Merge pull request #169 from armosec/rotemamsa-patch-1

Delete backendconnectormethods.go

.github/workflows/build.yaml

@@ -2,11 +2,7 @@ name: build
 
 on:
   push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-    types: [ closed ]
-
+    branches: [ master ] 
 jobs:
   once:
     name: Create release
@@ -37,12 +33,21 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.17
+
+      - name: Test
+        run: go test -v ./...
 
       - name: Build
-        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s" -o build/${{ matrix.os }}/kubescape
+        env:
+          RELEASE: v1.0.${{ github.run_number }} 
+          ArmoBEServer: api.armo.cloud
+          ArmoERServer: report.armo.cloud
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
+        run: python3 --version && python3 build.py
       
-      - name: Upload Release Asset
+      - name: Upload Release binaries
         id: upload-release-asset
         uses: actions/upload-release-asset@v1
         env:

.github/workflows/build_dev.yaml

@@ -0,0 +1,40 @@
+name: build-dev
+
+on:
+  push:
+    branches: [ dev ]
+  pull_request:
+    branches: [ dev ]
+    types: [ closed ]
+jobs:
+  build:
+    name: Create cross-platform dev build
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+          
+      - name: Test
+        run: go test -v ./...
+
+      - name: Build
+        env:
+          RELEASE: v1.0.${{ github.run_number }} 
+          ArmoBEServer: api.armo.cloud
+          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
+        run: python3 --version && python3 build.py
+      
+      - name: Upload build artifacts 
+        uses: actions/upload-artifact@v2
+        with:
+          name: kubescape-${{ matrix.os }}
+          path: build/${{ matrix.os }}/kubescape 

.github/workflows/master_pr_checks.yaml

@@ -0,0 +1,38 @@
+name: master-pr
+
+on:
+  pull_request:
+    branches: [ master ]
+    types: [ edited, opened, synchronize, reopened ]
+jobs:
+  build:
+    name: Create cross-platform build
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Test
+        run: go test -v ./...
+
+      - name: Build
+        env:
+          RELEASE: v1.0.${{ github.run_number }} 
+          ArmoBEServer: api.armo.cloud
+          ArmoERServer: report.armo.cloud
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
+        run: python3 --version && python3 build.py
+
+      - name: Upload build artifacts 
+        uses: actions/upload-artifact@v2
+        with:
+          name: kubescape-${{ matrix.os }}
+          path: build/${{ matrix.os }}/kubescape 

.gitignore

@@ -1,4 +1,4 @@
 *.vs*
-*go.sum*
 *kubescape*
-*debug*
+*debug*
+.idea

CONTRIBUTING.md

@@ -0,0 +1,99 @@
+# Contributing
+
+First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+
+When contributing, we categorize contributions into two:
+* Small code changes or fixes, whose scope are limited to a single or two files
+* Complex features and improvements, whose are not limited
+
+If you have a small change, feel free to fire up a Pull Request.
+
+When planning a bigger change, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
+   build.
+2. Update the README.md with details of changes to the interface, this includes new environment 
+   variables, exposed ports, useful file locations and container parameters.
+3. We will merge the Pull Request in once you have the sign-off.
+
+## Code of Conduct
+
+### Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+### Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+We will distance those who are constantly adhere to unacceptable behavior.
+
+### Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+### Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+### Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+### Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -1,24 +1,25 @@
 <img src="docs/kubescape.png" width="300" alt="logo" align="center">
 
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
-[![Github All Releases](https://img.shields.io/github/downloads/armosec/kubescape/total.svg)](https://github.com/armosec/kubescape)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 
-Use Kubescape to test clusters or scan single YAML files and integrate it to your processes. 
+Use Kubescape to test clusters or scan single YAML files and integrate it to your processes.
 
 <img src="docs/demo.gif">
 
 # TL;DR
-## Install & Run
-
-### Install:
+## Install:
 ```
 curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
 ```
 
-### Run:
+[Install on windows](#install-on-windows)
+
+[Install on macOS](#install-on-macos)
+
+## Run:
 ```
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```
@@ -27,31 +28,78 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 
 <img src="docs/summary.png">
 
+### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀
+
+# Being part of the team
+
+We invite you to our team! We are excited about this project and want to return the love we get.
+
+Want to contribute? Want to discuss something? Have an issue?
+
+* Open a issue, we are trying to respond within 48 hours
+* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server!
+
+[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
+
+# Options and examples
+
+## Install on Windows
+
+**Requires powershell v5.0+**
+
+``` powershell
+iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
+```
+
+Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
+
+``` powershell
+Set-ExecutionPolicy RemoteSigned -scope CurrentUser
+```
+
+## Install on macOS
+
+1. ```
+    brew tap armosec/kubescape
+    ```
+2. ```
+    brew install kubescape
+    ```
+
+## Flags
+
+| flag |  default | description | options |
+| --- | --- | --- | --- |
+| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
+| `-s`/`--silent` | Display progress messages | Silent progress messages |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
+| `-o`/`--output` | print to stdout | Save scan result in file |
+| `--use-from` | | Load local framework object from specified path. If not used will download latest |
+| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--submit` | `false` | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`|
+| `--keep-local` | `false` | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results | `true`/`false`|
+| `--account` | | Armo portal account ID. Default will load account ID from configMap or config file | |
 
 ## Usage & Examples
 
-### Pre-Deployment Testing
-Check your YAML files before you're deploying, simply add them at the end of command line:
-```
-kubescape scan framework nsa *.yaml
-```
-
-### Integration with other tools
-
-Kubescape can produce output fitting for later processing:
-* JSON (`-f json`)
-* JUnit XML (`-f junit`)
-
 ### Examples
 
-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --submit
 ```
 
-* Scan local `yaml`/`json` files
+
+* Scan a running Kubernetes cluster with [`mitre`](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
 ```
-kubescape scan framework nsa examples/online-boutique/*
+kubescape scan framework mitre --exclude-namespaces kube-system,kube-public --submit
+```
+
+* Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
+```
+kubescape scan framework nsa *.yaml
 ```
 
 
@@ -70,30 +118,71 @@ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --form
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
 ```
 
+* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
+```
+kubescape scan framework nsa --exceptions examples/exceptions.json
+```
+
 ### Helm Support
 
-Render the helm template and pass as stdout
+* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
-helm template [CHART] [flags] --generate-name --dry-run | kubescape scan framework nsa -
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
 ```
 
 for example:
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
+### Offline Support
 
-# How to build 
+It is possible to run Kubescape offline!
 
-Note: development (and the release process) is done with Go `1.16`
+First download the framework and then scan with `--use-from` flag
+
+1. Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+```
+kubescape download framework nsa --output nsa.json
+```
+
+2. Scan using the downloaded framework
+```
+kubescape scan framework nsa --use-from nsa.json
+```
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+# How to build
+
+## Build using python (3.7^) script
+
+Kubescpae can be built using:
+
+``` sh
+python build.py
+```
+
+Note: In order to built using the above script, one must set the environment
+variables in this script:
+
++ RELEASE
++ ArmoBEServer
++ ArmoERServer
++ ArmoWebsite
+
+
+## Build using go
+
+Note: development (and the release process) is done with Go `1.17`
 
 1. Clone Project
 ```
-git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 ```
 
 2. Build
 ```
-go mod tidy && go build -o kubescape .
+go build -o kubescape .
 ```
 
 3. Run
@@ -103,19 +192,31 @@ go mod tidy && go build -o kubescape .
 
 4. Enjoy :zany_face:
 
+## How to build in Docker
+
+1. Clone Project
+```
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
+```
+
+2. Build
+```
+docker build -t kubescape -f build/Dockerfile .
+```
+
 # Under the hood
 
 ## Tests
 Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 * Non-root containers
-* Immutable container filesystem 
-* Privileged containers 
+* Immutable container filesystem
+* Privileged containers
 * hostPID, hostIPC privileges
 * hostNetwork access
 * allowedHostPaths field
 * Protecting pod service account tokens
 * Resource policies
-* Control plane hardening 
+* Control plane hardening
 * Exposed dashboard
 * Allow privilege escalation
 * Applications credentials in configuration files
@@ -126,16 +227,16 @@ Kubescape is running the following tests according to what is defined by [Kubern
 * Linux hardening
 * Ingress and Egress blocked
 * Container hostPort
-* Anonymous requests
+* Network policies
+* Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
+
 
 
 ## Technology
-Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls. 
+Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.
 
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/). 
+The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/).
 
 The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
 
 Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
-
-

build.py

@@ -0,0 +1,82 @@
+import os
+import sys
+import hashlib
+import platform
+import subprocess
+
+BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
+BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
+ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
+WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+
+def checkStatus(status, msg):
+    if status != 0:
+        sys.stderr.write(msg)
+        exit(status)
+
+
+def getBuildDir():
+    currentPlatform = platform.system()
+    buildDir = "build/"
+
+    if currentPlatform == "Windows": buildDir += "windows-latest"
+    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
+    elif currentPlatform == "Darwin": buildDir += "macos-latest"
+    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
+
+    return buildDir
+
+def getPackageName():
+    packageName = "kubescape"
+    # if platform.system() == "Windows": packageName += ".exe"
+
+    return packageName
+
+
+def main():
+    print("Building Kubescape")
+
+    # print environment variables
+    print(os.environ)
+
+    # Set some variables
+    packageName = getPackageName()
+    buildUrl = "github.com/armosec/kubescape/cmd.BuildNumber"
+    releaseVersion = os.getenv("RELEASE")
+    ArmoBEServer = os.getenv("ArmoBEServer")
+    ArmoERServer = os.getenv("ArmoERServer")
+    ArmoWebsite = os.getenv("ArmoWebsite")
+
+    # Create build directory
+    buildDir = getBuildDir()
+
+    if not os.path.isdir(buildDir):
+        os.makedirs(buildDir)
+
+    # Build kubescape
+    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
+        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
+           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
+    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
+    checkStatus(status, "Failed to build kubescape")
+    
+    test_cli_prints(buildDir,packageName)
+
+
+    sha1 = hashlib.sha1()
+    with open(buildDir + "/" + packageName, "rb") as kube:
+        sha1.update(kube.read())
+        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
+            kube_sha.write(sha1.hexdigest())
+
+    print("Build Done")
+
+def test_cli_prints(buildDir,packageName):
+    bin_cli = os.path.abspath(os.path.join(buildDir,packageName))
+
+    print(f"testing CLI prints on {bin_cli}")
+    status = str(subprocess.check_output([bin_cli, "-h"]))
+    assert "download" in status, "download is missing: " + status    
+
+if __name__ == "__main__":
+    main()

build/Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:1.17-alpine as builder
+ENV GOPROXY=https://goproxy.io,direct
+ENV GO111MODULE=on
+
+WORKDIR /work
+ADD . .
+RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o kubescape .
+
+FROM alpine
+COPY --from=builder /work/kubescape /usr/bin/kubescape
+
+# # Download the frameworks. Use the "--use-default" flag when running kubescape
+# RUN kubescape download framework nsa && kubescape download framework mitre
+
+CMD ["kubescape"]

cautils/apis/backendconnector.go

@@ -3,7 +3,7 @@ package apis
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 )
 
@@ -66,7 +66,7 @@ func BEHttpRequest(loginobj *LoginObject, beURL,
 		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

cautils/apis/backendconnectormethods.go

@@ -1,128 +0,0 @@
-package apis
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"strings"
-)
-
-func MakeBackendConnector(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) (*BackendConnector, error) {
-	if err := ValidateBEConnectorMakerInput(client, baseURL, loginDetails); err != nil {
-		return nil, err
-	}
-	conn := &BackendConnector{BaseURL: baseURL, Credentials: loginDetails, HTTPClient: client}
-	err := conn.Login()
-
-	return conn, err
-}
-
-func ValidateBEConnectorMakerInput(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) error {
-	if client == nil {
-		fmt.Errorf("You must provide an initialized httpclient")
-	}
-	if len(baseURL) == 0 {
-		return fmt.Errorf("you must provide a valid backend url")
-	}
-
-	if loginDetails == nil || (len(loginDetails.Email) == 0 && len(loginDetails.Password) == 0) {
-		return fmt.Errorf("you must provide valid login details")
-	}
-	return nil
-
-}
-
-func (r *BackendConnector) Login() error {
-	if !r.IsExpired() {
-		return nil
-	}
-
-	loginInfoBytes, err := json.Marshal(r.Credentials)
-	if err != nil {
-		return fmt.Errorf("unable to marshal credentials properly")
-	}
-
-	beURL := fmt.Sprintf("%v/%v", r.BaseURL, "login")
-
-	req, err := http.NewRequest("POST", beURL, bytes.NewReader(loginInfoBytes))
-	if err != nil {
-		return err
-	}
-
-	req.Header.Set("Referer", strings.Replace(beURL, "dashbe", "cpanel", 1))
-	resp, err := r.HTTPClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("unable to read login response")
-	}
-
-	loginS := &BELoginResponse{}
-	json.Unmarshal(body, &loginS)
-
-	loginS.Cookies = resp.Cookies()
-	r.BELoginResponse = loginS
-
-	return nil
-}
-
-func (r *BackendConnector) IsExpired() bool {
-	return r.BELoginResponse == nil || r.BELoginResponse.ToLoginObject().IsExpired()
-}
-
-func (r *BackendConnector) GetBaseURL() string {
-	return r.BaseURL
-}
-func (r *BackendConnector) GetLoginObj() *LoginObject {
-	return r.BELoginResponse.ToLoginObject()
-}
-func (r *BackendConnector) GetClient() *http.Client {
-	return r.HTTPClient
-}
-
-func (r *BackendConnector) HTTPSend(httpverb string,
-	endpoint string,
-	payload []byte,
-	f HTTPReqFunc,
-	qryData interface{}) ([]byte, error) {
-
-	beURL := fmt.Sprintf("%v/%v", r.GetBaseURL(), endpoint)
-	req, err := http.NewRequest(httpverb, beURL, bytes.NewReader(payload))
-	if err != nil {
-		return nil, err
-	}
-
-	if r.IsExpired() {
-		r.Login()
-	}
-
-	loginobj := r.GetLoginObj()
-	req.Header.Set("Authorization", loginobj.Authorization)
-	f(req, qryData)
-	q := req.URL.Query()
-	q.Set("customerGUID", loginobj.GUID)
-	req.URL.RawQuery = q.Encode()
-
-	for _, cookie := range loginobj.Cookies {
-		req.AddCookie(cookie)
-	}
-	resp, err := r.GetClient().Do(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		fmt.Printf("req:\n%v\nresp:%v\n", req, resp)
-		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}

cautils/apis/login.go

@@ -2,11 +2,10 @@ package apis
 
 import (
 	"bytes"
+	"io"
 	"net/http"
 	"time"
 
-	"io/ioutil"
-
 	oidc "github.com/coreos/go-oidc"
 	uuid "github.com/satori/go.uuid"
 
@@ -231,7 +230,7 @@ func BELogin(loginDetails *CustomerLoginDetails, login string, cfg string) (*BEL
 		return nil, err
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

cautils/apis/login_test.go

@@ -1,41 +0,0 @@
-package apis
-
-// func TestLogin2BE(t *testing.T) {
-
-// 	loginDetails := CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "***", CustomerName: "CyberArmorTests"}
-// 	res, err := BELogin(loginDetails, "login")
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-// 	k := res.ToLoginObject()
-
-// 	fmt.Printf("%v\n", k)
-
-// }
-
-// func TestGetMicroserviceOverview(t *testing.T) {
-// 	// client := &http.Client{}
-// 	loginDetails := CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "***", CustomerName: "CyberArmorTests"}
-// 	loginobj, err := BELogin(loginDetails, "login")
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-// 	k := loginobj.ToLoginObject()
-// 	beURL := GetBEInfo("")
-
-// 	res, err := BEHttpRequest(k, beURL,
-// 		"GET",
-// 		"v1/microservicesOverview",
-// 		nil,
-// 		BasicBEQuery,
-// 		k)
-
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-
-// 	s := string(res)
-
-// 	fmt.Printf("%v\n", s)
-
-// }

cautils/armotypes/executionpolicytypes.go

@@ -1,6 +1,6 @@
 package armotypes
 
-type EnforcmentsRule struct {
+type EnforcementsRule struct {
 	MonitoredObject          []string `json:"monitoredObject"`
 	MonitoredObjectExistence []string `json:"objectExistence"`
 	MonitoredObjectEvent     []string `json:"event"`
@@ -12,5 +12,5 @@ type ExecutionPolicy struct {
 	Designators               []PortalDesignator `json:"designators"`
 	PolicyType                string             `json:"policyType"`
 	CreationTime              string             `json:"creation_time"`
-	ExecutionEnforcmentsRules []EnforcmentsRule  `json:"enforcementRules"`
+	ExecutionEnforcementsRule []EnforcementsRule `json:"enforcementRules"`
 }

cautils/armotypes/portaltypes.go

@@ -1,5 +1,7 @@
 package armotypes
 
+import "strings"
+
 const (
 	CostumerGuidQuery   = "costumerGUID"
 	ClusterNameQuery    = "cluster"
@@ -22,6 +24,7 @@ type DesignatorType string
 // Supported designators
 const (
 	DesignatorAttributes DesignatorType = "Attributes"
+	DesignatorAttribute  DesignatorType = "Attribute" // Deprecated
 	/*
 		WorkloadID format.
 		k8s format: wlid://cluster-<cluster>/namespace-<namespace>/<kind>-<name>
@@ -41,10 +44,16 @@ const (
 	DesignatorSid           DesignatorType = "Sid" // secret id
 )
 
+func (dt DesignatorType) ToLower() DesignatorType {
+	return DesignatorType(strings.ToLower(string(dt)))
+}
+
 // attributes
 const (
 	AttributeCluster   = "cluster"
 	AttributeNamespace = "namespace"
+	AttributeKind      = "kind"
+	AttributeName      = "name"
 )
 
 // PortalDesignator represented single designation options

cautils/armotypes/portaltypesutils.go

@@ -1,24 +1,100 @@
 package armotypes
 
+import (
+	"github.com/armosec/kubescape/cautils/cautils"
+	"github.com/golang/glog"
+)
+
 var IgnoreLabels = []string{AttributeCluster, AttributeNamespace}
 
+func (designator *PortalDesignator) GetCluster() string {
+	cluster, _, _, _, _ := designator.DigestPortalDesignator()
+	return cluster
+}
+
+func (designator *PortalDesignator) GetNamespace() string {
+	_, namespace, _, _, _ := designator.DigestPortalDesignator()
+	return namespace
+}
+
+func (designator *PortalDesignator) GetKind() string {
+	_, _, kind, _, _ := designator.DigestPortalDesignator()
+	return kind
+}
+
+func (designator *PortalDesignator) GetName() string {
+	_, _, _, name, _ := designator.DigestPortalDesignator()
+	return name
+}
+func (designator *PortalDesignator) GetLabels() map[string]string {
+	_, _, _, _, labels := designator.DigestPortalDesignator()
+	return labels
+}
+
 // DigestPortalDesignator - get cluster namespace and labels from designator
+func (designator *PortalDesignator) DigestPortalDesignator() (string, string, string, string, map[string]string) {
+	switch designator.DesignatorType.ToLower() {
+	case DesignatorAttributes.ToLower(), DesignatorAttribute.ToLower():
+		return designator.DigestAttributesDesignator()
+	case DesignatorWlid.ToLower(), DesignatorWildWlid.ToLower():
+		return cautils.GetClusterFromWlid(designator.WLID), cautils.GetNamespaceFromWlid(designator.WLID), cautils.GetKindFromWlid(designator.WLID), cautils.GetNameFromWlid(designator.WLID), map[string]string{}
+	// case DesignatorSid: // TODO
+	default:
+		glog.Warningf("in 'digestPortalDesignator' designator type: '%v' not yet supported. please contact Armo team", designator.DesignatorType)
+	}
+	return "", "", "", "", nil
+}
+
+func (designator *PortalDesignator) DigestAttributesDesignator() (string, string, string, string, map[string]string) {
+	cluster := ""
+	namespace := ""
+	kind := ""
+	name := ""
+	labels := map[string]string{}
+	attributes := designator.Attributes
+	if attributes == nil {
+		return cluster, namespace, kind, name, labels
+	}
+	for k, v := range attributes {
+		labels[k] = v
+	}
+	if v, ok := attributes[AttributeNamespace]; ok {
+		namespace = v
+		delete(labels, AttributeNamespace)
+	}
+	if v, ok := attributes[AttributeCluster]; ok {
+		cluster = v
+		delete(labels, AttributeCluster)
+	}
+	if v, ok := attributes[AttributeKind]; ok {
+		kind = v
+		delete(labels, AttributeKind)
+	}
+	if v, ok := attributes[AttributeName]; ok {
+		name = v
+		delete(labels, AttributeName)
+	}
+	return cluster, namespace, kind, name, labels
+}
+
+// DigestPortalDesignator DEPRECATED. use designator.DigestPortalDesignator() - get cluster namespace and labels from designator
 func DigestPortalDesignator(designator *PortalDesignator) (string, string, map[string]string) {
 	switch designator.DesignatorType {
-	case DesignatorAttributes:
+	case DesignatorAttributes, DesignatorAttribute:
 		return DigestAttributesDesignator(designator.Attributes)
-	// case DesignatorWlid: TODO
-	// case DesignatorWildWlid: TODO
+	case DesignatorWlid, DesignatorWildWlid:
+		return cautils.GetClusterFromWlid(designator.WLID), cautils.GetNamespaceFromWlid(designator.WLID), map[string]string{}
+	// case DesignatorSid: // TODO
 	default:
+		glog.Warningf("in 'digestPortalDesignator' designator type: '%v' not yet supported. please contact Armo team", designator.DesignatorType)
 	}
 	return "", "", nil
 }
-
 func DigestAttributesDesignator(attributes map[string]string) (string, string, map[string]string) {
 	cluster := ""
 	namespace := ""
 	labels := map[string]string{}
-	if attributes == nil || len(attributes) == 0 {
+	if attributes == nil {
 		return cluster, namespace, labels
 	}
 	for k, v := range attributes {
@@ -32,5 +108,6 @@ func DigestAttributesDesignator(attributes map[string]string) (string, string, m
 		cluster = v
 		delete(labels, AttributeCluster)
 	}
+
 	return cluster, namespace, labels
 }

cautils/armotypes/postureexceptionpolicytypes.go

@@ -0,0 +1,42 @@
+package armotypes
+
+type PostureExceptionPolicyActions string
+
+const AlertOnly PostureExceptionPolicyActions = "alertOnly"
+const Disable PostureExceptionPolicyActions = "disable"
+
+type PostureExceptionPolicy struct {
+	PortalBase      `json:",inline"`
+	PolicyType      string                          `json:"policyType"`
+	CreationTime    string                          `json:"creationTime"`
+	Actions         []PostureExceptionPolicyActions `json:"actions"`
+	Resources       []PortalDesignator              `json:"resources"`
+	PosturePolicies []PosturePolicy                 `json:"posturePolicies"`
+}
+
+type PosturePolicy struct {
+	FrameworkName string `json:"frameworkName"`
+	ControlName   string `json:"controlName"`
+	RuleName      string `json:"ruleName"`
+}
+
+func (exceptionPolicy *PostureExceptionPolicy) IsAlertOnly() bool {
+	if exceptionPolicy.IsDisable() {
+		return false
+	}
+
+	for i := range exceptionPolicy.Actions {
+		if exceptionPolicy.Actions[i] == AlertOnly {
+			return true
+		}
+	}
+	return false
+}
+func (exceptionPolicy *PostureExceptionPolicy) IsDisable() bool {
+	for i := range exceptionPolicy.Actions {
+		if exceptionPolicy.Actions[i] == Disable {
+			return true
+		}
+	}
+	return false
+}

cautils/armotypes/postureexceptionpolicytypesutils.go

@@ -0,0 +1 @@
+package armotypes

cautils/cautils/armometadata.go

@@ -3,7 +3,6 @@ package cautils
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -154,7 +153,7 @@ func LoadConfig(configPath string, loadToEnv bool) (*ClusterConfig, error) {
 		configPath = "/etc/config/clusterData.json"
 	}
 
-	dat, err := ioutil.ReadFile(configPath)
+	dat, err := os.ReadFile(configPath)
 	if err != nil || len(dat) == 0 {
 		return nil, fmt.Errorf("Config empty or not found. path: %s", configPath)
 	}
@@ -191,7 +190,7 @@ func (clusterConfig *ClusterConfig) LoadConfigToEnv() {
 func SetEnv(key, value string) {
 	if e := os.Getenv(key); e == "" {
 		if err := os.Setenv(key, value); err != nil {
-			glog.Warning("%s: %s", key, err.Error())
+			glog.Warningf("%s: %s", key, err.Error())
 		}
 	}
 }

cautils/customerloader.go

@@ -0,0 +1,439 @@
+package cautils
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/getter"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	configMapName  = "kubescape"
+	configFileName = "config"
+)
+
+func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
+
+// ======================================================================================
+// =============================== Config structure =====================================
+// ======================================================================================
+
+type ConfigObj struct {
+	CustomerGUID       string `json:"customerGUID"`
+	Token              string `json:"invitationParam"`
+	CustomerAdminEMail string `json:"adminMail"`
+}
+
+func (co *ConfigObj) Json() []byte {
+	if b, err := json.Marshal(co); err == nil {
+		return b
+	}
+	return []byte{}
+}
+
+// ======================================================================================
+// =============================== interface ============================================
+// ======================================================================================
+type IClusterConfig interface {
+	// setters
+	SetCustomerGUID(customerGUID string) error
+
+	// getters
+	GetCustomerGUID() string
+	GetConfigObj() *ConfigObj
+	GetK8sAPI() *k8sinterface.KubernetesApi
+	GetBackendAPI() getter.IBackend
+	GetDefaultNS() string
+	GenerateURL()
+}
+
+// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
+func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
+	/*
+
+		If "First run (local config not found)" -
+			Default - Do not send report (local)
+			Local - Do not send report
+			Submit - Create tenant & Submit report
+
+		If "Submitted but not signed up" -
+			Default	- Delete local config & Do not send report (local)
+			Local - Delete local config & Do not send report
+			Submit - Submit report
+
+		If "Signed up user" -
+			Default	- Submit report (submit)
+			Local - Do not send report
+			Submit - Submit report
+
+	*/
+	clusterConfig := NewClusterConfig(k8s, beAPI)
+	clusterConfig.LoadConfig()
+
+	if !IsSubmitted(clusterConfig) {
+		if scanInfo.Submit {
+			return clusterConfig // submit - Create tenant & Submit report
+		}
+		return NewEmptyConfig() // local/default - Do not send report
+	}
+	if !IsRegistered(clusterConfig) {
+		if scanInfo.Submit {
+			return clusterConfig // submit/default - Submit report
+		}
+		DeleteConfig(k8s)
+		return NewEmptyConfig() // local - Delete local config & Do not send report
+	}
+	if scanInfo.Local {
+		return NewEmptyConfig() // local - Do not send report
+	}
+	return clusterConfig // submit/default -  Submit report
+}
+
+// ======================================================================================
+// ============================= Mock Config ============================================
+// ======================================================================================
+type EmptyConfig struct {
+}
+
+func NewEmptyConfig() *EmptyConfig                               { return &EmptyConfig{} }
+func (c *EmptyConfig) GetConfigObj() *ConfigObj                  { return &ConfigObj{} }
+func (c *EmptyConfig) SetCustomerGUID(customerGUID string) error { return nil }
+func (c *EmptyConfig) GetCustomerGUID() string                   { return "" }
+func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi    { return nil } // TODO: return mock obj
+func (c *EmptyConfig) GetDefaultNS() string                      { return k8sinterface.GetDefaultNamespace() }
+func (c *EmptyConfig) GetBackendAPI() getter.IBackend            { return nil } // TODO: return mock obj
+func (c *EmptyConfig) GenerateURL() {
+	message := fmt.Sprintf("You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here: https://%s", getter.GetArmoAPIConnector().GetFrontendURL())
+	InfoTextDisplay(os.Stdout, message+"\n")
+}
+
+// ======================================================================================
+// ========================== Cluster Config ============================================
+// ======================================================================================
+
+type ClusterConfig struct {
+	k8s        *k8sinterface.KubernetesApi
+	defaultNS  string
+	backendAPI getter.IBackend
+	configObj  *ConfigObj
+}
+
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
+	return &ClusterConfig{
+		k8s:        k8s,
+		backendAPI: backendAPI,
+		configObj:  &ConfigObj{},
+		defaultNS:  k8sinterface.GetDefaultNamespace(),
+	}
+}
+func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
+func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
+func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
+func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
+
+func (c *ClusterConfig) GenerateURL() {
+
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
+	if c.configObj == nil {
+		return
+	}
+	message := fmt.Sprintf("You can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more by registering here: %s", u.String())
+	if c.configObj.CustomerAdminEMail != "" {
+		InfoTextDisplay(os.Stdout, message+"\n")
+		return
+	}
+	u.Path = "account/sign-up"
+	q := u.Query()
+	q.Add("invitationToken", c.configObj.Token)
+	q.Add("customerGUID", c.configObj.CustomerGUID)
+
+	u.RawQuery = q.Encode()
+	InfoTextDisplay(os.Stdout, message+"\n")
+
+}
+
+func (c *ClusterConfig) GetCustomerGUID() string {
+	if c.configObj != nil {
+		return c.configObj.CustomerGUID
+	}
+	return ""
+}
+
+func (c *ClusterConfig) SetCustomerGUID(customerGUID string) error {
+
+	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
+		c.configObj.CustomerGUID = customerGUID // override config customerGUID
+	}
+
+	customerGUID = c.GetCustomerGUID()
+
+	// get from armoBE
+	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			c.configObj.CustomerAdminEMail = tenantResponse.AdminMail
+		} else {
+			c.configObj.Token = tenantResponse.Token
+			c.configObj.CustomerGUID = tenantResponse.TenantID
+		}
+	} else {
+		if err != nil && !strings.Contains(err.Error(), "already exists") {
+			return err
+		}
+	}
+
+	// update/create config
+	if c.existsConfigMap() {
+		c.updateConfigMap()
+	} else {
+		c.createConfigMap()
+	}
+	if existsConfigFile() {
+		c.updateConfigFile()
+	} else {
+		c.createConfigFile()
+	}
+
+	return nil
+}
+
+func (c *ClusterConfig) LoadConfig() {
+	// get from configMap
+	if c.existsConfigMap() {
+		c.configObj, _ = c.loadConfigFromConfigMap()
+	} else if existsConfigFile() { // get from file
+		c.configObj, _ = loadConfigFromFile()
+	} else {
+		c.configObj = &ConfigObj{}
+	}
+}
+
+func (c *ClusterConfig) ToMapString() map[string]interface{} {
+	m := map[string]interface{}{}
+	bc, _ := json.Marshal(c.configObj)
+	json.Unmarshal(bc, &m)
+	return m
+}
+func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
+	if c.k8s == nil {
+		return nil, nil
+	}
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	if bData, err := json.Marshal(configMap.Data); err == nil {
+		return readConfig(bData)
+	}
+	return nil, nil
+}
+
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	// TODO - check if has customerGUID
+	return err == nil
+}
+
+func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return "", err
+	}
+	if val, ok := configMap.Data[key]; ok {
+		return val, nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+}
+
+func GetValueFromConfigJson(key string) (string, error) {
+	data, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return "", err
+	}
+	var obj map[string]interface{}
+	if err := json.Unmarshal(data, &obj); err != nil {
+		return "", err
+	}
+	if val, ok := obj[key]; ok {
+		return fmt.Sprint(val), nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+
+}
+
+func SetKeyValueInConfigJson(key string, value string) error {
+	data, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return err
+	}
+	var obj map[string]interface{}
+	err = json.Unmarshal(data, &obj)
+
+	if err != nil {
+		return err
+	}
+	obj[key] = value
+	newData, err := json.Marshal(obj)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(ConfigFileFullPath(), newData, 0664)
+
+}
+
+func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	if err != nil {
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: configMapName,
+			},
+		}
+	}
+
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+
+	configMap.Data[key] = value
+
+	if err != nil {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+	} else {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	}
+
+	return err
+}
+
+func existsConfigFile() bool {
+	_, err := os.ReadFile(ConfigFileFullPath())
+	return err == nil
+}
+
+func (c *ClusterConfig) createConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: configMapName,
+		},
+	}
+	c.updateConfigData(configMap)
+
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+	return err
+}
+
+func (c *ClusterConfig) updateConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return err
+	}
+
+	c.updateConfigData(configMap)
+
+	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	return err
+}
+
+func (c *ClusterConfig) updateConfigFile() error {
+	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *ClusterConfig) createConfigFile() error {
+	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+	m := c.ToMapString()
+	for k, v := range m {
+		if s, ok := v.(string); ok {
+			configMap.Data[k] = s
+		}
+	}
+}
+func loadConfigFromFile() (*ConfigObj, error) {
+	dat, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return nil, err
+	}
+
+	return readConfig(dat)
+}
+func readConfig(dat []byte) (*ConfigObj, error) {
+
+	if len(dat) == 0 {
+		return nil, nil
+	}
+	configObj := &ConfigObj{}
+	err := json.Unmarshal(dat, configObj)
+
+	return configObj, err
+}
+
+// Check if the customer is submitted
+func IsSubmitted(clusterConfig *ClusterConfig) bool {
+	return clusterConfig.existsConfigMap() || existsConfigFile()
+}
+
+// Check if the customer is registered
+func IsRegistered(clusterConfig *ClusterConfig) bool {
+
+	// get from armoBE
+	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			return true
+		}
+	}
+	return false
+}
+
+func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
+	if err := DeleteConfigMap(k8s); err != nil {
+		return err
+	}
+	if err := DeleteConfigFile(); err != nil {
+		return err
+	}
+	return nil
+}
+func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
+	return k8s.KubernetesClient.CoreV1().ConfigMaps(k8sinterface.GetDefaultNamespace()).Delete(context.Background(), configMapName, metav1.DeleteOptions{})
+}
+
+func DeleteConfigFile() error {
+	return os.Remove(ConfigFileFullPath())
+}

cautils/datastructures.go

@@ -1,6 +1,7 @@
 package cautils
 
 import (
+	"github.com/armosec/kubescape/cautils/armotypes"
 	"github.com/armosec/kubescape/cautils/opapolicy"
 )
 
@@ -10,6 +11,7 @@ type K8SResources map[string]interface{}
 type OPASessionObj struct {
 	Frameworks    []opapolicy.Framework
 	K8SResources  *K8SResources
+	Exceptions    []armotypes.PostureExceptionPolicy
 	PostureReport *opapolicy.PostureReport
 }
 

cautils/display.go

@@ -21,10 +21,11 @@ func IsSilent() bool {
 }
 
 var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
+var WarningDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
 var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
 var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var InfoTextDisplay = color.New(color.Faint, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New(color.Bold, color.FgHiWhite).FprintfFunc()
+var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var SimpleDisplay = color.New().FprintfFunc()
 var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
 var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
 

cautils/downloadinfo.go

@@ -0,0 +1,6 @@
+package cautils
+
+type DownloadInfo struct {
+	Path          string
+	FrameworkName string
+}

cautils/getter/armoapi.go

@@ -0,0 +1,148 @@
+package getter
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+	"github.com/golang/glog"
+)
+
+// =======================================================================================================================
+// =============================================== ArmoAPI ===============================================================
+// =======================================================================================================================
+
+var (
+	// ATTENTION!!!
+	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
+	armoERURL = "report.armo.cloud"
+	armoBEURL = "api.armo.cloud"
+	armoFEURL = "portal.armo.cloud"
+
+	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
+	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
+	armoDevFEURL = "armoui.eudev3.cyberarmorsoft.com"
+)
+
+// Armo API for downloading policies
+type ArmoAPI struct {
+	httpClient *http.Client
+	apiURL     string
+	erURL      string
+	feURL      string
+}
+
+var globalArmoAPIConnecctor *ArmoAPI
+
+func SetARMOAPIConnector(armoAPI *ArmoAPI) {
+	globalArmoAPIConnecctor = armoAPI
+}
+
+func GetArmoAPIConnector() *ArmoAPI {
+	if globalArmoAPIConnecctor == nil {
+		glog.Error("returning nil API connector")
+	}
+	return globalArmoAPIConnecctor
+}
+
+func NewARMOAPIDev() *ArmoAPI {
+	apiObj := newArmoAPI()
+
+	apiObj.apiURL = armoDevBEURL
+	apiObj.erURL = armoDevERURL
+	apiObj.feURL = armoDevFEURL
+
+	return apiObj
+}
+
+func NewARMOAPIProd() *ArmoAPI {
+	apiObj := newArmoAPI()
+
+	apiObj.apiURL = armoBEURL
+	apiObj.erURL = armoERURL
+	apiObj.feURL = armoFEURL
+
+	return apiObj
+}
+
+func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
+	apiObj := newArmoAPI()
+
+	apiObj.erURL = armoERURL
+	apiObj.apiURL = armoBEURL
+	apiObj.feURL = armoFEURL
+
+	return apiObj
+}
+
+func newArmoAPI() *ArmoAPI {
+	return &ArmoAPI{
+		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
+	}
+}
+
+func (armoAPI *ArmoAPI) GetFrontendURL() string {
+	return armoAPI.feURL
+}
+
+func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
+	return armoAPI.erURL
+}
+
+func (armoAPI *ArmoAPI) GetFramework(name string) (*opapolicy.Framework, error) {
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
+	if err != nil {
+		return nil, err
+	}
+
+	framework := &opapolicy.Framework{}
+	if err = JSONDecoder(respStr).Decode(framework); err != nil {
+		return nil, err
+	}
+	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
+
+	return framework, err
+}
+
+func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions := []armotypes.PostureExceptionPolicy{}
+	if customerGUID == "" {
+		return exceptions, nil
+	}
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
+	if err != nil {
+		return nil, err
+	}
+
+	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
+		return nil, err
+	}
+
+	return exceptions, nil
+}
+
+func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
+	url := armoAPI.getCustomerURL()
+	if customerGUID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
+	}
+	respStr, err := HttpGetter(armoAPI.httpClient, url)
+	if err != nil {
+		return nil, err
+	}
+	tenant := &TenantResponse{}
+	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
+		return nil, err
+	}
+
+	return tenant, nil
+}
+
+type TenantResponse struct {
+	TenantID  string `json:"tenantId"`
+	Token     string `json:"token"`
+	Expires   string `json:"expires"`
+	AdminMail string `json:"adminMail,omitempty"`
+}

cautils/getter/armoapiutils.go

@@ -0,0 +1,44 @@
+package getter
+
+import (
+	"net/url"
+	"strings"
+)
+
+func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
+	q.Add("frameworkName", strings.ToUpper(frameworkName))
+	q.Add("getRules", "true")
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "api/v1/armoPostureExceptions"
+
+	q := u.Query()
+	q.Add("customerGUID", customerGUID)
+	// if clusterName != "" { // TODO - fix customer name support in Armo BE
+	// 	q.Add("clusterName", clusterName)
+	// }
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (armoAPI *ArmoAPI) getCustomerURL() string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "api/v1/createTenant"
+	return u.String()
+}

cautils/getter/downloadreleasedpolicy.go

@@ -0,0 +1,86 @@
+package getter
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+// =======================================================================================================================
+// ======================================== DownloadReleasedPolicy =======================================================
+// =======================================================================================================================
+
+// Download released version
+type DownloadReleasedPolicy struct {
+	hostURL    string
+	httpClient *http.Client
+}
+
+func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
+	return &DownloadReleasedPolicy{
+		hostURL:    "",
+		httpClient: &http.Client{Timeout: 61 * time.Second},
+	}
+}
+
+func (drp *DownloadReleasedPolicy) GetFramework(name string) (*opapolicy.Framework, error) {
+	if err := drp.setURL(name); err != nil {
+		return nil, err
+	}
+	respStr, err := HttpGetter(drp.httpClient, drp.hostURL)
+	if err != nil {
+		return nil, err
+	}
+
+	framework := &opapolicy.Framework{}
+	if err = JSONDecoder(respStr).Decode(framework); err != nil {
+		return framework, err
+	}
+
+	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
+	return framework, err
+}
+
+func (drp *DownloadReleasedPolicy) setURL(frameworkName string) error {
+
+	latestReleases := "https://api.github.com/repos/armosec/regolibrary/releases/latest"
+	resp, err := http.Get(latestReleases)
+	if err != nil {
+		return fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestReleases, err.Error())
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || 301 < resp.StatusCode {
+		return fmt.Errorf("failed to download file, status code: %s", resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read response body from '%s', reason: %s", latestReleases, err.Error())
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestReleases, err.Error())
+	}
+
+	if assets, ok := data["assets"].([]interface{}); ok {
+		for i := range assets {
+			if asset, ok := assets[i].(map[string]interface{}); ok {
+				if name, ok := asset["name"].(string); ok {
+					if name == frameworkName {
+						if url, ok := asset["browser_download_url"].(string); ok {
+							drp.hostURL = url
+							return nil
+						}
+					}
+				}
+			}
+		}
+	}
+	return fmt.Errorf("failed to download '%s' - not found", frameworkName)
+
+}

cautils/getter/getpolicies.go

@@ -0,0 +1,17 @@
+package getter
+
+import (
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+type IPolicyGetter interface {
+	GetFramework(name string) (*opapolicy.Framework, error)
+}
+
+type IExceptionsGetter interface {
+	GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+}
+type IBackend interface {
+	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
+}

cautils/getter/getpoliciesutils.go

@@ -0,0 +1,100 @@
+package getter
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+func GetDefaultPath(name string) string {
+	defaultfilePath := filepath.Join(DefaultLocalStore, name)
+	if homeDir, err := os.UserHomeDir(); err == nil {
+		defaultfilePath = filepath.Join(homeDir, defaultfilePath)
+	}
+	return defaultfilePath
+}
+
+func SaveFrameworkInFile(framework *opapolicy.Framework, pathStr string) error {
+	encodedData, err := json.Marshal(framework)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
+	if err != nil {
+		if os.IsNotExist(err) {
+			pathDir := path.Dir(pathStr)
+			if err := os.Mkdir(pathDir, 0744); err != nil {
+				return err
+			}
+		} else {
+			return err
+
+		}
+		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// JSONDecoder returns JSON decoder for given string
+func JSONDecoder(origin string) *json.Decoder {
+	dec := json.NewDecoder(strings.NewReader(origin))
+	dec.UseNumber()
+	return dec
+}
+
+func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
+
+	req, err := http.NewRequest("GET", fullURL, nil)
+	if err != nil {
+		return "", err
+	}
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
+func httpRespToString(resp *http.Response) (string, error) {
+	if resp == nil || resp.Body == nil {
+		return "", nil
+	}
+	strBuilder := strings.Builder{}
+	defer resp.Body.Close()
+	if resp.ContentLength > 0 {
+		strBuilder.Grow(int(resp.ContentLength))
+	}
+	bytesNum, err := io.Copy(&strBuilder, resp.Body)
+	respStr := strBuilder.String()
+	if err != nil {
+		respStrNewLen := len(respStr)
+		if respStrNewLen > 1024 {
+			respStrNewLen = 1024
+		}
+		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		respStrNewLen := len(respStr)
+		if respStrNewLen > 1024 {
+			respStrNewLen = 1024
+		}
+		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+	}
+
+	return respStr, err
+}

cautils/getter/loadpolicy.go

@@ -0,0 +1,54 @@
+package getter
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+// =======================================================================================================================
+// ============================================== LoadPolicy =============================================================
+// =======================================================================================================================
+const DefaultLocalStore = ".kubescape"
+
+// Load policies from a local repository
+type LoadPolicy struct {
+	filePath string
+}
+
+func NewLoadPolicy(filePath string) *LoadPolicy {
+	return &LoadPolicy{
+		filePath: filePath,
+	}
+}
+
+func (lp *LoadPolicy) GetFramework(frameworkName string) (*opapolicy.Framework, error) {
+
+	framework := &opapolicy.Framework{}
+	f, err := os.ReadFile(lp.filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(f, framework)
+	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
+		return nil, fmt.Errorf("framework from file not matching")
+	}
+	return framework, err
+}
+
+func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+
+	exception := []armotypes.PostureExceptionPolicy{}
+	f, err := os.ReadFile(lp.filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(f, &exception)
+	return exception, err
+}

cautils/jsonutils.go

@@ -0,0 +1,23 @@
+package cautils
+
+import (
+	"bytes"
+	"encoding/json"
+)
+
+const (
+	empty = ""
+	tab   = "  "
+)
+
+func PrettyJson(data interface{}) ([]byte, error) {
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent(empty, tab)
+
+	err := encoder.Encode(data)
+	if err != nil {
+		return nil, err
+	}
+	return buffer.Bytes(), nil
+}

cautils/k8sinterface/cloudvendorregistrycreds.go

@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -105,7 +105,7 @@ func getAzureAADAccessToken() (string, error) {
 	}
 
 	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
+	responseBytes, err := io.ReadAll(resp.Body)
 	defer resp.Body.Close()
 	if err != nil {
 		return "", fmt.Errorf("reading response body : %v", err)
@@ -173,7 +173,7 @@ func excahngeAzureAADAccessTokenForACRRefreshToken(registry, tenantID, azureAADA
 	}
 
 	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
+	responseBytes, err := io.ReadAll(resp.Body)
 	defer resp.Body.Close()
 	if err != nil {
 		return "", fmt.Errorf("reading response body : %v", err)

cautils/k8sinterface/k8sconfig.go

@@ -4,16 +4,20 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 
 	// DO NOT REMOVE - load cloud providers auth
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
+var ConnectedToCluster = true
+
 // K8SConfig pointer to k8s config
 var K8SConfig *restclient.Config
 
@@ -26,8 +30,15 @@ type KubernetesApi struct {
 
 // NewKubernetesApi -
 func NewKubernetesApi() *KubernetesApi {
+	var kubernetesClient *kubernetes.Clientset
+	var err error
 
-	kubernetesClient, err := kubernetes.NewForConfig(GetK8sConfig())
+	if !IsConnectedToCluster() {
+		fmt.Println(fmt.Errorf("failed to load kubernetes config: no configuration has been provided, try setting KUBECONFIG environment variable"))
+		os.Exit(1)
+	}
+
+	kubernetesClient, err = kubernetes.NewForConfig(GetK8sConfig())
 	if err != nil {
 		fmt.Printf("Failed to load config file, reason: %s", err.Error())
 		os.Exit(1)
@@ -52,23 +63,59 @@ var RunningIncluster bool
 func LoadK8sConfig() error {
 	kubeconfig, err := config.GetConfig()
 	if err != nil {
-		return fmt.Errorf("Failed to load kubernetes config: %s\n", err)
+		return fmt.Errorf("failed to load kubernetes config: %s", strings.ReplaceAll(err.Error(), "KUBERNETES_MASTER", "KUBECONFIG"))
 	}
 	if _, err := restclient.InClusterConfig(); err == nil {
 		RunningIncluster = true
 	}
+
 	K8SConfig = kubeconfig
 	return nil
 }
 
-// GetK8sConfig get config. load if not loaded yer
+// GetK8sConfig get config. load if not loaded yet
 func GetK8sConfig() *restclient.Config {
-	if K8SConfig == nil {
-		if err := LoadK8sConfig(); err != nil {
-			// print error
-			fmt.Printf("%s", err.Error())
-			os.Exit(1)
-		}
+	if !IsConnectedToCluster() {
+		return nil
 	}
 	return K8SConfig
 }
+
+func IsConnectedToCluster() bool {
+	if K8SConfig == nil {
+		if err := LoadK8sConfig(); err != nil {
+			ConnectedToCluster = false
+		}
+	}
+	return ConnectedToCluster
+}
+func GetClusterName() string {
+	if !ConnectedToCluster {
+		return ""
+	}
+
+	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{})
+	config, err := kubeConfig.RawConfig()
+	if err != nil {
+		return ""
+	}
+	// TODO - Handle if empty
+	return config.CurrentContext
+}
+
+func GetDefaultNamespace() string {
+	defaultNamespace := "default"
+	clientCfg, err := clientcmd.NewDefaultClientConfigLoadingRules().Load()
+	if err != nil {
+		return defaultNamespace
+	}
+	apiContext, ok := clientCfg.Contexts[clientCfg.CurrentContext]
+	if !ok || apiContext == nil {
+		return defaultNamespace
+	}
+	namespace := apiContext.Namespace
+	if apiContext.Namespace == "" {
+		namespace = defaultNamespace
+	}
+	return namespace
+}

cautils/k8sinterface/k8sdynamic_test.go

@@ -37,7 +37,7 @@ func NewKubernetesApiMock() *KubernetesApi {
 // 	} else {
 // 		bla, _ := json.Marshal(clientResource)
 // 		// t.Errorf("BearerToken: %v", *K8SConfig)
-// 		// ioutil.WriteFile("bla.json", bla, 777)
+// 		// os.WriteFile("bla.json", bla, 777)
 // 		t.Errorf("clientResource: %s", string(bla))
 // 	}
 // }

cautils/opapolicy/datastructures.go

@@ -1,7 +1,6 @@
 package opapolicy
 
 import (
-	"path/filepath"
 	"time"
 
 	armotypes "github.com/armosec/kubescape/cautils/armotypes"
@@ -17,14 +16,15 @@ const (
 
 // RegoResponse the expected response of single run of rego policy
 type RuleResponse struct {
-	AlertMessage string     `json:"alertMessage"`
-	PackageName  string     `json:"packagename"`
-	AlertScore   AlertScore `json:"alertScore"`
-	// AlertObject   AlertObject `json:"alertObject"`
-	AlertObject   AlertObject `json:"alertObject"` // TODO - replace interface to AlertObject
-	Context       []string    `json:"context"`     // TODO - Remove
-	Rulename      string      `json:"rulename"`    // TODO - Remove
-	ExceptionName string      `json:"exceptionName"`
+	AlertMessage  string                            `json:"alertMessage"`
+	RuleStatus    string                            `json:"ruleStatus"`
+	PackageName   string                            `json:"packagename"`
+	AlertScore    AlertScore                        `json:"alertScore"`
+	AlertObject   AlertObject                       `json:"alertObject"`
+	Context       []string                          `json:"context,omitempty"`       // TODO - Remove
+	Rulename      string                            `json:"rulename,omitempty"`      // TODO - Remove
+	ExceptionName string                            `json:"exceptionName,omitempty"` // Not in use
+	Exception     *armotypes.PostureExceptionPolicy `json:"exception,omitempty"`
 }
 
 type AlertObject struct {
@@ -33,19 +33,28 @@ type AlertObject struct {
 }
 
 type FrameworkReport struct {
-	Name           string          `json:"name"`
-	ControlReports []ControlReport `json:"controlReports"`
+	Name            string          `json:"name"`
+	ControlReports  []ControlReport `json:"controlReports"`
+	Score           float32         `json:"score,omitempty"`
+	ARMOImprovement float32         `json:"ARMOImprovement,omitempty"`
+	WCSScore        float32         `json:"wcsScore,omitempty"`
 }
 type ControlReport struct {
-	Name        string       `json:"name"`
-	RuleReports []RuleReport `json:"ruleReports"`
-	Remediation string       `json:"remediation"`
-	Description string       `json:"description"`
+	armotypes.PortalBase `json:",inline"`
+	Control_ID           string       `json:"id,omitempty"` // to be Deprecated
+	ControlID            string       `json:"controlID"`
+	Name                 string       `json:"name"`
+	RuleReports          []RuleReport `json:"ruleReports"`
+	Remediation          string       `json:"remediation"`
+	Description          string       `json:"description"`
+	Score                float32      `json:"score"`
+	BaseScore            float32      `json:"baseScore,omitempty"`
+	ARMOImprovement      float32      `json:"ARMOImprovement,omitempty"`
 }
 type RuleReport struct {
 	Name               string                   `json:"name"`
 	Remediation        string                   `json:"remediation"`
-	RuleStatus         RuleStatus               `json:"ruleStatus"`
+	RuleStatus         RuleStatus               `json:"ruleStatus"` // did we run the rule or not (if there where compile errors, the value will be failed)
 	RuleResponses      []RuleResponse           `json:"ruleResponses"`
 	ListInputResources []map[string]interface{} `json:"-"`
 	ListInputKinds     []string                 `json:"-"`
@@ -93,6 +102,8 @@ type PolicyRule struct {
 // Control represents a collection of rules which are combined together to single purpose
 type Control struct {
 	armotypes.PortalBase `json:",inline"`
+	Control_ID           string       `json:"id,omitempty"` // to be Deprecated
+	ControlID            string       `json:"controlID"`
 	CreationTime         string       `json:"creationTime"`
 	Description          string       `json:"description"`
 	Remediation          string       `json:"remediation"`
@@ -150,43 +161,3 @@ type PolicyIdentifier struct {
 	Kind NotificationPolicyKind `json:"kind"`
 	Name string                 `json:"name"`
 }
-
-type ScanInfo struct {
-	PolicyIdentifier   PolicyIdentifier
-	Format             string
-	Output             string
-	ExcludedNamespaces string
-	InputPatterns      []string
-	Silent             bool
-}
-
-func (scanInfo *ScanInfo) Init() {
-	// scanInfo.setSilentMode()
-	scanInfo.setOutputFile()
-
-}
-
-func (scanInfo *ScanInfo) setSilentMode() {
-	if scanInfo.Format == "json" || scanInfo.Format == "junit" {
-		scanInfo.Silent = true
-	}
-	if scanInfo.Output != "" {
-		scanInfo.Silent = true
-	}
-}
-
-func (scanInfo *ScanInfo) setOutputFile() {
-	if scanInfo.Output == "" {
-		return
-	}
-	if scanInfo.Format == "json" {
-		if filepath.Ext(scanInfo.Output) != "json" {
-			scanInfo.Output += ".json"
-		}
-	}
-	if scanInfo.Format == "junit" {
-		if filepath.Ext(scanInfo.Output) != "xml" {
-			scanInfo.Output += ".xml"
-		}
-	}
-}

cautils/opapolicy/datastructures_mock.go

@@ -33,7 +33,8 @@ func MockFrameworkReportA() *FrameworkReport {
 		Name: AMockFrameworkName,
 		ControlReports: []ControlReport{
 			{
-				Name: AMockControlName,
+				ControlID: "C-0010",
+				Name:      AMockControlName,
 				RuleReports: []RuleReport{
 					{
 						Name:        AMockRuleName,

cautils/opapolicy/datastructuresmethods.go

@@ -3,10 +3,6 @@ package opapolicy
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
-
-	"github.com/golang/glog"
-	"github.com/open-policy-agent/opa/rego"
 )
 
 func (pn *PolicyNotification) ToJSONBytesBuffer() (*bytes.Buffer, error) {
@@ -17,6 +13,19 @@ func (pn *PolicyNotification) ToJSONBytesBuffer() (*bytes.Buffer, error) {
 	return bytes.NewBuffer(res), err
 }
 
+func (RuleResponse *RuleResponse) GetSingleResultStatus() string {
+	if RuleResponse.Exception != nil {
+		if RuleResponse.Exception.IsAlertOnly() {
+			return "warning"
+		}
+		if RuleResponse.Exception.IsDisable() {
+			return "ignore"
+		}
+	}
+	return "failed"
+
+}
+
 func (ruleReport *RuleReport) GetRuleStatus() (string, []RuleResponse, []RuleResponse) {
 	if len(ruleReport.RuleResponses) == 0 {
 		return "success", nil, nil
@@ -26,9 +35,11 @@ func (ruleReport *RuleReport) GetRuleStatus() (string, []RuleResponse, []RuleRes
 
 	for _, rule := range ruleReport.RuleResponses {
 		if rule.ExceptionName != "" {
-			failed = append(failed, rule)
-		} else {
 			exceptions = append(exceptions, rule)
+		} else if rule.Exception != nil {
+			exceptions = append(exceptions, rule)
+		} else {
+			failed = append(failed, rule)
 		}
 	}
 
@@ -38,46 +49,30 @@ func (ruleReport *RuleReport) GetRuleStatus() (string, []RuleResponse, []RuleRes
 	}
 	return status, failed, exceptions
 }
-func ParseRegoResult(regoResult *rego.ResultSet) ([]RuleResponse, error) {
-	var errs error
-	ruleResponses := []RuleResponse{}
-	for _, result := range *regoResult {
-		for desicionIdx := range result.Expressions {
-			if resMap, ok := result.Expressions[desicionIdx].Value.(map[string]interface{}); ok {
-				for objName := range resMap {
-					jsonBytes, err := json.Marshal(resMap[objName])
-					if err != nil {
-						err = fmt.Errorf("in parseRegoResult, json.Marshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
-						glog.Error(err)
-						errs = fmt.Errorf("%s\n%s", errs, err)
-						continue
-					}
-					desObj := make([]RuleResponse, 0)
-					if err := json.Unmarshal(jsonBytes, &desObj); err != nil {
-						err = fmt.Errorf("in parseRegoResult, json.Unmarshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
-						glog.Error(err)
-						errs = fmt.Errorf("%s\n%s", errs, err)
-						continue
-					}
-					ruleResponses = append(ruleResponses, desObj...)
-				}
-			}
-		}
-	}
-	return ruleResponses, errs
-}
 
 func (controlReport *ControlReport) GetNumberOfResources() int {
 	sum := 0
 	for i := range controlReport.RuleReports {
-		if controlReport.RuleReports[i].ListInputResources == nil {
-			continue
-		}
-		sum += len(controlReport.RuleReports[i].ListInputResources)
+		sum += controlReport.RuleReports[i].GetNumberOfResources()
 	}
 	return sum
 }
 
+func (controlReport *ControlReport) GetNumberOfFailedResources() int {
+	sum := 0
+	for i := range controlReport.RuleReports {
+		sum += controlReport.RuleReports[i].GetNumberOfFailedResources()
+	}
+	return sum
+}
+
+func (controlReport *ControlReport) GetNumberOfWarningResources() int {
+	sum := 0
+	for i := range controlReport.RuleReports {
+		sum += controlReport.RuleReports[i].GetNumberOfWarningResources()
+	}
+	return sum
+}
 func (controlReport *ControlReport) ListControlsInputKinds() []string {
 	listControlsInputKinds := []string{}
 	for i := range controlReport.RuleReports {
@@ -85,15 +80,119 @@ func (controlReport *ControlReport) ListControlsInputKinds() []string {
 	}
 	return listControlsInputKinds
 }
+
 func (controlReport *ControlReport) Passed() bool {
 	for i := range controlReport.RuleReports {
-		if len(controlReport.RuleReports[i].RuleResponses) > 0 {
+		if len(controlReport.RuleReports[i].RuleResponses) != 0 {
 			return false
 		}
 	}
 	return true
 }
 
-func (controlReport *ControlReport) Failed() bool {
-	return !controlReport.Passed()
+func (controlReport *ControlReport) Warning() bool {
+	if controlReport.Passed() || controlReport.Failed() {
+		return false
+	}
+	for i := range controlReport.RuleReports {
+		if status, _, _ := controlReport.RuleReports[i].GetRuleStatus(); status == "warning" {
+			return true
+		}
+	}
+	return false
+}
+
+func (controlReport *ControlReport) Failed() bool {
+	if controlReport.Passed() {
+		return false
+	}
+	for i := range controlReport.RuleReports {
+		if status, _, _ := controlReport.RuleReports[i].GetRuleStatus(); status == "failed" {
+			return true
+		}
+	}
+	return false
+}
+
+func (ruleReport *RuleReport) GetNumberOfResources() int {
+	return len(ruleReport.ListInputResources)
+}
+
+func (ruleReport *RuleReport) GetNumberOfFailedResources() int {
+	sum := 0
+	for i := len(ruleReport.RuleResponses) - 1; i >= 0; i-- {
+		if ruleReport.RuleResponses[i].GetSingleResultStatus() == "failed" {
+			sum += len(ruleReport.RuleResponses[i].AlertObject.K8SApiObjects)
+		}
+	}
+	return sum
+}
+
+func (ruleReport *RuleReport) GetNumberOfWarningResources() int {
+	sum := 0
+	for i := range ruleReport.RuleResponses {
+		if ruleReport.RuleResponses[i].GetSingleResultStatus() == "warning" {
+			sum += len(ruleReport.RuleResponses[i].AlertObject.K8SApiObjects)
+		}
+	}
+	return sum
+}
+
+func (postureReport *PostureReport) RemoveData() {
+	for i := range postureReport.FrameworkReports {
+		postureReport.FrameworkReports[i].RemoveData()
+	}
+}
+func (frameworkReport *FrameworkReport) RemoveData() {
+	for i := range frameworkReport.ControlReports {
+		frameworkReport.ControlReports[i].RemoveData()
+	}
+}
+func (controlReport *ControlReport) RemoveData() {
+	for i := range controlReport.RuleReports {
+		controlReport.RuleReports[i].RemoveData()
+	}
+}
+
+func (ruleReport *RuleReport) RemoveData() {
+	for i := range ruleReport.RuleResponses {
+		ruleReport.RuleResponses[i].RemoveData()
+	}
+}
+
+func (r *RuleResponse) RemoveData() {
+	r.AlertObject.ExternalObjects = nil
+
+	keepFields := []string{"kind", "apiVersion", "metadata"}
+	keepMetadataFields := []string{"name", "namespace", "labels"}
+
+	for i := range r.AlertObject.K8SApiObjects {
+		deleteFromMap(r.AlertObject.K8SApiObjects[i], keepFields)
+		for k := range r.AlertObject.K8SApiObjects[i] {
+			if k == "metadata" {
+				if b, ok := r.AlertObject.K8SApiObjects[i][k].(map[string]interface{}); ok {
+					deleteFromMap(b, keepMetadataFields)
+					r.AlertObject.K8SApiObjects[i][k] = b
+				}
+			}
+		}
+	}
+}
+
+func deleteFromMap(m map[string]interface{}, keepFields []string) {
+	for k := range m {
+		if StringInSlice(keepFields, k) {
+			continue
+		}
+		delete(m, k)
+	}
+}
+
+func StringInSlice(strSlice []string, str string) bool {
+	for i := range strSlice {
+		if strSlice[i] == str {
+			return true
+		}
+	}
+	return false
 }

cautils/opapolicy/resources/resourcesutils.go

@@ -3,7 +3,6 @@ package resources
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -42,9 +41,12 @@ func NewRegoDependenciesDataMock() *RegoDependenciesData {
 
 func NewRegoDependenciesData(k8sConfig *rest.Config) *RegoDependenciesData {
 
-	regoDependenciesData := RegoDependenciesData{
-		K8sConfig: *NewRegoK8sConfig(k8sConfig),
+	regoDependenciesData := RegoDependenciesData{}
+
+	if k8sConfig != nil {
+		regoDependenciesData.K8sConfig = *NewRegoK8sConfig(k8sConfig)
 	}
+
 	return &regoDependenciesData
 }
 func NewRegoK8sConfig(k8sConfig *rest.Config) *RegoK8sConfig {
@@ -61,19 +63,9 @@ func NewRegoK8sConfig(k8sConfig *rest.Config) *RegoK8sConfig {
 		token = fmt.Sprintf("Bearer %s", k8sConfig.BearerToken)
 	}
 
-	// crtFile := os.Getenv("KUBERNETES_CRT_PATH")
-	// if crtFile == "" {
-	// 	crtFile = k8sConfig.CAFile
-	// 	// crtFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-	// }
-
-	// glog.Infof("===========================================================================")
-	// glog.Infof(fmt.Sprintf("%v", k8sConfig.String()))
-	// glog.Infof("===========================================================================")
-
 	regoK8sConfig := RegoK8sConfig{
 		Token:         token,
-		Host:          k8sConfig.Host,
+		Host:          host,
 		CrtFile:       k8sConfig.CAFile,
 		ClientCrtFile: k8sConfig.CertFile,
 		ClientKeyFile: k8sConfig.KeyFile,
@@ -101,7 +93,7 @@ func LoadRegoFiles(dir string) map[string]string {
 	// Compile the module. The keys are used as identifiers in error messages.
 	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if err == nil && strings.HasSuffix(path, ".rego") && !info.IsDir() {
-			content, err := ioutil.ReadFile(path)
+			content, err := os.ReadFile(path)
 			if err != nil {
 				glog.Errorf("LoadRegoFiles, Failed to load: %s: %v", path, err)
 			} else {

cautils/opapolicy/resources/resourcesutils_test.go

@@ -1,17 +1 @@
 package resources
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestLoadRegoDependenciesFromDir(t *testing.T) {
-	dir, _ := os.Getwd()
-	t.Errorf("%s", filepath.Join(dir, "rego/dependencies"))
-	return
-	// modules := LoadRegoDependenciesFromDir("")
-	// if len(modules) == 0 {
-	// 	t.Errorf("modules len == 0")
-	// }
-}

cautils/scaninfo.go

@@ -0,0 +1,91 @@
+package cautils
+
+import (
+	"path/filepath"
+
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+type ScanInfo struct {
+	Getters
+	PolicyIdentifier   opapolicy.PolicyIdentifier
+	UseExceptions      string   // Load exceptions configuration
+	UseFrom            string   // Load framework from local file (instead of download). Use when running offline
+	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
+	Format             string   // Format results (table, json, junit ...)
+	Output             string   // Store results in an output file, Output file name
+	ExcludedNamespaces string   // DEPRECATED?
+	InputPatterns      []string // Yaml files input patterns
+	Silent             bool     // Silent mode - Do not print progress logs
+	FailThreshold      uint16   // Failure score threshold
+	DoNotSendResults   bool     // DEPRECATED
+	Submit             bool     // Submit results to Armo BE
+	Local              bool     // Do not submit results
+	Account            string   // account ID
+}
+
+type Getters struct {
+	ExceptionsGetter getter.IExceptionsGetter
+	PolicyGetter     getter.IPolicyGetter
+}
+
+func (scanInfo *ScanInfo) Init() {
+	scanInfo.setUseFrom()
+	scanInfo.setUseExceptions()
+	scanInfo.setOutputFile()
+	scanInfo.setGetter()
+
+}
+
+func (scanInfo *ScanInfo) setUseExceptions() {
+	if scanInfo.UseExceptions != "" {
+		// load exceptions from file
+		scanInfo.ExceptionsGetter = getter.NewLoadPolicy(scanInfo.UseExceptions)
+	} else {
+		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
+	}
+
+}
+func (scanInfo *ScanInfo) setUseFrom() {
+	if scanInfo.UseFrom != "" {
+		return
+	}
+	if scanInfo.UseDefault {
+		scanInfo.UseFrom = getter.GetDefaultPath(scanInfo.PolicyIdentifier.Name + ".json")
+	}
+
+}
+func (scanInfo *ScanInfo) setGetter() {
+	if scanInfo.UseFrom != "" {
+		// load from file
+		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
+	} else {
+		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
+	}
+}
+
+func (scanInfo *ScanInfo) setOutputFile() {
+	if scanInfo.Output == "" {
+		return
+	}
+	if scanInfo.Format == "json" {
+		if filepath.Ext(scanInfo.Output) != ".json" {
+			scanInfo.Output += ".json"
+		}
+	}
+	if scanInfo.Format == "junit" {
+		if filepath.Ext(scanInfo.Output) != ".xml" {
+			scanInfo.Output += ".xml"
+		}
+	}
+}
+
+func (scanInfo *ScanInfo) ScanRunningCluster() bool {
+	return len(scanInfo.InputPatterns) == 0
+}
+
+// func (scanInfo *ScanInfo) ConnectedToCluster(k8s k8sinterface.) bool {
+// 	_, err := k8s.KubernetesClient.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{})
+// 	return err == nil
+// }

cautils/strutils_test.go

@@ -13,7 +13,13 @@ func TestConvertLabelsToString(t *testing.T) {
 	spilltedA := strings.Split(rsrt, ";")
 	spilltedB := strings.Split(str, ";")
 	for i := range spilltedA {
-		if spilltedA[i] != spilltedB[i] {
+		exists := false
+		for j := range spilltedB {
+			if spilltedB[j] == spilltedA[i] {
+				exists = true
+			}
+		}
+		if !exists {
 			t.Errorf("%s != %s", spilltedA[i], spilltedB[i])
 		}
 	}

cmd/cluster.go

@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// clusterCmd represents the cluster command
+var clusterCmd = &cobra.Command{
+	Use:   "cluster",
+	Short: "Set configuration for cluster",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	configCmd.AddCommand(clusterCmd)
+}

cmd/cluster_get.go

@@ -0,0 +1,50 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/spf13/cobra"
+)
+
+var getCmd = &cobra.Command{
+	Use:       "get <key>",
+	Short:     "Get configuration in cluster",
+	Long:      ``,
+	ValidArgs: supportedFrameworks,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+
+		k8s := k8sinterface.NewKubernetesApi()
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
+		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
+		if err != nil {
+			if err.Error() == "value does not exist." {
+				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
+				return nil
+			}
+			return err
+		}
+		fmt.Println(key + "=" + val)
+		return nil
+	},
+}
+
+func init() {
+	clusterCmd.AddCommand(getCmd)
+}

cmd/cluster_set.go

@@ -0,0 +1,44 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/spf13/cobra"
+)
+
+var setCmd = &cobra.Command{
+	Use:   "set <key>=<value>",
+	Short: "Set configuration in cluster",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 2 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+		data := keyValue[1]
+
+		k8s := k8sinterface.NewKubernetesApi()
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
+		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
+			return err
+		}
+		fmt.Println("Value added successfully.")
+		return nil
+	},
+}
+
+func init() {
+	clusterCmd.AddCommand(setCmd)
+}

cmd/config.go

@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// configCmd represents the config command
+var configCmd = &cobra.Command{
+	Use:   "config",
+	Short: "Set configuration",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(configCmd)
+}

cmd/download.go

@@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/spf13/cobra"
+)
+
+var downloadInfo cautils.DownloadInfo
+
+var downloadCmd = &cobra.Command{
+	Use:   fmt.Sprintf("download framework <framework-name> [flags]\nSupported frameworks: %s", validFrameworks),
+	Short: "Download framework controls",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) != 2 {
+			return fmt.Errorf("requires two arguments : framework <framework-name>")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		downloadInfo.FrameworkName = args[1]
+		g := getter.NewDownloadReleasedPolicy()
+		if downloadInfo.Path == "" {
+			downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
+		}
+		frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
+		if err != nil {
+			return err
+		}
+		err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
+		if err != nil {
+			return err
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(downloadCmd)
+	downloadInfo = cautils.DownloadInfo{}
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
+}

cmd/framework.go

@@ -1,69 +1,80 @@
 package cmd
 
 import (
-	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/getter"
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 	"github.com/armosec/kubescape/cautils/opapolicy"
 	"github.com/armosec/kubescape/opaprocessor"
 	"github.com/armosec/kubescape/policyhandler"
-	"github.com/armosec/kubescape/printer"
+	"github.com/armosec/kubescape/resultshandling"
+	"github.com/armosec/kubescape/resultshandling/printer"
+	"github.com/armosec/kubescape/resultshandling/reporter"
 
 	"github.com/spf13/cobra"
 )
 
-var scanInfo opapolicy.ScanInfo
-var supportedFrameworks = []string{"nsa"}
+var scanInfo cautils.ScanInfo
+var supportedFrameworks = []string{"nsa", "mitre"}
+var validFrameworks = strings.Join(supportedFrameworks, ", ")
 
 type CLIHandler struct {
 	policyHandler *policyhandler.PolicyHandler
-	scanInfo      *opapolicy.ScanInfo
+	scanInfo      *cautils.ScanInfo
 }
 
 var frameworkCmd = &cobra.Command{
-	Use:       "framework <framework name> [`<glob patter>`/`-`] [flags]",
+
+	Use:       fmt.Sprintf("framework <framework name> [`<glob pattern>`/`-`] [flags]\nSupported frameworks: %s", validFrameworks),
 	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(supportedFrameworks, ", ")),
 	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
 	ValidArgs: supportedFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
+		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
 			return fmt.Errorf("requires at least one argument")
-		}
-		if !isValidFramework(args[0]) {
-			return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(supportedFrameworks, ", ")))
+		} else if len(args) > 0 {
+			if !isValidFramework(strings.ToLower(args[0])) {
+				return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(supportedFrameworks, ", ")))
+			}
 		}
 		return nil
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		scanInfo.PolicyIdentifier = opapolicy.PolicyIdentifier{}
 		scanInfo.PolicyIdentifier.Kind = opapolicy.KindFramework
-		scanInfo.PolicyIdentifier.Name = args[0]
 
-		if len(args[1:]) == 0 || args[1] != "-" {
-			scanInfo.InputPatterns = args[1:]
-		} else { // store stout to file
-			tempFile, err := ioutil.TempFile(".", "tmp-kubescape*.yaml")
-			if err != nil {
-				return err
-			}
-			defer os.Remove(tempFile.Name())
+		if !(cmd.Flags().Lookup("use-from").Changed) {
+			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
+		}
+		if len(args) > 0 {
+			if len(args[1:]) == 0 || args[1] != "-" {
+				scanInfo.InputPatterns = args[1:]
+			} else { // store stout to file
+				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+				if err != nil {
+					return err
+				}
+				defer os.Remove(tempFile.Name())
 
-			if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-				return err
+				if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+					return err
+				}
+				scanInfo.InputPatterns = []string{tempFile.Name()}
 			}
-			scanInfo.InputPatterns = []string{tempFile.Name()}
 		}
 		scanInfo.Init()
 		cautils.SetSilentMode(scanInfo.Silent)
-		CliSetup()
-
+		err := CliSetup()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
 		return nil
 	},
 }
@@ -74,17 +85,35 @@ func isValidFramework(framework string) bool {
 
 func init() {
 	scanCmd.AddCommand(frameworkCmd)
-	scanInfo = opapolicy.ScanInfo{}
-	frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "namespaces to exclude from check")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `output format. supported formats: "pretty-printer"/"json"/"junit"`)
-	frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "output file. print output to file and not stdout")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "silent progress output")
+	scanInfo = cautils.ScanInfo{}
+	frameworkCmd.Flags().StringVar(&scanInfo.UseFrom, "use-from", "", "Load local framework object from specified path. If not used will download latest")
+	frameworkCmd.Flags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local framework object from default path. If not used will download latest")
+	frameworkCmd.Flags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from Armo management portal")
+	frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system, kube-public")
+	frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"`)
+	frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
+	frameworkCmd.Flags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent bellow which the command fails and returns exit code 1")
+	frameworkCmd.Flags().BoolVarP(&scanInfo.DoNotSendResults, "results-locally", "", false, "Deprecated. Please use `--keep-local` instead")
+	frameworkCmd.Flags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
+	frameworkCmd.Flags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results")
+	frameworkCmd.Flags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+
 }
 
 func CliSetup() error {
-	flag.Parse()
+	flagValidation()
 
-	k8s := k8sinterface.NewKubernetesApi()
+	var k8s *k8sinterface.KubernetesApi
+	var clusterConfig cautils.IClusterConfig
+	if !scanInfo.ScanRunningCluster() {
+		k8sinterface.ConnectedToCluster = false
+		clusterConfig = cautils.NewEmptyConfig()
+	} else {
+		k8s = k8sinterface.NewKubernetesApi()
+		// setup cluster config
+		clusterConfig =  cautils.ClusterConfigSetup(&scanInfo, k8s, getter.GetArmoAPIConnector())
+	}
 
 	processNotification := make(chan *cautils.OPASessionObj)
 	reportResults := make(chan *cautils.OPASessionObj)
@@ -92,19 +121,38 @@ func CliSetup() error {
 	// policy handler setup
 	policyHandler := policyhandler.NewPolicyHandler(&processNotification, k8s)
 
-	// cli handler setup
-	cli := NewCLIHandler(policyHandler)
-	if err := cli.Scan(); err != nil {
-		panic(err)
+	if err := clusterConfig.SetCustomerGUID(scanInfo.Account); err != nil {
+		fmt.Println(err)
 	}
 
+	cautils.CustomerGUID = clusterConfig.GetCustomerGUID()
+	cautils.ClusterName = k8sinterface.GetClusterName()
+
+	// cli handler setup
+	go func() {
+		cli := NewCLIHandler(policyHandler)
+		if err := cli.Scan(); err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+	}()
+
 	// processor setup - rego run
 	go func() {
-		reporterObj := opaprocessor.NewOPAProcessor(&processNotification, &reportResults)
-		reporterObj.ProcessRulesListenner()
+		opaprocessorObj := opaprocessor.NewOPAProcessorHandler(&processNotification, &reportResults)
+		opaprocessorObj.ProcessRulesListenner()
 	}()
-	p := printer.NewPrinter(&reportResults, scanInfo.Format, scanInfo.Output)
-	p.ActionPrint()
+
+	resultsHandling := resultshandling.NewResultsHandler(&reportResults, reporter.NewReportEventReceiver(), printer.NewPrinter(scanInfo.Format, scanInfo.Output))
+	score := resultsHandling.HandleResults()
+
+	// print report url
+	clusterConfig.GenerateURL()
+
+	adjustedFailThreshold := float32(scanInfo.FailThreshold) / 100
+	if score < adjustedFailThreshold {
+		return fmt.Errorf("Scan score is bellow threshold")
+	}
 
 	return nil
 }
@@ -127,14 +175,27 @@ func (clihandler *CLIHandler) Scan() error {
 	}
 	switch policyNotification.NotificationType {
 	case opapolicy.TypeExecPostureScan:
-		go func() {
-			if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
-				fmt.Printf("%v\n", err)
-				os.Exit(0)
-			}
-		}()
+		//
+		if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
+			return err
+		}
 	default:
 		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
 	}
 	return nil
 }
+
+func flagValidation() {
+	if scanInfo.DoNotSendResults {
+		fmt.Println("Deprecated. Please use `--keep-local` instead")
+	}
+
+	if scanInfo.Submit && scanInfo.Local {
+		fmt.Println("You can use `keep-local` or `submit`, but not both")
+		os.Exit(1)
+	}
+	if 100 < scanInfo.FailThreshold {
+		fmt.Println("bad argument: out of range threshold")
+		os.Exit(1)
+	}
+}

cmd/local.go

@@ -0,0 +1,17 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var localCmd = &cobra.Command{
+	Use:   "local",
+	Short: "Set configuration locally (for config.json)",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	configCmd.AddCommand(localCmd)
+}

cmd/local_get.go

@@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/spf13/cobra"
+)
+
+var localGetCmd = &cobra.Command{
+	Use:   "get <key>",
+	Short: "Get configuration locally",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+
+		val, err := cautils.GetValueFromConfigJson(key)
+		if err != nil {
+			if err.Error() == "value does not exist." {
+				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
+				return nil
+			}
+			return err
+		}
+		fmt.Println(key + "=" + val)
+		return nil
+	},
+}
+
+func init() {
+	localCmd.AddCommand(localGetCmd)
+}

cmd/local_set.go

@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/spf13/cobra"
+)
+
+var localSetCmd = &cobra.Command{
+	Use:   "set <key>=<value>",
+	Short: "Set configuration locally",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 2 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+		data := keyValue[1]
+
+		if err := cautils.SetKeyValueInConfigJson(key, data); err != nil {
+			return err
+		}
+		fmt.Println("Value added successfully.")
+		return nil
+	},
+}
+
+func init() {
+	localCmd.AddCommand(localSetCmd)
+}

cmd/root.go

@@ -1,15 +1,29 @@
 package cmd
 
 import (
+	"flag"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 )
 
 var cfgFile string
+var armoBEURLs = ""
+
+const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
 
 var rootCmd = &cobra.Command{
 	Use:   "kubescape",
 	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA and MITRE specifications.`,
+	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
+	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		flag.Parse()
+		InitArmoBEConnector()
+		return nil
+	},
 }
 
 func Execute() {
@@ -17,9 +31,38 @@ func Execute() {
 }
 
 func init() {
+	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
+	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
+	rootCmd.PersistentFlags().MarkHidden("environment")
 	cobra.OnInitialize(initConfig)
+
 }
 
 // initConfig reads in config file and ENV variables if set.
 func initConfig() {
 }
+
+func InitArmoBEConnector() {
+	urlSlices := strings.Split(armoBEURLs, ",")
+	if len(urlSlices) > 3 {
+		glog.Errorf("Too many URLs")
+		os.Exit(1)
+	}
+	switch len(urlSlices) {
+	case 1:
+		switch urlSlices[0] {
+		case "dev":
+			getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
+		case "":
+			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
+		default:
+			glog.Errorf("--environment flag usage: %s", envFlagUsage)
+			os.Exit(1)
+		}
+	case 2:
+		glog.Errorf("--environment flag usage: %s", envFlagUsage)
+		os.Exit(1)
+	case 3:
+		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
+	}
+}

cmd/version.go

@@ -0,0 +1,49 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/spf13/cobra"
+)
+
+var BuildNumber string
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Get current version",
+	Long:  ``,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		fmt.Println("Your current version is: " + BuildNumber)
+		return nil
+	},
+}
+
+func GetLatestVersion() (string, error) {
+	latestVersion := "https://api.github.com/repos/armosec/kubescape/releases/latest"
+	resp, err := http.Get(latestVersion)
+	if err != nil {
+		return "", fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestVersion, err.Error())
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || 301 < resp.StatusCode {
+		return "", fmt.Errorf("failed to download file, status code: %s", resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read response body from '%s', reason: %s", latestVersion, err.Error())
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return "", fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestVersion, err.Error())
+	}
+	return fmt.Sprintf("%v", data["tag_name"]), nil
+}
+
+func init() {
+	rootCmd.AddCommand(versionCmd)
+}

docs/index.html

@@ -0,0 +1,24 @@
+<html>
+
+<head>
+    <title>
+        Kubscape Website
+    </title>
+    <link rel="icon" type="image/x-icon" href="favicon.ico">
+</head>
+<style>
+    img {
+        display: block;
+        margin-left: auto;
+        margin-right: auto;
+    }
+</style>
+
+<body style="text-align: center;">
+    <img src="kubescape.png" alt="Kubescap logo" style="width:20%">
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500"
+        allowtransparency="true" frameborder="0"
+        sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</body>
+
+</html>

docs/release.md

@@ -50,6 +50,18 @@ kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatfo
 helm template [CHART] [flags] --generate-name --dry-run | kubescape scan framework nsa -
 ```
 
+### Scan on-prem (offline)
+
+* Scan using a framework from the local file system 
+```
+kubescape scan framework --use-from <path> 
+```
+
+* Scan using the framework from the default location in file system  
+```
+kubescape scan framework  --use-default 
+```
+
 ## Output formats
 
 By default, the output is user friendly.
@@ -64,4 +76,16 @@ kubescape scan framework nsa --format json --output results.json
 * Output in `junit xml` format <img src="new-feature.svg">
 ```
 kubescape scan framework nsa --format junit --output results.xml
-```
+```
+
+## Download
+
+* Download and save in file <img src="new-feature.svg">
+```
+kubescape download framework nsa --output nsa.json
+```
+
+* Download and save in default file (`~/.kubescape/<framework name>.json`)
+```
+kubescape download framework nsa 
+```

docs/run-options.md

@@ -0,0 +1,89 @@
+<img src="kubescape.png" width="300" alt="logo" align="center">
+
+# More detailed look on command line arguments and options
+
+## Simple run:
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+## Flags
+
+| flag |  default | description | options |
+| --- | --- | --- | --- |
+| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
+| `-s`/`--silent` | Display progress messages | Silent progress messages |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` | 
+| `-o`/`--output` | print to stdout | Save scan result in file |
+| `--use-from` | | Load local framework object from specified path. If not used will download latest |
+| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--results-locally` | `false` | Kubescape sends scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features | `true`/`false`|
+
+## Usage & Examples
+ 
+### Examples
+
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+* Scan local `yaml`/`json` files before deploying
+```
+kubescape scan framework nsa *.yaml
+```
+
+
+* Scan `yaml`/`json` files from url 
+```
+kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
+```
+
+* Output in `json` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
+```
+
+* Output in `junit xml` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
+```
+
+* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
+```
+kubescape scan framework nsa --exceptions examples/exceptions.json
+```
+
+### Helm Support
+
+* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout 
+```
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+```
+
+for example:
+```
+helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+```
+
+### Offline Support <img src="docs/new-feature.svg">
+
+It is possible to run Kubescape offline!
+
+First download the framework and then scan with `--use-from` flag
+
+* Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+```
+kubescape download framework nsa --output nsa.json
+```
+
+* Scan using the downloaded framework 
+```
+kubescape scan framework nsa --use-from nsa.json
+```
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+

examples/exceptions.json

@@ -0,0 +1,34 @@
+[
+    {
+        "name": "ignore-kube-namespaces",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-system"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-public"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-node-lease"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {
+                "frameworkName": "NSA"
+            }
+        ]
+    }
+]

go.mod

@@ -1,6 +1,6 @@
 module github.com/armosec/kubescape
 
-go 1.16
+go 1.17
 
 require (
 	github.com/aws/aws-sdk-go v1.40.30
@@ -28,3 +28,57 @@ require (
 	k8s.io/client-go v0.22.1
 	sigs.k8s.io/controller-runtime v0.9.6
 )
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/bytecodealliance/wasmtime-go v0.28.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.11 // indirect
+	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
+	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.2.2 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/klog/v2 v2.9.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
+	k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)

install.ps1

@@ -0,0 +1,26 @@
+Write-Host "Installing Kubescape..." -ForegroundColor Cyan
+
+$BASE_DIR=$env:USERPROFILE + "\.kubescape"
+$packageName = "/kubescape-windows-latest"
+
+# Get latest release url
+$config = Invoke-WebRequest "https://api.github.com/repos/armosec/kubescape/releases/latest" | ConvertFrom-Json
+$url = $config.html_url.Replace("/tag/","/download/")
+$fullUrl = $url + $packageName
+
+# Create a new directory if needed
+New-Item -Path $BASE_DIR -ItemType "directory" -ErrorAction SilentlyContinue
+
+# Download the binary
+Invoke-WebRequest -Uri $fullUrl -OutFile $BASE_DIR\kubescape.exe
+
+# Update user PATH if needed
+$currentPath = [Environment]::GetEnvironmentVariable("Path", "User")
+if (-not $currentPath.Contains($BASE_DIR)) {
+    $confirmation = Read-Host "Add kubescape to user path? (y/n)"
+    if ($confirmation -eq 'y') {
+        [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";$BASE_DIR;", "User")
+    }
+}
+
+Write-Host "Finished Installation" -ForegroundColor Green 

install.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-echo "Installing Kubescape..."
+echo -e "\033[0;36mInstalling Kubescape..."
 echo
  
 BASE_DIR=~/.kubescape
@@ -9,33 +9,50 @@ KUBESCAPE_EXEC=kubescape
 
 osName=$(uname -s)
 if [[ $osName == *"MINGW"* ]]; then
-    osName=windows-latest
+    osName=windows
 elif [[ $osName == *"Darwin"* ]]; then
-    osName=macos-latest
+    osName=macos
 else
-    osName=ubuntu-latest
+    osName=ubuntu
 fi
 
-GITHUB_OWNER=armosec
-
-DOWNLOAD_URL=$(curl --silent "https://api.github.com/repos/$GITHUB_OWNER/kubescape/releases/latest" | grep -o "browser_download_url.*${osName}.*")
-DOWNLOAD_URL=${DOWNLOAD_URL//\"}
-DOWNLOAD_URL=${DOWNLOAD_URL/browser_download_url: /}
-
 mkdir -p $BASE_DIR 
 
 OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
-
+DOWNLOAD_URL="https://github.com/armosec/kubescape/releases/latest/download/kubescape-${osName}-latest"
 curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
-echo -e "\033[32m[V] Downloaded Kubescape"
 
-sudo chmod +x $OUTPUT
-sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
-sudo cp $OUTPUT /usr/local/bin
-rm -rf $BASE_DIR
+# Checking if SUDO needed/exists 
+SUDO=
+if [ "$(id -u)" -ne 0 ] && [ -n "$(which sudo)" ]; then
+    SUDO=sudo
+fi
 
-echo -e "[V] Finished Installation"
+
+# Find install dir
+install_dir=/usr/local/bin #default
+for pdir in ${PATH//:/ }; do
+    edir="${pdir/#\~/$HOME}"
+    if [[ $edir == $HOME/* ]]; then
+        install_dir=$edir
+        mkdir -p $install_dir 2>/dev/null || true
+        SUDO=
+        break
+    fi
+done
+
+chmod +x $OUTPUT 2>/dev/null 
+$SUDO rm -f /usr/local/bin/$KUBESCAPE_EXEC 2>/dev/null || true # clearning up old install
+$SUDO cp $OUTPUT $install_dir/$KUBESCAPE_EXEC 
+rm -rf $OUTPUT
+
+echo
+echo -e "\033[32mFinished Installation."
+
+echo -e "\033[0m"
+$KUBESCAPE_EXEC version
 echo
 
-echo -e "\033[35m Usage: $ $KUBESCAPE_EXEC scan framework nsa --exclude-namespaces kube-system,kube-public"
-echo
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan framework nsa --exclude-namespaces kube-system,kube-public"
+
+echo -e "\033[0m"

main.go

@@ -1,7 +1,23 @@
 package main
 
-import "github.com/armosec/kubescape/cmd"
+import (
+	"fmt"
+	"os"
+
+	"github.com/armosec/kubescape/cmd"
+)
 
 func main() {
+	CheckLatestVersion()
 	cmd.Execute()
 }
+
+func CheckLatestVersion() {
+	latest, err := cmd.GetLatestVersion()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error: %v\n", err)
+	} else if latest != cmd.BuildNumber {
+		fmt.Println("Warning: You are not updated to the latest release: " + latest)
+	}
+
+}

opaprocessor/processorhandler.go

@@ -6,105 +6,166 @@ import (
 	"time"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/scapepkg/exceptions"
+	"github.com/armosec/kubescape/scapepkg/score"
 
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 
 	"github.com/armosec/kubescape/cautils/opapolicy"
 	"github.com/armosec/kubescape/cautils/opapolicy/resources"
-
 	"github.com/golang/glog"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/open-policy-agent/opa/storage"
+	uuid "github.com/satori/go.uuid"
 )
 
-type OPAProcessor struct {
-	processedPolicy    *chan *cautils.OPASessionObj
-	reportResults      *chan *cautils.OPASessionObj
-	regoK8sCredentials storage.Store
+const ScoreConfigPath = "/resources/config"
+
+var RegoK8sCredentials storage.Store
+
+type OPAProcessorHandler struct {
+	processedPolicy *chan *cautils.OPASessionObj
+	reportResults   *chan *cautils.OPASessionObj
+	// componentConfig    cautils.ComponentConfig
 }
 
-func NewOPAProcessor(processedPolicy, reportResults *chan *cautils.OPASessionObj) *OPAProcessor {
+type OPAProcessor struct {
+	*cautils.OPASessionObj
+}
+
+func NewOPAProcessor(sessionObj *cautils.OPASessionObj) *OPAProcessor {
+	return &OPAProcessor{
+		OPASessionObj: sessionObj,
+	}
+}
+
+func NewOPAProcessorHandler(processedPolicy, reportResults *chan *cautils.OPASessionObj) *OPAProcessorHandler {
 
 	regoDependenciesData := resources.NewRegoDependenciesData(k8sinterface.GetK8sConfig())
 	store, err := regoDependenciesData.TOStorage()
 	if err != nil {
 		panic(err)
 	}
-	return &OPAProcessor{
-		processedPolicy:    processedPolicy,
-		reportResults:      reportResults,
-		regoK8sCredentials: store,
+	RegoK8sCredentials = store
+
+	return &OPAProcessorHandler{
+		processedPolicy: processedPolicy,
+		reportResults:   reportResults,
 	}
 }
 
-func (opap *OPAProcessor) ProcessRulesListenner() {
+func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
+
 	for {
-		// recover
-		defer func() {
-			if err := recover(); err != nil {
-				glog.Errorf("RECOVER in ProcessRulesListenner, reason: %v", err)
-			}
-		}()
-		opaSessionObj := <-*opap.processedPolicy
-		go func() {
-			if err := opap.ProcessRulesHandler(opaSessionObj); err != nil {
-				// opaSessionObj.Reporter.SendError(nil, true, true)
-			}
-			*opap.reportResults <- opaSessionObj
-		}()
+		opaSessionObj := <-*opaHandler.processedPolicy
+		opap := NewOPAProcessor(opaSessionObj)
+
+		// process
+		if err := opap.Process(); err != nil {
+			fmt.Println(err)
+		}
+
+		// edit results
+		opap.updateResults()
+
+		// update score
+		// opap.updateScore()
+
+		// report
+		*opaHandler.reportResults <- opaSessionObj
 	}
 }
 
-func (opap *OPAProcessor) ProcessRulesHandler(opaSessionObj *cautils.OPASessionObj) error {
+func (opap *OPAProcessor) Process() error {
+	// glog.Infof(fmt.Sprintf("Starting 'Process'. reportID: %s", opap.PostureReport.ReportID))
 	cautils.ProgressTextDisplay(fmt.Sprintf("Scanning cluster %s", cautils.ClusterName))
 	cautils.StartSpinner()
 	frameworkReports := []opapolicy.FrameworkReport{}
 	var errs error
-	for _, framework := range opaSessionObj.Frameworks {
-		frameworkReport := opapolicy.FrameworkReport{}
-		frameworkReport.Name = framework.Name
-		controlReports := []opapolicy.ControlReport{}
-		for _, control := range framework.Controls {
-			// cautils.SimpleDisplay(os.Stdout, fmt.Sprintf("\033[2K\r%s", control.Name))
-			controlReport := opapolicy.ControlReport{}
-			controlReport.Name = control.Name
-			controlReport.Description = control.Description
-			controlReport.Remediation = control.Remediation
-			ruleReports := []opapolicy.RuleReport{}
-			for _, rule := range control.Rules {
-				if ruleWithArmoOpaDependency(rule.Attributes) {
-					continue
-				}
-				k8sObjects := getKubernetesObjects(opaSessionObj.K8SResources, rule.Match)
-				ruleReport, err := opap.runOPAOnSingleRule(&rule, k8sObjects)
-				if err != nil {
-					ruleReport.RuleStatus.Status = "failure"
-					ruleReport.RuleStatus.Message = err.Error()
-					glog.Error(err)
-
-					errs = fmt.Errorf("%v\n%s", errs, err.Error())
-				} else {
-					ruleReport.RuleStatus.Status = "success"
-				}
-				ruleReport.ListInputResources = k8sObjects
-				ruleReport.ListInputKinds = listMatchKinds(rule.Match)
-				ruleReports = append(ruleReports, ruleReport)
-			}
-			controlReport.RuleReports = ruleReports
-			controlReports = append(controlReports, controlReport)
+	for i := range opap.Frameworks {
+		frameworkReport, err := opap.processFramework(&opap.Frameworks[i])
+		if err != nil {
+			errs = fmt.Errorf("%v\n%s", errs, err.Error())
 		}
-		frameworkReport.ControlReports = controlReports
-		frameworkReports = append(frameworkReports, frameworkReport)
+		frameworkReports = append(frameworkReports, *frameworkReport)
 	}
 
-	opaSessionObj.PostureReport.FrameworkReports = frameworkReports
-	opaSessionObj.PostureReport.ReportGenerationTime = time.Now().UTC()
+	opap.PostureReport.FrameworkReports = frameworkReports
+	opap.PostureReport.ReportID = uuid.NewV4().String()
+	opap.PostureReport.ReportGenerationTime = time.Now().UTC()
+	// glog.Infof(fmt.Sprintf("Done 'Process'. reportID: %s", opap.PostureReport.ReportID))
 	cautils.StopSpinner()
 	cautils.SuccessTextDisplay(fmt.Sprintf("Done scanning cluster %s", cautils.ClusterName))
 	return errs
 }
 
+func (opap *OPAProcessor) processFramework(framework *opapolicy.Framework) (*opapolicy.FrameworkReport, error) {
+	var errs error
+
+	frameworkReport := opapolicy.FrameworkReport{}
+	frameworkReport.Name = framework.Name
+
+	controlReports := []opapolicy.ControlReport{}
+	for i := range framework.Controls {
+		controlReport, err := opap.processControl(&framework.Controls[i])
+		if err != nil {
+			errs = fmt.Errorf("%v\n%s", errs, err.Error())
+		}
+		if controlReport != nil {
+			controlReports = append(controlReports, *controlReport)
+		}
+	}
+	frameworkReport.ControlReports = controlReports
+	return &frameworkReport, errs
+}
+
+func (opap *OPAProcessor) processControl(control *opapolicy.Control) (*opapolicy.ControlReport, error) {
+	var errs error
+
+	controlReport := opapolicy.ControlReport{}
+	controlReport.PortalBase = control.PortalBase
+	controlReport.ControlID = control.ControlID
+	controlReport.Control_ID = control.Control_ID // TODO: delete when 'id' is deprecated
+
+	controlReport.Name = control.Name
+	controlReport.Description = control.Description
+	controlReport.Remediation = control.Remediation
+
+	ruleReports := []opapolicy.RuleReport{}
+	for i := range control.Rules {
+		ruleReport, err := opap.processRule(&control.Rules[i])
+		if err != nil {
+			errs = fmt.Errorf("%v\n%s", errs, err.Error())
+		}
+		if ruleReport != nil {
+			ruleReports = append(ruleReports, *ruleReport)
+		}
+	}
+	if len(ruleReports) == 0 {
+		return nil, nil
+	}
+	controlReport.RuleReports = ruleReports
+	return &controlReport, errs
+}
+
+func (opap *OPAProcessor) processRule(rule *opapolicy.PolicyRule) (*opapolicy.RuleReport, error) {
+	if ruleWithArmoOpaDependency(rule.Attributes) {
+		return nil, nil
+	}
+	k8sObjects := getKubernetesObjects(opap.K8SResources, rule.Match)
+	ruleReport, err := opap.runOPAOnSingleRule(rule, k8sObjects)
+	if err != nil {
+		ruleReport.RuleStatus.Status = "failure"
+		ruleReport.RuleStatus.Message = err.Error()
+		glog.Error(err)
+	} else {
+		ruleReport.RuleStatus.Status = "success"
+	}
+	ruleReport.ListInputResources = k8sObjects
+	return &ruleReport, err
+}
+
 func (opap *OPAProcessor) runOPAOnSingleRule(rule *opapolicy.PolicyRule, k8sObjects []map[string]interface{}) (opapolicy.RuleReport, error) {
 	switch rule.RuleLanguage {
 	case opapolicy.RegoLanguage, opapolicy.RegoLanguage2:
@@ -147,18 +208,52 @@ func (opap *OPAProcessor) regoEval(inputObj []map[string]interface{}, compiledRe
 		rego.Query("data.armo_builtins"), // get package name from rule
 		rego.Compiler(compiledRego),
 		rego.Input(inputObj),
-		rego.Store(opap.regoK8sCredentials),
+		rego.Store(RegoK8sCredentials),
 	)
 
 	// Run evaluation
 	resultSet, err := rego.Eval(context.Background())
 	if err != nil {
-		return nil, fmt.Errorf("In 'regoEval', failed to evaluate rule, reason: %s", err.Error())
+		return nil, fmt.Errorf("in 'regoEval', failed to evaluate rule, reason: %s", err.Error())
 	}
-	results, err := opapolicy.ParseRegoResult(&resultSet)
+	results, err := parseRegoResult(&resultSet)
+
+	// results, err := ParseRegoResult(&resultSet)
 	if err != nil {
 		return results, err
 	}
 
 	return results, nil
 }
+
+func (opap *OPAProcessor) updateScore() {
+
+	if !k8sinterface.ConnectedToCluster {
+		return
+	}
+
+	// calculate score
+	s := score.NewScore(k8sinterface.NewKubernetesApi(), ScoreConfigPath)
+	s.Calculate(opap.PostureReport.FrameworkReports)
+}
+
+func (opap *OPAProcessor) updateResults() {
+	for f, frameworkReport := range opap.PostureReport.FrameworkReports {
+		sumFailed := 0
+		sumTotal := 0
+		for c, controlReport := range opap.PostureReport.FrameworkReports[f].ControlReports {
+			for r, ruleReport := range opap.PostureReport.FrameworkReports[f].ControlReports[c].RuleReports {
+				// editing the responses -> removing duplications, clearing secret data, etc.
+				opap.PostureReport.FrameworkReports[f].ControlReports[c].RuleReports[r].RuleResponses = editRuleResponses(ruleReport.RuleResponses)
+
+				// adding exceptions to the rules
+				ruleExceptions := exceptions.ListRuleExceptions(opap.Exceptions, frameworkReport.Name, controlReport.Name, ruleReport.Name)
+				exceptions.AddExceptionsToRuleResponses(opap.PostureReport.FrameworkReports[f].ControlReports[c].RuleReports[r].RuleResponses, ruleExceptions)
+			}
+			sumFailed += controlReport.GetNumberOfFailedResources()
+			sumTotal += controlReport.GetNumberOfResources()
+			opap.PostureReport.FrameworkReports[f].ControlReports[c].Score = float32(percentage(controlReport.GetNumberOfResources(), controlReport.GetNumberOfFailedResources()))
+		}
+		opap.PostureReport.FrameworkReports[f].Score = float32(percentage(sumTotal, sumTotal-sumFailed))
+	}
+}

opaprocessor/processorhandler_test.go

@@ -1,44 +1,21 @@
 package opaprocessor
 
 import (
-	"context"
-	"encoding/json"
-	"os"
-	"path"
-	"strings"
 	"testing"
 
 	"github.com/armosec/kubescape/cautils"
 
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 	// _ "k8s.io/client-go/plugin/pkg/client/auth"
-	restclient "k8s.io/client-go/rest"
 
 	"github.com/armosec/kubescape/cautils/opapolicy"
-	"github.com/armosec/kubescape/cautils/opapolicy/resources"
-
-	"github.com/open-policy-agent/opa/ast"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/client-go/dynamic"
 )
 
 func NewOPAProcessorMock() *OPAProcessor {
-	c := make(chan *cautils.OPASessionObj)
-
-	deps := resources.NewRegoDependenciesDataMock()
-	storage, err := deps.TOStorage()
-	if err != nil {
-		panic(err)
-	}
-	return &OPAProcessor{
-		processedPolicy:    &c,
-		reportResults:      &c,
-		regoK8sCredentials: storage,
-	}
+	return &OPAProcessor{}
 }
-func TestProcessRulesHandler(t *testing.T) {
+func TestProcess(t *testing.T) {
+
 	// set k8s
 	k8sResources := make(cautils.K8SResources)
 	k8sResources["/v1/pods"] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items)
@@ -47,149 +24,21 @@ func TestProcessRulesHandler(t *testing.T) {
 	opaSessionObj := cautils.NewOPASessionObjMock()
 	opaSessionObj.Frameworks = []opapolicy.Framework{*opapolicy.MockFrameworkA()}
 	opaSessionObj.K8SResources = &k8sResources
-	k8sinterface.K8SConfig = &restclient.Config{}
 
-	// run test
-	processor := NewOPAProcessorMock()
-	if err := processor.ProcessRulesHandler(opaSessionObj); err != nil {
-		t.Errorf("%v", err)
-	}
-	// bla, _ := json.Marshal(opaSessionObj.PostureReport)
-	// t.Errorf("%v", string(bla))
-}
-
-func TestRunRegoOnK8s(t *testing.T) {
-	// set k8s
-	k8sResources := make(cautils.K8SResources)
-	// k8sResources["/v1/pods"] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items)
-	k8sResources["/v1/pods"] = k8sinterface.V1KubeSystemNamespaceMock().Items
-
-	k8sinterface.K8SConfig = &restclient.Config{}
-
-	// run test
-	processor := NewOPAProcessorMock()
-	report, err := processor.runRegoOnK8s(opapolicy.MockRuleA(), []map[string]interface{}{k8sResources})
-	if err != nil {
-		t.Errorf("%v", err)
-	}
-	if len(report.RuleResponses) == 0 {
-		t.Errorf("len(report.RuleResponses) == 0")
-	}
-}
-
-func TestCompromisedRegistries(t *testing.T) {
-	// set k8s
-	k8sResources := make(cautils.K8SResources)
-	// k8sResources["/v1/pods"] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items)
-	k8sResources["/v1/pods"] = k8sinterface.V1AllClusterWithCompromisedRegistriesMock().Items
-	wd, _ := os.Getwd()
-	baseDirName := "kubescape"
-	idx := strings.Index(wd, baseDirName)
-	wd = wd[0:idx]
-	resources.RegoDependenciesPath = path.Join(wd, "/kubescape/vendor/asterix.cyberarmor.io/cyberarmor/capacketsgo/opapolicy/resources/rego/dependencies")
-	k8sinterface.K8SConfig = &restclient.Config{}
-
-	opaProcessor := NewOPAProcessorMock()
-
-	// run test
-	reportB, errB := opaProcessor.runRegoOnK8s(opapolicy.MockRuleUntrustedRegistries(), []map[string]interface{}{k8sResources})
-	if errB != nil {
-		t.Errorf("%v", errB)
-	}
-	if len(reportB.RuleResponses) == 0 {
-		t.Errorf("len(report.RuleResponses) == 0")
-		return
-	}
-	// bla, _ := json.Marshal(reportB.RuleResponses[0])
-	// t.Errorf("%s", bla)
-}
-
-// func TestForLior(t *testing.T) {
-// 	// set k8s
-// 	k8sResources := make(cautils.K8SResources)
-// 	// k8sResources["/v1/pods"] = k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.V1KubeSystemNamespaceMock().Items)
-// 	k8sResources["/v1/pods"] = k8sinterface.V1KubeSystemNamespaceMock().Items
-// 	resources.RegoDependenciesPath = "/home/david/go/src/kubescape/vendor/asterix.cyberarmor.io/cyberarmor/capacketsgo/opapolicy/resources/rego/dependencies"
-// 	opaProcessor := NewOPAProcessorMock()
-
-// 	// set opaSessionObj
-// 	opaSessionObj := cautils.NewOPASessionObjMock()
-// 	opaSessionObj.K8SResources = &k8sResources
-
-// 	opaSessionObj.Frameworks = []opapolicy.Framework{*opapolicy.MockFrameworkA()}
-// 	opaSessionObj.Frameworks[0].Controls[0].Rules[0] = *opapolicy.MockRuleB()
-
-// 	// run test
-// 	reportB, errB := opaProcessor.runRegoOnK8s(opapolicy.MockRuleB(), opaSessionObj)
-// 	if errB != nil {
-// 		t.Errorf("%v", errB)
-// 		return
-// 	}
-// 	if len(reportB.RuleResponses) == 0 {
-// 		t.Errorf("len(report.RuleResponses) == 0")
-// 		return
-// 	}
-// 	bla, _ := json.Marshal(reportB.RuleResponses[0])
-// 	t.Errorf("%s", bla)
-// }
-
-func TestNewRego(t *testing.T) {
-	// TODO - remove before testing
-	return
-
-	// k8sConfig := k8sinterface.GetK8sConfig()
-
-	// t.Errorf(fmt.Sprintf("%v", k8sConfig.String()))
-	// t.Errorf(fmt.Sprintf("%v", k8sConfig.AuthProvider.Config))
-	// return
-
-	ruleName := "some rule"
-	rule := opapolicy.MockTemp()
-	allResources := []schema.GroupVersionResource{
-		{Group: "api-versions", Version: "", Resource: ""},
-	}
-	namespace := ""
-	k8sinterface.K8SConfig = nil
-
-	// compile modules
-	modules, err := getRuleDependencies()
-	if err != nil {
-		t.Errorf("err: %v", err)
-		return
-	}
-	modules[ruleName] = rule
-	compiled, err := ast.CompileModules(modules)
-	if err != nil {
-		t.Errorf("err: %v", err)
-		return
-	}
-	opaProcessor := NewOPAProcessorMock()
-	k8s := k8sinterface.NewKubernetesApi()
-
-	// set dynamic object
-	var clientResource dynamic.ResourceInterface
-	recourceList := []unstructured.Unstructured{}
-	for i := range allResources {
-		if namespace != "" {
-			clientResource = k8s.DynamicClient.Resource(allResources[i]).Namespace(namespace)
-		} else {
-			clientResource = k8s.DynamicClient.Resource(allResources[i])
+	opap := NewOPAProcessor(opaSessionObj)
+	opap.Process()
+	opap.updateResults()
+	for _, f := range opap.PostureReport.FrameworkReports {
+		for _, c := range f.ControlReports {
+			for _, r := range c.RuleReports {
+				for _, rr := range r.RuleResponses {
+					// t.Errorf("AlertMessage: %v", rr.AlertMessage)
+					if rr.Exception != nil {
+						t.Errorf("Exception: %v", rr.Exception)
+					}
+				}
+			}
 		}
-		l, err := clientResource.List(context.Background(), metav1.ListOptions{})
-		if err != nil {
-			t.Errorf("err: %v", err)
-			return
-		}
-		recourceList = append(recourceList, l.Items...)
 	}
-	inputObj := k8sinterface.ConvertUnstructuredSliceToMap(k8sinterface.FilterOutOwneredResources(recourceList))
-	// inputObj := k8sinterface.ConvertUnstructuredSliceToMap(l.Items)
-	result, err := opaProcessor.regoEval(inputObj, compiled)
-	if err != nil {
-		t.Errorf("%v", err)
-		return
-	}
-	resb, _ := json.Marshal(result)
-	t.Errorf("result: %s", resb)
 
 }

opaprocessor/processorhandlerutils.go

@@ -1,12 +1,17 @@
 package opaprocessor
 
 import (
-	"github.com/armosec/kubescape/cautils"
+	"encoding/json"
+	"fmt"
 
 	pkgcautils "github.com/armosec/kubescape/cautils/cautils"
+
+	"github.com/armosec/kubescape/cautils"
+
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 	"github.com/armosec/kubescape/cautils/opapolicy"
 	resources "github.com/armosec/kubescape/cautils/opapolicy/resources"
+	"github.com/open-policy-agent/opa/rego"
 
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -49,6 +54,74 @@ func getRuleDependencies() (map[string]string, error) {
 	}
 	return modules, nil
 }
+func parseRegoResult(regoResult *rego.ResultSet) ([]opapolicy.RuleResponse, error) {
+	var errs error
+	ruleResponses := []opapolicy.RuleResponse{}
+	for _, result := range *regoResult {
+		for desicionIdx := range result.Expressions {
+			if resMap, ok := result.Expressions[desicionIdx].Value.(map[string]interface{}); ok {
+				for objName := range resMap {
+					jsonBytes, err := json.Marshal(resMap[objName])
+					if err != nil {
+						err = fmt.Errorf("in parseRegoResult, json.Marshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
+						glog.Error(err)
+						errs = fmt.Errorf("%s\n%s", errs, err)
+						continue
+					}
+					desObj := make([]opapolicy.RuleResponse, 0)
+					if err := json.Unmarshal(jsonBytes, &desObj); err != nil {
+						err = fmt.Errorf("in parseRegoResult, json.Unmarshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
+						glog.Error(err)
+						errs = fmt.Errorf("%s\n%s", errs, err)
+						continue
+					}
+					ruleResponses = append(ruleResponses, desObj...)
+				}
+			}
+		}
+	}
+	return ruleResponses, errs
+}
+
+//editRuleResponses editing the responses -> removing duplications, clearing secret data, etc.
+func editRuleResponses(ruleResponses []opapolicy.RuleResponse) []opapolicy.RuleResponse {
+	uniqueRuleResponses := map[string]bool{}
+	lenRuleResponses := len(ruleResponses)
+	for i := 0; i < lenRuleResponses; i++ {
+		for j := range ruleResponses[i].AlertObject.K8SApiObjects {
+			w := k8sinterface.NewWorkloadObj(ruleResponses[i].AlertObject.K8SApiObjects[j])
+			if w == nil {
+				continue
+			}
+			resourceID := fmt.Sprintf("%s/%s/%s/%s", w.GetApiVersion(), w.GetNamespace(), w.GetKind(), w.GetName())
+			if found := uniqueRuleResponses[resourceID]; found {
+				// resource found -> remove from slice
+				ruleResponses = removeFromSlice(ruleResponses, i)
+				lenRuleResponses -= 1
+				i -= 1
+				break
+			} else {
+				cleanRuleResponses(w)
+				ruleResponses[i].AlertObject.K8SApiObjects[j] = w.GetWorkload()
+				uniqueRuleResponses[resourceID] = true
+			}
+		}
+	}
+	return ruleResponses
+}
+func cleanRuleResponses(workload k8sinterface.IWorkload) {
+	if workload.GetKind() == "Secret" {
+		workload.RemoveSecretData()
+	}
+}
+
+func removeFromSlice(ruleResponses []opapolicy.RuleResponse, i int) []opapolicy.RuleResponse {
+	if i != len(ruleResponses)-1 {
+		ruleResponses[i] = ruleResponses[len(ruleResponses)-1]
+	}
+
+	return ruleResponses[:len(ruleResponses)-1]
+}
 
 func ruleWithArmoOpaDependency(annotations map[string]interface{}) bool {
 	if annotations == nil {
@@ -67,3 +140,13 @@ func listMatchKinds(match []opapolicy.RuleMatchObjects) []string {
 	}
 	return matchKinds
 }
+
+func percentage(big, small int) int {
+	if big == 0 {
+		if small == 0 {
+			return 100
+		}
+		return 0
+	}
+	return int(float64(float64(big-small)/float64(big)) * 100)
+}

policyhandler/filesloader.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -28,7 +27,7 @@ const (
 	JSON_FILE_FORMAT FileFormat = "json"
 )
 
-func (policyHandler *PolicyHandler) loadResources(frameworks []opapolicy.Framework, scanInfo *opapolicy.ScanInfo) (*cautils.K8SResources, error) {
+func (policyHandler *PolicyHandler) loadResources(frameworks []opapolicy.Framework, scanInfo *cautils.ScanInfo) (*cautils.K8SResources, error) {
 	workloads := []k8sinterface.IWorkload{}
 
 	// load resource from local file system
@@ -131,7 +130,7 @@ func loadFiles(filePaths []string) ([]k8sinterface.IWorkload, []error) {
 }
 
 func loadFile(filePath string) ([]byte, error) {
-	return ioutil.ReadFile(filePath)
+	return os.ReadFile(filePath)
 }
 func readFile(fileContent []byte, fileFromat FileFormat) ([]k8sinterface.IWorkload, []error) {
 

policyhandler/filesloader_test.go

@@ -6,29 +6,20 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
-
-	"github.com/armosec/kubescape/cautils"
 )
 
-func combine(base, rel string) string {
-	finalPath := []string{}
-	sBase := strings.Split(base, "/")
-	sRel := strings.Split(rel, "/")
-	for i := range sBase {
-		if cautils.StringInSlice(sRel, sBase[i]) != cautils.ValueNotFound {
-			finalPath = append(finalPath, sRel...)
-			break
-		}
-		finalPath = append(finalPath, sBase[i])
-	}
-	return fmt.Sprintf("/%s", filepath.Join(finalPath...))
-}
 func onlineBoutiquePath() string {
 	o, _ := os.Getwd()
-	return combine(o, "github.com/armosec/kubescape/examples/online-boutique/*")
+	return filepath.Join(filepath.Dir(o), "examples/online-boutique/*")
 }
+
 func TestListFiles(t *testing.T) {
-	files, errs := listFiles([]string{onlineBoutiquePath()})
+	workDir, err := os.Getwd()
+	fmt.Printf("\n------------------\n%s,%v\n--------------\n", workDir, err)
+	filesPath := onlineBoutiquePath()
+	fmt.Printf("\n------------------\n%s\n--------------\n", filesPath)
+
+	files, errs := listFiles([]string{filesPath})
 	if len(errs) > 0 {
 		t.Error(errs)
 	}
@@ -44,15 +35,15 @@ func TestLoadFiles(t *testing.T) {
 }
 
 func TestLoadFile(t *testing.T) {
-	files, _ := listFiles([]string{strings.Replace(onlineBoutiquePath(), "*", "bi-monitor.yaml", 1)})
+	files, _ := listFiles([]string{strings.Replace(onlineBoutiquePath(), "*", "adservice.yaml", 1)})
 	_, err := loadFile(files[0])
 	if err != nil {
 		t.Errorf("%v", err)
 	}
 }
 func TestLoadResources(t *testing.T) {
-
-	// k8sResources, err = policyHandler.loadResources(opaSessionObj.Frameworks, scanInfo)
+	// policyHandler := &PolicyHandler{}
+	// k8sResources, err := policyHandler.loadResources(opaSessionObj.Frameworks, scanInfo)
 	// files, _ := listFiles([]string{onlineBoutiquePath()})
 	// bb, err := loadFile(files[0])
 	// if len(err) > 0 {

policyhandler/handlenotification.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/armosec/kubescape/cautils"
 
+	"github.com/armosec/kubescape/cautils/armotypes"
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 
 	"github.com/armosec/kubescape/cautils/opapolicy"
@@ -15,6 +16,7 @@ type PolicyHandler struct {
 	k8s *k8sinterface.KubernetesApi
 	// we are listening on this chan in opaprocessor/processorhandler.go/ProcessRulesListenner func
 	processPolicy *chan *cautils.OPASessionObj
+	getters       *cautils.Getters
 }
 
 // CreatePolicyHandler Create ws-handler obj
@@ -25,13 +27,14 @@ func NewPolicyHandler(processPolicy *chan *cautils.OPASessionObj, k8s *k8sinterf
 	}
 }
 
-func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *opapolicy.PolicyNotification, scanInfo *opapolicy.ScanInfo) error {
+func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *opapolicy.PolicyNotification, scanInfo *cautils.ScanInfo) error {
 	opaSessionObj := cautils.NewOPASessionObj(nil, nil)
 	// validate notification
 	// TODO
+	policyHandler.getters = &scanInfo.Getters
 
 	// get policies
-	frameworks, err := policyHandler.getPolicies(notification)
+	frameworks, exceptions, err := policyHandler.getPolicies(notification)
 	if err != nil {
 		return err
 	}
@@ -39,6 +42,7 @@ func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *opap
 		return fmt.Errorf("empty list of frameworks")
 	}
 	opaSessionObj.Frameworks = frameworks
+	opaSessionObj.Exceptions = exceptions
 
 	k8sResources, err := policyHandler.getResources(notification, opaSessionObj, scanInfo)
 	if err != nil {
@@ -54,33 +58,31 @@ func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *opap
 	return nil
 }
 
-func (policyHandler *PolicyHandler) getPolicies(notification *opapolicy.PolicyNotification) ([]opapolicy.Framework, error) {
+func (policyHandler *PolicyHandler) getPolicies(notification *opapolicy.PolicyNotification) ([]opapolicy.Framework, []armotypes.PostureExceptionPolicy, error) {
 
-	cautils.ProgressTextDisplay("Downloading framework definitions")
+	cautils.ProgressTextDisplay("Downloading/Loading framework definitions")
 
-	// TODO - support load policies from local file
-	frameworks, err := policyHandler.GetPoliciesFromBackend(notification)
+	frameworks, exceptions, err := policyHandler.GetPoliciesFromBackend(notification)
 	if err != nil {
-		return frameworks, err
+		return frameworks, exceptions, err
 	}
 
 	if len(frameworks) == 0 {
 		err := fmt.Errorf("could not download any policies, please check previous logs")
-		return frameworks, err
+		return frameworks, exceptions, err
 	}
-	cautils.SuccessTextDisplay("Downloaded framework")
+	cautils.SuccessTextDisplay("Downloaded/Loaded framework")
 
-	return frameworks, nil
+	return frameworks, exceptions, nil
 }
 
-func (policyHandler *PolicyHandler) getResources(notification *opapolicy.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *opapolicy.ScanInfo) (*cautils.K8SResources, error) {
+func (policyHandler *PolicyHandler) getResources(notification *opapolicy.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) (*cautils.K8SResources, error) {
 	var k8sResources *cautils.K8SResources
 	var err error
-	if len(scanInfo.InputPatterns) > 0 {
-		k8sResources, err = policyHandler.loadResources(opaSessionObj.Frameworks, scanInfo)
-	} else {
+	if k8sinterface.ConnectedToCluster {
 		k8sResources, err = policyHandler.getK8sResources(opaSessionObj.Frameworks, &notification.Designators, scanInfo.ExcludedNamespaces)
-
+	} else {
+		k8sResources, err = policyHandler.loadResources(opaSessionObj.Frameworks, scanInfo)
 	}
 
 	return k8sResources, err

policyhandler/handlepullpolicies.go

@@ -1,152 +1,54 @@
 package policyhandler
 
 import (
-	"encoding/json"
 	"fmt"
-	"io"
-	"net/http"
-	"net/url"
 	"strings"
 
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/armotypes"
 	"github.com/armosec/kubescape/cautils/opapolicy"
 )
 
-// URLEncoder encode url
-func URLEncoder(oldURL string) string {
-	fullURL := strings.Split(oldURL, "?")
-	baseURL, err := url.Parse(fullURL[0])
-	if err != nil {
-		return ""
-	}
-
-	// Prepare Query Parameters
-	if len(fullURL) > 1 {
-		params := url.Values{}
-		queryParams := strings.Split(fullURL[1], "&")
-		for _, i := range queryParams {
-			queryParam := strings.Split(i, "=")
-			val := ""
-			if len(queryParam) > 1 {
-				val = queryParam[1]
-			}
-			params.Add(queryParam[0], val)
-		}
-		baseURL.RawQuery = params.Encode()
-	}
-
-	return baseURL.String()
-}
-
-type IArmoAPI interface {
-	OPAFRAMEWORKGet(string) ([]opapolicy.Framework, error)
-}
-
-type ArmoAPI struct {
-	httpClient *http.Client
-	hostURL    string
-}
-
-func NewArmoAPI() *ArmoAPI {
-	return &ArmoAPI{
-		httpClient: &http.Client{},
-		hostURL:    "https://dashbe.eustage2.cyberarmorsoft.com",
-	}
-}
-func (db *ArmoAPI) GetServerAddress() string {
-	return db.hostURL
-}
-func (db *ArmoAPI) GetHttpClient() *http.Client {
-	return db.httpClient
-}
-func (db *ArmoAPI) OPAFRAMEWORKGet(name string) ([]opapolicy.Framework, error) {
-	requestURI := "v1/armoFrameworks"
-	requestURI += fmt.Sprintf("?customerGUID=%s", "11111111-1111-1111-1111-111111111111")
-	requestURI += fmt.Sprintf("&frameworkName=%s", strings.ToUpper(name))
-	requestURI += "&getRules=true"
-
-	fullURL := URLEncoder(fmt.Sprintf("%s/%s", db.GetServerAddress(), requestURI))
-	frameworkList := []opapolicy.Framework{}
-
-	req, err := http.NewRequest("GET", fullURL, nil)
-	if err != nil {
-		return frameworkList, err
-	}
-	c := http.Client{}
-	resp, err := c.Do(req)
-	if err != nil {
-		return frameworkList, err
-	}
-	respStr, err := HTTPRespToString(resp)
-	if err != nil {
-		return frameworkList, err
-	}
-	if name != "" {
-		frameworkSingle := opapolicy.Framework{}
-		err = JSONDecoder(respStr).Decode(&frameworkSingle)
-		frameworkList = append(frameworkList, frameworkSingle)
-	} else {
-		err = JSONDecoder(respStr).Decode(&frameworkList)
-	}
-	return frameworkList, err
-}
-
-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *json.Decoder {
-	dec := json.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-	return dec
-}
-
-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
-func HTTPRespToString(resp *http.Response) (string, error) {
-	if resp == nil || resp.Body == nil {
-		return "", nil
-	}
-	strBuilder := strings.Builder{}
-	defer resp.Body.Close()
-	if resp.ContentLength > 0 {
-		strBuilder.Grow(int(resp.ContentLength))
-	}
-	bytesNum, err := io.Copy(&strBuilder, resp.Body)
-	respStr := strBuilder.String()
-	if err != nil {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-
-	return respStr, err
-}
-
-func (policyHandler *PolicyHandler) GetPoliciesFromBackend(notification *opapolicy.PolicyNotification) ([]opapolicy.Framework, error) {
+func (policyHandler *PolicyHandler) GetPoliciesFromBackend(notification *opapolicy.PolicyNotification) ([]opapolicy.Framework, []armotypes.PostureExceptionPolicy, error) {
 	var errs error
-	d := NewArmoAPI()
 	frameworks := []opapolicy.Framework{}
+	exceptionPolicies := []armotypes.PostureExceptionPolicy{}
+
 	// Get - cacli opa get
 	for _, rule := range notification.Rules {
 		switch rule.Kind {
 		case opapolicy.KindFramework:
-			// backend
-			receivedFrameworks, err := d.OPAFRAMEWORKGet(rule.Name)
-			if err != nil {
-				errs = fmt.Errorf("Could not download framework, please check if this framework exists")
+			receivedFramework, recExceptionPolicies, err := policyHandler.getFrameworkPolicies(rule.Name)
+			if receivedFramework != nil {
+				frameworks = append(frameworks, *receivedFramework)
+				if recExceptionPolicies != nil {
+					exceptionPolicies = append(exceptionPolicies, recExceptionPolicies...)
+				}
+			} else if err != nil {
+				if strings.Contains(err.Error(), "unsupported protocol scheme") {
+					err = fmt.Errorf("failed to download from GitHub release, try running with `--use-default` flag")
+				}
+				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
 			}
-			frameworks = append(frameworks, receivedFrameworks...)
 
 		default:
-			err := fmt.Errorf("Missing rule kind, expected: %s", opapolicy.KindFramework)
+			err := fmt.Errorf("missing rule kind, expected: %s", opapolicy.KindFramework)
 			errs = fmt.Errorf("%s", err.Error())
-
 		}
 	}
-	return frameworks, errs
+	return frameworks, exceptionPolicies, errs
+}
+
+func (policyHandler *PolicyHandler) getFrameworkPolicies(policyName string) (*opapolicy.Framework, []armotypes.PostureExceptionPolicy, error) {
+	receivedFramework, err := policyHandler.getters.PolicyGetter.GetFramework(policyName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	receivedException, err := policyHandler.getters.ExceptionsGetter.GetExceptions(cautils.CustomerGUID, cautils.ClusterName)
+	if err != nil {
+		return receivedFramework, nil, err
+	}
+
+	return receivedFramework, receivedException, nil
 }

policyhandler/k8sresources.go

@@ -65,11 +65,8 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 
 	// set labels
 	listOptions := metav1.ListOptions{}
-	if excludedNamespaces != "" && k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
-		excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
-		for _, excludedNamespace := range excludedNamespacesSlice {
-			listOptions.FieldSelector += "metadata.namespace!=" + excludedNamespace + ","
-		}
+	if excludedNamespaces != "" {
+		setFieldSelector(&listOptions, resource, excludedNamespaces)
 	}
 	if len(labels) > 0 {
 		set := k8slabels.Set(labels)
@@ -93,3 +90,18 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 	return result.Items, nil
 
 }
+
+func setFieldSelector(listOptions *metav1.ListOptions, resource *schema.GroupVersionResource, excludedNamespaces string) {
+	fieldSelector := "metadata."
+	if resource.Resource == "namespaces" {
+		fieldSelector += "name"
+	} else if k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
+		fieldSelector += "namespace"
+	} else {
+		return
+	}
+	excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
+	for _, excludedNamespace := range excludedNamespacesSlice {
+		listOptions.FieldSelector += fmt.Sprintf("%s!=%s,", fieldSelector, excludedNamespace)
+	}
+}

resultshandling/printer/printresults.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/armosec/kubescape/cautils"
 
-	"github.com/armosec/kubescape/cautils/k8sinterface"
 	"github.com/armosec/kubescape/cautils/opapolicy"
 
 	"github.com/enescakir/emoji"
@@ -27,58 +26,69 @@ const (
 )
 
 type Printer struct {
-	opaSessionObj      *chan *cautils.OPASessionObj
 	writer             *os.File
 	summary            Summary
 	sortedControlNames []string
 	printerType        string
 }
 
-func NewPrinter(opaSessionObj *chan *cautils.OPASessionObj, printerType, outputFile string) *Printer {
+func NewPrinter(printerType, outputFile string) *Printer {
 	return &Printer{
-		opaSessionObj: opaSessionObj,
-		summary:       NewSummary(),
-		printerType:   printerType,
-		writer:        getWriter(outputFile),
+		summary:     NewSummary(),
+		writer:      getWriter(outputFile),
+		printerType: printerType,
 	}
 }
 
-func (printer *Printer) ActionPrint() {
-
-	for {
-		opaSessionObj := <-*printer.opaSessionObj
-		if printer.printerType == PrettyPrinter {
-			printer.SummarySetup(opaSessionObj.PostureReport)
-			printer.PrintResults()
-			printer.PrintSummaryTable()
-		} else if printer.printerType == JsonPrinter {
-			postureReportStr, err := json.Marshal(opaSessionObj.PostureReport.FrameworkReports[0])
-			if err != nil {
-				fmt.Println("Failed to convert posture report object!")
-				os.Exit(1)
-			}
-			printer.writer.Write(postureReportStr)
-		} else if printer.printerType == JunitResultPrinter {
-			junitResult, err := convertPostureReportToJunitResult(opaSessionObj.PostureReport)
-			if err != nil {
-				fmt.Println("Failed to convert posture report object!")
-				os.Exit(1)
-			}
-			postureReportStr, err := xml.Marshal(junitResult)
-			if err != nil {
-				fmt.Println("Failed to convert posture report object!")
-				os.Exit(1)
-			}
-			printer.writer.Write(postureReportStr)
-		} else if !cautils.IsSilent() {
-			fmt.Println("unknown output printer")
-			os.Exit(1)
-		}
-
-		if !k8sinterface.RunningIncluster {
-			break
+func calculatePostureScore(postureReport *opapolicy.PostureReport) float32 {
+	totalResources := 0
+	totalFailed := 0
+	for _, frameworkReport := range postureReport.FrameworkReports {
+		for _, controlReport := range frameworkReport.ControlReports {
+			totalFailed += controlReport.GetNumberOfFailedResources()
+			totalResources += controlReport.GetNumberOfResources()
 		}
 	}
+	if totalResources == 0 {
+		return float32(0)
+	}
+	return (float32(totalResources) - float32(totalFailed)) / float32(totalResources)
+}
+
+func (printer *Printer) ActionPrint(opaSessionObj *cautils.OPASessionObj) float32 {
+	var score float32
+
+	if printer.printerType == PrettyPrinter {
+		printer.SummarySetup(opaSessionObj.PostureReport)
+		printer.PrintResults()
+		printer.PrintSummaryTable()
+	} else if printer.printerType == JsonPrinter {
+		postureReportStr, err := json.Marshal(opaSessionObj.PostureReport.FrameworkReports[0])
+		if err != nil {
+			fmt.Println("Failed to convert posture report object!")
+			os.Exit(1)
+		}
+		printer.writer.Write(postureReportStr)
+	} else if printer.printerType == JunitResultPrinter {
+		junitResult, err := convertPostureReportToJunitResult(opaSessionObj.PostureReport)
+		if err != nil {
+			fmt.Println("Failed to convert posture report object!")
+			os.Exit(1)
+		}
+		postureReportStr, err := xml.Marshal(junitResult)
+		if err != nil {
+			fmt.Println("Failed to convert posture report object!")
+			os.Exit(1)
+		}
+		printer.writer.Write(postureReportStr)
+	} else if !cautils.IsSilent() {
+		fmt.Println("unknown output printer")
+		os.Exit(1)
+	}
+
+	score = calculatePostureScore(opaSessionObj.PostureReport)
+
+	return score
 }
 
 func (printer *Printer) SummarySetup(postureReport *opapolicy.PostureReport) {
@@ -92,7 +102,8 @@ func (printer *Printer) SummarySetup(postureReport *opapolicy.PostureReport) {
 
 			printer.summary[cr.Name] = ControlSummary{
 				TotalResources:  cr.GetNumberOfResources(),
-				TotalFailed:     len(workloadsSummary),
+				TotalFailed:     cr.GetNumberOfFailedResources(),
+				TotalWarnign:    cr.GetNumberOfWarningResources(),
 				WorkloadSummary: mapResources,
 				Description:     cr.Description,
 				Remediation:     cr.Remediation,
@@ -101,9 +112,7 @@ func (printer *Printer) SummarySetup(postureReport *opapolicy.PostureReport) {
 		}
 	}
 	printer.sortedControlNames = printer.getSortedControlsNames()
-
 }
-
 func (printer *Printer) PrintResults() {
 	for i := 0; i < len(printer.sortedControlNames); i++ {
 		controlSummary := printer.summary[printer.sortedControlNames[i]]
@@ -119,7 +128,8 @@ func (printer *Printer) PrintResults() {
 
 func (printer *Printer) printSummary(controlName string, controlSummary *ControlSummary) {
 	cautils.SimpleDisplay(printer.writer, "Summary - ")
-	cautils.SuccessDisplay(printer.writer, "Passed:%v   ", controlSummary.TotalResources-controlSummary.TotalFailed)
+	cautils.SuccessDisplay(printer.writer, "Passed:%v   ", controlSummary.TotalResources-controlSummary.TotalFailed-controlSummary.TotalWarnign)
+	cautils.WarningDisplay(printer.writer, "Excluded:%v   ", controlSummary.TotalWarnign)
 	cautils.FailureDisplay(printer.writer, "Failed:%v   ", controlSummary.TotalFailed)
 	cautils.InfoDisplay(printer.writer, "Total:%v\n", controlSummary.TotalResources)
 	if controlSummary.TotalFailed > 0 {
@@ -133,10 +143,12 @@ func (printer *Printer) printTitle(controlName string, controlSummary *ControlSu
 	cautils.InfoDisplay(printer.writer, "[control: %s] ", controlName)
 	if controlSummary.TotalResources == 0 && len(controlSummary.ListInputKinds) > 0 {
 		cautils.InfoDisplay(printer.writer, "resources not found %v\n", emoji.ConfusedFace)
-	} else if controlSummary.TotalFailed == 0 {
-		cautils.SuccessDisplay(printer.writer, "passed %v\n", emoji.ThumbsUp)
-	} else {
+	} else if controlSummary.TotalFailed != 0 {
 		cautils.FailureDisplay(printer.writer, "failed %v\n", emoji.SadButRelievedFace)
+	} else if controlSummary.TotalWarnign != 0 {
+		cautils.WarningDisplay(printer.writer, "excluded %v\n", emoji.NeutralFace)
+	} else {
+		cautils.SuccessDisplay(printer.writer, "passed %v\n", emoji.ThumbsUp)
 	}
 
 	cautils.DescriptionDisplay(printer.writer, "Description: %s\n", controlSummary.Description)
@@ -161,6 +173,10 @@ func (printer *Printer) printResult(controlName string, controlSummary *ControlS
 
 }
 
+func (printer *Printer) PrintUrl(url string) {
+	cautils.InfoTextDisplay(printer.writer, url)
+}
+
 func generateRow(control string, cs ControlSummary) []string {
 	row := []string{control}
 	row = append(row, cs.ToSlice()...)
@@ -173,7 +189,7 @@ func generateRow(control string, cs ControlSummary) []string {
 }
 
 func generateHeader() []string {
-	return []string{"Control Name", "Failed Resources", "All Resources", "% success"}
+	return []string{"Control Name", "Failed Resources", "Excluded Resources", "All Resources", "% success"}
 }
 
 func percentage(big, small int) int {
@@ -185,11 +201,12 @@ func percentage(big, small int) int {
 	}
 	return int(float64(float64(big-small)/float64(big)) * 100)
 }
-func generateFooter(numControlers, sumFailed, sumTotal int) []string {
+func generateFooter(numControlers, sumFailed, sumWarning, sumTotal int) []string {
 	// Control name | # failed resources | all resources | % success
 	row := []string{}
 	row = append(row, fmt.Sprintf("%d", numControlers))
 	row = append(row, fmt.Sprintf("%d", sumFailed))
+	row = append(row, fmt.Sprintf("%d", sumWarning))
 	row = append(row, fmt.Sprintf("%d", sumTotal))
 	if sumTotal != 0 {
 		row = append(row, fmt.Sprintf("%d%s", percentage(sumTotal, sumFailed), "%"))
@@ -206,14 +223,16 @@ func (printer *Printer) PrintSummaryTable() {
 	summaryTable.SetAlignment(tablewriter.ALIGN_LEFT)
 	sumTotal := 0
 	sumFailed := 0
+	sumWarning := 0
 
 	for i := 0; i < len(printer.sortedControlNames); i++ {
 		controlSummary := printer.summary[printer.sortedControlNames[i]]
 		summaryTable.Append(generateRow(printer.sortedControlNames[i], controlSummary))
 		sumFailed += controlSummary.TotalFailed
+		sumWarning += controlSummary.TotalWarnign
 		sumTotal += controlSummary.TotalResources
 	}
-	summaryTable.SetFooter(generateFooter(len(printer.summary), sumFailed, sumTotal))
+	summaryTable.SetFooter(generateFooter(len(printer.summary), sumFailed, sumWarning, sumTotal))
 	summaryTable.Render()
 }
 
@@ -227,7 +246,7 @@ func (printer *Printer) getSortedControlsNames() []string {
 }
 
 func getWriter(outputFile string) *os.File {
-
+	os.Remove(outputFile)
 	if outputFile != "" {
 		f, err := os.OpenFile(outputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 		if err != nil {

resultshandling/printer/summary.go

@@ -2,6 +2,8 @@ package printer
 
 import (
 	"fmt"
+
+	"github.com/armosec/kubescape/cautils/armotypes"
 )
 
 type Summary map[string]ControlSummary
@@ -13,6 +15,7 @@ func NewSummary() Summary {
 type ControlSummary struct {
 	TotalResources  int
 	TotalFailed     int
+	TotalWarnign    int
 	Description     string
 	Remediation     string
 	ListInputKinds  []string
@@ -24,11 +27,13 @@ type WorkloadSummary struct {
 	Name      string
 	Namespace string
 	Group     string
+	Exception *armotypes.PostureExceptionPolicy
 }
 
 func (controlSummary *ControlSummary) ToSlice() []string {
 	s := []string{}
 	s = append(s, fmt.Sprintf("%d", controlSummary.TotalFailed))
+	s = append(s, fmt.Sprintf("%d", controlSummary.TotalWarnign))
 	s = append(s, fmt.Sprintf("%d", controlSummary.TotalResources))
 	return s
 }

resultshandling/printer/summeryhelpers.go

@@ -34,6 +34,7 @@ func listResultSummary(ruleReports []opapolicy.RuleReport) []WorkloadSummary {
 
 			// add resource only once
 			for i := range resource {
+				resource[i].Exception = ruleReport.Exception
 				if ok := track[resource[i].ToString()]; !ok {
 					track[resource[i].ToString()] = true
 					workloadsSummary = append(workloadsSummary, resource[i])
@@ -51,6 +52,7 @@ func ruleResultSummary(obj opapolicy.AlertObject) ([]WorkloadSummary, error) {
 		if err != nil {
 			return resource, err
 		}
+
 		resource = append(resource, *r)
 	}
 

resultshandling/reporter/reporteventreceiver.go

@@ -0,0 +1,58 @@
+package reporter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+type ReportEventReceiver struct {
+	httpClient http.Client
+	host       url.URL
+}
+
+func NewReportEventReceiver() *ReportEventReceiver {
+	hostURL := initEventReceiverURL()
+	return &ReportEventReceiver{
+		httpClient: http.Client{},
+		host:       *hostURL,
+	}
+}
+
+func (report *ReportEventReceiver) ActionSendReportListenner(opaSessionObj *cautils.OPASessionObj) {
+	if cautils.CustomerGUID == "" {
+		return
+	}
+	//Add score
+	opaSessionObj.PostureReport.RemoveData()
+	if err := report.Send(opaSessionObj.PostureReport); err != nil {
+		fmt.Println(err)
+	}
+}
+func (report *ReportEventReceiver) Send(postureReport *opapolicy.PostureReport) error {
+
+	reqBody, err := json.Marshal(*postureReport)
+	if err != nil {
+		return fmt.Errorf("in 'Send' failed to json.Marshal, reason: %v", err)
+	}
+	host := hostToString(&report.host, postureReport.ReportID)
+
+	req, err := http.NewRequest("POST", host, bytes.NewReader(reqBody))
+	if err != nil {
+		return fmt.Errorf("in 'Send', http.NewRequest failed, host: %s, reason: %v", host, err)
+	}
+	res, err := report.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("httpClient.Do failed: %v", err)
+	}
+	msg, err := httpRespToString(res)
+	if err != nil {
+		return fmt.Errorf("%s, %v:%s", host, err, msg)
+	}
+	return err
+}

resultshandling/reporter/reporteventreceiverutils.go

@@ -0,0 +1,56 @@
+package reporter
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/gofrs/uuid"
+)
+
+// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
+func httpRespToString(resp *http.Response) (string, error) {
+	if resp == nil || resp.Body == nil {
+		return "", nil
+	}
+	strBuilder := strings.Builder{}
+	defer resp.Body.Close()
+	if resp.ContentLength > 0 {
+		strBuilder.Grow(int(resp.ContentLength))
+	}
+	_, err := io.Copy(&strBuilder, resp.Body)
+	if err != nil {
+		return strBuilder.String(), err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		err = fmt.Errorf("response status: %d. Content: %s", resp.StatusCode, strBuilder.String())
+	}
+
+	return strBuilder.String(), err
+}
+
+func initEventReceiverURL() *url.URL {
+	urlObj := url.URL{}
+
+	urlObj.Scheme = "https"
+	urlObj.Host = getter.GetArmoAPIConnector().GetReportReceiverURL()
+	urlObj.Path = "/k8s/postureReport"
+	q := urlObj.Query()
+	q.Add("customerGUID", uuid.FromStringOrNil(cautils.CustomerGUID).String())
+	q.Add("clusterName", cautils.ClusterName)
+
+	urlObj.RawQuery = q.Encode()
+
+	return &urlObj
+}
+
+func hostToString(host *url.URL, reportID string) string {
+	q := host.Query()
+	q.Add("reportID", reportID) // TODO - do we add the reportID?
+	host.RawQuery = q.Encode()
+	return host.String()
+}

resultshandling/reporter/reporteventreceiverutils_test.go

@@ -0,0 +1,20 @@
+package reporter
+
+import (
+	"net/url"
+	"testing"
+)
+
+func TestHostToString(t *testing.T) {
+	host := url.URL{
+		Scheme:   "https",
+		Host:     "report.eudev3.cyberarmorsoft.com",
+		Path:     "k8srestapi/v1/postureReport",
+		RawQuery: "cluster=openrasty_seal-7fvz&customerGUID=5d817063-096f-4d91-b39b-8665240080af",
+	}
+	expectedHost := "https://report.eudev3.cyberarmorsoft.com/k8srestapi/v1/postureReport?cluster=openrasty_seal-7fvz&customerGUID=5d817063-096f-4d91-b39b-8665240080af&reportID=ffdd2a00-4dc8-4bf3-b97a-a6d4fd198a41"
+	receivedHost := hostToString(&host, "ffdd2a00-4dc8-4bf3-b97a-a6d4fd198a41")
+	if receivedHost != expectedHost {
+		t.Errorf("%s != %s", receivedHost, expectedHost)
+	}
+}

resultshandling/results.go

@@ -0,0 +1,32 @@
+package resultshandling
+
+import (
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/resultshandling/printer"
+	"github.com/armosec/kubescape/resultshandling/reporter"
+)
+
+type ResultsHandler struct {
+	opaSessionObj *chan *cautils.OPASessionObj
+	reporterObj   *reporter.ReportEventReceiver
+	printerObj    *printer.Printer
+}
+
+func NewResultsHandler(opaSessionObj *chan *cautils.OPASessionObj, reporterObj *reporter.ReportEventReceiver, printerObj *printer.Printer) *ResultsHandler {
+	return &ResultsHandler{
+		opaSessionObj: opaSessionObj,
+		reporterObj:   reporterObj,
+		printerObj:    printerObj,
+	}
+}
+
+func (resultsHandler *ResultsHandler) HandleResults() float32 {
+
+	opaSessionObj := <-*resultsHandler.opaSessionObj
+
+	score := resultsHandler.printerObj.ActionPrint(opaSessionObj)
+
+	resultsHandler.reporterObj.ActionSendReportListenner(opaSessionObj)
+
+	return score
+}

scapepkg/exceptions/exceptionprocessor.go

@@ -0,0 +1,148 @@
+package exceptions
+
+import (
+	"regexp"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+func ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) []armotypes.PostureExceptionPolicy {
+	ruleExceptions := []armotypes.PostureExceptionPolicy{}
+	for i := range exceptionPolicies {
+		if ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, ruleName) {
+			ruleExceptions = append(ruleExceptions, exceptionPolicies[i])
+		}
+	}
+
+	return ruleExceptions
+
+}
+
+func ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) bool {
+	for _, posturePolicy := range exceptionPolicy.PosturePolicies {
+		if posturePolicy.FrameworkName == "" && posturePolicy.ControlName == "" && posturePolicy.RuleName == "" {
+			continue // empty policy -> ignore
+		}
+		if posturePolicy.FrameworkName != "" && posturePolicy.FrameworkName != frameworkName {
+			continue // policy does not match
+		}
+		if posturePolicy.ControlName != "" && posturePolicy.ControlName != controlName {
+			continue // policy does not match
+		}
+		if posturePolicy.RuleName != "" && posturePolicy.RuleName != ruleName {
+			continue // policy does not match
+		}
+		return true // policies match
+	}
+
+	return false
+
+}
+
+func AddExceptionsToRuleResponses(results []opapolicy.RuleResponse, ruleExceptions []armotypes.PostureExceptionPolicy) {
+	if len(ruleExceptions) == 0 {
+		return
+	}
+	for i := range results {
+		workloads := alertObjectToWorkloads(&results[i].AlertObject)
+		if len(workloads) == 0 {
+			continue
+		}
+		for w := range workloads {
+			if exception := getException(ruleExceptions, workloads[w]); exception != nil {
+				results[i].Exception = exception
+			}
+		}
+		results[i].RuleStatus = results[i].GetSingleResultStatus()
+	}
+}
+
+func alertObjectToWorkloads(obj *opapolicy.AlertObject) []k8sinterface.IWorkload {
+	resource := []k8sinterface.IWorkload{}
+
+	for i := range obj.K8SApiObjects {
+		r := k8sinterface.NewWorkloadObj(obj.K8SApiObjects[i])
+		if r == nil {
+			continue
+		}
+		resource = append(resource, r)
+		ns := r.GetNamespace()
+		if ns != "" {
+
+		}
+	}
+
+	return resource
+}
+func getException(ruleExceptions []armotypes.PostureExceptionPolicy, workload k8sinterface.IWorkload) *armotypes.PostureExceptionPolicy {
+	for e := range ruleExceptions {
+		for _, resource := range ruleExceptions[e].Resources {
+			if hasException(&resource, workload) {
+				return &ruleExceptions[e] // TODO - return disable exception out of all exceptions
+			}
+		}
+	}
+	return nil
+}
+
+// compareMetadata - compare namespace and kind
+func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.IWorkload) bool {
+	cluster, namespace, kind, name, labels := designator.DigestPortalDesignator()
+
+	if cluster == "" && namespace == "" && kind == "" && name == "" && len(labels) == 0 {
+		return false // if designators are empty
+	}
+
+	if cluster != "" && cautils.ClusterName != "" && !regexCompare(cluster, cautils.ClusterName) { // TODO - where do we receive cluster name from?
+		return false // cluster name does not match
+	}
+
+	if namespace != "" && !compareNamespace(workload, namespace) {
+		return false // namespaces do not match
+	}
+
+	if kind != "" && !compareKind(workload, kind) {
+		return false // kinds do not match
+	}
+
+	if name != "" && !compareName(workload, name) {
+		return false // names do not match
+	}
+	if len(labels) > 0 && !compareLabels(workload, labels) {
+		return false // labels do not match
+	}
+
+	return true // no mismatch found -> the workload has an exception
+}
+
+func compareNamespace(workload k8sinterface.IWorkload, namespace string) bool {
+	if workload.GetKind() == "Namespace" {
+		return regexCompare(namespace, workload.GetName())
+	}
+	return regexCompare(namespace, workload.GetNamespace())
+}
+
+func compareKind(workload k8sinterface.IWorkload, kind string) bool {
+	return regexCompare(kind, workload.GetKind())
+}
+
+func compareName(workload k8sinterface.IWorkload, name string) bool {
+	return regexCompare(workload.GetName(), name)
+}
+
+func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string) bool {
+	workloadLabels := labels.Set(workload.GetLabels())
+	designators := labels.Set(attributes).AsSelector()
+
+	return designators.Matches(workloadLabels)
+}
+
+func regexCompare(reg, name string) bool {
+	r, _ := regexp.MatchString(reg, name)
+	return r
+}

scapepkg/exceptions/exceptionprocessor_test.go

@@ -0,0 +1,59 @@
+package exceptions
+
+import (
+	"testing"
+
+	"github.com/armosec/kubescape/cautils/armotypes"
+)
+
+func PostureExceptionPolicyDisableMock() *armotypes.PostureExceptionPolicy {
+	return &armotypes.PostureExceptionPolicy{}
+}
+
+func PostureExceptionPolicyAlertOnlyMock() *armotypes.PostureExceptionPolicy {
+	return &armotypes.PostureExceptionPolicy{
+		PortalBase: armotypes.PortalBase{
+			Name: "postureExceptionPolicyAlertOnlyMock",
+		},
+		PolicyType: "postureExceptionPolicy",
+		Actions:    []armotypes.PostureExceptionPolicyActions{armotypes.AlertOnly},
+		Resources: []armotypes.PortalDesignator{
+			{
+				DesignatorType: armotypes.DesignatorAttributes,
+				Attributes: map[string]string{
+					armotypes.AttributeNamespace: "default",
+					armotypes.AttributeCluster:   "unittest",
+				},
+			},
+		},
+		PosturePolicies: []armotypes.PosturePolicy{
+			{
+				FrameworkName: "MITRE",
+			},
+		},
+	}
+}
+
+func TestListRuleExceptions(t *testing.T) {
+	exceptionPolicies := []armotypes.PostureExceptionPolicy{*PostureExceptionPolicyAlertOnlyMock()}
+	res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
+	if len(res1) != 1 {
+		t.Errorf("expecting 1 exception")
+	}
+	res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "")
+	if len(res2) != 0 {
+		t.Errorf("expecting 0 exception")
+	}
+}
+
+// func TestGetException(t *testing.T) {
+// 	exceptionPolicies := []armotypes.PostureExceptionPolicy{*PostureExceptionPolicyAlertOnlyMock()}
+// 	res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
+// 	if len(res1) != 1 {
+// 		t.Errorf("expecting 1 exception")
+// 	}
+// 	res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "")
+// 	if len(res2) != 0 {
+// 		t.Errorf("expecting 0 exception")
+// 	}
+// }

scapepkg/score/frameworkdict.json

@@ -0,0 +1,232 @@
+{
+    "developer_framework": {
+        "Writable hostPath mount": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Compromised images in registry": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Exposed dashboard": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Network mapping": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access container service account": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access Kubelet API": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Cluster-admin binding": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Kubernetes CronJob": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "SSH server running inside container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Pod / container name similarity": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Cluster internal networking": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access Kubernetes dashboard": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Privileged container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "hostPath mount": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Instance Metadata API": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Applications credentials in configuration files": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        }
+    },
+    "MITRE": {
+        "Writable hostPath mount": {
+            "baseScore": 8.0,
+            "improvementRatio": 0.5
+        },
+        "Sidecar injection": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Compromised images in registry": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access tiller endpoint": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Data Destruction": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Resource Hijacking": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access the Kubernetes API server": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Exposed dashboard": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Backdoor container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Network mapping": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Images from private registry": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Mount service principal": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access container service account": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Malicious admission controller (validating)": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access Kubelet API": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Vulnerable application": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Application exploit (RCE)": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Cluster-admin binding": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Kubernetes CronJob": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "SSH server running inside container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "List Kubernetes secrets": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Pod / container name similarity": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Cluster internal networking": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Exposed sensitive interfaces": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Bash/cmd inside container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Clear container logs": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Access Kubernetes dashboard": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "New container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Privileged container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "CoreDNS poisoning": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "hostPath mount": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Instance Metadata API": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Malicious admission controller (mutating)": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Exec into container": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Delete Kubernetes events": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Applications credentials in configuration files": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        }
+    },
+    "NSA": {
+        "Control plane hardening": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Immutable container filesystem": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Non-root containers": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        },
+        "Host PID/IPC privileges": {
+            "baseScore": 1.0,
+            "improvementRatio": 1.0
+        }
+    }
+}

scapepkg/score/resourcesdict.json

@@ -0,0 +1,22 @@
+{
+    "pod": 1.0,
+    "service": 1.0,
+    "daemonset": 1.0,
+    "deployment": 1.0,
+    "replicaset": 1.1,
+    "statefulset": 1.0,
+    "job": 1.0,
+    "secret": 1.0,
+    "cronjob": 1.0,
+    "clusterrolebinding": 1.0,
+    "clusterrole": 1.0,
+    "rolebinding": 1.0,
+    "role": 1.0,
+    "networkpolicy": 1.0,
+    "controllerrevision": 1.0,
+    "namespace": 1.0,
+    "serviceaccount": 1.0,
+    "configmap": 1.0,
+    "node": 1.0
+
+}

scapepkg/score/score.go

@@ -0,0 +1,201 @@
+package score
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	appsv1 "k8s.io/api/apps/v1"
+
+	// corev1 "k8s.io/api/core/v1"
+	k8sinterface "github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+type ControlScoreWeights struct {
+	BaseScore                    float32 `json:"baseScore"`
+	RuntimeImprovementMultiplier float32 `json:"improvementRatio"`
+}
+
+type ScoreUtil struct {
+	ResourceTypeScores map[string]float32
+	FrameworksScore    map[string]map[string]ControlScoreWeights
+	K8SApoObj          *k8sinterface.KubernetesApi
+	configPath         string
+}
+
+var postureScore *ScoreUtil
+
+func (su *ScoreUtil) Calculate(frameworksReports []opapolicy.FrameworkReport) error {
+	for i := range frameworksReports {
+		su.CalculateFrameworkScore(&frameworksReports[i])
+	}
+
+	return nil
+}
+
+func (su *ScoreUtil) CalculateFrameworkScore(framework *opapolicy.FrameworkReport) error {
+	for i := range framework.ControlReports {
+		framework.WCSScore += su.ControlScore(&framework.ControlReports[i], framework.Name)
+		framework.Score += framework.ControlReports[i].Score
+		framework.ARMOImprovement += framework.ControlReports[i].ARMOImprovement
+	}
+	if framework.WCSScore > 0 {
+		framework.Score = (framework.Score * 100) / framework.WCSScore
+		framework.ARMOImprovement = (framework.ARMOImprovement * 100) / framework.WCSScore
+	}
+
+	return fmt.Errorf("unable to calculate score for framework %s due to bad wcs score", framework.Name)
+
+}
+
+/*
+daemonset: daemonsetscore*#nodes
+workloads: if replicas:
+             replicascore*workloadkindscore*#replicas
+           else:
+		     regular
+
+*/
+func (su *ScoreUtil) resourceRules(resources []map[string]interface{}) float32 {
+	var weight float32 = 0
+
+	for _, v := range resources {
+		var score float32 = 0
+		wl := k8sinterface.NewWorkloadObj(v)
+		kind := ""
+		if wl != nil {
+			kind = strings.ToLower(wl.GetKind())
+			replicas := wl.GetReplicas()
+			score = su.ResourceTypeScores[kind]
+			if replicas > 1 {
+				score *= su.ResourceTypeScores["replicaset"] * float32(replicas)
+			}
+
+		} else {
+			epsilon := float32(0.00001)
+			keys := make([]string, 0, len(v))
+			for k := range v {
+				keys = append(keys, k)
+			}
+			kind = keys[0]
+			score = su.ResourceTypeScores[kind]
+			if score == 0.0 || (score > -1*epsilon && score < epsilon) {
+				score = 1
+			}
+		}
+
+		if kind == "daemonset" {
+			b, err := json.Marshal(v)
+			if err == nil {
+				dmnset := appsv1.DaemonSet{}
+				json.Unmarshal(b, &dmnset)
+				score *= float32(dmnset.Status.DesiredNumberScheduled)
+			}
+		}
+		weight += score
+	}
+
+	return weight
+}
+
+func (su *ScoreUtil) externalResourceConverter(rscs map[string]interface{}) []map[string]interface{} {
+	resources := make([]map[string]interface{}, 0)
+	for atype, v := range rscs {
+		resources = append(resources, map[string]interface{}{atype: v})
+	}
+	return resources
+}
+
+/*
+ControlScore:
+@input:
+ctrlReport - opapolicy.ControlReport object, must contain down the line the Input resources and the output resources
+frameworkName - calculate this control according to a given framework weights
+
+ctrl.score = baseScore * SUM_resource (resourceWeight*min(#replicas*replicaweight,1)(nodes if daemonset)
+
+returns control score ***for the input resources***
+
+*/
+func (su *ScoreUtil) ControlScore(ctrlReport *opapolicy.ControlReport, frameworkName string) float32 {
+
+	aggregatedInputs := make([]map[string]interface{}, 0)
+	aggregatedResponses := make([]map[string]interface{}, 0)
+	for _, ruleReport := range ctrlReport.RuleReports {
+		status, _, _ := ruleReport.GetRuleStatus()
+		if status != "warning" {
+			for _, ruleResponse := range ruleReport.RuleResponses {
+				aggregatedResponses = append(aggregatedResponses, ruleResponse.AlertObject.K8SApiObjects...)
+				aggregatedResponses = append(aggregatedResponses, su.externalResourceConverter(ruleResponse.AlertObject.ExternalObjects)...)
+			}
+		}
+
+		aggregatedInputs = append(aggregatedInputs, ruleReport.ListInputResources...)
+
+	}
+	improvementRatio := float32(1)
+	if ctrls, isOk := su.FrameworksScore[frameworkName]; isOk {
+		if scoreobj, isOk2 := ctrls[ctrlReport.Name]; isOk2 {
+			ctrlReport.BaseScore = scoreobj.BaseScore
+			improvementRatio -= scoreobj.RuntimeImprovementMultiplier
+		}
+	} else {
+		ctrlReport.BaseScore = 1.0
+	}
+
+	ctrlReport.Score = ctrlReport.BaseScore * su.resourceRules(aggregatedResponses)
+	ctrlReport.ARMOImprovement = ctrlReport.Score * improvementRatio
+
+	return ctrlReport.BaseScore * su.resourceRules(aggregatedInputs)
+
+}
+
+func getPostureFrameworksScores(weightPath string) map[string]map[string]ControlScoreWeights {
+	if len(weightPath) != 0 {
+		weightPath = weightPath + "/"
+	}
+	frameworksScoreMap := make(map[string]map[string]ControlScoreWeights)
+	dat, err := os.ReadFile(weightPath + "frameworkdict.json")
+	if err != nil {
+		return nil
+	}
+	if err := json.Unmarshal(dat, &frameworksScoreMap); err != nil {
+		return nil
+	}
+
+	return frameworksScoreMap
+
+}
+
+func getPostureResourceScores(weightPath string) map[string]float32 {
+	if len(weightPath) != 0 {
+		weightPath = weightPath + "/"
+	}
+	resourceScoreMap := make(map[string]float32)
+	dat, err := os.ReadFile(weightPath + "resourcesdict.json")
+	if err != nil {
+		return nil
+	}
+	if err := json.Unmarshal(dat, &resourceScoreMap); err != nil {
+		return nil
+	}
+
+	return resourceScoreMap
+
+}
+
+func NewScore(k8sapiobj *k8sinterface.KubernetesApi, configPath string) *ScoreUtil {
+	if postureScore == nil {
+
+		postureScore = &ScoreUtil{
+			ResourceTypeScores: getPostureResourceScores(configPath),
+			FrameworksScore:    getPostureFrameworksScores(configPath),
+			configPath:         configPath,
+		}
+
+	}
+
+	return postureScore
+}

scapepkg/score/score_mocks.go

@@ -0,0 +1,77 @@
+package score
+
+import (
+	"encoding/json"
+	"os"
+	"strings"
+
+	k8sinterface "github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+func loadResourcesMock() []map[string]interface{} {
+	resources := make([]map[string]interface{}, 0)
+
+	dat, err := os.ReadFile("resourcemocks.json")
+
+	if err != nil {
+		return resources
+	}
+	if err := json.Unmarshal(dat, &resources); err != nil {
+		return resources
+	}
+
+	return resources
+}
+
+func getResouceByType(desiredType string) map[string]interface{} {
+	rsrcs := loadResourcesMock()
+	if rsrcs == nil {
+		return nil
+	}
+	for _, v := range rsrcs {
+		wl := k8sinterface.NewWorkloadObj(v)
+		if wl != nil {
+			if strings.ToLower(wl.GetKind()) == desiredType {
+				return v
+			}
+			continue
+
+		} else {
+			for k := range v {
+				if k == desiredType {
+					return v
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func loadFrameworkMock() *opapolicy.FrameworkReport {
+	report := &opapolicy.FrameworkReport{}
+
+	dat, err := os.ReadFile("frameworkmock.json")
+
+	if err != nil {
+		return report
+	}
+	if err := json.Unmarshal(dat, &report); err != nil {
+		return report
+	}
+
+	return report
+}
+func getMITREFrameworkResultMock() []opapolicy.FrameworkReport {
+	l := make([]opapolicy.FrameworkReport, 0)
+	report := loadFrameworkMock()
+	resources := loadResourcesMock()
+	if report != nil && resources != nil {
+
+		report.ControlReports[0].RuleReports[0].ListInputResources = resources
+		l = append(l, *report)
+
+	}
+
+	return l
+}

scapepkg/score/score_test.go

@@ -0,0 +1,65 @@
+package score
+
+import (
+	"testing"
+)
+
+func TestFrameworkMock(t *testing.T) {
+	r := getMITREFrameworkResultMock()
+	su := NewScore(nil, "")
+	var epsilon float32 = 0.001
+	su.Calculate(r)
+	var sumweights float32 = 0.0
+	for _, v := range su.ResourceTypeScores {
+		sumweights += v
+	}
+
+	for _, framework := range r {
+		if framework.Score < 1 {
+			t.Errorf("framework %s invalid calculation1: %v", framework.Name, framework)
+		}
+
+		if framework.Score > framework.WCSScore+epsilon {
+			t.Errorf("framework %s invalid calculation2: %v", framework.Name, framework)
+		}
+		if framework.ARMOImprovement > framework.Score+epsilon {
+			t.Errorf("framework %s invalid calculation3: %v", framework.Name, framework)
+		}
+		if framework.ControlReports[0].Score*sumweights <= 0+epsilon {
+			t.Errorf("framework %s invalid calculation4: %v", framework.Name, framework)
+		}
+	}
+	//
+}
+
+func TestDaemonsetRule(t *testing.T) {
+	desiredType := "daemonset"
+	r := getResouceByType(desiredType)
+	if r == nil {
+		t.Errorf("no %v was found in the mock, should be 1", desiredType)
+	}
+	su := NewScore(nil, "")
+
+	resources := []map[string]interface{}{r}
+	weights := su.resourceRules(resources)
+	expecting := 13 * su.ResourceTypeScores[desiredType]
+	if weights != expecting {
+		t.Errorf("no %v unexpected weights were calculated expecting: %v got %v", desiredType, expecting, weights)
+	}
+}
+
+func TestMultipleReplicasRule(t *testing.T) {
+	desiredType := "deployment"
+	r := getResouceByType(desiredType)
+	if r == nil {
+		t.Errorf("no %v was found in the mock, should be 1", desiredType)
+	}
+	su := NewScore(nil, "")
+
+	resources := []map[string]interface{}{r}
+	weights := su.resourceRules(resources)
+	expecting := 3 * su.ResourceTypeScores[desiredType] * su.ResourceTypeScores["replicaset"]
+	if weights != expecting {
+		t.Errorf("no %v unexpected weights were calculated expecting: %v got %v", desiredType, expecting, weights)
+	}
+}

scapepkg/score/scoremethods.go

@@ -0,0 +1 @@
+package score

website/index.html

@@ -0,0 +1,14 @@
+<html>
+    <head>
+        <title>
+            Kubscape Website
+        </title>
+        <h1>Kubscape Website</h1>
+    </head>
+    <body>
+<h2>
+    Join us!!!
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500" allowtransparency="true" frameborder="0" sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</h2>
+    </body>
+</html>