Merge pull request #100 from slashben/master

Adding discord links to readme

.github/workflows/build.yaml

@@ -40,7 +40,11 @@ jobs:
       - name: Build
         env:
           RELEASE: v1.0.${{ github.run_number }} 
-        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
+          ArmoBEServer: api.armo.cloud
+          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
+        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=$ArmoBEServer -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=$ArmoERServer -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=$ArmoWebsite" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
       
       - name: Upload Release binaries
         id: upload-release-asset

.github/workflows/build_dev.yaml

@@ -0,0 +1,36 @@
+name: build-dev
+
+on:
+  push:
+    branches: [ dev ]
+  pull_request:
+    branches: [ dev ]
+    types: [ closed ]
+jobs:
+  build:
+    name: Create cross-platform dev build
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      - name: Build
+        env:
+          RELEASE: v1.0.${{ github.run_number }} 
+          ArmoBEServer: api.armo.cloud
+          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 0
+        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=$ArmoBEServer -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=$ArmoERServer -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=$ArmoWebsite" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
+      
+      - name: Upload build artifacts 
+        uses: actions/upload-artifact@v2
+        with:
+          name: kubescape-${{ matrix.os }}
+          path: build/${{ matrix.os }}/kubescape 

CONTRIBUTING.md

@@ -0,0 +1,99 @@
+# Contributing
+
+First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+
+When contributing, we categorize contributions into two:
+* Small code changes or fixes, whose scope are limited to a single or two files
+* Complex features and improvements, whose are not limited
+
+If you have a small change, feel free to fire up a Pull Request.
+
+When planning a bigger change, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
+   build.
+2. Update the README.md with details of changes to the interface, this includes new environment 
+   variables, exposed ports, useful file locations and container parameters.
+3. We will merge the Pull Request in once you have the sign-off.
+
+## Code of Conduct
+
+### Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+### Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+We will distance those who are constantly adhere to unacceptable behavior.
+
+### Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+### Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+### Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+### Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -3,21 +3,19 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 
 Use Kubescape to test clusters or scan single YAML files and integrate it to your processes. 
 
 <img src="docs/demo.gif">
 
 # TL;DR
-## Install & Run
-
-### Install:
+## Install:
 ```
 curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
 ```
 
-### Run:
+## Run:
 ```
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```
@@ -26,8 +24,20 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 
 <img src="docs/summary.png">
 
+# Being part of the team
 
-### Flags
+We invite you to our team! We are excited about this project and want to return the love we get. 
+
+Want to contribute? Want to discuss something? Have an issue?
+
+* Open a issue, we are trying to respond within 48 hours
+* [Join us](https://discordapp.com/invite/CTcCaBbb) in a discussion on our discord server! 
+
+[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://discordapp.com/invite/CTcCaBbb)
+
+# Options and examples
+
+## Flags
 
 | flag |  default | description | options |
 | --- | --- | --- | --- |
@@ -38,8 +48,8 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 | `-o`/`--output` | print to stdout | Save scan result in file |
 | `--use-from` | | Load local framework object from specified path. If not used will download latest |
 | `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
-| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json) |
-| `--results-locally` | | Kubescape sends scan results to Armosec backend to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--results-locally` | `false` | Kubescape sends scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features | `true`/`false`|
 
 ## Usage & Examples
  
@@ -87,7 +97,6 @@ for example:
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
-
 ### Offline Support <img src="docs/new-feature.svg">
 
 It is possible to run Kubescape offline!
@@ -104,9 +113,12 @@ kubescape download framework nsa --output nsa.json
 kubescape scan framework nsa --use-from nsa.json
 ```
 
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
 
 # How to build 
 
+## For development
+
 Note: development (and the release process) is done with Go `1.16`
 
 1. Clone Project
@@ -126,7 +138,7 @@ go mod tidy && go build -o kubescape .
 
 4. Enjoy :zany_face:
 
-# How to build in Docker
+## How to build in Docker
 
 1. Clone Project
 ```
@@ -162,6 +174,7 @@ Kubescape is running the following tests according to what is defined by [Kubern
 * Ingress and Egress blocked
 * Container hostPort
 * Network policies
+* Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
 
 
 

build/Dockerfile

@@ -4,7 +4,7 @@ ENV GO111MODULE=on
 
 WORKDIR /work
 ADD . .
-RUN go mod download
+RUN go mod tidy
 RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o kubescape .
 
 FROM alpine

cautils/armotypes/portaltypes.go

@@ -1,5 +1,7 @@
 package armotypes
 
+import "strings"
+
 const (
 	CostumerGuidQuery   = "costumerGUID"
 	ClusterNameQuery    = "cluster"
@@ -42,6 +44,10 @@ const (
 	DesignatorSid           DesignatorType = "Sid" // secret id
 )
 
+func (dt DesignatorType) ToLower() DesignatorType {
+	return DesignatorType(strings.ToLower(string(dt)))
+}
+
 // attributes
 const (
 	AttributeCluster   = "cluster"

cautils/armotypes/portaltypesutils.go

@@ -33,10 +33,10 @@ func (designator *PortalDesignator) GetLabels() map[string]string {
 
 // DigestPortalDesignator - get cluster namespace and labels from designator
 func (designator *PortalDesignator) DigestPortalDesignator() (string, string, string, string, map[string]string) {
-	switch designator.DesignatorType {
-	case DesignatorAttributes, DesignatorAttribute:
+	switch designator.DesignatorType.ToLower() {
+	case DesignatorAttributes.ToLower(), DesignatorAttribute.ToLower():
 		return designator.DigestAttributesDesignator()
-	case DesignatorWlid, DesignatorWildWlid:
+	case DesignatorWlid.ToLower(), DesignatorWildWlid.ToLower():
 		return cautils.GetClusterFromWlid(designator.WLID), cautils.GetNamespaceFromWlid(designator.WLID), cautils.GetKindFromWlid(designator.WLID), cautils.GetNameFromWlid(designator.WLID), map[string]string{}
 	// case DesignatorSid: // TODO
 	default:

cautils/customerloader.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
+	"strings"
 
 	"github.com/armosec/kubescape/cautils/getter"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,12 +18,13 @@ import (
 
 const (
 	configMapName  = "kubescape"
-	configFileName = "config"
+	ConfigFileName = "config"
 )
 
 type ConfigObj struct {
-	CustomerGUID string `json:"customerGUID"`
-	Token        string `json:"token"`
+	CustomerGUID       string `json:"customerGUID"`
+	Token              string `json:"invitationParam"`
+	CustomerAdminEMail string `json:"adminMail"`
 }
 
 func (co *ConfigObj) Json() []byte {
@@ -70,15 +72,26 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, armoAPI *getter.ArmoAPI)
 		defaultNS: k8sinterface.GetDefaultNamespace(),
 	}
 }
+func createConfigJson() {
+	ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), nil, 0664)
 
-func (c *ClusterConfig) update(configObj *ConfigObj) {
-	c.configObj = configObj
-	ioutil.WriteFile(getter.GetDefaultPath(configFileName+".json"), c.configObj.Json(), 0664)
+}
+
+func update(configObj *ConfigObj) {
+	ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), configObj.Json(), 0664)
 }
 func (c *ClusterConfig) GenerateURL() {
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = getter.ArmoFEURL
+	if c.configObj == nil {
+		return
+	}
+	if c.configObj.CustomerAdminEMail != "" {
+		msgStr := fmt.Sprintf("To view all controls and get remediations ask access permissions to %s from %s", u.String(), c.configObj.CustomerAdminEMail)
+		InfoTextDisplay(os.Stdout, msgStr+"\n")
+		return
+	}
 	u.Path = "account/sign-up"
 	q := u.Query()
 	q.Add("invitationToken", c.configObj.Token)
@@ -91,30 +104,130 @@ func (c *ClusterConfig) GenerateURL() {
 }
 
 func (c *ClusterConfig) GetCustomerGUID() string {
-	return c.configObj.CustomerGUID
+	if c.configObj != nil {
+		return c.configObj.CustomerGUID
+	}
+	return ""
 }
-func (c *ClusterConfig) SetCustomerGUID() error {
 
-	// get from configMap
-	if configObj, _ := c.loadConfigFromConfigMap(); configObj != nil {
-		c.update(configObj)
-		return nil
+func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return "", err
 	}
-
-	// get from file
-	if configObj, _ := c.loadConfigFromFile(); configObj != nil {
-		c.update(configObj)
-		c.updateConfigMap()
-		return nil
-	}
-
-	// get from armoBE
-	if tenantResponse, err := c.armoAPI.GetCustomerGUID(); tenantResponse != nil {
-		c.update(&ConfigObj{CustomerGUID: tenantResponse.TenantID, Token: tenantResponse.Token})
-		return c.updateConfigMap()
+	if val, ok := configMap.Data[key]; ok {
+		return val, nil
 	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+
+}
+
+func GetValueFromConfigJson(key string) (string, error) {
+	data, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	if err != nil {
+		return "", err
+	}
+	var obj map[string]interface{}
+	err = json.Unmarshal(data, &obj)
+	if val, ok := obj[key]; ok {
+		return fmt.Sprint(val), nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+
+}
+
+func SetKeyValueInConfigJson(key string, value string) error {
+	data, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+	if err != nil {
 		return err
 	}
+	var obj map[string]interface{}
+	err = json.Unmarshal(data, &obj)
+
+	if err != nil {
+		return err
+	}
+	obj[key] = value
+	newData, err := json.Marshal(obj)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(getter.GetDefaultPath(ConfigFileName+".json"), newData, 0664)
+
+}
+
+func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	if err != nil {
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: configMapName,
+			},
+		}
+	}
+
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+
+	configMap.Data[key] = value
+
+	if err != nil {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+	} else {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	}
+
+	return err
+}
+
+func (c *ClusterConfig) SetCustomerGUID() error {
+
+	// get from file
+	if existsConfigJson() {
+		c.configObj, _ = loadConfigFromFile()
+	} else if c.existsConfigMap() {
+		c.configObj, _ = c.loadConfigFromConfigMap()
+	} else {
+		c.createConfigMap()
+		createConfigJson()
+	}
+
+	customerGUID := c.GetCustomerGUID()
+	// get from armoBE
+	tenantResponse, err := c.armoAPI.GetCustomerGUID(customerGUID)
+
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			if existsConfigJson() {
+				update(&ConfigObj{CustomerGUID: customerGUID, CustomerAdminEMail: tenantResponse.AdminMail})
+			}
+			if c.existsConfigMap() {
+				c.configObj.CustomerAdminEMail = tenantResponse.AdminMail
+				c.updateConfigMap()
+			}
+		} else {
+			if existsConfigJson() {
+				update(&ConfigObj{CustomerGUID: tenantResponse.TenantID, Token: tenantResponse.Token})
+			}
+			if c.existsConfigMap() {
+				c.configObj = &ConfigObj{CustomerGUID: tenantResponse.TenantID, Token: tenantResponse.Token}
+				c.updateConfigMap()
+			}
+		}
+	} else {
+		if err != nil && strings.Contains(err.Error(), "Invitation for tenant already exists") {
+			return nil
+		}
+		return err
+	}
+	return nil
 }
 
 func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
@@ -132,28 +245,49 @@ func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
 	return nil, nil
 }
 
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+	return err == nil
+}
+
+func existsConfigJson() bool {
+	_, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
+
+	return err == nil
+
+}
+
+func (c *ClusterConfig) createConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: configMapName,
+		},
+	}
+	c.updateConfigData(configMap)
+
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
+	return err
+}
+
 func (c *ClusterConfig) updateConfigMap() error {
 	if c.k8s == nil {
 		return nil
 	}
 	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
+
 	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: configMapName,
-			},
-		}
+		return err
 	}
 
 	c.updateConfigData(configMap)
 
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
+	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
 	return err
 }
+
 func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
 	if len(configMap.Data) == 0 {
 		configMap.Data = make(map[string]string)
@@ -165,8 +299,8 @@ func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
 		}
 	}
 }
-func (c *ClusterConfig) loadConfigFromFile() (*ConfigObj, error) {
-	dat, err := ioutil.ReadFile(getter.GetDefaultPath(configFileName + ".json"))
+func loadConfigFromFile() (*ConfigObj, error) {
+	dat, err := ioutil.ReadFile(getter.GetDefaultPath(ConfigFileName + ".json"))
 	if err != nil {
 		return nil, err
 	}

cautils/getter/armoapi.go

@@ -1,6 +1,7 @@
 package getter
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/armosec/kubescape/cautils/armotypes"
@@ -11,7 +12,9 @@ import (
 // =============================================== ArmoAPI ===============================================================
 // =======================================================================================================================
 
-const (
+var (
+	// ATTENTION!!!
+	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
 	ArmoBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
 	ArmoERURL = "report.eudev3.cyberarmorsoft.com"
 	ArmoFEURL = "armoui.eudev3.cyberarmorsoft.com"
@@ -60,8 +63,12 @@ func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armot
 	return exceptions, nil
 }
 
-func (armoAPI *ArmoAPI) GetCustomerGUID() (*TenantResponse, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getCustomerURL())
+func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
+	url := armoAPI.getCustomerURL()
+	if customerGUID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
+	}
+	respStr, err := HttpGetter(armoAPI.httpClient, url)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +81,8 @@ func (armoAPI *ArmoAPI) GetCustomerGUID() (*TenantResponse, error) {
 }
 
 type TenantResponse struct {
-	TenantID string `json:"tenantId"`
-	Token    string `json:"token"`
-	Expires  string `json:"expires"`
+	TenantID  string `json:"tenantId"`
+	Token     string `json:"token"`
+	Expires   string `json:"expires"`
+	AdminMail string `json:"adminMail,omitempty"`
 }

cautils/getter/downloadreleasedpolicy.go

@@ -27,7 +27,9 @@ func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 }
 
 func (drp *DownloadReleasedPolicy) GetFramework(name string) (*opapolicy.Framework, error) {
-	drp.setURL(name)
+	if err := drp.setURL(name); err != nil {
+		return nil, err
+	}
 	respStr, err := HttpGetter(drp.httpClient, drp.hostURL)
 	if err != nil {
 		return nil, err
@@ -71,12 +73,13 @@ func (drp *DownloadReleasedPolicy) setURL(frameworkName string) error {
 					if name == frameworkName {
 						if url, ok := asset["browser_download_url"].(string); ok {
 							drp.hostURL = url
+							return nil
 						}
 					}
 				}
 			}
 		}
 	}
-	return nil
+	return fmt.Errorf("failed to download '%s' - not found", frameworkName)
 
 }

cautils/opapolicy/datastructures.go

@@ -41,8 +41,8 @@ type FrameworkReport struct {
 }
 type ControlReport struct {
 	armotypes.PortalBase `json:",inline"`
+	ControlID            string       `json:"id"`
 	Name                 string       `json:"name"`
-	ID                   string       `json:"id"`
 	RuleReports          []RuleReport `json:"ruleReports"`
 	Remediation          string       `json:"remediation"`
 	Description          string       `json:"description"`
@@ -101,7 +101,7 @@ type PolicyRule struct {
 // Control represents a collection of rules which are combined together to single purpose
 type Control struct {
 	armotypes.PortalBase `json:",inline"`
-	ID                   string       `json:"id"`
+	ControlID            string       `json:"id"`
 	CreationTime         string       `json:"creationTime"`
 	Description          string       `json:"description"`
 	Remediation          string       `json:"remediation"`

cautils/opapolicy/datastructures_mock.go

@@ -33,7 +33,8 @@ func MockFrameworkReportA() *FrameworkReport {
 		Name: AMockFrameworkName,
 		ControlReports: []ControlReport{
 			{
-				Name: AMockControlName,
+				ControlID: "C-0010",
+				Name:      AMockControlName,
 				RuleReports: []RuleReport{
 					{
 						Name:        AMockRuleName,

cautils/opapolicy/datastructuresmethods.go

@@ -3,6 +3,8 @@ package opapolicy
 import (
 	"bytes"
 	"encoding/json"
+
+	"github.com/armosec/kubescape/cautils/k8sinterface"
 )
 
 func (pn *PolicyNotification) ToJSONBytesBuffer() (*bytes.Buffer, error) {
@@ -83,11 +85,11 @@ func (controlReport *ControlReport) ListControlsInputKinds() []string {
 
 func (controlReport *ControlReport) Passed() bool {
 	for i := range controlReport.RuleReports {
-		if len(controlReport.RuleReports[i].RuleResponses) == 0 {
-			return true
+		if len(controlReport.RuleReports[i].RuleResponses) != 0 {
+			return false
 		}
 	}
-	return false
+	return true
 }
 
 func (controlReport *ControlReport) Warning() bool {
@@ -120,14 +122,50 @@ func (ruleReport *RuleReport) GetNumberOfResources() int {
 
 func (ruleReport *RuleReport) GetNumberOfFailedResources() int {
 	sum := 0
-	for i := range ruleReport.RuleResponses {
+	for i := len(ruleReport.RuleResponses) - 1; i >= 0; i-- {
 		if ruleReport.RuleResponses[i].GetSingleResultStatus() == "failed" {
-			sum += 1
+			if !ruleReport.DeleteIfRedundantResponse(&ruleReport.RuleResponses[i], i) {
+				sum++
+			}
 		}
 	}
 	return sum
 }
 
+func (ruleReport *RuleReport) DeleteIfRedundantResponse(RuleResponse *RuleResponse, index int) bool {
+	if b, rr := ruleReport.IsDuplicateResponseOfResource(RuleResponse, index); b {
+		rr.AddMessageToResponse(RuleResponse.AlertMessage)
+		ruleReport.RuleResponses = removeResponse(ruleReport.RuleResponses, index)
+		return true
+	}
+	return false
+}
+
+func (ruleResponse *RuleResponse) AddMessageToResponse(message string) {
+	ruleResponse.AlertMessage += message
+}
+
+func (ruleReport *RuleReport) IsDuplicateResponseOfResource(RuleResponse *RuleResponse, index int) (bool, *RuleResponse) {
+	for i := range ruleReport.RuleResponses {
+		if i != index {
+			for j := range ruleReport.RuleResponses[i].AlertObject.K8SApiObjects {
+				for k := range RuleResponse.AlertObject.K8SApiObjects {
+					w1 := k8sinterface.NewWorkloadObj(ruleReport.RuleResponses[i].AlertObject.K8SApiObjects[j])
+					w2 := k8sinterface.NewWorkloadObj(RuleResponse.AlertObject.K8SApiObjects[k])
+					if w1.GetName() == w2.GetName() && w1.GetNamespace() == w2.GetNamespace() && w1.GetKind() != "Role" && w1.GetKind() != "ClusterRole" {
+						return true, &ruleReport.RuleResponses[i]
+					}
+				}
+			}
+		}
+	}
+	return false, nil
+}
+
+func removeResponse(slice []RuleResponse, index int) []RuleResponse {
+	return append(slice[:index], slice[index+1:]...)
+}
+
 func (ruleReport *RuleReport) GetNumberOfWarningResources() int {
 	sum := 0
 	for i := range ruleReport.RuleResponses {

cautils/scaninfo.go

@@ -67,12 +67,12 @@ func (scanInfo *ScanInfo) setOutputFile() {
 		return
 	}
 	if scanInfo.Format == "json" {
-		if filepath.Ext(scanInfo.Output) != "json" {
+		if filepath.Ext(scanInfo.Output) != ".json" {
 			scanInfo.Output += ".json"
 		}
 	}
 	if scanInfo.Format == "junit" {
-		if filepath.Ext(scanInfo.Output) != "xml" {
+		if filepath.Ext(scanInfo.Output) != ".xml" {
 			scanInfo.Output += ".xml"
 		}
 	}

cmd/cluster.go

@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// clusterCmd represents the cluster command
+var clusterCmd = &cobra.Command{
+	Use:   "cluster",
+	Short: "Set configuration for cluster",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	configCmd.AddCommand(clusterCmd)
+}

cmd/cluster_get.go

@@ -0,0 +1,50 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/spf13/cobra"
+)
+
+var getCmd = &cobra.Command{
+	Use:       "get <key>",
+	Short:     "Get configuration in cluster",
+	Long:      ``,
+	ValidArgs: supportedFrameworks,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+
+		k8s := k8sinterface.NewKubernetesApi()
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.NewArmoAPI())
+		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
+		if err != nil {
+			if err.Error() == "value does not exist." {
+				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
+				return nil
+			}
+			return err
+		}
+		fmt.Println(key + "=" + val)
+		return nil
+	},
+}
+
+func init() {
+	clusterCmd.AddCommand(getCmd)
+}

cmd/cluster_set.go

@@ -0,0 +1,44 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+	"github.com/spf13/cobra"
+)
+
+var setCmd = &cobra.Command{
+	Use:   "set <key>=<value>",
+	Short: "Set configuration in cluster",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 2 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+		data := keyValue[1]
+
+		k8s := k8sinterface.NewKubernetesApi()
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.NewArmoAPI())
+		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
+			return err
+		}
+		fmt.Println("Value added successfully.")
+		return nil
+	},
+}
+
+func init() {
+	clusterCmd.AddCommand(setCmd)
+}

cmd/config.go

@@ -0,0 +1,19 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// configCmd represents the config command
+var configCmd = &cobra.Command{
+	Use:   "config",
+	Short: "Set configuration",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(configCmd)
+}

cmd/local.go

@@ -0,0 +1,17 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var localCmd = &cobra.Command{
+	Use:   "local",
+	Short: "Set configuration locally (for config.json)",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+func init() {
+	configCmd.AddCommand(localCmd)
+}

cmd/local_get.go

@@ -0,0 +1,46 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/spf13/cobra"
+)
+
+var localGetCmd = &cobra.Command{
+	Use:   "get <key>",
+	Short: "Get configuration locally",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 1 {
+			return fmt.Errorf("requires  one argument")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+
+		val, err := cautils.GetValueFromConfigJson(key)
+		if err != nil {
+			if err.Error() == "value does not exist." {
+				fmt.Printf("Could net get value from: %s, reason: %s\n", getter.GetDefaultPath(cautils.ConfigFileName+".json"), err)
+				return nil
+			}
+			return err
+		}
+		fmt.Println(key + "=" + val)
+		return nil
+	},
+}
+
+func init() {
+	localCmd.AddCommand(localGetCmd)
+}

cmd/local_set.go

@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils"
+	"github.com/spf13/cobra"
+)
+
+var localSetCmd = &cobra.Command{
+	Use:   "set <key>=<value>",
+	Short: "Set configuration locally",
+	Long:  ``,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 || len(args) > 1 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		keyValue := strings.Split(args[0], "=")
+		if len(keyValue) != 2 {
+			return fmt.Errorf("requires  one argument: <key>=<value>")
+		}
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		keyValue := strings.Split(args[0], "=")
+		key := keyValue[0]
+		data := keyValue[1]
+
+		if err := cautils.SetKeyValueInConfigJson(key, data); err != nil {
+			return err
+		}
+		fmt.Println("Value added successfully.")
+		return nil
+	},
+}
+
+func init() {
+	localCmd.AddCommand(localSetCmd)
+}

docs/run-options.md

@@ -0,0 +1,89 @@
+<img src="kubescape.png" width="300" alt="logo" align="center">
+
+# More detailed look on command line arguments and options
+
+## Simple run:
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+## Flags
+
+| flag |  default | description | options |
+| --- | --- | --- | --- |
+| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
+| `-s`/`--silent` | Display progress messages | Silent progress messages |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` | 
+| `-o`/`--output` | print to stdout | Save scan result in file |
+| `--use-from` | | Load local framework object from specified path. If not used will download latest |
+| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--results-locally` | `false` | Kubescape sends scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features | `true`/`false`|
+
+## Usage & Examples
+ 
+### Examples
+
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+```
+
+* Scan local `yaml`/`json` files before deploying
+```
+kubescape scan framework nsa *.yaml
+```
+
+
+* Scan `yaml`/`json` files from url 
+```
+kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
+```
+
+* Output in `json` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
+```
+
+* Output in `junit xml` format 
+```
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
+```
+
+* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
+```
+kubescape scan framework nsa --exceptions examples/exceptions.json
+```
+
+### Helm Support
+
+* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout 
+```
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+```
+
+for example:
+```
+helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+```
+
+### Offline Support <img src="docs/new-feature.svg">
+
+It is possible to run Kubescape offline!
+
+First download the framework and then scan with `--use-from` flag
+
+* Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+```
+kubescape download framework nsa --output nsa.json
+```
+
+* Scan using the downloaded framework 
+```
+kubescape scan framework nsa --use-from nsa.json
+```
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+

install.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-echo "Installing Kubescape..."
+echo -e "\033[0;36mInstalling Kubescape..."
 echo
  
 BASE_DIR=~/.kubescape
@@ -27,18 +27,38 @@ mkdir -p $BASE_DIR
 OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
 
 curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
-echo -e "\033[32m[V] Downloaded Kubescape"
 
-# Ping download counter
-curl --silent https://us-central1-elated-pottery-310110.cloudfunctions.net/kubescape-download-counter -o /dev/null
- 
-chmod +x $OUTPUT 2>&1 || sudo chmod +x $OUTPUT
-rm -f /usr/local/bin/$KUBESCAPE_EXEC 2>&1 || sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
-cp $OUTPUT /usr/local/bin 2>&1 || sudo cp $OUTPUT /usr/local/bin
+# Checking if SUDO needed/exists 
+SUDO=
+if [ "$(id -u)" -ne 0 ] && [ -n "$(which sudo)" ]; then
+    SUDO=sudo
+fi
+
+
+# Find install dir
+install_dir=/usr/local/bin #default
+for pdir in ${PATH//:/ }; do
+    edir="${pdir/#\~/$HOME}"
+    if [[ $edir == $HOME/* ]]; then
+        install_dir=$edir
+        mkdir -p $install_dir 2>/dev/null || true
+        SUDO=
+        break
+    fi
+done
+
+chmod +x $OUTPUT 2>/dev/null 
+$SUDO rm -f /usr/local/bin/$KUBESCAPE_EXEC 2>/dev/null || true # clearning up old install
+$SUDO cp $OUTPUT $install_dir/$KUBESCAPE_EXEC 
 rm -rf $OUTPUT
 
-echo -e "[V] Finished Installation." $($KUBESCAPE_EXEC version)
+echo
+echo -e "\033[32mFinished Installation."
+
+echo -e "\033[0m"
+$KUBESCAPE_EXEC version
 echo
 
-echo -e "\033[35m Usage: $ $KUBESCAPE_EXEC scan framework nsa --exclude-namespaces kube-system,kube-public"
-echo
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan framework nsa --exclude-namespaces kube-system,kube-public"
+
+echo -e "\033[0m"

opaprocessor/processorhandler.go

@@ -123,9 +123,9 @@ func (opap *OPAProcessor) processControl(control *opapolicy.Control) (*opapolicy
 
 	controlReport := opapolicy.ControlReport{}
 	controlReport.PortalBase = control.PortalBase
+	controlReport.ControlID = control.ControlID
 
 	controlReport.Name = control.Name
-	controlReport.ID = control.ID
 	controlReport.Description = control.Description
 	controlReport.Remediation = control.Remediation
 

policyhandler/handlepullpolicies.go

@@ -19,7 +19,7 @@ func (policyHandler *PolicyHandler) GetPoliciesFromBackend(notification *opapoli
 		case opapolicy.KindFramework:
 			receivedFramework, recExceptionPolicies, err := policyHandler.getFrameworkPolicies(rule.Name)
 			if err != nil {
-				errs = fmt.Errorf("%v\nKind: %v, Name: %s, error: %s", errs, rule.Kind, rule.Name, err.Error())
+				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
 			}
 			if receivedFramework != nil {
 				frameworks = append(frameworks, *receivedFramework)

scapepkg/exceptions/exceptionprocessor.go

@@ -69,6 +69,10 @@ func alertObjectToWorkloads(obj *opapolicy.AlertObject) []k8sinterface.IWorkload
 			continue
 		}
 		resource = append(resource, r)
+		ns := r.GetNamespace()
+		if ns != "" {
+
+		}
 	}
 
 	return resource