Merge pull request #330 from armosec/dev

New kubescape major version

.github/workflows/build.yaml

@@ -16,8 +16,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v1.0.${{ github.run_number }}
-          release_name: Release v1.0.${{ github.run_number }}
+          tag_name: v2.0.${{ github.run_number }}
+          release_name: Release v2.0.${{ github.run_number }}
           draft: false
           prerelease: false
   build:
@@ -39,7 +39,7 @@ jobs:
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
           ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
@@ -48,7 +48,7 @@ jobs:
       
       - name: Smoke Testing
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
         run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
 
@@ -74,7 +74,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Set name
-        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
+        run: echo quay.io/armosec/kubescape:v2.0.${{ github.run_number }} > build_tag.txt
 
       - name: Build the Docker image
         run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}

.github/workflows/build_dev.yaml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
           ArmoERServer: report.euprod1.cyberarmorsoft.com
           ArmoWebsite: portal.armo.cloud
@@ -32,7 +32,7 @@ jobs:
       
       - name: Smoke Testing
         env:
-          RELEASE: v1.0.${{ github.run_number }}
+          RELEASE: v2.0.${{ github.run_number }}
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
         run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
 
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
+        run: echo quay.io/armosec/kubescape:dev-v2.0.${{ github.run_number }} > build_tag.txt
 
       - name: Build the Docker image
         run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}

.github/workflows/master_pr_checks.yaml

@@ -24,7 +24,7 @@ jobs:
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
           ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
@@ -33,7 +33,7 @@ jobs:
 
       - name: Smoke Testing
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
         run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
         

README.md

@@ -3,10 +3,10 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks:
-regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .  
-Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
-Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. 
+Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) , [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
+It became one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins’ precious time, effort, and resources.
+Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
 
 </br>
 
@@ -24,7 +24,7 @@ curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh |
 
 ## Run:
 ```
-kubescape scan --submit
+kubescape scan --submit --enable-host-scan
 ```
 
 <img src="docs/summary.png">
@@ -97,9 +97,11 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 | `-t`/`--fail-threshold`     | `100` (do not fail)         | fail command (return exit code 1) if result is above threshold                                                                                                                                                                                                                                                       | `0` -> `100`                                 |
 | `-f`/`--format`             | `pretty-printer`          | Output format                                                                                                                                                                                                                                                                                                        | `pretty-printer`/`json`/`junit`/`prometheus` |
 | `-o`/`--output`             | print to stdout           | Save scan result in file                                                                                                                                                                                                                                                                                             |                                              |
-| `--use-from`                |                           | Load local framework object from specified path. If not used will download latest                                                                                                                                                                                                                                    |                                              |
+| `--use-from`                |                           | Load local framework object from specified path. If not used will download latest                                                                                                                                                                                                                                    | 
+| `--use-artifacts-from`                |                           | Load artifacts (frameworks, control-config, exceptions) from local directory. If not used will download them                                                                                                                                                                                                                                    |                                              |
 | `--use-default`             | `false`                   | Load local framework object from default path. If not used will download latest                                                                                                                                                                                                                                      | `true`/`false`                               |
-| `--exceptions`              |                           | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal                                                                                                                                                                                               |                                              |
+| `--exceptions`              |                           | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal                                                                                                                                                                                               |  
+| `--controls-config`              |                           | Path to a controls-config obj. If not set will download controls-config from ARMO management portal                                                                                                                                                                                               |                                            |
 | `--submit`                  | `false`                   | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`                               |
 | `--keep-local`              | `false`                   | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results                                                                                                                                | `true`/`false`                               |
 | `--account`                 |                           | Armo portal account ID. Default will load account ID from configMap or config file                                                                                                                                                                                                                                   |                                              |
@@ -193,7 +195,7 @@ It is possible to run Kubescape offline!
 
 First download the framework and then scan with `--use-from` flag
 
-1. Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+1. Download and save in file, if file name not specified, will save in `~/.kubescape/<framework name>.json`
 ```
 kubescape download framework nsa --output nsa.json
 ```
@@ -204,6 +206,19 @@ kubescape scan framework nsa --use-from nsa.json
 ```
 
 
+
+You can also download all artifacts to a local path and then load them using `--use-artifacts-from` flag
+
+1. Download and save in local directory, if path not specified, will save all in `~/.kubescape`
+```
+kubescape download artifacts --output path/to/local/dir
+```
+
+2. Scan using the downloaded artifacts
+```
+kubescape scan framework nsa --use-artifacts-from path/to/local/dir
+```
+
 ## Scan Periodically using Helm - Contributed by [@yonahd](https://github.com/yonahd)  
  
 You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
@@ -267,7 +282,7 @@ go build -o kubescape .
 
 3. Run
 ```
-./kubescape scan framework nsa
+./kubescape scan --submit --enable-host-scan
 ```
 
 4. Enjoy :zany_face:

cautils/getter/loadpolicy.go

@@ -85,8 +85,19 @@ func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
 }
 
 func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
-	// TODO - Support
-	return []string{}, fmt.Errorf("loading frameworks list from file is not supported")
+	fwNames := []string{}
+	framework := &reporthandling.Framework{}
+	for _, f := range lp.filePaths {
+		file, err := os.ReadFile(f)
+		if err == nil {
+			if err := json.Unmarshal(file, framework); err == nil {
+				if !contains(fwNames, framework.Name) {
+					fwNames = append(fwNames, framework.Name)
+				}
+			}
+		}
+	}
+	return fwNames, nil
 }
 
 func (lp *LoadPolicy) ListControls(listType ListType) ([]string, error) {
@@ -114,7 +125,7 @@ func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string
 		return nil, err
 	}
 
-	if err = json.Unmarshal(f, &accountConfig); err == nil {
+	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
 		return accountConfig.Settings.PostureControlInputs, nil
 	}
 	return nil, err

cautils/scaninfo.go

@@ -1,16 +1,23 @@
 package cautils
 
 import (
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/opa-utils/reporthandling"
 )
 
 const (
-	ScanCluster    string = "cluster"
-	ScanLocalFiles string = "yaml"
+	ScanCluster                string = "cluster"
+	ScanLocalFiles             string = "yaml"
+	localControlInputsFilename string = "controls-inputs.json"
+	localExceptionsFilename    string = "exceptions.json"
 )
 
 type BoolPtrFlag struct {
@@ -52,6 +59,7 @@ type ScanInfo struct {
 	ControlsInputs     string      // Load file with inputs for controls
 	UseFrom            []string    // Load framework from local file (instead of download). Use when running offline
 	UseDefault         bool        // Load framework from cached file (instead of download). Use when running offline
+	UseArtifactsFrom   string      // Load artifacts from local path. Use when running offline
 	VerboseMode        bool        // Display all of the input resources and not only failed resources
 	Format             string      // Format results (table, json, junit ...)
 	Output             string      // Store results in an output file, Output file name
@@ -78,6 +86,39 @@ type Getters struct {
 func (scanInfo *ScanInfo) Init() {
 	scanInfo.setUseFrom()
 	scanInfo.setOutputFile()
+	scanInfo.setUseArtifactsFrom()
+}
+
+func (scanInfo *ScanInfo) setUseArtifactsFrom() {
+	if scanInfo.UseArtifactsFrom == "" {
+		return
+	}
+	// UseArtifactsFrom must be a path without a filename
+	dir, file := filepath.Split(scanInfo.UseArtifactsFrom)
+	if dir == "" {
+		scanInfo.UseArtifactsFrom = file
+	} else if strings.Contains(file, ".json") {
+		scanInfo.UseArtifactsFrom = dir
+	}
+	// set frameworks files
+	files, err := ioutil.ReadDir(scanInfo.UseArtifactsFrom)
+	if err != nil {
+		log.Fatal(err)
+	}
+	framework := &reporthandling.Framework{}
+	for _, f := range files {
+		filePath := filepath.Join(scanInfo.UseArtifactsFrom, f.Name())
+		file, err := os.ReadFile(filePath)
+		if err == nil {
+			if err := json.Unmarshal(file, framework); err == nil {
+				scanInfo.UseFrom = append(scanInfo.UseFrom, filepath.Join(scanInfo.UseArtifactsFrom, f.Name()))
+			}
+		}
+	}
+	// set config-inputs file
+	scanInfo.ControlsInputs = filepath.Join(scanInfo.UseArtifactsFrom, localControlInputsFilename)
+	// set exceptions
+	scanInfo.UseExceptions = filepath.Join(scanInfo.UseArtifactsFrom, localExceptionsFilename)
 }
 
 func (scanInfo *ScanInfo) setUseExceptions() {

clihandler/clidownload.go

@@ -51,7 +51,7 @@ func setPathandFilename(downloadInfo *cautils.DownloadInfo) {
 		dir, file := filepath.Split(downloadInfo.Path)
 		if dir == "" {
 			downloadInfo.Path = file
-		} else {
+		} else if strings.Contains(file, ".json") {
 			downloadInfo.Path = dir
 			downloadInfo.FileName = file
 		}

clihandler/cmd/scan.go

@@ -42,9 +42,10 @@ func init() {
 	cobra.OnInitialize(frameworkInitConfig)
 
 	rootCmd.AddCommand(scanCmd)
-	rootCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "--kube-context", "", "", "Kube context. Default will use the current-context")
+	rootCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
 	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"/"prometheus"`)

examples/cloud-vendor-integration/aws.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# AWS
+# Attach the Kubescape service account to an AWS IAM role with the described cluster permission
+
+# Prerequisites:
+# eksctl, awscli v2
+
+# Set environment variables
+echo 'Set environment variables'
+export kubescape_namespace=armo-system
+export kubescape_serviceaccount=armo-kubescape-service-account
+
+# Get current context
+echo 'Get current context'
+export context=$(kubectl config current-context)
+
+# Get cluster arn
+echo 'Get cluster arn'
+export cluster_arn=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$context\")].context.cluster}")
+
+# Get cluster name
+echo 'Get cluster name'
+export cluster_name=$(echo "$cluster_arn" | awk -F'/' '{print $NF}')
+
+# Get cluster region
+echo 'Get cluster region'
+export cluster_region=$(echo "$cluster_arn" | awk -F':' '{print $4}')
+
+# First step, Create IAM OIDC provider for the cluster (Not required if the third step runs as is):
+echo 'Create IAM OIDC provider for the cluster'
+eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
+
+# Second step, Create a policy and service account role:
+# Create a kubescape policy
+echo 'Create a kubescape policy'
+export kubescape_policy_arn=$(aws iam create-policy \
+                --output yaml \
+                --query 'Policy.Arn' \
+    --policy-name kubescape \
+    --policy-document \
+"$(cat <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "eks:DescribeCluster",
+            "Resource": "$cluster_arn"
+        }
+    ]
+}
+EOF
+)")
+
+# Create Kubernetes Kubescape service account, and AWS IAM attachment role
+echo 'Create Kubernetes Kubescape service account, and AWS IAM attachment role'
+eksctl create iamserviceaccount \
+    --name $kubescape_serviceaccount \
+    --namespace $kubescape_namespace \
+    --cluster $cluster_name \
+    --attach-policy-arn $kubescape_policy_arn \
+    --approve \
+    --override-existing-serviceaccounts
+
+# Install/Upgrade Kubescape chart
+echo 'Install/Upgrade Kubescape chart'
+helm upgrade --install armo  armo-components/ -n armo-system --create-namespace --set clusterName=$cluster_name --set cloud_provider_engine=eks --set createKubescapeServiceAccount=false --set cloudRegion=$cluster_region

examples/cloud-vendor-integration/gcp.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# GCP
+# Attach the Kubescape service account to a GCP service account with the get cluster permission
+
+# Prerequisites:
+# gcloud
+# Workload Identity enabled on the cluster.
+# Node pool with --workload-metadata=GKE_METADATA where the pod can run. 
+# CLUSTER_NAME and CLUSTER_REGION environment variables.
+
+[ -z $CLUSTER_NAME ] && >&2 echo "Please set the CLUSTER_NAME environment variable" && exit 1
+[ -z $CLUSTER_REGION ] && >&2 echo "Please set the CLUSTER_REGION environment variable" && exit 1
+
+# Create GCP service account
+gcloud iam service-accounts create kubescape --display-name=kubescape
+
+# Set environment variables
+echo 'Set environment variables'
+export kubescape_namespace=armo-system
+export kubescape_serviceaccount=armo-kubescape-service-account
+
+# Get current GCP project
+echo 'Get current GCP project'
+export gcp_project=$(gcloud config get-value project)
+
+sleep 5
+# Get service account email
+echo 'Get service account email'
+export gcp_service_account=$(gcloud iam service-accounts list --filter="email ~ kubescape@" --format="value(email)")
+
+# Create custome cluster.get role
+echo 'Create custome cluster.get role'
+export custom_role_name=$(gcloud iam roles create kubescape --project=$gcp_project --title='Armo kubernetes' --description='Allow clusters.get to Kubernetes armo service account' --permissions=container.clusters.get --stage=GA  --format='value(name)')
+
+# Attach policies to the service account
+echo 'Attach policies to the service account'
+gcloud --quiet projects add-iam-policy-binding $gcp_project --member serviceAccount:$gcp_service_account --role $custom_role_name >/dev/null
+gcloud --quiet projects add-iam-policy-binding $gcp_project --member serviceAccount:$gcp_service_account --role roles/storage.objectViewer >/dev/null
+
+# If there are missing permissions, use this role instead
+# gcloud --quiet projects add-iam-policy-binding $gcp_project --member serviceAccount:$gcp_service_account --role roles/container.clusterViewer
+
+# Bind the GCP kubescape service account to kubescape kubernetes service account
+gcloud iam service-accounts add-iam-policy-binding $gcp_service_account --role roles/iam.workloadIdentityUser --member "serviceAccount:${gcp_project}.svc.id.goog[${kubescape_namespace}/${kubescape_serviceaccount}]"
+
+# Install/Upgrade Kubescape chart
+echo 'Install/Upgrade Kubescape chart'
+helm upgrade --install armo  armo-components/ -n armo-system --create-namespace --set cloud_provider_engine=gke --set gke_service_account=$gcp_service_account --set cloudRegion=$CLUSTER_REGION --set clusterName=$CLUSTER_NAME --set gkeProject=$gcp_project

go.mod

@@ -5,7 +5,7 @@ go 1.17
 require (
 	github.com/armosec/armoapi-go v0.0.41
 	github.com/armosec/k8s-interface v0.0.56
-	github.com/armosec/opa-utils v0.0.97
+	github.com/armosec/opa-utils v0.0.99
 	github.com/armosec/rbac-utils v0.0.12
 	github.com/armosec/utils-go v0.0.3
 	github.com/briandowns/spinner v1.18.0
@@ -19,6 +19,7 @@ require (
 	github.com/satori/go.uuid v1.2.0
 	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
+	go.uber.org/zap v1.19.1
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
@@ -77,7 +78,6 @@ require (
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.19.1 // indirect
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect
 	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect

go.sum

@@ -95,8 +95,8 @@ github.com/armosec/k8s-interface v0.0.50/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2
 github.com/armosec/k8s-interface v0.0.56 h1:7dOgc3qZaI7ReLRZcJa2JZKk0rliyYi05l1vuHc6gcE=
 github.com/armosec/k8s-interface v0.0.56/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.97 h1:KPjRZdsAC9EObo17QxiW+s5KWmF6vNFu+VQSOgFv5uk=
-github.com/armosec/opa-utils v0.0.97/go.mod h1:BNTjeianyXlflJMz3bZM0GimBWqmzirUf1whWR6Os04=
+github.com/armosec/opa-utils v0.0.99 h1:ZuoIPg6vbgO4J09xJZDO/yIRD59odwmK2Bm55uTvkU8=
+github.com/armosec/opa-utils v0.0.99/go.mod h1:BNTjeianyXlflJMz3bZM0GimBWqmzirUf1whWR6Os04=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.12 h1:uJpMGDyLAX129PrKHp6NPNB6lVRhE0OZIwV6ywzSDrs=
 github.com/armosec/rbac-utils v0.0.12/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=

opaprocessor/processorhandler.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/armosec/kubescape/cautils"
+	ksscore "github.com/armosec/kubescape/score"
 	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/armosec/opa-utils/reporthandling/apis"
@@ -71,6 +72,9 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
 		// edit results
 		opap.updateResults()
 
+		//TODO: review this location
+		scorewrapper := ksscore.NewScoreWrapper(opaSessionObj)
+		scorewrapper.Calculate(ksscore.EPostureReportV2)
 		// report
 		*opaHandler.reportResults <- opaSessionObj
 	}

resourcehandler/cloudproviderhandler.go

@@ -2,6 +2,7 @@ package resourcehandler
 
 import (
 	"os"
+	"strings"
 
 	"github.com/armosec/k8s-interface/cloudsupport"
 	"github.com/armosec/k8s-interface/k8sinterface"
@@ -22,32 +23,24 @@ type ICloudProvider interface {
 }
 
 func initCloudProvider() ICloudProvider {
-	var provider string
-	if isEnvVars() {
-		provider = getCloudProviderFromEnvVar()
-		switch provider {
-		case "gke":
-			return NewGKEProviderEnvVar()
-		case "eks":
-			return NewEKSProviderEnvVar()
-		}
-	} else {
-		provider = getCloudProviderFromContext()
-		switch provider {
-		case "gke":
-			return NewGKEProviderContext()
-		case "eks":
-			return NewEKSProviderContext()
-		}
+
+	switch getCloudProvider() {
+	case "gke", "gcp":
+		return NewGKEProviderContext()
+	case "eks", "aws":
+		return NewEKSProviderContext()
 	}
 	return NewEmptyCloudProvider()
 }
 
 func getCloudProvider() string {
+	var provider string
 	if isEnvVars() {
-		return getCloudProviderFromEnvVar()
+		provider = getCloudProviderFromEnvVar()
+	} else {
+		provider = getCloudProviderFromContext()
 	}
-	return getCloudProviderFromContext()
+	return strings.ToLower(provider)
 }
 
 func getCloudProviderFromContext() string {

resultshandling/reporter/v2/reporteventreceiver.go

@@ -82,12 +82,12 @@ func (report *ReportEventReceiver) prepareReport(postureReport *reporthandlingv2
 	if err := report.sendResources(host, postureReport, &reportCounter, false); err != nil {
 		return err
 	}
-	reportCounter++
+	// reportCounter++
 
-	// send results
-	if err := report.sendResults(host, postureReport, &reportCounter, true); err != nil {
-		return err
-	}
+	// // send results
+	// if err := report.sendResults(host, postureReport, &reportCounter, true); err != nil {
+	// 	return err
+	// }
 
 	return nil
 }
@@ -112,6 +112,7 @@ func (report *ReportEventReceiver) sendResources(host string, postureReport *rep
 
 			// delete resources
 			splittedPostureReport.Resources = []reporthandling.Resource{}
+			splittedPostureReport.Results = []resourcesresults.Result{}
 
 			// restart counter
 			counter = 0
@@ -121,20 +122,13 @@ func (report *ReportEventReceiver) sendResources(host string, postureReport *rep
 		splittedPostureReport.Resources = append(splittedPostureReport.Resources, v)
 	}
 
-	return report.sendReport(host, splittedPostureReport, *reportCounter, isLastReport)
-}
-
-func (report *ReportEventReceiver) sendResults(host string, postureReport *reporthandlingv2.PostureReport, reportCounter *int, isLastReport bool) error {
-	splittedPostureReport := setSubReport(postureReport)
-	counter := 0
-
 	for _, v := range postureReport.Results {
 		r, err := json.Marshal(v)
 		if err != nil {
 			return fmt.Errorf("failed to unmarshal resource '%s', reason: %v", v.GetResourceID(), err)
 		}
 
-		if counter+len(r) >= MAX_REPORT_SIZE && len(splittedPostureReport.Resources) > 0 {
+		if counter+len(r) >= MAX_REPORT_SIZE && len(splittedPostureReport.Results) > 0 {
 
 			// send report
 			if err := report.sendReport(host, splittedPostureReport, *reportCounter, false); err != nil {
@@ -144,6 +138,7 @@ func (report *ReportEventReceiver) sendResults(host string, postureReport *repor
 
 			// delete results
 			splittedPostureReport.Results = []resourcesresults.Result{}
+			splittedPostureReport.Resources = []reporthandling.Resource{}
 
 			// restart counter
 			counter = 0
@@ -153,9 +148,41 @@ func (report *ReportEventReceiver) sendResults(host string, postureReport *repor
 		splittedPostureReport.Results = append(splittedPostureReport.Results, v)
 	}
 
-	return report.sendReport(host, splittedPostureReport, *reportCounter, isLastReport)
+	return report.sendReport(host, splittedPostureReport, *reportCounter, true)
 }
 
+// func (report *ReportEventReceiver) sendResults(host string, postureReport *reporthandlingv2.PostureReport, reportCounter *int, isLastReport bool) error {
+// 	splittedPostureReport := setSubReport(postureReport)
+// 	counter := 0
+
+// 	for _, v := range postureReport.Results {
+// 		r, err := json.Marshal(v)
+// 		if err != nil {
+// 			return fmt.Errorf("failed to unmarshal resource '%s', reason: %v", v.GetResourceID(), err)
+// 		}
+
+// 		if counter+len(r) >= MAX_REPORT_SIZE && len(splittedPostureReport.Resources) > 0 {
+
+// 			// send report
+// 			if err := report.sendReport(host, splittedPostureReport, *reportCounter, false); err != nil {
+// 				return err
+// 			}
+// 			*reportCounter++
+
+// 			// delete results
+// 			splittedPostureReport.Results = []resourcesresults.Result{}
+
+// 			// restart counter
+// 			counter = 0
+// 		}
+
+// 		counter += len(r)
+// 		splittedPostureReport.Results = append(splittedPostureReport.Results, v)
+// 	}
+
+// 	return report.sendReport(host, splittedPostureReport, *reportCounter, isLastReport)
+// }
+
 func (report *ReportEventReceiver) sendReport(host string, postureReport *reporthandlingv2.PostureReport, counter int, isLastReport bool) error {
 	postureReport.PaginationInfo = reporthandlingv2.PaginationMarks{
 		ReportNumber: counter,

resultshandling/results.go

@@ -33,17 +33,7 @@ func (resultsHandler *ResultsHandler) HandleResults(scanInfo *cautils.ScanInfo)
 		fmt.Println(err)
 	}
 
-	// TODO - get score from table
-	var score float32 = 0
-	if opaSessionObj.PostureReport != nil {
-		for i := range opaSessionObj.PostureReport.FrameworkReports {
-			score += opaSessionObj.PostureReport.FrameworkReports[i].Score
-		}
-		score /= float32(len(opaSessionObj.PostureReport.FrameworkReports))
-		resultsHandler.printerObj.Score(score)
-	}
-
-	return score
+	return opaSessionObj.Report.SummaryDetails.Score
 }
 
 // CalculatePostureScore calculate final score

score/score.go

@@ -0,0 +1,43 @@
+package score
+
+import (
+	"fmt"
+
+	"github.com/armosec/opa-utils/score"
+
+	"github.com/armosec/kubescape/cautils"
+)
+
+/* provides a wrapper for scoreUtils, since there's no common interface between postureReportV1 and PostureReportV2
+and the need of concrete objects
+	I've decided to create scoreWrapper that will allow calculating score regardless (as long as opaSessionObj is there)
+*/
+type ScoreWrapper struct {
+	scoreUtil     *score.ScoreUtil
+	opaSessionObj *cautils.OPASessionObj
+}
+
+type PostureReportVersion string
+
+const (
+	EPostureReportV1 PostureReportVersion = "v1"
+	EPostureReportV2 PostureReportVersion = "V2"
+)
+
+func (su *ScoreWrapper) Calculate(reportVersion PostureReportVersion) error {
+	switch reportVersion {
+	case EPostureReportV1:
+		return su.scoreUtil.Calculate(su.opaSessionObj.PostureReport.FrameworkReports)
+	case EPostureReportV2:
+		return su.scoreUtil.CalculatePostureReportV2(su.opaSessionObj.Report)
+	}
+
+	return fmt.Errorf("unsupported score calculator")
+}
+
+func NewScoreWrapper(opaSessionObj *cautils.OPASessionObj) *ScoreWrapper {
+	return &ScoreWrapper{
+		scoreUtil:     score.NewScore(opaSessionObj.AllResources),
+		opaSessionObj: opaSessionObj,
+	}
+}

score/score_test.go

@@ -0,0 +1 @@
+package score