the current running cluster or yaml files",
-	Long:  `The action you want to perform`,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(scanCmd)
-}

cmd/scan/control.go

@@ -0,0 +1,137 @@
+package scan
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	controlExample = fmt.Sprintf(`
+  # Scan the 'privileged container' control
+  %[1]s scan control "privileged container"
+	
+  # Scan list of controls separated with a comma
+  %[1]s scan control "privileged container","HostPath mount"
+  
+  # Scan list of controls using the control ID separated with a comma
+  %[1]s scan control C-0058,C-0057
+  
+  Run '%[1]s list controls' for the list of supported controls
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`, cautils.ExecName())
+)
+
+// controlCmd represents the control command
+func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	return &cobra.Command{
+		Use:     "control <control names list>/<control ids list>",
+		Short:   fmt.Sprintf("The controls you wish to use. Run '%[1]s list controls' for the list of supported controls", cautils.ExecName()),
+		Example: controlExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				controls := strings.Split(args[0], ",")
+				if len(controls) > 1 {
+					for _, control := range controls {
+						if control == "" {
+							return fmt.Errorf("usage: <control-0>,<control-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one control name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			// flagValidationControl(scanInfo)
+			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+			} else { // expected control or list of control separated by ","
+
+				// Read controls from input args
+				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)
+
+				if len(args) > 1 {
+					if len(args[1:]) == 0 || args[1] != "-" {
+						scanInfo.InputPatterns = args[1:]
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+
+			scanInfo.FrameworkScan = false
+			scanInfo.SetScanType(cautils.ScanTypeControl)
+
+			if err := validateControlScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if err := results.HandleResults(ctx); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if !scanInfo.VerboseMode {
+				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
+			}
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
+			enforceSeverityThresholds(results.GetResults().SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+
+			return nil
+		},
+	}
+}
+
+// validateControlScanInfo validates the ScanInfo struct for the `control` command
+func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
+	}
+
+	if err := shared.ValidateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/scan/control_test.go

@@ -0,0 +1,60 @@
+package scan
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetControlCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	cmd := getControlCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "control <control names list>/<control ids list>", cmd.Use)
+	assert.Equal(t, fmt.Sprintf("The controls you wish to use. Run '%[1]s list controls' for the list of supported controls", cautils.ExecName()), cmd.Short)
+	assert.Equal(t, controlExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "requires at least one control name"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"C-0001,C-0002"})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"C-0001,C-0002,"})
+	expectedErrorMessage = "usage: <control-0>,<control-1>"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "bad argument: accound ID must be a valid UUID"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetControlCmdWithNonExistentControl(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	// Call the GetControlCmd function
+	cmd := getControlCmd(mockKubescape, &scanInfo)
+
+	// Run the command with a non-existent control argument
+	err := cmd.RunE(&cobra.Command{}, []string{"control", "C-0001,C-0002"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "bad argument: accound ID must be a valid UUID"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}

cmd/scan/framework.go

@@ -0,0 +1,224 @@
+package scan
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+	"golang.org/x/exp/slices"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	frameworkExample = fmt.Sprintf(`
+  # Scan all frameworks
+  %[1]s scan framework all
+  
+  # Scan the NSA framework
+  %[1]s scan framework nsa
+  
+  # Scan the NSA and MITRE framework
+  %[1]s scan framework nsa,mitre
+  
+  # Scan all frameworks
+  %[1]s scan framework all
+
+  # Scan kubernetes YAML manifest files (single file or glob)
+  %[1]s scan framework nsa .
+
+  Run '%[1]s list frameworks' for the list of supported frameworks
+`, cautils.ExecName())
+
+	ErrSecurityViewNotSupported = errors.New("security view is not supported for framework scan")
+	ErrBadThreshold             = errors.New("bad argument: out of range threshold")
+	ErrKeepLocalOrSubmit        = errors.New("you can use `keep-local` or `submit`, but not both")
+	ErrOmitRawResourcesOrSubmit = errors.New("you can use `omit-raw-resources` or `submit`, but not both")
+)
+
+func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+
+	return &cobra.Command{
+		Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
+		Short:   fmt.Sprintf("The framework you wish to use. Run '%[1]s list frameworks' for the list of supported frameworks", cautils.ExecName()),
+		Example: frameworkExample,
+		Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				frameworks := strings.Split(args[0], ",")
+				if len(frameworks) > 1 {
+					for _, framework := range frameworks {
+						if framework == "" {
+							return fmt.Errorf("usage: <framework-0>,<framework-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one framework name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+			scanInfo.FrameworkScan = true
+
+			// We do not scan all frameworks by default when triggering scan from the CLI
+			scanInfo.ScanAll = false
+
+			var frameworks []string
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+			} else {
+				// Read frameworks from input args
+				frameworks = strings.Split(args[0], ",")
+				if slices.Contains(frameworks, "all") {
+					scanInfo.ScanAll = true
+					frameworks = getter.NativeFrameworks
+
+				}
+				if len(args) > 1 {
+					if args[1] != "-" {
+						scanInfo.InputPatterns = args[1:]
+						logger.L().Debug("List of input files", helpers.Interface("patterns", scanInfo.InputPatterns))
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+			scanInfo.SetScanType(cautils.ScanTypeFramework)
+
+			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
+
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err = results.HandleResults(ctx); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance-score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
+
+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+			return nil
+		},
+	}
+
+}
+
+// countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
+func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
+	targetSeverity := scanInfo.FailThresholdSeverity
+	if err := shared.ValidateSeverity(targetSeverity); err != nil {
+		return false, err
+	}
+
+	getFailedResourcesFuncsBySeverity := []struct {
+		SeverityName       string
+		GetFailedResources func() int
+	}{
+		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfLowSeverity},
+		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfMediumSeverity},
+		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfHighSeverity},
+		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfCriticalSeverity},
+	}
+
+	targetSeverityIdx := 0
+	for idx, description := range getFailedResourcesFuncsBySeverity {
+		if strings.EqualFold(description.SeverityName, targetSeverity) {
+			targetSeverityIdx = idx
+			break
+		}
+	}
+
+	for _, description := range getFailedResourcesFuncsBySeverity[targetSeverityIdx:] {
+		failedResourcesCount := description.GetFailedResources()
+		if failedResourcesCount > 0 {
+			return true, nil
+		}
+	}
+
+	return false, nil
+
+}
+
+// terminateOnExceedingSeverity terminates the application on exceeding severity
+func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
+	l.Fatal("compliance result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+}
+
+// enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
+//
+// The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
+func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, helpers.ILogger)) {
+	// If a severity threshold is not set, we don’t need to enforce it
+	if scanInfo.FailThresholdSeverity == "" {
+		return
+	}
+
+	if val, err := countersExceedSeverityThreshold(severityCounters, scanInfo); val && err == nil {
+		onExceed(scanInfo, logger.L())
+	} else if err != nil {
+		logger.L().Fatal(err.Error())
+	}
+}
+
+// validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
+func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
+	if scanInfo.View == string(cautils.SecurityViewType) {
+		scanInfo.View = string(cautils.ResourceViewType)
+	}
+
+	if scanInfo.Submit && scanInfo.Local {
+		return ErrKeepLocalOrSubmit
+	}
+	if 100 < scanInfo.ComplianceThreshold || 0 > scanInfo.ComplianceThreshold {
+		return ErrBadThreshold
+	}
+	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
+		return ErrBadThreshold
+	}
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return ErrOmitRawResourcesOrSubmit
+	}
+	severity := scanInfo.FailThresholdSeverity
+	if err := shared.ValidateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+
+	// Validate the user's credentials
+	return cautils.ValidateAccountID(scanInfo.AccountID)
+}

cmd/scan/framework_test.go

@@ -0,0 +1,60 @@
+package scan
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetFrameworkCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	cmd := getFrameworkCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "framework <framework names list> [`<glob pattern>`/`-`] [flags]", cmd.Use)
+	assert.Equal(t, fmt.Sprintf("The framework you wish to use. Run '%[1]s list frameworks' for the list of supported frameworks", cautils.ExecName()), cmd.Short)
+	assert.Equal(t, frameworkExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "requires at least one framework name"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"nsa,mitre"})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"nsa,mitre,"})
+	expectedErrorMessage = "usage: <framework-0>,<framework-1>"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "bad argument: accound ID must be a valid UUID"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetFrameworkCmdWithNonExistentFramework(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	// Call the GetFrameworkCmd function
+	cmd := getFrameworkCmd(mockKubescape, &scanInfo)
+
+	// Run the command with a non-existent framework argument
+	err := cmd.RunE(&cobra.Command{}, []string{"framework", "nsa,mitre"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "bad argument: accound ID must be a valid UUID"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}

cmd/scan/image.go

@@ -0,0 +1,76 @@
+package scan
+
+import (
+	"context"
+	"fmt"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/pkg/imagescan"
+
+	"github.com/spf13/cobra"
+)
+
+// TODO(vladklokun): document image scanning on the Kubescape Docs Hub?
+var (
+	imageExample = fmt.Sprintf(`
+  Scan an image for vulnerabilities. 
+
+  # Scan the 'nginx' image
+  %[1]s scan image "nginx"
+
+  # Scan the 'nginx' image and see the full report 
+  %[1]s scan image "nginx" -v
+
+`, cautils.ExecName())
+)
+
+// getImageCmd returns the scan image command
+func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	var imgCredentials shared.ImageCredentials
+	cmd := &cobra.Command{
+		Use:     "image <image>:<tag> [flags]",
+		Short:   "Scan an image for vulnerabilities",
+		Example: imageExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+
+			if err := shared.ValidateImageScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			imgScanInfo := &metav1.ImageScanInfo{
+				Image:    args[0],
+				Username: imgCredentials.Username,
+				Password: imgCredentials.Password,
+			}
+
+			results, err := ks.ScanImage(context.Background(), imgScanInfo, scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				shared.TerminateOnExceedingSeverity(scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	cmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
+	cmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")
+
+	return cmd
+}