adding cluster flag - support submiting yaml file

Minor features and improvements

README.md

@@ -100,6 +100,7 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 | `--submit`                  | `false`                   | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`                               |
 | `--keep-local`              | `false`                   | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results                                                                                                                                | `true`/`false`                               |
 | `--account`                 |                           | Armo portal account ID. Default will load account ID from configMap or config file                                                                                                                                                                                                                                   |                                              |
+| `--cluster`                 |        current-context               |  Cluster context to scan                                                                                                                                                                                                                              |                                              |
 | `--verbose`                 | `false`                   | Display all of the input resources and not only failed resources                                                                                                                                                                                                                                                     | `true`/`false`                               |
 
 

cautils/customerloader.go

@@ -14,10 +14,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-const (
-	configMapName  = "kubescape"
-	configFileName = "config"
-)
+const configFileName = "config"
 
 func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
 
@@ -79,7 +76,7 @@ type LocalConfig struct {
 	configObj  *ConfigObj
 }
 
-func NewLocalConfig(backendAPI getter.IBackend, customerGUID string) *LocalConfig {
+func NewLocalConfig(backendAPI getter.IBackend, customerGUID, clusterName string) *LocalConfig {
 	var configObj *ConfigObj
 
 	lc := &LocalConfig{
@@ -98,6 +95,9 @@ func NewLocalConfig(backendAPI getter.IBackend, customerGUID string) *LocalConfi
 	if customerGUID != "" {
 		lc.configObj.CustomerGUID = customerGUID // override config customerGUID
 	}
+	if clusterName != "" {
+		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
 	if lc.configObj.CustomerGUID != "" {
 		if err := lc.SetTenant(); err != nil {
 			fmt.Println(err)
@@ -107,10 +107,11 @@ func NewLocalConfig(backendAPI getter.IBackend, customerGUID string) *LocalConfi
 	return lc
 }
 
-func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
-func (lc *LocalConfig) GetCustomerGUID() string  { return lc.configObj.CustomerGUID }
-func (lc *LocalConfig) GetClusterName() string   { return "" }
-func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
+func (lc *LocalConfig) GetConfigObj() *ConfigObj            { return lc.configObj }
+func (lc *LocalConfig) GetCustomerGUID() string             { return lc.configObj.CustomerGUID }
+func (lc *LocalConfig) SetCustomerGUID(customerGUID string) { lc.configObj.CustomerGUID = customerGUID }
+func (lc *LocalConfig) GetClusterName() string              { return lc.configObj.ClusterName }
+func (lc *LocalConfig) IsConfigFound() bool                 { return existsConfigFile() }
 func (lc *LocalConfig) SetTenant() error {
 	// ARMO tenant GUID
 	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
@@ -124,7 +125,8 @@ func (lc *LocalConfig) SetTenant() error {
 func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
 
 	// get from armoBE
-	tenantResponse, err := backendAPI.GetCustomerGUID(configObj.CustomerGUID)
+	backendAPI.SetCustomerGUID(configObj.CustomerGUID)
+	tenantResponse, err := backendAPI.GetCustomerGUID()
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // registered tenant
 			configObj.CustomerAdminEMail = tenantResponse.AdminMail
@@ -145,27 +147,40 @@ func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) err
 // ========================== Cluster Config ============================================
 // ======================================================================================
 
+// ClusterConfig configuration of specific cluster
+/*
+
+Supported environments variables:
+KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescape'
+KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
+
+TODO - supprot:
+KS_ACCOUNT // Account ID
+KS_CACHE // path to cached files
+*/
 type ClusterConfig struct {
-	k8s        *k8sinterface.KubernetesApi
-	defaultNS  string
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
+	k8s                *k8sinterface.KubernetesApi
+	configMapName      string
+	configMapNamespace string
+	backendAPI         getter.IBackend
+	configObj          *ConfigObj
 }
 
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, customerGUID string) *ClusterConfig {
-	defaultNS := k8sinterface.GetDefaultNamespace()
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, customerGUID, clusterName string) *ClusterConfig {
 	var configObj *ConfigObj
 	c := &ClusterConfig{
-		k8s:        k8s,
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-		defaultNS:  defaultNS,
+		k8s:                k8s,
+		backendAPI:         backendAPI,
+		configObj:          &ConfigObj{},
+		configMapName:      getConfigMapName(),
+		configMapNamespace: getConfigMapNamespace(),
 	}
 
 	// get from configMap
-	if existsConfigMap(k8s, defaultNS) {
-		configObj, _ = loadConfigFromConfigMap(k8s, defaultNS)
-	} else if existsConfigFile() { // get from file
+	if c.existsConfigMap() {
+		configObj, _ = c.loadConfigFromConfigMap()
+	}
+	if configObj == nil && existsConfigFile() { // get from file
 		configObj, _ = loadConfigFromFile()
 	}
 	if configObj != nil {
@@ -174,6 +189,9 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	if customerGUID != "" {
 		c.configObj.CustomerGUID = customerGUID // override config customerGUID
 	}
+	if clusterName != "" {
+		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
 	if c.configObj.CustomerGUID != "" {
 		if err := c.SetTenant(); err != nil {
 			fmt.Println(err)
@@ -188,11 +206,12 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	return c
 }
 
-func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
-func (c *ClusterConfig) GetDefaultNS() string     { return c.defaultNS }
-func (c *ClusterConfig) GetCustomerGUID() string  { return c.configObj.CustomerGUID }
+func (c *ClusterConfig) GetConfigObj() *ConfigObj            { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string                { return c.configMapNamespace }
+func (c *ClusterConfig) GetCustomerGUID() string             { return c.configObj.CustomerGUID }
+func (c *ClusterConfig) SetCustomerGUID(customerGUID string) { c.configObj.CustomerGUID = customerGUID }
 func (c *ClusterConfig) IsConfigFound() bool {
-	return existsConfigFile() || existsConfigMap(c.k8s, c.defaultNS)
+	return existsConfigFile() || c.existsConfigMap()
 }
 
 func (c *ClusterConfig) SetTenant() error {
@@ -202,7 +221,7 @@ func (c *ClusterConfig) SetTenant() error {
 		return err
 	}
 	// update/create config
-	if existsConfigMap(c.k8s, c.defaultNS) {
+	if c.existsConfigMap() {
 		c.updateConfigMap()
 	} else {
 		c.createConfigMap()
@@ -223,8 +242,8 @@ func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	}
 	return m
 }
-func loadConfigFromConfigMap(k8s *k8sinterface.KubernetesApi, ns string) (*ConfigObj, error) {
-	configMap, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
+func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -235,15 +254,15 @@ func loadConfigFromConfigMap(k8s *k8sinterface.KubernetesApi, ns string) (*Confi
 	return nil, nil
 }
 
-func existsConfigMap(k8s *k8sinterface.KubernetesApi, ns string) bool {
-	_, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
 	// TODO - check if has customerGUID
 	return err == nil
 }
 
 func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
 
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
 
 	if err != nil {
 		return "", err
@@ -295,11 +314,11 @@ func SetKeyValueInConfigJson(key string, value string) error {
 
 func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
 
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
 	if err != nil {
 		configMap = &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: configMapName,
+				Name: c.configMapName,
 			},
 		}
 	}
@@ -311,9 +330,9 @@ func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
 	configMap.Data[key] = value
 
 	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
 	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
 	}
 
 	return err
@@ -330,12 +349,12 @@ func (c *ClusterConfig) createConfigMap() error {
 	}
 	configMap := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: configMapName,
+			Name: c.configMapName,
 		},
 	}
 	c.updateConfigData(configMap)
 
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
 	return err
 }
 
@@ -343,7 +362,7 @@ func (c *ClusterConfig) updateConfigMap() error {
 	if c.k8s == nil {
 		return nil
 	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
 
 	if err != nil {
 		return err
@@ -351,7 +370,7 @@ func (c *ClusterConfig) updateConfigMap() error {
 
 	c.updateConfigData(configMap)
 
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
 	return err
 }
 
@@ -387,21 +406,23 @@ func readConfig(dat []byte) (*ConfigObj, error) {
 		return nil, nil
 	}
 	configObj := &ConfigObj{}
-	err := json.Unmarshal(dat, configObj)
-
-	return configObj, err
+	if err := json.Unmarshal(dat, configObj); err != nil {
+		return nil, err
+	}
+	return configObj, nil
 }
 
 // Check if the customer is submitted
 func (clusterConfig *ClusterConfig) IsSubmitted() bool {
-	return existsConfigMap(clusterConfig.k8s, clusterConfig.defaultNS) || existsConfigFile()
+	return clusterConfig.existsConfigMap() || existsConfigFile()
 }
 
 // Check if the customer is registered
 func (clusterConfig *ClusterConfig) IsRegistered() bool {
 
 	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
+	clusterConfig.backendAPI.SetCustomerGUID(clusterConfig.GetCustomerGUID())
+	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID()
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
 			return true
@@ -411,7 +432,7 @@ func (clusterConfig *ClusterConfig) IsRegistered() bool {
 }
 
 func (clusterConfig *ClusterConfig) DeleteConfig() error {
-	if err := DeleteConfigMap(clusterConfig.k8s); err != nil {
+	if err := clusterConfig.DeleteConfigMap(); err != nil {
 		return err
 	}
 	if err := DeleteConfigFile(); err != nil {
@@ -419,8 +440,8 @@ func (clusterConfig *ClusterConfig) DeleteConfig() error {
 	}
 	return nil
 }
-func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
-	return k8s.KubernetesClient.CoreV1().ConfigMaps(k8sinterface.GetDefaultNamespace()).Delete(context.Background(), configMapName, metav1.DeleteOptions{})
+func (clusterConfig *ClusterConfig) DeleteConfigMap() error {
+	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
 }
 
 func DeleteConfigFile() error {
@@ -430,3 +451,17 @@ func DeleteConfigFile() error {
 func AdoptClusterName(clusterName string) string {
 	return strings.ReplaceAll(clusterName, "/", "-")
 }
+
+func getConfigMapName() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAME"); n != "" {
+		return n
+	}
+	return "kubescape"
+}
+
+func getConfigMapNamespace() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAMESPACE"); n != "" {
+		return n
+	}
+	return "default"
+}

cautils/datastructuresmethods.go

@@ -25,8 +25,10 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, version str
 					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
 				}
 			}
-			frameworks[i].Controls[j].Rules = compatibleRules
-			policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+			if len(compatibleRules) > 0 {
+				frameworks[i].Controls[j].Rules = compatibleRules
+				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+			}
 		}
 	}
 }

cautils/downloadinfo.go

@@ -1,7 +1,8 @@
 package cautils
 
 type DownloadInfo struct {
-	Path          string
-	FrameworkName string
-	ControlName   string
+	Path    string
+	Target  string
+	Name    string
+	Account string
 }

cautils/getter/armoapi.go

@@ -100,14 +100,14 @@ func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
 func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
 	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name), nil)
 	if err != nil {
-		return nil, err
+		return nil, nil
 	}
 
 	framework := &reporthandling.Framework{}
 	if err = JSONDecoder(respStr).Decode(framework); err != nil {
 		return nil, err
 	}
-	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
+	SaveInFile(framework, GetDefaultPath(name+".json"))
 
 	return framework, err
 }
@@ -116,12 +116,10 @@ func (armoAPI *ArmoAPI) GetControl(policyName string) (*reporthandling.Control,
 	return nil, fmt.Errorf("control api is not public")
 }
 
-func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+func (armoAPI *ArmoAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions := []armotypes.PostureExceptionPolicy{}
-	if customerGUID == "" {
-		return exceptions, nil
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName), nil)
+
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -133,10 +131,10 @@ func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armot
 	return exceptions, nil
 }
 
-func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
+func (armoAPI *ArmoAPI) GetCustomerGUID() (*TenantResponse, error) {
 	url := armoAPI.getCustomerURL()
-	if customerGUID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
+	if armoAPI.customerGUID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, armoAPI.customerGUID)
 	}
 	respStr, err := HttpGetter(armoAPI.httpClient, url, nil)
 	if err != nil {
@@ -151,12 +149,12 @@ func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, e
 }
 
 // ControlsInputs  // map[<control name>][<input arguments>]
-func (armoAPI *ArmoAPI) GetAccountConfig(customerGUID, clusterName string) (*armotypes.CustomerConfig, error) {
+func (armoAPI *ArmoAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
 	accountConfig := &armotypes.CustomerConfig{}
-	if customerGUID == "" {
+	if armoAPI.customerGUID == "" {
 		return accountConfig, nil
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(customerGUID, clusterName), nil)
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -169,15 +167,15 @@ func (armoAPI *ArmoAPI) GetAccountConfig(customerGUID, clusterName string) (*arm
 }
 
 // ControlsInputs  // map[<control name>][<input arguments>]
-func (armoAPI *ArmoAPI) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
-	accountConfig, err := armoAPI.GetAccountConfig(customerGUID, clusterName)
+func (armoAPI *ArmoAPI) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	accountConfig, err := armoAPI.GetAccountConfig(clusterName)
 	if err == nil {
 		return accountConfig.Settings.PostureControlInputs, nil
 	}
 	return nil, err
 }
 
-func (armoAPI *ArmoAPI) ListCustomFrameworks(customerGUID string) ([]string, error) {
+func (armoAPI *ArmoAPI) ListCustomFrameworks() ([]string, error) {
 	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
 	if err != nil {
 		return nil, err
@@ -197,7 +195,7 @@ func (armoAPI *ArmoAPI) ListCustomFrameworks(customerGUID string) ([]string, err
 	return frameworkList, nil
 }
 
-func (armoAPI *ArmoAPI) ListFrameworks(customerGUID string) ([]string, error) {
+func (armoAPI *ArmoAPI) ListFrameworks() ([]string, error) {
 	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
 	if err != nil {
 		return nil, err
@@ -219,6 +217,10 @@ func (armoAPI *ArmoAPI) ListFrameworks(customerGUID string) ([]string, error) {
 	return frameworkList, nil
 }
 
+func (armoAPI *ArmoAPI) ListControls(l ListType) ([]string, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
 type TenantResponse struct {
 	TenantID  string `json:"tenantId"`
 	Token     string `json:"token"`

cautils/getter/armoapiutils.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 )
 
-var NativeFrameworks = []string{"nsa", "mitre", "armobest"}
+var NativeFrameworks = []string{"nsa", "mitre", "armobest", "devopsbest"}
 
 func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
 	u := url.URL{}
@@ -36,14 +36,14 @@ func (armoAPI *ArmoAPI) getListFrameworkURL() string {
 
 	return u.String()
 }
-func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
+func (armoAPI *ArmoAPI) getExceptionsURL(clusterName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = armoAPI.apiURL
 	u.Path = "api/v1/armoPostureExceptions"
 
 	q := u.Query()
-	q.Add("customerGUID", customerGUID)
+	q.Add("customerGUID", armoAPI.customerGUID)
 	// if clusterName != "" { // TODO - fix customer name support in Armo BE
 	// 	q.Add("clusterName", clusterName)
 	// }
@@ -52,14 +52,14 @@ func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) strin
 	return u.String()
 }
 
-func (armoAPI *ArmoAPI) getAccountConfig(customerGUID, clusterName string) string {
+func (armoAPI *ArmoAPI) getAccountConfig(clusterName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = armoAPI.apiURL
 	u.Path = "api/v1/armoCustomerConfiguration"
 
 	q := u.Query()
-	q.Add("customerGUID", customerGUID)
+	q.Add("customerGUID", armoAPI.customerGUID)
 	if clusterName != "" { // TODO - fix customer name support in Armo BE
 		q.Add("clusterName", clusterName)
 	}

cautils/getter/downloadreleasedpolicy.go

@@ -41,7 +41,20 @@ func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Fr
 	return framework, err
 }
 
-func (drp *DownloadReleasedPolicy) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
+func (drp *DownloadReleasedPolicy) ListFrameworks() ([]string, error) {
+	return drp.gs.GetOPAFrameworksNamesList()
+}
+
+func (drp *DownloadReleasedPolicy) ListControls(listType ListType) ([]string, error) {
+	switch listType {
+	case ListID:
+		return drp.gs.GetOPAControlsIDsList()
+	default:
+		return drp.gs.GetOPAControlsNamesList()
+	}
+}
+
+func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
 	defaultConfigInputs, err := drp.gs.GetDefaultConfigInputs()
 	if err != nil {
 		return nil, err

cautils/getter/getpolicies.go

@@ -5,18 +5,28 @@ import (
 	"github.com/armosec/opa-utils/reporthandling"
 )
 
+// supported listing
+type ListType string
+
+const ListID ListType = "id"
+const ListName ListType = "name"
+
 type IPolicyGetter interface {
 	GetFramework(name string) (*reporthandling.Framework, error)
 	GetControl(name string) (*reporthandling.Control, error)
+
+	ListFrameworks() ([]string, error)
+	ListControls(ListType) ([]string, error)
 }
 
 type IExceptionsGetter interface {
-	GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
 }
 type IBackend interface {
-	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
+	GetCustomerGUID() (*TenantResponse, error)
+	SetCustomerGUID(customerGUID string)
 }
 
 type IControlsInputsGetter interface {
-	GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error)
+	GetControlsInputs(clusterName string) (map[string][]string, error)
 }

cautils/getter/getpoliciesutils.go

@@ -10,8 +10,6 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
-
-	"github.com/armosec/opa-utils/reporthandling"
 )
 
 func GetDefaultPath(name string) string {
@@ -22,33 +20,8 @@ func GetDefaultPath(name string) string {
 	return defaultfilePath
 }
 
-// Save control as json in file
-func SaveControlInFile(control *reporthandling.Control, pathStr string) error {
-	encodedData, err := json.Marshal(control)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func SaveFrameworkInFile(framework *reporthandling.Framework, pathStr string) error {
-	encodedData, err := json.Marshal(framework)
+func SaveInFile(policy interface{}, pathStr string) error {
+	encodedData, err := json.Marshal(policy)
 	if err != nil {
 		return err
 	}

cautils/getter/loadpolicy.go

@@ -78,7 +78,17 @@ func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framew
 	return framework, err
 }
 
-func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
+	// TODO - Support
+	return []string{}, fmt.Errorf("loading frameworks list from file is not supported")
+}
+
+func (lp *LoadPolicy) ListControls(listType ListType) ([]string, error) {
+	// TODO - Support
+	return []string{}, fmt.Errorf("loading controls list from file is not supported")
+}
+
+func (lp *LoadPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	filePath := lp.filePath()
 	exception := []armotypes.PostureExceptionPolicy{}
 	f, err := os.ReadFile(filePath)
@@ -90,7 +100,7 @@ func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotyp
 	return exception, err
 }
 
-func (lp *LoadPolicy) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
+func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
 	filePath := lp.filePath()
 	accountConfig := &armotypes.CustomerConfig{}
 	f, err := os.ReadFile(filePath)

cautils/getter/loadpolicy_test.go

@@ -1,9 +1,7 @@
 package getter
 
 import (
-	"os"
 	"path/filepath"
-	"testing"
 )
 
 var mockFrameworkBasePath = filepath.Join("examples", "mocks", "frameworks")
@@ -13,8 +11,3 @@ func MockNewLoadPolicy() *LoadPolicy {
 		filePaths: []string{""},
 	}
 }
-
-func TestBla(t *testing.T) {
-	dir, _ := os.Getwd()
-	t.Error(dir)
-}

cautils/listpolicies.go

@@ -0,0 +1,7 @@
+package cautils
+
+type ListPolicies struct {
+	Target  string
+	ListIDs bool
+	Account string
+}

cautils/rbac.go

@@ -43,22 +43,19 @@ func (rbacObjects *RBACObjects) ListAllResources() (map[string]workloadinterface
 func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.RbacObjects) (map[string]workloadinterface.IMetadata, error) {
 	allresources := map[string]workloadinterface.IMetadata{}
 	// wrap rbac aggregated objects in IMetadata and add to allresources
-	rbacIMeta, err := rbacutils.RbacObjectIMetadataWrapper(resources.Rbac)
-	if err != nil {
-		return nil, err
-	}
-	allresources[rbacIMeta.GetID()] = rbacIMeta
-	rbacTableIMeta, err := rbacutils.RbacTableObjectIMetadataWrapper(resources.RbacT)
-	if err != nil {
-		return nil, err
-	}
-	allresources[rbacTableIMeta.GetID()] = rbacTableIMeta
+	// TODO - DEPRECATE SA2WLIDmap
 	SA2WLIDmapIMeta, err := rbacutils.SA2WLIDmapIMetadataWrapper(resources.SA2WLIDmap)
 	if err != nil {
 		return nil, err
 	}
 	allresources[SA2WLIDmapIMeta.GetID()] = SA2WLIDmapIMeta
 
+	SAID2WLIDmapIMeta, err := rbacutils.SAID2WLIDmapIMetadataWrapper(resources.SAID2WLIDmap)
+	if err != nil {
+		return nil, err
+	}
+	allresources[SAID2WLIDmapIMeta.GetID()] = SAID2WLIDmapIMeta
+
 	// convert rbac k8s resources to IMetadata and add to allresources
 	for _, cr := range resources.ClusterRoles.Items {
 		crmap, err := convertToMap(cr)

cautils/reportv2tov1.go

@@ -1,15 +1,16 @@
-package v1
+package cautils
 
 import (
-	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/opa-utils/reporthandling"
 	helpersv1 "github.com/armosec/opa-utils/reporthandling/helpers/v1"
 	"github.com/armosec/opa-utils/reporthandling/results/v1/reportsummary"
-	"github.com/armosec/opa-utils/reporthandling/results/v1/resourcesresults"
 	"github.com/armosec/opa-utils/score"
 )
 
-func reportV2ToV1(opaSessionObj *cautils.OPASessionObj) {
+func ReportV2ToV1(opaSessionObj *OPASessionObj) {
+	if len(opaSessionObj.PostureReport.FrameworkReports) > 0 {
+		return // report already converted
+	}
 
 	opaSessionObj.PostureReport.ClusterCloudProvider = opaSessionObj.Report.ClusterCloudProvider
 
@@ -34,9 +35,9 @@ func reportV2ToV1(opaSessionObj *cautils.OPASessionObj) {
 		frameworks = append(frameworks, fwv1)
 	}
 
-	// remove unused data
-	opaSessionObj.Report = nil
-	opaSessionObj.ResourcesResult = nil
+	// // remove unused data
+	// opaSessionObj.Report = nil
+	// opaSessionObj.ResourcesResult = nil
 
 	// setup counters and score
 	for f := range frameworks {
@@ -76,7 +77,7 @@ func reportV2ToV1(opaSessionObj *cautils.OPASessionObj) {
 	// }
 }
 
-func controlReportV2ToV1(opaSessionObj *cautils.OPASessionObj, frameworkName string, controls map[string]reportsummary.ControlSummary) []reporthandling.ControlReport {
+func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, controls map[string]reportsummary.ControlSummary) []reporthandling.ControlReport {
 	controlRepors := []reporthandling.ControlReport{}
 	for controlID, crv2 := range controls {
 		crv1 := reporthandling.ControlReport{}
@@ -90,12 +91,18 @@ func controlReportV2ToV1(opaSessionObj *cautils.OPASessionObj, frameworkName str
 		crv1.Description = crv2.Description
 		crv1.Remediation = crv2.Remediation
 
-		rulesv1 := initializeRuleList(&crv2, opaSessionObj.ResourcesResult)
+		rulesv1 := map[string]reporthandling.RuleReport{}
 
-		for _, resourceID := range crv2.List().All() {
+		for _, resourceID := range crv2.ListResourcesIDs().All() {
 			if result, ok := opaSessionObj.ResourcesResult[resourceID]; ok {
 				for _, rulev2 := range result.ListRulesOfControl(crv2.GetID(), "") {
 
+					if _, ok := rulesv1[rulev2.GetName()]; !ok {
+						rulesv1[rulev2.GetName()] = reporthandling.RuleReport{
+							Name: rulev2.GetName(),
+						}
+					}
+
 					rulev1 := rulesv1[rulev2.GetName()]
 					status := rulev2.GetStatus(&helpersv1.Filters{FrameworkNames: []string{frameworkName}})
 
@@ -133,21 +140,3 @@ func controlReportV2ToV1(opaSessionObj *cautils.OPASessionObj, frameworkName str
 	}
 	return controlRepors
 }
-
-func initializeRuleList(crv2 *reportsummary.ControlSummary, resourcesResult map[string]resourcesresults.Result) map[string]reporthandling.RuleReport {
-	rulesv1 := map[string]reporthandling.RuleReport{} // ruleName: rules
-
-	for _, resourceID := range crv2.List().All() {
-		if result, ok := resourcesResult[resourceID]; ok {
-			for _, rulev2 := range result.ListRulesOfControl(crv2.GetID(), "") {
-				// add to rule
-				if _, ok := rulesv1[rulev2.GetName()]; !ok {
-					rulesv1[rulev2.GetName()] = reporthandling.RuleReport{
-						Name: rulev2.GetName(),
-					}
-				}
-			}
-		}
-	}
-	return rulesv1
-}

cautils/scaninfo.go

@@ -64,6 +64,7 @@ type ScanInfo struct {
 	HostSensor         BoolPtrFlag // Deploy ARMO K8s host sensor to collect data from certain controls
 	Local              bool        // Do not submit results
 	Account            string      // account ID
+	ClusterName        string      // cluster name
 	FrameworkScan      bool        // false if scanning control
 	ScanAll            bool        // true if scan all frameworks
 }
@@ -76,20 +77,10 @@ type Getters struct {
 
 func (scanInfo *ScanInfo) Init() {
 	scanInfo.setUseFrom()
-	scanInfo.setUseExceptions()
 	scanInfo.setOutputFile()
 
 }
 
-func (scanInfo *ScanInfo) setUseExceptions() {
-	if scanInfo.UseExceptions != "" {
-		// load exceptions from file
-		scanInfo.ExceptionsGetter = getter.NewLoadPolicy([]string{scanInfo.UseExceptions})
-	} else {
-		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
-	}
-}
-
 func (scanInfo *ScanInfo) setUseFrom() {
 	if scanInfo.UseDefault {
 		for _, policy := range scanInfo.PolicyIdentifier {

clihandler/clidownload.go

@@ -0,0 +1,114 @@
+package clihandler
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+)
+
+var downloadFunc = map[string]func(*cautils.DownloadInfo) error{
+	"controls-inputs": downloadConfigInputs,
+	"exceptions":      downloadExceptions,
+	"control":         downloadControl,
+	"framework":       downloadFramework,
+}
+
+func DownloadSupportCommands() []string {
+	commands := []string{}
+	for k := range downloadFunc {
+		commands = append(commands, k)
+	}
+	return commands
+}
+
+func CliDownload(downloadInfo *cautils.DownloadInfo) error {
+	if f, ok := downloadFunc[downloadInfo.Target]; ok {
+		if err := f(downloadInfo); err != nil {
+			return err
+		}
+		fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, downloadInfo.Path)
+		return nil
+	}
+	return fmt.Errorf("unknown command to download")
+}
+
+func downloadConfigInputs(downloadInfo *cautils.DownloadInfo) error {
+	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi()) // change k8sinterface
+	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetCustomerGUID(), nil)
+	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetClusterName())
+	if err != nil {
+		return err
+	}
+	if downloadInfo.Path == "" {
+		downloadInfo.Path = getter.GetDefaultPath(fmt.Sprintf("%s.json", downloadInfo.Target))
+	}
+	// save in file
+	err = getter.SaveInFile(controlInputs, downloadInfo.Path)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func downloadExceptions(downloadInfo *cautils.DownloadInfo) error {
+	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi()) // change k8sinterface
+	exceptionsGetter := getExceptionsGetter("")
+	exceptions, err := exceptionsGetter.GetExceptions(tenant.GetClusterName())
+	if err != nil {
+		return err
+	}
+	if downloadInfo.Path == "" {
+		downloadInfo.Path = getter.GetDefaultPath(fmt.Sprintf("%s.json", downloadInfo.Target))
+	}
+	// save in file
+	err = getter.SaveInFile(exceptions, downloadInfo.Path)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
+	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi()) // change k8sinterface
+	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), true, nil)
+
+	if downloadInfo.Name == "" {
+		// TODO - support
+		return fmt.Errorf("missing framework name")
+	}
+	if downloadInfo.Path == "" {
+		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.Name + ".json")
+	}
+	frameworks, err := g.GetFramework(downloadInfo.Name)
+	if err != nil {
+		return err
+	}
+	err = getter.SaveInFile(frameworks, downloadInfo.Path)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func downloadControl(downloadInfo *cautils.DownloadInfo) error {
+	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi()) // change k8sinterface
+	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), false, nil)
+
+	if downloadInfo.Name == "" {
+		// TODO - support
+		return fmt.Errorf("missing control name")
+	}
+	if downloadInfo.Path == "" {
+		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.Name + ".json")
+	}
+	controls, err := g.GetControl(downloadInfo.Name)
+	if err != nil {
+		return err
+	}
+	err = getter.SaveInFile(controls, downloadInfo.Path)
+	if err != nil {
+		return err
+	}
+	return nil
+}

clihandler/clilist.go

@@ -0,0 +1,58 @@
+package clihandler
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+)
+
+var listFunc = map[string]func(*cautils.ListPolicies) ([]string, error){
+	"controls":   listControls,
+	"frameworks": listFrameworks,
+}
+
+func ListSupportCommands() []string {
+	commands := []string{}
+	for k := range listFunc {
+		commands = append(commands, k)
+	}
+	return commands
+}
+func CliList(listPolicies *cautils.ListPolicies) error {
+	if f, ok := listFunc[listPolicies.Target]; ok {
+		policies, err := f(listPolicies)
+		if err != nil {
+			return err
+		}
+		sort.Strings(policies)
+
+		sep := "\n  * "
+		usageCmd := strings.TrimSuffix(listPolicies.Target, "s")
+		fmt.Printf("Supported %s:%s%s\n", listPolicies.Target, sep, strings.Join(policies, sep))
+		fmt.Printf("\nUseage:\n")
+		fmt.Printf("$ kubescape scan %s \"name\"\n", usageCmd)
+		fmt.Printf("$ kubescape scan %s \"name-0\",\"name-1\"\n\n", usageCmd)
+		return nil
+	}
+	return fmt.Errorf("unknown command to download")
+}
+
+func listFrameworks(listPolicies *cautils.ListPolicies) ([]string, error) {
+	tenant := getTenantConfig(listPolicies.Account, "", getKubernetesApi()) // change k8sinterface
+	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), true, nil)
+
+	return listFrameworksNames(g), nil
+}
+
+func listControls(listPolicies *cautils.ListPolicies) ([]string, error) {
+	tenant := getTenantConfig(listPolicies.Account, "", getKubernetesApi()) // change k8sinterface
+	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), false, nil)
+	l := getter.ListName
+	if listPolicies.ListIDs {
+		l = getter.ListID
+	}
+	return g.ListControls(l)
+}

clihandler/cmd/cluster_get.go

@@ -11,10 +11,9 @@ import (
 )
 
 var getCmd = &cobra.Command{
-	Use:       "get <key>",
-	Short:     "Get configuration in cluster",
-	Long:      ``,
-	ValidArgs: getter.NativeFrameworks,
+	Use:   "get <key>",
+	Short: "Get configuration in cluster",
+	Long:  ``,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument")
@@ -31,7 +30,7 @@ var getCmd = &cobra.Command{
 		key := keyValue[0]
 
 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account, "")
 		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {

clihandler/cmd/cluster_set.go

@@ -30,7 +30,7 @@ var setCmd = &cobra.Command{
 		data := keyValue[1]
 
 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account, "")
 		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
 			return err
 		}

clihandler/cmd/control.go

@@ -7,16 +7,34 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
 )
 
+var (
+	controlExample = `
+  # Scan the 'privileged container' control
+  kubescape scan control "privileged container"
+	
+  # Scan list of controls separated with a comma
+  kubescape scan control "privileged container","allowed hostpath"
+  
+  # Scan list of controls using the control ID separated with a comma
+  kubescape scan control C-0058,C-0057
+  
+  Run 'kubescape list controls' for the list of supported controls
+  
+  Control documentation:
+  https://hub.armo.cloud/docs/controls
+`
+)
+
 // controlCmd represents the control command
 var controlCmd = &cobra.Command{
-	Use:   "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
+	Use:     "control <control names list>/<control ids list>",
+	Short:   "The controls you wish to use. Run 'kubescape list controls' for the list of supported controls",
+	Example: controlExample,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			controls := strings.Split(args[0], ",")
@@ -35,7 +53,7 @@ var controlCmd = &cobra.Command{
 		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
 
 		if len(args) == 0 {
-			scanInfo.SetPolicyIdentifiers(getter.NativeFrameworks, reporthandling.KindFramework)
+			// scanInfo.SetPolicyIdentifiers(getter.NativeFrameworks, reporthandling.KindFramework)
 			scanInfo.ScanAll = true
 		} else { // expected control or list of control sepparated by ","
 

clihandler/cmd/download.go

@@ -6,27 +6,32 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/clihandler"
 	"github.com/spf13/cobra"
 )
 
-var downloadInfo cautils.DownloadInfo
+var downloadInfo = cautils.DownloadInfo{}
 
 var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", getter.NativeFrameworks),
-	Short: "Download framework/control",
+	Use:   "download <policy> <policy name>",
+	Short: fmt.Sprintf("Download %s", strings.Join(clihandler.DownloadSupportCommands(), "/")),
 	Long:  ``,
 	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) != 2 {
-			return fmt.Errorf("requires two arguments : framework/control <framework-name>/<control-name>")
+		supported := strings.Join(clihandler.DownloadSupportCommands(), ",")
+		if len(args) < 1 {
+			return fmt.Errorf("policy type requeued, supported: %v", supported)
 		}
-		if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-			return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
+		if cautils.StringInSlice(clihandler.DownloadSupportCommands(), args[0]) == cautils.ValueNotFound {
+			return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
 		}
 		return nil
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if err := download(args); err != nil {
+		downloadInfo.Target = args[0]
+		if len(args) >= 2 {
+			downloadInfo.Name = args[1]
+		}
+		if err := clihandler.CliDownload(&downloadInfo); err != nil {
 			fmt.Fprintf(os.Stderr, "error: %v\n", err)
 			os.Exit(1)
 		}
@@ -35,61 +40,10 @@ var downloadCmd = &cobra.Command{
 }
 
 func init() {
+	// cobra.OnInitialize(initConfig)
+
 	rootCmd.AddCommand(downloadCmd)
-	downloadInfo = cautils.DownloadInfo{}
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
-}
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<policy name>.json`")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
 
-func download(args []string) error {
-	switch strings.ToLower(args[0]) {
-	case "framework":
-		return downloadFramework(args[1])
-	case "control":
-		return downloadControl(args[1])
-	// case "exceptions":
-	// case "artifacts":
-	default:
-		return fmt.Errorf("unknown command to download")
-	}
-}
-
-func downloadFramework(frameworkName string) error {
-	downloadInfo.FrameworkName = strings.ToLower(frameworkName)
-	g := getter.NewDownloadReleasedPolicy()
-	if err := g.SetRegoObjects(); err != nil {
-		return err
-	}
-
-	if downloadInfo.Path == "" {
-		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
-	}
-	frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
-	if err != nil {
-		return err
-	}
-	err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func downloadControl(controlName string) error {
-	downloadInfo.ControlName = strings.ToLower(controlName)
-	g := getter.NewDownloadReleasedPolicy()
-	if err := g.SetRegoObjects(); err != nil {
-		return err
-	}
-	if downloadInfo.Path == "" {
-		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.ControlName + ".json")
-	}
-	controls, err := g.GetControl(downloadInfo.ControlName)
-	if err != nil {
-		return err
-	}
-	err = getter.SaveControlInFile(controls, downloadInfo.Path)
-	if err != nil {
-		return err
-	}
-	return nil
 }

clihandler/cmd/framework.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
@@ -24,6 +23,9 @@ var (
   # Scan the NSA and MITRE framework
   kubescape scan framework nsa,mitre
   
+  # Scan all frameworks
+  kubescape scan framework all
+
   # Scan kubernetes YAML manifest files
   kubescape scan framework nsa *.yaml
 
@@ -35,14 +37,16 @@ var (
 
   # Display all resources
   kubescape scan --verbose
+
+  Run 'kubescape list frameworks' for the list of supported frameworks
 `
 )
 var frameworkCmd = &cobra.Command{
-	Use:       "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(getter.NativeFrameworks, ", ")),
-	Example:   frameworkExample,
-	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: getter.NativeFrameworks,
+	Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
+	Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
+	Example: frameworkExample,
+	Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
+	// ValidArgs: getter.NativeFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			frameworks := strings.Split(args[0], ",")
@@ -61,12 +65,15 @@ var frameworkCmd = &cobra.Command{
 		var frameworks []string
 
 		if len(args) == 0 { // scan all frameworks
-			frameworks = getter.NativeFrameworks
+			// frameworks = getter.NativeFrameworks
 			scanInfo.ScanAll = true
 		} else {
 			// Read frameworks from input args
 			frameworks = strings.Split(args[0], ",")
-
+			if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
+				scanInfo.ScanAll = true
+				frameworks = []string{}
+			}
 			if len(args) > 1 {
 				if len(args[1:]) == 0 || args[1] != "-" {
 					scanInfo.InputPatterns = args[1:]
@@ -84,6 +91,8 @@ var frameworkCmd = &cobra.Command{
 				}
 			}
 		}
+		scanInfo.FrameworkScan = true
+
 		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
 
 		scanInfo.Init()

clihandler/cmd/list.go

@@ -0,0 +1,66 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/clihandler"
+	"github.com/spf13/cobra"
+)
+
+var (
+	listExample = `
+  # List default supported frameworks names
+  kubescape list frameworks
+  
+  # List all supported frameworks names
+  kubescape list frameworks --account <account id>
+	
+  # List all supported controls names
+  kubescape list controls
+
+  # List all supported controls id's
+  kubescape list controls --id 
+  
+  Control documentation:
+  https://hub.armo.cloud/docs/controls
+`
+)
+var listPolicies = cautils.ListPolicies{}
+
+var listCmd = &cobra.Command{
+	Use:     "list <policy> [flags]",
+	Short:   "List frameworks/controls will list the supported frameworks and controls",
+	Long:    ``,
+	Example: listExample,
+	Args: func(cmd *cobra.Command, args []string) error {
+		supported := strings.Join(clihandler.ListSupportCommands(), ",")
+
+		if len(args) < 1 {
+			return fmt.Errorf("policy type requeued, supported: %s", supported)
+		}
+		if cautils.StringInSlice(clihandler.ListSupportCommands(), args[0]) == cautils.ValueNotFound {
+			return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		listPolicies.Target = args[0]
+
+		if err := clihandler.CliList(&listPolicies); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
+		return nil
+	},
+}
+
+func init() {
+	// cobra.OnInitialize(initConfig)
+
+	rootCmd.AddCommand(listCmd)
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+	listCmd.PersistentFlags().BoolVarP(&listPolicies.ListIDs, "id", "", false, "List control ID's instead of controls names")
+}

clihandler/cmd/root.go

@@ -35,14 +35,9 @@ func init() {
 	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().MarkHidden("environment")
-	cobra.OnInitialize(initConfig)
 
 }
 
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-}
-
 func InitArmoBEConnector() {
 	urlSlices := strings.Split(armoBEURLs, ",")
 	if len(urlSlices) > 3 {

clihandler/cmd/scan.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/spf13/cobra"
 )
 
@@ -27,15 +27,22 @@ var scanCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		if len(args) == 0 {
 			scanInfo.ScanAll = true
-			frameworks := getter.NativeFrameworks
-			frameworkArgs := []string{strings.Join(frameworks, ",")}
-			frameworkCmd.RunE(cmd, frameworkArgs)
+			// frameworks := getter.NativeFrameworks
+			// frameworkArgs := []string{strings.Join(frameworks, ",")}
+			frameworkCmd.RunE(cmd, []string{"all"})
 		}
 	},
 }
 
+func frameworkInitConfig() {
+	k8sinterface.SetClusterContextName(scanInfo.ClusterName)
+}
+
 func init() {
+	cobra.OnInitialize(frameworkInitConfig)
+
 	rootCmd.AddCommand(scanCmd)
+	rootCmd.PersistentFlags().StringVarP(&scanInfo.ClusterName, "cluster", "", "", "Cluster name. Default will use the current-context")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")

clihandler/cmd/submit.go

@@ -20,7 +20,7 @@ func init() {
 }
 
 func getSubmittedClusterConfig(k8s *k8sinterface.KubernetesApi) (*cautils.ClusterConfig, error) {
-	clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account) // TODO - support none cluster env submit
+	clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account, scanInfo.ClusterName) // TODO - support none cluster env submit
 	if clusterConfig.GetCustomerGUID() != "" {
 		if err := clusterConfig.SetTenant(); err != nil {
 			return clusterConfig, err

clihandler/initcli.go

@@ -5,6 +5,7 @@ import (
 	"io/fs"
 	"os"
 
+	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/resultshandling/printer"
 	printerv1 "github.com/armosec/kubescape/resultshandling/printer/v1"
 
@@ -34,9 +35,16 @@ type componentInterfaces struct {
 
 func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 
-	k8s := getKubernetesApi(scanInfo)
+	var k8s *k8sinterface.KubernetesApi
+	if scanInfo.GetScanningEnvironment() == cautils.ScanCluster {
+		k8s = getKubernetesApi()
+		if k8s == nil {
+			fmt.Println("Failed connecting to Kubernetes cluster")
+			os.Exit(1)
+		}
+	}
 
-	tenantConfig := getTenantConfig(scanInfo, k8s)
+	tenantConfig := getTenantConfig(scanInfo.Account, scanInfo.ClusterName, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
@@ -92,10 +100,18 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetCustomerGUID())
 
 	downloadReleasedPolicy := getter.NewDownloadReleasedPolicy() // download config inputs from github release
-	// set policy getter only after setting the customerGUID
-	setPolicyGetter(scanInfo, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
-	setConfigInputsGetter(scanInfo, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
 
+	// set policy getter only after setting the customerGUID
+	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetCustomerGUID(), scanInfo.FrameworkScan, downloadReleasedPolicy)
+	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
+	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions)
+
+	// TODO - list supported frameworks/controls
+	if scanInfo.ScanAll {
+		scanInfo.SetPolicyIdentifiers(listFrameworksNames(scanInfo.Getters.PolicyGetter), reporthandling.KindFramework)
+	}
+
+	//
 	defer func() {
 		if err := interfaces.hostSensorHandler.TearDown(); err != nil {
 			errMsg := "failed to tear down host sensor"
@@ -129,7 +145,7 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 	// print report url
 	interfaces.report.DisplayReportURL()
 
-	if score >= float32(scanInfo.FailThreshold) {
+	if score > float32(scanInfo.FailThreshold) {
 		return fmt.Errorf("scan risk-score %.2f is above permitted threshold %d", score, scanInfo.FailThreshold)
 	}
 

clihandler/initcliutils.go

@@ -13,21 +13,30 @@ import (
 	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/armosec/rbac-utils/rbacscanner"
-	"github.com/golang/glog"
 	// reporterv2 "github.com/armosec/kubescape/resultshandling/reporter/v2"
 )
 
-func getKubernetesApi(scanInfo *cautils.ScanInfo) *k8sinterface.KubernetesApi {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+// getKubernetesApi
+func getKubernetesApi() *k8sinterface.KubernetesApi {
+	if !k8sinterface.IsConnectedToCluster() {
 		return nil
 	}
 	return k8sinterface.NewKubernetesApi()
 }
-func getTenantConfig(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		return cautils.NewLocalConfig(getter.GetArmoAPIConnector(), scanInfo.Account)
+func getTenantConfig(Account, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return cautils.NewLocalConfig(getter.GetArmoAPIConnector(), Account, clusterName)
+	}
+	return cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), Account, clusterName)
+}
+
+func getExceptionsGetter(useExceptions string) getter.IExceptionsGetter {
+	if useExceptions != "" {
+		// load exceptions from file
+		return getter.NewLoadPolicy([]string{useExceptions})
+	} else {
+		return getter.GetArmoAPIConnector()
 	}
-	return cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
 }
 
 func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
@@ -43,8 +52,9 @@ func getReporter(tenantConfig cautils.ITenantConfig, submit bool) reporter.IRepo
 	}
 	return reporterv1.NewReportMock()
 }
+
 func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, hostSensorHandler hostsensorutils.IHostSensor) resourcehandler.IResourceHandler {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+	if len(scanInfo.InputPatterns) > 0 || k8s == nil {
 		return resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
 	}
 	rbacObjects := getRBACHandler(tenantConfig, k8s, scanInfo.Submit)
@@ -52,18 +62,20 @@ func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenant
 }
 
 func getHostSensorHandler(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) hostsensorutils.IHostSensor {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
 		return &hostsensorutils.HostSensorHandlerMock{}
 	}
+
 	hasHostSensorControls := true
 	// we need to determined which controls needs host sensor
 	if scanInfo.HostSensor.Get() == nil && hasHostSensorControls {
 		scanInfo.HostSensor.SetBool(askUserForHostSensor())
+		cautils.WarningDisplay(os.Stderr, "Warning: Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using  the --enable-host-scan flag\n")
 	}
 	if hostSensorVal := scanInfo.HostSensor.Get(); hostSensorVal != nil && *hostSensorVal {
 		hostSensorHandler, err := hostsensorutils.NewHostSensorHandler(k8s)
-		if err != nil || hostSensorHandler == nil {
-			glog.Errorf("failed to create host sensor: %v", err)
+		if err != nil {
+			cautils.WarningDisplay(os.Stderr, fmt.Sprintf("Warning: failed to create host sensor: %v\n", err.Error()))
 			return &hostsensorutils.HostSensorHandlerMock{}
 		}
 		return hostSensorHandler
@@ -116,12 +128,6 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 		return
 	}
 
-	// do not submit yaml/url scanning
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		scanInfo.Submit = false
-		return
-	}
-
 	if tenantConfig.IsConfigFound() { // config found in cache (submitted)
 		if !scanInfo.Local {
 			// Submit report
@@ -138,55 +144,64 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 }
 
 // setPolicyGetter set the policy getter - local file/github release/ArmoAPI
-func setPolicyGetter(scanInfo *cautils.ScanInfo, customerGUID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if len(scanInfo.UseFrom) > 0 {
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		if customerGUID == "" || !scanInfo.FrameworkScan {
-			setDownloadReleasedPolicy(scanInfo, downloadReleasedPolicy)
-		} else {
-			setGetArmoAPIConnector(scanInfo, customerGUID)
-		}
+func getPolicyGetter(loadPoliciesFromFile []string, accountID string, frameworkScope bool, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IPolicyGetter {
+	if len(loadPoliciesFromFile) > 0 {
+		return getter.NewLoadPolicy(loadPoliciesFromFile)
 	}
+	if accountID != "" && frameworkScope {
+		g := getter.GetArmoAPIConnector() // download policy from ARMO backend
+		g.SetCustomerGUID(accountID)
+		return g
+	}
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	return getDownloadReleasedPolicy(downloadReleasedPolicy)
+
 }
 
+// func setGetArmoAPIConnector(scanInfo *cautils.ScanInfo, customerGUID string) {
+// 	g := getter.GetArmoAPIConnector() // download policy from ARMO backend
+// 	g.SetCustomerGUID(customerGUID)
+// 	scanInfo.PolicyGetter = g
+// 	if scanInfo.ScanAll {
+// 		frameworks, err := g.ListCustomFrameworks(customerGUID)
+// 		if err != nil {
+// 			glog.Error("failed to get custom frameworks") // handle error
+// 			return
+// 		}
+// 		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
+// 	}
+// }
+
 // setConfigInputsGetter sets the config input getter - local file/github release/ArmoAPI
-func setConfigInputsGetter(scanInfo *cautils.ScanInfo, customerGUID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if len(scanInfo.ControlsInputs) > 0 {
-		scanInfo.Getters.ControlsInputsGetter = getter.NewLoadPolicy([]string{scanInfo.ControlsInputs})
+func getConfigInputsGetter(ControlsInputs string, accountID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IControlsInputsGetter {
+	if len(ControlsInputs) > 0 {
+		return getter.NewLoadPolicy([]string{ControlsInputs})
+	}
+	if accountID != "" {
+		g := getter.GetArmoAPIConnector() // download config from ARMO backend
+		g.SetCustomerGUID(accountID)
+		return g
+	}
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull config inputs, fallback to BE
+		cautils.WarningDisplay(os.Stderr, "Warning: failed to get config inputs from github release, this may affect the scanning results\n")
+	}
+	return downloadReleasedPolicy
+}
+
+func getDownloadReleasedPolicy(downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IPolicyGetter {
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull policy, fallback to cache
+		cautils.WarningDisplay(os.Stderr, "Warning: failed to get policies from github release, loading policies from cache\n")
+		return getter.NewLoadPolicy(getDefaultFrameworksPaths())
 	} else {
-		if customerGUID != "" {
-			scanInfo.Getters.ControlsInputsGetter = getter.GetArmoAPIConnector()
-		} else {
-			if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull config inputs, fallback to BE
-				cautils.WarningDisplay(os.Stderr, "Warning: failed to get config inputs from github release, this may affect the scanning results\n")
-			}
-			scanInfo.Getters.ControlsInputsGetter = downloadReleasedPolicy
-		}
+		return downloadReleasedPolicy
 	}
 }
 
-func setDownloadReleasedPolicy(scanInfo *cautils.ScanInfo, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull policy, fallback to cache
-		cautils.WarningDisplay(os.Stderr, "Warning: failed to get policies from github release, loading policies from cache\n")
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(getDefaultFrameworksPaths())
-	} else {
-		scanInfo.PolicyGetter = downloadReleasedPolicy
-	}
-}
-func setGetArmoAPIConnector(scanInfo *cautils.ScanInfo, customerGUID string) {
-	g := getter.GetArmoAPIConnector() // download policy from ARMO backend
-	g.SetCustomerGUID(customerGUID)
-	scanInfo.PolicyGetter = g
-	if scanInfo.ScanAll {
-		frameworks, err := g.ListCustomFrameworks(customerGUID)
-		if err != nil {
-			glog.Error("failed to get custom frameworks") // handle error
-			return
-		}
-		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
-	}
-}
 func getDefaultFrameworksPaths() []string {
 	fwPaths := []string{}
 	for i := range getter.NativeFrameworks {
@@ -194,3 +209,11 @@ func getDefaultFrameworksPaths() []string {
 	}
 	return fwPaths
 }
+
+func listFrameworksNames(policyGetter getter.IPolicyGetter) []string {
+	fw, err := policyGetter.ListFrameworks()
+	if err != nil {
+		fw = getDefaultFrameworksPaths()
+	}
+	return fw
+}

docs/proposals/container-image-vulnerability-adaptor.md

@@ -0,0 +1,117 @@
+# Container image vulnerabilty adaptor interface proposal
+
+## Rationale
+
+source #287 
+
+### Big picture
+
+* Kubescape team planning to create controls which take into account image vulnerabilities, example: looking for public internet facing workloads with critical vulnerabilities. These are seriously effecting the security health of a cluster and therefore we think it is important to cover it. We think that most container registries are/will support image scanning like Harbor and therefore the ability to get information from them is important.
+* There are information in the image repository which is important for existing controls as well. They are incomplete without it, example see this issue: Non-root containers check is broken #19 . These are not necessarily image vulnerability related. Can be information in the image manifest (like the issue before), but it can be the image BOM related.
+
+### Relation to this proposal
+
+There are multiple changes and design decisions needs to be made before Kubescape will support the before outlined controls. However, a focal point the whole picutre is the ability to access vulnerabilty databases of container images. We anticiapte that most container image repositories will support image vulnerabilty scanning, some major players are already do. Since there is no a single API available which all of these data sources support it is important to create an adaption layer within Kubescape so different datasources can serve Kubescape's goals.
+
+## High level design of Kubescape
+
+### Layers
+
+* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego
+* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter 
+* Rules processor: Kubescape component, it enumerates and runs the controls while also preparing the all the input data that the controls need for running
+* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability infomration
+* Cloud Image Vulnerability adaption interface: the subject of this proposal, it gives a common interface for different registry/vulnerabilty vendors to adapt to.
+* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption
+```
+ -----------------------
+| Controls/Rules (rego) |
+ -----------------------
+            |
+ -----------------------
+|      OPA engine       |
+ -----------------------
+            |
+ -----------------------
+|    Rules processor    |
+ ----------------------- 
+            |
+ -----------------------
+|     Data sources      |
+ -----------------------              
+            |
+ =======================
+| CIV adaption interface|    <- Adding this layer in this proposal
+ ======================= 
+            |
+ -----------------------
+| Specific CIV adaptors |    <- will be implemented based on this proposal
+ -----------------------      
+
+        
+
+```
+
+## Functionalities to cover
+
+The interface needs to cover the following functionalities:
+
+* Authentication against the information source (abstracted login)
+* Triggering image scan (if applicable, the source might store vulnerabilities for images but cannot scan alone)
+* Reading image scan status (with last scan date and etc.)
+* Getting vulnerability information for a given image
+* Getting image information
+  * Image manifests
+  * Image BOMs (bill of material)
+
+## Go API proposal
+
+```
+
+/*type ContainerImageRegistryCredentials struct {
+	   map[string]string
+	Password string
+	Tag        string
+	Hash       string
+}*/
+
+type ContainerImageIdentifier struct {
+	Registry   string
+	Repository string
+	Tag        string
+	Hash       string
+}
+
+type ContainerImageScanStatus struct {
+	ImageID         ContainerImageIdentifier
+	IsScanAvailable bool
+	IsBomAvailable  bool
+	LastScanDate    time.Time
+}
+
+type ContainerImageVulnerability struct {
+	ImageID ContainerImageIdentifier
+	// TBD
+}
+
+type ContainerImageInformation struct {
+	ImageID       ContainerImageIdentifier
+	Bom           []string
+	ImageManifest Manifest // will use here Docker package definition
+}
+
+type IContainerImageVulnerabilityAdaptor interface {
+	// Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
+	// so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
+	Login(registry string, credentials map[string]string) error
+
+	// For "help" purposes
+	DescribeAdaptor() string
+
+	GetImagesScanStatus(imageIDs []ContainerImageIdentifier) ([]ContainerImageScanStatus, error)
+
+	GetImagesVulnerabilties(imageIDs []ContainerImageIdentifier) ([]ContainerImageVulnerability, error)
+
+	GetImagesInformation(imageIDs []ContainerImageIdentifier) ([]ContainerImageInformation, error)
+}
+```

go.mod

@@ -4,9 +4,9 @@ go 1.17
 
 require (
 	github.com/armosec/armoapi-go v0.0.40
-	github.com/armosec/k8s-interface v0.0.50
-	github.com/armosec/opa-utils v0.0.88
-	github.com/armosec/rbac-utils v0.0.9
+	github.com/armosec/k8s-interface v0.0.54
+	github.com/armosec/opa-utils v0.0.92
+	github.com/armosec/rbac-utils v0.0.11
 	github.com/armosec/utils-go v0.0.3
 	github.com/briandowns/spinner v1.18.0
 	github.com/enescakir/emoji v1.0.0

go.sum

@@ -89,14 +89,15 @@ github.com/armosec/armoapi-go v0.0.40 h1:KQRJXFqw95s6cV7HoGgw1x8qrRZ9eNVze//yQbo
 github.com/armosec/armoapi-go v0.0.40/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/k8s-interface v0.0.37/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
-github.com/armosec/k8s-interface v0.0.50 h1:iLPGI0j85vwKANr9QDAnba4Efjg3DyIJg15jRJdvOnc=
 github.com/armosec/k8s-interface v0.0.50/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
+github.com/armosec/k8s-interface v0.0.54 h1:1sQeoEZA5bgpXVibXhEiTSeLd3GKY5NkTOeewdgR0Bs=
+github.com/armosec/k8s-interface v0.0.54/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.88 h1:IxIml3w7l0HFqbb+XzKuXf+Pw78DHIxPwRIkgudKQRw=
-github.com/armosec/opa-utils v0.0.88/go.mod h1:ZOXYVTtuyrV4TldcfbzgRqP6F9Drlf4hB0zr210OXgM=
+github.com/armosec/opa-utils v0.0.92 h1:RzzORhfLx9Evc2ceFtNRoehxUFzwlvK5iMtR6fLWzZc=
+github.com/armosec/opa-utils v0.0.92/go.mod h1:ZOXYVTtuyrV4TldcfbzgRqP6F9Drlf4hB0zr210OXgM=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
-github.com/armosec/rbac-utils v0.0.9 h1:rIOWp4K7BELUNX32ktSjVbb8d/0SpH7W76W6Tf+8rzw=
-github.com/armosec/rbac-utils v0.0.9/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
+github.com/armosec/rbac-utils v0.0.11 h1:SCiVLqUeV+WGpUsWbOBt6jKkFAd62jztuzB6PIgHz7w=
+github.com/armosec/rbac-utils v0.0.11/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=

hostsensorutils/hostsensorgetfrompod.go

@@ -104,7 +104,22 @@ func (hsh *HostSensorHandler) GetLinuxSecurityHardeningStatus() ([]hostsensor.Ho
 // return list of KubeletCommandLine
 func (hsh *HostSensorHandler) GetKubeletCommandLine() ([]hostsensor.HostSensorDataEnvelope, error) {
 	// loop over pods and port-forward it to each of them
-	return hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine", "KubeletCommandLine")
+	resps, err := hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine", "KubeletCommandLine")
+	if err != nil {
+		return resps, err
+	}
+	for resp := range resps {
+		var data = make(map[string]interface{})
+		data["fullCommand"] = string(resps[resp].Data)
+		resBytesMarshal, err := json.Marshal(data)
+		// TODO catch error
+		if err == nil {
+			resps[resp].Data = json.RawMessage(resBytesMarshal)
+		}
+	}
+
+	return resps, nil
+
 }
 
 // return list of
@@ -122,7 +137,7 @@ func (hsh *HostSensorHandler) GetOsReleaseFile() ([]hostsensor.HostSensorDataEnv
 // return list of
 func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]hostsensor.HostSensorDataEnvelope, error) {
 	// loop over pods and port-forward it to each of them
-	res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletConfigurations", "KubeletConfigurations") // empty kind, will be overridden
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletConfigurations", "KubeletConfiguration") // empty kind, will be overridden
 	for resIdx := range res {
 		jsonBytes, err := yaml.YAMLToJSON(res[resIdx].Data)
 		if err != nil {

opaprocessor/processorhandler.go

@@ -59,10 +59,10 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
 		opaSessionObj := <-*opaHandler.processedPolicy
 		opap := NewOPAProcessor(opaSessionObj, opaHandler.regoDependenciesData)
 
-		ConvertFrameworksToSummaryDetails(&opap.Report.SummaryDetails, opap.Frameworks)
-
 		policies := ConvertFrameworksToPolicies(opap.Frameworks, cautils.BuildNumber)
 
+		ConvertFrameworksToSummaryDetails(&opap.Report.SummaryDetails, opap.Frameworks, policies)
+
 		// process
 		if err := opap.Process(policies); err != nil {
 			// fmt.Println(err)
@@ -197,6 +197,7 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (map[stri
 				if r, k := resources[failedResources[j].GetID()]; k {
 					ruleResult = r
 				}
+
 				ruleResult.Status = apis.StatusFailed
 				for j := range ruleResponses[i].FailedPaths {
 					ruleResult.Paths = append(ruleResult.Paths, resourcesresults.Path{FailedPath: ruleResponses[i].FailedPaths[j]})

opaprocessor/processorhandler_test.go

@@ -71,7 +71,7 @@ func TestProcessResourcesResult(t *testing.T) {
 	opaSessionObj.Frameworks = frameworks
 
 	policies := ConvertFrameworksToPolicies(opaSessionObj.Frameworks, "")
-	ConvertFrameworksToSummaryDetails(&opaSessionObj.Report.SummaryDetails, opaSessionObj.Frameworks)
+	ConvertFrameworksToSummaryDetails(&opaSessionObj.Report.SummaryDetails, opaSessionObj.Frameworks, policies)
 
 	opaSessionObj.K8SResources = &k8sResources
 	opaSessionObj.AllResources[deployment.GetID()] = deployment

opaprocessor/processorhandlerutils.go

@@ -70,6 +70,7 @@ func getAllSupportedObjects(k8sResources *cautils.K8SResources, allResources map
 
 func getKubernetesObjects(k8sResources *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata, match []reporthandling.RuleMatchObjects) []workloadinterface.IMetadata {
 	k8sObjects := []workloadinterface.IMetadata{}
+
 	for m := range match {
 		for _, groups := range match[m].APIGroups {
 			for _, version := range match[m].APIVersions {
@@ -91,9 +92,33 @@ func getKubernetesObjects(k8sResources *cautils.K8SResources, allResources map[s
 		}
 	}
 
-	return k8sObjects
+	return filterOutChildResources(k8sObjects, match)
 }
 
+// filterOutChildResources filter out child resources if the parent resource is in the list
+func filterOutChildResources(objects []workloadinterface.IMetadata, match []reporthandling.RuleMatchObjects) []workloadinterface.IMetadata {
+	response := []workloadinterface.IMetadata{}
+	owners := []string{}
+	for m := range match {
+		for i := range match[m].Resources {
+			owners = append(owners, match[m].Resources[i])
+		}
+	}
+	for i := range objects {
+		if !k8sinterface.IsTypeWorkload(objects[i].GetObject()) {
+			response = append(response, objects[i])
+			continue
+		}
+		w := workloadinterface.NewWorkloadObj(objects[i].GetObject())
+		ownerReferences, err := w.GetOwnerReferences()
+		if err != nil || len(ownerReferences) == 0 {
+			response = append(response, w)
+		} else if !k8sinterface.IsStringInSlice(owners, ownerReferences[0].Kind) {
+			response = append(response, w)
+		}
+	}
+	return response
+}
 func getRuleDependencies() (map[string]string, error) {
 	modules := resources.LoadRegoModules()
 	if len(modules) == 0 {

opaprocessor/utils.go

@@ -14,7 +14,7 @@ func ConvertFrameworksToPolicies(frameworks []reporthandling.Framework, version
 }
 
 // ConvertFrameworksToSummaryDetails initialize the summary details for the report object
-func ConvertFrameworksToSummaryDetails(summaryDetails *reportsummary.SummaryDetails, frameworks []reporthandling.Framework) {
+func ConvertFrameworksToSummaryDetails(summaryDetails *reportsummary.SummaryDetails, frameworks []reporthandling.Framework, policies *cautils.Policies) {
 	if summaryDetails.Controls == nil {
 		summaryDetails.Controls = make(map[string]reportsummary.ControlSummary)
 	}
@@ -22,17 +22,19 @@ func ConvertFrameworksToSummaryDetails(summaryDetails *reportsummary.SummaryDeta
 		controls := map[string]reportsummary.ControlSummary{}
 		for j := range frameworks[i].Controls {
 			id := frameworks[i].Controls[j].ControlID
-			c := reportsummary.ControlSummary{
-				Name:        frameworks[i].Controls[j].Name,
-				ControlID:   id,
-				ScoreFactor: frameworks[i].Controls[j].BaseScore,
-				Description: frameworks[i].Controls[j].Description,
-				Remediation: frameworks[i].Controls[j].Remediation,
+			if _, ok := policies.Controls[id]; ok {
+				c := reportsummary.ControlSummary{
+					Name:        frameworks[i].Controls[j].Name,
+					ControlID:   id,
+					ScoreFactor: frameworks[i].Controls[j].BaseScore,
+					Description: frameworks[i].Controls[j].Description,
+					Remediation: frameworks[i].Controls[j].Remediation,
+				}
+				controls[frameworks[i].Controls[j].ControlID] = c
+				summaryDetails.Controls[id] = c
 			}
-			controls[frameworks[i].Controls[j].ControlID] = c
-			summaryDetails.Controls[id] = c
 		}
-		if frameworks[i].Name != "" {
+		if cautils.StringInSlice(policies.Frameworks, frameworks[i].Name) != cautils.ValueNotFound {
 			summaryDetails.Frameworks = append(summaryDetails.Frameworks, reportsummary.FrameworkSummary{
 				Name:     frameworks[i].Name,
 				Controls: controls,

opaprocessor/utils_test.go

@@ -23,7 +23,8 @@ func TestInitializeSummaryDetails(t *testing.T) {
 
 	summaryDetails := reportsummary.SummaryDetails{}
 	frameworks := []reporthandling.Framework{*fw0, *fw1}
-	ConvertFrameworksToSummaryDetails(&summaryDetails, frameworks)
+	policies := ConvertFrameworksToPolicies([]reporthandling.Framework{*fw0, *fw1}, "")
+	ConvertFrameworksToSummaryDetails(&summaryDetails, frameworks, policies)
 	assert.Equal(t, 2, len(summaryDetails.Frameworks))
 	assert.Equal(t, 3, len(summaryDetails.Controls))
 }

policyhandler/handlepullpolicies.go

@@ -2,6 +2,7 @@ package policyhandler
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/opa-utils/reporthandling"
@@ -15,19 +16,19 @@ func (policyHandler *PolicyHandler) getPolicies(notification *reporthandling.Pol
 		return err
 	}
 	if len(frameworks) == 0 {
-		return fmt.Errorf("failed to download policies, please ARMO team for more information")
+		return fmt.Errorf("failed to download policies: '%s'. Make sure the policy exist and you spelled it correctly. For more information, please feel free to contact ARMO team", strings.Join(policyIdentifierToSlice(notification.Rules), ","))
 	}
 
 	policiesAndResources.Frameworks = frameworks
 
 	// get exceptions
-	exceptionPolicies, err := policyHandler.getters.ExceptionsGetter.GetExceptions(cautils.CustomerGUID, cautils.ClusterName)
+	exceptionPolicies, err := policyHandler.getters.ExceptionsGetter.GetExceptions(cautils.ClusterName)
 	if err == nil {
 		policiesAndResources.Exceptions = exceptionPolicies
 	}
 
 	// get account configuration
-	controlsInputs, err := policyHandler.getters.ControlsInputsGetter.GetControlsInputs(cautils.CustomerGUID, cautils.ClusterName)
+	controlsInputs, err := policyHandler.getters.ControlsInputsGetter.GetControlsInputs(cautils.ClusterName)
 	if err == nil {
 		policiesAndResources.RegoInputData.PostureControlInputs = controlsInputs
 	}
@@ -70,3 +71,11 @@ func (policyHandler *PolicyHandler) getScanPolicies(notification *reporthandling
 	}
 	return frameworks, nil
 }
+
+func policyIdentifierToSlice(rules []reporthandling.PolicyIdentifier) []string {
+	s := []string{}
+	for i := range rules {
+		s = append(s, fmt.Sprintf("%s: %s", rules[i].Kind, rules[i].Name))
+	}
+	return s
+}

resourcehandler/filesloader.go

@@ -213,7 +213,11 @@ func readYamlFile(yamlFile []byte) ([]workloadinterface.IMetadata, []error) {
 		}
 		if obj, ok := j.(map[string]interface{}); ok {
 			if o := objectsenvelopes.NewObject(obj); o != nil {
-				yamlObjs = append(yamlObjs, o)
+				if o.GetKind() == "List" {
+					yamlObjs = append(yamlObjs, handleListObject(o)...)
+				} else {
+					yamlObjs = append(yamlObjs, o)
+				}
 			}
 		} else {
 			errs = append(errs, fmt.Errorf("failed to convert yaml file to map[string]interface, file content: %v", j))
@@ -303,3 +307,20 @@ func getFileFormat(filePath string) FileFormat {
 		return FileFormat(filePath)
 	}
 }
+
+// handleListObject handle a List manifest
+func handleListObject(obj workloadinterface.IMetadata) []workloadinterface.IMetadata {
+	yamlObjs := []workloadinterface.IMetadata{}
+	if i, ok := workloadinterface.InspectMap(obj.GetObject(), "items"); ok && i != nil {
+		if items, ok := i.([]interface{}); ok && items != nil {
+			for item := range items {
+				if m, ok := items[item].(map[string]interface{}); ok && m != nil {
+					if o := objectsenvelopes.NewObject(m); o != nil {
+						yamlObjs = append(yamlObjs, o)
+					}
+				}
+			}
+		}
+	}
+	return yamlObjs
+}

resourcehandler/k8sresources.go

@@ -61,14 +61,14 @@ func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.F
 		return k8sResourcesMap, allResources, err
 	}
 	if err := k8sHandler.collectHostResources(allResources, k8sResourcesMap); err != nil {
-		return k8sResourcesMap, allResources, err
+		cautils.WarningDisplay(os.Stderr, "Warning: failed to collect host sensor resources\n")
 	}
 
 	if err := k8sHandler.collectRbacResources(allResources); err != nil {
-		cautils.WarningDisplay(os.Stdout, "Warning: failed to collect rbac resources\n")
+		cautils.WarningDisplay(os.Stderr, "Warning: failed to collect rbac resources\n")
 	}
 	if err := getCloudProviderDescription(allResources, k8sResourcesMap); err != nil {
-		cautils.WarningDisplay(os.Stdout, fmt.Sprintf("Warning: %v\n", err.Error()))
+		cautils.WarningDisplay(os.Stderr, fmt.Sprintf("Warning: %v\n", err.Error()))
 	}
 
 	cautils.StopSpinner()
@@ -105,7 +105,7 @@ func (k8sHandler *K8sResourceHandler) pullResources(k8sResources *cautils.K8SRes
 			continue
 		}
 		// store result as []map[string]interface{}
-		metaObjs := ConvertMapListToMeta(k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.FilterOutOwneredResources(result)))
+		metaObjs := ConvertMapListToMeta(k8sinterface.ConvertUnstructuredSliceToMap(result))
 		for i := range metaObjs {
 			allResources[metaObjs[i].GetID()] = metaObjs[i]
 		}

resultshandling/printer/printresults.go

@@ -20,9 +20,6 @@ type IPrinter interface {
 	ActionPrint(opaSessionObj *cautils.OPASessionObj)
 	SetWriter(outputFile string)
 	Score(score float32)
-
-	// FinalizeData convert 'opaSessionObj' data to be ready for printing/reporting
-	FinalizeData(opaSessionObj *cautils.OPASessionObj)
 }
 
 func GetWriter(outputFile string) *os.File {

resultshandling/printer/v1/jsonprinter.go

@@ -26,6 +26,8 @@ func (jsonPrinter *JsonPrinter) Score(score float32) {
 }
 
 func (jsonPrinter *JsonPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	cautils.ReportV2ToV1(opaSessionObj)
+
 	var postureReportStr []byte
 	var err error
 
@@ -41,6 +43,3 @@ func (jsonPrinter *JsonPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj
 	}
 	jsonPrinter.writer.Write(postureReportStr)
 }
-func (jsonPrinter *JsonPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	reportV2ToV1(opaSessionObj)
-}

resultshandling/printer/v1/junit.go

@@ -26,11 +26,9 @@ func (junitPrinter *JunitPrinter) Score(score float32) {
 	fmt.Fprintf(os.Stderr, "\nOverall risk-score (0- Excellent, 100- All failed): %d\n", int(score))
 }
 
-func (junitPrinter *JunitPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	reportV2ToV1(opaSessionObj)
-}
-
 func (junitPrinter *JunitPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	cautils.ReportV2ToV1(opaSessionObj)
+
 	junitResult, err := convertPostureReportToJunitResult(opaSessionObj.PostureReport)
 	if err != nil {
 		fmt.Println("Failed to convert posture report object!")

resultshandling/printer/v1/prettyprinter.go

@@ -31,6 +31,8 @@ func NewPrettyPrinter(verboseMode bool) *PrettyPrinter {
 }
 
 func (prettyPrinter *PrettyPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	cautils.ReportV2ToV1(opaSessionObj)
+
 	// score := calculatePostureScore(opaSessionObj.PostureReport)
 	failedResources := []string{}
 	warningResources := []string{}
@@ -67,18 +69,15 @@ func (prettyPrinter *PrettyPrinter) SetWriter(outputFile string) {
 	prettyPrinter.writer = printer.GetWriter(outputFile)
 }
 
-func (prettyPrinter *PrettyPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	reportV2ToV1(opaSessionObj)
-}
 func (prettyPrinter *PrettyPrinter) Score(score float32) {
 }
 
 func (prettyPrinter *PrettyPrinter) summarySetup(fr reporthandling.FrameworkReport, allResources map[string]workloadinterface.IMetadata) {
 
 	for _, cr := range fr.ControlReports {
-		if len(cr.RuleReports) == 0 {
-			continue
-		}
+		// if len(cr.RuleReports) == 0 {
+		// 	continue
+		// }
 		workloadsSummary := listResultSummary(cr.RuleReports, allResources)
 
 		var passedWorkloads map[string][]WorkloadSummary
@@ -248,7 +247,9 @@ func (prettyPrinter *PrettyPrinter) printSummaryTable(frameworksNames []string,
 
 func (prettyPrinter *PrettyPrinter) printFramework(frameworksNames []string, frameworkScores []float32) {
 	if len(frameworksNames) == 1 {
-		cautils.InfoTextDisplay(prettyPrinter.writer, fmt.Sprintf("FRAMEWORK %s\n", frameworksNames[0]))
+		if frameworksNames[0] != "" {
+			cautils.InfoTextDisplay(prettyPrinter.writer, fmt.Sprintf("FRAMEWORK %s\n", frameworksNames[0]))
+		}
 	} else if len(frameworksNames) > 1 {
 		p := "FRAMEWORKS: "
 		for i := 0; i < len(frameworksNames)-1; i++ {

resultshandling/printer/v1/printresults.go

@@ -1,6 +1,9 @@
 package v1
 
-import "github.com/armosec/kubescape/resultshandling/printer"
+import (
+	"github.com/armosec/kubescape/resultshandling/printer"
+	"github.com/armosec/kubescape/resultshandling/printer/v2/controlmapping"
+)
 
 var INDENT = "   "
 
@@ -13,6 +16,6 @@ func GetPrinter(printFormat string, verboseMode bool) printer.IPrinter {
 	case printer.PrometheusFormat:
 		return NewPrometheusPrinter(verboseMode)
 	default:
-		return NewPrettyPrinter(verboseMode)
+		return controlmapping.NewPrettyPrinter(verboseMode)
 	}
 }

resultshandling/printer/v1/prometheusprinter.go

@@ -29,10 +29,6 @@ func (prometheusPrinter *PrometheusPrinter) Score(score float32) {
 	fmt.Printf("\n# Overall risk-score (0- Excellent, 100- All failed)\nkubescape_score %d\n", int(score))
 }
 
-func (prometheusPrinter *PrometheusPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	reportV2ToV1(opaSessionObj)
-}
-
 func (printer *PrometheusPrinter) printResources(allResources map[string]workloadinterface.IMetadata, resourcesIDs *reporthandling.ResourcesIDs, frameworkName, controlName string) {
 	printer.printDetails(allResources, resourcesIDs.GetFailedResources(), frameworkName, controlName, "failed")
 	printer.printDetails(allResources, resourcesIDs.GetWarningResources(), frameworkName, controlName, "excluded")
@@ -90,6 +86,8 @@ func (printer *PrometheusPrinter) printReports(allResources map[string]workloadi
 }
 
 func (printer *PrometheusPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	cautils.ReportV2ToV1(opaSessionObj)
+
 	err := printer.printReports(opaSessionObj.AllResources, opaSessionObj.PostureReport.FrameworkReports)
 	if err != nil {
 		fmt.Println(err)

resultshandling/printer/v2/controlmapping/prettyprinter.go

@@ -0,0 +1,241 @@
+package controlmapping
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/resultshandling/printer"
+	"github.com/armosec/opa-utils/objectsenvelopes"
+	"github.com/armosec/opa-utils/reporthandling/apis"
+	"github.com/armosec/opa-utils/reporthandling/results/v1/reportsummary"
+	"github.com/enescakir/emoji"
+	"github.com/olekukonko/tablewriter"
+)
+
+type PrettyPrinter struct {
+	writer             *os.File
+	verboseMode        bool
+	sortedControlNames []string
+}
+
+func NewPrettyPrinter(verboseMode bool) *PrettyPrinter {
+	return &PrettyPrinter{
+		verboseMode: verboseMode,
+	}
+}
+
+func (prettyPrinter *PrettyPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	prettyPrinter.sortedControlNames = getSortedControlsNames(opaSessionObj.Report.SummaryDetails.Controls) // ListControls().All())
+
+	prettyPrinter.printResults(&opaSessionObj.Report.SummaryDetails.Controls, opaSessionObj.AllResources)
+	prettyPrinter.printSummaryTable(&opaSessionObj.Report.SummaryDetails)
+
+}
+
+func (prettyPrinter *PrettyPrinter) SetWriter(outputFile string) {
+	prettyPrinter.writer = printer.GetWriter(outputFile)
+}
+
+func (prettyPrinter *PrettyPrinter) Score(score float32) {
+}
+
+func (prettyPrinter *PrettyPrinter) printResults(controls *reportsummary.ControlSummaries, allResources map[string]workloadinterface.IMetadata) {
+	for i := 0; i < len(prettyPrinter.sortedControlNames); i++ {
+
+		controlSummary := controls.GetControl(reportsummary.EControlCriteriaName, prettyPrinter.sortedControlNames[i]) //  summaryDetails.Controls ListControls().All() Controls.GetControl(ca)
+		prettyPrinter.printTitle(controlSummary)
+		prettyPrinter.printResources(controlSummary, allResources)
+
+		if controlSummary.GetStatus().IsSkipped() {
+			prettyPrinter.printSummary(prettyPrinter.sortedControlNames[i], controlSummary)
+		}
+	}
+}
+
+func (prettyPrinter *PrettyPrinter) printSummary(controlName string, controlSummary reportsummary.IControlSummary) {
+	cautils.SimpleDisplay(prettyPrinter.writer, "Summary - ")
+	cautils.SuccessDisplay(prettyPrinter.writer, "Passed:%v   ", controlSummary.NumberOfResources().Passed())
+	cautils.WarningDisplay(prettyPrinter.writer, "Excluded:%v   ", controlSummary.NumberOfResources().Excluded())
+	cautils.FailureDisplay(prettyPrinter.writer, "Failed:%v   ", controlSummary.NumberOfResources().Failed())
+	cautils.InfoDisplay(prettyPrinter.writer, "Total:%v\n", controlSummary.NumberOfResources().All())
+	if controlSummary.GetStatus().IsFailed() {
+		cautils.DescriptionDisplay(prettyPrinter.writer, "Remediation: %v\n", controlSummary.GetRemediation())
+	}
+	cautils.DescriptionDisplay(prettyPrinter.writer, "\n")
+
+}
+func (prettyPrinter *PrettyPrinter) printTitle(controlSummary reportsummary.IControlSummary) {
+	cautils.InfoDisplay(prettyPrinter.writer, "[control: %s - %s] ", controlSummary.GetName(), getControlURL(controlSummary.GetID()))
+	switch controlSummary.GetStatus().Status() {
+	case apis.StatusSkipped:
+		cautils.InfoDisplay(prettyPrinter.writer, "skipped %v\n", emoji.ConfusedFace)
+	case apis.StatusFailed:
+		cautils.FailureDisplay(prettyPrinter.writer, "failed %v\n", emoji.SadButRelievedFace)
+	case apis.StatusExcluded:
+		cautils.WarningDisplay(prettyPrinter.writer, "excluded %v\n", emoji.NeutralFace)
+	default:
+		cautils.SuccessDisplay(prettyPrinter.writer, "passed %v\n", emoji.ThumbsUp)
+	}
+	cautils.DescriptionDisplay(prettyPrinter.writer, "Description: %s\n", controlSummary.GetDescription())
+}
+func (prettyPrinter *PrettyPrinter) printResources(controlSummary reportsummary.IControlSummary, allResources map[string]workloadinterface.IMetadata) {
+
+	workloadsSummary := listResultSummary(controlSummary, allResources)
+
+	failedWorkloads := groupByNamespaceOrKind(workloadsSummary, workloadSummaryFailed)
+	excludedWorkloads := groupByNamespaceOrKind(workloadsSummary, workloadSummaryExclude)
+
+	var passedWorkloads map[string][]WorkloadSummary
+	if prettyPrinter.verboseMode {
+		passedWorkloads = groupByNamespaceOrKind(workloadsSummary, workloadSummaryPassed)
+	}
+	if len(failedWorkloads) > 0 {
+		cautils.FailureDisplay(prettyPrinter.writer, "Failed:\n")
+		prettyPrinter.printGroupedResources(failedWorkloads)
+	}
+	if len(excludedWorkloads) > 0 {
+		cautils.WarningDisplay(prettyPrinter.writer, "Excluded:\n")
+		prettyPrinter.printGroupedResources(excludedWorkloads)
+	}
+	if len(passedWorkloads) > 0 {
+		cautils.SuccessDisplay(prettyPrinter.writer, "Passed:\n")
+		prettyPrinter.printGroupedResources(passedWorkloads)
+	}
+
+}
+
+func (prettyPrinter *PrettyPrinter) printGroupedResources(workloads map[string][]WorkloadSummary) {
+	indent := "  "
+	for title, rsc := range workloads {
+		prettyPrinter.printGroupedResource(indent, title, rsc)
+	}
+}
+
+func (prettyPrinter *PrettyPrinter) printGroupedResource(indent string, title string, rsc []WorkloadSummary) {
+	preIndent := indent
+	if title != "" {
+		cautils.SimpleDisplay(prettyPrinter.writer, "%s%s\n", indent, title)
+		indent += indent
+	}
+
+	resources := []string{}
+	for r := range rsc {
+		relatedObjectsStr := generateRelatedObjectsStr(rsc[r]) // TODO -
+		resources = append(resources, fmt.Sprintf("%s%s - %s %s", indent, rsc[r].resource.GetKind(), rsc[r].resource.GetName(), relatedObjectsStr))
+	}
+
+	sort.Strings(resources)
+	for i := range resources {
+		cautils.SimpleDisplay(prettyPrinter.writer, resources[i]+"\n")
+	}
+
+	indent = preIndent
+}
+
+func generateRelatedObjectsStr(workload WorkloadSummary) string {
+	relatedStr := ""
+	if workload.resource.GetObjectType() == workloadinterface.TypeWorkloadObject {
+		relatedObjects := objectsenvelopes.NewRegoResponseVectorObject(workload.resource.GetObject()).GetRelatedObjects()
+		for i, related := range relatedObjects {
+			if ns := related.GetNamespace(); i == 0 && ns != "" {
+				relatedStr += fmt.Sprintf("Namespace - %s, ", ns)
+			}
+			relatedStr += fmt.Sprintf("%s - %s, ", related.GetKind(), related.GetName())
+		}
+	}
+	if relatedStr != "" {
+		relatedStr = fmt.Sprintf(" [%s]", relatedStr[:len(relatedStr)-2])
+	}
+	return relatedStr
+}
+
+func generateRow(controlSummary reportsummary.IControlSummary) []string {
+	row := []string{controlSummary.GetName()}
+	row = append(row, fmt.Sprintf("%d", controlSummary.NumberOfResources().Failed()))
+	row = append(row, fmt.Sprintf("%d", controlSummary.NumberOfResources().Excluded()))
+	row = append(row, fmt.Sprintf("%d", controlSummary.NumberOfResources().All()))
+
+	if !controlSummary.GetStatus().IsSkipped() {
+		row = append(row, fmt.Sprintf("%d", int(controlSummary.GetScore()))+"%")
+	} else {
+		row = append(row, "skipped")
+	}
+	return row
+}
+
+func generateHeader() []string {
+	return []string{"Control Name", "Failed Resources", "Excluded Resources", "All Resources", "% risk-score"}
+}
+
+func generateFooter(summaryDetails *reportsummary.SummaryDetails) []string {
+	// Control name | # failed resources | all resources | % success
+	row := []string{}
+	row = append(row, "Resource Summary") //fmt.Sprintf(""%d", numControlers"))
+	row = append(row, fmt.Sprintf("%d", summaryDetails.NumberOfResources().Failed()))
+	row = append(row, fmt.Sprintf("%d", summaryDetails.NumberOfResources().Excluded()))
+	row = append(row, fmt.Sprintf("%d", summaryDetails.NumberOfResources().All()))
+	row = append(row, fmt.Sprintf("%.2f%s", summaryDetails.Score, "%"))
+
+	return row
+}
+func (prettyPrinter *PrettyPrinter) printSummaryTable(summaryDetails *reportsummary.SummaryDetails) {
+	// For control scan framework will be nil
+	prettyPrinter.printFramework(summaryDetails.ListFrameworks().All())
+
+	summaryTable := tablewriter.NewWriter(prettyPrinter.writer)
+	summaryTable.SetAutoWrapText(false)
+	summaryTable.SetHeader(generateHeader())
+	summaryTable.SetHeaderLine(true)
+	alignments := []int{tablewriter.ALIGN_LEFT, tablewriter.ALIGN_CENTER, tablewriter.ALIGN_CENTER, tablewriter.ALIGN_CENTER, tablewriter.ALIGN_CENTER}
+	summaryTable.SetColumnAlignment(alignments)
+
+	for i := 0; i < len(prettyPrinter.sortedControlNames); i++ {
+		summaryTable.Append(generateRow(summaryDetails.Controls.GetControl(reportsummary.EControlCriteriaName, prettyPrinter.sortedControlNames[i])))
+	}
+
+	summaryTable.SetFooter(generateFooter(summaryDetails))
+
+	// summaryTable.SetFooter(generateFooter())
+	summaryTable.Render()
+}
+
+func (prettyPrinter *PrettyPrinter) printFramework(frameworks []reportsummary.IPolicies) {
+	if len(frameworks) == 1 {
+		if frameworks[0].GetName() != "" {
+			cautils.InfoTextDisplay(prettyPrinter.writer, fmt.Sprintf("FRAMEWORK %s\n", frameworks[0].GetName()))
+		}
+	} else if len(frameworks) > 1 {
+		p := "FRAMEWORKS: "
+		i := 0
+		for ; i < len(frameworks)-1; i++ {
+			p += fmt.Sprintf("%s (risk: %.2f), ", frameworks[i].GetName(), frameworks[i].GetScore())
+		}
+		p += fmt.Sprintf("%s (risk: %.2f)\n", frameworks[i].GetName(), frameworks[i].GetScore())
+		cautils.InfoTextDisplay(prettyPrinter.writer, p)
+	}
+}
+func getSortedControlsNames(controls reportsummary.ControlSummaries) []string {
+	controlNames := make([]string, 0, len(controls))
+	for k := range controls {
+		c := controls[k]
+		controlNames = append(controlNames, c.GetName())
+	}
+	sort.Strings(controlNames)
+	return controlNames
+}
+
+// func getSortedControlsNames(controls []reportsummary.IPolicies) []string {
+// 	controlNames := make([]string, 0, len(controls))
+// 	for k := range controls {
+// 		controlNames = append(controlNames, controls[k].Get())
+// 	}
+// 	sort.Strings(controlNames)
+// 	return controlNames
+// }
+func getControlURL(controlID string) string {
+	return fmt.Sprintf("https://hub.armo.cloud/docs/%s", strings.ToLower(controlID))
+}

resultshandling/printer/v2/controlmapping/summeryhelpers.go

@@ -0,0 +1,101 @@
+package controlmapping
+
+import (
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/opa-utils/objectsenvelopes"
+	"github.com/armosec/opa-utils/reporthandling/apis"
+	"github.com/armosec/opa-utils/reporthandling/results/v1/reportsummary"
+)
+
+type WorkloadSummary struct {
+	resource workloadinterface.IMetadata
+	status   apis.ScanningStatus
+}
+
+func workloadSummaryFailed(workloadSummary *WorkloadSummary) bool {
+	return workloadSummary.status == apis.StatusFailed
+}
+
+func workloadSummaryExclude(workloadSummary *WorkloadSummary) bool {
+	return workloadSummary.status == apis.StatusExcluded
+}
+
+func workloadSummaryPassed(workloadSummary *WorkloadSummary) bool {
+	return workloadSummary.status == apis.StatusPassed
+}
+
+// Group workloads by namespace - return {"namespace": <[]WorkloadSummary>}
+func groupByNamespaceOrKind(resources []WorkloadSummary, status func(workloadSummary *WorkloadSummary) bool) map[string][]WorkloadSummary {
+	mapResources := make(map[string][]WorkloadSummary)
+	for i := range resources {
+		if !status(&resources[i]) {
+			continue
+		}
+		t := resources[i].resource.GetObjectType()
+		if t == objectsenvelopes.TypeRegoResponseVectorObject && !isKindToBeGrouped(resources[i].resource.GetKind()) {
+			t = workloadinterface.TypeWorkloadObject
+		}
+		switch t { // TODO - find a better way to defind the groups
+		case workloadinterface.TypeWorkloadObject:
+			ns := ""
+			if resources[i].resource.GetNamespace() != "" {
+				ns = "Namescape " + resources[i].resource.GetNamespace()
+			}
+			if r, ok := mapResources[ns]; ok {
+				r = append(r, resources[i])
+				mapResources[ns] = r
+			} else {
+				mapResources[ns] = []WorkloadSummary{resources[i]}
+			}
+		case objectsenvelopes.TypeRegoResponseVectorObject:
+			group := resources[i].resource.GetKind() + "s"
+			if r, ok := mapResources[group]; ok {
+				r = append(r, resources[i])
+				mapResources[group] = r
+			} else {
+				mapResources[group] = []WorkloadSummary{resources[i]}
+			}
+		default:
+			group, _ := k8sinterface.SplitApiVersion(resources[i].resource.GetApiVersion())
+			if r, ok := mapResources[group]; ok {
+				r = append(r, resources[i])
+				mapResources[group] = r
+			} else {
+				mapResources[group] = []WorkloadSummary{resources[i]}
+			}
+		}
+	}
+	return mapResources
+}
+
+func isKindToBeGrouped(kind string) bool {
+	if kind == "Group" || kind == "User" {
+		return true
+	}
+	return false
+}
+
+func listResultSummary(controlSummary reportsummary.IControlSummary, allResources map[string]workloadinterface.IMetadata) []WorkloadSummary {
+	workloadsSummary := []WorkloadSummary{}
+
+	workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, controlSummary.ListResourcesIDs().Failed(), apis.StatusFailed)...)
+	workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, controlSummary.ListResourcesIDs().Excluded(), apis.StatusExcluded)...)
+	workloadsSummary = append(workloadsSummary, newListWorkloadsSummary(allResources, controlSummary.ListResourcesIDs().Passed(), apis.StatusPassed)...)
+
+	return workloadsSummary
+}
+
+func newListWorkloadsSummary(allResources map[string]workloadinterface.IMetadata, resourcesIDs []string, status apis.ScanningStatus) []WorkloadSummary {
+	workloadsSummary := []WorkloadSummary{}
+
+	for _, i := range resourcesIDs {
+		if r, ok := allResources[i]; ok {
+			workloadsSummary = append(workloadsSummary, WorkloadSummary{
+				resource: r,
+				status:   status,
+			})
+		}
+	}
+	return workloadsSummary
+}

resultshandling/printer/v2/printresults.go

@@ -1,18 +1,21 @@
 package v2
 
-import "github.com/armosec/kubescape/resultshandling/printer"
+import (
+	"github.com/armosec/kubescape/resultshandling/printer"
+	"github.com/armosec/kubescape/resultshandling/printer/v2/resourcemapping"
+)
 
 var INDENT = "   "
 
 func GetPrinter(printFormat string, verboseMode bool) printer.IPrinter {
 	switch printFormat {
 	case printer.JsonFormat:
-		return NewJsonPrinter()
+		return resourcemapping.NewJsonPrinter()
 	case printer.JunitResultFormat:
 		return NewJunitPrinter()
 	// case printer.PrometheusFormat:
 	// 	return NewPrometheusPrinter(verboseMode)
 	default:
-		return NewPrettyPrinter(verboseMode)
+		return resourcemapping.NewPrettyPrinter(verboseMode)
 	}
 }

resultshandling/printer/v2/resourcemapping/jsonprinter.go

@@ -1,4 +1,4 @@
-package v2
+package resourcemapping
 
 import (
 	"encoding/json"
@@ -37,5 +37,5 @@ func (jsonPrinter *JsonPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj
 }
 
 func (jsonPrinter *JsonPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	finalizeReport(opaSessionObj)
+	// finalizeReport(opaSessionObj)
 }

resultshandling/printer/v2/resourcemapping/prettyprinter.go

@@ -1,4 +1,4 @@
-package v2
+package resourcemapping
 
 import (
 	"fmt"
@@ -89,7 +89,7 @@ func (prettyPrinter *PrettyPrinter) SetWriter(outputFile string) {
 }
 
 func (prettyPrinter *PrettyPrinter) FinalizeData(opaSessionObj *cautils.OPASessionObj) {
-	finalizeReport(opaSessionObj)
+	// finalizeReport(opaSessionObj)
 }
 func (prettyPrinter *PrettyPrinter) Score(score float32) {
 }

resultshandling/reporter/v1/reporteventreceiver.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 
 	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/kubescape/cautils"
@@ -23,6 +24,7 @@ type ReportEventReceiver struct {
 	eventReceiverURL   *url.URL
 	token              string
 	customerAdminEMail string
+	message            string
 }
 
 func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceiver {
@@ -36,16 +38,24 @@ func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceive
 }
 
 func (report *ReportEventReceiver) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {
+	cautils.ReportV2ToV1(opaSessionObj)
 
-	if report.customerGUID == "" || report.clusterName == "" {
-		return fmt.Errorf("missing accout ID or cluster name. AccountID: '%s', Cluster name: '%s'", report.customerGUID, report.clusterName)
+	if report.customerGUID == "" {
+		report.message = "WARNING: Failed to publish results. Reason: Unknown accout ID. Run kubescape with the '--account <account ID>' flag. Contact ARMO team for more details"
+		return nil
 	}
+	if report.clusterName == "" {
+		report.message = "WARNING: Failed to publish results. Reason: Unknown cluster name. Run kubescape with the '--cluster <cluster name>' flag"
+		return nil
+	}
+
 	opaSessionObj.PostureReport.ReportID = uuid.NewV4().String()
 	opaSessionObj.PostureReport.CustomerGUID = report.clusterName
 	opaSessionObj.PostureReport.ClusterName = report.customerGUID
 
 	if err := report.prepareReport(opaSessionObj.PostureReport, opaSessionObj.AllResources); err != nil {
-		return err
+		report.message = err.Error()
+		return nil
 	}
 	return nil
 }
@@ -74,6 +84,8 @@ func (report *ReportEventReceiver) prepareReport(postureReport *reporthandling.P
 	if err := report.sendResources(host, postureReport, allResources); err != nil {
 		return err
 	}
+	report.generateMessage()
+
 	return nil
 }
 
@@ -119,7 +131,7 @@ func (report *ReportEventReceiver) sendReport(host string, postureReport *report
 	return err
 }
 
-func (report *ReportEventReceiver) DisplayReportURL() {
+func (report *ReportEventReceiver) generateMessage() {
 	message := "You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here:"
 
 	u := url.URL{}
@@ -127,7 +139,7 @@ func (report *ReportEventReceiver) DisplayReportURL() {
 	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
 
 	if report.customerAdminEMail != "" {
-		cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s %s/risk/%s\n(Account: %s)\n\n", message, u.String(), report.clusterName, report.customerGUID))
+		report.message = fmt.Sprintf("%s %s/risk/%s\n(Account: %s)", message, u.String(), report.clusterName, maskID(report.customerGUID))
 		return
 	}
 	u.Path = "account/sign-up"
@@ -136,5 +148,27 @@ func (report *ReportEventReceiver) DisplayReportURL() {
 	q.Add("customerGUID", report.customerGUID)
 
 	u.RawQuery = q.Encode()
-	cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s %s\n\n", message, u.String()))
+	report.message = fmt.Sprintf("%s %s", message, u.String())
+}
+
+func (report *ReportEventReceiver) DisplayReportURL() {
+	cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s\n\n", report.message))
+}
+
+func maskID(id string) string {
+	sep := "-"
+	splitted := strings.Split(id, sep)
+	if len(splitted) != 5 {
+		return ""
+	}
+	str := splitted[0][:4]
+	splitted[0] = splitted[0][4:]
+	for i := range splitted {
+		for j := 0; j < len(splitted[i]); j++ {
+			str += "X"
+		}
+		str += sep
+	}
+
+	return strings.TrimSuffix(str, sep)
 }

resultshandling/reporter/v2/reporteventreceiver.go

@@ -24,6 +24,7 @@ type ReportEventReceiver struct {
 	eventReceiverURL   *url.URL
 	token              string
 	customerAdminEMail string
+	message            string
 }
 
 func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceiver {
@@ -37,16 +38,22 @@ func NewReportEventReceiver(tenantConfig *cautils.ConfigObj) *ReportEventReceive
 }
 
 func (report *ReportEventReceiver) ActionSendReport(opaSessionObj *cautils.OPASessionObj) error {
+	finalizeReport(opaSessionObj)
 
-	if report.customerGUID == "" || report.clusterName == "" {
-		return fmt.Errorf("missing accout ID or cluster name. AccountID: '%s', Cluster name: '%s'", report.customerGUID, report.clusterName)
+	if report.customerGUID == "" {
+		report.message = "WARNING: Failed to publish results. Reason: Unknown accout ID. Run kubescape with the '--account <account ID>' flag. Contact ARMO team for more details"
+		return nil
+	}
+	if report.clusterName == "" {
+		report.message = "WARNING: Failed to publish results. Reason: Unknown cluster name. Run kubescape with the '--cluster <cluster name>' flag"
+		return nil
 	}
 	opaSessionObj.Report.ReportID = uuid.NewV4().String()
 	opaSessionObj.Report.CustomerGUID = report.clusterName
 	opaSessionObj.Report.ClusterName = report.customerGUID
 
 	if err := report.prepareReport(opaSessionObj.Report); err != nil {
-		return err
+		report.message = err.Error()
 	}
 	return nil
 }
@@ -159,7 +166,7 @@ func (report *ReportEventReceiver) sendReport(host string, postureReport *report
 	return err
 }
 
-func (report *ReportEventReceiver) DisplayReportURL() {
+func (report *ReportEventReceiver) generateMessage() {
 	message := "You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here:"
 
 	u := url.URL{}
@@ -167,7 +174,7 @@ func (report *ReportEventReceiver) DisplayReportURL() {
 	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
 
 	if report.customerAdminEMail != "" {
-		cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s %s/risk/%s\n(Account: %s)\n\n", message, u.String(), report.clusterName, report.customerGUID))
+		report.message = fmt.Sprintf("%s %s/risk/%s\n(Account: %s)", message, u.String(), report.clusterName, maskID(report.customerGUID))
 		return
 	}
 	u.Path = "account/sign-up"
@@ -176,5 +183,9 @@ func (report *ReportEventReceiver) DisplayReportURL() {
 	q.Add("customerGUID", report.customerGUID)
 
 	u.RawQuery = q.Encode()
-	cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s %s\n\n", message, u.String()))
+	report.message = fmt.Sprintf("%s %s", message, u.String())
+}
+
+func (report *ReportEventReceiver) DisplayReportURL() {
+	cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n\n%s\n\n", report.message))
 }

resultshandling/reporter/v2/utils.go

@@ -0,0 +1,63 @@
+package v2
+
+import (
+	"strings"
+
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/opa-utils/reporthandling/results/v1/resourcesresults"
+	reporthandlingv2 "github.com/armosec/opa-utils/reporthandling/v2"
+)
+
+// finalizeV2Report finalize the results objects by copying data from map to lists
+func finalizeReport(opaSessionObj *cautils.OPASessionObj) {
+	opaSessionObj.PostureReport = nil
+	if len(opaSessionObj.Report.Results) == 0 {
+		opaSessionObj.Report.Results = make([]resourcesresults.Result, len(opaSessionObj.ResourcesResult))
+		finalizeResults(opaSessionObj.Report.Results, opaSessionObj.ResourcesResult)
+		opaSessionObj.ResourcesResult = nil
+	}
+
+	if len(opaSessionObj.Report.Resources) == 0 {
+		opaSessionObj.Report.Resources = make([]reporthandlingv2.Resource, len(opaSessionObj.AllResources))
+		finalizeResources(opaSessionObj.Report.Resources, opaSessionObj.AllResources)
+		opaSessionObj.AllResources = nil
+	}
+
+}
+func finalizeResults(results []resourcesresults.Result, resourcesResult map[string]resourcesresults.Result) {
+	index := 0
+	for resourceID := range resourcesResult {
+		results[index] = resourcesResult[resourceID]
+		index++
+	}
+}
+
+func finalizeResources(resources []reporthandlingv2.Resource, allResources map[string]workloadinterface.IMetadata) {
+	index := 0
+	for resourceID := range allResources {
+		resources[index] = reporthandlingv2.Resource{
+			ResourceID: resourceID,
+			Object:     allResources[resourceID],
+		}
+		index++
+	}
+}
+
+func maskID(id string) string {
+	sep := "-"
+	splitted := strings.Split(id, sep)
+	if len(splitted) != 5 {
+		return ""
+	}
+	str := splitted[0][:4]
+	splitted[0] = splitted[0][4:]
+	for i := range splitted {
+		for j := 0; j < len(splitted[i]); j++ {
+			str += "X"
+		}
+		str += sep
+	}
+
+	return strings.TrimSuffix(str, sep)
+}

resultshandling/results.go

@@ -27,7 +27,6 @@ func (resultsHandler *ResultsHandler) HandleResults(scanInfo *cautils.ScanInfo)
 
 	opaSessionObj := <-*resultsHandler.opaSessionObj
 
-	resultsHandler.printerObj.FinalizeData(opaSessionObj)
 	resultsHandler.printerObj.ActionPrint(opaSessionObj)
 
 	if err := resultsHandler.reporterObj.ActionSendReport(opaSessionObj); err != nil {