Merge pull request #1046 from fredbi/fix/1040-empty-framework-name

fix ListFrameworks (could return an empty element)

.gitattributes

@@ -0,0 +1,2 @@
+# Keep CRLF newlines in appropriate test files to have reproducible tests
+core/pkg/fixhandler/testdata/inserts/*-crlf-newlines.yaml text eol=crlf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+# Description
+<!-- A clear and concise description of what the bug is. -->
+
+# Environment
+OS: ` ` <!-- the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS  -->
+Version: ` ` <!-- the version that Kubescape reports when you run `kubescape version`  -->
+ 
+# Steps To Reproduce
+<!--
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+-->
+
+# Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+# Actual Behavior
+<!-- A clear and concise description of what happened. If applicable, add screenshots to help explain your  problem. -->
+
+# Additional context
+<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'feature'
+assignees: ''
+
+---
+
+## Overview
+<!-- A brief overview of the related current state -->
+
+## Problem
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+## Solution
+<!-- A clear and concise description of what you want to happen. -->
+
+## Alternatives
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+<!-- Add any other context or screenshots about the feature request here. -->
+ 

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,47 @@
+## Overview
+<!-- Please provide a brief overview of the changes made in this pull request. e.g. current behavior/future behavior -->
+
+<!-- 
+## Additional Information
+
+> Any additional information that may be useful for reviewers to know 
+-->
+
+<!--
+## How to Test
+
+> Please provide instructions on how to test the changes made in this pull request
+-->
+
+<!--
+## Examples/Screenshots
+
+> Here you add related screenshots 
+-->
+
+<!-- 
+## Related issues/PRs:
+
+Here you add related issues and PRs.
+If this resolved an issue, write "Resolved #<issue number>
+
+e.g. If this PR resolves issues 1 and 2, it should look as follows:
+* Resolved #1
+* Resolved #2
+-->
+
+<!--
+## Checklist before requesting a review
+
+put an [x] in the box to get it checked 
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have commented on my code, particularly in hard-to-understand areas
+- [ ] I have performed a self-review of my code
+- [ ] If it is a core feature, I have added thorough tests.
+- [ ] New and existing unit tests pass locally with my changes
+
+**Please open the PR against the `dev` branch (Unless the PR contains only documentation changes)**
+
+-->
+ 

.github/workflows/01-golang-lint.yaml

@@ -0,0 +1,64 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - dev
+  pull_request:
+    types: [ edited, opened, synchronize, reopened ]
+    branches: 
+      - 'master'
+      - 'main'
+      - 'dev'
+    paths-ignore:
+      - '**.yaml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
+permissions:
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Install libgit2
+        run: make libgit2
+      - name: golangci-lint
+        continue-on-error: true
+        uses: golangci/golangci-lint-action@v3
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: latest
+
+          # Optional: working directory, useful for monorepos
+          # working-directory: somedir
+
+          # Optional: golangci-lint command line arguments.
+          # args: --issues-exit-code=0
+          args: --timeout 10m --build-tags=static
+          #--new-from-rev dev
+
+          # Optional: show only new issues if it's a pull request. The default value is `false`.
+          only-new-issues: true
+
+          # Optional: if set to true then the all caching functionality will be complete disabled,
+          #           takes precedence over all other caching options.
+          # skip-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
+          # skip-pkg-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
+          # skip-build-cache: true

.github/workflows/build-image.yaml

@@ -0,0 +1,89 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      client:
+        description: 'client name'
+        required: true
+        type: string
+      image_tag:
+        description: 'image tag'
+        required: true
+        type: string
+      image_name:
+        description: 'image registry and name'
+        required: true
+        type: string
+      cosign:
+        required: false
+        default: false
+        type: boolean
+        description: 'run cosign on released image'
+      support_platforms:
+        required: false
+        default: true
+        type: boolean
+        description: 'support amd64/arm64'
+
+jobs:
+  check-secret:
+    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+    runs-on: ubuntu-latest
+    outputs:
+      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+    steps:
+      - name: Check whether unity activation requests should be done
+        id: check-secret-set
+        env:
+            QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+            QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+        run: |
+            echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
+
+  build-image:
+    needs: [check-secret]
+    if: needs.check-secret.outputs.is-secret-set == 'true'
+    name: Build image and upload to registry
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Quay.io
+        env:
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+
+      - name: Build and push image
+        if: ${{ inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
+
+      - name: Build and push image without amd64/arm64 support
+        if: ${{ !inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push 
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.12.0'
+      - name: sign kubescape container image
+        if: ${{ inputs.cosign }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+            cosign sign --force ${{ inputs.image_name }}
+

.github/workflows/build.yaml

@@ -2,87 +2,123 @@ name: build
 
 on:
   push:
-    branches: [ master ] 
+    branches: 
+      - 'master'
+      - 'main'
+    paths-ignore:
+      - '**.yaml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
 jobs:
-  once:
-    name: Create release
-    runs-on: ubuntu-latest
-    outputs:
-      upload_url: ${{ steps.create_release.outputs.upload_url }}
-    steps:
-      - name: Create a release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: v1.0.${{ github.run_number }}
-          release_name: Release v1.0.${{ github.run_number }}
-          draft: false
-          prerelease: false
-  build:
-    name: Create cross-platform release build, tag and upload binaries
-    needs: once
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test
+
+  create-release:
+    uses: ./.github/workflows/release.yaml
+    needs: test
+    with:
+      release_name: "Release v2.0.${{ github.run_number }}"
+      tag_name: "v2.0.${{ github.run_number }}"
+    secrets: inherit
+
+  publish-artifacts:
+    name: Build and publish artifacts
+    needs: create-release
     runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [ubuntu-20.04, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v1
-      - name: Set up Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
         with:
-          go-version: 1.17
+          submodules: recursive
+ 
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
 
-      - name: Test
-        run: go test -v ./...
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
+          RELEASE: v2.0.${{ github.run_number }}
+          CLIENT: release
+          CGO_ENABLED: 1
         run: python3 --version && python3 build.py
-      
-      - name: Upload Release binaries
-        id: upload-release-asset
+ 
+      - name: Upload release binaries (Windows / MacOS)
+        id: upload-release-asset-win-macos
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ needs.once.outputs.upload_url }}
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
           asset_path: build/${{ matrix.os }}/kubescape
           asset_name: kubescape-${{ matrix.os }}
           asset_content_type: application/octet-stream
+        if: matrix.os != 'ubuntu-20.04'
 
+      - name: Upload release binaries (Linux)
+        id: upload-release-asset-linux
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: build/ubuntu-latest/kubescape
+          asset_name: kubescape-ubuntu-latest
+          asset_content_type: application/octet-stream
+        if: matrix.os == 'ubuntu-20.04'
 
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
+      - name: Upload release hash (Windows / MacOS)
+        id: upload-release-hash-win-macos
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: build/${{ matrix.os }}/kubescape.sha256
+          asset_name: kubescape-${{ matrix.os }}-sha256
+          asset_content_type: application/octet-stream
+        if: matrix.os != 'ubuntu-20.04'
 
-    steps:
-      - uses: actions/checkout@v2
+      - name: Upload release hash (Linux)
+        id: upload-release-hash-linux
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: build/ubuntu-latest/kubescape.sha256
+          asset_name: kubescape-ubuntu-latest-sha256
+          asset_content_type: application/octet-stream     
+        if: matrix.os == 'ubuntu-20.04'
 
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
-      - name: Re-Tag Image to latest
-        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
-
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-          docker push quay.io/armosec/kubescape:latest
-        
+  publish-image:
+    uses: ./.github/workflows/build-image.yaml
+    needs: create-release
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: "v2.0.${{ github.run_number }}"
+      support_platforms: true
+      cosign: true
+    secrets: inherit

.github/workflows/build_dev.yaml

@@ -3,63 +3,29 @@ name: build-dev
 on:
   push:
     branches: [ dev ]
+    paths-ignore:
+      - '**.yaml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
 jobs:
-  build:
-    name: Create cross-platform dev build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-          
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.euprod1.cyberarmorsoft.com
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-      
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 
-
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-        
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-    
-        
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test
+ 
+  # publish-dev-image:
+  #   uses: ./.github/workflows/build-image.yaml
+  #   needs: test
+  #   with:
+  #     client: "image-dev"
+  #     image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+  #     image_tag: "dev-v2.0.${{ github.run_number }}"
+  #     support_platforms: true
+  #     cosign: true
+  #   secrets: inherit

.github/workflows/close-typos-issues.yaml

@@ -0,0 +1,23 @@
+on:
+  issues:
+    types: [opened, labeled]
+
+jobs:
+  open_PR_message:
+    if: github.event.label.name == 'typo'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ben-z/actions-comment-on-issue@1.0.2
+        with:
+          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          
+          
+  auto_close_issues:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: lee-dohm/close-matching-issues@v2
+        with:
+          query: 'label:typo'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/master_pr_checks.yaml

@@ -1,38 +0,0 @@
-name: master-pr
-
-on:
-  pull_request:
-    branches: [ master ]
-    types: [ edited, opened, synchronize, reopened ]
-jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 

.github/workflows/post-release.yaml

@@ -0,0 +1,19 @@
+name: create release digests
+
+on:
+  release:
+    types: [ published]
+    branches:
+    - 'master'
+    - 'main'
+  
+jobs:
+  once:
+    name: Creating digests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Digest
+        uses: MCJack123/ghaction-generate-release-hashes@v1
+        with:
+          hash-type: sha1
+          file-name: kubescape-release-digests

.github/workflows/pr_checks.yaml

@@ -0,0 +1,24 @@
+name: pr-checks
+
+on:
+  pull_request:
+    types: [ edited, opened, synchronize, reopened ]
+    branches: 
+      - 'master'
+      - 'main'
+      - 'dev'
+    paths-ignore:
+      - '**.yaml'
+      - '**.md'
+      - '**.sh'
+      - 'website/*'
+      - 'examples/*'
+      - 'docs/*'
+      - 'build/*'
+      - '.github/*'
+jobs:
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test

.github/workflows/release.yaml

@@ -0,0 +1,41 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      release_name:
+        description: 'release'
+        required: true
+        type: string
+      tag_name:
+        description: 'tag'
+        required: true
+        type: string
+      draft:
+        description: 'create draft release'
+        required: false
+        type: boolean
+        default: false
+    outputs:
+      upload_url:
+        description: "The first output string"
+        value: ${{ jobs.release.outputs.upload_url }}
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+    steps:
+      - name: Create a release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ inputs.tag_name }}
+          release_name: ${{ inputs.release_name }}
+          draft: ${{ inputs.draft }}
+          prerelease: false
+   

.github/workflows/test.yaml

@@ -0,0 +1,100 @@
+name: test
+
+on:
+  workflow_call:
+    inputs:
+      release:
+        description: 'release'
+        required: true
+        type: string
+      client:
+        description: 'Client name'
+        required: true
+        type: string
+jobs:
+  build:
+    name: Create cross-platform build
+    runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-20.04'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+ 
+      - name: Test core pkg
+        run: go test "-tags=static,gitenabled" -v ./...
+
+      - name: Test httphandler pkg
+        run: cd httphandler && go test "-tags=static,gitenabled" -v ./...
+
+      - name: Build
+        env:
+          RELEASE: ${{ inputs.release }}
+          CLIENT: test
+          CGO_ENABLED: 1
+        run: python3 --version && python3 build.py
+
+      - name: Smoke Testing (Windows / MacOS)
+        env:
+          RELEASE: ${{ inputs.release }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+        if: matrix.os != 'ubuntu-20.04'
+
+      - name: Smoke Testing (Linux)
+        env:
+          RELEASE: ${{ inputs.release }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/ubuntu-latest/kubescape
+        if: matrix.os == 'ubuntu-20.04'        

.gitignore

@@ -1,5 +1,9 @@
 *.vs*
 *kubescape*
 *debug*
-*vender*
-.idea
+*vendor*
+*.pyc*
+.idea
+.history
+ca.srl
+*.out

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "git2go"]
+	path = git2go
+	url = https://github.com/libgit2/git2go.git

.golangci.yml

@@ -0,0 +1,57 @@
+linters-settings:
+  govet:
+    check-shadowing: true
+  dupl:
+    threshold: 200
+  goconst:
+    min-len: 3
+    min-occurrences: 2
+  gocognit:
+    min-complexity: 65
+
+linters:
+  enable:
+    - gosec
+    - staticcheck
+    - nolintlint
+    - gofmt
+    - unused
+    - govet
+    - bodyclose
+    - typecheck
+    - goimports
+    - ineffassign
+    - gosimple
+  disable:
+    # temporarily disabled
+    - varcheck
+    - errcheck
+    - dupl
+    - gocritic
+    - gocognit
+    - nakedret
+    - revive
+    - stylecheck
+    - unconvert
+    - unparam
+    #- forbidigo # <- see later
+    # should remain disabled
+    - deadcode   # deprecated linter
+    - maligned
+    - lll
+    - gochecknoinits
+    - gochecknoglobals
+issues:
+  exclude-rules:
+    - linters:
+      - revive
+      text: "var-naming"
+    - linters:
+      - revive
+      text: "type name will be used as (.+?) by other packages, and that stutters"
+    - linters:
+      - stylecheck
+      text: "ST1003"
+run:
+  skip-dirs:
+    - git2go

CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+## Code of Conduct
+
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

CONTRIBUTING.md

@@ -3,15 +3,17 @@
 First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
 
 When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope are limited to a single or two files
-* Complex features and improvements, whose are not limited
+* Small code changes or fixes, whose scope is limited to a single or two files
+* Complex features and improvements, with potentially unlimited scope
 
 If you have a small change, feel free to fire up a Pull Request.
 
-When planning a bigger change, please first discuss the change you wish to make via issue,
-email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+When planning a bigger change, please first discuss the change you wish to make via an issue,
+so the maintainers are able to help guide you and let you know if you are going in the right direction.
 
-Please note we have a code of conduct, please follow it in all your interactions with the project.
+## Code of Conduct
+
+Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
 
 ## Pull Request Process
 
@@ -19,81 +21,44 @@ Please note we have a code of conduct, please follow it in all your interactions
    build.
 2. Update the README.md with details of changes to the interface, this includes new environment 
    variables, exposed ports, useful file locations and container parameters.
-3. We will merge the Pull Request in once you have the sign-off.
+3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
+4. We will merge the Pull Request once you have the sign-off.
 
-## Code of Conduct
+## Developer Certificate of Origin
 
-### Our Pledge
+All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
 
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
+Commits made through the GitHub web application are automatically signed off.
 
-### Our Standards
+### Configuring Git to sign off commits
 
-Examples of behavior that contributes to creating a positive environment
-include:
+First, configure your name and email address in Git global settings:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+```
+$ git config --global user.name "John Doe" 
+$ git config --global user.email johndoe@example.com
+```
 
-Examples of unacceptable behavior by participants include:
+You can now sign off per-commit, or configure Git to always sign off commits per repository.
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+### Sign off per-commit
 
-We will distance those who are constantly adhere to unacceptable behavior.
+Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
 
-### Our Responsibilities
+```git commit -s -m "Fix issue 64738"```
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
+This is tedious, and if you forget, you'll have to [amend your commit](#f)
 
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
+### Configure a repository to always include sign off
 
-### Scope
+There are many ways to achieve this with Git hooks, but the simplest is to do the following:
 
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
+```
+cd your-repo
+curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
+chmod +x .git/hooks/prepare-commit-msg
+```
 
-### Enforcement
+## Fixing a commit where the DCO failed
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-### Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).

MAINTAINERS.md

@@ -0,0 +1,11 @@
+# Maintainers
+
+The following table lists the Kubescape project maintainers:
+
+| Name | GitHub | Organization | Added/Renewed On |
+| --- | --- | --- | --- |
+| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
+| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [ARMO](https://www.armosec.io/) | 2022-10-31 |

Makefile

@@ -0,0 +1,20 @@
+.PHONY: test all build libgit2
+
+# default task invoked while running make
+all: libgit2 build
+
+export CGO_ENABLED=1
+
+# build and install libgit2
+libgit2:
+	-git submodule update --init --recursive
+	cd git2go; make install-static
+
+# go build tags
+TAGS = "gitenabled,static"
+
+build:
+	go build -v -tags=$(TAGS) .
+
+test:
+	go test -v -tags=$(TAGS) ./...

README.md

@@ -1,259 +1,94 @@
-<img src="docs/kubescape.png" width="300" alt="logo" align="center">
+[![Version](https://img.shields.io/github/v/release/kubescape/kubescape)](releases)
+[![build](https://github.com/kubescape/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/build.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
+[![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
+[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
 
-[![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
-[![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
+# Kubescape
 
-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks:
-regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .  
-Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
-Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+</picture>
 
-</br>
+_An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters_
 
-<img src="docs/demo.gif">
+Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
 
-# TL;DR
-## Install:
-```
-curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
+Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
+
+## Demo
+<img src="docs/img/demo.gif">
+
+_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_
+
+## Getting started
+
+Experimenting with Kubescape is as easy as:
+
+```sh
+curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
-[Install on windows](#install-on-windows)
+Learn more about:
 
-[Install on macOS](#install-on-macos)
+* [Installing Kubescape](docs/getting-started.md#install-kubescape)
+* [Running your first scan](docs/getting-started.md#run-your-first-scan)
+* [Usage](docs/getting-started.md#examples)
+* [Architecture](docs/architecture.md)
+* [Building Kubescape from source](docs/building.md)
 
-## Run:
-```
-kubescape scan framework nsa
-```
+_Did you know you can use Kubescape in all these places?_
 
-<img src="docs/summary.png">
+<div align="center">
+    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
+</div>
 
-### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀
+## Under the hood
 
-# Being part of the team
+Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
 
-We invite you to our team! We are excited about this project and want to return the love we get.
+By default, the results are printed in a console-friendly manner, but they can be:
 
-Want to contribute? Want to discuss something? Have an issue?
+* exported to JSON or junit XML
+* rendered to HTML or PDF
+* submitted to a [cloud service](docs/providers.md)
 
-* Open a issue, we are trying to respond within 48 hours
-* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server!
+It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
 
-[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
+## Community
 
-# Options and examples
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
 
-## Install on Windows
+We hold [community meetings](https://us02web.zoom.us/j/84020231442) on Zoom, on the first Tuesday of every month, at 14:00 GMT.
 
-**Requires powershell v5.0+**
+The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
-``` powershell
-iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
-```
+## Contributions 
 
-Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
+Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
 
-``` powershell
-Set-ExecutionPolicy RemoteSigned -scope CurrentUser
-```
+* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
+* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
+* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
 
-## Install on macOS
+<br>
 
-1. ```
-    brew tap armosec/kubescape
-    ```
-2. ```
-    brew install kubescape
-    ```
+<a href = "https://github.com/kubescape/kubescape/graphs/contributors">
+  <img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/>
+</a>
 
-## Flags
+## License
 
-| flag |  default | description | options |
-| --- | --- | --- | --- |
-| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
-| `-s`/`--silent` | Display progress messages | Silent progress messages |
-| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
-| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
-| `-o`/`--output` | print to stdout | Save scan result in file |
-| `--use-from` | | Load local framework object from specified path. If not used will download latest |
-| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
-| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
-| `--submit` | `false` | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`|
-| `--keep-local` | `false` | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results | `true`/`false`|
-| `--account` | | Armo portal account ID. Default will load account ID from configMap or config file | |
+Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
 
-## Usage & Examples
+Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
 
-### Examples
-
-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to [ARMO portal](https://portal.armo.cloud/)
-```
-kubescape scan framework nsa --submit
-```
-
-
-* Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to [ARMO portal](https://portal.armo.cloud/)
-```
-kubescape scan framework mitre --submit
-```
-
-
-* Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armo.cloud/docs/controls) 
-```
-kubescape scan control "Privileged container"
-```
-
-* Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
-```
-kubescape scan framework nsa *.yaml
-```
-
-
-* Scan kubernetes manifest files from a public github repository 
-```
-kubescape scan framework nsa https://github.com/armosec/kubescape
-```
-
-* Output in `json` format
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
-```
-
-* Output in `junit xml` format
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
-```
-
-* Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
-```
-kubescape scan framework nsa --exceptions examples/exceptions.json
-```
-
-### Repeatedly Kubescape Scanning using a CronJob
-
-For setting up a cronJob please follow the [instructions](examples/cronJob-suport/README.md) 
-
-### Helm Support
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
-```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
-```
-
-for example:
-```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
-```
-### Offline Support
-
-It is possible to run Kubescape offline!
-
-First download the framework and then scan with `--use-from` flag
-
-1. Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
-```
-kubescape download framework nsa --output nsa.json
-```
-
-2. Scan using the downloaded framework
-```
-kubescape scan framework nsa --use-from nsa.json
-```
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
-
-# How to build
-
-## Build using python (3.7^) script
-
-Kubescpae can be built using:
-
-``` sh
-python build.py
-```
-
-Note: In order to built using the above script, one must set the environment
-variables in this script:
-
-+ RELEASE
-+ ArmoBEServer
-+ ArmoERServer
-+ ArmoWebsite
-
-
-## Build using go
-
-Note: development (and the release process) is done with Go `1.17`
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-go build -o kubescape .
-```
-
-3. Run
-```
-./kubescape scan framework nsa
-```
-
-4. Enjoy :zany_face:
-
-## Docker Support
-
-### Official Docker image
-```
-quay.io/armosec/kubescape
-```
-### Build your own Docker image
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-docker build -t kubescape -f build/Dockerfile .
-```
-
-# Under the hood
-
-## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
-* Non-root containers
-* Immutable container filesystem
-* Privileged containers
-* hostPID, hostIPC privileges
-* hostNetwork access
-* allowedHostPaths field
-* Protecting pod service account tokens
-* Resource policies
-* Control plane hardening
-* Exposed dashboard
-* Allow privilege escalation
-* Applications credentials in configuration files
-* Cluster-admin binding
-* Exec into container
-* Dangerous capabilities
-* Insecure capabilities
-* Linux hardening
-* Ingress and Egress blocked
-* Container hostPort
-* Network policies
-* Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
-
-
-
-## Technology
-Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.
-
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/).
-
-The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+<div align="center">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
+</div>

build.bat

@@ -0,0 +1,51 @@
+@ECHO OFF
+
+IF "%1"=="install" goto Install
+IF "%1"=="build" goto Build
+IF "%1"=="all" goto All
+IF "%1"=="" goto Error ELSE goto Error
+
+:Install
+
+if exist C:\MSYS64\ (
+    echo "MSYS2 already installed"
+) else (
+    mkdir temp_install & cd temp_install
+
+    echo "Downloading MSYS2..."
+    curl -L https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe > msys2-x86_64-20220603.exe
+
+    echo "Installing MSYS2..."
+    msys2-x86_64-20220603.exe install --root C:\MSYS64 --confirm-command
+
+    cd .. && rmdir /s /q temp_install
+)
+
+
+echo "Adding MSYS2 to path..."
+SET "PATH=C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;%PATH%"
+echo %PATH%
+
+echo "Installing MSYS2 packages..."
+pacman -S --needed --noconfirm make
+pacman -S --needed --noconfirm mingw-w64-x86_64-cmake
+pacman -S --needed --noconfirm mingw-w64-x86_64-gcc
+pacman -S --needed --noconfirm mingw-w64-x86_64-pkg-config
+pacman -S --needed --noconfirm msys2-w32api-runtime
+
+IF "%1"=="all" GOTO Build
+GOTO End
+
+:Build
+SET "PATH=C:\MSYS2\mingw64\bin;C:\MSYS2\usr\bin;%PATH%"
+make libgit2
+GOTO End
+
+:All
+GOTO Install
+
+:Error
+echo "Error: Unknown option"
+GOTO End
+
+:End

build.py

@@ -4,79 +4,77 @@ import hashlib
 import platform
 import subprocess
 
-BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
-BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
-ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
-WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+BASE_GETTER_CONST = "github.com/kubescape/kubescape/v2/core/cautils/getter"
 
-def checkStatus(status, msg):
+def check_status(status, msg):
     if status != 0:
         sys.stderr.write(msg)
         exit(status)
 
 
-def getBuildDir():
-    currentPlatform = platform.system()
-    buildDir = "build/"
+def get_build_dir():
+    current_platform = platform.system()
+    build_dir = ""
 
-    if currentPlatform == "Windows": buildDir += "windows-latest"
-    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
-    elif currentPlatform == "Darwin": buildDir += "macos-latest"
-    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
+    if current_platform == "Windows": build_dir = "windows-latest"
+    elif current_platform == "Linux": build_dir = "ubuntu-latest"
+    elif current_platform == "Darwin": build_dir = "macos-latest"
+    else: raise OSError("Platform %s is not supported!" % (current_platform))
 
-    return buildDir
+    return os.path.join("build", build_dir)
 
-def getPackageName():
-    packageName = "kubescape"
-    # if platform.system() == "Windows": packageName += ".exe"
 
-    return packageName
+def get_package_name():
+    package_name = "kubescape"
+
+    return package_name
 
 
 def main():
     print("Building Kubescape")
 
-    # print environment variables
-    print(os.environ)
-
     # Set some variables
-    packageName = getPackageName()
-    buildUrl = "github.com/armosec/kubescape/clihandler/cmd.BuildNumber"
-    releaseVersion = os.getenv("RELEASE")
-    ArmoBEServer = os.getenv("ArmoBEServer")
-    ArmoERServer = os.getenv("ArmoERServer")
-    ArmoWebsite = os.getenv("ArmoWebsite")
+    package_name = get_package_name()
+    build_url = "github.com/kubescape/kubescape/v2/core/cautils.BuildNumber"
+    release_version = os.getenv("RELEASE")
+
+    client_var = "github.com/kubescape/kubescape/v2/core/cautils.Client"
+    client_name = os.getenv("CLIENT")
 
     # Create build directory
-    buildDir = getBuildDir()
+    build_dir = get_build_dir()
 
-    if not os.path.isdir(buildDir):
-        os.makedirs(buildDir)
+    ks_file = os.path.join(build_dir, package_name)
+    hash_file = ks_file + ".sha256"
+
+    if not os.path.isdir(build_dir):
+        os.makedirs(build_dir)
 
     # Build kubescape
-    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
-        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
-           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
-    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
-    checkStatus(status, "Failed to build kubescape")
-    
-    test_cli_prints(buildDir,packageName)
+    ldflags = "-w -s"
+    if release_version:
+        ldflags += " -X {}={}".format(build_url, release_version)
+    if client_name:
+        ldflags += " -X {}={}".format(client_var, client_name)
 
+    build_command = ["go", "build", "-buildmode=pie", "-tags=static,gitenabled", "-o", ks_file, "-ldflags" ,ldflags]
 
-    sha1 = hashlib.sha1()
-    with open(buildDir + "/" + packageName, "rb") as kube:
-        sha1.update(kube.read())
-        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
-            kube_sha.write(sha1.hexdigest())
+    print("Building kubescape and saving here: {}".format(ks_file))
+    print("Build command: {}".format(" ".join(build_command)))
+
+    status = subprocess.call(build_command)
+    check_status(status, "Failed to build kubescape")
+
+    sha256 = hashlib.sha256()
+    with open(ks_file, "rb") as kube:
+        sha256.update(kube.read())
+        with open(hash_file, "w") as kube_sha:
+            hash = sha256.hexdigest()
+            print("kubescape hash: {}, file: {}".format(hash, hash_file))
+            kube_sha.write(sha256.hexdigest())
 
     print("Build Done")
 
-def test_cli_prints(buildDir,packageName):
-    bin_cli = os.path.abspath(os.path.join(buildDir,packageName))
-
-    print(f"testing CLI prints on {bin_cli}")
-    status = str(subprocess.check_output([bin_cli, "-h"]))
-    assert "download" in status, "download is missing: " + status    
 
 if __name__ == "__main__":
     main()

build/Dockerfile

@@ -1,27 +1,51 @@
-FROM golang:1.17-alpine as builder
-#ENV GOPROXY=https://goproxy.io,direct
+FROM golang:1.19-alpine as builder
+
+ARG image_version
+ARG client
+
+ENV RELEASE=$image_version
+ENV CLIENT=$client
+
 ENV GO111MODULE=
 
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=1
 
 # Install required python/pip
 ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
+RUN apk add --update --no-cache python3 gcc make git libc-dev binutils-gold cmake pkgconfig && ln -sf python3 /usr/bin/python
 RUN python3 -m ensurepip
 RUN pip3 install --no-cache --upgrade pip setuptools
 
 WORKDIR /work
 ADD . .
 
+# install libgit2
+RUN rm -rf git2go && make libgit2
+
+# build kubescape server
+WORKDIR /work/httphandler
+RUN python build.py
+RUN ls -ltr build/ubuntu-latest
+
+# build kubescape cmd
+WORKDIR /work
 RUN python build.py
 
-RUN ls -ltr build/ubuntu-latest
-RUN cat /work/build/ubuntu-latest/kubescape.sha1
+RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
 
-FROM alpine
+FROM alpine:3.16.2
+
+RUN addgroup -S ks && adduser -S ks -G ks
+
+COPY --from=builder /work/artifacts/ /home/ks/.kubescape
+
+RUN chown -R ks:ks /home/ks/.kubescape
+
+USER ks
+
+WORKDIR /home/ks
+
+COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
 COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
 
-# # Download the frameworks. Use the "--use-default" flag when running kubescape
-# RUN kubescape download framework nsa && kubescape download framework mitre
-
-ENTRYPOINT ["kubescape"]
+ENTRYPOINT ["ksserver"]

build/README.md

@@ -0,0 +1,13 @@
+## Docker Build
+
+### Build your own Docker image
+
+1. Clone Project
+```
+git clone https://github.com/kubescape/kubescape.git kubescape && cd "$_"
+```
+
+2. Build
+```
+docker build -t kubescape -f build/Dockerfile .
+```

cautils/customerloader.go

@@ -1,474 +0,0 @@
-package cautils
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	corev1 "k8s.io/api/core/v1"
-)
-
-const (
-	configMapName  = "kubescape"
-	configFileName = "config"
-)
-
-func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
-
-// ======================================================================================
-// =============================== Config structure =====================================
-// ======================================================================================
-
-type ConfigObj struct {
-	CustomerGUID       string `json:"customerGUID"`
-	Token              string `json:"invitationParam"`
-	CustomerAdminEMail string `json:"adminMail"`
-	ClusterName        string `json:"clusterName"`
-}
-
-func (co *ConfigObj) Json() []byte {
-	if b, err := json.Marshal(co); err == nil {
-		return b
-	}
-	return []byte{}
-}
-
-// Config - convert ConfigObj to config file
-func (co *ConfigObj) Config() []byte {
-	clusterName := co.ClusterName
-	co.ClusterName = "" // remove cluster name before saving to file
-	b, err := json.Marshal(co)
-	co.ClusterName = clusterName
-
-	if err == nil {
-		return b
-	}
-
-	return []byte{}
-}
-
-// ======================================================================================
-// =============================== interface ============================================
-// ======================================================================================
-type IClusterConfig interface {
-
-	// set
-	SetConfig(customerGUID string) error
-
-	// getters
-	GetClusterName() string
-	GetCustomerGUID() string
-	GetConfigObj() *ConfigObj
-	GetK8sAPI() *k8sinterface.KubernetesApi
-	GetBackendAPI() getter.IBackend
-	GetDefaultNS() string
-	GenerateURL()
-}
-
-// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
-func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
-	/*
-
-		If "First run (local config not found)" -
-			Default - Do not send report (local)
-			Local - Do not send report
-			Submit - Create tenant & Submit report
-
-		If "Submitted but not signed up" -
-			Default	- Delete local config & Do not send report (local)
-			Local - Delete local config & Do not send report
-			Submit - Submit report
-
-		If "Signed up user" -
-			Default	- Submit report (submit)
-			Local - Do not send report
-			Submit - Submit report
-
-	*/
-	clusterConfig := NewClusterConfig(k8s, beAPI)
-	clusterConfig.LoadConfig()
-
-	if !IsSubmitted(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit - Create tenant & Submit report
-		}
-		return NewEmptyConfig() // local/default - Do not send report
-	}
-	if !IsRegistered(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit/default - Submit report
-		}
-		DeleteConfig(k8s)
-		return NewEmptyConfig() // local - Delete local config & Do not send report
-	}
-	if scanInfo.Local {
-		scanInfo.Submit = false
-		return NewEmptyConfig() // local - Do not send report
-	}
-	scanInfo.Submit = true
-	return clusterConfig // submit/default -  Submit report
-}
-
-// ======================================================================================
-// ============================= Mock Config ============================================
-// ======================================================================================
-type EmptyConfig struct {
-}
-
-func NewEmptyConfig() *EmptyConfig                            { return &EmptyConfig{} }
-func (c *EmptyConfig) SetConfig(customerGUID string) error    { return nil }
-func (c *EmptyConfig) GetConfigObj() *ConfigObj               { return &ConfigObj{} }
-func (c *EmptyConfig) GetCustomerGUID() string                { return "" }
-func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetDefaultNS() string                   { return k8sinterface.GetDefaultNamespace() }
-func (c *EmptyConfig) GetBackendAPI() getter.IBackend         { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetClusterName() string                 { return k8sinterface.GetClusterName() }
-func (c *EmptyConfig) GenerateURL() {
-	message := fmt.Sprintf("\nCheckout for more cool features: https://%s\n", getter.GetArmoAPIConnector().GetFrontendURL())
-	InfoTextDisplay(os.Stdout, fmt.Sprintf("\n%s\n", message))
-}
-
-// ======================================================================================
-// ========================== Cluster Config ============================================
-// ======================================================================================
-
-type ClusterConfig struct {
-	k8s        *k8sinterface.KubernetesApi
-	defaultNS  string
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
-}
-
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
-	return &ClusterConfig{
-		k8s:        k8s,
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-		defaultNS:  k8sinterface.GetDefaultNamespace(),
-	}
-}
-func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
-func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
-func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
-func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
-
-func (c *ClusterConfig) GenerateURL() {
-	message := "Checkout for more cool features: "
-
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
-	if c.configObj == nil {
-		return
-	}
-	if c.configObj.CustomerAdminEMail != "" {
-		InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-		return
-	}
-	u.Path = "account/sign-up"
-	q := u.Query()
-	q.Add("invitationToken", c.configObj.Token)
-	q.Add("customerGUID", c.configObj.CustomerGUID)
-
-	u.RawQuery = q.Encode()
-	InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-}
-
-func (c *ClusterConfig) GetCustomerGUID() string {
-	if c.configObj != nil {
-		return c.configObj.CustomerGUID
-	}
-	return ""
-}
-
-func (c *ClusterConfig) SetConfig(customerGUID string) error {
-	if c.configObj == nil {
-		c.configObj = &ConfigObj{}
-	}
-
-	// cluster name
-	if c.GetClusterName() == "" {
-		c.setClusterName(k8sinterface.GetClusterName())
-	}
-
-	// ARMO customer GUID
-	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
-		c.setCustomerGUID(customerGUID) // override config customerGUID
-	}
-
-	customerGUID = c.GetCustomerGUID()
-
-	// get from armoBE
-	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			c.setCustomerAdminEMail(tenantResponse.AdminMail)
-		} else {
-			c.setToken(tenantResponse.Token)
-			c.setCustomerGUID(tenantResponse.TenantID)
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	// update/create config
-	if c.existsConfigMap() {
-		c.updateConfigMap()
-	} else {
-		c.createConfigMap()
-	}
-	c.updateConfigFile()
-
-	return nil
-}
-
-func (c *ClusterConfig) setToken(token string) {
-	c.configObj.Token = token
-}
-
-func (c *ClusterConfig) setCustomerAdminEMail(customerAdminEMail string) {
-	c.configObj.CustomerAdminEMail = customerAdminEMail
-}
-func (c *ClusterConfig) setCustomerGUID(customerGUID string) {
-	c.configObj.CustomerGUID = customerGUID
-}
-
-func (c *ClusterConfig) setClusterName(clusterName string) {
-	c.configObj.ClusterName = clusterName
-}
-func (c *ClusterConfig) GetClusterName() string {
-	return c.configObj.ClusterName
-}
-func (c *ClusterConfig) LoadConfig() {
-	// get from configMap
-	if c.existsConfigMap() {
-		c.configObj, _ = c.loadConfigFromConfigMap()
-	} else if existsConfigFile() { // get from file
-		c.configObj, _ = loadConfigFromFile()
-	} else {
-		c.configObj = &ConfigObj{}
-	}
-}
-
-func (c *ClusterConfig) ToMapString() map[string]interface{} {
-	m := map[string]interface{}{}
-	if bc, err := json.Marshal(c.configObj); err == nil {
-		json.Unmarshal(bc, &m)
-	}
-	return m
-}
-func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
-	if c.k8s == nil {
-		return nil, nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	if bData, err := json.Marshal(configMap.Data); err == nil {
-		return readConfig(bData)
-	}
-	return nil, nil
-}
-
-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	// TODO - check if has customerGUID
-	return err == nil
-}
-
-func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return "", err
-	}
-	if val, ok := configMap.Data[key]; ok {
-		return val, nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-}
-
-func GetValueFromConfigJson(key string) (string, error) {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return "", err
-	}
-	var obj map[string]interface{}
-	if err := json.Unmarshal(data, &obj); err != nil {
-		return "", err
-	}
-	if val, ok := obj[key]; ok {
-		return fmt.Sprint(val), nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-
-}
-
-func SetKeyValueInConfigJson(key string, value string) error {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return err
-	}
-	var obj map[string]interface{}
-	err = json.Unmarshal(data, &obj)
-
-	if err != nil {
-		return err
-	}
-	obj[key] = value
-	newData, err := json.Marshal(obj)
-	if err != nil {
-		return err
-	}
-
-	return os.WriteFile(ConfigFileFullPath(), newData, 0664)
-
-}
-
-func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: configMapName,
-			},
-		}
-	}
-
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-
-	configMap.Data[key] = value
-
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
-
-	return err
-}
-
-func existsConfigFile() bool {
-	_, err := os.ReadFile(ConfigFileFullPath())
-	return err == nil
-}
-
-func (c *ClusterConfig) createConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: configMapName,
-		},
-	}
-	c.updateConfigData(configMap)
-
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return err
-	}
-
-	c.updateConfigData(configMap)
-
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigFile() error {
-	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Config(), 0664); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-	m := c.ToMapString()
-	for k, v := range m {
-		if s, ok := v.(string); ok {
-			configMap.Data[k] = s
-		}
-	}
-}
-func loadConfigFromFile() (*ConfigObj, error) {
-	dat, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return nil, err
-	}
-
-	return readConfig(dat)
-}
-func readConfig(dat []byte) (*ConfigObj, error) {
-
-	if len(dat) == 0 {
-		return nil, nil
-	}
-	configObj := &ConfigObj{}
-	err := json.Unmarshal(dat, configObj)
-
-	return configObj, err
-}
-
-// Check if the customer is submitted
-func IsSubmitted(clusterConfig *ClusterConfig) bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
-}
-
-// Check if the customer is registered
-func IsRegistered(clusterConfig *ClusterConfig) bool {
-
-	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			return true
-		}
-	}
-	return false
-}
-
-func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
-	if err := DeleteConfigMap(k8s); err != nil {
-		return err
-	}
-	if err := DeleteConfigFile(); err != nil {
-		return err
-	}
-	return nil
-}
-func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
-	return k8s.KubernetesClient.CoreV1().ConfigMaps(k8sinterface.GetDefaultNamespace()).Delete(context.Background(), configMapName, metav1.DeleteOptions{})
-}
-
-func DeleteConfigFile() error {
-	return os.Remove(ConfigFileFullPath())
-}

cautils/datastructures.go

@@ -1,51 +0,0 @@
-package cautils
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// K8SResources map[<api group>/<api version>/<resource>]<resource object>
-type K8SResources map[string]interface{}
-
-type OPASessionObj struct {
-	Frameworks    []reporthandling.Framework
-	K8SResources  *K8SResources
-	Exceptions    []armotypes.PostureExceptionPolicy
-	PostureReport *reporthandling.PostureReport
-}
-
-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   frameworks,
-		K8SResources: k8sResources,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  ClusterName,
-			CustomerGUID: CustomerGUID,
-		},
-	}
-}
-
-func NewOPASessionObjMock() *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   nil,
-		K8SResources: nil,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  "",
-			CustomerGUID: "",
-			ReportID:     "",
-			JobID:        "",
-		},
-	}
-}
-
-type ComponentConfig struct {
-	Exceptions Exception `json:"exceptions"`
-}
-
-type Exception struct {
-	Ignore        *bool                      `json:"ignore"`        // ignore test results
-	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
-	Namespaces    []string                   `json:"namespaces"`
-	Regex         string                     `json:"regex"` // not supported
-}

cautils/display.go

@@ -1,79 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/briandowns/spinner"
-	"github.com/fatih/color"
-	"github.com/mattn/go-isatty"
-)
-
-var silent = false
-
-func SetSilentMode(s bool) {
-	silent = s
-}
-
-func IsSilent() bool {
-	return silent
-}
-
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New().FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
-
-var Spinner *spinner.Spinner
-
-func ScanStartDisplay() {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "ARMO security scanner starting\n")
-}
-
-func SuccessTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[success] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ErrorDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[Error] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ProgressTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "[progress] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-func StartSpinner() {
-	if !IsSilent() && isatty.IsTerminal(os.Stdout.Fd()) {
-		Spinner = spinner.New(spinner.CharSets[7], 100*time.Millisecond) // Build our new spinner
-		Spinner.Start()
-	}
-}
-
-func StopSpinner() {
-	if Spinner == nil {
-		return
-	}
-	Spinner.Stop()
-}

cautils/downloadinfo.go

@@ -1,7 +0,0 @@
-package cautils
-
-type DownloadInfo struct {
-	Path          string
-	FrameworkName string
-	ControlName   string
-}

cautils/environments.go

@@ -1,11 +0,0 @@
-package cautils
-
-// CA environment vars
-var (
-	CustomerGUID          = ""
-	ClusterName           = ""
-	EventReceiverURL      = ""
-	NotificationServerURL = ""
-	DashboardBackendURL   = ""
-	RestAPIPort           = "4001"
-)

cautils/getter/armoapi.go

@@ -1,148 +0,0 @@
-package getter
-
-import (
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/golang/glog"
-)
-
-// =======================================================================================================================
-// =============================================== ArmoAPI ===============================================================
-// =======================================================================================================================
-
-var (
-	// ATTENTION!!!
-	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
-	armoERURL = "report.armo.cloud"
-	armoBEURL = "api.armo.cloud"
-	armoFEURL = "portal.armo.cloud"
-
-	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
-	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui.eudev3.cyberarmorsoft.com"
-)
-
-// Armo API for downloading policies
-type ArmoAPI struct {
-	httpClient *http.Client
-	apiURL     string
-	erURL      string
-	feURL      string
-}
-
-var globalArmoAPIConnecctor *ArmoAPI
-
-func SetARMOAPIConnector(armoAPI *ArmoAPI) {
-	globalArmoAPIConnecctor = armoAPI
-}
-
-func GetArmoAPIConnector() *ArmoAPI {
-	if globalArmoAPIConnecctor == nil {
-		glog.Error("returning nil API connector")
-	}
-	return globalArmoAPIConnecctor
-}
-
-func NewARMOAPIDev() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoDevBEURL
-	apiObj.erURL = armoDevERURL
-	apiObj.feURL = armoDevFEURL
-
-	return apiObj
-}
-
-func NewARMOAPIProd() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoBEURL
-	apiObj.erURL = armoERURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.erURL = armoERURL
-	apiObj.apiURL = armoBEURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func newArmoAPI() *ArmoAPI {
-	return &ArmoAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
-	}
-}
-
-func (armoAPI *ArmoAPI) GetFrontendURL() string {
-	return armoAPI.feURL
-}
-
-func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
-	return armoAPI.erURL
-}
-
-func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
-	if err != nil {
-		return nil, err
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return nil, err
-	}
-	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
-
-	return framework, err
-}
-
-func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	exceptions := []armotypes.PostureExceptionPolicy{}
-	if customerGUID == "" {
-		return exceptions, nil
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
-		return nil, err
-	}
-
-	return exceptions, nil
-}
-
-func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
-	url := armoAPI.getCustomerURL()
-	if customerGUID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url)
-	if err != nil {
-		return nil, err
-	}
-	tenant := &TenantResponse{}
-	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
-		return nil, err
-	}
-
-	return tenant, nil
-}
-
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
-}

cautils/getter/armoapiutils.go

@@ -1,44 +0,0 @@
-package getter
-
-import (
-	"net/url"
-	"strings"
-)
-
-func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
-	q.Add("frameworkName", strings.ToUpper(frameworkName))
-	q.Add("getRules", "true")
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoPostureExceptions"
-
-	q := u.Query()
-	q.Add("customerGUID", customerGUID)
-	// if clusterName != "" { // TODO - fix customer name support in Armo BE
-	// 	q.Add("clusterName", clusterName)
-	// }
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getCustomerURL() string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/createTenant"
-	return u.String()
-}

cautils/getter/downloadreleasedpolicy.go

@@ -1,46 +0,0 @@
-package getter
-
-import (
-	"strings"
-
-	"github.com/armosec/opa-utils/gitregostore"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// =======================================================================================================================
-// ======================================== DownloadReleasedPolicy =======================================================
-// =======================================================================================================================
-
-// Download released version
-type DownloadReleasedPolicy struct {
-	gs *gitregostore.GitRegoStore
-}
-
-func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
-	return &DownloadReleasedPolicy{
-		gs: gitregostore.InitDefaultGitRegoStore(-1),
-	}
-}
-
-// Return control per name/id using ARMO api
-func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
-	var control *reporthandling.Control
-	var err error
-	if strings.HasPrefix(policyName, "C-") || strings.HasPrefix(policyName, "c-") {
-		control, err = drp.gs.GetOPAControlByID(policyName)
-	} else {
-		control, err = drp.gs.GetOPAControlByName(policyName)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return control, nil
-}
-
-func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
-	framework, err := drp.gs.GetOPAFrameworkByName(name)
-	if err != nil {
-		return nil, err
-	}
-	return framework, err
-}

cautils/getter/getpolicies.go

@@ -1,18 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-	GetControl(policyName string) (*reporthandling.Control, error)
-}
-
-type IExceptionsGetter interface {
-	GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error)
-}
-type IBackend interface {
-	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
-}

cautils/getter/getpoliciesutils.go

@@ -1,125 +0,0 @@
-package getter
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-func GetDefaultPath(name string) string {
-	defaultfilePath := filepath.Join(DefaultLocalStore, name)
-	if homeDir, err := os.UserHomeDir(); err == nil {
-		defaultfilePath = filepath.Join(homeDir, defaultfilePath)
-	}
-	return defaultfilePath
-}
-
-// Save control as json in file
-func SaveControlInFile(control *reporthandling.Control, pathStr string) error {
-	encodedData, err := json.Marshal(control)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func SaveFrameworkInFile(framework *reporthandling.Framework, pathStr string) error {
-	encodedData, err := json.Marshal(framework)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *json.Decoder {
-	dec := json.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-	return dec
-}
-
-func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
-
-	req, err := http.NewRequest("GET", fullURL, nil)
-	if err != nil {
-		return "", err
-	}
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	respStr, err := httpRespToString(resp)
-	if err != nil {
-		return "", err
-	}
-	return respStr, nil
-}
-
-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
-func httpRespToString(resp *http.Response) (string, error) {
-	if resp == nil || resp.Body == nil {
-		return "", nil
-	}
-	strBuilder := strings.Builder{}
-	defer resp.Body.Close()
-	if resp.ContentLength > 0 {
-		strBuilder.Grow(int(resp.ContentLength))
-	}
-	bytesNum, err := io.Copy(&strBuilder, resp.Body)
-	respStr := strBuilder.String()
-	if err != nil {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		respStrNewLen := len(respStr)
-		if respStrNewLen > 1024 {
-			respStrNewLen = 1024
-		}
-		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
-	}
-
-	return respStr, err
-}

cautils/getter/loadpolicy.go

@@ -1,76 +0,0 @@
-package getter
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// =======================================================================================================================
-// ============================================== LoadPolicy =============================================================
-// =======================================================================================================================
-const DefaultLocalStore = ".kubescape"
-
-// Load policies from a local repository
-type LoadPolicy struct {
-	filePath string
-}
-
-func NewLoadPolicy(filePath string) *LoadPolicy {
-	return &LoadPolicy{
-		filePath: filePath,
-	}
-}
-
-// Return control from file
-func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, error) {
-
-	control := &reporthandling.Control{}
-	f, err := os.ReadFile(lp.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = json.Unmarshal(f, control); err != nil {
-		return control, err
-	}
-
-	if controlName != "" && !strings.EqualFold(controlName, control.Name) && !strings.EqualFold(controlName, control.ControlID) {
-		return nil, fmt.Errorf("control from file not matching")
-	}
-	return control, err
-}
-
-func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-
-	framework := &reporthandling.Framework{}
-	f, err := os.ReadFile(lp.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = json.Unmarshal(f, framework); err != nil {
-		return framework, err
-	}
-
-	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
-		return nil, fmt.Errorf("framework from file not matching")
-	}
-	return framework, err
-}
-
-func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-
-	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := os.ReadFile(lp.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	err = json.Unmarshal(f, &exception)
-	return exception, err
-}

cautils/reporterutils.go

@@ -1,5 +0,0 @@
-package cautils
-
-const (
-	ComponentIdentifier = "Posture"
-)

cautils/scaninfo.go

@@ -1,85 +0,0 @@
-package cautils
-
-import (
-	"path/filepath"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type ScanInfo struct {
-	Getters
-	PolicyIdentifier   reporthandling.PolicyIdentifier
-	UseExceptions      string   // Load exceptions configuration
-	UseFrom            string   // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
-	Format             string   // Format results (table, json, junit ...)
-	Output             string   // Store results in an output file, Output file name
-	ExcludedNamespaces string   // DEPRECATED?
-	InputPatterns      []string // Yaml files input patterns
-	Silent             bool     // Silent mode - Do not print progress logs
-	FailThreshold      uint16   // Failure score threshold
-	Submit             bool     // Submit results to Armo BE
-	Local              bool     // Do not submit results
-	Account            string   // account ID
-	FrameworkScan      bool     // false if scanning control
-}
-
-type Getters struct {
-	ExceptionsGetter getter.IExceptionsGetter
-	PolicyGetter     getter.IPolicyGetter
-}
-
-func (scanInfo *ScanInfo) Init() {
-	scanInfo.setUseFrom()
-	scanInfo.setUseExceptions()
-	scanInfo.setOutputFile()
-	scanInfo.setGetter()
-
-}
-
-func (scanInfo *ScanInfo) setUseExceptions() {
-	if scanInfo.UseExceptions != "" {
-		// load exceptions from file
-		scanInfo.ExceptionsGetter = getter.NewLoadPolicy(scanInfo.UseExceptions)
-	} else {
-		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
-	}
-
-}
-func (scanInfo *ScanInfo) setUseFrom() {
-	if scanInfo.UseFrom != "" {
-		return
-	}
-	if scanInfo.UseDefault {
-		scanInfo.UseFrom = getter.GetDefaultPath(scanInfo.PolicyIdentifier.Name + ".json")
-	}
-}
-func (scanInfo *ScanInfo) setGetter() {
-	if scanInfo.UseFrom != "" {
-		// load from file
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
-	}
-}
-
-func (scanInfo *ScanInfo) setOutputFile() {
-	if scanInfo.Output == "" {
-		return
-	}
-	if scanInfo.Format == "json" {
-		if filepath.Ext(scanInfo.Output) != ".json" {
-			scanInfo.Output += ".json"
-		}
-	}
-	if scanInfo.Format == "junit" {
-		if filepath.Ext(scanInfo.Output) != ".xml" {
-			scanInfo.Output += ".xml"
-		}
-	}
-}
-
-func (scanInfo *ScanInfo) ScanRunningCluster() bool {
-	return len(scanInfo.InputPatterns) == 0
-}

clihandler/cmd/cluster.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// clusterCmd represents the cluster command
-var clusterCmd = &cobra.Command{
-	Use:   "cluster",
-	Short: "Set configuration for cluster",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(clusterCmd)
-}

clihandler/cmd/cluster_get.go

@@ -1,51 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/spf13/cobra"
-)
-
-var getCmd = &cobra.Command{
-	Use:       "get <key>",
-	Short:     "Get configuration in cluster",
-	Long:      ``,
-	ValidArgs: clihandler.SupportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(getCmd)
-}

clihandler/cmd/cluster_set.go

@@ -1,44 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var setCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration in cluster",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(setCmd)
-}

clihandler/cmd/config.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// configCmd represents the config command
-var configCmd = &cobra.Command{
-	Use:   "config",
-	Short: "Set configuration",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(configCmd)
-}

clihandler/cmd/control.go

@@ -1,53 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/spf13/cobra"
-)
-
-// controlCmd represents the control command
-var controlCmd = &cobra.Command{
-	Use:   "control <control name>/<control id>",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", clihandler.ValidFrameworks),
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
-			return fmt.Errorf("requires at least one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		flagValidationControl()
-		scanInfo.PolicyIdentifier = reporthandling.PolicyIdentifier{}
-		if !(cmd.Flags().Lookup("use-from").Changed) {
-			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
-		}
-		scanInfo.FrameworkScan = false
-		scanInfo.PolicyIdentifier.Kind = reporthandling.KindControl
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	scanInfo = cautils.ScanInfo{}
-	scanCmd.AddCommand(controlCmd)
-}
-
-func flagValidationControl() {
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}

clihandler/cmd/download.go

@@ -1,67 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/spf13/cobra"
-)
-
-var downloadInfo cautils.DownloadInfo
-
-var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
-	Short: "Download framework/control",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) != 2 {
-			return fmt.Errorf("requires two arguments : framework/control <framework-name>/<control-name>")
-		}
-		if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-			return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		if strings.EqualFold(args[0], "framework") {
-			downloadInfo.FrameworkName = strings.ToLower(args[1])
-			g := getter.NewDownloadReleasedPolicy()
-			if downloadInfo.Path == "" {
-				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
-			}
-			frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
-			if err != nil {
-				return err
-			}
-			err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
-			if err != nil {
-				return err
-			}
-		} else if strings.EqualFold(args[0], "control") {
-			downloadInfo.ControlName = strings.ToLower(args[1])
-			g := getter.NewDownloadReleasedPolicy()
-			if downloadInfo.Path == "" {
-				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.ControlName + ".json")
-			}
-			controls, err := g.GetControl(downloadInfo.ControlName)
-			if err != nil {
-				return err
-			}
-			err = getter.SaveControlInFile(controls, downloadInfo.Path)
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(downloadCmd)
-	downloadInfo = cautils.DownloadInfo{}
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
-}

clihandler/cmd/framework.go

@@ -1,90 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-
-	"github.com/spf13/cobra"
-)
-
-var frameworkCmd = &cobra.Command{
-
-	Use:       fmt.Sprintf("framework <framework name> [`<glob pattern>`/`-`] [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")),
-	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: clihandler.SupportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
-			return fmt.Errorf("requires at least one argument")
-		} else if len(args) > 0 {
-			if !isValidFramework(strings.ToLower(args[0])) {
-				return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")))
-			}
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		scanInfo.PolicyIdentifier = reporthandling.PolicyIdentifier{}
-		scanInfo.PolicyIdentifier.Kind = reporthandling.KindFramework
-		flagValidationFramework()
-		if !(cmd.Flags().Lookup("use-from").Changed) {
-			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
-		}
-		if len(args) > 0 {
-			if len(args[1:]) == 0 || args[1] != "-" {
-				scanInfo.InputPatterns = args[1:]
-			} else { // store stout to file
-				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-				if err != nil {
-					return err
-				}
-				defer os.Remove(tempFile.Name())
-
-				if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-					return err
-				}
-				scanInfo.InputPatterns = []string{tempFile.Name()}
-			}
-		}
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func isValidFramework(framework string) bool {
-	return cautils.StringInSlice(clihandler.SupportedFrameworks, framework) != cautils.ValueNotFound
-}
-
-func init() {
-	scanCmd.AddCommand(frameworkCmd)
-	scanInfo = cautils.ScanInfo{}
-	scanInfo.FrameworkScan = true
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
-
-}
-
-func flagValidationFramework() {
-
-	if scanInfo.Submit && scanInfo.Local {
-		fmt.Println("You can use `keep-local` or `submit`, but not both")
-		os.Exit(1)
-	}
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}

clihandler/cmd/local.go

@@ -1,17 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-var localCmd = &cobra.Command{
-	Use:   "local",
-	Short: "Set configuration locally (for config.json)",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(localCmd)
-}

clihandler/cmd/local_get.go

@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localGetCmd = &cobra.Command{
-	Use:   "get <key>",
-	Short: "Get configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		val, err := cautils.GetValueFromConfigJson(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localGetCmd)
-}

clihandler/cmd/local_set.go

@@ -1,40 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localSetCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		if err := cautils.SetKeyValueInConfigJson(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localSetCmd)
-}

clihandler/cmd/root.go

@@ -1,68 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/golang/glog"
-	"github.com/spf13/cobra"
-)
-
-var cfgFile string
-var armoBEURLs = ""
-
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
-
-var rootCmd = &cobra.Command{
-	Use:   "kubescape",
-	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		flag.Parse()
-		InitArmoBEConnector()
-		return nil
-	},
-}
-
-func Execute() {
-	rootCmd.Execute()
-}
-
-func init() {
-	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().MarkHidden("environment")
-	cobra.OnInitialize(initConfig)
-
-}
-
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-}
-
-func InitArmoBEConnector() {
-	urlSlices := strings.Split(armoBEURLs, ",")
-	if len(urlSlices) > 3 {
-		glog.Errorf("Too many URLs")
-		os.Exit(1)
-	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
-		case "":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
-		default:
-			glog.Errorf("--environment flag usage: %s", envFlagUsage)
-			os.Exit(1)
-		}
-	case 2:
-		glog.Errorf("--environment flag usage: %s", envFlagUsage)
-		os.Exit(1)
-	case 3:
-		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
-	}
-}

clihandler/cmd/scan.go

@@ -1,41 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var scanInfo cautils.ScanInfo
-
-// scanCmd represents the scan command
-var scanCmd = &cobra.Command{
-	Use:   "scan <command>",
-	Short: "Scan the current running cluster or yaml files",
-	Long:  `The action you want to perform`,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) == 0 {
-			return fmt.Errorf("requires one  argument: framework/control")
-		}
-		if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-			return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-		}
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(scanCmd)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system, kube-public")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"`)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
-	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent bellow which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.UseFrom, "use-from", "", "Load local framework object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local framework object from default path. If not used will download latest")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from Armo management portal")
-}

clihandler/cmd/version.go

@@ -1,49 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-
-	"github.com/spf13/cobra"
-)
-
-var BuildNumber string
-
-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "Get current version",
-	Long:  ``,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		fmt.Println("Your current version is: " + BuildNumber)
-		return nil
-	},
-}
-
-func GetLatestVersion() (string, error) {
-	latestVersion := "https://api.github.com/repos/armosec/kubescape/releases/latest"
-	resp, err := http.Get(latestVersion)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestVersion, err.Error())
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode < 200 || 301 < resp.StatusCode {
-		return "unknown", fmt.Errorf("failed to download file, status code: %s", resp.Status)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to read response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	var data map[string]interface{}
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	return fmt.Sprintf("%v", data["tag_name"]), nil
-}
-
-func init() {
-	rootCmd.AddCommand(versionCmd)
-}

clihandler/initcli.go

@@ -1,153 +0,0 @@
-package clihandler
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/opaprocessor"
-	"github.com/armosec/kubescape/policyhandler"
-	"github.com/armosec/kubescape/resourcehandler"
-	"github.com/armosec/kubescape/resultshandling"
-	"github.com/armosec/kubescape/resultshandling/printer"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type CLIHandler struct {
-	policyHandler *policyhandler.PolicyHandler
-	scanInfo      *cautils.ScanInfo
-}
-
-var SupportedFrameworks = []string{"nsa", "mitre"}
-var ValidFrameworks = strings.Join(SupportedFrameworks, ", ")
-
-type componentInterfaces struct {
-	clusterConfig   cautils.IClusterConfig
-	resourceHandler resourcehandler.IResourceHandler
-	report          reporter.IReport
-	printerHandler  printer.IPrinter
-}
-
-func getReporter(scanInfo *cautils.ScanInfo) reporter.IReport {
-	if !scanInfo.Submit {
-		return reporter.NewReportMock()
-	}
-	if !scanInfo.FrameworkScan {
-		return reporter.NewReportMock()
-	}
-
-	return reporter.NewReportEventReceiver()
-}
-func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
-	var resourceHandler resourcehandler.IResourceHandler
-	var clusterConfig cautils.IClusterConfig
-	var reportHandler reporter.IReport
-
-	if !scanInfo.ScanRunningCluster() {
-		k8sinterface.ConnectedToCluster = false
-		clusterConfig = cautils.NewEmptyConfig()
-
-		// load fom file
-		resourceHandler = resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
-
-		// set mock report (do not send report)
-		reportHandler = reporter.NewReportMock()
-	} else {
-		k8s := k8sinterface.NewKubernetesApi()
-		resourceHandler = resourcehandler.NewK8sResourceHandler(k8s, scanInfo.ExcludedNamespaces)
-		clusterConfig = cautils.ClusterConfigSetup(scanInfo, k8s, getter.GetArmoAPIConnector())
-
-		// setup reporter
-		reportHandler = getReporter(scanInfo)
-	}
-
-	// setup printer
-	printerHandler := printer.GetPrinter(scanInfo.Format)
-	printerHandler.SetWriter(scanInfo.Output)
-
-	return componentInterfaces{
-		clusterConfig:   clusterConfig,
-		resourceHandler: resourceHandler,
-		report:          reportHandler,
-		printerHandler:  printerHandler,
-	}
-}
-
-func CliSetup(scanInfo *cautils.ScanInfo) error {
-
-	interfaces := getInterfaces(scanInfo)
-
-	processNotification := make(chan *cautils.OPASessionObj)
-	reportResults := make(chan *cautils.OPASessionObj)
-
-	if err := interfaces.clusterConfig.SetConfig(scanInfo.Account); err != nil {
-		fmt.Println(err)
-	}
-
-	cautils.ClusterName = interfaces.clusterConfig.GetClusterName()   // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.clusterConfig.GetCustomerGUID() // TODO - Deprecated
-	interfaces.report.SetClusterName(interfaces.clusterConfig.GetClusterName())
-	interfaces.report.SetCustomerGUID(interfaces.clusterConfig.GetCustomerGUID())
-	// cli handler setup
-	go func() {
-		// policy handler setup
-		policyHandler := policyhandler.NewPolicyHandler(&processNotification, interfaces.resourceHandler)
-		cli := NewCLIHandler(policyHandler, scanInfo)
-		if err := cli.Scan(); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-	}()
-
-	// processor setup - rego run
-	go func() {
-		opaprocessorObj := opaprocessor.NewOPAProcessorHandler(&processNotification, &reportResults)
-		opaprocessorObj.ProcessRulesListenner()
-	}()
-
-	resultsHandling := resultshandling.NewResultsHandler(&reportResults, interfaces.report, interfaces.printerHandler)
-	score := resultsHandling.HandleResults(scanInfo)
-
-	// print report url
-	interfaces.clusterConfig.GenerateURL()
-
-	adjustedFailThreshold := float32(scanInfo.FailThreshold) / 100
-	if score < adjustedFailThreshold {
-		return fmt.Errorf("Scan score is bellow threshold")
-	}
-
-	return nil
-}
-
-func NewCLIHandler(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) *CLIHandler {
-	return &CLIHandler{
-		scanInfo:      scanInfo,
-		policyHandler: policyHandler,
-	}
-}
-
-func (clihandler *CLIHandler) Scan() error {
-	cautils.ScanStartDisplay()
-	policyNotification := &reporthandling.PolicyNotification{
-		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules: []reporthandling.PolicyIdentifier{
-			clihandler.scanInfo.PolicyIdentifier,
-		},
-		Designators: armotypes.PortalDesignator{},
-	}
-	switch policyNotification.NotificationType {
-	case reporthandling.TypeExecPostureScan:
-		if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
-			return err
-		}
-
-	default:
-		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
-	}
-	return nil
-}

cmd/completion/completion.go

@@ -0,0 +1,45 @@
+package completion
+
+import (
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+var completionCmdExamples = `
+
+  # Enable BASH shell autocompletion
+  $ source <(kubescape completion bash)
+  $ echo 'source <(kubescape completion bash)' >> ~/.bashrc
+
+  # Enable ZSH shell autocompletion
+  $ source <(kubectl completion zsh)
+  $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
+
+`
+
+func GetCompletionCmd() *cobra.Command {
+	completionCmd := &cobra.Command{
+		Use:                   "completion [bash|zsh|fish|powershell]",
+		Short:                 "Generate autocompletion script",
+		Long:                  "To load completions",
+		Example:               completionCmdExamples,
+		DisableFlagsInUseLine: true,
+		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
+		Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+		Run: func(cmd *cobra.Command, args []string) {
+			switch strings.ToLower(args[0]) {
+			case "bash":
+				cmd.Root().GenBashCompletion(os.Stdout)
+			case "zsh":
+				cmd.Root().GenZshCompletion(os.Stdout)
+			case "fish":
+				cmd.Root().GenFishCompletion(os.Stdout, true)
+			case "powershell":
+				cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+			}
+		},
+	}
+	return completionCmd
+}

cmd/config/config.go

@@ -0,0 +1,48 @@
+package config
+
+import (
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var (
+	configExample = `
+  # View cached configurations 
+  kubescape config view
+
+  # Delete cached configurations
+  kubescape config delete
+
+  # Set cached configurations
+  kubescape config set --help
+`
+	setConfigExample = `
+  # Set account id
+  kubescape config set accountID <account id>
+
+  # Set client id
+  kubescape config set clientID <client id> 
+
+  # Set access key
+  kubescape config set secretKey <access key>
+
+  # Set cloudAPIURL
+  kubescape config set cloudAPIURL <cloud API URL>
+`
+)
+
+func GetConfigCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configCmd := &cobra.Command{
+		Use:     "config",
+		Short:   "Handle cached configurations",
+		Example: configExample,
+	}
+
+	configCmd.AddCommand(getDeleteCmd(ks))
+	configCmd.AddCommand(getSetCmd(ks))
+	configCmd.AddCommand(getViewCmd(ks))
+
+	return configCmd
+}

cmd/config/delete.go

@@ -0,0 +1,21 @@
+package config
+
+import (
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
+	return &cobra.Command{
+		Use:   "delete",
+		Short: "Delete cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/config/set.go

@@ -0,0 +1,73 @@
+package config
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getSetCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configSetCmd := &cobra.Command{
+		Use:       "set",
+		Short:     fmt.Sprintf("Set configurations, supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/")),
+		Example:   setConfigExample,
+		ValidArgs: stringKeysToSlice(supportConfigSet),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			setConfig, err := parseSetArgs(args)
+			if err != nil {
+				return err
+			}
+			if err := ks.SetCachedConfig(setConfig); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	return configSetCmd
+}
+
+var supportConfigSet = map[string]func(*metav1.SetConfig, string){
+	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
+	"clientID":       func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
+	"secretKey":      func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
+	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
+	"cloudAuthURL":   func(s *metav1.SetConfig, cloudAuthURL string) { s.CloudAuthURL = cloudAuthURL },
+	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
+	"cloudUIURL":     func(s *metav1.SetConfig, cloudUIURL string) { s.CloudUIURL = cloudUIURL },
+}
+
+func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {
+	l := []string{}
+	for i := range m {
+		l = append(l, i)
+	}
+	return l
+}
+
+func parseSetArgs(args []string) (*metav1.SetConfig, error) {
+	var key string
+	var value string
+	if len(args) == 1 {
+		if keyValue := strings.Split(args[0], "="); len(keyValue) == 2 {
+			key = keyValue[0]
+			value = keyValue[1]
+		}
+	} else if len(args) == 2 {
+		key = args[0]
+		value = args[1]
+	}
+	setConfig := &metav1.SetConfig{}
+
+	if setConfigFunc, ok := supportConfigSet[key]; ok {
+		setConfigFunc(setConfig, value)
+	} else {
+		return setConfig, fmt.Errorf("key '%s' unknown . supported: %s", key, strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	}
+	return setConfig, nil
+}

cmd/config/view.go

@@ -0,0 +1,25 @@
+package config
+
+import (
+	"os"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getViewCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	return &cobra.Command{
+		Use:   "view",
+		Short: "View cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.ViewCachedConfig(&v1.ViewConfig{Writer: os.Stdout}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/delete/delete.go

@@ -0,0 +1,34 @@
+package delete
+
+import (
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var deleteExceptionsExamples = `
+  # Delete single exception
+  kubescape delete exceptions "exception name"
+
+  # Delete multiple exceptions
+  kubescape delete exceptions "first exception;second exception;third exception"
+`
+
+func GetDeleteCmd(ks meta.IKubescape) *cobra.Command {
+	var deleteInfo v1.Delete
+
+	var deleteCmd = &cobra.Command{
+		Use:   "delete <command>",
+		Short: "Delete configurations in Kubescape SaaS version",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+
+	deleteCmd.AddCommand(getExceptionsCmd(ks, &deleteInfo))
+
+	return deleteCmd
+}

cmd/delete/exceptions.go

@@ -0,0 +1,46 @@
+package delete
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command {
+	return &cobra.Command{
+		Use:     "exceptions <exception name>",
+		Short:   "Delete exceptions from Kubescape SaaS version. Run 'kubescape list exceptions' for all exceptions names",
+		Example: deleteExceptionsExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("missing exceptions names")
+			}
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationDelete(deleteInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			exceptionsNames := strings.Split(args[0], ";")
+			if len(exceptionsNames) == 0 {
+				logger.L().Fatal("missing exceptions names")
+			}
+			if err := ks.DeleteExceptions(&v1.DeleteExceptions{Credentials: deleteInfo.Credentials, Exceptions: exceptionsNames}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}
+
+// Check if the flag entered are valid
+func flagValidationDelete(deleteInfo *v1.Delete) error {
+
+	// Validate the user's credentials
+	return deleteInfo.Credentials.Validate()
+}

cmd/download/download.go

@@ -0,0 +1,97 @@
+package download
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/core"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var (
+	downloadExample = `
+  # Download all artifacts and save them in the default path (~/.kubescape)
+  kubescape download artifacts
+  
+  # Download all artifacts and save them in /tmp path
+  kubescape download artifacts --output /tmp
+  
+  # Download the NSA framework. Run 'kubescape list frameworks' for all frameworks names
+  kubescape download framework nsa
+
+  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
+  kubescape download control "C-0001"
+
+  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
+  kubescape download control C-0001
+
+  # Download the configured exceptions
+  kubescape download exceptions 
+
+  # Download the configured controls-inputs 
+  kubescape download controls-inputs 
+
+  # Download the attack tracks
+  kubescape download attack-tracks
+`
+)
+
+func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
+	var downloadInfo = v1.DownloadInfo{}
+
+	downloadCmd := &cobra.Command{
+		Use:     "download <policy> <policy name>",
+		Short:   fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")),
+		Long:    ``,
+		Example: downloadExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.DownloadSupportCommands(), ",")
+			if len(args) < 1 {
+				return fmt.Errorf("policy type required, supported: %v", supported)
+			}
+			if cautils.StringInSlice(core.DownloadSupportCommands(), args[0]) == cautils.ValueNotFound {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationDownload(&downloadInfo); err != nil {
+				return err
+			}
+
+			if filepath.Ext(downloadInfo.Path) == ".json" {
+				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
+			}
+			downloadInfo.Target = args[0]
+			if len(args) >= 2 {
+
+				downloadInfo.Identifier = args[1]
+
+			}
+			if err := ks.Download(&downloadInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
+
+	return downloadCmd
+}
+
+// Check if the flag entered are valid
+func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
+
+	// Validate the user's credentials
+	return downloadInfo.Credentials.Validate()
+}

cmd/fix/fix.go

@@ -0,0 +1,45 @@
+package fix
+
+import (
+	"errors"
+
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+var fixCmdExamples = `
+  Fix command is for fixing kubernetes manifest files based on a scan command output.
+  Use with caution, this command will change your files in-place.
+
+  # Fix kubernetes YAML manifest files based on a scan command output (output.json)
+  1) kubescape scan --format json --format-version v2 --output output.json
+  2) kubescape fix output.json
+
+`
+
+func GetFixCmd(ks meta.IKubescape) *cobra.Command {
+	var fixInfo metav1.FixInfo
+
+	fixCmd := &cobra.Command{
+		Use:     "fix <report output file>",
+		Short:   "Fix misconfiguration in files",
+		Long:    ``,
+		Example: fixCmdExamples,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("report output file is required")
+			}
+			fixInfo.ReportFile = args[0]
+
+			return ks.Fix(&fixInfo)
+		},
+	}
+
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.NoConfirm, "no-confirm", false, "No confirmation will be given to the user before applying the fix (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.DryRun, "dry-run", false, "No changes will be applied (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.SkipUserValues, "skip-user-values", true, "Changes which involve user-defined values will be skipped")
+
+	return fixCmd
+}

cmd/list/list.go

@@ -0,0 +1,78 @@
+package list
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/core"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var (
+	listExample = `
+  # List default supported frameworks names
+  kubescape list frameworks
+  
+  # List all supported frameworks names
+  kubescape list frameworks --account <account id>
+	
+  # List all supported controls names with ids
+  kubescape list controls
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`
+)
+
+func GetListCmd(ks meta.IKubescape) *cobra.Command {
+	var listPolicies = v1.ListPolicies{}
+
+	listCmd := &cobra.Command{
+		Use:     "list <policy> [flags]",
+		Short:   "List frameworks/controls will list the supported frameworks and controls",
+		Long:    ``,
+		Example: listExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.ListSupportActions(), ",")
+
+			if len(args) < 1 {
+				return fmt.Errorf("policy type requeued, supported: %s", supported)
+			}
+			if cautils.StringInSlice(core.ListSupportActions(), args[0]) == cautils.ValueNotFound {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationList(&listPolicies); err != nil {
+				return err
+			}
+
+			listPolicies.Target = args[0]
+
+			if err := ks.List(&listPolicies); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
+	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outpus")
+
+	return listCmd
+}
+
+// Check if the flag entered are valid
+func flagValidationList(listPolicies *v1.ListPolicies) error {
+
+	// Validate the user's credentials
+	return listPolicies.Credentials.Validate()
+}

cmd/root.go

@@ -0,0 +1,90 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/cmd/completion"
+	"github.com/kubescape/kubescape/v2/cmd/config"
+	"github.com/kubescape/kubescape/v2/cmd/delete"
+	"github.com/kubescape/kubescape/v2/cmd/download"
+	"github.com/kubescape/kubescape/v2/cmd/fix"
+	"github.com/kubescape/kubescape/v2/cmd/list"
+	"github.com/kubescape/kubescape/v2/cmd/scan"
+	"github.com/kubescape/kubescape/v2/cmd/submit"
+	"github.com/kubescape/kubescape/v2/cmd/update"
+	"github.com/kubescape/kubescape/v2/cmd/version"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/kubescape/v2/core/core"
+	"github.com/kubescape/kubescape/v2/core/meta"
+
+	"github.com/spf13/cobra"
+)
+
+var rootInfo cautils.RootInfo
+
+var ksExamples = `
+  # Scan command
+  kubescape scan
+
+  # List supported frameworks
+  kubescape list frameworks
+
+  # Download artifacts (air-gapped environment support)
+  kubescape download artifacts
+
+  # View cached configurations
+  kubescape config view
+`
+
+func NewDefaultKubescapeCommand() *cobra.Command {
+	ks := core.NewKubescape()
+	return getRootCmd(ks)
+}
+
+func getRootCmd(ks meta.IKubescape) *cobra.Command {
+
+	rootCmd := &cobra.Command{
+		Use:     "kubescape",
+		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
+		Example: ksExamples,
+	}
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLsDep, "environment", "", envFlagUsage)
+	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLs, "env", "", envFlagUsage)
+	rootCmd.PersistentFlags().MarkDeprecated("environment", "use 'env' instead")
+	rootCmd.PersistentFlags().MarkHidden("environment")
+	rootCmd.PersistentFlags().MarkHidden("env")
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.LoggerName, "logger-name", "", fmt.Sprintf("Logger name. Supported: %s [$KS_LOGGER_NAME]", strings.Join(logger.ListLoggersNames(), "/")))
+	rootCmd.PersistentFlags().MarkHidden("logger-name")
+
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
+	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable Color output for logging")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable Color output for logging")
+
+	cobra.OnInitialize(initLogger, initLoggerLevel, initEnvironment, initCacheDir)
+
+	// Supported commands
+	rootCmd.AddCommand(scan.GetScanCommand(ks))
+	rootCmd.AddCommand(download.GeDownloadCmd(ks))
+	rootCmd.AddCommand(delete.GetDeleteCmd(ks))
+	rootCmd.AddCommand(list.GetListCmd(ks))
+	rootCmd.AddCommand(submit.GetSubmitCmd(ks))
+	rootCmd.AddCommand(completion.GetCompletionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(config.GetConfigCmd(ks))
+	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(fix.GetFixCmd(ks))
+
+	return rootCmd
+}
+
+func Execute() error {
+	ks := NewDefaultKubescapeCommand()
+	return ks.Execute()
+}

cmd/rootutils.go

@@ -0,0 +1,90 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+
+	"github.com/mattn/go-isatty"
+)
+
+const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
+
+func initLogger() {
+	logger.DisableColor(rootInfo.DisableColor)
+	logger.EnableColor(rootInfo.EnableColor)
+
+	if rootInfo.LoggerName == "" {
+		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
+			rootInfo.LoggerName = l
+		} else {
+			if isatty.IsTerminal(os.Stdout.Fd()) {
+				rootInfo.LoggerName = "pretty"
+			} else {
+				rootInfo.LoggerName = "zap"
+			}
+		}
+	}
+
+	logger.InitLogger(rootInfo.LoggerName)
+
+}
+func initLoggerLevel() {
+	if rootInfo.Logger == helpers.InfoLevel.String() {
+	} else if l := os.Getenv("KS_LOGGER"); l != "" {
+		rootInfo.Logger = l
+	}
+
+	if err := logger.L().SetLevel(rootInfo.Logger); err != nil {
+		logger.L().Fatal(fmt.Sprintf("supported levels: %s", strings.Join(helpers.SupportedLevels(), "/")), helpers.Error(err))
+	}
+}
+
+func initCacheDir() {
+	if rootInfo.CacheDir != getter.DefaultLocalStore {
+		getter.DefaultLocalStore = rootInfo.CacheDir
+	} else if cacheDir := os.Getenv("KS_CACHE_DIR"); cacheDir != "" {
+		getter.DefaultLocalStore = cacheDir
+	} else {
+		return // using default cache dir location
+	}
+
+	logger.L().Debug("cache dir updated", helpers.String("path", getter.DefaultLocalStore))
+}
+func initEnvironment() {
+	if rootInfo.KSCloudBEURLs == "" {
+		rootInfo.KSCloudBEURLs = rootInfo.KSCloudBEURLsDep
+	}
+	urlSlices := strings.Split(rootInfo.KSCloudBEURLs, ",")
+	if len(urlSlices) != 1 && len(urlSlices) < 3 {
+		logger.L().Fatal("expected at least 3 URLs (report, api, frontend, auth)")
+	}
+	switch len(urlSlices) {
+	case 1:
+		switch urlSlices[0] {
+		case "dev", "development":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIDev())
+		case "stage", "staging":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIStaging())
+		case "":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIProd())
+		default:
+			logger.L().Fatal("--environment flag usage: " + envFlagUsage)
+		}
+	case 2:
+		logger.L().Fatal("--environment flag usage: " + envFlagUsage)
+	case 3, 4:
+		var ksAuthURL string
+		ksEventReceiverURL := urlSlices[0] // mandatory
+		ksBackendURL := urlSlices[1]       // mandatory
+		ksFrontendURL := urlSlices[2]      // mandatory
+		if len(urlSlices) >= 4 {
+			ksAuthURL = urlSlices[3]
+		}
+		getter.SetKSCloudAPIConnector(getter.NewKSCloudAPICustomized(ksEventReceiverURL, ksBackendURL, ksFrontendURL, ksAuthURL))
+	}
+}

cmd/scan/control.go

@@ -0,0 +1,131 @@
+package scan
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+
+	"github.com/enescakir/emoji"
+	"github.com/spf13/cobra"
+)
+
+var (
+	controlExample = `
+  # Scan the 'privileged container' control
+  kubescape scan control "privileged container"
+	
+  # Scan list of controls separated with a comma
+  kubescape scan control "privileged container","HostPath mount"
+  
+  # Scan list of controls using the control ID separated with a comma
+  kubescape scan control C-0058,C-0057
+  
+  Run 'kubescape list controls' for the list of supported controls
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`
+)
+
+// controlCmd represents the control command
+func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	return &cobra.Command{
+		Use:     "control <control names list>/<control ids list>",
+		Short:   "The controls you wish to use. Run 'kubescape list controls' for the list of supported controls",
+		Example: controlExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				controls := strings.Split(args[0], ",")
+				if len(controls) > 1 {
+					for _, control := range controls {
+						if control == "" {
+							return fmt.Errorf("usage: <control-0>,<control-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one control name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			// flagValidationControl(scanInfo)
+			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+			} else { // expected control or list of control sepparated by ","
+
+				// Read controls from input args
+				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)
+
+				if len(args) > 1 {
+					if len(args[1:]) == 0 || args[1] != "-" {
+						scanInfo.InputPatterns = args[1:]
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+
+			scanInfo.FrameworkScan = false
+
+			if err := validateControlScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			results, err := ks.Scan(scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if err := results.HandleResults(); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if !scanInfo.VerboseMode {
+				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+			}
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+			enforceSeverityThresholds(results.GetResults().SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+
+			return nil
+		},
+	}
+}
+
+// validateControlScanInfo validates the ScanInfo struct for the `control` command
+func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
+	}
+
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/scan/framework.go

@@ -0,0 +1,213 @@
+package scan
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	frameworkExample = `
+  # Scan all frameworks
+  kubescape scan framework all
+  
+  # Scan the NSA framework
+  kubescape scan framework nsa
+  
+  # Scan the NSA and MITRE framework
+  kubescape scan framework nsa,mitre
+  
+  # Scan all frameworks
+  kubescape scan framework all
+
+  # Scan kubernetes YAML manifest files (single file or glob)
+  kubescape scan framework nsa .
+
+  Run 'kubescape list frameworks' for the list of supported frameworks
+`
+
+	ErrUnknownSeverity = errors.New("unknown severity")
+)
+
+func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+
+	return &cobra.Command{
+		Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
+		Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
+		Example: frameworkExample,
+		Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				frameworks := strings.Split(args[0], ",")
+				if len(frameworks) > 1 {
+					for _, framework := range frameworks {
+						if framework == "" {
+							return fmt.Errorf("usage: <framework-0>,<framework-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one framework name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+			scanInfo.FrameworkScan = true
+
+			var frameworks []string
+
+			if len(args) == 0 { // scan all frameworks
+				scanInfo.ScanAll = true
+			} else {
+				// Read frameworks from input args
+				frameworks = strings.Split(args[0], ",")
+				if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
+					scanInfo.ScanAll = true
+					frameworks = []string{}
+				}
+				if len(args) > 1 {
+					if len(args[1:]) == 0 || args[1] != "-" {
+						scanInfo.InputPatterns = args[1:]
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+			scanInfo.FrameworkScan = true
+
+			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
+
+			results, err := ks.Scan(scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err = results.HandleResults(); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if !scanInfo.VerboseMode {
+				cautils.SimpleDisplay(os.Stderr, "Run with '--verbose'/'-v' flag for detailed resources view\n\n")
+			}
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+
+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+			return nil
+		},
+	}
+}
+
+// countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
+func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
+	targetSeverity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(targetSeverity); err != nil {
+		return false, err
+	}
+
+	getFailedResourcesFuncsBySeverity := []struct {
+		SeverityName       string
+		GetFailedResources func() int
+	}{
+		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfLowSeverity},
+		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfMediumSeverity},
+		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfHighSeverity},
+		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfCriticalSeverity},
+	}
+
+	targetSeverityIdx := 0
+	for idx, description := range getFailedResourcesFuncsBySeverity {
+		if strings.EqualFold(description.SeverityName, targetSeverity) {
+			targetSeverityIdx = idx
+			break
+		}
+	}
+
+	for _, description := range getFailedResourcesFuncsBySeverity[targetSeverityIdx:] {
+		failedResourcesCount := description.GetFailedResources()
+		if failedResourcesCount > 0 {
+			return true, nil
+		}
+	}
+
+	return false, nil
+
+}
+
+// terminateOnExceedingSeverity terminates the application on exceeding severity
+func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l logger.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+}
+
+// enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
+//
+// The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
+func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, logger.ILogger)) {
+	// If a severity threshold is not set, we don’t need to enforce it
+	if scanInfo.FailThresholdSeverity == "" {
+		return
+	}
+
+	if val, err := countersExceedSeverityThreshold(severityCounters, scanInfo); val && err == nil {
+		onExceed(scanInfo, logger.L())
+	} else if err != nil {
+		logger.L().Fatal(err.Error())
+	}
+}
+
+// validateSeverity returns an error if a given severity is not known, nil otherwise
+func validateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+// validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
+func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
+	if scanInfo.Submit && scanInfo.Local {
+		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
+	}
+	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
+		return fmt.Errorf("bad argument: out of range threshold")
+	}
+	if scanInfo.Submit && scanInfo.OmitRawResources {
+		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
+	}
+	severity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+
+	// Validate the user's credentials
+	return scanInfo.Credentials.Validate()
+}

cmd/scan/scan.go

@@ -0,0 +1,114 @@
+package scan
+
+import (
+	"flag"
+	"fmt"
+
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var scanCmdExamples = `
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
+  
+  # Scan current cluster with all frameworks
+  kubescape scan --enable-host-scan --verbose
+
+  # Scan kubernetes YAML manifest files
+  kubescape scan .
+
+  # Scan and save the results in the JSON format
+  kubescape scan --format json --output results.json --format-version=v2
+
+  # Display all resources
+  kubescape scan --verbose
+
+  # Scan different clusters from the kubectl context 
+  kubescape scan --kube-context <kubernetes context>
+  
+`
+
+func GetScanCommand(ks meta.IKubescape) *cobra.Command {
+	var scanInfo cautils.ScanInfo
+
+	// scanCmd represents the scan command
+	scanCmd := &cobra.Command{
+		Use:     "scan",
+		Short:   "Scan the current running cluster or yaml files",
+		Long:    `The action you want to perform`,
+		Example: scanCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				if args[0] != "framework" && args[0] != "control" {
+					scanInfo.ScanAll = true
+					return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{"all"}, args...))
+				}
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, []string{"all"})
+			}
+			return nil
+		},
+		PreRun: func(cmd *cobra.Command, args []string) {
+			k8sinterface.SetClusterContextName(scanInfo.KubeContext)
+
+		},
+		PostRun: func(cmd *cobra.Command, args []string) {
+			// TODO - revert context
+		},
+	}
+
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	scanCmd.PersistentFlags().BoolVar(&scanInfo.CreateAccount, "create-account", false, "Create a Kubescape SaaS account ID account ID is not found in cache. After creating the account, the account ID will be saved in cache. In addition, the scanning results will be uploaded to the Kubescape SaaS")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
+
+	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
+
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
+	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
+	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
+	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.CustomClusterName, "cluster-name", "", "Set the custom name of the cluster. Not same as the kube-context flag")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+
+	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
+
+	// hidden flags
+	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
+	scanCmd.PersistentFlags().MarkHidden("omit-raw-resources")
+	scanCmd.PersistentFlags().MarkHidden("print-attack-tree")
+
+	// Retrieve --kubeconfig flag from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cmd.go
+	scanCmd.PersistentFlags().AddGoFlag(flag.Lookup("kubeconfig"))
+
+	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
+	hostF.NoOptDefVal = "true"
+	hostF.DefValue = "false, for no TTY in stdin"
+
+	scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
+	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
+
+	return scanCmd
+}

cmd/scan/scan_test.go

@@ -0,0 +1,254 @@
+package scan
+
+import (
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestExceedsSeverity(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		ScanInfo         *cautils.ScanInfo
+		SeverityCounters reportsummary.ISeverityCounters
+		Want             bool
+		Error            error
+	}{
+		{
+			Description:      "Critical failed resource should exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Critical failed resource should exceed Critical threshold set as constant",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource should not exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource does not exceed High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource does not exceed Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{HighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{MediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Unknown severity returns an error",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
+			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
+			Want:             false,
+			Error:            ErrUnknownSeverity,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			got, err := countersExceedSeverityThreshold(testCase.SeverityCounters, testCase.ScanInfo)
+			want := testCase.Want
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+
+			if err != testCase.Error {
+				t.Errorf(`got error "%v", want "%v"`, err, testCase.Error)
+			}
+		})
+	}
+}
+
+func Test_enforceSeverityThresholds(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		SeverityCounters *reportsummary.SeverityCounters
+		ScanInfo         *cautils.ScanInfo
+		Want             bool
+	}{
+		{
+			"Exceeding Critical severity counter should call the terminating function",
+			&reportsummary.SeverityCounters{CriticalSeverityCounter: 1},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			true,
+		},
+		{
+			"Non-exceeding severity counter should call not the terminating function",
+			&reportsummary.SeverityCounters{},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				severityCounters := tc.SeverityCounters
+				scanInfo := tc.ScanInfo
+				want := tc.Want
+
+				got := false
+				onExceed := func(*cautils.ScanInfo, logger.ILogger) {
+					got = true
+				}
+
+				enforceSeverityThresholds(severityCounters, scanInfo, onExceed)
+
+				if got != want {
+					t.Errorf("got: %v, want %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)    {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) SetLevel(level string) error                     { return nil }
+func (l *spyLogger) GetLevel() string                                { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                            {}
+func (l *spyLogger) GetWriter() *os.File                             { return &os.File{} }
+func (l *spyLogger) LoggerName() string                              { return "" }
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func Test_terminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				terminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}

cmd/scan/validators_test.go

@@ -0,0 +1,116 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+)
+
+// Test_validateControlScanInfo tests how scan info is validated for the `scan control` command
+func Test_validateControlScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateControlScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+// Test_validateFrameworkScanInfo tests how scan info is validated for the `scan framework` command
+func Test_validateFrameworkScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateFrameworkScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func Test_validateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := validateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}

cmd/submit/exceptions.go

@@ -0,0 +1,34 @@
+package submit
+
+import (
+	"fmt"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Command {
+	return &cobra.Command{
+		Use:   "exceptions <full path to exceptions file>",
+		Short: "Submit exceptions to the Kubescape SaaS version",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("missing full path to exceptions file")
+			}
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err := ks.SubmitExceptions(&submitInfo.Credentials, args[0]); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/submit/rbac.go

@@ -0,0 +1,97 @@
+package submit
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
+
+	"github.com/kubescape/rbac-utils/rbacscanner"
+	"github.com/spf13/cobra"
+)
+
+var (
+	rbacExamples = `
+	# Submit cluster's Role-Based Access Control(RBAC)
+	kubescape submit rbac
+
+	# Submit cluster's Role-Based Access Control(RBAC) with account ID 
+	kubescape submit rbac --account <account-id>
+	`
+)
+
+// getRBACCmd represents the RBAC command
+func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
+	return &cobra.Command{
+		Use:        "rbac",
+		Deprecated: "This command is deprecated and will not be supported after 1/Jan/2023. Please use the 'scan' command instead.",
+		Example:    rbacExamples,
+		Short:      "Submit cluster's Role-Based Access Control(RBAC)",
+		Long:       ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
+			k8s := k8sinterface.NewKubernetesApi()
+
+			// get config
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
+			if err := clusterConfig.SetTenant(); err != nil {
+				logger.L().Error("failed setting account ID", helpers.Error(err))
+			}
+
+			if clusterConfig.GetAccountID() == "" {
+				return fmt.Errorf("account ID is not set, run 'kubescape submit rbac --account <account-id>'")
+			}
+
+			// list RBAC
+			rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetAccountID(), clusterConfig.GetContextName()))
+
+			// submit resources
+			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextRBAC)
+
+			submitInterfaces := cliinterfaces.SubmitInterfaces{
+				ClusterConfig: clusterConfig,
+				SubmitObjects: rbacObjects,
+				Reporter:      r,
+			}
+
+			if err := ks.Submit(submitInterfaces); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+
+}
+
+// getKubernetesApi
+func getKubernetesApi() *k8sinterface.KubernetesApi {
+	if !k8sinterface.IsConnectedToCluster() {
+		return nil
+	}
+	return k8sinterface.NewKubernetesApi()
+}
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
+	}
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
+}
+
+// Check if the flag entered are valid
+func flagValidationSubmit(submitInfo *v1.Submit) error {
+
+	// Validate the user's credentials
+	return submitInfo.Credentials.Validate()
+}

cmd/submit/results.go

@@ -0,0 +1,104 @@
+package submit
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/uuid"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
+	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
+
+	"github.com/spf13/cobra"
+)
+
+var formatVersion string
+
+type ResultsObject struct {
+	filePath     string
+	customerGUID string
+	clusterName  string
+}
+
+func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
+	return &ResultsObject{
+		filePath:     filePath,
+		customerGUID: customerGUID,
+		clusterName:  clusterName,
+	}
+}
+
+func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandlingv2.PostureReport, error) {
+	// load framework results from json file
+	report, err := loadResultsFromFile(resultsObject.filePath)
+	if err != nil {
+		return nil, err
+	}
+	return report, nil
+}
+
+func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
+	return map[string]workloadinterface.IMetadata{}, nil
+}
+
+func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
+	var resultsCmd = &cobra.Command{
+		Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json --format-version v2",
+		Short: "Submit a pre scanned results file. The file must be in json format",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
+			if len(args) == 0 {
+				return fmt.Errorf("missing results file")
+			}
+
+			k8s := getKubernetesApi()
+
+			// get config
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
+			if err := clusterConfig.SetTenant(); err != nil {
+				logger.L().Error("failed setting account ID", helpers.Error(err))
+			}
+
+			resultsObjects := NewResultsObject(clusterConfig.GetAccountID(), clusterConfig.GetContextName(), args[0])
+
+			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextScan)
+
+			submitInterfaces := cliinterfaces.SubmitInterfaces{
+				ClusterConfig: clusterConfig,
+				SubmitObjects: resultsObjects,
+				Reporter:      r,
+			}
+
+			if err := ks.Submit(submitInterfaces); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+
+	return resultsCmd
+}
+func loadResultsFromFile(filePath string) (*reporthandlingv2.PostureReport, error) {
+	report := &reporthandlingv2.PostureReport{}
+	f, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(f, report); err != nil {
+		return report, fmt.Errorf("failed to unmarshal results file: %s, make sure you run kubescape with '--format=json --format-version=v2'", err.Error())
+	}
+	return report, nil
+}

cmd/submit/submit.go

@@ -0,0 +1,37 @@
+package submit
+
+import (
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var submitCmdExamples = `
+# Submit Kubescape scan results file
+kubescape submit results
+
+# Submit exceptions file to Kubescape SaaS
+kubescape submit exceptions
+`
+
+func GetSubmitCmd(ks meta.IKubescape) *cobra.Command {
+	var submitInfo metav1.Submit
+
+	submitCmd := &cobra.Command{
+		Use:     "submit <command>",
+		Short:   "Submit an object to the Kubescape SaaS version",
+		Long:    ``,
+		Example: submitCmdExamples,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+
+	submitCmd.AddCommand(getExceptionsCmd(ks, &submitInfo))
+	submitCmd.AddCommand(getResultsCmd(ks, &submitInfo))
+	submitCmd.AddCommand(getRBACCmd(ks, &submitInfo))
+
+	return submitCmd
+}

cmd/update/update.go

@@ -0,0 +1,59 @@
+package update
+
+//This update command updates to the latest kubescape release.
+//Example:-
+//          kubescape update
+
+import (
+	"os/exec"
+	"runtime"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+func GetUpdateCmd() *cobra.Command {
+	updateCmd := &cobra.Command{
+		Use:   "update",
+		Short: "Update your version",
+		Long:  ``,
+		RunE: func(_ *cobra.Command, args []string) error {
+			//Checking the user's version of kubescape to the latest release
+			if cautils.BuildNumber == cautils.LatestReleaseVersion {
+				//your version == latest version
+				logger.L().Info(("You are in the latest version"))
+			} else {
+
+				const OSTYPE string = runtime.GOOS
+				var ShellToUse string
+				switch OSTYPE {
+
+				case "windows":
+					cautils.StartSpinner()
+					//run the installation command for windows
+					ShellToUse = "powershell"
+					_, err := exec.Command(ShellToUse, "-c", "iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex").Output()
+
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+					cautils.StopSpinner()
+
+				default:
+					ShellToUse = "bash"
+					cautils.StartSpinner()
+					//run the installation command for linux and macOS
+					_, err := exec.Command(ShellToUse, "-c", "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash").Output()
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+
+					cautils.StopSpinner()
+				}
+			}
+			return nil
+		},
+	}
+	return updateCmd
+}

cmd/version/git_native_disabled.go

@@ -0,0 +1,7 @@
+//go:build !gitenabled
+
+package version
+
+func isGitEnabled() bool {
+	return false
+}

cmd/version/git_native_enabled.go

@@ -0,0 +1,7 @@
+//go:build gitenabled
+
+package version
+
+func isGitEnabled() bool {
+	return true
+}

cmd/version/version.go

@@ -0,0 +1,28 @@
+package version
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+func GetVersionCmd() *cobra.Command {
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Get current version",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			v := cautils.NewIVersionCheckHandler()
+			v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
+			fmt.Fprintf(os.Stdout,
+				"Your current version is: %s [git enabled in build: %t]\n",
+				cautils.BuildNumber,
+				isGitEnabled(),
+			)
+			return nil
+		},
+	}
+	return versionCmd
+}

core/README.md

@@ -0,0 +1,14 @@
+# Kubescape core package
+
+```go
+
+// initialize kubescape
+ks := core.NewKubescape()
+
+// scan cluster
+results, err := ks.Scan(&cautils.ScanInfo{})
+
+// convert scan results to json
+jsonRes, err := results.ToJson()
+
+```

core/cautils/controllink.go

@@ -0,0 +1,12 @@
+package cautils
+
+import (
+	"fmt"
+	"strings"
+)
+
+func GetControlLink(controlID string) string {
+	// For CIS Controls, cis-1.1.3 will be transformed to cis-1-1-3 in documentation link.
+	docLinkID := strings.ReplaceAll(controlID, ".", "-")
+	return fmt.Sprintf("https://hub.armosec.io/docs/%s", strings.ToLower(docLinkID))
+}

core/cautils/customerloader.go

@@ -0,0 +1,624 @@
+package cautils
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const configFileName = "config"
+
+func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
+
+// ======================================================================================
+// =============================== Config structure =====================================
+// ======================================================================================
+
+type ConfigObj struct {
+	AccountID          string `json:"accountID,omitempty"`
+	ClientID           string `json:"clientID,omitempty"`
+	SecretKey          string `json:"secretKey,omitempty"`
+	CustomerGUID       string `json:"customerGUID,omitempty"` // Deprecated
+	Token              string `json:"invitationParam,omitempty"`
+	CustomerAdminEMail string `json:"adminMail,omitempty"`
+	ClusterName        string `json:"clusterName,omitempty"`
+	CloudReportURL     string `json:"cloudReportURL,omitempty"`
+	CloudAPIURL        string `json:"cloudAPIURL,omitempty"`
+	CloudUIURL         string `json:"cloudUIURL,omitempty"`
+	CloudAuthURL       string `json:"cloudAuthURL,omitempty"`
+}
+
+// Config - convert ConfigObj to config file
+func (co *ConfigObj) Config() []byte {
+
+	// remove cluster name before saving to file
+	clusterName := co.ClusterName
+	customerAdminEMail := co.CustomerAdminEMail
+	token := co.Token
+	co.ClusterName = ""
+	co.Token = ""
+	co.CustomerAdminEMail = ""
+
+	b, err := json.MarshalIndent(co, "", "  ")
+
+	co.ClusterName = clusterName
+	co.CustomerAdminEMail = customerAdminEMail
+	co.Token = token
+
+	if err == nil {
+		return b
+	}
+
+	return []byte{}
+}
+
+// ======================================================================================
+// =============================== interface ============================================
+// ======================================================================================
+type ITenantConfig interface {
+	// set
+	SetTenant() error
+	UpdateCachedConfig() error
+	DeleteCachedConfig() error
+
+	// getters
+	GetContextName() string
+	GetAccountID() string
+	GetTenantEmail() string
+	GetToken() string
+	GetClientID() string
+	GetSecretKey() string
+	GetConfigObj() *ConfigObj
+	GetCloudReportURL() string
+	GetCloudAPIURL() string
+	GetCloudUIURL() string
+	GetCloudAuthURL() string
+	// GetBackendAPI() getter.IBackend
+	// GenerateURL()
+
+	IsConfigFound() bool
+}
+
+// ======================================================================================
+// ============================ Local Config ============================================
+// ======================================================================================
+// Config when scanning YAML files or URL but not a Kubernetes cluster
+type LocalConfig struct {
+	backendAPI getter.IBackend
+	configObj  *ConfigObj
+}
+
+func NewLocalConfig(
+	backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *LocalConfig {
+
+	lc := &LocalConfig{
+		backendAPI: backendAPI,
+		configObj:  &ConfigObj{},
+	}
+	// get from configMap
+	if existsConfigFile() { // get from file
+		loadConfigFromFile(lc.configObj)
+	}
+
+	updateCredentials(lc.configObj, credentials)
+	updateCloudURLs(lc.configObj)
+
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		lc.configObj.ClusterName = AdoptClusterName(customClusterName)
+	} else if clusterName != "" {
+		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
+
+	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
+	lc.backendAPI.SetClientID(lc.configObj.ClientID)
+	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
+	if lc.configObj.CloudAPIURL != "" {
+		lc.backendAPI.SetCloudAPIURL(lc.configObj.CloudAPIURL)
+	} else {
+		lc.configObj.CloudAPIURL = lc.backendAPI.GetCloudAPIURL()
+	}
+	if lc.configObj.CloudAuthURL != "" {
+		lc.backendAPI.SetCloudAuthURL(lc.configObj.CloudAuthURL)
+	} else {
+		lc.configObj.CloudAuthURL = lc.backendAPI.GetCloudAuthURL()
+	}
+	if lc.configObj.CloudReportURL != "" {
+		lc.backendAPI.SetCloudReportURL(lc.configObj.CloudReportURL)
+	} else {
+		lc.configObj.CloudReportURL = lc.backendAPI.GetCloudReportURL()
+	}
+	if lc.configObj.CloudUIURL != "" {
+		lc.backendAPI.SetCloudUIURL(lc.configObj.CloudUIURL)
+	} else {
+		lc.configObj.CloudUIURL = lc.backendAPI.GetCloudUIURL()
+	}
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", lc.backendAPI.GetCloudAPIURL()), helpers.String("auth", lc.backendAPI.GetCloudAuthURL()), helpers.String("report", lc.backendAPI.GetCloudReportURL()), helpers.String("UI", lc.backendAPI.GetCloudUIURL()))
+
+	return lc
+}
+
+func (lc *LocalConfig) GetConfigObj() *ConfigObj  { return lc.configObj }
+func (lc *LocalConfig) GetTenantEmail() string    { return lc.configObj.CustomerAdminEMail }
+func (lc *LocalConfig) GetAccountID() string      { return lc.configObj.AccountID }
+func (lc *LocalConfig) GetClientID() string       { return lc.configObj.ClientID }
+func (lc *LocalConfig) GetSecretKey() string      { return lc.configObj.SecretKey }
+func (lc *LocalConfig) GetContextName() string    { return lc.configObj.ClusterName }
+func (lc *LocalConfig) GetToken() string          { return lc.configObj.Token }
+func (lc *LocalConfig) GetCloudReportURL() string { return lc.configObj.CloudReportURL }
+func (lc *LocalConfig) GetCloudAPIURL() string    { return lc.configObj.CloudAPIURL }
+func (lc *LocalConfig) GetCloudUIURL() string     { return lc.configObj.CloudUIURL }
+func (lc *LocalConfig) GetCloudAuthURL() string   { return lc.configObj.CloudAuthURL }
+func (lc *LocalConfig) IsConfigFound() bool       { return existsConfigFile() }
+func (lc *LocalConfig) SetTenant() error {
+
+	// Kubescape Cloud tenant GUID
+	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
+		return err
+	}
+	lc.UpdateCachedConfig()
+	return nil
+
+}
+func (lc *LocalConfig) UpdateCachedConfig() error {
+	return updateConfigFile(lc.configObj)
+}
+
+func (lc *LocalConfig) DeleteCachedConfig() error {
+	if err := DeleteConfigFile(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	return nil
+}
+
+func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
+
+	// get from Kubescape Cloud API
+	tenantResponse, err := backendAPI.GetTenant()
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // registered tenant
+			configObj.CustomerAdminEMail = tenantResponse.AdminMail
+		} else { // new tenant
+			configObj.Token = tenantResponse.Token
+			configObj.AccountID = tenantResponse.TenantID
+		}
+	} else {
+		if err != nil && !strings.Contains(err.Error(), "already exists") {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ======================================================================================
+// ========================== Cluster Config ============================================
+// ======================================================================================
+
+// ClusterConfig configuration of specific cluster
+/*
+
+Supported environments variables:
+KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescape'
+KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
+
+KS_ACCOUNT_ID
+KS_CLIENT_ID
+KS_SECRET_KEY
+
+TODO - support:
+KS_CACHE // path to cached files
+*/
+type ClusterConfig struct {
+	backendAPI         getter.IBackend
+	k8s                *k8sinterface.KubernetesApi
+	configObj          *ConfigObj
+	configMapName      string
+	configMapNamespace string
+}
+
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *ClusterConfig {
+	// var configObj *ConfigObj
+	c := &ClusterConfig{
+		k8s:                k8s,
+		backendAPI:         backendAPI,
+		configObj:          &ConfigObj{},
+		configMapName:      getConfigMapName(),
+		configMapNamespace: getConfigMapNamespace(),
+	}
+
+	// first, load from configMap
+	if c.existsConfigMap() {
+		c.loadConfigFromConfigMap()
+	}
+
+	// second, load from file
+	if existsConfigFile() { // get from file
+		loadConfigFromFile(c.configObj)
+	}
+	updateCredentials(c.configObj, credentials)
+	updateCloudURLs(c.configObj)
+
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		c.configObj.ClusterName = AdoptClusterName(customClusterName)
+	} else if clusterName != "" {
+		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
+
+	if c.configObj.ClusterName == "" {
+		c.configObj.ClusterName = AdoptClusterName(k8sinterface.GetContextName())
+	} else { // override the cluster name if it has unwanted characters
+		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
+	}
+
+	c.backendAPI.SetAccountID(c.configObj.AccountID)
+	c.backendAPI.SetClientID(c.configObj.ClientID)
+	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
+	if c.configObj.CloudAPIURL != "" {
+		c.backendAPI.SetCloudAPIURL(c.configObj.CloudAPIURL)
+	} else {
+		c.configObj.CloudAPIURL = c.backendAPI.GetCloudAPIURL()
+	}
+	if c.configObj.CloudAuthURL != "" {
+		c.backendAPI.SetCloudAuthURL(c.configObj.CloudAuthURL)
+	} else {
+		c.configObj.CloudAuthURL = c.backendAPI.GetCloudAuthURL()
+	}
+	if c.configObj.CloudReportURL != "" {
+		c.backendAPI.SetCloudReportURL(c.configObj.CloudReportURL)
+	} else {
+		c.configObj.CloudReportURL = c.backendAPI.GetCloudReportURL()
+	}
+	if c.configObj.CloudUIURL != "" {
+		c.backendAPI.SetCloudUIURL(c.configObj.CloudUIURL)
+	} else {
+		c.configObj.CloudUIURL = c.backendAPI.GetCloudUIURL()
+	}
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", c.backendAPI.GetCloudAPIURL()), helpers.String("auth", c.backendAPI.GetCloudAuthURL()), helpers.String("report", c.backendAPI.GetCloudReportURL()), helpers.String("UI", c.backendAPI.GetCloudUIURL()))
+
+	return c
+}
+
+func (c *ClusterConfig) GetConfigObj() *ConfigObj  { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string      { return c.configMapNamespace }
+func (c *ClusterConfig) GetAccountID() string      { return c.configObj.AccountID }
+func (c *ClusterConfig) GetClientID() string       { return c.configObj.ClientID }
+func (c *ClusterConfig) GetSecretKey() string      { return c.configObj.SecretKey }
+func (c *ClusterConfig) GetTenantEmail() string    { return c.configObj.CustomerAdminEMail }
+func (c *ClusterConfig) GetToken() string          { return c.configObj.Token }
+func (c *ClusterConfig) GetCloudReportURL() string { return c.configObj.CloudReportURL }
+func (c *ClusterConfig) GetCloudAPIURL() string    { return c.configObj.CloudAPIURL }
+func (c *ClusterConfig) GetCloudUIURL() string     { return c.configObj.CloudUIURL }
+func (c *ClusterConfig) GetCloudAuthURL() string   { return c.configObj.CloudAuthURL }
+
+func (c *ClusterConfig) IsConfigFound() bool { return existsConfigFile() || c.existsConfigMap() }
+
+func (c *ClusterConfig) SetTenant() error {
+
+	// ARMO tenant GUID
+	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
+		return err
+	}
+	c.UpdateCachedConfig()
+	return nil
+
+}
+
+func (c *ClusterConfig) UpdateCachedConfig() error {
+	// update/create config
+	if c.existsConfigMap() {
+		if err := c.updateConfigMap(); err != nil {
+			return err
+		}
+	} else {
+		if err := c.createConfigMap(); err != nil {
+			return err
+		}
+	}
+	return updateConfigFile(c.configObj)
+}
+
+func (c *ClusterConfig) DeleteCachedConfig() error {
+	if err := c.deleteConfigMap(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	if err := DeleteConfigFile(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	return nil
+}
+func (c *ClusterConfig) GetContextName() string {
+	return c.configObj.ClusterName
+}
+
+func (c *ClusterConfig) ToMapString() map[string]interface{} {
+	m := map[string]interface{}{}
+	if bc, err := json.Marshal(c.configObj); err == nil {
+		json.Unmarshal(bc, &m)
+	}
+	return m
+}
+func (c *ClusterConfig) loadConfigFromConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	return loadConfigFromData(c.configObj, configMap.Data)
+}
+
+func loadConfigFromData(co *ConfigObj, data map[string]string) error {
+	var e error
+	if jsonConf, ok := data["config.json"]; ok {
+		e = readConfig([]byte(jsonConf), co)
+	}
+	if bData, err := json.Marshal(data); err == nil {
+		e = readConfig(bData, co)
+	}
+
+	return e
+}
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	// TODO - check if has customerGUID
+	return err == nil
+}
+
+func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return "", err
+	}
+	if val, ok := configMap.Data[key]; ok {
+		return val, nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+}
+
+func GetValueFromConfigJson(key string) (string, error) {
+	data, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return "", err
+	}
+	var obj map[string]interface{}
+	if err := json.Unmarshal(data, &obj); err != nil {
+		return "", err
+	}
+	if val, ok := obj[key]; ok {
+		return fmt.Sprint(val), nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+
+}
+
+func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	if err != nil {
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: c.configMapName,
+			},
+		}
+	}
+
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+
+	configMap.Data[key] = value
+
+	if err != nil {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
+	} else {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	}
+
+	return err
+}
+
+func existsConfigFile() bool {
+	_, err := os.ReadFile(ConfigFileFullPath())
+	return err == nil
+}
+
+func (c *ClusterConfig) createConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: c.configMapName,
+		},
+	}
+	c.updateConfigData(configMap)
+
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
+	return err
+}
+
+func (c *ClusterConfig) updateConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return err
+	}
+
+	c.updateConfigData(configMap)
+
+	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	return err
+}
+
+func updateConfigFile(configObj *ConfigObj) error {
+	return os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664) //nolint:gosec
+}
+
+func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+	m := c.ToMapString()
+	for k, v := range m {
+		if s, ok := v.(string); ok {
+			configMap.Data[k] = s
+		}
+	}
+}
+func loadConfigFromFile(configObj *ConfigObj) error {
+	dat, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return err
+	}
+	return readConfig(dat, configObj)
+}
+func readConfig(dat []byte, configObj *ConfigObj) error {
+
+	if len(dat) == 0 {
+		return nil
+	}
+
+	if err := json.Unmarshal(dat, configObj); err != nil {
+		return err
+	}
+	if configObj.AccountID == "" {
+		configObj.AccountID = configObj.CustomerGUID
+	}
+	configObj.CustomerGUID = ""
+	return nil
+}
+
+// Check if the customer is submitted
+func (clusterConfig *ClusterConfig) IsSubmitted() bool {
+	return clusterConfig.existsConfigMap() || existsConfigFile()
+}
+
+// Check if the customer is registered
+func (clusterConfig *ClusterConfig) IsRegistered() bool {
+
+	// get from armoBE
+	tenantResponse, err := clusterConfig.backendAPI.GetTenant()
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			return true
+		}
+	}
+	return false
+}
+
+func (clusterConfig *ClusterConfig) deleteConfigMap() error {
+	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
+}
+
+func DeleteConfigFile() error {
+	return os.Remove(ConfigFileFullPath())
+}
+
+func AdoptClusterName(clusterName string) string {
+	re, err := regexp.Compile(`[^\w]+`)
+	if err != nil {
+		return clusterName
+	}
+	return re.ReplaceAllString(clusterName, "-")
+}
+
+func getConfigMapName() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAME"); n != "" {
+		return n
+	}
+	return "kubescape"
+}
+
+func getConfigMapNamespace() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAMESPACE"); n != "" {
+		return n
+	}
+	return "default"
+}
+
+func getAccountFromEnv(credentials *Credentials) {
+	// load from env
+	if accountID := os.Getenv("KS_ACCOUNT_ID"); credentials.Account == "" && accountID != "" {
+		credentials.Account = accountID
+	}
+	if clientID := os.Getenv("KS_CLIENT_ID"); credentials.ClientID == "" && clientID != "" {
+		credentials.ClientID = clientID
+	}
+	if secretKey := os.Getenv("KS_SECRET_KEY"); credentials.SecretKey == "" && secretKey != "" {
+		credentials.SecretKey = secretKey
+	}
+}
+
+func updateCredentials(configObj *ConfigObj, credentials *Credentials) {
+
+	if credentials == nil {
+		credentials = &Credentials{}
+	}
+	getAccountFromEnv(credentials)
+
+	if credentials.Account != "" {
+		configObj.AccountID = credentials.Account // override config Account
+	}
+	if credentials.ClientID != "" {
+		configObj.ClientID = credentials.ClientID // override config ClientID
+	}
+	if credentials.SecretKey != "" {
+		configObj.SecretKey = credentials.SecretKey // override config SecretKey
+	}
+
+}
+
+func getCloudURLsFromEnv(cloudURLs *CloudURLs) {
+	// load from env
+	if cloudAPIURL := os.Getenv("KS_CLOUD_API_URL"); cloudAPIURL != "" {
+		cloudURLs.CloudAPIURL = cloudAPIURL
+	}
+	if cloudAuthURL := os.Getenv("KS_CLOUD_AUTH_URL"); cloudAuthURL != "" {
+		cloudURLs.CloudAuthURL = cloudAuthURL
+	}
+	if cloudReportURL := os.Getenv("KS_CLOUD_REPORT_URL"); cloudReportURL != "" {
+		cloudURLs.CloudReportURL = cloudReportURL
+	}
+	if cloudUIURL := os.Getenv("KS_CLOUD_UI_URL"); cloudUIURL != "" {
+		cloudURLs.CloudUIURL = cloudUIURL
+	}
+}
+
+func updateCloudURLs(configObj *ConfigObj) {
+	cloudURLs := &CloudURLs{}
+
+	getCloudURLsFromEnv(cloudURLs)
+
+	if cloudURLs.CloudAPIURL != "" {
+		configObj.CloudAPIURL = cloudURLs.CloudAPIURL // override config CloudAPIURL
+	}
+	if cloudURLs.CloudAuthURL != "" {
+		configObj.CloudAuthURL = cloudURLs.CloudAuthURL // override config CloudAuthURL
+	}
+	if cloudURLs.CloudReportURL != "" {
+		configObj.CloudReportURL = cloudURLs.CloudReportURL // override config CloudReportURL
+	}
+	if cloudURLs.CloudUIURL != "" {
+		configObj.CloudUIURL = cloudURLs.CloudUIURL // override config CloudUIURL
+	}
+
+}

core/cautils/customerloader_test.go

@@ -0,0 +1,270 @@
+package cautils
+
+import (
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func mockConfigObj() *ConfigObj {
+	return &ConfigObj{
+		AccountID:          "aaa",
+		ClientID:           "bbb",
+		SecretKey:          "ccc",
+		ClusterName:        "ddd",
+		CustomerAdminEMail: "ab@cd",
+		Token:              "eee",
+		CloudReportURL:     "report.armo.cloud",
+		CloudAPIURL:        "api.armosec.io",
+		CloudUIURL:         "cloud.armosec.io",
+		CloudAuthURL:       "auth.armosec.io",
+	}
+}
+func mockLocalConfig() *LocalConfig {
+	return &LocalConfig{
+		backendAPI: nil,
+		configObj:  mockConfigObj(),
+	}
+}
+
+func mockClusterConfig() *ClusterConfig {
+	return &ClusterConfig{
+		backendAPI: nil,
+		configObj:  mockConfigObj(),
+	}
+}
+func TestConfig(t *testing.T) {
+	co := mockConfigObj()
+	cop := ConfigObj{}
+
+	assert.NoError(t, json.Unmarshal(co.Config(), &cop))
+	assert.Equal(t, co.AccountID, cop.AccountID)
+	assert.Equal(t, co.ClientID, cop.ClientID)
+	assert.Equal(t, co.SecretKey, cop.SecretKey)
+	assert.Equal(t, co.CloudReportURL, cop.CloudReportURL)
+	assert.Equal(t, co.CloudAPIURL, cop.CloudAPIURL)
+	assert.Equal(t, co.CloudUIURL, cop.CloudUIURL)
+	assert.Equal(t, co.CloudAuthURL, cop.CloudAuthURL)
+	assert.Equal(t, "", cop.ClusterName)        // Not copied to bytes
+	assert.Equal(t, "", cop.CustomerAdminEMail) // Not copied to bytes
+	assert.Equal(t, "", cop.Token)              // Not copied to bytes
+
+}
+
+func TestITenantConfig(t *testing.T) {
+	var lc ITenantConfig
+	var c ITenantConfig
+	lc = mockLocalConfig()
+	c = mockClusterConfig()
+
+	co := mockConfigObj()
+
+	// test LocalConfig methods
+	assert.Equal(t, co.AccountID, lc.GetAccountID())
+	assert.Equal(t, co.ClientID, lc.GetClientID())
+	assert.Equal(t, co.SecretKey, lc.GetSecretKey())
+	assert.Equal(t, co.ClusterName, lc.GetContextName())
+	assert.Equal(t, co.CustomerAdminEMail, lc.GetTenantEmail())
+	assert.Equal(t, co.Token, lc.GetToken())
+	assert.Equal(t, co.CloudReportURL, lc.GetCloudReportURL())
+	assert.Equal(t, co.CloudAPIURL, lc.GetCloudAPIURL())
+	assert.Equal(t, co.CloudUIURL, lc.GetCloudUIURL())
+	assert.Equal(t, co.CloudAuthURL, lc.GetCloudAuthURL())
+
+	// test ClusterConfig methods
+	assert.Equal(t, co.AccountID, c.GetAccountID())
+	assert.Equal(t, co.ClientID, c.GetClientID())
+	assert.Equal(t, co.SecretKey, c.GetSecretKey())
+	assert.Equal(t, co.ClusterName, c.GetContextName())
+	assert.Equal(t, co.CustomerAdminEMail, c.GetTenantEmail())
+	assert.Equal(t, co.Token, c.GetToken())
+	assert.Equal(t, co.CloudReportURL, c.GetCloudReportURL())
+	assert.Equal(t, co.CloudAPIURL, c.GetCloudAPIURL())
+	assert.Equal(t, co.CloudUIURL, c.GetCloudUIURL())
+	assert.Equal(t, co.CloudAuthURL, c.GetCloudAuthURL())
+}
+
+func TestUpdateConfigData(t *testing.T) {
+	c := mockClusterConfig()
+
+	configMap := &corev1.ConfigMap{}
+
+	c.updateConfigData(configMap)
+
+	assert.Equal(t, c.GetAccountID(), configMap.Data["accountID"])
+	assert.Equal(t, c.GetClientID(), configMap.Data["clientID"])
+	assert.Equal(t, c.GetSecretKey(), configMap.Data["secretKey"])
+	assert.Equal(t, c.GetCloudReportURL(), configMap.Data["cloudReportURL"])
+	assert.Equal(t, c.GetCloudAPIURL(), configMap.Data["cloudAPIURL"])
+	assert.Equal(t, c.GetCloudUIURL(), configMap.Data["cloudUIURL"])
+	assert.Equal(t, c.GetCloudAuthURL(), configMap.Data["cloudAuthURL"])
+}
+
+func TestReadConfig(t *testing.T) {
+	com := mockConfigObj()
+	co := &ConfigObj{}
+
+	b, e := json.Marshal(com)
+	assert.NoError(t, e)
+
+	readConfig(b, co)
+
+	assert.Equal(t, com.AccountID, co.AccountID)
+	assert.Equal(t, com.ClientID, co.ClientID)
+	assert.Equal(t, com.SecretKey, co.SecretKey)
+	assert.Equal(t, com.ClusterName, co.ClusterName)
+	assert.Equal(t, com.CustomerAdminEMail, co.CustomerAdminEMail)
+	assert.Equal(t, com.Token, co.Token)
+	assert.Equal(t, com.CloudReportURL, co.CloudReportURL)
+	assert.Equal(t, com.CloudAPIURL, co.CloudAPIURL)
+	assert.Equal(t, com.CloudUIURL, co.CloudUIURL)
+	assert.Equal(t, com.CloudAuthURL, co.CloudAuthURL)
+}
+
+func TestLoadConfigFromData(t *testing.T) {
+
+	// use case: all data is in base config
+	{
+		c := mockClusterConfig()
+		co := mockConfigObj()
+
+		configMap := &corev1.ConfigMap{}
+
+		c.updateConfigData(configMap)
+
+		c.configObj = &ConfigObj{}
+
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, c.GetAccountID(), co.AccountID)
+		assert.Equal(t, c.GetClientID(), co.ClientID)
+		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
+		assert.Equal(t, c.GetContextName(), co.ClusterName)
+		assert.Equal(t, c.GetTenantEmail(), co.CustomerAdminEMail)
+		assert.Equal(t, c.GetToken(), co.Token)
+		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
+		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
+		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
+		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
+	}
+
+	// use case: all data is in config.json
+	{
+		c := mockClusterConfig()
+
+		co := mockConfigObj()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		c.configObj = &ConfigObj{}
+
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, c.GetAccountID(), co.AccountID)
+		assert.Equal(t, c.GetClientID(), co.ClientID)
+		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
+		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
+		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
+		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
+		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
+	}
+
+	// use case: some data is in config.json
+	{
+		c := mockClusterConfig()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		// add to map
+		configMap.Data["clientID"] = c.configObj.ClientID
+		configMap.Data["secretKey"] = c.configObj.SecretKey
+		configMap.Data["cloudReportURL"] = c.configObj.CloudReportURL
+
+		// delete the content
+		c.configObj.ClientID = ""
+		c.configObj.SecretKey = ""
+		c.configObj.CloudReportURL = ""
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.NotEmpty(t, c.GetAccountID())
+		assert.NotEmpty(t, c.GetClientID())
+		assert.NotEmpty(t, c.GetSecretKey())
+		assert.NotEmpty(t, c.GetCloudReportURL())
+	}
+
+	// use case: some data is in config.json
+	{
+		c := mockClusterConfig()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		c.configObj.AccountID = "tttt"
+
+		// add to map
+		configMap.Data["accountID"] = mockConfigObj().AccountID
+		configMap.Data["clientID"] = c.configObj.ClientID
+		configMap.Data["secretKey"] = c.configObj.SecretKey
+
+		// delete the content
+		c.configObj.ClientID = ""
+		c.configObj.SecretKey = ""
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, mockConfigObj().AccountID, c.GetAccountID())
+		assert.NotEmpty(t, c.GetClientID())
+		assert.NotEmpty(t, c.GetSecretKey())
+	}
+
+}
+
+func TestAdoptClusterName(t *testing.T) {
+	tests := []struct {
+		name        string
+		clusterName string
+		want        string
+	}{
+		{
+			name:        "replace 1",
+			clusterName: "my-name__is--ks",
+			want:        "my-name__is-ks",
+		},
+		{
+			name:        "replace 2",
+			clusterName: "my-name1",
+			want:        "my-name1",
+		},
+		{
+			name:        "replace 3",
+			clusterName: "my:name",
+			want:        "my-name",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := AdoptClusterName(tt.clusterName); got != tt.want {
+				t.Errorf("AdoptClusterName() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestUpdateCloudURLs(t *testing.T) {
+	co := mockConfigObj()
+	mockCloudAPIURL := "1-2-3-4.com"
+	os.Setenv("KS_CLOUD_API_URL", mockCloudAPIURL)
+
+	assert.NotEqual(t, co.CloudAPIURL, mockCloudAPIURL)
+	updateCloudURLs(co)
+	assert.Equal(t, co.CloudAPIURL, mockCloudAPIURL)
+}

core/cautils/datastructures.go

@@ -0,0 +1,110 @@
+package cautils
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/reporthandling"
+	apis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/prioritization"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+)
+
+// K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
+type K8SResources map[string][]string
+type KSResources map[string][]string
+
+type OPASessionObj struct {
+	K8SResources          *K8SResources                                 // input k8s objects
+	ArmoResource          *KSResources                                  // input ARMO objects
+	AllPolicies           *Policies                                     // list of all frameworks
+	AllResources          map[string]workloadinterface.IMetadata        // all scanned resources, map[<resource ID>]<resource>
+	ResourcesResult       map[string]resourcesresults.Result            // resources scan results, map[<resource ID>]<resource result>
+	ResourceSource        map[string]reporthandling.Source              // resources sources, map[<resource ID>]<resource result>
+	ResourcesPrioritized  map[string]prioritization.PrioritizedResource // resources prioritization information, map[<resource ID>]<prioritized resource>
+	ResourceAttackTracks  map[string]v1alpha1.IAttackTrack              // resources attack tracks, map[<resource ID>]<attack track>
+	AttackTracks          map[string]v1alpha1.IAttackTrack
+	Report                *reporthandlingv2.PostureReport // scan results v2 - Remove
+	RegoInputData         RegoInputData                   // input passed to rego for scanning. map[<control name>][<input arguments>]
+	Metadata              *reporthandlingv2.Metadata
+	InfoMap               map[string]apis.StatusInfo         // Map errors of resources to StatusInfo
+	ResourceToControlsMap map[string][]string                // map[<apigroup/apiversion/resource>] = [<control_IDs>]
+	SessionID             string                             // SessionID
+	Policies              []reporthandling.Framework         // list of frameworks to scan
+	Exceptions            []armotypes.PostureExceptionPolicy // list of exceptions to apply on scan results
+	OmitRawResources      bool                               // omit raw resources from output
+}
+
+func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources, scanInfo *ScanInfo) *OPASessionObj {
+	return &OPASessionObj{
+		Report:                &reporthandlingv2.PostureReport{},
+		Policies:              frameworks,
+		K8SResources:          k8sResources,
+		AllResources:          make(map[string]workloadinterface.IMetadata),
+		ResourcesResult:       make(map[string]resourcesresults.Result),
+		ResourcesPrioritized:  make(map[string]prioritization.PrioritizedResource),
+		InfoMap:               make(map[string]apis.StatusInfo),
+		ResourceToControlsMap: make(map[string][]string),
+		ResourceSource:        make(map[string]reporthandling.Source),
+		SessionID:             scanInfo.ScanID,
+		Metadata:              scanInfoToScanMetadata(scanInfo),
+		OmitRawResources:      scanInfo.OmitRawResources,
+	}
+}
+
+func (sessionObj *OPASessionObj) SetMapNamespaceToNumberOfResources(mapNamespaceToNumberOfResources map[string]int) {
+	if sessionObj.Metadata.ContextMetadata.ClusterContextMetadata == nil {
+		sessionObj.Metadata.ContextMetadata.ClusterContextMetadata = &reporthandlingv2.ClusterMetadata{}
+	}
+	if sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.MapNamespaceToNumberOfResources == nil {
+		sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.MapNamespaceToNumberOfResources = make(map[string]int)
+	}
+	sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.MapNamespaceToNumberOfResources = mapNamespaceToNumberOfResources
+}
+
+func (sessionObj *OPASessionObj) SetNumberOfWorkerNodes(n int) {
+	if sessionObj.Metadata.ContextMetadata.ClusterContextMetadata == nil {
+		sessionObj.Metadata.ContextMetadata.ClusterContextMetadata = &reporthandlingv2.ClusterMetadata{}
+	}
+	sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.NumberOfWorkerNodes = n
+}
+
+func NewOPASessionObjMock() *OPASessionObj {
+	return &OPASessionObj{
+		Policies:             nil,
+		K8SResources:         nil,
+		AllResources:         make(map[string]workloadinterface.IMetadata),
+		ResourcesResult:      make(map[string]resourcesresults.Result),
+		ResourcesPrioritized: make(map[string]prioritization.PrioritizedResource),
+		Report:               &reporthandlingv2.PostureReport{},
+		Metadata: &reporthandlingv2.Metadata{
+			ScanMetadata: reporthandlingv2.ScanMetadata{
+				ScanningTarget: 0,
+			},
+		},
+	}
+}
+
+type ComponentConfig struct {
+	Exceptions Exception `json:"exceptions"`
+}
+
+type Exception struct {
+	Ignore        *bool                      `json:"ignore"`        // ignore test results
+	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
+	Namespaces    []string                   `json:"namespaces"`
+	Regex         string                     `json:"regex"` // not supported
+}
+
+type RegoInputData struct {
+	PostureControlInputs map[string][]string `json:"postureControlInputs"`
+	DataControlInputs    map[string]string   `json:"dataControlInputs"`
+	// ClusterName          string              `json:"clusterName"`
+	// K8sConfig            RegoK8sConfig       `json:"k8sconfig"`
+}
+
+type Policies struct {
+	Controls   map[string]reporthandling.Control // map[<control ID>]<control>
+	Frameworks []string
+}

core/cautils/datastructuresmethods.go

@@ -0,0 +1,68 @@
+package cautils
+
+import (
+	"golang.org/x/mod/semver"
+
+	"github.com/armosec/utils-go/boolutils"
+	"github.com/kubescape/opa-utils/reporthandling"
+)
+
+func NewPolicies() *Policies {
+	return &Policies{
+		Frameworks: make([]string, 0),
+		Controls:   make(map[string]reporthandling.Control),
+	}
+}
+
+func (policies *Policies) Set(frameworks []reporthandling.Framework, version string) {
+	for i := range frameworks {
+		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
+			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
+		}
+		for j := range frameworks[i].Controls {
+			compatibleRules := []reporthandling.PolicyRule{}
+			for r := range frameworks[i].Controls[j].Rules {
+				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
+					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				}
+			}
+			if len(compatibleRules) > 0 {
+				frameworks[i].Controls[j].Rules = compatibleRules
+				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+			}
+		}
+
+	}
+}
+
+func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
+	if attributes == nil {
+		return false
+	}
+	if s, ok := attributes["armoOpa"]; ok { // TODO - make global
+		return boolutils.StringToBool(s.(string))
+	}
+	return false
+}
+
+// Checks that kubescape version is in range of use for this rule
+// In local build (BuildNumber = ""):
+// returns true only if rule doesn't have the "until" attribute
+func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
+	if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
+		if version != "" {
+			if semver.Compare(version, from.(string)) == -1 {
+				return false
+			}
+		}
+	}
+	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
+		if version == "" {
+			return false
+		}
+		if semver.Compare(version, until.(string)) >= 0 {
+			return false
+		}
+	}
+	return true
+}

core/cautils/display.go

@@ -0,0 +1,41 @@
+package cautils
+
+import (
+	"os"
+	"time"
+
+	spinnerpkg "github.com/briandowns/spinner"
+	"github.com/fatih/color"
+	"github.com/mattn/go-isatty"
+)
+
+var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
+var WarningDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
+var InfoDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
+var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var SimpleDisplay = color.New().FprintfFunc()
+var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
+var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
+
+var spinner *spinnerpkg.Spinner
+
+func StartSpinner() {
+	if spinner != nil {
+		if !spinner.Active() {
+			spinner.Start()
+		}
+		return
+	}
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		spinner = spinnerpkg.New(spinnerpkg.CharSets[7], 100*time.Millisecond) // Build our new spinner
+		spinner.Start()
+	}
+}
+
+func StopSpinner() {
+	if spinner == nil || !spinner.Active() {
+		return
+	}
+	spinner.Stop()
+}

core/cautils/environments.go

@@ -0,0 +1,7 @@
+package cautils
+
+// Kubescape Cloud environment vars
+var (
+	CustomerGUID = ""
+	ClusterName  = ""
+)

core/cautils/fileutils.go

@@ -0,0 +1,362 @@
+package cautils
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+
+	"gopkg.in/yaml.v3"
+)
+
+var (
+	YAML_PREFIX = []string{"yaml", "yml"}
+	JSON_PREFIX = []string{"json"}
+)
+
+type FileFormat string
+
+const (
+	YAML_FILE_FORMAT FileFormat = "yaml"
+	JSON_FILE_FORMAT FileFormat = "json"
+)
+
+// LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
+func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
+	directories, _ := listDirs(basePath)
+	helmDirectories := make([]string, 0)
+	for _, dir := range directories {
+		if ok, _ := IsHelmDirectory(dir); ok {
+			helmDirectories = append(helmDirectories, dir)
+		}
+	}
+
+	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
+	sourceToChartName := map[string]string{}
+	for _, helmDir := range helmDirectories {
+		chart, err := NewHelmChart(helmDir)
+		if err == nil {
+			wls, errs := chart.GetWorkloadsWithDefaultValues()
+			if len(errs) > 0 {
+				logger.L().Error(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
+				continue
+			}
+
+			chartName := chart.GetName()
+			for k, v := range wls {
+				sourceToWorkloads[k] = v
+				sourceToChartName[k] = chartName
+			}
+		}
+	}
+	return sourceToWorkloads, sourceToChartName
+}
+
+// If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
+// generate yaml files using "Kustomize" & renders a map of workloads from those yaml files
+func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workloadinterface.IMetadata, string) {
+	isKustomizeDirectory := IsKustomizeDirectory(basePath)
+	isKustomizeFile := IsKustomizeFile(basePath)
+	if ok := isKustomizeDirectory || isKustomizeFile; !ok {
+		return nil, ""
+	}
+
+	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
+	kustomizeDirectory := NewKustomizeDirectory(basePath)
+
+	var newBasePath string
+
+	if isKustomizeFile {
+		newBasePath = filepath.Dir(basePath)
+		logger.L().Info("Kustomize File Detected, Scanning the rendered Kubernetes Objects...")
+	} else {
+		newBasePath = basePath
+		logger.L().Info("Kustomize Directory Detected, Scanning the rendered Kubernetes Objects...")
+	}
+
+	wls, errs := kustomizeDirectory.GetWorkloads(newBasePath)
+	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
+
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
+	}
+
+	for k, v := range wls {
+		sourceToWorkloads[k] = v
+	}
+	return sourceToWorkloads, kustomizeDirectoryName
+}
+
+func LoadResourcesFromFiles(input, rootPath string) map[string][]workloadinterface.IMetadata {
+	files, errs := listFiles(input)
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("%v", errs))
+	}
+	if len(files) == 0 {
+		return nil
+	}
+
+	workloads, errs := loadFiles(rootPath, files)
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("%v", errs))
+	}
+
+	return workloads
+}
+
+func loadFiles(rootPath string, filePaths []string) (map[string][]workloadinterface.IMetadata, []error) {
+	workloads := make(map[string][]workloadinterface.IMetadata, 0)
+	errs := []error{}
+	for i := range filePaths {
+		f, err := loadFile(filePaths[i])
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		if len(f) == 0 {
+			continue // empty file
+		}
+
+		w, e := ReadFile(f, GetFileFormat(filePaths[i]))
+		if e != nil {
+			logger.L().Debug("failed to read file", helpers.String("file", filePaths[i]), helpers.Error(e))
+		}
+		if len(w) != 0 {
+			path := filePaths[i]
+			if _, ok := workloads[path]; !ok {
+				workloads[path] = []workloadinterface.IMetadata{}
+			}
+			wSlice := workloads[path]
+			for j := range w {
+				lw := localworkload.NewLocalWorkload(w[j].GetObject())
+				if relPath, err := filepath.Rel(rootPath, path); err == nil {
+					lw.SetPath(fmt.Sprintf("%s:%d", relPath, j))
+				} else {
+					lw.SetPath(fmt.Sprintf("%s:%d", path, j))
+				}
+				wSlice = append(wSlice, lw)
+			}
+			workloads[path] = wSlice
+		}
+	}
+	return workloads, errs
+}
+
+func loadFile(filePath string) ([]byte, error) {
+	return os.ReadFile(filePath)
+}
+func ReadFile(fileContent []byte, fileFormat FileFormat) ([]workloadinterface.IMetadata, error) {
+
+	switch fileFormat {
+	case YAML_FILE_FORMAT:
+		return readYamlFile(fileContent)
+	case JSON_FILE_FORMAT:
+		return readJsonFile(fileContent)
+	default:
+		return nil, nil
+	}
+}
+
+// listFiles returns the list of absolute paths, full file path and list of errors. The list of abs paths and full path have the same length
+func listFiles(pattern string) ([]string, []error) {
+	return listFilesOrDirectories(pattern, false)
+}
+
+// listDirs returns the list of absolute paths, full directories path and list of errors. The list of abs paths and full path have the same length
+func listDirs(pattern string) ([]string, []error) {
+	return listFilesOrDirectories(pattern, true)
+}
+
+func listFilesOrDirectories(pattern string, onlyDirectories bool) ([]string, []error) {
+	var paths []string
+	errs := []error{}
+
+	if !filepath.IsAbs(pattern) {
+		o, _ := os.Getwd()
+		pattern = filepath.Join(o, pattern)
+	}
+
+	if !onlyDirectories && IsFile(pattern) {
+		paths = append(paths, pattern)
+		return paths, errs
+	}
+
+	root, shouldMatch := filepath.Split(pattern)
+
+	if IsDir(pattern) {
+		root = pattern
+		shouldMatch = "*"
+	}
+	if shouldMatch == "" {
+		shouldMatch = "*"
+	}
+
+	f, err := glob(root, shouldMatch, onlyDirectories)
+	if err != nil {
+		errs = append(errs, err)
+	} else {
+		paths = append(paths, f...)
+	}
+
+	return paths, errs
+}
+
+func readYamlFile(yamlFile []byte) ([]workloadinterface.IMetadata, error) {
+	defer recover()
+
+	r := bytes.NewReader(yamlFile)
+	dec := yaml.NewDecoder(r)
+	yamlObjs := []workloadinterface.IMetadata{}
+
+	var t interface{}
+	for dec.Decode(&t) == nil {
+		j := convertYamlToJson(t)
+		if j == nil {
+			continue
+		}
+		if obj, ok := j.(map[string]interface{}); ok {
+			if o := objectsenvelopes.NewObject(obj); o != nil {
+				if o.GetObjectType() == workloadinterface.TypeListWorkloads {
+					if list := workloadinterface.NewListWorkloadsObj(o.GetObject()); list != nil {
+						yamlObjs = append(yamlObjs, list.GetItems()...)
+					}
+				} else {
+					yamlObjs = append(yamlObjs, o)
+				}
+			}
+		}
+	}
+
+	return yamlObjs, nil
+}
+
+func readJsonFile(jsonFile []byte) ([]workloadinterface.IMetadata, error) {
+	workloads := []workloadinterface.IMetadata{}
+	var jsonObj interface{}
+	if err := json.Unmarshal(jsonFile, &jsonObj); err != nil {
+		return workloads, err
+	}
+
+	convertJsonToWorkload(jsonObj, &workloads)
+
+	return workloads, nil
+}
+func convertJsonToWorkload(jsonObj interface{}, workloads *[]workloadinterface.IMetadata) {
+
+	switch x := jsonObj.(type) {
+	case map[string]interface{}:
+		if o := objectsenvelopes.NewObject(x); o != nil {
+			(*workloads) = append(*workloads, o)
+		}
+	case []interface{}:
+		for i := range x {
+			convertJsonToWorkload(x[i], workloads)
+		}
+	}
+}
+func convertYamlToJson(i interface{}) interface{} {
+	switch x := i.(type) {
+	case map[interface{}]interface{}:
+		m2 := map[string]interface{}{}
+		for k, v := range x {
+			if s, ok := k.(string); ok {
+				m2[s] = convertYamlToJson(v)
+			}
+		}
+		return m2
+	case []interface{}:
+		for i, v := range x {
+			x[i] = convertYamlToJson(v)
+		}
+	}
+	return i
+}
+
+func IsYaml(filePath string) bool {
+	return StringInSlice(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+}
+
+func IsJson(filePath string) bool {
+	return StringInSlice(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+}
+
+func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
+	var matches []string
+
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// listing only directories
+		if onlyDirectories {
+			if info.IsDir() {
+				if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {
+					return err
+				} else if matched {
+					matches = append(matches, path)
+				}
+			}
+			return nil
+		}
+
+		// listing only files
+		if info.IsDir() {
+			return nil
+		}
+		fileFormat := GetFileFormat(path)
+		if !(fileFormat == JSON_FILE_FORMAT || fileFormat == YAML_FILE_FORMAT) {
+			return nil
+		}
+		if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {
+			return err
+		} else if matched {
+			matches = append(matches, path)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return matches, nil
+}
+
+// IsFile checks if a given path is a file
+func IsFile(name string) bool {
+	if fi, err := os.Stat(name); err == nil {
+		if fi.Mode().IsRegular() {
+			return true
+		}
+	}
+	return false
+}
+
+// IsDir checks if a given path is a directory
+func IsDir(name string) bool {
+	if info, err := os.Stat(name); err == nil {
+		if info.IsDir() {
+			return true
+		}
+	}
+	return false
+}
+
+func GetFileFormat(filePath string) FileFormat {
+	if IsYaml(filePath) {
+		return YAML_FILE_FORMAT
+	} else if IsJson(filePath) {
+		return JSON_FILE_FORMAT
+	} else {
+		return FileFormat(filePath)
+	}
+}

core/cautils/fileutils_test.go

@@ -0,0 +1,105 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/stretchr/testify/assert"
+)
+
+func onlineBoutiquePath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(filepath.Dir(o), "..", "examples", "online-boutique")
+}
+
+func helmChartPath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(filepath.Dir(o), "..", "examples", "helm_chart")
+}
+
+func TestListFiles(t *testing.T) {
+
+	filesPath := onlineBoutiquePath()
+
+	files, errs := listFiles(filesPath)
+	assert.Equal(t, 0, len(errs))
+	assert.Equal(t, 12, len(files))
+}
+
+func TestLoadResourcesFromFiles(t *testing.T) {
+	workloads := LoadResourcesFromFiles(onlineBoutiquePath(), "")
+	assert.Equal(t, 12, len(workloads))
+
+	for i, w := range workloads {
+		switch filepath.Base(i) {
+		case "adservice.yaml":
+			assert.Equal(t, 2, len(w))
+			assert.Equal(t, "apps/v1//Deployment/adservice", getRelativePath(w[0].GetID()))
+			assert.Equal(t, "/v1//Service/adservice", getRelativePath(w[1].GetID()))
+		}
+	}
+}
+
+func TestLoadResourcesFromHelmCharts(t *testing.T) {
+	sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(helmChartPath())
+	assert.Equal(t, 6, len(sourceToWorkloads))
+
+	for file, workloads := range sourceToWorkloads {
+		assert.Equalf(t, 1, len(workloads), "expected 1 workload in file %s", file)
+
+		w := workloads[0]
+		assert.True(t, localworkload.IsTypeLocalWorkload(w.GetObject()), "Expected localworkload as object type")
+		assert.Equal(t, "kubescape", sourceToChartName[file])
+
+		switch filepath.Base(file) {
+		case "serviceaccount.yaml":
+			assert.Equal(t, "/v1//ServiceAccount/kubescape-discovery", getRelativePath(w.GetID()))
+		case "clusterrole.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRole/-kubescape", getRelativePath(w.GetID()))
+		case "cronjob.yaml":
+			assert.Equal(t, "batch/v1//CronJob/-kubescape", getRelativePath(w.GetID()))
+		case "role.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//Role/-kubescape", getRelativePath(w.GetID()))
+		case "rolebinding.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//RoleBinding/-kubescape", getRelativePath(w.GetID()))
+		case "clusterrolebinding.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape", getRelativePath(w.GetID()))
+		default:
+			assert.Failf(t, "missing case for file: %s", filepath.Base(file))
+		}
+	}
+}
+
+func TestLoadFiles(t *testing.T) {
+	files, _ := listFiles(onlineBoutiquePath())
+	_, err := loadFiles("", files)
+	assert.Equal(t, 0, len(err))
+}
+
+func TestListDirs(t *testing.T) {
+	dirs, _ := listDirs(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
+	assert.Equal(t, 0, len(dirs))
+
+	expectedDirs := []string{filepath.Join("examples", "helm_chart"), filepath.Join("examples", "helm_chart", "templates")}
+	dirs, _ = listDirs(helmChartPath())
+	assert.Equal(t, len(expectedDirs), len(dirs))
+	for i := range expectedDirs {
+		assert.Contains(t, dirs[i], expectedDirs[i])
+	}
+}
+
+func TestLoadFile(t *testing.T) {
+	files, _ := listFiles(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
+	assert.Equal(t, 1, len(files))
+
+	_, err := loadFile(files[0])
+	assert.NoError(t, err)
+}
+
+func getRelativePath(p string) string {
+	pp := strings.SplitAfter(p, "api=")
+	return pp[1]
+}

core/cautils/floatutils.go

@@ -0,0 +1,18 @@
+package cautils
+
+import "math"
+
+// Float64ToInt convert float64 to int
+func Float64ToInt(x float64) int {
+	return int(math.Round(x))
+}
+
+// Float32ToInt convert float32 to int
+func Float32ToInt(x float32) int {
+	return Float64ToInt(float64(x))
+}
+
+// Float16ToInt convert float16 to int
+func Float16ToInt(x float32) int {
+	return Float64ToInt(float64(x))
+}

core/cautils/floatutils_test.go

@@ -0,0 +1,24 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFloat64ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float64ToInt(3.49))
+	assert.Equal(t, 4, Float64ToInt(3.5))
+	assert.Equal(t, 4, Float64ToInt(3.51))
+}
+
+func TestFloat32ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float32ToInt(3.49))
+	assert.Equal(t, 4, Float32ToInt(3.5))
+	assert.Equal(t, 4, Float32ToInt(3.51))
+}
+func TestFloat16ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float16ToInt(3.49))
+	assert.Equal(t, 4, Float16ToInt(3.5))
+	assert.Equal(t, 4, Float16ToInt(3.51))
+}

core/cautils/getter/datastructures.go

@@ -0,0 +1,24 @@
+package getter
+
+type FeLoginData struct {
+	Secret   string `json:"secret"`
+	ClientId string `json:"clientId"`
+}
+
+type FeLoginResponse struct {
+	Token        string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
+	Expires      string `json:"expires"`
+	ExpiresIn    int32  `json:"expiresIn"`
+}
+
+type KSCloudSelectCustomer struct {
+	SelectedCustomerGuid string `json:"selectedCustomer"`
+}
+
+type TenantResponse struct {
+	TenantID  string `json:"tenantId"`
+	Token     string `json:"token"`
+	Expires   string `json:"expires"`
+	AdminMail string `json:"adminMail,omitempty"`
+}

core/cautils/getter/downloadreleasedpolicy.go

@@ -0,0 +1,127 @@
+package getter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/gitregostore"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+// =======================================================================================================================
+// ======================================== DownloadReleasedPolicy =======================================================
+// =======================================================================================================================
+
+// Use gitregostore to get policies from github release
+type DownloadReleasedPolicy struct {
+	gs *gitregostore.GitRegoStore
+}
+
+func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
+	return &DownloadReleasedPolicy{
+		gs: gitregostore.NewDefaultGitRegoStore(-1),
+	}
+}
+
+func (drp *DownloadReleasedPolicy) GetControl(ID string) (*reporthandling.Control, error) {
+	var control *reporthandling.Control
+	var err error
+
+	control, err = drp.gs.GetOPAControlByID(ID)
+	if err != nil {
+		return nil, err
+	}
+	return control, nil
+}
+
+func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
+	framework, err := drp.gs.GetOPAFrameworkByName(name)
+	if err != nil {
+		return nil, err
+	}
+	return framework, err
+}
+
+func (drp *DownloadReleasedPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
+	frameworks, err := drp.gs.GetOPAFrameworks()
+	if err != nil {
+		return nil, err
+	}
+	return frameworks, err
+}
+
+func (drp *DownloadReleasedPolicy) ListFrameworks() ([]string, error) {
+	return drp.gs.GetOPAFrameworksNamesList()
+}
+
+func (drp *DownloadReleasedPolicy) ListControls() ([]string, error) {
+	controlsIDsList, err := drp.gs.GetOPAControlsIDsList()
+	if err != nil {
+		return []string{}, err
+	}
+	controlsNamesList, err := drp.gs.GetOPAControlsNamesList()
+	if err != nil {
+		return []string{}, err
+	}
+	controls, err := drp.gs.GetOPAControls()
+	if err != nil {
+		return []string{}, err
+	}
+	var controlsFrameworksList [][]string
+	for _, control := range controls {
+		controlsFrameworksList = append(controlsFrameworksList, control.FrameworkNames)
+	}
+	controlsNamesWithIDsandFrameworksList := make([]string, len(controlsIDsList))
+	// by design all slices have the same lengt
+	for i := range controlsIDsList {
+		controlsNamesWithIDsandFrameworksList[i] = fmt.Sprintf("%v|%v|%v", controlsIDsList[i], controlsNamesList[i], strings.Join(controlsFrameworksList[i], ","))
+	}
+	return controlsNamesWithIDsandFrameworksList, nil
+}
+
+func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	defaultConfigInputs, err := drp.gs.GetDefaultConfigInputs()
+	if err != nil {
+		return nil, err
+	}
+	return defaultConfigInputs.Settings.PostureControlInputs, err
+}
+
+func (drp *DownloadReleasedPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	attackTracks, err := drp.gs.GetAttackTracks()
+	if err != nil {
+		return nil, err
+	}
+	return attackTracks, err
+}
+
+func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
+	fwNames, err := drp.gs.GetOPAFrameworksNamesList()
+	if len(fwNames) != 0 && err == nil {
+		return nil
+	}
+	return drp.gs.SetRegoObjects()
+}
+
+func isNativeFramework(framework string) bool {
+	return contains(NativeFrameworks, framework)
+}
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if strings.EqualFold(v, str) {
+			return true
+		}
+	}
+	return false
+}
+
+func (drp *DownloadReleasedPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions, err := drp.gs.GetSystemPostureExceptionPolicies()
+	if err != nil {
+		return nil, err
+	}
+	return exceptions, nil
+}

core/cautils/getter/gcpcloudapi.go

@@ -0,0 +1,42 @@
+package getter
+
+import (
+	"context"
+	"os"
+
+	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
+)
+
+type GCPCloudAPI struct {
+	credentialsPath  string
+	context          context.Context
+	client           *containeranalysis.Client
+	projectID        string
+	credentialsCheck bool
+}
+
+func GetGlobalGCPCloudAPIConnector() *GCPCloudAPI {
+
+	if os.Getenv("KS_GCP_CREDENTIALS_PATH") == "" || os.Getenv("KS_GCP_PROJECT_ID") == "" {
+		return &GCPCloudAPI{
+			credentialsCheck: false,
+		}
+	} else {
+		return &GCPCloudAPI{
+			context:          context.Background(),
+			credentialsPath:  os.Getenv("KS_GCP_CREDENTIALS_PATH"),
+			projectID:        os.Getenv("KS_GCP_PROJECT_ID"),
+			credentialsCheck: true,
+		}
+	}
+}
+
+func (api *GCPCloudAPI) SetClient(client *containeranalysis.Client) {
+	api.client = client
+}
+
+func (api *GCPCloudAPI) GetCredentialsPath() string           { return api.credentialsPath }
+func (api *GCPCloudAPI) GetClient() *containeranalysis.Client { return api.client }
+func (api *GCPCloudAPI) GetProjectID() string                 { return api.projectID }
+func (api *GCPCloudAPI) GetCredentialsCheck() bool            { return api.credentialsCheck }
+func (api *GCPCloudAPI) GetContext() context.Context          { return api.context }

core/cautils/getter/getpolicies.go

@@ -0,0 +1,47 @@
+package getter
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+type IPolicyGetter interface {
+	GetFramework(name string) (*reporthandling.Framework, error)
+	GetFrameworks() ([]reporthandling.Framework, error)
+	GetControl(ID string) (*reporthandling.Control, error)
+
+	ListFrameworks() ([]string, error)
+	ListControls() ([]string, error)
+}
+
+type IExceptionsGetter interface {
+	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+}
+type IBackend interface {
+	GetAccountID() string
+	GetClientID() string
+	GetSecretKey() string
+	GetCloudReportURL() string
+	GetCloudAPIURL() string
+	GetCloudUIURL() string
+	GetCloudAuthURL() string
+
+	SetAccountID(accountID string)
+	SetClientID(clientID string)
+	SetSecretKey(secretKey string)
+	SetCloudReportURL(cloudReportURL string)
+	SetCloudAPIURL(cloudAPIURL string)
+	SetCloudUIURL(cloudUIURL string)
+	SetCloudAuthURL(cloudAuthURL string)
+
+	GetTenant() (*TenantResponse, error)
+}
+
+type IControlsInputsGetter interface {
+	GetControlsInputs(clusterName string) (map[string][]string, error)
+}
+
+type IAttackTracksGetter interface {
+	GetAttackTracks() ([]v1alpha1.AttackTrack, error)
+}

core/cautils/getter/getpoliciesutils.go

@@ -0,0 +1,136 @@
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+func GetDefaultPath(name string) string {
+	return filepath.Join(DefaultLocalStore, name)
+}
+
+func SaveInFile(policy interface{}, pathStr string) error {
+	encodedData, err := json.MarshalIndent(policy, "", "  ")
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(pathStr, encodedData, 0644) //nolint:gosec
+	if err != nil {
+		if os.IsNotExist(err) {
+			pathDir := path.Dir(pathStr)
+			// pathDir could contain subdirectories
+			if erm := os.MkdirAll(pathDir, 0755); erm != nil {
+				return erm
+			}
+		} else {
+			return err
+
+		}
+		err = os.WriteFile(pathStr, encodedData, 0644) //nolint:gosec
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
+
+	req, err := http.NewRequest("DELETE", fullURL, nil)
+	if err != nil {
+		return "", err
+	}
+	setHeaders(req, headers)
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
+
+	req, err := http.NewRequest("GET", fullURL, nil)
+	if err != nil {
+		return "", err
+	}
+	setHeaders(req, headers)
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
+
+	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
+	if err != nil {
+		return "", err
+	}
+	setHeaders(req, headers)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func setHeaders(req *http.Request, headers map[string]string) {
+	if len(headers) >= 0 { // might be nil
+		for k, v := range headers {
+			req.Header.Set(k, v)
+		}
+	}
+}
+
+// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
+func httpRespToString(resp *http.Response) (string, error) {
+	if resp == nil || resp.Body == nil {
+		return "", nil
+	}
+	strBuilder := strings.Builder{}
+	defer resp.Body.Close()
+	if resp.ContentLength > 0 {
+		strBuilder.Grow(int(resp.ContentLength))
+	}
+	_, err := io.Copy(&strBuilder, resp.Body)
+	respStr := strBuilder.String()
+	if err != nil {
+		respStrNewLen := len(respStr)
+		if respStrNewLen > 1024 {
+			respStrNewLen = 1024
+		}
+		return "", fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
+		// return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		respStrNewLen := len(respStr)
+		if respStrNewLen > 1024 {
+			respStrNewLen = 1024
+		}
+		err = fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
+	}
+
+	return respStr, err
+}

core/cautils/getter/json.go

@@ -0,0 +1,26 @@
+package getter
+
+import (
+	"strings"
+
+	stdjson "encoding/json"
+
+	jsoniter "github.com/json-iterator/go"
+)
+
+var (
+	json jsoniter.API
+)
+
+func init() {
+	// NOTE(fredbi): attention, this configuration rounds floats down to 6 digits
+	// For finer-grained config, see: https://pkg.go.dev/github.com/json-iterator/go#section-readme
+	json = jsoniter.ConfigFastest
+}
+
+// JSONDecoder returns JSON decoder for given string
+func JSONDecoder(origin string) *stdjson.Decoder {
+	dec := stdjson.NewDecoder(strings.NewReader(origin))
+	dec.UseNumber()
+	return dec
+}

core/cautils/getter/json_test.go

@@ -0,0 +1,32 @@
+package getter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestJSONDecoder(t *testing.T) {
+	t.Run("should decode json string", func(t *testing.T) {
+		const input = `"xyz"`
+		d := JSONDecoder(input)
+		var receiver string
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, "xyz", receiver)
+	})
+
+	t.Run("should decode json number", func(t *testing.T) {
+		const input = `123.01`
+		d := JSONDecoder(input)
+		var receiver float64
+		require.NoError(t, d.Decode(&receiver))
+		require.Equal(t, 123.01, receiver)
+	})
+
+	t.Run("requires json quotes", func(t *testing.T) {
+		const input = `xyz`
+		d := JSONDecoder(input)
+		var receiver string
+		require.Error(t, d.Decode(&receiver))
+	})
+}

core/cautils/getter/kscloudapi.go

@@ -0,0 +1,379 @@
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+var (
+	ksCloudERURL   = "report.armo.cloud"
+	ksCloudBEURL   = "api.armosec.io"
+	ksCloudFEURL   = "cloud.armosec.io"
+	ksCloudAUTHURL = "auth.armosec.io"
+
+	ksCloudStageERURL   = "report-ks.eustage2.cyberarmorsoft.com"
+	ksCloudStageBEURL   = "api-stage.armosec.io"
+	ksCloudStageFEURL   = "armoui-stage.armosec.io"
+	ksCloudStageAUTHURL = "eggauth-stage.armosec.io"
+
+	ksCloudDevERURL   = "report.eudev3.cyberarmorsoft.com"
+	ksCloudDevBEURL   = "api-dev.armosec.io"
+	ksCloudDevFEURL   = "cloud-dev.armosec.io"
+	ksCloudDevAUTHURL = "eggauth-dev.armosec.io"
+)
+
+// KSCloudAPI allows accessing the API of the Kubescape Cloud offering
+type KSCloudAPI struct {
+	httpClient     *http.Client
+	cloudAPIURL    string
+	cloudAuthURL   string
+	cloudReportURL string
+	cloudUIURL     string
+	accountID      string
+	clientID       string
+	secretKey      string
+	authCookie     string
+	feToken        FeLoginResponse
+	loggedIn       bool
+}
+
+var globalKSCloudAPIConnector *KSCloudAPI
+
+func SetKSCloudAPIConnector(ksCloudAPI *KSCloudAPI) {
+	globalKSCloudAPIConnector = ksCloudAPI
+}
+
+func GetKSCloudAPIConnector() *KSCloudAPI {
+	if globalKSCloudAPIConnector == nil {
+		SetKSCloudAPIConnector(NewKSCloudAPIProd())
+	}
+	return globalKSCloudAPIConnector
+}
+
+func NewKSCloudAPIDev() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.cloudAPIURL = ksCloudDevBEURL
+	apiObj.cloudAuthURL = ksCloudDevAUTHURL
+	apiObj.cloudReportURL = ksCloudDevERURL
+	apiObj.cloudUIURL = ksCloudDevFEURL
+
+	return apiObj
+}
+
+func NewKSCloudAPIProd() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.cloudAPIURL = ksCloudBEURL
+	apiObj.cloudReportURL = ksCloudERURL
+	apiObj.cloudUIURL = ksCloudFEURL
+	apiObj.cloudAuthURL = ksCloudAUTHURL
+
+	return apiObj
+}
+
+func NewKSCloudAPIStaging() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.cloudAPIURL = ksCloudStageBEURL
+	apiObj.cloudReportURL = ksCloudStageERURL
+	apiObj.cloudUIURL = ksCloudStageFEURL
+	apiObj.cloudAuthURL = ksCloudStageAUTHURL
+
+	return apiObj
+}
+
+func NewKSCloudAPICustomized(ksCloudERURL, ksCloudBEURL, ksCloudFEURL, ksCloudAUTHURL string) *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.cloudReportURL = ksCloudERURL
+	apiObj.cloudAPIURL = ksCloudBEURL
+	apiObj.cloudUIURL = ksCloudFEURL
+	apiObj.cloudAuthURL = ksCloudAUTHURL
+
+	return apiObj
+}
+
+func newKSCloudAPI() *KSCloudAPI {
+	return &KSCloudAPI{
+		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
+		loggedIn:   false,
+	}
+}
+
+func (api *KSCloudAPI) Post(fullURL string, headers map[string]string, body []byte) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpPost(api.httpClient, fullURL, headers, body)
+}
+
+func (api *KSCloudAPI) Delete(fullURL string, headers map[string]string) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpDelete(api.httpClient, fullURL, headers)
+}
+func (api *KSCloudAPI) Get(fullURL string, headers map[string]string) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpGetter(api.httpClient, fullURL, headers)
+}
+
+func (api *KSCloudAPI) GetAccountID() string      { return api.accountID }
+func (api *KSCloudAPI) IsLoggedIn() bool          { return api.loggedIn }
+func (api *KSCloudAPI) GetClientID() string       { return api.clientID }
+func (api *KSCloudAPI) GetSecretKey() string      { return api.secretKey }
+func (api *KSCloudAPI) GetCloudReportURL() string { return api.cloudReportURL }
+func (api *KSCloudAPI) GetCloudAPIURL() string    { return api.cloudAPIURL }
+func (api *KSCloudAPI) GetCloudUIURL() string     { return api.cloudUIURL }
+func (api *KSCloudAPI) GetCloudAuthURL() string   { return api.cloudAuthURL }
+
+func (api *KSCloudAPI) SetAccountID(accountID string)           { api.accountID = accountID }
+func (api *KSCloudAPI) SetClientID(clientID string)             { api.clientID = clientID }
+func (api *KSCloudAPI) SetSecretKey(secretKey string)           { api.secretKey = secretKey }
+func (api *KSCloudAPI) SetCloudReportURL(cloudReportURL string) { api.cloudReportURL = cloudReportURL }
+func (api *KSCloudAPI) SetCloudAPIURL(cloudAPIURL string)       { api.cloudAPIURL = cloudAPIURL }
+func (api *KSCloudAPI) SetCloudUIURL(cloudUIURL string)         { api.cloudUIURL = cloudUIURL }
+func (api *KSCloudAPI) SetCloudAuthURL(cloudAuthURL string)     { api.cloudAuthURL = cloudAuthURL }
+
+func (api *KSCloudAPI) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	respStr, err := api.Get(api.getAttackTracksURL(), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	attackTracks := []v1alpha1.AttackTrack{}
+	if err = JSONDecoder(respStr).Decode(&attackTracks); err != nil {
+		return nil, err
+	}
+
+	return attackTracks, err
+}
+
+func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
+	respStr, err := api.Get(api.getFrameworkURL(name), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	framework := &reporthandling.Framework{}
+	if err = JSONDecoder(respStr).Decode(framework); err != nil {
+		return nil, err
+	}
+
+	return framework, err
+}
+
+func (api *KSCloudAPI) GetFrameworks() ([]reporthandling.Framework, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	frameworks := []reporthandling.Framework{}
+	if err = JSONDecoder(respStr).Decode(&frameworks); err != nil {
+		return nil, err
+	}
+
+	return frameworks, err
+}
+
+func (api *KSCloudAPI) GetControl(ID string) (*reporthandling.Control, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
+func (api *KSCloudAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions := []armotypes.PostureExceptionPolicy{}
+
+	respStr, err := api.Get(api.getExceptionsURL(clusterName), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
+		return nil, err
+	}
+
+	return exceptions, nil
+}
+
+func (api *KSCloudAPI) GetTenant() (*TenantResponse, error) {
+	url := api.getAccountURL()
+	if api.accountID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, api.accountID)
+	}
+	respStr, err := api.Get(url, nil)
+	if err != nil {
+		return nil, err
+	}
+	tenant := &TenantResponse{}
+	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
+		return nil, err
+	}
+	if tenant.TenantID != "" {
+		api.accountID = tenant.TenantID
+	}
+	return tenant, nil
+}
+
+// ControlsInputs  // map[<control name>][<input arguments>]
+func (api *KSCloudAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
+	accountConfig := &armotypes.CustomerConfig{}
+	if api.accountID == "" {
+		return accountConfig, nil
+	}
+	respStr, err := api.Get(api.getAccountConfig(clusterName), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
+		// try with default scope
+		respStr, err = api.Get(api.getAccountConfigDefault(clusterName), nil)
+		if err != nil {
+			return nil, err
+		}
+		if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
+			return nil, err
+		}
+	}
+
+	return accountConfig, nil
+}
+
+// ControlsInputs  // map[<control name>][<input arguments>]
+func (api *KSCloudAPI) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	accountConfig, err := api.GetAccountConfig(clusterName)
+	if err == nil {
+		return accountConfig.Settings.PostureControlInputs, nil
+	}
+	return nil, err
+}
+
+func (api *KSCloudAPI) ListCustomFrameworks() ([]string, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if !isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
+func (api *KSCloudAPI) ListFrameworks() ([]string, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
+		} else {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
+func (api *KSCloudAPI) ListControls() ([]string, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
+func (api *KSCloudAPI) PostExceptions(exceptions []armotypes.PostureExceptionPolicy) error {
+
+	for i := range exceptions {
+		ex, err := json.Marshal(exceptions[i])
+		if err != nil {
+			return err
+		}
+		_, err = api.Post(api.exceptionsURL(""), map[string]string{"Content-Type": "application/json"}, ex)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (api *KSCloudAPI) DeleteException(exceptionName string) error {
+
+	_, err := api.Delete(api.exceptionsURL(exceptionName), nil)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+func (api *KSCloudAPI) Login() error {
+	if api.accountID == "" {
+		return fmt.Errorf("failed to login, missing accountID")
+	}
+	if api.clientID == "" {
+		return fmt.Errorf("failed to login, missing clientID")
+	}
+	if api.secretKey == "" {
+		return fmt.Errorf("failed to login, missing secretKey")
+	}
+
+	// init URLs
+	feLoginData := FeLoginData{ClientId: api.clientID, Secret: api.secretKey}
+	body, _ := json.Marshal(feLoginData)
+
+	resp, err := http.Post(api.getApiToken(), "application/json", bytes.NewBuffer(body))
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("error authenticating: %d", resp.StatusCode)
+	}
+
+	responseBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	var feLoginResponse FeLoginResponse
+
+	if err = json.Unmarshal(responseBody, &feLoginResponse); err != nil {
+		return err
+	}
+	api.feToken = feLoginResponse
+
+	/* Now we have JWT */
+
+	api.authCookie, err = api.getAuthCookie()
+	if err != nil {
+		return err
+	}
+	api.loggedIn = true
+	return nil
+}

core/cautils/getter/kscloudapiutils.go

@@ -0,0 +1,186 @@
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+var NativeFrameworks = []string{"nsa", "mitre", "armobest", "devopsbest"}
+
+func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if isNativeFramework(frameworkName) {
+		q.Add("frameworkName", strings.ToUpper(frameworkName))
+	} else {
+		// For customer framework has to be the way it was added
+		q.Add("frameworkName", frameworkName)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAttackTracksURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/attackTracks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getListFrameworkURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/armoPostureExceptions"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	// if clusterName != "" { // TODO - fix customer name support in Armo BE
+	// 	q.Add("clusterName", clusterName)
+	// }
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) exceptionsURL(exceptionsPolicyName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/postureExceptionPolicy"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if exceptionsPolicyName != "" { // for delete
+		q.Add("policyName", exceptionsPolicyName)
+	}
+
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAccountConfigDefault(clusterName string) string {
+	config := api.getAccountConfig(clusterName)
+	url := config + "&scope=customer"
+	return url
+}
+
+func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/armoCustomerConfiguration"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if clusterName != "" { // TODO - fix customer name support in Armo BE
+		q.Add("clusterName", clusterName)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAccountURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/createTenant"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getApiToken() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAuthURL())
+	u.Path = "identity/resources/auth/v1/api-token"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getOpenidCustomers() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/openid_customers"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAuthCookie() (string, error) {
+	selectCustomer := KSCloudSelectCustomer{SelectedCustomerGuid: api.accountID}
+	requestBody, _ := json.Marshal(selectCustomer)
+	client := &http.Client{}
+	httpRequest, err := http.NewRequest(http.MethodPost, api.getOpenidCustomers(), bytes.NewBuffer(requestBody))
+	if err != nil {
+		return "", err
+	}
+	httpRequest.Header.Set("Content-Type", "application/json")
+	httpRequest.Header.Set("Authorization", fmt.Sprintf("Bearer %s", api.feToken.Token))
+	httpResponse, err := client.Do(httpRequest)
+	if err != nil {
+		return "", err
+	}
+	defer httpResponse.Body.Close()
+	if httpResponse.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to get cookie from %s: status %d", api.getOpenidCustomers(), httpResponse.StatusCode)
+	}
+
+	cookies := httpResponse.Header.Get("set-cookie")
+	if len(cookies) == 0 {
+		return "", fmt.Errorf("no cookie field in response from %s", api.getOpenidCustomers())
+	}
+
+	authCookie := ""
+	for _, cookie := range strings.Split(cookies, ";") {
+		kv := strings.Split(cookie, "=")
+		if kv[0] == "auth" {
+			authCookie = kv[1]
+		}
+	}
+
+	if len(authCookie) == 0 {
+		return "", fmt.Errorf("no auth cookie field in response from %s", api.getOpenidCustomers())
+	}
+
+	return authCookie, nil
+}
+func (api *KSCloudAPI) appendAuthHeaders(headers map[string]string) {
+
+	if api.feToken.Token != "" {
+		headers["Authorization"] = fmt.Sprintf("Bearer %s", api.feToken.Token)
+	}
+	if api.authCookie != "" {
+		headers["Cookie"] = fmt.Sprintf("auth=%s", api.authCookie)
+	}
+}
+
+func (api *KSCloudAPI) getCustomerGUIDFallBack() string {
+	if api.accountID != "" {
+		return api.accountID
+	}
+	return "11111111-1111-1111-1111-111111111111"
+}
+
+func parseHost(host string) (string, string) {
+	if strings.HasPrefix(host, "http://") {
+		return "http", strings.Replace(host, "http://", "", 1)
+	}
+
+	// default scheme
+	return "https", strings.Replace(host, "https://", "", 1)
+}