use ks namespace

refactor: Rename branded entities to Kubescape

.github/workflows/build.yaml

@@ -2,7 +2,10 @@ name: build
 
 on:
   push:
-    branches: [ master ] 
+    branches: [ master ]
+    paths-ignore:
+      # Do not run the pipeline if only Markdown files changed
+      - '**.md'
 jobs:
   once:
     name: Create release
@@ -16,8 +19,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v1.0.${{ github.run_number }}
-          release_name: Release v1.0.${{ github.run_number }}
+          tag_name: v2.0.${{ github.run_number }}
+          release_name: Release v2.0.${{ github.run_number }}
           draft: false
           prerelease: false
   build:
@@ -28,25 +31,85 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v1
-      - name: Set up Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
         with:
-          go-version: 1.17
+          submodules: recursive
 
-      - name: Test
-        run: go test -v ./...
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+      # - name: Test cmd pkg
+      #   run: cd cmd && go test -v ./...
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+
+      - name: Test core pkg
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: go test -tags=static -v ./...
+
+      - name: Test httphandler pkg
+        run: cd httphandler && go test -tags=static -v ./...
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
+          CLIENT: release
           ArmoBEServer: api.armo.cloud
+          ArmoAuthServer: auth.armo.cloud
           ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
+          CGO_ENABLED: 1
         run: python3 --version && python3 build.py
       
-      - name: Upload Release binaries
+      - name: Smoke Testing
+        env:
+          RELEASE: v2.0.${{ github.run_number }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+
+      - name: Upload release binaries
         id: upload-release-asset
         uses: actions/upload-release-asset@v1
         env:
@@ -57,32 +120,70 @@ jobs:
           asset_name: kubescape-${{ matrix.os }}
           asset_content_type: application/octet-stream
 
-
+      - name: Upload release hash
+        id: upload-release-hash
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.once.outputs.upload_url }}
+          asset_path: build/${{ matrix.os }}/kubescape.sha256
+          asset_name: kubescape-${{ matrix.os }}-sha256
+          asset_content_type: application/octet-stream
   build-docker:
     name: Build docker container, tag and upload to registry
     needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
     runs-on: ubuntu-latest
+    if: ${{ github.repository == 'armosec/kubescape' }} # TODO
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v2
+        with:
+          submodules: recursive
 
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
+      - name: Set image version
+        id: image-version
+        run: echo '::set-output name=IMAGE_VERSION::v2.0.${{ github.run_number }}'
 
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
-      - name: Re-Tag Image to latest
-        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
+      - name: Set image name
+        id: image-name
+        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
 
       - name: Login to Quay.io
-        env: # Or as an environment variable
+        env:
           QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
           QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
         run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-          docker push quay.io/armosec/kubescape:latest
-        
+
+      - name: Build the Docker image
+        run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:latest --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg client=image-release --push --platform linux/amd64,linux/arm64
+
+      # - name: Login to GitHub Container Registry
+      #   uses: docker/login-action@v1
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
+    
+      # TODO - Wait for casign to support fixed tags -> https://github.com/sigstore/cosign/issues/1424
+      # - name: Install cosign
+      #   uses: sigstore/cosign-installer@main
+      #   with:
+      #     cosign-release: 'v1.5.1' # optional
+      # - name: sign kubescape container image
+      #   env:
+      #     COSIGN_EXPERIMENTAL: "true"
+      #   run: |
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
+

.github/workflows/build_dev.yaml

@@ -3,6 +3,9 @@ name: build-dev
 on:
   push:
     branches: [ dev ]
+    paths-ignore:
+      # Do not run the pipeline if only Markdown files changed
+      - '**.md'
 jobs:
   build:
     name: Create cross-platform dev build
@@ -11,55 +14,133 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+      
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.17
+          go-version: 1.18
           
-      - name: Test
-        run: go test -v ./...
+      # - name: Test cmd pkg
+      #   run: cd cmd && go test -v ./...
+      
+      # - name: Test core pkg
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   run: cd core && go test -v ./...
+
+      # - name: Test cmd pkg
+      #   run: cd cmd && go test -v ./...
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+
+      - name: Test core pkg
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: go test -tags=static -v ./...
+
+      - name: Test httphandler pkg
+        run: cd httphandler && go test -tags=static -v ./...
 
       - name: Build
         env:
-          RELEASE: v1.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }} 
+          CLIENT: release-dev
           ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoAuthServer: auth.armo.cloud
+          ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
+          CGO_ENABLED: 1
         run: python3 --version && python3 build.py
       
+      - name: Smoke Testing
+        env:
+          RELEASE: v2.0.${{ github.run_number }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+
       - name: Upload build artifacts 
         uses: actions/upload-artifact@v2
         with:
           name: kubescape-${{ matrix.os }}
           path: build/${{ matrix.os }}/kubescape 
 
-
   build-docker:
     name: Build docker container, tag and upload to registry
     needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
+    if: ${{ github.repository == 'armosec/kubescape' }} # TODO
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v2
+        with:
+          submodules: recursive
 
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
+      - name: Set image version
+        id: image-version
+        run: echo '::set-output name=IMAGE_VERSION::dev-v2.0.${{ github.run_number }}'
+
+      - name: Set image name
+        id: image-name
+        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
 
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt)
-      
       - name: Login to Quay.io
-        env: # Or as an environment variable
+        env:
           QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
           QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
         run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-        
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-    
-        
+
+      - name: Build the Docker image
+        run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg client=image-dev --push --platform linux/amd64,linux/arm64

.github/workflows/master_pr_checks.yaml

@@ -1,38 +0,0 @@
-name: master-pr
-
-on:
-  pull_request:
-    branches: [ master ]
-    types: [ edited, opened, synchronize, reopened ]
-jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 

.github/workflows/post-release.yaml

@@ -0,0 +1,17 @@
+name: create release digests
+
+on:
+  release:
+    types: [ published]
+    branches: [ master ]
+  
+jobs:
+  once:
+    name: Creating digests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Digest
+        uses: MCJack123/ghaction-generate-release-hashes@v1
+        with:
+          hash-type: sha1
+          file-name: kubescape-release-digests

.github/workflows/pr_checks.yaml

@@ -0,0 +1,96 @@
+name: pr-checks
+
+on:
+  pull_request:
+    branches: [ master, dev ]
+    types: [ edited, opened, synchronize, reopened ]
+    paths-ignore:
+      # Do not run the pipeline if only Markdown files changed
+      - '**.md'
+jobs:
+  build:
+    name: Create cross-platform build
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+
+      # - name: Test cmd pkg
+      #   run: cd cmd && go test -v ./...
+      
+      - name: Test core pkg
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: go test -tags=static -v ./...
+
+      - name: Test httphandler pkg
+        run: cd httphandler && go test -tags=static -v ./...
+
+      - name: Build
+        env:
+          RELEASE: v2.0.${{ github.run_number }} 
+          CLIENT: test
+          ArmoBEServer: api.armo.cloud
+          ArmoAuthServer: auth.armo.cloud
+          ArmoERServer: report.armo.cloud
+          ArmoWebsite: portal.armo.cloud
+          CGO_ENABLED: 1
+        run: python3 --version && python3 build.py
+
+      - name: Smoke Testing
+        env:
+          RELEASE: v2.0.${{ github.run_number }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+        

.gitignore

@@ -2,4 +2,7 @@
 *kubescape*
 *debug*
 *vender*
-.idea
+*.pyc*
+.idea
+.history
+ca.srl

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "git2go"]
+	path = git2go
+	url = https://github.com/libgit2/git2go.git

CODE_OF_CONDUCT.md

@@ -0,0 +1,127 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement [here](mailto:ben@armosec.io).
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

CONTRIBUTING.md

@@ -19,7 +19,8 @@ Please note we have a code of conduct, please follow it in all your interactions
    build.
 2. Update the README.md with details of changes to the interface, this includes new environment 
    variables, exposed ports, useful file locations and container parameters.
-3. We will merge the Pull Request in once you have the sign-off.
+3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
+4. We will merge the Pull Request in once you have the sign-off.
 
 ## Code of Conduct
 

MAINTAINERS.md

@@ -0,0 +1,10 @@
+# Maintainers
+
+The following table lists Kubescape project maintainers 
+
+| Name | GitHub | Email | Organization | Role | Added/Renewed On |
+| --- | --- | --- | --- | --- | --- |
+| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | ben@armosec.io | [ARMO](https://www.armosec.io/) | VP R&D | 2021-09-01 |
+| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | rrefael@armosec.io | [ARMO](https://www.armosec.io/) | Team Leader | 2021-10-11 |
+| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | dwertent@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape CLI Developer | 2021-09-01 |
+| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | bbrandwine@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape SaaS Developer | 2021-09-01 |

Makefile

@@ -0,0 +1,20 @@
+.PHONY: test all build libgit2
+
+# default task invoked while running make
+all: libgit2 build
+
+export CGO_ENABLED=1
+
+# build and install libgit2
+libgit2:
+	git submodule update --init --recursive
+	cd git2go; make install-static
+
+# go build tags
+TAGS = "static"
+
+build:
+	go build -v -tags=$(TAGS) .
+
+test:
+	go test -v -tags=$(TAGS) ./...

README.md

@@ -3,18 +3,32 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)
 
-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks:
-regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .  
-Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
-Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+
+
+Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. 
+Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
+It became one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins’ precious time, effort, and resources.
+Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack, and supports multi-cloud K8s deployments like EKS, GKE, and AKS.
 
 </br>
 
+<!-- # Kubescape Coverage
+<img src="docs/ksfromcodetodeploy.png">
+
+</br> -->
+
+
+# Kubescape CLI:
 <img src="docs/demo.gif">
 
+</br>
+
+<!-- # Kubescape overview:
+<img src="docs/ARMO-header-2022.gif"> -->
+
 # TL;DR
 ## Install:
-```
+```sh
 curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
 ```
 
@@ -22,28 +36,61 @@ curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh |
 
 [Install on macOS](#install-on-macos)
 
+[Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
+
+[Install using Go](#install-using-go)
+
 ## Run:
-```
-kubescape scan framework nsa
+```sh
+kubescape scan --submit --enable-host-scan --verbose
 ```
 
 <img src="docs/summary.png">
 
+</br>
+
+> Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+</br>
+
 ### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀
 
+</br>
+
+
 # Being part of the team
 
 We invite you to our team! We are excited about this project and want to return the love we get.
 
 Want to contribute? Want to discuss something? Have an issue?
 
+* Feel free to pick a task from the [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
 * Open a issue, we are trying to respond within 48 hours
-* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server!
+* [Join us](https://armosec.github.io/kubescape) in a discussion on our discord server!
 
 [<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
+![discord](https://img.shields.io/discord/893048809884643379)
+
 
 # Options and examples
 
+[Kubescape docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)
+
+## Playground
+* [Kubescape playground](https://killercoda.com/saiyampathak/scenario/kubescape)
+
+## Tutorials
+
+* [Overview](https://youtu.be/wdBkt_0Qhbg)
+* [How To Secure Kubernetes Clusters With Kubescape And Armo](https://youtu.be/ZATGiDIDBQk)
+* [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
+* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
+* [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
+* [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
+* Customize controls configurations. [Kubescape CLI](https://youtu.be/955psg6TVu4), [Kubescape SaaS](https://youtu.be/lIMVSVhH33o)
+
+<details><summary>Windows</summary>
+
 ## Install on Windows
 
 **Requires powershell v5.0+**
@@ -57,203 +104,314 @@ Note: if you get an error you might need to change the execution policy (i.e. en
 ``` powershell
 Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 ```
+</details>
+
+<details><summary>MacOS</summary>
 
 ## Install on macOS
 
-1. ```
-    brew tap armosec/kubescape
+1. ```sh
+    brew tap kubescape/tap
     ```
-2. ```
-    brew install kubescape
+2. ```sh
+    brew install kubescape-cli
     ```
+</details>
 
-## Flags
+<details><summary>Nix/NixOS</summary>
 
-| flag |  default | description | options |
-| --- | --- | --- | --- |
-| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
-| `-s`/`--silent` | Display progress messages | Silent progress messages |
-| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
-| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
-| `-o`/`--output` | print to stdout | Save scan result in file |
-| `--use-from` | | Load local framework object from specified path. If not used will download latest |
-| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
-| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
-| `--submit` | `false` | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`|
-| `--keep-local` | `false` | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results | `true`/`false`|
-| `--account` | | Armo portal account ID. Default will load account ID from configMap or config file | |
+## Install on NixOS or with nix (Community)
+
+Direct issues installing `kubescape` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
+
+You can use `nix` on Linux or macOS and on other platforms unofficially.
+
+Try it out in an ephemeral shell: `nix-shell -p kubescape`
+
+Install declarative as usual
+
+NixOS:
+
+```nix
+  # your other config ...
+  environment.systemPackages = with pkgs; [
+    # your other packages ...
+    kubescape
+  ];
+```
+
+home-manager:
+
+```nix
+  # your other config ...
+  home.packages = with pkgs; [
+    # your other packages ...
+    kubescape
+  ];
+```
+
+Or to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`
+
+</details>
 
 ## Usage & Examples
 
 ### Examples
 
-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+
+#### Scan a running Kubernetes cluster and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+```
+kubescape scan --submit --enable-host-scan  --verbose
+```
+
+> Read [here](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository) more about the `enable-host-scan` flag
+
+#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
 ```
 kubescape scan framework nsa --submit
 ```
 
 
-* Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
 ```
 kubescape scan framework mitre --submit
 ```
 
 
-* Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armo.cloud/docs/controls) 
+#### Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository) 
 ```
 kubescape scan control "Privileged container"
 ```
 
-* Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
+#### Scan specific namespaces
 ```
-kubescape scan framework nsa *.yaml
+kubescape scan --include-namespaces development,staging,production
 ```
 
-
-* Scan kubernetes manifest files from a public github repository 
+#### Scan cluster and exclude some namespaces
 ```
-kubescape scan framework nsa https://github.com/armosec/kubescape
+kubescape scan --exclude-namespaces kube-system,kube-public
 ```
 
-* Output in `json` format
+#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI) Submit the results in case the directory is a git repo. [docs](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
+kubescape scan *.yaml --submit
 ```
 
-* Output in `junit xml` format
+#### Scan kubernetes manifest files from a git repository [and submit the results](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
+kubescape scan https://github.com/armosec/kubescape --submit
 ```
 
-* Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
+#### Display all scanned resources (including the resources who passed) 
 ```
-kubescape scan framework nsa --exceptions examples/exceptions.json
+kubescape scan --verbose
 ```
 
-### Repeatedly Kubescape Scanning using a CronJob
+#### Output in `json` format
 
-For setting up a cronJob please follow the [instructions](examples/cronJob-support/README.md) 
+> Add the `--format-version v2` flag 
 
-### Helm Support
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+kubescape scan --format json --format-version v2 --output results.json
 ```
 
-for example:
+#### Output in `junit xml` format
 ```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+kubescape scan --format junit --output results.xml
 ```
-### Offline Support
+
+#### Output in `pdf` format - Contributed by [@alegrey91](https://github.com/alegrey91)
+
+```
+kubescape scan --format pdf --output results.pdf
+```
+
+#### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
+
+```
+kubescape scan --format prometheus
+```
+
+#### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
+[Full documentation](examples/exceptions/README.md)
+```
+kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
+```
+
+#### Scan Helm charts 
+```
+kubescape scan </path/to/directory> --submit
+```
+> Kubescape will load the default values file
+
+### Offline/Air-gaped Environment Support
+
+[Video tutorial](https://youtu.be/IGXL9s37smM)
 
 It is possible to run Kubescape offline!
+#### Download all artifacts
 
-First download the framework and then scan with `--use-from` flag
-
-1. Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
+1. Download and save in local directory, if path not specified, will save all in `~/.kubescape`
 ```
-kubescape download framework nsa --output nsa.json
+kubescape download artifacts --output path/to/local/dir
+```
+2. Copy the downloaded artifacts to the air-gaped/offline environment
+
+3. Scan using the downloaded artifacts
+```
+kubescape scan --use-artifacts-from path/to/local/dir
 ```
 
-2. Scan using the downloaded framework
+#### Download a single artifacts
+
+You can also download a single artifacts and scan with the `--use-from` flag
+
+1. Download and save in file, if file name not specified, will save in `~/.kubescape/<framework name>.json`
 ```
-kubescape scan framework nsa --use-from nsa.json
+kubescape download framework nsa --output /path/nsa.json
+```
+2. Copy the downloaded artifacts to the air-gaped/offline environment
+
+3. Scan using the downloaded framework
+```
+kubescape scan framework nsa --use-from /path/nsa.json
 ```
 
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
 
-# How to build
+## Scan Periodically using Helm 
+[Please follow the instructions here](https://hub.armosec.io/docs/installation-of-armo-in-cluster?utm_source=github&utm_medium=repository)
+[helm chart repo](https://github.com/armosec/armo-helm)
 
-## Build using python (3.7^) script
+# Integrations
 
-Kubescpae can be built using:
+## VS Code Extension 
 
-``` sh
-python build.py
+![Visual Studio Marketplace Downloads](https://img.shields.io/visual-studio-marketplace/d/kubescape.kubescape?label=VScode) ![Open VSX](https://img.shields.io/open-vsx/dt/kubescape/kubescape?label=openVSX&color=yellowgreen)
+
+Scan the YAML files while writing them using the [vs code extension](https://github.com/armosec/vscode-kubescape/blob/master/README.md) 
+
+## Lens Extension
+
+View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using kubescape [Lens extension](https://github.com/armosec/lens-kubescape/blob/master/README.md)
+
+
+# Building Kubescape
+
+<details><summary>Windows</summary>
+
+## Windows
+
+1. Install MSYS2 & build libgit _(needed only for the first time)_
+
+    ```
+    build.bat all
+    ```
+
+> You can install MSYS2 separately by running `build.bat install` and build libgit2 separately by running `build.bat build`
+
+2. Build kubescape
+
+    ```
+    make build
+    ```
+
+    OR 
+
+    ```
+    go build -tags=static .
+    ```
+</details>
+
+<details><summary>Linux / MacOS</summary>
+
+## Linux / MacOS
+
+1. Install libgit2 dependency _(needed only for the first time)_
+   
+    ```
+    make libgit2
+    ```
+
+> `cmake` is required to build libgit2. You can install it by running `sudo apt-get install cmake` (Linux) or `brew install cmake` (macOS)
+
+2. Build kubescape
+
+    ```
+    make build
+    ```
+
+    OR 
+
+    ```
+    go build -tags=static .
+    ```
+
+3. Test
+
+    ```
+    make test
+    ```
+
+</details>
+
+## VS code configuration samples
+
+You can use the samples files below to setup your VS code environment for building and debugging purposes.
+
+
+<details><summary>.vscode/settings.json</summary>
+
+```json5
+// .vscode/settings.json
+{
+    "go.testTags": "static",
+    "go.buildTags": "static",
+    "go.toolsEnvVars": {
+        "CGO_ENABLED": "1"
+    }
+}
 ```
+</details>
 
-Note: In order to built using the above script, one must set the environment
-variables in this script:
+<details><summary>.vscode/launch.json</summary>
 
-+ RELEASE
-+ ArmoBEServer
-+ ArmoERServer
-+ ArmoWebsite
-
-
-## Build using go
-
-Note: development (and the release process) is done with Go `1.17`
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-go build -o kubescape .
-```
-
-3. Run
-```
-./kubescape scan framework nsa
-```
-
-4. Enjoy :zany_face:
-
-## Docker Support
-
-### Official Docker image
-```
-quay.io/armosec/kubescape
-```
-### Build your own Docker image
-
-1. Clone Project
-```
-git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
-```
-
-2. Build
-```
-docker build -t kubescape -f build/Dockerfile .
+```json5
+// .vscode/launch.json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch Package",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/main.go",
+            "args": [
+                "scan",
+                "--logger",
+                "debug"
+            ],
+            "buildFlags": "-tags=static"
+        }
+    ]
+}
 ```
+</details>
 
 # Under the hood
 
-## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
-* Non-root containers
-* Immutable container filesystem
-* Privileged containers
-* hostPID, hostIPC privileges
-* hostNetwork access
-* allowedHostPaths field
-* Protecting pod service account tokens
-* Resource policies
-* Control plane hardening
-* Exposed dashboard
-* Allow privilege escalation
-* Applications credentials in configuration files
-* Cluster-admin binding
-* Exec into container
-* Dangerous capabilities
-* Insecure capabilities
-* Linux hardening
-* Ingress and Egress blocked
-* Container hostPort
-* Network policies
-* Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
-
-
-
 ## Technology
-Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.
+Kubescape based on [OPA engine](https://github.com/open-policy-agent/opa) and ARMO's posture controls.
 
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/).
+The tools retrieves Kubernetes objects from the API server and runs a set of [rego's snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
 
 The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
 
 Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+
+## Thanks to all the contributors ❤️
+<a href = "https://github.com/armosec/kubescape/graphs/contributors">
+  <img src = "https://contrib.rocks/image?repo=armosec/kubescape"/>
+</a>
+

build.bat

@@ -0,0 +1,51 @@
+@ECHO OFF
+
+IF "%1"=="install" goto Install
+IF "%1"=="build" goto Build
+IF "%1"=="all" goto All
+IF "%1"=="" goto Error ELSE goto Error
+
+:Install
+
+if exist C:\MSYS64\ (
+    echo "MSYS2 already installed"
+) else (
+    mkdir temp_install & cd temp_install
+
+    echo "Downloading MSYS2..."
+    curl -L https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe > msys2-x86_64-20220603.exe
+
+    echo "Installing MSYS2..."
+    msys2-x86_64-20220603.exe install --root C:\MSYS64 --confirm-command
+
+    cd .. && rmdir /s /q temp_install
+)
+
+
+echo "Adding MSYS2 to path..."
+SET "PATH=C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;%PATH%"
+echo %PATH%
+
+echo "Installing MSYS2 packages..."
+pacman -S --needed --noconfirm make
+pacman -S --needed --noconfirm mingw-w64-x86_64-cmake
+pacman -S --needed --noconfirm mingw-w64-x86_64-gcc
+pacman -S --needed --noconfirm mingw-w64-x86_64-pkg-config
+pacman -S --needed --noconfirm msys2-w32api-runtime
+
+IF "%1"=="all" GOTO Build
+GOTO End
+
+:Build
+SET "PATH=C:\MSYS2\mingw64\bin;C:\MSYS2\usr\bin;%PATH%"
+make libgit2
+GOTO End
+
+:All
+GOTO Install
+
+:Error
+echo "Error: Unknown option"
+GOTO End
+
+:End

build.py

@@ -4,79 +4,77 @@ import hashlib
 import platform
 import subprocess
 
-BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
-BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
-ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
-WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+BASE_GETTER_CONST = "github.com/armosec/kubescape/v2/core/cautils/getter"
 
-def checkStatus(status, msg):
+def check_status(status, msg):
     if status != 0:
         sys.stderr.write(msg)
         exit(status)
 
 
-def getBuildDir():
-    currentPlatform = platform.system()
-    buildDir = "build/"
+def get_build_dir():
+    current_platform = platform.system()
+    build_dir = "./build/"
 
-    if currentPlatform == "Windows": buildDir += "windows-latest"
-    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
-    elif currentPlatform == "Darwin": buildDir += "macos-latest"
-    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
+    if current_platform == "Windows": build_dir += "windows-latest"
+    elif current_platform == "Linux": build_dir += "ubuntu-latest"
+    elif current_platform == "Darwin": build_dir += "macos-latest"
+    else: raise OSError("Platform %s is not supported!" % (current_platform))
 
-    return buildDir
+    return build_dir
 
-def getPackageName():
-    packageName = "kubescape"
-    # if platform.system() == "Windows": packageName += ".exe"
+def get_package_name():
+    package_name = "kubescape"
+    # if platform.system() == "Windows": package_name += ".exe"
 
-    return packageName
+    return package_name
 
 
 def main():
     print("Building Kubescape")
 
-    # print environment variables
-    print(os.environ)
-
     # Set some variables
-    packageName = getPackageName()
-    buildUrl = "github.com/armosec/kubescape/clihandler/cmd.BuildNumber"
-    releaseVersion = os.getenv("RELEASE")
-    ArmoBEServer = os.getenv("ArmoBEServer")
-    ArmoERServer = os.getenv("ArmoERServer")
-    ArmoWebsite = os.getenv("ArmoWebsite")
+    package_name = get_package_name()
+    build_url = "github.com/armosec/kubescape/v2/core/cautils.BuildNumber"
+    release_version = os.getenv("RELEASE")
 
+    client_var = "github.com/armosec/kubescape/v2/core/cautils.Client"
+    client_name = os.getenv("CLIENT")
+    
     # Create build directory
-    buildDir = getBuildDir()
+    build_dir = get_build_dir()
 
-    if not os.path.isdir(buildDir):
-        os.makedirs(buildDir)
+    ks_file = os.path.join(build_dir, package_name)
+    hash_file = ks_file + ".sha256"
+
+    if not os.path.isdir(build_dir):
+        os.makedirs(build_dir)
 
     # Build kubescape
-    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
-        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
-           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
-    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
-    checkStatus(status, "Failed to build kubescape")
+    ldflags = "-w -s"
+    if release_version:
+        ldflags += " -X {}={}".format(build_url, release_version)
+    if client_name:
+        ldflags += " -X {}={}".format(client_var, client_name)
+ 
+    build_command = ["go", "build", "-tags=static", "-o", ks_file, "-ldflags" ,ldflags]
+
+    print("Building kubescape and saving here: {}".format(ks_file))
+    print("Build command: {}".format(" ".join(build_command)))
+
+    status = subprocess.call(build_command)
+    check_status(status, "Failed to build kubescape")
     
-    test_cli_prints(buildDir,packageName)
-
-
-    sha1 = hashlib.sha1()
-    with open(buildDir + "/" + packageName, "rb") as kube:
-        sha1.update(kube.read())
-        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
-            kube_sha.write(sha1.hexdigest())
+    sha256 = hashlib.sha256()
+    with open(ks_file, "rb") as kube:
+        sha256.update(kube.read())
+        with open(hash_file, "w") as kube_sha:
+            hash = sha256.hexdigest()
+            print("kubescape hash: {}, file: {}".format(hash, hash_file))
+            kube_sha.write(sha256.hexdigest())
 
     print("Build Done")
-
-def test_cli_prints(buildDir,packageName):
-    bin_cli = os.path.abspath(os.path.join(buildDir,packageName))
-
-    print(f"testing CLI prints on {bin_cli}")
-    status = str(subprocess.check_output([bin_cli, "-h"]))
-    assert "download" in status, "download is missing: " + status    
-
+ 
+ 
 if __name__ == "__main__":
     main()

build/Dockerfile

@@ -1,27 +1,52 @@
-FROM golang:1.17-alpine as builder
-#ENV GOPROXY=https://goproxy.io,direct
+FROM golang:1.18-alpine as builder
+
+ARG image_version
+ARG client
+
+ENV RELEASE=$image_version
+ENV CLIENT=$client
+
 ENV GO111MODULE=
 
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=1
 
 # Install required python/pip
 ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
+RUN apk add --update --no-cache python3 git openssl-dev musl-dev gcc make cmake pkgconfig && ln -sf python3 /usr/bin/python
 RUN python3 -m ensurepip
 RUN pip3 install --no-cache --upgrade pip setuptools
 
 WORKDIR /work
 ADD . .
 
+# install libgit2
+WORKDIR /work
+RUN rm -rf git2go && make libgit2
+
+# build kubescape server
+WORKDIR /work/httphandler
+RUN python build.py
+RUN ls -ltr build/ubuntu-latest
+
+# build kubescape cmd
+WORKDIR /work
 RUN python build.py
 
-RUN ls -ltr build/ubuntu-latest
-RUN cat /work/build/ubuntu-latest/kubescape.sha1
+RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
 
 FROM alpine
+
+RUN addgroup -S armo && adduser -S armo -G armo
+
+RUN mkdir /home/armo/.kubescape
+COPY --from=builder /work/artifacts/ /home/armo/.kubescape
+
+RUN chown -R armo:armo /home/armo/.kubescape
+
+USER armo
+WORKDIR /home/armo
+
+COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
 COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
 
-# # Download the frameworks. Use the "--use-default" flag when running kubescape
-# RUN kubescape download framework nsa && kubescape download framework mitre
-
-ENTRYPOINT ["kubescape"]
+ENTRYPOINT ["ksserver"]

build/README.md

@@ -0,0 +1,13 @@
+## Docker Build
+
+### Build your own Docker image
+
+1. Clone Project
+```
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
+```
+
+2. Build
+```
+docker build -t kubescape -f build/Dockerfile .
+```

cautils/customerloader.go

@@ -1,478 +0,0 @@
-package cautils
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	corev1 "k8s.io/api/core/v1"
-)
-
-const (
-	configMapName  = "kubescape"
-	configFileName = "config"
-)
-
-func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
-
-// ======================================================================================
-// =============================== Config structure =====================================
-// ======================================================================================
-
-type ConfigObj struct {
-	CustomerGUID       string `json:"customerGUID"`
-	Token              string `json:"invitationParam"`
-	CustomerAdminEMail string `json:"adminMail"`
-	ClusterName        string `json:"clusterName"`
-}
-
-func (co *ConfigObj) Json() []byte {
-	if b, err := json.Marshal(co); err == nil {
-		return b
-	}
-	return []byte{}
-}
-
-// Config - convert ConfigObj to config file
-func (co *ConfigObj) Config() []byte {
-	clusterName := co.ClusterName
-	co.ClusterName = "" // remove cluster name before saving to file
-	b, err := json.Marshal(co)
-	co.ClusterName = clusterName
-
-	if err == nil {
-		return b
-	}
-
-	return []byte{}
-}
-
-// ======================================================================================
-// =============================== interface ============================================
-// ======================================================================================
-type IClusterConfig interface {
-
-	// set
-	SetConfig(customerGUID string) error
-
-	// getters
-	GetClusterName() string
-	GetCustomerGUID() string
-	GetConfigObj() *ConfigObj
-	GetK8sAPI() *k8sinterface.KubernetesApi
-	GetBackendAPI() getter.IBackend
-	GetDefaultNS() string
-	GenerateURL()
-}
-
-// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
-func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
-	/*
-
-		If "First run (local config not found)" -
-			Default - Do not send report (local)
-			Local - Do not send report
-			Submit - Create tenant & Submit report
-
-		If "Submitted but not signed up" -
-			Default	- Delete local config & Do not send report (local)
-			Local - Delete local config & Do not send report
-			Submit - Submit report
-
-		If "Signed up user" -
-			Default	- Submit report (submit)
-			Local - Do not send report
-			Submit - Submit report
-
-	*/
-	clusterConfig := NewClusterConfig(k8s, beAPI)
-	clusterConfig.LoadConfig()
-
-	if !IsSubmitted(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit - Create tenant & Submit report
-		}
-		return NewEmptyConfig() // local/default - Do not send report
-	}
-	if !IsRegistered(clusterConfig) {
-		if scanInfo.Submit {
-			return clusterConfig // submit/default - Submit report
-		}
-		DeleteConfig(k8s)
-		return NewEmptyConfig() // local - Delete local config & Do not send report
-	}
-	if scanInfo.Local {
-		scanInfo.Submit = false
-		return NewEmptyConfig() // local - Do not send report
-	}
-	scanInfo.Submit = true
-	return clusterConfig // submit/default -  Submit report
-}
-
-// ======================================================================================
-// ============================= Mock Config ============================================
-// ======================================================================================
-type EmptyConfig struct {
-}
-
-func NewEmptyConfig() *EmptyConfig                            { return &EmptyConfig{} }
-func (c *EmptyConfig) SetConfig(customerGUID string) error    { return nil }
-func (c *EmptyConfig) GetConfigObj() *ConfigObj               { return &ConfigObj{} }
-func (c *EmptyConfig) GetCustomerGUID() string                { return "" }
-func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetDefaultNS() string                   { return k8sinterface.GetDefaultNamespace() }
-func (c *EmptyConfig) GetBackendAPI() getter.IBackend         { return nil } // TODO: return mock obj
-func (c *EmptyConfig) GetClusterName() string                 { return adoptClusterName(k8sinterface.GetClusterName()) }
-func (c *EmptyConfig) GenerateURL() {
-	message := fmt.Sprintf("\nCheckout for more cool features: https://%s\n", getter.GetArmoAPIConnector().GetFrontendURL())
-	InfoTextDisplay(os.Stdout, fmt.Sprintf("\n%s\n", message))
-}
-
-// ======================================================================================
-// ========================== Cluster Config ============================================
-// ======================================================================================
-
-type ClusterConfig struct {
-	k8s        *k8sinterface.KubernetesApi
-	defaultNS  string
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
-}
-
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
-	return &ClusterConfig{
-		k8s:        k8s,
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-		defaultNS:  k8sinterface.GetDefaultNamespace(),
-	}
-}
-func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
-func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
-func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
-func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
-
-func (c *ClusterConfig) GenerateURL() {
-	message := "Checkout for more cool features: "
-
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
-	if c.configObj == nil {
-		return
-	}
-	if c.configObj.CustomerAdminEMail != "" {
-		InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-		return
-	}
-	u.Path = "account/sign-up"
-	q := u.Query()
-	q.Add("invitationToken", c.configObj.Token)
-	q.Add("customerGUID", c.configObj.CustomerGUID)
-
-	u.RawQuery = q.Encode()
-	InfoTextDisplay(os.Stdout, "\n\n"+message+u.String()+"\n\n")
-}
-
-func (c *ClusterConfig) GetCustomerGUID() string {
-	if c.configObj != nil {
-		return c.configObj.CustomerGUID
-	}
-	return ""
-}
-
-func (c *ClusterConfig) SetConfig(customerGUID string) error {
-	if c.configObj == nil {
-		c.configObj = &ConfigObj{}
-	}
-
-	// cluster name
-	if c.GetClusterName() == "" {
-		c.setClusterName(k8sinterface.GetClusterName())
-	}
-
-	// ARMO customer GUID
-	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
-		c.setCustomerGUID(customerGUID) // override config customerGUID
-	}
-
-	customerGUID = c.GetCustomerGUID()
-
-	// get from armoBE
-	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			c.setCustomerAdminEMail(tenantResponse.AdminMail)
-		} else {
-			c.setToken(tenantResponse.Token)
-			c.setCustomerGUID(tenantResponse.TenantID)
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	// update/create config
-	if c.existsConfigMap() {
-		c.updateConfigMap()
-	} else {
-		c.createConfigMap()
-	}
-	c.updateConfigFile()
-
-	return nil
-}
-
-func (c *ClusterConfig) setToken(token string) {
-	c.configObj.Token = token
-}
-
-func (c *ClusterConfig) setCustomerAdminEMail(customerAdminEMail string) {
-	c.configObj.CustomerAdminEMail = customerAdminEMail
-}
-func (c *ClusterConfig) setCustomerGUID(customerGUID string) {
-	c.configObj.CustomerGUID = customerGUID
-}
-
-func (c *ClusterConfig) setClusterName(clusterName string) {
-	c.configObj.ClusterName = adoptClusterName(clusterName)
-}
-func (c *ClusterConfig) GetClusterName() string {
-	return c.configObj.ClusterName
-}
-func (c *ClusterConfig) LoadConfig() {
-	// get from configMap
-	if c.existsConfigMap() {
-		c.configObj, _ = c.loadConfigFromConfigMap()
-	} else if existsConfigFile() { // get from file
-		c.configObj, _ = loadConfigFromFile()
-	} else {
-		c.configObj = &ConfigObj{}
-	}
-}
-
-func (c *ClusterConfig) ToMapString() map[string]interface{} {
-	m := map[string]interface{}{}
-	if bc, err := json.Marshal(c.configObj); err == nil {
-		json.Unmarshal(bc, &m)
-	}
-	return m
-}
-func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
-	if c.k8s == nil {
-		return nil, nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	if bData, err := json.Marshal(configMap.Data); err == nil {
-		return readConfig(bData)
-	}
-	return nil, nil
-}
-
-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	// TODO - check if has customerGUID
-	return err == nil
-}
-
-func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return "", err
-	}
-	if val, ok := configMap.Data[key]; ok {
-		return val, nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-}
-
-func GetValueFromConfigJson(key string) (string, error) {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return "", err
-	}
-	var obj map[string]interface{}
-	if err := json.Unmarshal(data, &obj); err != nil {
-		return "", err
-	}
-	if val, ok := obj[key]; ok {
-		return fmt.Sprint(val), nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-
-}
-
-func SetKeyValueInConfigJson(key string, value string) error {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return err
-	}
-	var obj map[string]interface{}
-	err = json.Unmarshal(data, &obj)
-
-	if err != nil {
-		return err
-	}
-	obj[key] = value
-	newData, err := json.Marshal(obj)
-	if err != nil {
-		return err
-	}
-
-	return os.WriteFile(ConfigFileFullPath(), newData, 0664)
-
-}
-
-func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: configMapName,
-			},
-		}
-	}
-
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-
-	configMap.Data[key] = value
-
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
-
-	return err
-}
-
-func existsConfigFile() bool {
-	_, err := os.ReadFile(ConfigFileFullPath())
-	return err == nil
-}
-
-func (c *ClusterConfig) createConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: configMapName,
-		},
-	}
-	c.updateConfigData(configMap)
-
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Create(context.Background(), configMap, metav1.CreateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return err
-	}
-
-	c.updateConfigData(configMap)
-
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(configMap.Namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigFile() error {
-	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Config(), 0664); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-	m := c.ToMapString()
-	for k, v := range m {
-		if s, ok := v.(string); ok {
-			configMap.Data[k] = s
-		}
-	}
-}
-func loadConfigFromFile() (*ConfigObj, error) {
-	dat, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return nil, err
-	}
-
-	return readConfig(dat)
-}
-func readConfig(dat []byte) (*ConfigObj, error) {
-
-	if len(dat) == 0 {
-		return nil, nil
-	}
-	configObj := &ConfigObj{}
-	err := json.Unmarshal(dat, configObj)
-
-	return configObj, err
-}
-
-// Check if the customer is submitted
-func IsSubmitted(clusterConfig *ClusterConfig) bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
-}
-
-// Check if the customer is registered
-func IsRegistered(clusterConfig *ClusterConfig) bool {
-
-	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			return true
-		}
-	}
-	return false
-}
-
-func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
-	if err := DeleteConfigMap(k8s); err != nil {
-		return err
-	}
-	if err := DeleteConfigFile(); err != nil {
-		return err
-	}
-	return nil
-}
-func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
-	return k8s.KubernetesClient.CoreV1().ConfigMaps(k8sinterface.GetDefaultNamespace()).Delete(context.Background(), configMapName, metav1.DeleteOptions{})
-}
-
-func DeleteConfigFile() error {
-	return os.Remove(ConfigFileFullPath())
-}
-
-func adoptClusterName(clusterName string) string {
-	return strings.ReplaceAll(clusterName, "/", "-")
-}

cautils/datastructures.go

@@ -1,51 +0,0 @@
-package cautils
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// K8SResources map[<api group>/<api version>/<resource>]<resource object>
-type K8SResources map[string]interface{}
-
-type OPASessionObj struct {
-	Frameworks    []reporthandling.Framework
-	K8SResources  *K8SResources
-	Exceptions    []armotypes.PostureExceptionPolicy
-	PostureReport *reporthandling.PostureReport
-}
-
-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   frameworks,
-		K8SResources: k8sResources,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  ClusterName,
-			CustomerGUID: CustomerGUID,
-		},
-	}
-}
-
-func NewOPASessionObjMock() *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   nil,
-		K8SResources: nil,
-		PostureReport: &reporthandling.PostureReport{
-			ClusterName:  "",
-			CustomerGUID: "",
-			ReportID:     "",
-			JobID:        "",
-		},
-	}
-}
-
-type ComponentConfig struct {
-	Exceptions Exception `json:"exceptions"`
-}
-
-type Exception struct {
-	Ignore        *bool                      `json:"ignore"`        // ignore test results
-	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
-	Namespaces    []string                   `json:"namespaces"`
-	Regex         string                     `json:"regex"` // not supported
-}

cautils/display.go

@@ -1,79 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/briandowns/spinner"
-	"github.com/fatih/color"
-	"github.com/mattn/go-isatty"
-)
-
-var silent = false
-
-func SetSilentMode(s bool) {
-	silent = s
-}
-
-func IsSilent() bool {
-	return silent
-}
-
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New().FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
-
-var Spinner *spinner.Spinner
-
-func ScanStartDisplay() {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "ARMO security scanner starting\n")
-}
-
-func SuccessTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[success] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ErrorDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stdout, "[Error] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ProgressTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stdout, "[progress] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-func StartSpinner() {
-	if !IsSilent() && isatty.IsTerminal(os.Stdout.Fd()) {
-		Spinner = spinner.New(spinner.CharSets[7], 100*time.Millisecond) // Build our new spinner
-		Spinner.Start()
-	}
-}
-
-func StopSpinner() {
-	if Spinner == nil {
-		return
-	}
-	Spinner.Stop()
-}

cautils/downloadinfo.go

@@ -1,7 +0,0 @@
-package cautils
-
-type DownloadInfo struct {
-	Path          string
-	FrameworkName string
-	ControlName   string
-}

cautils/environments.go

@@ -1,11 +0,0 @@
-package cautils
-
-// CA environment vars
-var (
-	CustomerGUID          = ""
-	ClusterName           = ""
-	EventReceiverURL      = ""
-	NotificationServerURL = ""
-	DashboardBackendURL   = ""
-	RestAPIPort           = "4001"
-)

cautils/getter/armoapi.go

@@ -1,148 +0,0 @@
-package getter
-
-import (
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/golang/glog"
-)
-
-// =======================================================================================================================
-// =============================================== ArmoAPI ===============================================================
-// =======================================================================================================================
-
-var (
-	// ATTENTION!!!
-	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
-	armoERURL = "report.armo.cloud"
-	armoBEURL = "api.armo.cloud"
-	armoFEURL = "portal.armo.cloud"
-
-	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
-	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui.eudev3.cyberarmorsoft.com"
-)
-
-// Armo API for downloading policies
-type ArmoAPI struct {
-	httpClient *http.Client
-	apiURL     string
-	erURL      string
-	feURL      string
-}
-
-var globalArmoAPIConnecctor *ArmoAPI
-
-func SetARMOAPIConnector(armoAPI *ArmoAPI) {
-	globalArmoAPIConnecctor = armoAPI
-}
-
-func GetArmoAPIConnector() *ArmoAPI {
-	if globalArmoAPIConnecctor == nil {
-		glog.Error("returning nil API connector")
-	}
-	return globalArmoAPIConnecctor
-}
-
-func NewARMOAPIDev() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoDevBEURL
-	apiObj.erURL = armoDevERURL
-	apiObj.feURL = armoDevFEURL
-
-	return apiObj
-}
-
-func NewARMOAPIProd() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoBEURL
-	apiObj.erURL = armoERURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.erURL = armoERURL
-	apiObj.apiURL = armoBEURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func newArmoAPI() *ArmoAPI {
-	return &ArmoAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
-	}
-}
-
-func (armoAPI *ArmoAPI) GetFrontendURL() string {
-	return armoAPI.feURL
-}
-
-func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
-	return armoAPI.erURL
-}
-
-func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
-	if err != nil {
-		return nil, err
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return nil, err
-	}
-	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
-
-	return framework, err
-}
-
-func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	exceptions := []armotypes.PostureExceptionPolicy{}
-	if customerGUID == "" {
-		return exceptions, nil
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
-		return nil, err
-	}
-
-	return exceptions, nil
-}
-
-func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, error) {
-	url := armoAPI.getCustomerURL()
-	if customerGUID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url)
-	if err != nil {
-		return nil, err
-	}
-	tenant := &TenantResponse{}
-	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
-		return nil, err
-	}
-
-	return tenant, nil
-}
-
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
-}

cautils/getter/armoapiutils.go

@@ -1,44 +0,0 @@
-package getter
-
-import (
-	"net/url"
-	"strings"
-)
-
-func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
-	q.Add("frameworkName", strings.ToUpper(frameworkName))
-	q.Add("getRules", "true")
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoPostureExceptions"
-
-	q := u.Query()
-	q.Add("customerGUID", customerGUID)
-	// if clusterName != "" { // TODO - fix customer name support in Armo BE
-	// 	q.Add("clusterName", clusterName)
-	// }
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (armoAPI *ArmoAPI) getCustomerURL() string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/createTenant"
-	return u.String()
-}

cautils/getter/downloadreleasedpolicy.go

@@ -1,46 +0,0 @@
-package getter
-
-import (
-	"strings"
-
-	"github.com/armosec/opa-utils/gitregostore"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-// =======================================================================================================================
-// ======================================== DownloadReleasedPolicy =======================================================
-// =======================================================================================================================
-
-// Download released version
-type DownloadReleasedPolicy struct {
-	gs *gitregostore.GitRegoStore
-}
-
-func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
-	return &DownloadReleasedPolicy{
-		gs: gitregostore.InitDefaultGitRegoStore(-1),
-	}
-}
-
-// Return control per name/id using ARMO api
-func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
-	var control *reporthandling.Control
-	var err error
-	if strings.HasPrefix(policyName, "C-") || strings.HasPrefix(policyName, "c-") {
-		control, err = drp.gs.GetOPAControlByID(policyName)
-	} else {
-		control, err = drp.gs.GetOPAControlByName(policyName)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return control, nil
-}
-
-func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
-	framework, err := drp.gs.GetOPAFrameworkByName(name)
-	if err != nil {
-		return nil, err
-	}
-	return framework, err
-}

cautils/getter/getpolicies.go

@@ -1,18 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-	GetControl(policyName string) (*reporthandling.Control, error)
-}
-
-type IExceptionsGetter interface {
-	GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error)
-}
-type IBackend interface {
-	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
-}

cautils/reporterutils.go

@@ -1,5 +0,0 @@
-package cautils
-
-const (
-	ComponentIdentifier = "Posture"
-)

cautils/scaninfo.go

@@ -1,84 +0,0 @@
-package cautils
-
-import (
-	"path/filepath"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type ScanInfo struct {
-	Getters
-	PolicyIdentifier   []reporthandling.PolicyIdentifier
-	UseExceptions      string   // Load exceptions configuration
-	UseFrom            []string // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
-	Format             string   // Format results (table, json, junit ...)
-	Output             string   // Store results in an output file, Output file name
-	ExcludedNamespaces string   // DEPRECATED?
-	InputPatterns      []string // Yaml files input patterns
-	Silent             bool     // Silent mode - Do not print progress logs
-	FailThreshold      uint16   // Failure score threshold
-	Submit             bool     // Submit results to Armo BE
-	Local              bool     // Do not submit results
-	Account            string   // account ID
-	FrameworkScan      bool     // false if scanning control
-}
-
-type Getters struct {
-	ExceptionsGetter getter.IExceptionsGetter
-	PolicyGetter     getter.IPolicyGetter
-}
-
-func (scanInfo *ScanInfo) Init() {
-	scanInfo.setUseFrom()
-	scanInfo.setUseExceptions()
-	scanInfo.setOutputFile()
-	scanInfo.setGetter()
-
-}
-
-func (scanInfo *ScanInfo) setUseExceptions() {
-	if scanInfo.UseExceptions != "" {
-		// load exceptions from file
-		scanInfo.ExceptionsGetter = getter.NewLoadPolicy([]string{scanInfo.UseExceptions})
-	} else {
-		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
-	}
-
-}
-func (scanInfo *ScanInfo) setUseFrom() {
-	if scanInfo.UseDefault {
-		for _, policy := range scanInfo.PolicyIdentifier {
-			scanInfo.UseFrom = append(scanInfo.UseFrom, getter.GetDefaultPath(policy.Name+".json"))
-		}
-	}
-}
-func (scanInfo *ScanInfo) setGetter() {
-	if len(scanInfo.UseFrom) > 0 {
-		// load from file
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
-	}
-}
-
-func (scanInfo *ScanInfo) setOutputFile() {
-	if scanInfo.Output == "" {
-		return
-	}
-	if scanInfo.Format == "json" {
-		if filepath.Ext(scanInfo.Output) != ".json" {
-			scanInfo.Output += ".json"
-		}
-	}
-	if scanInfo.Format == "junit" {
-		if filepath.Ext(scanInfo.Output) != ".xml" {
-			scanInfo.Output += ".xml"
-		}
-	}
-}
-
-func (scanInfo *ScanInfo) ScanRunningCluster() bool {
-	return len(scanInfo.InputPatterns) == 0
-}

clihandler/cmd/cluster.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// clusterCmd represents the cluster command
-var clusterCmd = &cobra.Command{
-	Use:   "cluster",
-	Short: "Set configuration for cluster",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(clusterCmd)
-}

clihandler/cmd/cluster_get.go

@@ -1,51 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/spf13/cobra"
-)
-
-var getCmd = &cobra.Command{
-	Use:       "get <key>",
-	Short:     "Get configuration in cluster",
-	Long:      ``,
-	ValidArgs: clihandler.SupportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(getCmd)
-}

clihandler/cmd/cluster_set.go

@@ -1,44 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var setCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration in cluster",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector())
-		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	clusterCmd.AddCommand(setCmd)
-}

clihandler/cmd/config.go

@@ -1,18 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-// configCmd represents the config command
-var configCmd = &cobra.Command{
-	Use:   "config",
-	Short: "Set configuration",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(configCmd)
-}

clihandler/cmd/control.go

@@ -1,90 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/spf13/cobra"
-)
-
-// controlCmd represents the control command
-var controlCmd = &cobra.Command{
-	Use:   "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", clihandler.ValidFrameworks),
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			controls := strings.Split(args[0], ",")
-			if len(controls) > 1 {
-				if controls[1] == "" {
-					return fmt.Errorf("usage: <control_one>,<control_two>")
-				}
-			}
-		} else {
-			return fmt.Errorf("requires at least one control name")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		flagValidationControl()
-		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-
-		if len(args) < 1 {
-			scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(clihandler.SupportedFrameworks)
-		} else {
-			var controls []string
-			if len(args) > 0 {
-				controls = strings.Split(args[0], ",")
-				scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-				scanInfo.PolicyIdentifier = setScanForFirstControl(controls)
-			}
-
-			if len(controls) > 1 {
-				scanInfo.PolicyIdentifier = SetScanForGivenControls(controls[1:])
-			}
-		}
-		scanInfo.FrameworkScan = false
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	scanInfo = cautils.ScanInfo{}
-	scanCmd.AddCommand(controlCmd)
-}
-
-func flagValidationControl() {
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}
-
-func setScanForFirstControl(controls []string) []reporthandling.PolicyIdentifier {
-	newPolicy := reporthandling.PolicyIdentifier{}
-	newPolicy.Kind = reporthandling.KindControl
-	newPolicy.Name = controls[0]
-	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	return scanInfo.PolicyIdentifier
-}
-
-func SetScanForGivenControls(controls []string) []reporthandling.PolicyIdentifier {
-	for _, control := range controls {
-		control := strings.TrimLeft(control, " ")
-		newPolicy := reporthandling.PolicyIdentifier{}
-		newPolicy.Kind = reporthandling.KindControl
-		newPolicy.Name = control
-		scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	}
-	return scanInfo.PolicyIdentifier
-}

clihandler/cmd/download.go

@@ -1,67 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/spf13/cobra"
-)
-
-var downloadInfo cautils.DownloadInfo
-
-var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
-	Short: "Download framework/control",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) != 2 {
-			return fmt.Errorf("requires two arguments : framework/control <framework-name>/<control-name>")
-		}
-		if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-			return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		if strings.EqualFold(args[0], "framework") {
-			downloadInfo.FrameworkName = strings.ToLower(args[1])
-			g := getter.NewDownloadReleasedPolicy()
-			if downloadInfo.Path == "" {
-				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
-			}
-			frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
-			if err != nil {
-				return err
-			}
-			err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
-			if err != nil {
-				return err
-			}
-		} else if strings.EqualFold(args[0], "control") {
-			downloadInfo.ControlName = strings.ToLower(args[1])
-			g := getter.NewDownloadReleasedPolicy()
-			if downloadInfo.Path == "" {
-				downloadInfo.Path = getter.GetDefaultPath(downloadInfo.ControlName + ".json")
-			}
-			controls, err := g.GetControl(downloadInfo.ControlName)
-			if err != nil {
-				return err
-			}
-			err = getter.SaveControlInFile(controls, downloadInfo.Path)
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(downloadCmd)
-	downloadInfo = cautils.DownloadInfo{}
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
-}

clihandler/cmd/framework.go

@@ -1,115 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/spf13/cobra"
-)
-
-var frameworkCmd = &cobra.Command{
-	Use:       fmt.Sprintf("framework <framework names list> [`<glob pattern>`/`-`] [flags]\nExamples:\n$ kubescape scan framework nsa [flags]\n$ kubescape scan framework mitre,nsa [flags]\n$ kubescape scan framework 'nsa, mitre' [flags]\nSupported frameworks: %s", clihandler.ValidFrameworks),
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")),
-	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: clihandler.SupportedFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			// "nsa, mitre" -> ["nsa", "mitre"] and nsa,mitre -> ["nsa", "mitre"]
-			frameworks := strings.Split(strings.Join(strings.Fields(args[0]), ""), ",")
-			for _, framework := range frameworks {
-				if !isValidFramework(strings.ToLower(framework)) {
-					return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(clihandler.SupportedFrameworks, ", ")))
-				}
-			}
-		} else {
-			return fmt.Errorf("requires at least one framework name")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		flagValidationFramework()
-		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-		// If no framework provided, use all
-		if len(args) < 1 {
-			scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(clihandler.SupportedFrameworks)
-		} else {
-			// Read frameworks from input args
-			scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-			frameworks := strings.Split(strings.Join(strings.Fields(args[0]), ""), ",")
-			scanInfo.PolicyIdentifier = SetScanForFirstFramework(frameworks)
-			if len(frameworks) > 1 {
-				scanInfo.PolicyIdentifier = SetScanForGivenFrameworks(frameworks[1:])
-			}
-		}
-		if len(args) > 0 {
-			if len(args[1:]) == 0 || args[1] != "-" {
-				scanInfo.InputPatterns = args[1:]
-			} else { // store stout to file
-				tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-				if err != nil {
-					return err
-				}
-				defer os.Remove(tempFile.Name())
-
-				if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-					return err
-				}
-				scanInfo.InputPatterns = []string{tempFile.Name()}
-			}
-		}
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.CliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func isValidFramework(framework string) bool {
-	return cautils.StringInSlice(clihandler.SupportedFrameworks, framework) != cautils.ValueNotFound
-}
-
-func init() {
-	scanCmd.AddCommand(frameworkCmd)
-	scanInfo = cautils.ScanInfo{}
-	scanInfo.FrameworkScan = true
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
-	frameworkCmd.Flags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
-}
-func SetScanForGivenFrameworks(frameworks []string) []reporthandling.PolicyIdentifier {
-	for _, framework := range frameworks {
-		newPolicy := reporthandling.PolicyIdentifier{}
-		newPolicy.Kind = reporthandling.KindFramework
-		newPolicy.Name = framework
-		scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	}
-	return scanInfo.PolicyIdentifier
-}
-
-func SetScanForFirstFramework(frameworks []string) []reporthandling.PolicyIdentifier {
-	newPolicy := reporthandling.PolicyIdentifier{}
-	newPolicy.Kind = reporthandling.KindFramework
-	newPolicy.Name = frameworks[0]
-	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	return scanInfo.PolicyIdentifier
-}
-
-func flagValidationFramework() {
-	if scanInfo.Submit && scanInfo.Local {
-		fmt.Println("You can use `keep-local` or `submit`, but not both")
-		os.Exit(1)
-	}
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}

clihandler/cmd/local.go

@@ -1,17 +0,0 @@
-package cmd
-
-import (
-	"github.com/spf13/cobra"
-)
-
-var localCmd = &cobra.Command{
-	Use:   "local",
-	Short: "Set configuration locally (for config.json)",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	configCmd.AddCommand(localCmd)
-}

clihandler/cmd/local_get.go

@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localGetCmd = &cobra.Command{
-	Use:   "get <key>",
-	Short: "Get configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 1 {
-			return fmt.Errorf("requires  one argument")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-
-		val, err := cautils.GetValueFromConfigJson(key)
-		if err != nil {
-			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
-				return nil
-			}
-			return err
-		}
-		fmt.Println(key + "=" + val)
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localGetCmd)
-}

clihandler/cmd/local_set.go

@@ -1,40 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var localSetCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration locally",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 || len(args) > 1 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		keyValue := strings.Split(args[0], "=")
-		if len(keyValue) != 2 {
-			return fmt.Errorf("requires  one argument: <key>=<value>")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		keyValue := strings.Split(args[0], "=")
-		key := keyValue[0]
-		data := keyValue[1]
-
-		if err := cautils.SetKeyValueInConfigJson(key, data); err != nil {
-			return err
-		}
-		fmt.Println("Value added successfully.")
-		return nil
-	},
-}
-
-func init() {
-	localCmd.AddCommand(localSetCmd)
-}

clihandler/cmd/root.go

@@ -1,68 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/golang/glog"
-	"github.com/spf13/cobra"
-)
-
-var cfgFile string
-var armoBEURLs = ""
-
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
-
-var rootCmd = &cobra.Command{
-	Use:   "kubescape",
-	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		flag.Parse()
-		InitArmoBEConnector()
-		return nil
-	},
-}
-
-func Execute() {
-	rootCmd.Execute()
-}
-
-func init() {
-	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().MarkHidden("environment")
-	cobra.OnInitialize(initConfig)
-
-}
-
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-}
-
-func InitArmoBEConnector() {
-	urlSlices := strings.Split(armoBEURLs, ",")
-	if len(urlSlices) > 3 {
-		glog.Errorf("Too many URLs")
-		os.Exit(1)
-	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
-		case "":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
-		default:
-			glog.Errorf("--environment flag usage: %s", envFlagUsage)
-			os.Exit(1)
-		}
-	case 2:
-		glog.Errorf("--environment flag usage: %s", envFlagUsage)
-		os.Exit(1)
-	case 3:
-		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
-	}
-}

clihandler/cmd/scan.go

@@ -1,46 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/spf13/cobra"
-)
-
-var scanInfo cautils.ScanInfo
-
-// scanCmd represents the scan command
-var scanCmd = &cobra.Command{
-	Use:   "scan <command>",
-	Short: "Scan the current running cluster or yaml files",
-	Long:  `The action you want to perform`,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-				return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-			}
-		}
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		if len(args) == 0 {
-			frameworkArgs := []string{clihandler.ValidFrameworks}
-			frameworkArgs = append(frameworkArgs, args...)
-			frameworkCmd.RunE(cmd, frameworkArgs)
-		}
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(scanCmd)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system, kube-public")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"`)
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
-	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 0, "Failure threshold is the percent bellow which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from Armo management portal")
-}

clihandler/cmd/version.go

@@ -1,49 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-
-	"github.com/spf13/cobra"
-)
-
-var BuildNumber string
-
-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "Get current version",
-	Long:  ``,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		fmt.Println("Your current version is: " + BuildNumber)
-		return nil
-	},
-}
-
-func GetLatestVersion() (string, error) {
-	latestVersion := "https://api.github.com/repos/armosec/kubescape/releases/latest"
-	resp, err := http.Get(latestVersion)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestVersion, err.Error())
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode < 200 || 301 < resp.StatusCode {
-		return "unknown", nil
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to read response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	var data map[string]interface{}
-	err = json.Unmarshal(body, &data)
-	if err != nil {
-		return "unknown", fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestVersion, err.Error())
-	}
-	return fmt.Sprintf("%v", data["tag_name"]), nil
-}
-
-func init() {
-	rootCmd.AddCommand(versionCmd)
-}

clihandler/initcli.go

@@ -1,151 +0,0 @@
-package clihandler
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/opaprocessor"
-	"github.com/armosec/kubescape/policyhandler"
-	"github.com/armosec/kubescape/resourcehandler"
-	"github.com/armosec/kubescape/resultshandling"
-	"github.com/armosec/kubescape/resultshandling/printer"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type CLIHandler struct {
-	policyHandler *policyhandler.PolicyHandler
-	scanInfo      *cautils.ScanInfo
-}
-
-var SupportedFrameworks = []string{"nsa", "mitre"}
-var ValidFrameworks = strings.Join(SupportedFrameworks, ", ")
-
-type componentInterfaces struct {
-	clusterConfig   cautils.IClusterConfig
-	resourceHandler resourcehandler.IResourceHandler
-	report          reporter.IReport
-	printerHandler  printer.IPrinter
-}
-
-func getReporter(scanInfo *cautils.ScanInfo) reporter.IReport {
-	if !scanInfo.Submit {
-		return reporter.NewReportMock()
-	}
-	if !scanInfo.FrameworkScan {
-		return reporter.NewReportMock()
-	}
-
-	return reporter.NewReportEventReceiver()
-}
-func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
-	var resourceHandler resourcehandler.IResourceHandler
-	var clusterConfig cautils.IClusterConfig
-	var reportHandler reporter.IReport
-
-	if !scanInfo.ScanRunningCluster() {
-		k8sinterface.ConnectedToCluster = false
-		clusterConfig = cautils.NewEmptyConfig()
-
-		// load fom file
-		resourceHandler = resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
-
-		// set mock report (do not send report)
-		reportHandler = reporter.NewReportMock()
-	} else {
-		k8s := k8sinterface.NewKubernetesApi()
-		resourceHandler = resourcehandler.NewK8sResourceHandler(k8s, scanInfo.ExcludedNamespaces)
-		clusterConfig = cautils.ClusterConfigSetup(scanInfo, k8s, getter.GetArmoAPIConnector())
-
-		// setup reporter
-		reportHandler = getReporter(scanInfo)
-	}
-
-	// setup printer
-	printerHandler := printer.GetPrinter(scanInfo.Format)
-	printerHandler.SetWriter(scanInfo.Output)
-
-	return componentInterfaces{
-		clusterConfig:   clusterConfig,
-		resourceHandler: resourceHandler,
-		report:          reportHandler,
-		printerHandler:  printerHandler,
-	}
-}
-
-func CliSetup(scanInfo *cautils.ScanInfo) error {
-
-	interfaces := getInterfaces(scanInfo)
-
-	processNotification := make(chan *cautils.OPASessionObj)
-	reportResults := make(chan *cautils.OPASessionObj)
-
-	if err := interfaces.clusterConfig.SetConfig(scanInfo.Account); err != nil {
-		fmt.Println(err)
-	}
-
-	cautils.ClusterName = interfaces.clusterConfig.GetClusterName()   // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.clusterConfig.GetCustomerGUID() // TODO - Deprecated
-	interfaces.report.SetClusterName(interfaces.clusterConfig.GetClusterName())
-	interfaces.report.SetCustomerGUID(interfaces.clusterConfig.GetCustomerGUID())
-	// cli handler setup
-	go func() {
-		// policy handler setup
-		policyHandler := policyhandler.NewPolicyHandler(&processNotification, interfaces.resourceHandler)
-		cli := NewCLIHandler(policyHandler, scanInfo)
-		if err := cli.Scan(); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-	}()
-
-	// processor setup - rego run
-	go func() {
-		opaprocessorObj := opaprocessor.NewOPAProcessorHandler(&processNotification, &reportResults)
-		opaprocessorObj.ProcessRulesListenner()
-	}()
-
-	resultsHandling := resultshandling.NewResultsHandler(&reportResults, interfaces.report, interfaces.printerHandler)
-	score := resultsHandling.HandleResults(scanInfo)
-
-	// print report url
-	interfaces.clusterConfig.GenerateURL()
-
-	adjustedFailThreshold := float32(scanInfo.FailThreshold) / 100
-	if score < adjustedFailThreshold {
-		return fmt.Errorf("Scan score is bellow threshold")
-	}
-
-	return nil
-}
-
-func NewCLIHandler(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) *CLIHandler {
-	return &CLIHandler{
-		scanInfo:      scanInfo,
-		policyHandler: policyHandler,
-	}
-}
-
-func (clihandler *CLIHandler) Scan() error {
-	cautils.ScanStartDisplay()
-	policyNotification := &reporthandling.PolicyNotification{
-		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules:            clihandler.scanInfo.PolicyIdentifier,
-		Designators:      armotypes.PortalDesignator{},
-	}
-	switch policyNotification.NotificationType {
-	case reporthandling.TypeExecPostureScan:
-		if err := clihandler.policyHandler.HandleNotificationRequest(policyNotification, clihandler.scanInfo); err != nil {
-			return err
-		}
-
-	default:
-		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
-	}
-	return nil
-}

cmd/completion/completion.go

@@ -0,0 +1,49 @@
+package completion
+
+import (
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+var completionCmdExamples = `
+
+  # Enable BASH shell autocompletion 
+  $ source <(kubescape completion bash) 
+  $ echo 'source <(kubescape completion bash)' >> ~/.bashrc
+
+  # Enable ZSH shell autocompletion 
+  $ source <(kubectl completion zsh)
+  $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
+
+`
+
+func GetCompletionCmd() *cobra.Command {
+	completionCmd := &cobra.Command{
+		Use:                   "completion [bash|zsh|fish|powershell]",
+		Short:                 "Generate autocompletion script",
+		Long:                  "To load completions",
+		Example:               completionCmdExamples,
+		DisableFlagsInUseLine: true,
+		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
+		Args:                  cobra.ExactValidArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			switch strings.ToLower(args[0]) {
+			case "bash":
+				cmd.Root().GenBashCompletion(os.Stdout)
+			case "zsh":
+				cmd.Root().GenZshCompletion(os.Stdout)
+			case "fish":
+				cmd.Root().GenFishCompletion(os.Stdout, true)
+			case "powershell":
+				cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+			}
+		},
+	}
+	return completionCmd
+}
+
+// func init() {
+// 	rootCmd.AddCommand(completionCmd)
+// }

cmd/config/config.go

@@ -0,0 +1,45 @@
+package config
+
+import (
+	"github.com/armosec/kubescape/v2/core/meta"
+	"github.com/spf13/cobra"
+)
+
+var (
+	configExample = `
+  # View cached configurations 
+  kubescape config view
+
+  # Delete cached configurations
+  kubescape config delete
+
+  # Set cached configurations
+  kubescape config set --help
+`
+	setConfigExample = `
+  # Set account id
+  kubescape config set accountID <account id>
+
+  # Set client id
+  kubescape config set clientID <client id> 
+
+  # Set access key
+  kubescape config set secretKey <access key>
+`
+)
+
+func GetConfigCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configCmd := &cobra.Command{
+		Use:     "config",
+		Short:   "Handle cached configurations",
+		Example: configExample,
+	}
+
+	configCmd.AddCommand(getDeleteCmd(ks))
+	configCmd.AddCommand(getSetCmd(ks))
+	configCmd.AddCommand(getViewCmd(ks))
+
+	return configCmd
+}

cmd/config/delete.go

@@ -0,0 +1,21 @@
+package config
+
+import (
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
+	return &cobra.Command{
+		Use:   "delete",
+		Short: "Delete cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/config/set.go

@@ -0,0 +1,69 @@
+package config
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/core/meta"
+	metav1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+func getSetCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	configSetCmd := &cobra.Command{
+		Use:       "set",
+		Short:     fmt.Sprintf("Set configurations, supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/")),
+		Example:   setConfigExample,
+		ValidArgs: stringKeysToSlice(supportConfigSet),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			setConfig, err := parseSetArgs(args)
+			if err != nil {
+				return err
+			}
+			if err := ks.SetCachedConfig(setConfig); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	return configSetCmd
+}
+
+var supportConfigSet = map[string]func(*metav1.SetConfig, string){
+	"accountID": func(s *metav1.SetConfig, account string) { s.Account = account },
+	"clientID":  func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
+	"secretKey": func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
+}
+
+func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {
+	l := []string{}
+	for i := range m {
+		l = append(l, i)
+	}
+	return l
+}
+
+func parseSetArgs(args []string) (*metav1.SetConfig, error) {
+	var key string
+	var value string
+	if len(args) == 1 {
+		if keyValue := strings.Split(args[0], "="); len(keyValue) == 2 {
+			key = keyValue[0]
+			value = keyValue[1]
+		}
+	} else if len(args) == 2 {
+		key = args[0]
+		value = args[1]
+	}
+	setConfig := &metav1.SetConfig{}
+
+	if setConfigFunc, ok := supportConfigSet[key]; ok {
+		setConfigFunc(setConfig, value)
+	} else {
+		return setConfig, fmt.Errorf("key '%s' unknown . supported: %s", key, strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	}
+	return setConfig, nil
+}

cmd/config/view.go

@@ -0,0 +1,25 @@
+package config
+
+import (
+	"os"
+
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+func getViewCmd(ks meta.IKubescape) *cobra.Command {
+
+	// configCmd represents the config command
+	return &cobra.Command{
+		Use:   "view",
+		Short: "View cached configurations",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.ViewCachedConfig(&v1.ViewConfig{Writer: os.Stdout}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/delete/delete.go

@@ -0,0 +1,34 @@
+package delete
+
+import (
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var deleteExceptionsExamples = `
+  # Delete single exception
+  kubescape delete exceptions "exception name"
+
+  # Delete multiple exceptions
+  kubescape delete exceptions "first exception;second exception;third exception"
+`
+
+func GetDeleteCmd(ks meta.IKubescape) *cobra.Command {
+	var deleteInfo v1.Delete
+
+	var deleteCmd = &cobra.Command{
+		Use:   "delete <command>",
+		Short: "Delete configurations in Kubescape SaaS version",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+
+	deleteCmd.AddCommand(getExceptionsCmd(ks, &deleteInfo))
+
+	return deleteCmd
+}

cmd/delete/exceptions.go

@@ -0,0 +1,34 @@
+package delete
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command {
+	return &cobra.Command{
+		Use:     "exceptions <exception name>",
+		Short:   "Delete exceptions from Kubescape SaaS version. Run 'kubescape list exceptions' for all exceptions names",
+		Example: deleteExceptionsExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("missing exceptions names")
+			}
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+			exceptionsNames := strings.Split(args[0], ";")
+			if len(exceptionsNames) == 0 {
+				logger.L().Fatal("missing exceptions names")
+			}
+			if err := ks.DeleteExceptions(&v1.DeleteExceptions{Credentials: deleteInfo.Credentials, Exceptions: exceptionsNames}); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/download/download.go

@@ -0,0 +1,82 @@
+package download
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/core"
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+var (
+	downloadExample = `
+  # Download all artifacts and save them in the default path (~/.kubescape)
+  kubescape download artifacts
+  download
+  # Download all artifacts and save them in /tmp path
+  kubescape download artifacts --output /tmp
+  
+  # Download the NSA framework. Run 'kubescape list frameworks' for all frameworks names
+  kubescape download framework nsa
+
+  # Download the "Allowed hostPath" control. Run 'kubescape list controls' for all controls names
+  kubescape download control "Allowed hostPath"
+
+  # Download the "C-0001" control. Run 'kubescape list controls --id' for all controls ids
+  kubescape download control C-0001
+
+  # Download the configured exceptions
+  kubescape download exceptions 
+
+  # Download the configured controls-inputs 
+  kubescape download controls-inputs 
+
+`
+)
+
+func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
+	var downloadInfo = v1.DownloadInfo{}
+
+	downloadCmd := &cobra.Command{
+		Use:     "download <policy> <policy name>",
+		Short:   fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")),
+		Long:    ``,
+		Example: downloadExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.DownloadSupportCommands(), ",")
+			if len(args) < 1 {
+				return fmt.Errorf("policy type required, supported: %v", supported)
+			}
+			if cautils.StringInSlice(core.DownloadSupportCommands(), args[0]) == cautils.ValueNotFound {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if filepath.Ext(downloadInfo.Path) == ".json" {
+				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
+			}
+			downloadInfo.Target = args[0]
+			if len(args) >= 2 {
+				downloadInfo.Name = args[1]
+			}
+			if err := ks.Download(&downloadInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
+
+	return downloadCmd
+}

cmd/list/list.go

@@ -0,0 +1,69 @@
+package list
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/core"
+	"github.com/armosec/kubescape/v2/core/meta"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/spf13/cobra"
+)
+
+var (
+	listExample = `
+  # List default supported frameworks names
+  kubescape list frameworks
+  
+  # List all supported frameworks names
+  kubescape list frameworks --account <account id>
+	
+  # List all supported controls names
+  kubescape list controls
+
+  # List all supported controls ids
+  kubescape list controls --id 
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`
+)
+
+func GetListCmd(ks meta.IKubescape) *cobra.Command {
+	var listPolicies = v1.ListPolicies{}
+
+	listCmd := &cobra.Command{
+		Use:     "list <policy> [flags]",
+		Short:   "List frameworks/controls will list the supported frameworks and controls",
+		Long:    ``,
+		Example: listExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			supported := strings.Join(core.ListSupportActions(), ",")
+
+			if len(args) < 1 {
+				return fmt.Errorf("policy type requeued, supported: %s", supported)
+			}
+			if cautils.StringInSlice(core.ListSupportActions(), args[0]) == cautils.ValueNotFound {
+				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			listPolicies.Target = args[0]
+
+			if err := ks.List(&listPolicies); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-printer'/'json'")
+	listCmd.PersistentFlags().BoolVarP(&listPolicies.ListIDs, "id", "", false, "List control ID's instead of controls names")
+
+	return listCmd
+}

cmd/root.go

@@ -0,0 +1,85 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/cmd/completion"
+	"github.com/armosec/kubescape/v2/cmd/config"
+	"github.com/armosec/kubescape/v2/cmd/delete"
+	"github.com/armosec/kubescape/v2/cmd/download"
+	"github.com/armosec/kubescape/v2/cmd/list"
+	"github.com/armosec/kubescape/v2/cmd/scan"
+	"github.com/armosec/kubescape/v2/cmd/submit"
+	"github.com/armosec/kubescape/v2/cmd/version"
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	"github.com/armosec/kubescape/v2/core/core"
+	"github.com/armosec/kubescape/v2/core/meta"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/spf13/cobra"
+)
+
+var rootInfo cautils.RootInfo
+
+var ksExamples = `
+  # Scan command
+  kubescape scan --submit
+
+  # List supported frameworks
+  kubescape list frameworks
+
+  # Download artifacts (air-gapped environment support)
+  kubescape download artifacts
+
+  # View cached configurations
+  kubescape config view
+`
+
+func NewDefaultKubescapeCommand() *cobra.Command {
+	ks := core.NewKubescape()
+	return getRootCmd(ks)
+}
+
+func getRootCmd(ks meta.IKubescape) *cobra.Command {
+
+	rootCmd := &cobra.Command{
+		Use:     "kubescape",
+		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
+		Example: ksExamples,
+	}
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLsDep, "environment", "", envFlagUsage)
+	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLs, "env", "", envFlagUsage)
+	rootCmd.PersistentFlags().MarkDeprecated("environment", "use 'env' instead")
+	rootCmd.PersistentFlags().MarkHidden("environment")
+	rootCmd.PersistentFlags().MarkHidden("env")
+
+	rootCmd.PersistentFlags().StringVar(&rootInfo.LoggerName, "logger-name", "", fmt.Sprintf("Logger name. Supported: %s [$KS_LOGGER_NAME]", strings.Join(logger.ListLoggersNames(), "/")))
+	rootCmd.PersistentFlags().MarkHidden("logger-name")
+
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
+	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable Color output for logging")
+
+	cobra.OnInitialize(initLogger, initLoggerLevel, initEnvironment, initCacheDir)
+
+	// Supported commands
+	rootCmd.AddCommand(scan.GetScanCommand(ks))
+	rootCmd.AddCommand(download.GeDownloadCmd(ks))
+	rootCmd.AddCommand(delete.GetDeleteCmd(ks))
+	rootCmd.AddCommand(list.GetListCmd(ks))
+	rootCmd.AddCommand(submit.GetSubmitCmd(ks))
+	rootCmd.AddCommand(completion.GetCompletionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(config.GetConfigCmd(ks))
+
+	return rootCmd
+}
+
+func Execute() error {
+	ks := NewDefaultKubescapeCommand()
+	return ks.Execute()
+}

cmd/rootutils.go

@@ -0,0 +1,89 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/mattn/go-isatty"
+)
+
+const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
+
+func initLogger() {
+	logger.DisableColor(rootInfo.DisableColor)
+
+	if rootInfo.LoggerName == "" {
+		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
+			rootInfo.LoggerName = l
+		} else {
+			if isatty.IsTerminal(os.Stdout.Fd()) {
+				rootInfo.LoggerName = "pretty"
+			} else {
+				rootInfo.LoggerName = "zap"
+			}
+		}
+	}
+
+	logger.InitLogger(rootInfo.LoggerName)
+
+}
+func initLoggerLevel() {
+	if rootInfo.Logger == helpers.InfoLevel.String() {
+	} else if l := os.Getenv("KS_LOGGER"); l != "" {
+		rootInfo.Logger = l
+	}
+
+	if err := logger.L().SetLevel(rootInfo.Logger); err != nil {
+		logger.L().Fatal(fmt.Sprintf("supported levels: %s", strings.Join(helpers.SupportedLevels(), "/")), helpers.Error(err))
+	}
+}
+
+func initCacheDir() {
+	if rootInfo.CacheDir != getter.DefaultLocalStore {
+		getter.DefaultLocalStore = rootInfo.CacheDir
+	} else if cacheDir := os.Getenv("KS_CACHE_DIR"); cacheDir != "" {
+		getter.DefaultLocalStore = cacheDir
+	} else {
+		return // using default cache dir location
+	}
+
+	logger.L().Debug("cache dir updated", helpers.String("path", getter.DefaultLocalStore))
+}
+func initEnvironment() {
+	if rootInfo.KSCloudBEURLs == "" {
+		rootInfo.KSCloudBEURLs = rootInfo.KSCloudBEURLsDep
+	}
+	urlSlices := strings.Split(rootInfo.KSCloudBEURLs, ",")
+	if len(urlSlices) != 1 && len(urlSlices) < 3 {
+		logger.L().Fatal("expected at least 3 URLs (report, api, frontend, auth)")
+	}
+	switch len(urlSlices) {
+	case 1:
+		switch urlSlices[0] {
+		case "dev", "development":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIDev())
+		case "stage", "staging":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIStaging())
+		case "":
+			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIProd())
+		default:
+			logger.L().Fatal("--environment flag usage: " + envFlagUsage)
+		}
+	case 2:
+		logger.L().Fatal("--environment flag usage: " + envFlagUsage)
+	case 3, 4:
+		var ksAuthURL string
+		ksEventReceiverURL := urlSlices[0] // mandatory
+		ksBackendURL := urlSlices[1]       // mandatory
+		ksFrontendURL := urlSlices[2]      // mandatory
+		if len(urlSlices) >= 4 {
+			ksAuthURL = urlSlices[3]
+		}
+		getter.SetKSCloudAPIConnector(getter.NewKSCloudAPICustomized(ksEventReceiverURL, ksBackendURL, ksFrontendURL, ksAuthURL))
+	}
+}

cmd/scan/control.go

@@ -0,0 +1,107 @@
+package scan
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/meta"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/enescakir/emoji"
+	"github.com/spf13/cobra"
+)
+
+var (
+	controlExample = `
+  # Scan the 'privileged container' control
+  kubescape scan control "privileged container"
+	
+  # Scan list of controls separated with a comma
+  kubescape scan control "privileged container","allowed hostpath"
+  
+  # Scan list of controls using the control ID separated with a comma
+  kubescape scan control C-0058,C-0057
+  
+  Run 'kubescape list controls' for the list of supported controls
+  
+  Control documentation:
+  https://hub.armosec.io/docs/controls
+`
+)
+
+// controlCmd represents the control command
+func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	return &cobra.Command{
+		Use:     "control <control names list>/<control ids list>",
+		Short:   "The controls you wish to use. Run 'kubescape list controls' for the list of supported controls",
+		Example: controlExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				controls := strings.Split(args[0], ",")
+				if len(controls) > 1 {
+					for _, control := range controls {
+						if control == "" {
+							return fmt.Errorf("usage: <control-0>,<control-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one control name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			// flagValidationControl(scanInfo)
+			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+			} else { // expected control or list of control sepparated by ","
+
+				// Read controls from input args
+				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)
+
+				if len(args) > 1 {
+					if len(args[1:]) == 0 || args[1] != "-" {
+						scanInfo.InputPatterns = []string{args[1]}
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+
+			scanInfo.FrameworkScan = false
+
+			results, err := ks.Scan(scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if err := results.HandleResults(); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if !scanInfo.VerboseMode {
+				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+			}
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+			return nil
+		},
+	}
+}

cmd/scan/framework.go

@@ -0,0 +1,129 @@
+package scan
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/meta"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/enescakir/emoji"
+	"github.com/spf13/cobra"
+)
+
+var (
+	frameworkExample = `
+  # Scan all frameworks and submit the results
+  kubescape scan framework all --submit
+  
+  # Scan the NSA framework
+  kubescape scan framework nsa
+  
+  # Scan the NSA and MITRE framework
+  kubescape scan framework nsa,mitre
+  
+  # Scan all frameworks
+  kubescape scan framework all
+
+  # Scan kubernetes YAML manifest files (single file or glob)
+  kubescape scan framework nsa *.yaml
+
+  Run 'kubescape list frameworks' for the list of supported frameworks
+`
+)
+
+func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+
+	return &cobra.Command{
+		Use:     "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
+		Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
+		Example: frameworkExample,
+		Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				frameworks := strings.Split(args[0], ",")
+				if len(frameworks) > 1 {
+					for _, framework := range frameworks {
+						if framework == "" {
+							return fmt.Errorf("usage: <framework-0>,<framework-1>")
+						}
+					}
+				}
+			} else {
+				return fmt.Errorf("requires at least one framework name")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationFramework(scanInfo); err != nil {
+				return err
+			}
+			scanInfo.FrameworkScan = true
+
+			var frameworks []string
+
+			if len(args) == 0 { // scan all frameworks
+				scanInfo.ScanAll = true
+			} else {
+				// Read frameworks from input args
+				frameworks = strings.Split(args[0], ",")
+				if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
+					scanInfo.ScanAll = true
+					frameworks = []string{}
+				}
+				if len(args) > 1 {
+					if len(args[1:]) == 0 || args[1] != "-" {
+						scanInfo.InputPatterns = []string{args[1]}
+					} else { // store stdin to file - do NOT move to separate function !!
+						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
+						if err != nil {
+							return err
+						}
+						defer os.Remove(tempFile.Name())
+
+						if _, err := io.Copy(tempFile, os.Stdin); err != nil {
+							return err
+						}
+						scanInfo.InputPatterns = []string{tempFile.Name()}
+					}
+				}
+			}
+			scanInfo.FrameworkScan = true
+
+			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
+
+			results, err := ks.Scan(scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err = results.HandleResults(); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			if !scanInfo.VerboseMode {
+				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+			}
+			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
+				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
+			}
+			return nil
+		},
+	}
+}
+
+func flagValidationFramework(scanInfo *cautils.ScanInfo) error {
+	if scanInfo.Submit && scanInfo.Local {
+		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
+	}
+	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
+		return fmt.Errorf("bad argument: out of range threshold")
+	}
+	return nil
+}

cmd/scan/scan.go

@@ -0,0 +1,104 @@
+package scan
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/meta"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/spf13/cobra"
+)
+
+var scanCmdExamples = `
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defind frameworks 
+  
+  # Scan current cluster with all frameworks
+  kubescape scan --submit --enable-host-scan --verbose
+
+  # Scan kubernetes YAML manifest files
+  kubescape scan *.yaml
+
+  # Scan and save the results in the JSON format
+  kubescape scan --format json --output results.json
+
+  # Display all resources
+  kubescape scan --verbose
+
+  # Scan different clusters from the kubectl context 
+  kubescape scan --kube-context <kubernetes context>
+  
+`
+
+func GetScanCommand(ks meta.IKubescape) *cobra.Command {
+	var scanInfo cautils.ScanInfo
+
+	// scanCmd represents the scan command
+	scanCmd := &cobra.Command{
+		Use:     "scan",
+		Short:   "Scan the current running cluster or yaml files",
+		Long:    `The action you want to perform`,
+		Example: scanCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				if args[0] != "framework" && args[0] != "control" {
+					scanInfo.ScanAll = true
+					return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{"all"}, args...))
+				}
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if len(args) == 0 {
+				scanInfo.ScanAll = true
+				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, []string{"all"})
+			}
+			return nil
+		},
+		PreRun: func(cmd *cobra.Command, args []string) {
+			k8sinterface.SetClusterContextName(scanInfo.KubeContext)
+		},
+		PostRun: func(cmd *cobra.Command, args []string) {
+			// TODO - revert context
+		},
+	}
+
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
+	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html"`)
+	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to ARMO backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
+	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
+	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to ARMO management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+
+	// Deprecated flags - remove 1.May.2022
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
+	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
+
+	// hidden flags
+	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
+	scanCmd.PersistentFlags().MarkHidden("silent")         // this flag should be deprecated since we added the --logger support
+	// scanCmd.PersistentFlags().MarkHidden("format-version") // meant for testing different output approaches and not for common use
+
+	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/armosec/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
+	hostF.NoOptDefVal = "true"
+	hostF.DefValue = "false, for no TTY in stdin"
+
+	scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
+	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
+
+	return scanCmd
+}

cmd/submit/exceptions.go

@@ -0,0 +1,29 @@
+package submit
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/v2/core/meta"
+	metav1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+
+	"github.com/spf13/cobra"
+)
+
+func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Command {
+	return &cobra.Command{
+		Use:   "exceptions <full path to exceptions file>",
+		Short: "Submit exceptions to the Kubescape SaaS version",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("missing full path to exceptions file")
+			}
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := ks.SubmitExceptions(&submitInfo.Credentials, args[0]); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+		},
+	}
+}

cmd/submit/rbac.go

@@ -0,0 +1,85 @@
+package submit
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	"github.com/armosec/kubescape/v2/core/meta"
+	"github.com/armosec/kubescape/v2/core/meta/cliinterfaces"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	reporterv2 "github.com/armosec/kubescape/v2/core/pkg/resultshandling/reporter/v2"
+	"github.com/google/uuid"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+
+	"github.com/kubescape/rbac-utils/rbacscanner"
+	"github.com/spf13/cobra"
+)
+
+var (
+	rbacExamples = `
+	# Submit cluster's Role-Based Access Control(RBAC)
+	kubescape submit rbac
+
+	# Submit cluster's Role-Based Access Control(RBAC) with account ID 
+	kubescape submit rbac --account <account-id>
+	`
+)
+
+// getRBACCmd represents the RBAC command
+func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
+	return &cobra.Command{
+		Use:     "rbac",
+		Example: rbacExamples,
+		Short:   "Submit cluster's Role-Based Access Control(RBAC)",
+		Long:    ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			k8s := k8sinterface.NewKubernetesApi()
+
+			// get config
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			if err := clusterConfig.SetTenant(); err != nil {
+				logger.L().Error("failed setting account ID", helpers.Error(err))
+			}
+
+			if clusterConfig.GetAccountID() == "" {
+				return fmt.Errorf("account ID is not set, run 'kubescape submit rbac --account <account-id>'")
+			}
+
+			// list RBAC
+			rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetAccountID(), clusterConfig.GetContextName()))
+
+			// submit resources
+			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextRBAC)
+
+			submitInterfaces := cliinterfaces.SubmitInterfaces{
+				ClusterConfig: clusterConfig,
+				SubmitObjects: rbacObjects,
+				Reporter:      r,
+			}
+
+			if err := ks.Submit(submitInterfaces); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+
+}
+
+// getKubernetesApi
+func getKubernetesApi() *k8sinterface.KubernetesApi {
+	if !k8sinterface.IsConnectedToCluster() {
+		return nil
+	}
+	return k8sinterface.NewKubernetesApi()
+}
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName)
+	}
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName)
+}

cmd/submit/results.go

@@ -0,0 +1,99 @@
+package submit
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/uuid"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+
+	"github.com/armosec/kubescape/v2/core/meta"
+	"github.com/armosec/kubescape/v2/core/meta/cliinterfaces"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	reporterv2 "github.com/armosec/kubescape/v2/core/pkg/resultshandling/reporter/v2"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+
+	"github.com/spf13/cobra"
+)
+
+var formatVersion string
+
+type ResultsObject struct {
+	filePath     string
+	customerGUID string
+	clusterName  string
+}
+
+func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
+	return &ResultsObject{
+		filePath:     filePath,
+		customerGUID: customerGUID,
+		clusterName:  clusterName,
+	}
+}
+
+func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandlingv2.PostureReport, error) {
+	// load framework results from json file
+	report, err := loadResultsFromFile(resultsObject.filePath)
+	if err != nil {
+		return nil, err
+	}
+	return report, nil
+}
+
+func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
+	return map[string]workloadinterface.IMetadata{}, nil
+}
+
+func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
+	var resultsCmd = &cobra.Command{
+		Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json --format-version v2",
+		Short: "Submit a pre scanned results file. The file must be in json format",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return fmt.Errorf("missing results file")
+			}
+
+			k8s := getKubernetesApi()
+
+			// get config
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			if err := clusterConfig.SetTenant(); err != nil {
+				logger.L().Error("failed setting account ID", helpers.Error(err))
+			}
+
+			resultsObjects := NewResultsObject(clusterConfig.GetAccountID(), clusterConfig.GetContextName(), args[0])
+
+			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextScan)
+
+			submitInterfaces := cliinterfaces.SubmitInterfaces{
+				ClusterConfig: clusterConfig,
+				SubmitObjects: resultsObjects,
+				Reporter:      r,
+			}
+
+			if err := ks.Submit(submitInterfaces); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+			return nil
+		},
+	}
+	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+
+	return resultsCmd
+}
+func loadResultsFromFile(filePath string) (*reporthandlingv2.PostureReport, error) {
+	report := &reporthandlingv2.PostureReport{}
+	f, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(f, report); err != nil {
+		return report, fmt.Errorf("failed to unmarshal results file: %s, make sure you run kubescape with '--format=json --format-version=v2'", err.Error())
+	}
+	return report, nil
+}

cmd/submit/submit.go

@@ -0,0 +1,32 @@
+package submit
+
+import (
+	"github.com/armosec/kubescape/v2/core/meta"
+	metav1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/spf13/cobra"
+)
+
+var submitCmdExamples = `
+
+`
+
+func GetSubmitCmd(ks meta.IKubescape) *cobra.Command {
+	var submitInfo metav1.Submit
+
+	submitCmd := &cobra.Command{
+		Use:   "submit <command>",
+		Short: "Submit an object to the Kubescape SaaS version",
+		Long:  ``,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+
+	submitCmd.AddCommand(getExceptionsCmd(ks, &submitInfo))
+	submitCmd.AddCommand(getResultsCmd(ks, &submitInfo))
+	submitCmd.AddCommand(getRBACCmd(ks, &submitInfo))
+
+	return submitCmd
+}

cmd/version/version.go

@@ -0,0 +1,24 @@
+package version
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+func GetVersionCmd() *cobra.Command {
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Get current version",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			v := cautils.NewIVersionCheckHandler()
+			v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
+			fmt.Fprintln(os.Stdout, "Your current version is: "+cautils.BuildNumber)
+			return nil
+		},
+	}
+	return versionCmd
+}

core/README.md

@@ -0,0 +1,14 @@
+# Kubescape core package
+
+```go
+
+// initialize kubescape
+ks := core.NewKubescape()
+
+// scan cluster
+results, err := ks.Scan(&cautils.ScanInfo{})
+
+// convert scan results to json
+jsonRes, err := results.ToJson()
+
+```

core/cautils/customerloader.go

@@ -0,0 +1,518 @@
+package cautils
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const configFileName = "config"
+
+func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
+
+// ======================================================================================
+// =============================== Config structure =====================================
+// ======================================================================================
+
+type ConfigObj struct {
+	AccountID          string `json:"accountID,omitempty"`
+	ClientID           string `json:"clientID,omitempty"`
+	SecretKey          string `json:"secretKey,omitempty"`
+	CustomerGUID       string `json:"customerGUID,omitempty"` // Deprecated
+	Token              string `json:"invitationParam,omitempty"`
+	CustomerAdminEMail string `json:"adminMail,omitempty"`
+	ClusterName        string `json:"clusterName,omitempty"`
+}
+
+// Config - convert ConfigObj to config file
+func (co *ConfigObj) Config() []byte {
+
+	// remove cluster name before saving to file
+	clusterName := co.ClusterName
+	customerAdminEMail := co.CustomerAdminEMail
+	token := co.Token
+	co.ClusterName = ""
+	co.Token = ""
+	co.CustomerAdminEMail = ""
+
+	b, err := json.MarshalIndent(co, "", "  ")
+
+	co.ClusterName = clusterName
+	co.CustomerAdminEMail = customerAdminEMail
+	co.Token = token
+
+	if err == nil {
+		return b
+	}
+
+	return []byte{}
+}
+
+// ======================================================================================
+// =============================== interface ============================================
+// ======================================================================================
+type ITenantConfig interface {
+	// set
+	SetTenant() error
+	UpdateCachedConfig() error
+	DeleteCachedConfig() error
+
+	// getters
+	GetContextName() string
+	GetAccountID() string
+	GetTenantEmail() string
+	GetToken() string
+	GetClientID() string
+	GetSecretKey() string
+	GetConfigObj() *ConfigObj
+	// GetBackendAPI() getter.IBackend
+	// GenerateURL()
+
+	IsConfigFound() bool
+}
+
+// ======================================================================================
+// ============================ Local Config ============================================
+// ======================================================================================
+// Config when scanning YAML files or URL but not a Kubernetes cluster
+type LocalConfig struct {
+	backendAPI getter.IBackend
+	configObj  *ConfigObj
+}
+
+func NewLocalConfig(
+	backendAPI getter.IBackend, credentials *Credentials, clusterName string) *LocalConfig {
+
+	lc := &LocalConfig{
+		backendAPI: backendAPI,
+		configObj:  &ConfigObj{},
+	}
+	// get from configMap
+	if existsConfigFile() { // get from file
+		loadConfigFromFile(lc.configObj)
+	}
+
+	updateCredentials(lc.configObj, credentials)
+
+	if clusterName != "" {
+		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
+
+	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
+	lc.backendAPI.SetClientID(lc.configObj.ClientID)
+	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
+
+	return lc
+}
+
+func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
+func (lc *LocalConfig) GetTenantEmail() string   { return lc.configObj.CustomerAdminEMail }
+func (lc *LocalConfig) GetAccountID() string     { return lc.configObj.AccountID }
+func (lc *LocalConfig) GetClientID() string      { return lc.configObj.ClientID }
+func (lc *LocalConfig) GetSecretKey() string     { return lc.configObj.SecretKey }
+func (lc *LocalConfig) GetContextName() string   { return lc.configObj.ClusterName }
+func (lc *LocalConfig) GetToken() string         { return lc.configObj.Token }
+func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
+func (lc *LocalConfig) SetTenant() error {
+
+	// Kubescape Cloud tenant GUID
+	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
+		return err
+	}
+	lc.UpdateCachedConfig()
+	return nil
+
+}
+func (lc *LocalConfig) UpdateCachedConfig() error {
+	return updateConfigFile(lc.configObj)
+}
+
+func (lc *LocalConfig) DeleteCachedConfig() error {
+	if err := DeleteConfigFile(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	return nil
+}
+
+func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
+
+	// get from Kubescape Cloud API
+	tenantResponse, err := backendAPI.GetTenant()
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // registered tenant
+			configObj.CustomerAdminEMail = tenantResponse.AdminMail
+		} else { // new tenant
+			configObj.Token = tenantResponse.Token
+			configObj.AccountID = tenantResponse.TenantID
+		}
+	} else {
+		if err != nil && !strings.Contains(err.Error(), "already exists") {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ======================================================================================
+// ========================== Cluster Config ============================================
+// ======================================================================================
+
+// ClusterConfig configuration of specific cluster
+/*
+
+Supported environments variables:
+KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescape'
+KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
+
+KS_ACCOUNT_ID
+KS_CLIENT_ID
+KS_SECRET_KEY
+
+TODO - supprot:
+KS_CACHE // path to cached files
+*/
+type ClusterConfig struct {
+	k8s                *k8sinterface.KubernetesApi
+	configMapName      string
+	configMapNamespace string
+	backendAPI         getter.IBackend
+	configObj          *ConfigObj
+}
+
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string) *ClusterConfig {
+	// var configObj *ConfigObj
+	c := &ClusterConfig{
+		k8s:                k8s,
+		backendAPI:         backendAPI,
+		configObj:          &ConfigObj{},
+		configMapName:      getConfigMapName(),
+		configMapNamespace: getConfigMapNamespace(),
+	}
+
+	// first, load from configMap
+	if c.existsConfigMap() {
+		c.loadConfigFromConfigMap()
+	}
+
+	// second, load from file
+	if existsConfigFile() { // get from file
+		loadConfigFromFile(c.configObj)
+	}
+	updateCredentials(c.configObj, credentials)
+
+	if clusterName != "" {
+		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
+	}
+
+	if c.configObj.ClusterName == "" {
+		c.configObj.ClusterName = AdoptClusterName(k8sinterface.GetContextName())
+	} else { // override the cluster name if it has unwanted characters
+		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
+	}
+
+	c.backendAPI.SetAccountID(c.configObj.AccountID)
+	c.backendAPI.SetClientID(c.configObj.ClientID)
+	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
+
+	return c
+}
+
+func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string     { return c.configMapNamespace }
+func (c *ClusterConfig) GetAccountID() string     { return c.configObj.AccountID }
+func (c *ClusterConfig) GetClientID() string      { return c.configObj.ClientID }
+func (c *ClusterConfig) GetSecretKey() string     { return c.configObj.SecretKey }
+func (c *ClusterConfig) GetTenantEmail() string   { return c.configObj.CustomerAdminEMail }
+func (c *ClusterConfig) GetToken() string         { return c.configObj.Token }
+func (c *ClusterConfig) IsConfigFound() bool      { return existsConfigFile() || c.existsConfigMap() }
+
+func (c *ClusterConfig) SetTenant() error {
+
+	// ARMO tenant GUID
+	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
+		return err
+	}
+	c.UpdateCachedConfig()
+	return nil
+
+}
+
+func (c *ClusterConfig) UpdateCachedConfig() error {
+	// update/create config
+	if c.existsConfigMap() {
+		if err := c.updateConfigMap(); err != nil {
+			return err
+		}
+	} else {
+		if err := c.createConfigMap(); err != nil {
+			return err
+		}
+	}
+	return updateConfigFile(c.configObj)
+}
+
+func (c *ClusterConfig) DeleteCachedConfig() error {
+	if err := c.deleteConfigMap(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	if err := DeleteConfigFile(); err != nil {
+		logger.L().Warning(err.Error())
+	}
+	return nil
+}
+func (c *ClusterConfig) GetContextName() string {
+	return c.configObj.ClusterName
+}
+
+func (c *ClusterConfig) ToMapString() map[string]interface{} {
+	m := map[string]interface{}{}
+	if bc, err := json.Marshal(c.configObj); err == nil {
+		json.Unmarshal(bc, &m)
+	}
+	return m
+}
+func (c *ClusterConfig) loadConfigFromConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	return loadConfigFromData(c.configObj, configMap.Data)
+}
+
+func loadConfigFromData(co *ConfigObj, data map[string]string) error {
+	var e error
+	if jsonConf, ok := data["config.json"]; ok {
+		e = readConfig([]byte(jsonConf), co)
+	}
+	if bData, err := json.Marshal(data); err == nil {
+		e = readConfig(bData, co)
+	}
+
+	return e
+}
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	// TODO - check if has customerGUID
+	return err == nil
+}
+
+func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return "", err
+	}
+	if val, ok := configMap.Data[key]; ok {
+		return val, nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+}
+
+func GetValueFromConfigJson(key string) (string, error) {
+	data, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return "", err
+	}
+	var obj map[string]interface{}
+	if err := json.Unmarshal(data, &obj); err != nil {
+		return "", err
+	}
+	if val, ok := obj[key]; ok {
+		return fmt.Sprint(val), nil
+	} else {
+		return "", fmt.Errorf("value does not exist")
+	}
+
+}
+
+func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
+
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+	if err != nil {
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: c.configMapName,
+			},
+		}
+	}
+
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+
+	configMap.Data[key] = value
+
+	if err != nil {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
+	} else {
+		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	}
+
+	return err
+}
+
+func existsConfigFile() bool {
+	_, err := os.ReadFile(ConfigFileFullPath())
+	return err == nil
+}
+
+func (c *ClusterConfig) createConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: c.configMapName,
+		},
+	}
+	c.updateConfigData(configMap)
+
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
+	return err
+}
+
+func (c *ClusterConfig) updateConfigMap() error {
+	if c.k8s == nil {
+		return nil
+	}
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+	if err != nil {
+		return err
+	}
+
+	c.updateConfigData(configMap)
+
+	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+	return err
+}
+
+func updateConfigFile(configObj *ConfigObj) error {
+	if err := os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
+	if len(configMap.Data) == 0 {
+		configMap.Data = make(map[string]string)
+	}
+	m := c.ToMapString()
+	for k, v := range m {
+		if s, ok := v.(string); ok {
+			configMap.Data[k] = s
+		}
+	}
+}
+func loadConfigFromFile(configObj *ConfigObj) error {
+	dat, err := os.ReadFile(ConfigFileFullPath())
+	if err != nil {
+		return err
+	}
+	return readConfig(dat, configObj)
+}
+func readConfig(dat []byte, configObj *ConfigObj) error {
+
+	if len(dat) == 0 {
+		return nil
+	}
+
+	if err := json.Unmarshal(dat, configObj); err != nil {
+		return err
+	}
+	if configObj.AccountID == "" {
+		configObj.AccountID = configObj.CustomerGUID
+	}
+	configObj.CustomerGUID = ""
+	return nil
+}
+
+// Check if the customer is submitted
+func (clusterConfig *ClusterConfig) IsSubmitted() bool {
+	return clusterConfig.existsConfigMap() || existsConfigFile()
+}
+
+// Check if the customer is registered
+func (clusterConfig *ClusterConfig) IsRegistered() bool {
+
+	// get from armoBE
+	tenantResponse, err := clusterConfig.backendAPI.GetTenant()
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			return true
+		}
+	}
+	return false
+}
+
+func (clusterConfig *ClusterConfig) deleteConfigMap() error {
+	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
+}
+
+func DeleteConfigFile() error {
+	return os.Remove(ConfigFileFullPath())
+}
+
+func AdoptClusterName(clusterName string) string {
+	return strings.ReplaceAll(clusterName, "/", "-")
+}
+
+func getConfigMapName() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAME"); n != "" {
+		return n
+	}
+	return "kubescape"
+}
+
+func getConfigMapNamespace() string {
+	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAMESPACE"); n != "" {
+		return n
+	}
+	return "default"
+}
+
+func getAccountFromEnv(credentials *Credentials) {
+	// load from env
+	if accountID := os.Getenv("KS_ACCOUNT_ID"); credentials.Account == "" && accountID != "" {
+		credentials.Account = accountID
+	}
+	if clientID := os.Getenv("KS_CLIENT_ID"); credentials.ClientID == "" && clientID != "" {
+		credentials.ClientID = clientID
+	}
+	if secretKey := os.Getenv("KS_SECRET_KEY"); credentials.SecretKey == "" && secretKey != "" {
+		credentials.SecretKey = secretKey
+	}
+}
+
+func updateCredentials(configObj *ConfigObj, credentials *Credentials) {
+
+	if credentials == nil {
+		credentials = &Credentials{}
+	}
+	getAccountFromEnv(credentials)
+
+	if credentials.Account != "" {
+		configObj.AccountID = credentials.Account // override config Account
+	}
+	if credentials.ClientID != "" {
+		configObj.ClientID = credentials.ClientID // override config ClientID
+	}
+	if credentials.SecretKey != "" {
+		configObj.SecretKey = credentials.SecretKey // override config SecretKey
+	}
+
+}

core/cautils/customerloader_test.go

@@ -0,0 +1,193 @@
+package cautils
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func mockConfigObj() *ConfigObj {
+	return &ConfigObj{
+		AccountID:          "aaa",
+		ClientID:           "bbb",
+		SecretKey:          "ccc",
+		ClusterName:        "ddd",
+		CustomerAdminEMail: "ab@cd",
+		Token:              "eee",
+	}
+}
+func mockLocalConfig() *LocalConfig {
+	return &LocalConfig{
+		backendAPI: nil,
+		configObj:  mockConfigObj(),
+	}
+}
+
+func mockClusterConfig() *ClusterConfig {
+	return &ClusterConfig{
+		backendAPI: nil,
+		configObj:  mockConfigObj(),
+	}
+}
+func TestConfig(t *testing.T) {
+	co := mockConfigObj()
+	cop := ConfigObj{}
+
+	assert.NoError(t, json.Unmarshal(co.Config(), &cop))
+	assert.Equal(t, co.AccountID, cop.AccountID)
+	assert.Equal(t, co.ClientID, cop.ClientID)
+	assert.Equal(t, co.SecretKey, cop.SecretKey)
+	assert.Equal(t, "", cop.ClusterName)        // Not copied to bytes
+	assert.Equal(t, "", cop.CustomerAdminEMail) // Not copied to bytes
+	assert.Equal(t, "", cop.Token)              // Not copied to bytes
+
+}
+
+func TestITenantConfig(t *testing.T) {
+	var lc ITenantConfig
+	var c ITenantConfig
+	lc = mockLocalConfig()
+	c = mockClusterConfig()
+
+	co := mockConfigObj()
+
+	// test LocalConfig methods
+	assert.Equal(t, co.AccountID, lc.GetAccountID())
+	assert.Equal(t, co.ClientID, lc.GetClientID())
+	assert.Equal(t, co.SecretKey, lc.GetSecretKey())
+	assert.Equal(t, co.ClusterName, lc.GetContextName())
+	assert.Equal(t, co.CustomerAdminEMail, lc.GetTenantEmail())
+	assert.Equal(t, co.Token, lc.GetToken())
+
+	// test ClusterConfig methods
+	assert.Equal(t, co.AccountID, c.GetAccountID())
+	assert.Equal(t, co.ClientID, c.GetClientID())
+	assert.Equal(t, co.SecretKey, c.GetSecretKey())
+	assert.Equal(t, co.ClusterName, c.GetContextName())
+	assert.Equal(t, co.CustomerAdminEMail, c.GetTenantEmail())
+	assert.Equal(t, co.Token, c.GetToken())
+}
+
+func TestUpdateConfigData(t *testing.T) {
+	c := mockClusterConfig()
+
+	configMap := &corev1.ConfigMap{}
+
+	c.updateConfigData(configMap)
+
+	assert.Equal(t, c.GetAccountID(), configMap.Data["accountID"])
+	assert.Equal(t, c.GetClientID(), configMap.Data["clientID"])
+	assert.Equal(t, c.GetSecretKey(), configMap.Data["secretKey"])
+}
+
+func TestReadConfig(t *testing.T) {
+	com := mockConfigObj()
+	co := &ConfigObj{}
+
+	b, e := json.Marshal(com)
+	assert.NoError(t, e)
+
+	readConfig(b, co)
+
+	assert.Equal(t, com.AccountID, co.AccountID)
+	assert.Equal(t, com.ClientID, co.ClientID)
+	assert.Equal(t, com.SecretKey, co.SecretKey)
+	assert.Equal(t, com.ClusterName, co.ClusterName)
+	assert.Equal(t, com.CustomerAdminEMail, co.CustomerAdminEMail)
+	assert.Equal(t, com.Token, co.Token)
+}
+
+func TestLoadConfigFromData(t *testing.T) {
+
+	// use case: all data is in base config
+	{
+		c := mockClusterConfig()
+		co := mockConfigObj()
+
+		configMap := &corev1.ConfigMap{}
+
+		c.updateConfigData(configMap)
+
+		c.configObj = &ConfigObj{}
+
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, c.GetAccountID(), co.AccountID)
+		assert.Equal(t, c.GetClientID(), co.ClientID)
+		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
+		assert.Equal(t, c.GetContextName(), co.ClusterName)
+		assert.Equal(t, c.GetTenantEmail(), co.CustomerAdminEMail)
+		assert.Equal(t, c.GetToken(), co.Token)
+	}
+
+	// use case: all data is in config.json
+	{
+		c := mockClusterConfig()
+
+		co := mockConfigObj()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		c.configObj = &ConfigObj{}
+
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, c.GetAccountID(), co.AccountID)
+		assert.Equal(t, c.GetClientID(), co.ClientID)
+		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
+	}
+
+	// use case: some data is in config.json
+	{
+		c := mockClusterConfig()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		// add to map
+		configMap.Data["clientID"] = c.configObj.ClientID
+		configMap.Data["secretKey"] = c.configObj.SecretKey
+
+		// delete the content
+		c.configObj.ClientID = ""
+		c.configObj.SecretKey = ""
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.NotEmpty(t, c.GetAccountID())
+		assert.NotEmpty(t, c.GetClientID())
+		assert.NotEmpty(t, c.GetSecretKey())
+	}
+
+	// use case: some data is in config.json
+	{
+		c := mockClusterConfig()
+		configMap := &corev1.ConfigMap{
+			Data: make(map[string]string),
+		}
+
+		c.configObj.AccountID = "tttt"
+
+		// add to map
+		configMap.Data["accountID"] = mockConfigObj().AccountID
+		configMap.Data["clientID"] = c.configObj.ClientID
+		configMap.Data["secretKey"] = c.configObj.SecretKey
+
+		// delete the content
+		c.configObj.ClientID = ""
+		c.configObj.SecretKey = ""
+
+		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
+		loadConfigFromData(c.configObj, configMap.Data)
+
+		assert.Equal(t, mockConfigObj().AccountID, c.GetAccountID())
+		assert.NotEmpty(t, c.GetClientID())
+		assert.NotEmpty(t, c.GetSecretKey())
+	}
+
+}

core/cautils/datastructures.go

@@ -0,0 +1,82 @@
+package cautils
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/reporthandling"
+	apis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+)
+
+// K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
+type K8SResources map[string][]string
+type KSResources map[string][]string
+
+type OPASessionObj struct {
+	K8SResources          *K8SResources                          // input k8s objects
+	ArmoResource          *KSResources                           // input ARMO objects
+	Policies              []reporthandling.Framework             // list of frameworks to scan
+	AllResources          map[string]workloadinterface.IMetadata // all scanned resources, map[<rtesource ID>]<resource>
+	ResourcesResult       map[string]resourcesresults.Result     // resources scan results, map[<rtesource ID>]<resource result>
+	ResourceSource        map[string]reporthandling.Source       // resources sources, map[<rtesource ID>]<resource result>
+	Report                *reporthandlingv2.PostureReport        // scan results v2 - Remove
+	Exceptions            []armotypes.PostureExceptionPolicy     // list of exceptions to apply on scan results
+	RegoInputData         RegoInputData                          // input passed to rgo for scanning. map[<control name>][<input arguments>]
+	Metadata              *reporthandlingv2.Metadata
+	InfoMap               map[string]apis.StatusInfo // Map errors of resources to StatusInfo
+	ResourceToControlsMap map[string][]string        // map[<apigroup/apiversion/resource>] = [<control_IDs>]
+	SessionID             string                     // SessionID
+}
+
+func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources, scanInfo *ScanInfo) *OPASessionObj {
+	return &OPASessionObj{
+		Report:                &reporthandlingv2.PostureReport{},
+		Policies:              frameworks,
+		K8SResources:          k8sResources,
+		AllResources:          make(map[string]workloadinterface.IMetadata),
+		ResourcesResult:       make(map[string]resourcesresults.Result),
+		InfoMap:               make(map[string]apis.StatusInfo),
+		ResourceToControlsMap: make(map[string][]string),
+		ResourceSource:        make(map[string]reporthandling.Source),
+		SessionID:             scanInfo.ScanID,
+		Metadata:              scanInfoToScanMetadata(scanInfo),
+	}
+}
+
+func NewOPASessionObjMock() *OPASessionObj {
+	return &OPASessionObj{
+		Policies:        nil,
+		K8SResources:    nil,
+		AllResources:    make(map[string]workloadinterface.IMetadata),
+		ResourcesResult: make(map[string]resourcesresults.Result),
+		Report:          &reporthandlingv2.PostureReport{},
+		Metadata: &reporthandlingv2.Metadata{
+			ScanMetadata: reporthandlingv2.ScanMetadata{
+				ScanningTarget: 0,
+			},
+		},
+	}
+}
+
+type ComponentConfig struct {
+	Exceptions Exception `json:"exceptions"`
+}
+
+type Exception struct {
+	Ignore        *bool                      `json:"ignore"`        // ignore test results
+	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
+	Namespaces    []string                   `json:"namespaces"`
+	Regex         string                     `json:"regex"` // not supported
+}
+
+type RegoInputData struct {
+	PostureControlInputs map[string][]string `json:"postureControlInputs"`
+	// ClusterName          string              `json:"clusterName"`
+	// K8sConfig            RegoK8sConfig       `json:"k8sconfig"`
+}
+
+type Policies struct {
+	Frameworks []string
+	Controls   map[string]reporthandling.Control // map[<control ID>]<control>
+}

core/cautils/datastructuresmethods.go

@@ -0,0 +1,68 @@
+package cautils
+
+import (
+	"golang.org/x/mod/semver"
+
+	"github.com/armosec/utils-go/boolutils"
+	"github.com/kubescape/opa-utils/reporthandling"
+)
+
+func NewPolicies() *Policies {
+	return &Policies{
+		Frameworks: make([]string, 0),
+		Controls:   make(map[string]reporthandling.Control),
+	}
+}
+
+func (policies *Policies) Set(frameworks []reporthandling.Framework, version string) {
+	for i := range frameworks {
+		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
+			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
+		}
+		for j := range frameworks[i].Controls {
+			compatibleRules := []reporthandling.PolicyRule{}
+			for r := range frameworks[i].Controls[j].Rules {
+				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
+					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				}
+			}
+			if len(compatibleRules) > 0 {
+				frameworks[i].Controls[j].Rules = compatibleRules
+				policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
+			}
+		}
+
+	}
+}
+
+func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
+	if attributes == nil {
+		return false
+	}
+	if s, ok := attributes["armoOpa"]; ok { // TODO - make global
+		return boolutils.StringToBool(s.(string))
+	}
+	return false
+}
+
+// Checks that kubescape version is in range of use for this rule
+// In local build (BuildNumber = ""):
+// returns true only if rule doesn't have the "until" attribute
+func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
+	if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
+		if version != "" {
+			if semver.Compare(version, from.(string)) == -1 {
+				return false
+			}
+		}
+	}
+	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
+		if version == "" {
+			return false
+		}
+		if semver.Compare(version, until.(string)) >= 0 {
+			return false
+		}
+	}
+	return true
+}

core/cautils/display.go

@@ -0,0 +1,41 @@
+package cautils
+
+import (
+	"os"
+	"time"
+
+	spinnerpkg "github.com/briandowns/spinner"
+	"github.com/fatih/color"
+	"github.com/mattn/go-isatty"
+)
+
+var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
+var WarningDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
+var InfoDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
+var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var SimpleDisplay = color.New().FprintfFunc()
+var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
+var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
+
+var spinner *spinnerpkg.Spinner
+
+func StartSpinner() {
+	if spinner != nil {
+		if !spinner.Active() {
+			spinner.Start()
+		}
+		return
+	}
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		spinner = spinnerpkg.New(spinnerpkg.CharSets[7], 100*time.Millisecond) // Build our new spinner
+		spinner.Start()
+	}
+}
+
+func StopSpinner() {
+	if spinner == nil || !spinner.Active() {
+		return
+	}
+	spinner.Stop()
+}

core/cautils/environments.go

@@ -0,0 +1,7 @@
+package cautils
+
+// Kubescape Cloud environment vars
+var (
+	CustomerGUID = ""
+	ClusterName  = ""
+)

core/cautils/fileutils.go

@@ -0,0 +1,342 @@
+package cautils
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+
+	"gopkg.in/yaml.v2"
+)
+
+var (
+	YAML_PREFIX = []string{"yaml", "yml"}
+	JSON_PREFIX = []string{"json"}
+)
+
+type FileFormat string
+
+const (
+	YAML_FILE_FORMAT FileFormat = "yaml"
+	JSON_FILE_FORMAT FileFormat = "json"
+)
+
+// LoadResourcesFromHelmCharts scans a given path (recuresively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
+func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
+	directories, _ := listDirs(basePath)
+	helmDirectories := make([]string, 0)
+	for _, dir := range directories {
+		if ok, _ := IsHelmDirectory(dir); ok {
+			helmDirectories = append(helmDirectories, dir)
+		}
+	}
+
+	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
+	sourceToChartName := map[string]string{}
+	for _, helmDir := range helmDirectories {
+		chart, err := NewHelmChart(helmDir)
+		if err == nil {
+			wls, errs := chart.GetWorkloadsWithDefaultValues()
+			if len(errs) > 0 {
+				logger.L().Error(fmt.Sprintf("Rendering of Helm chart template failed: %v", errs))
+				continue
+			}
+
+			chartName := chart.GetName()
+			for k, v := range wls {
+				sourceToWorkloads[k] = v
+				sourceToChartName[k] = chartName
+			}
+		}
+	}
+	return sourceToWorkloads, sourceToChartName
+}
+
+func LoadResourcesFromFiles(input, rootPath string) map[string][]workloadinterface.IMetadata {
+	files, errs := listFiles(input)
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("%v", errs))
+	}
+	if len(files) == 0 {
+		return nil
+	}
+
+	workloads, errs := loadFiles(rootPath, files)
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("%v", errs))
+	}
+
+	return workloads
+}
+
+func loadFiles(rootPath string, filePaths []string) (map[string][]workloadinterface.IMetadata, []error) {
+	workloads := make(map[string][]workloadinterface.IMetadata, 0)
+	errs := []error{}
+	for i := range filePaths {
+		f, err := loadFile(filePaths[i])
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		if len(f) == 0 {
+			continue // empty file
+		}
+
+		w, e := ReadFile(f, GetFileFormat(filePaths[i]))
+		if e != nil {
+			logger.L().Debug("failed to read file", helpers.String("file", filePaths[i]), helpers.Error(e))
+		}
+		if len(w) != 0 {
+			path := filePaths[i]
+			if _, ok := workloads[path]; !ok {
+				workloads[path] = []workloadinterface.IMetadata{}
+			}
+			wSlice := workloads[path]
+			for j := range w {
+				lw := localworkload.NewLocalWorkload(w[j].GetObject())
+				if relPath, err := filepath.Rel(rootPath, path); err == nil {
+					lw.SetPath(relPath)
+				} else {
+					lw.SetPath(path)
+				}
+				wSlice = append(wSlice, lw)
+			}
+			workloads[path] = wSlice
+		}
+	}
+	return workloads, errs
+}
+
+func loadFile(filePath string) ([]byte, error) {
+	return os.ReadFile(filePath)
+}
+func ReadFile(fileContent []byte, fileFormat FileFormat) ([]workloadinterface.IMetadata, error) {
+
+	switch fileFormat {
+	case YAML_FILE_FORMAT:
+		return readYamlFile(fileContent)
+	case JSON_FILE_FORMAT:
+		return readJsonFile(fileContent)
+	default:
+		return nil, nil
+	}
+}
+
+// listFiles returns the list of absolute paths, full file path and list of errors. The list of abs paths and full path have the same length
+func listFiles(pattern string) ([]string, []error) {
+	return listFilesOrDirectories(pattern, false)
+}
+
+// listDirs returns the list of absolute paths, full directories path and list of errors. The list of abs paths and full path have the same length
+func listDirs(pattern string) ([]string, []error) {
+	return listFilesOrDirectories(pattern, true)
+}
+
+func listFilesOrDirectories(pattern string, onlyDirectories bool) ([]string, []error) {
+	var paths []string
+	errs := []error{}
+
+	if !filepath.IsAbs(pattern) {
+		o, _ := os.Getwd()
+		pattern = filepath.Join(o, pattern)
+	}
+
+	if !onlyDirectories && IsFile(pattern) {
+		paths = append(paths, pattern)
+		return paths, errs
+	}
+
+	root, shouldMatch := filepath.Split(pattern)
+
+	if IsDir(pattern) {
+		root = pattern
+		shouldMatch = "*"
+	}
+	if shouldMatch == "" {
+		shouldMatch = "*"
+	}
+
+	f, err := glob(root, shouldMatch, onlyDirectories)
+	if err != nil {
+		errs = append(errs, err)
+	} else {
+		paths = append(paths, f...)
+	}
+
+	return paths, errs
+}
+
+func readYamlFile(yamlFile []byte) ([]workloadinterface.IMetadata, error) {
+	defer recover()
+
+	r := bytes.NewReader(yamlFile)
+	dec := yaml.NewDecoder(r)
+	yamlObjs := []workloadinterface.IMetadata{}
+
+	var t interface{}
+	for dec.Decode(&t) == nil {
+		j := convertYamlToJson(t)
+		if j == nil {
+			continue
+		}
+		if obj, ok := j.(map[string]interface{}); ok {
+			if o := objectsenvelopes.NewObject(obj); o != nil {
+				if o.GetKind() == "List" {
+					yamlObjs = append(yamlObjs, handleListObject(o)...)
+				} else {
+					yamlObjs = append(yamlObjs, o)
+				}
+			}
+		}
+	}
+
+	return yamlObjs, nil
+}
+
+func readJsonFile(jsonFile []byte) ([]workloadinterface.IMetadata, error) {
+	workloads := []workloadinterface.IMetadata{}
+	var jsonObj interface{}
+	if err := json.Unmarshal(jsonFile, &jsonObj); err != nil {
+		return workloads, err
+	}
+
+	convertJsonToWorkload(jsonObj, &workloads)
+
+	return workloads, nil
+}
+func convertJsonToWorkload(jsonObj interface{}, workloads *[]workloadinterface.IMetadata) {
+
+	switch x := jsonObj.(type) {
+	case map[string]interface{}:
+		if o := objectsenvelopes.NewObject(x); o != nil {
+			(*workloads) = append(*workloads, o)
+		}
+	case []interface{}:
+		for i := range x {
+			convertJsonToWorkload(x[i], workloads)
+		}
+	}
+}
+func convertYamlToJson(i interface{}) interface{} {
+	switch x := i.(type) {
+	case map[interface{}]interface{}:
+		m2 := map[string]interface{}{}
+		for k, v := range x {
+			if s, ok := k.(string); ok {
+				m2[s] = convertYamlToJson(v)
+			}
+		}
+		return m2
+	case []interface{}:
+		for i, v := range x {
+			x[i] = convertYamlToJson(v)
+		}
+	}
+	return i
+}
+
+func IsYaml(filePath string) bool {
+	return StringInSlice(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+}
+
+func IsJson(filePath string) bool {
+	return StringInSlice(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+}
+
+func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
+	var matches []string
+
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// listing only directotries
+		if onlyDirectories {
+			if info.IsDir() {
+				if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {
+					return err
+				} else if matched {
+					matches = append(matches, path)
+				}
+			}
+			return nil
+		}
+
+		// listing only files
+		if info.IsDir() {
+			return nil
+		}
+		fileFormat := GetFileFormat(path)
+		if !(fileFormat == JSON_FILE_FORMAT || fileFormat == YAML_FILE_FORMAT) {
+			return nil
+		}
+		if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {
+			return err
+		} else if matched {
+			matches = append(matches, path)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return matches, nil
+}
+
+// IsFile checks if a given path is a file
+func IsFile(name string) bool {
+	if fi, err := os.Stat(name); err == nil {
+		if fi.Mode().IsRegular() {
+			return true
+		}
+	}
+	return false
+}
+
+// IsDir checks if a given path is a directory
+func IsDir(name string) bool {
+	if info, err := os.Stat(name); err == nil {
+		if info.IsDir() {
+			return true
+		}
+	}
+	return false
+}
+
+func GetFileFormat(filePath string) FileFormat {
+	if IsYaml(filePath) {
+		return YAML_FILE_FORMAT
+	} else if IsJson(filePath) {
+		return JSON_FILE_FORMAT
+	} else {
+		return FileFormat(filePath)
+	}
+}
+
+// handleListObject handle a List manifest
+func handleListObject(obj workloadinterface.IMetadata) []workloadinterface.IMetadata {
+	yamlObjs := []workloadinterface.IMetadata{}
+	if i, ok := workloadinterface.InspectMap(obj.GetObject(), "items"); ok && i != nil {
+		if items, ok := i.([]interface{}); ok && items != nil {
+			for item := range items {
+				if m, ok := items[item].(map[string]interface{}); ok && m != nil {
+					if o := objectsenvelopes.NewObject(m); o != nil {
+						yamlObjs = append(yamlObjs, o)
+					}
+				}
+			}
+		}
+	}
+	return yamlObjs
+}

core/cautils/fileutils_test.go

@@ -0,0 +1,105 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/stretchr/testify/assert"
+)
+
+func onlineBoutiquePath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(filepath.Dir(o), "..", "examples", "online-boutique")
+}
+
+func helmChartPath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(filepath.Dir(o), "..", "examples", "helm_chart")
+}
+
+func TestListFiles(t *testing.T) {
+
+	filesPath := onlineBoutiquePath()
+
+	files, errs := listFiles(filesPath)
+	assert.Equal(t, 0, len(errs))
+	assert.Equal(t, 12, len(files))
+}
+
+func TestLoadResourcesFromFiles(t *testing.T) {
+	workloads := LoadResourcesFromFiles(onlineBoutiquePath(), "")
+	assert.Equal(t, 12, len(workloads))
+
+	for i, w := range workloads {
+		switch filepath.Base(i) {
+		case "adservice.yaml":
+			assert.Equal(t, 2, len(w))
+			assert.Equal(t, "apps/v1//Deployment/adservice", getRelativePath(w[0].GetID()))
+			assert.Equal(t, "/v1//Service/adservice", getRelativePath(w[1].GetID()))
+		}
+	}
+}
+
+func TestLoadResourcesFromHelmCharts(t *testing.T) {
+	sourceToWorkloads, sourceToChartName := LoadResourcesFromHelmCharts(helmChartPath())
+	assert.Equal(t, 6, len(sourceToWorkloads))
+
+	for file, workloads := range sourceToWorkloads {
+		assert.Equalf(t, 1, len(workloads), "expected 1 workload in file %s", file)
+
+		w := workloads[0]
+		assert.True(t, localworkload.IsTypeLocalWorkload(w.GetObject()), "Expected localworkload as object type")
+		assert.Equal(t, "kubescape", sourceToChartName[file])
+
+		switch filepath.Base(file) {
+		case "serviceaccount.yaml":
+			assert.Equal(t, "/v1//ServiceAccount/kubescape-discovery", getRelativePath(w.GetID()))
+		case "clusterrole.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRole/-kubescape", getRelativePath(w.GetID()))
+		case "cronjob.yaml":
+			assert.Equal(t, "batch/v1//CronJob/-kubescape", getRelativePath(w.GetID()))
+		case "role.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//Role/-kubescape", getRelativePath(w.GetID()))
+		case "rolebinding.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//RoleBinding/-kubescape", getRelativePath(w.GetID()))
+		case "clusterrolebinding.yaml":
+			assert.Equal(t, "rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape", getRelativePath(w.GetID()))
+		default:
+			assert.Failf(t, "missing case for file: %s", filepath.Base(file))
+		}
+	}
+}
+
+func TestLoadFiles(t *testing.T) {
+	files, _ := listFiles(onlineBoutiquePath())
+	_, err := loadFiles("", files)
+	assert.Equal(t, 0, len(err))
+}
+
+func TestListDirs(t *testing.T) {
+	dirs, _ := listDirs(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
+	assert.Equal(t, 0, len(dirs))
+
+	expectedDirs := []string{filepath.Join("examples", "helm_chart"), filepath.Join("examples", "helm_chart", "templates")}
+	dirs, _ = listDirs(helmChartPath())
+	assert.Equal(t, len(expectedDirs), len(dirs))
+	for i := range expectedDirs {
+		assert.Contains(t, dirs[i], expectedDirs[i])
+	}
+}
+
+func TestLoadFile(t *testing.T) {
+	files, _ := listFiles(filepath.Join(onlineBoutiquePath(), "adservice.yaml"))
+	assert.Equal(t, 1, len(files))
+
+	_, err := loadFile(files[0])
+	assert.NoError(t, err)
+}
+
+func getRelativePath(p string) string {
+	pp := strings.SplitAfter(p, "api=")
+	return pp[1]
+}

core/cautils/floatutils.go

@@ -0,0 +1,18 @@
+package cautils
+
+import "math"
+
+// Float64ToInt convert float64 to int
+func Float64ToInt(x float64) int {
+	return int(math.Round(x))
+}
+
+// Float32ToInt convert float32 to int
+func Float32ToInt(x float32) int {
+	return Float64ToInt(float64(x))
+}
+
+// Float16ToInt convert float16 to int
+func Float16ToInt(x float32) int {
+	return Float64ToInt(float64(x))
+}

core/cautils/floatutils_test.go

@@ -0,0 +1,24 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFloat64ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float64ToInt(3.49))
+	assert.Equal(t, 4, Float64ToInt(3.5))
+	assert.Equal(t, 4, Float64ToInt(3.51))
+}
+
+func TestFloat32ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float32ToInt(3.49))
+	assert.Equal(t, 4, Float32ToInt(3.5))
+	assert.Equal(t, 4, Float32ToInt(3.51))
+}
+func TestFloat16ToInt(t *testing.T) {
+	assert.Equal(t, 3, Float16ToInt(3.49))
+	assert.Equal(t, 4, Float16ToInt(3.5))
+	assert.Equal(t, 4, Float16ToInt(3.51))
+}

core/cautils/getter/datastructures.go

@@ -0,0 +1,24 @@
+package getter
+
+type FeLoginData struct {
+	Secret   string `json:"secret"`
+	ClientId string `json:"clientId"`
+}
+
+type FeLoginResponse struct {
+	Token        string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
+	ExpiresIn    int32  `json:"expiresIn"`
+	Expires      string `json:"expires"`
+}
+
+type KSCloudSelectCustomer struct {
+	SelectedCustomerGuid string `json:"selectedCustomer"`
+}
+
+type TenantResponse struct {
+	TenantID  string `json:"tenantId"`
+	Token     string `json:"token"`
+	Expires   string `json:"expires"`
+	AdminMail string `json:"adminMail,omitempty"`
+}

core/cautils/getter/downloadreleasedpolicy.go

@@ -0,0 +1,92 @@
+package getter
+
+import (
+	"strings"
+
+	"github.com/kubescape/opa-utils/gitregostore"
+	"github.com/kubescape/opa-utils/reporthandling"
+)
+
+// =======================================================================================================================
+// ======================================== DownloadReleasedPolicy =======================================================
+// =======================================================================================================================
+
+// Use gitregostore to get policies from github release
+type DownloadReleasedPolicy struct {
+	gs *gitregostore.GitRegoStore
+}
+
+func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
+	return &DownloadReleasedPolicy{
+		gs: gitregostore.NewDefaultGitRegoStore(-1),
+	}
+}
+
+func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
+	var control *reporthandling.Control
+	var err error
+
+	control, err = drp.gs.GetOPAControl(policyName)
+	if err != nil {
+		return nil, err
+	}
+	return control, nil
+}
+
+func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
+	framework, err := drp.gs.GetOPAFrameworkByName(name)
+	if err != nil {
+		return nil, err
+	}
+	return framework, err
+}
+
+func (drp *DownloadReleasedPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
+	frameworks, err := drp.gs.GetOPAFrameworks()
+	if err != nil {
+		return nil, err
+	}
+	return frameworks, err
+}
+
+func (drp *DownloadReleasedPolicy) ListFrameworks() ([]string, error) {
+	return drp.gs.GetOPAFrameworksNamesList()
+}
+
+func (drp *DownloadReleasedPolicy) ListControls(listType ListType) ([]string, error) {
+	switch listType {
+	case ListID:
+		return drp.gs.GetOPAControlsIDsList()
+	default:
+		return drp.gs.GetOPAControlsNamesList()
+	}
+}
+
+func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	defaultConfigInputs, err := drp.gs.GetDefaultConfigInputs()
+	if err != nil {
+		return nil, err
+	}
+	return defaultConfigInputs.Settings.PostureControlInputs, err
+}
+
+func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
+	fwNames, err := drp.gs.GetOPAFrameworksNamesList()
+	if len(fwNames) != 0 && err == nil {
+		return nil
+	}
+	return drp.gs.SetRegoObjects()
+}
+
+func isNativeFramework(framework string) bool {
+	return contains(NativeFrameworks, framework)
+}
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if strings.EqualFold(v, str) {
+			return true
+		}
+	}
+	return false
+}

core/cautils/getter/getpolicies.go

@@ -0,0 +1,40 @@
+package getter
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+)
+
+// supported listing
+type ListType string
+
+const ListID ListType = "id"
+const ListName ListType = "name"
+
+type IPolicyGetter interface {
+	GetFramework(name string) (*reporthandling.Framework, error)
+	GetFrameworks() ([]reporthandling.Framework, error)
+	GetControl(name string) (*reporthandling.Control, error)
+
+	ListFrameworks() ([]string, error)
+	ListControls(ListType) ([]string, error)
+}
+
+type IExceptionsGetter interface {
+	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+}
+type IBackend interface {
+	GetAccountID() string
+	GetClientID() string
+	GetSecretKey() string
+
+	SetAccountID(accountID string)
+	SetClientID(clientID string)
+	SetSecretKey(secretKey string)
+
+	GetTenant() (*TenantResponse, error)
+}
+
+type IControlsInputsGetter interface {
+	GetControlsInputs(clusterName string) (map[string][]string, error)
+}

core/cautils/getter/getpoliciesutils.go

@@ -1,6 +1,7 @@
 package getter
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -9,45 +10,14 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
-
-	"github.com/armosec/opa-utils/reporthandling"
 )
 
 func GetDefaultPath(name string) string {
-	defaultfilePath := filepath.Join(DefaultLocalStore, name)
-	if homeDir, err := os.UserHomeDir(); err == nil {
-		defaultfilePath = filepath.Join(homeDir, defaultfilePath)
-	}
-	return defaultfilePath
+	return filepath.Join(DefaultLocalStore, name)
 }
 
-// Save control as json in file
-func SaveControlInFile(control *reporthandling.Control, pathStr string) error {
-	encodedData, err := json.Marshal(control)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func SaveFrameworkInFile(framework *reporthandling.Framework, pathStr string) error {
-	encodedData, err := json.Marshal(framework)
+func SaveInFile(policy interface{}, pathStr string) error {
+	encodedData, err := json.MarshalIndent(policy, "", "  ")
 	if err != nil {
 		return err
 	}
@@ -77,12 +47,14 @@ func JSONDecoder(origin string) *json.Decoder {
 	return dec
 }
 
-func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
+func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
 
-	req, err := http.NewRequest("GET", fullURL, nil)
+	req, err := http.NewRequest("DELETE", fullURL, nil)
 	if err != nil {
 		return "", err
 	}
+	setHeaders(req, headers)
+
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return "", err
@@ -93,6 +65,50 @@ func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {
 	}
 	return respStr, nil
 }
+func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
+
+	req, err := http.NewRequest("GET", fullURL, nil)
+	if err != nil {
+		return "", err
+	}
+	setHeaders(req, headers)
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
+
+	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
+	if err != nil {
+		return "", err
+	}
+	setHeaders(req, headers)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	respStr, err := httpRespToString(resp)
+	if err != nil {
+		return "", err
+	}
+	return respStr, nil
+}
+
+func setHeaders(req *http.Request, headers map[string]string) {
+	if len(headers) >= 0 { // might be nil
+		for k, v := range headers {
+			req.Header.Set(k, v)
+		}
+	}
+}
 
 // HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
 func httpRespToString(resp *http.Response) (string, error) {
@@ -104,21 +120,22 @@ func httpRespToString(resp *http.Response) (string, error) {
 	if resp.ContentLength > 0 {
 		strBuilder.Grow(int(resp.ContentLength))
 	}
-	bytesNum, err := io.Copy(&strBuilder, resp.Body)
+	_, err := io.Copy(&strBuilder, resp.Body)
 	respStr := strBuilder.String()
 	if err != nil {
 		respStrNewLen := len(respStr)
 		if respStrNewLen > 1024 {
 			respStrNewLen = 1024
 		}
-		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+		return "", fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
+		// return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
 	}
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		respStrNewLen := len(respStr)
 		if respStrNewLen > 1024 {
 			respStrNewLen = 1024
 		}
-		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+		err = fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
 	}
 
 	return respStr, err

core/cautils/getter/kscloudapi.go

@@ -0,0 +1,363 @@
+package getter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/opa-utils/reporthandling"
+)
+
+var (
+	ksCloudERURL   = "report.armo.cloud"
+	ksCloudBEURL   = "api.armosec.io"
+	ksCloudFEURL   = "cloud.armosec.io"
+	ksCloudAUTHURL = "auth.armosec.io"
+
+	ksCloudStageERURL   = "report-ks.eustage2.cyberarmorsoft.com"
+	ksCloudStageBEURL   = "api-stage.armosec.io"
+	ksCloudStageFEURL   = "armoui-stage.armosec.io"
+	ksCloudStageAUTHURL = "eggauth-stage.armosec.io"
+
+	ksCloudDevERURL   = "report.eudev3.cyberarmorsoft.com"
+	ksCloudDevBEURL   = "api-dev.armosec.io"
+	ksCloudDevFEURL   = "cloud-dev.armosec.io"
+	ksCloudDevAUTHURL = "eggauth-dev.armosec.io"
+)
+
+// KSCloudAPI allows accessing the API of the Kubescape Cloud offering
+type KSCloudAPI struct {
+	httpClient *http.Client
+	apiURL     string
+	authURL    string
+	erURL      string
+	feURL      string
+	accountID  string
+	clientID   string
+	secretKey  string
+	feToken    FeLoginResponse
+	authCookie string
+	loggedIn   bool
+}
+
+var globalKSCloudAPIConnector *KSCloudAPI
+
+func SetKSCloudAPIConnector(ksCloudAPI *KSCloudAPI) {
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", ksCloudAPI.apiURL), helpers.String("auth", ksCloudAPI.authURL), helpers.String("report", ksCloudAPI.erURL), helpers.String("UI", ksCloudAPI.feURL))
+	globalKSCloudAPIConnector = ksCloudAPI
+}
+
+func GetKSCloudAPIConnector() *KSCloudAPI {
+	if globalKSCloudAPIConnector == nil {
+		SetKSCloudAPIConnector(NewKSCloudAPIProd())
+	}
+	return globalKSCloudAPIConnector
+}
+
+func NewKSCloudAPIDev() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.apiURL = ksCloudDevBEURL
+	apiObj.authURL = ksCloudDevAUTHURL
+	apiObj.erURL = ksCloudDevERURL
+	apiObj.feURL = ksCloudDevFEURL
+
+	return apiObj
+}
+
+func NewKSCloudAPIProd() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.apiURL = ksCloudBEURL
+	apiObj.erURL = ksCloudERURL
+	apiObj.feURL = ksCloudFEURL
+	apiObj.authURL = ksCloudAUTHURL
+
+	return apiObj
+}
+
+func NewKSCloudAPIStaging() *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.apiURL = ksCloudStageBEURL
+	apiObj.erURL = ksCloudStageERURL
+	apiObj.feURL = ksCloudStageFEURL
+	apiObj.authURL = ksCloudStageAUTHURL
+
+	return apiObj
+}
+
+func NewKSCloudAPICustomized(ksCloudERURL, ksCloudBEURL, ksCloudFEURL, ksCloudAUTHURL string) *KSCloudAPI {
+	apiObj := newKSCloudAPI()
+
+	apiObj.erURL = ksCloudERURL
+	apiObj.apiURL = ksCloudBEURL
+	apiObj.feURL = ksCloudFEURL
+	apiObj.authURL = ksCloudAUTHURL
+
+	return apiObj
+}
+
+func newKSCloudAPI() *KSCloudAPI {
+	return &KSCloudAPI{
+		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
+		loggedIn:   false,
+	}
+}
+
+func (api *KSCloudAPI) Post(fullURL string, headers map[string]string, body []byte) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpPost(api.httpClient, fullURL, headers, body)
+}
+
+func (api *KSCloudAPI) Delete(fullURL string, headers map[string]string) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpDelete(api.httpClient, fullURL, headers)
+}
+func (api *KSCloudAPI) Get(fullURL string, headers map[string]string) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	api.appendAuthHeaders(headers)
+	return HttpGetter(api.httpClient, fullURL, headers)
+}
+
+func (api *KSCloudAPI) GetAccountID() string          { return api.accountID }
+func (api *KSCloudAPI) IsLoggedIn() bool              { return api.loggedIn }
+func (api *KSCloudAPI) GetClientID() string           { return api.clientID }
+func (api *KSCloudAPI) GetSecretKey() string          { return api.secretKey }
+func (api *KSCloudAPI) GetFrontendURL() string        { return api.feURL }
+func (api *KSCloudAPI) GetApiURL() string             { return api.apiURL }
+func (api *KSCloudAPI) GetAuthURL() string            { return api.authURL }
+func (api *KSCloudAPI) GetReportReceiverURL() string  { return api.erURL }
+func (api *KSCloudAPI) SetAccountID(accountID string) { api.accountID = accountID }
+func (api *KSCloudAPI) SetClientID(clientID string)   { api.clientID = clientID }
+func (api *KSCloudAPI) SetSecretKey(secretKey string) { api.secretKey = secretKey }
+
+func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
+	respStr, err := api.Get(api.getFrameworkURL(name), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	framework := &reporthandling.Framework{}
+	if err = JSONDecoder(respStr).Decode(framework); err != nil {
+		return nil, err
+	}
+
+	return framework, err
+}
+
+func (api *KSCloudAPI) GetFrameworks() ([]reporthandling.Framework, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	frameworks := []reporthandling.Framework{}
+	if err = JSONDecoder(respStr).Decode(&frameworks); err != nil {
+		return nil, err
+	}
+
+	return frameworks, err
+}
+
+func (api *KSCloudAPI) GetControl(policyName string) (*reporthandling.Control, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
+func (api *KSCloudAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions := []armotypes.PostureExceptionPolicy{}
+
+	respStr, err := api.Get(api.getExceptionsURL(clusterName), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
+		return nil, err
+	}
+
+	return exceptions, nil
+}
+
+func (api *KSCloudAPI) GetTenant() (*TenantResponse, error) {
+	url := api.getAccountURL()
+	if api.accountID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, api.accountID)
+	}
+	respStr, err := api.Get(url, nil)
+	if err != nil {
+		return nil, err
+	}
+	tenant := &TenantResponse{}
+	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
+		return nil, err
+	}
+	if tenant.TenantID != "" {
+		api.accountID = tenant.TenantID
+	}
+	return tenant, nil
+}
+
+// ControlsInputs  // map[<control name>][<input arguments>]
+func (api *KSCloudAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
+	accountConfig := &armotypes.CustomerConfig{}
+	if api.accountID == "" {
+		return accountConfig, nil
+	}
+	respStr, err := api.Get(api.getAccountConfig(clusterName), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
+		// try with default scope
+		respStr, err = api.Get(api.getAccountConfigDefault(clusterName), nil)
+		if err != nil {
+			return nil, err
+		}
+		if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
+			return nil, err
+		}
+	}
+
+	return accountConfig, nil
+}
+
+// ControlsInputs  // map[<control name>][<input arguments>]
+func (api *KSCloudAPI) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	accountConfig, err := api.GetAccountConfig(clusterName)
+	if err == nil {
+		return accountConfig.Settings.PostureControlInputs, nil
+	}
+	return nil, err
+}
+
+func (api *KSCloudAPI) ListCustomFrameworks() ([]string, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if !isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
+func (api *KSCloudAPI) ListFrameworks() ([]string, error) {
+	respStr, err := api.Get(api.getListFrameworkURL(), nil)
+	if err != nil {
+		return nil, err
+	}
+	frs := []reporthandling.Framework{}
+	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
+		return nil, err
+	}
+
+	frameworkList := []string{}
+	for _, fr := range frs {
+		if isNativeFramework(fr.Name) {
+			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
+		} else {
+			frameworkList = append(frameworkList, fr.Name)
+		}
+	}
+
+	return frameworkList, nil
+}
+
+func (api *KSCloudAPI) ListControls(l ListType) ([]string, error) {
+	return nil, fmt.Errorf("control api is not public")
+}
+
+func (api *KSCloudAPI) PostExceptions(exceptions []armotypes.PostureExceptionPolicy) error {
+
+	for i := range exceptions {
+		ex, err := json.Marshal(exceptions[i])
+		if err != nil {
+			return err
+		}
+		_, err = api.Post(api.exceptionsURL(""), map[string]string{"Content-Type": "application/json"}, ex)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (api *KSCloudAPI) DeleteException(exceptionName string) error {
+
+	_, err := api.Delete(api.exceptionsURL(exceptionName), nil)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+func (api *KSCloudAPI) Login() error {
+	if api.accountID == "" {
+		return fmt.Errorf("failed to login, missing accountID")
+	}
+	if api.clientID == "" {
+		return fmt.Errorf("failed to login, missing clientID")
+	}
+	if api.secretKey == "" {
+		return fmt.Errorf("failed to login, missing secretKey")
+	}
+
+	// init URLs
+	feLoginData := FeLoginData{ClientId: api.clientID, Secret: api.secretKey}
+	body, _ := json.Marshal(feLoginData)
+
+	resp, err := http.Post(api.getApiToken(), "application/json", bytes.NewBuffer(body))
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("error authenticating: %d", resp.StatusCode)
+	}
+
+	responseBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	var feLoginResponse FeLoginResponse
+
+	if err = json.Unmarshal(responseBody, &feLoginResponse); err != nil {
+		return err
+	}
+	api.feToken = feLoginResponse
+
+	/* Now we have JWT */
+
+	api.authCookie, err = api.getAuthCookie()
+	if err != nil {
+		return err
+	}
+	api.loggedIn = true
+	return nil
+}

core/cautils/getter/kscloudapiutils.go

@@ -0,0 +1,176 @@
+package getter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+var NativeFrameworks = []string{"nsa", "mitre", "armobest", "devopsbest"}
+
+func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if isNativeFramework(frameworkName) {
+		q.Add("frameworkName", strings.ToUpper(frameworkName))
+	} else {
+		// For customer framework has to be the way it was added
+		q.Add("frameworkName", frameworkName)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getListFrameworkURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/armoFrameworks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/armoPostureExceptions"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	// if clusterName != "" { // TODO - fix customer name support in Armo BE
+	// 	q.Add("clusterName", clusterName)
+	// }
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) exceptionsURL(exceptionsPolicyName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/postureExceptionPolicy"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if exceptionsPolicyName != "" { // for delete
+		q.Add("policyName", exceptionsPolicyName)
+	}
+
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAccountConfigDefault(clusterName string) string {
+	config := api.getAccountConfig(clusterName)
+	url := config + "&scope=customer"
+	return url
+}
+
+func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/armoCustomerConfiguration"
+
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	if clusterName != "" { // TODO - fix customer name support in Armo BE
+		q.Add("clusterName", clusterName)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAccountURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/createTenant"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getApiToken() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetAuthURL())
+	u.Path = "identity/resources/auth/v1/api-token"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getOpenidCustomers() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/openid_customers"
+	return u.String()
+}
+
+func (api *KSCloudAPI) getAuthCookie() (string, error) {
+	selectCustomer := KSCloudSelectCustomer{SelectedCustomerGuid: api.accountID}
+	requestBody, _ := json.Marshal(selectCustomer)
+	client := &http.Client{}
+	httpRequest, err := http.NewRequest(http.MethodPost, api.getOpenidCustomers(), bytes.NewBuffer(requestBody))
+	if err != nil {
+		return "", err
+	}
+	httpRequest.Header.Set("Content-Type", "application/json")
+	httpRequest.Header.Set("Authorization", fmt.Sprintf("Bearer %s", api.feToken.Token))
+	httpResponse, err := client.Do(httpRequest)
+	if err != nil {
+		return "", err
+	}
+	defer httpResponse.Body.Close()
+	if httpResponse.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to get cookie from %s: status %d", api.getOpenidCustomers(), httpResponse.StatusCode)
+	}
+
+	cookies := httpResponse.Header.Get("set-cookie")
+	if len(cookies) == 0 {
+		return "", fmt.Errorf("no cookie field in response from %s", api.getOpenidCustomers())
+	}
+
+	authCookie := ""
+	for _, cookie := range strings.Split(cookies, ";") {
+		kv := strings.Split(cookie, "=")
+		if kv[0] == "auth" {
+			authCookie = kv[1]
+		}
+	}
+
+	if len(authCookie) == 0 {
+		return "", fmt.Errorf("no auth cookie field in response from %s", api.getOpenidCustomers())
+	}
+
+	return authCookie, nil
+}
+func (api *KSCloudAPI) appendAuthHeaders(headers map[string]string) {
+
+	if api.feToken.Token != "" {
+		headers["Authorization"] = fmt.Sprintf("Bearer %s", api.feToken.Token)
+	}
+	if api.authCookie != "" {
+		headers["Cookie"] = fmt.Sprintf("auth=%s", api.authCookie)
+	}
+}
+
+func (api *KSCloudAPI) getCustomerGUIDFallBack() string {
+	if api.accountID != "" {
+		return api.accountID
+	}
+	return "11111111-1111-1111-1111-111111111111"
+}
+
+func parseHost(host string) (string, string) {
+	if strings.HasPrefix(host, "http://") {
+		return "http", strings.Replace(host, "http://", "", 1)
+	}
+
+	// default scheme
+	return "https", strings.Replace(host, "https://", "", 1)
+}

core/cautils/getter/loadpolicy.go

@@ -4,16 +4,25 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling"
 )
 
 // =======================================================================================================================
 // ============================================== LoadPolicy =============================================================
 // =======================================================================================================================
-const DefaultLocalStore = ".kubescape"
+var DefaultLocalStore = getCacheDir()
+
+func getCacheDir() string {
+	defaultDirPath := ".kubescape"
+	if homeDir, err := os.UserHomeDir(); err == nil {
+		defaultDirPath = filepath.Join(homeDir, defaultDirPath)
+	}
+	return defaultDirPath
+}
 
 // Load policies from a local repository
 type LoadPolicy struct {
@@ -30,7 +39,7 @@ func NewLoadPolicy(filePaths []string) *LoadPolicy {
 func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, error) {
 
 	control := &reporthandling.Control{}
-	filePath := lp.getFileForControl()
+	filePath := lp.filePath()
 	f, err := os.ReadFile(filePath)
 	if err != nil {
 		return nil, err
@@ -40,7 +49,7 @@ func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, e
 		return control, err
 	}
 	if controlName != "" && !strings.EqualFold(controlName, control.Name) && !strings.EqualFold(controlName, control.ControlID) {
-		framework, err := lp.GetFramework(controlName)
+		framework, err := lp.GetFramework(control.Name)
 		if err != nil {
 			return nil, fmt.Errorf("control from file not matching")
 		} else {
@@ -78,8 +87,35 @@ func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framew
 	return framework, err
 }
 
-func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	filePath := lp.getFileForException()
+func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
+	frameworks := []reporthandling.Framework{}
+	var err error
+	return frameworks, err
+}
+
+func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
+	fwNames := []string{}
+	framework := &reporthandling.Framework{}
+	for _, f := range lp.filePaths {
+		file, err := os.ReadFile(f)
+		if err == nil {
+			if err := json.Unmarshal(file, framework); err == nil {
+				if !contains(fwNames, framework.Name) {
+					fwNames = append(fwNames, framework.Name)
+				}
+			}
+		}
+	}
+	return fwNames, nil
+}
+
+func (lp *LoadPolicy) ListControls(listType ListType) ([]string, error) {
+	// TODO - Support
+	return []string{}, fmt.Errorf("loading controls list from file is not supported")
+}
+
+func (lp *LoadPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	filePath := lp.filePath()
 	exception := []armotypes.PostureExceptionPolicy{}
 	f, err := os.ReadFile(filePath)
 	if err != nil {
@@ -90,10 +126,24 @@ func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotyp
 	return exception, err
 }
 
-func (lp *LoadPolicy) getFileForException() string {
-	return lp.filePaths[0]
+func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string, error) {
+	filePath := lp.filePath()
+	accountConfig := &armotypes.CustomerConfig{}
+	f, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
+		return accountConfig.Settings.PostureControlInputs, nil
+	}
+	return nil, err
 }
 
-func (lp *LoadPolicy) getFileForControl() string {
-	return lp.filePaths[0]
+// temporary support for a list of files
+func (lp *LoadPolicy) filePath() string {
+	if len(lp.filePaths) > 0 {
+		return lp.filePaths[0]
+	}
+	return ""
 }

core/cautils/getter/loadpolicy_test.go

@@ -0,0 +1,13 @@
+package getter
+
+import (
+	"path/filepath"
+)
+
+var mockFrameworkBasePath = filepath.Join("examples", "mocks", "frameworks")
+
+func MockNewLoadPolicy() *LoadPolicy {
+	return &LoadPolicy{
+		filePaths: []string{""},
+	}
+}

core/cautils/helmchart.go

@@ -0,0 +1,92 @@
+package cautils
+
+import (
+	"path/filepath"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+
+	helmchart "helm.sh/helm/v3/pkg/chart"
+	helmloader "helm.sh/helm/v3/pkg/chart/loader"
+	helmchartutil "helm.sh/helm/v3/pkg/chartutil"
+	helmengine "helm.sh/helm/v3/pkg/engine"
+)
+
+type HelmChart struct {
+	chart *helmchart.Chart
+	path  string
+}
+
+func IsHelmDirectory(path string) (bool, error) {
+	return helmchartutil.IsChartDir(path)
+}
+
+func NewHelmChart(path string) (*HelmChart, error) {
+	chart, err := helmloader.Load(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HelmChart{
+		chart: chart,
+		path:  path,
+	}, nil
+}
+
+func (hc *HelmChart) GetName() string {
+	return hc.chart.Name()
+}
+
+func (hc *HelmChart) GetDefaultValues() map[string]interface{} {
+	return hc.chart.Values
+}
+
+// GetWorkloads renders chart template using the default values and returns a map of source file to its workloads
+func (hc *HelmChart) GetWorkloadsWithDefaultValues() (map[string][]workloadinterface.IMetadata, []error) {
+	return hc.GetWorkloads(hc.GetDefaultValues())
+}
+
+// GetWorkloads renders chart template using the provided values and returns a map of source (absolute) file path to its workloads
+func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]workloadinterface.IMetadata, []error) {
+	vals, err := helmchartutil.ToRenderValues(hc.chart, values, helmchartutil.ReleaseOptions{}, nil)
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	sourceToFile, err := helmengine.Render(hc.chart, vals)
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	workloads := make(map[string][]workloadinterface.IMetadata, 0)
+	errs := []error{}
+
+	for path, renderedYaml := range sourceToFile {
+		if !IsYaml(strings.ToLower(path)) {
+			continue
+		}
+
+		wls, e := ReadFile([]byte(renderedYaml), YAML_FILE_FORMAT)
+		if e != nil {
+			logger.L().Debug("failed to read rendered yaml file", helpers.String("file", path), helpers.Error(e))
+		}
+		if len(wls) == 0 {
+			continue
+		}
+		// separate base path and file name. We do not use the os.Separator because the paths returned from the helm engine are not OS specific (e.g. mychart/templates/myfile.yaml)
+		if firstPathSeparatorIndex := strings.Index(path, string("/")); firstPathSeparatorIndex != -1 {
+			absPath := filepath.Join(hc.path, path[firstPathSeparatorIndex:])
+
+			workloads[absPath] = []workloadinterface.IMetadata{}
+			for i := range wls {
+				lw := localworkload.NewLocalWorkload(wls[i].GetObject())
+				lw.SetPath(absPath)
+				workloads[absPath] = append(workloads[absPath], lw)
+			}
+		}
+	}
+	return workloads, errs
+}

core/cautils/helmchart_test.go

@@ -0,0 +1,133 @@
+package cautils
+
+import (
+	_ "embed"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/stretchr/testify/suite"
+)
+
+type HelmChartTestSuite struct {
+	suite.Suite
+	helmChartPath         string
+	expectedFiles         []string
+	expectedDefaultValues map[string]interface{}
+}
+
+func TestHelmChartTestSuite(t *testing.T) {
+	suite.Run(t, new(HelmChartTestSuite))
+}
+
+func (s *HelmChartTestSuite) SetupSuite() {
+	o, _ := os.Getwd()
+
+	s.helmChartPath = filepath.Join(filepath.Dir(o), "..", "examples", "helm_chart")
+
+	s.expectedFiles = []string{
+		filepath.Join(s.helmChartPath, "templates", "clusterrolebinding.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "clusterrole.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "serviceaccount.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "rolebinding.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "role.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "cronjob.yaml"),
+	}
+
+	var obj interface{}
+	file, _ := ioutil.ReadFile(filepath.Join("testdata", "helm_expected_default_values.json"))
+	_ = json.Unmarshal([]byte(file), &obj)
+	s.expectedDefaultValues = obj.(map[string]interface{})
+}
+
+func (s *HelmChartTestSuite) TestInvalidHelmDirectory() {
+	_, err := NewHelmChart("/invalid_path")
+	s.Error(err)
+}
+
+func (s *HelmChartTestSuite) TestValidHelmDirectory() {
+	chart, err := NewHelmChart(s.helmChartPath)
+	s.NoError(err)
+	s.NotNil(chart)
+}
+
+func (s *HelmChartTestSuite) TestGetName() {
+	chart, _ := NewHelmChart(s.helmChartPath)
+	s.Equal("kubescape", chart.GetName())
+}
+
+func (s *HelmChartTestSuite) TestGetDefaultValues() {
+	chart, _ := NewHelmChart(s.helmChartPath)
+
+	values := chart.GetDefaultValues()
+
+	valuesJson, _ := json.Marshal(values)
+	expectedValuesJson, _ := json.Marshal(s.expectedDefaultValues)
+
+	s.JSONEq(string(valuesJson), string(expectedValuesJson))
+}
+
+func (s *HelmChartTestSuite) TestGetWorkloadsWithOverride() {
+	chart, err := NewHelmChart(s.helmChartPath)
+	s.NoError(err, "Expected a valid helm chart")
+
+	values := chart.GetDefaultValues()
+
+	// Default pullPolicy value = Always
+	pullPolicyValue := values["image"].(map[string]interface{})["pullPolicy"].(string)
+	s.Equal(pullPolicyValue, "Always")
+
+	// Override default value
+	values["image"].(map[string]interface{})["pullPolicy"] = "Never"
+
+	fileToWorkloads, errs := chart.GetWorkloads(values)
+	s.Len(errs, 0)
+
+	s.Lenf(fileToWorkloads, len(s.expectedFiles), "Expected %d files", len(s.expectedFiles))
+
+	for _, expectedFile := range s.expectedFiles {
+		s.Contains(fileToWorkloads, expectedFile)
+		s.FileExists(expectedFile)
+		s.GreaterOrEqualf(len(fileToWorkloads[expectedFile]), 1, "Expected at least one workload in %q", expectedFile)
+
+		for i := range fileToWorkloads[expectedFile] {
+			pathInWorkload := fileToWorkloads[expectedFile][i].(*localworkload.LocalWorkload).GetPath()
+			s.Equal(pathInWorkload, expectedFile, "Expected GetPath() to return a valid path on workload")
+		}
+
+		if strings.Contains(expectedFile, "cronjob.yaml") {
+			jsonBytes, _ := json.Marshal(fileToWorkloads[expectedFile][0].GetObject())
+			s.Contains(string(jsonBytes), "\"imagePullPolicy\":\"Never\"", "Expected to overriden value of imagePullPolicy to be 'Never'")
+		}
+	}
+}
+
+func (s *HelmChartTestSuite) TestGetWorkloadsMissingValue() {
+	chart, _ := NewHelmChart(s.helmChartPath)
+
+	values := chart.GetDefaultValues()
+	delete(values, "image")
+
+	fileToWorkloads, errs := chart.GetWorkloads(values)
+	s.Nil(fileToWorkloads)
+	s.Len(errs, 1, "Expected an error due to missing value")
+
+	expectedErrMsg := "<.Values.image.repository>: nil pointer"
+	s.Containsf(errs[0].Error(), expectedErrMsg, "expected error containing %q, got %q", expectedErrMsg, errs[0])
+}
+
+func (s *HelmChartTestSuite) TestIsHelmDirectory() {
+	ok, err := IsHelmDirectory(s.helmChartPath)
+	s.True(ok)
+	s.NoError(err)
+
+	o, _ := os.Getwd()
+	nonHelmDir := filepath.Join(filepath.Dir(o), "../examples/online-boutique")
+	ok, err = IsHelmDirectory(nonHelmDir)
+	s.False(ok)
+	s.Contains(err.Error(), "no Chart.yaml exists in directory")
+}

core/cautils/localgitrepository.go

@@ -0,0 +1,246 @@
+package cautils
+
+import (
+	"fmt"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/armosec/go-git-url/apis"
+	gitv5 "github.com/go-git/go-git/v5"
+	configv5 "github.com/go-git/go-git/v5/config"
+	plumbingv5 "github.com/go-git/go-git/v5/plumbing"
+	git2go "github.com/libgit2/git2go/v33"
+)
+
+type LocalGitRepository struct {
+	goGitRepo        *gitv5.Repository
+	git2GoRepo       *git2go.Repository
+	head             *plumbingv5.Reference
+	config           *configv5.Config
+	fileToLastCommit map[string]*git2go.Commit
+}
+
+func NewLocalGitRepository(path string) (*LocalGitRepository, error) {
+	goGitRepo, err := gitv5.PlainOpenWithOptions(path, &gitv5.PlainOpenOptions{DetectDotGit: true})
+	if err != nil {
+		return nil, err
+	}
+
+	head, err := goGitRepo.Head()
+	if err != nil {
+		return nil, err
+	}
+
+	if !head.Name().IsBranch() {
+		return nil, fmt.Errorf("current HEAD reference is not a branch")
+	}
+
+	config, err := goGitRepo.Config()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(config.Remotes) == 0 {
+		return nil, fmt.Errorf("no remotes found")
+	}
+
+	l := &LocalGitRepository{
+		goGitRepo: goGitRepo,
+		head:      head,
+		config:    config,
+	}
+
+	if repoRoot, err := l.GetRootDir(); err == nil {
+		git2GoRepo, err := git2go.OpenRepository(repoRoot)
+		if err != nil {
+			return l, err
+		}
+		l.git2GoRepo = git2GoRepo
+	}
+
+	return l, nil
+}
+
+// GetBranchName get current branch name
+func (g *LocalGitRepository) GetBranchName() string {
+	return g.head.Name().Short()
+}
+
+// GetRemoteUrl get default remote URL
+func (g *LocalGitRepository) GetRemoteUrl() (string, error) {
+	branchName := g.GetBranchName()
+	if branchRef, branchFound := g.config.Branches[branchName]; branchFound {
+		remoteName := branchRef.Remote
+		if len(g.config.Remotes[remoteName].URLs) == 0 {
+			return "", fmt.Errorf("expected to find URLs for remote '%s', branch '%s'", remoteName, branchName)
+		}
+		return g.config.Remotes[remoteName].URLs[0], nil
+	}
+
+	const defaultRemoteName string = "origin"
+	if len(g.config.Remotes[defaultRemoteName].URLs) == 0 {
+		return "", fmt.Errorf("expected to find URLs for remote '%s'", defaultRemoteName)
+	}
+	return g.config.Remotes[defaultRemoteName].URLs[0], nil
+}
+
+// GetName get origin name without the .git suffix
+func (g *LocalGitRepository) GetName() (string, error) {
+	originUrl, err := g.GetRemoteUrl()
+	if err != nil {
+		return "", err
+	}
+	baseName := path.Base(originUrl)
+	// remove .git
+	return strings.TrimSuffix(baseName, ".git"), nil
+}
+
+// GetLastCommit get latest commit object
+func (g *LocalGitRepository) GetLastCommit() (*apis.Commit, error) {
+	cIter, err := g.goGitRepo.Log(&gitv5.LogOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	commit, err := cIter.Next()
+	defer cIter.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	return &apis.Commit{
+		SHA: commit.Hash.String(),
+		Author: apis.Committer{
+			Name:  commit.Author.Name,
+			Email: commit.Author.Email,
+			Date:  commit.Author.When,
+		},
+		Message:   commit.Message,
+		Committer: apis.Committer{},
+		Files:     []apis.Files{},
+	}, nil
+}
+
+func (g *LocalGitRepository) getAllCommits() ([]*git2go.Commit, error) {
+	logItr, itrErr := g.git2GoRepo.Walk()
+	if itrErr != nil {
+
+		return nil, itrErr
+	}
+
+	pushErr := logItr.PushHead()
+	if pushErr != nil {
+		return nil, pushErr
+	}
+
+	var allCommits []*git2go.Commit
+	err := logItr.Iterate(func(commit *git2go.Commit) bool {
+		if commit != nil {
+			allCommits = append(allCommits, commit)
+			return true
+		}
+		return false
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return allCommits, nil
+}
+
+func (g *LocalGitRepository) GetFileLastCommit(filePath string) (*apis.Commit, error) {
+	if len(g.fileToLastCommit) == 0 {
+		filePathToCommitTime := map[string]time.Time{}
+		filePathToCommit := map[string]*git2go.Commit{}
+		allCommits, _ := g.getAllCommits()
+
+		// builds a map of all files to their last commit
+		for _, commit := range allCommits {
+			// Ignore merge commits (2+ parents)
+			if commit.ParentCount() <= 1 {
+				tree, err := commit.Tree()
+				if err != nil {
+					continue
+				}
+
+				// ParentCount can be either 1 or 0 (initial commit)
+				// In case it's the initial commit, prevTree is nil
+				var prevTree *git2go.Tree
+				if commit.ParentCount() == 1 {
+					prevCommit := commit.Parent(0)
+					prevTree, err = prevCommit.Tree()
+					if err != nil {
+						continue
+					}
+				}
+
+				diff, err := g.git2GoRepo.DiffTreeToTree(prevTree, tree, nil)
+				if err != nil {
+					continue
+				}
+
+				numDeltas, err := diff.NumDeltas()
+				if err != nil {
+					continue
+				}
+
+				for i := 0; i < numDeltas; i++ {
+					delta, err := diff.Delta(i)
+					if err != nil {
+						continue
+					}
+
+					deltaFilePath := delta.NewFile.Path
+					commitTime := commit.Author().When
+
+					// In case we have the commit information for the file which is not the latest - we override it
+					if currentCommitTime, exists := filePathToCommitTime[deltaFilePath]; exists {
+						if currentCommitTime.Before(commitTime) {
+							filePathToCommitTime[deltaFilePath] = commitTime
+							filePathToCommit[deltaFilePath] = commit
+						}
+					} else {
+						filePathToCommitTime[deltaFilePath] = commitTime
+						filePathToCommit[deltaFilePath] = commit
+					}
+				}
+			}
+		}
+		g.fileToLastCommit = filePathToCommit
+	}
+
+	if relevantCommit, exists := g.fileToLastCommit[filePath]; exists {
+		return g.getCommit(relevantCommit), nil
+	}
+
+	return nil, fmt.Errorf("failed to get commit information for file: %s", filePath)
+}
+
+func (g *LocalGitRepository) getCommit(commit *git2go.Commit) *apis.Commit {
+	return &apis.Commit{
+		SHA: commit.Id().String(),
+		Author: apis.Committer{
+			Name:  commit.Author().Name,
+			Email: commit.Author().Email,
+			Date:  commit.Author().When,
+		},
+		Message:   commit.Message(),
+		Committer: apis.Committer{},
+		Files:     []apis.Files{},
+	}
+}
+
+func (g *LocalGitRepository) GetRootDir() (string, error) {
+	wt, err := g.goGitRepo.Worktree()
+	if err != nil {
+		return "", fmt.Errorf("failed to get repo root")
+	}
+
+	return wt.Filesystem.Root(), nil
+}

core/cautils/localgitrepository_test.go

@@ -0,0 +1,175 @@
+package cautils
+
+import (
+	"archive/zip"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+var TEST_REPOS = [...]string{"localrepo", "withoutremotes"}
+
+type LocalGitRepositoryTestSuite struct {
+	suite.Suite
+	archives           map[string]*zip.ReadCloser
+	gitRepositoryPaths map[string]string
+	destinationPath    string
+}
+
+func unzipFile(zipPath, destinationFolder string) (*zip.ReadCloser, error) {
+	archive, err := zip.OpenReader(zipPath)
+	if err != nil {
+		return nil, err
+	}
+	for _, f := range archive.File {
+		filePath := filepath.Join(destinationFolder, f.Name)
+		if !strings.HasPrefix(filePath, filepath.Clean(destinationFolder)+string(os.PathSeparator)) {
+			return nil, fmt.Errorf("invalid file path")
+		}
+		if f.FileInfo().IsDir() {
+			os.MkdirAll(filePath, os.ModePerm)
+			continue
+		}
+
+		if err := os.MkdirAll(filepath.Dir(filePath), os.ModePerm); err != nil {
+			return nil, err
+		}
+
+		dstFile, err := os.OpenFile(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
+		if err != nil {
+			return nil, err
+		}
+
+		fileInArchive, err := f.Open()
+		if err != nil {
+			return nil, err
+		}
+
+		if _, err := io.Copy(dstFile, fileInArchive); err != nil {
+			return nil, err
+		}
+
+		dstFile.Close()
+		fileInArchive.Close()
+	}
+
+	return archive, err
+
+}
+
+func (s *LocalGitRepositoryTestSuite) SetupSuite() {
+	s.archives = make(map[string]*zip.ReadCloser)
+	s.gitRepositoryPaths = make(map[string]string)
+
+	destinationPath := filepath.Join(".", "testdata", "temp")
+	s.destinationPath = destinationPath
+	os.RemoveAll(destinationPath)
+	for _, repo := range TEST_REPOS {
+		zippedFixturePath := filepath.Join(".", "testdata", repo+".git")
+		gitRepositoryPath := filepath.Join(destinationPath, repo)
+		archive, err := unzipFile(zippedFixturePath, destinationPath)
+
+		if err == nil {
+			s.archives[repo] = archive
+			s.gitRepositoryPaths[repo] = gitRepositoryPath
+		}
+	}
+}
+
+func TestLocalGitRepositoryTestSuite(t *testing.T) {
+	suite.Run(t, new(LocalGitRepositoryTestSuite))
+}
+
+func (s *LocalGitRepositoryTestSuite) TearDownSuite() {
+	if s.archives != nil {
+		for _, archive := range s.archives {
+			if archive != nil {
+				archive.Close()
+			}
+		}
+	}
+
+	os.RemoveAll(s.destinationPath)
+}
+
+func (s *LocalGitRepositoryTestSuite) TestInvalidRepositoryPath() {
+	if _, err := NewLocalGitRepository("/invalidpath"); s.Error(err) {
+		s.Equal("repository does not exist", err.Error())
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestRepositoryWithoutRemotes() {
+	if _, err := NewLocalGitRepository(s.gitRepositoryPaths["withoutremotes"]); s.Error(err) {
+		s.Equal("no remotes found", err.Error())
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestGetBranchName() {
+	if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+		s.Equal("master", localRepo.GetBranchName())
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestGetName() {
+	if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+		if name, err := localRepo.GetName(); s.NoError(err) {
+			s.Equal("localrepo", name)
+		}
+
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestGetOriginUrl() {
+	if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+		if url, err := localRepo.GetRemoteUrl(); s.NoError(err) {
+			s.Equal("git@github.com:testuser/localrepo", url)
+		}
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestGetLastCommit() {
+	if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+		if commit, err := localRepo.GetLastCommit(); s.NoError(err) {
+			s.Equal("7e09312b8017695fadcd606882e3779f10a5c832", commit.SHA)
+			s.Equal("Amir Malka", commit.Author.Name)
+			s.Equal("amirm@armosec.io", commit.Author.Email)
+			s.Equal("2022-05-22 19:11:57 +0300 +0300", commit.Author.Date.String())
+			s.Equal("added file B\n", commit.Message)
+		}
+	}
+}
+
+func (s *LocalGitRepositoryTestSuite) TestGetFileLastCommit() {
+	s.Run("fileA", func() {
+		if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+
+			if commit, err := localRepo.GetFileLastCommit("fileA"); s.NoError(err) {
+				s.Equal("9fae4be19624297947d2b605cefbff516628612d", commit.SHA)
+				s.Equal("Amir Malka", commit.Author.Name)
+				s.Equal("amirm@armosec.io", commit.Author.Email)
+				s.Equal("2022-05-22 18:55:48 +0300 +0300", commit.Author.Date.String())
+				s.Equal("added file A\n", commit.Message)
+			}
+
+		}
+	})
+
+	s.Run("fileB", func() {
+		if localRepo, err := NewLocalGitRepository(s.gitRepositoryPaths["localrepo"]); s.NoError(err) {
+
+			if commit, err := localRepo.GetFileLastCommit("dirA/fileB"); s.NoError(err) {
+				s.Equal("7e09312b8017695fadcd606882e3779f10a5c832", commit.SHA)
+				s.Equal("Amir Malka", commit.Author.Name)
+				s.Equal("amirm@armosec.io", commit.Author.Email)
+				s.Equal("2022-05-22 19:11:57 +0300 +0300", commit.Author.Date.String())
+				s.Equal("added file B\n", commit.Message)
+			}
+
+		}
+	})
+}

core/cautils/rbac.go

@@ -0,0 +1,137 @@
+package cautils
+
+import (
+	"encoding/json"
+	"time"
+
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+
+	"github.com/google/uuid"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/rbac-utils/rbacscanner"
+	"github.com/kubescape/rbac-utils/rbacutils"
+)
+
+type RBACObjects struct {
+	scanner *rbacscanner.RbacScannerFromK8sAPI
+}
+
+func NewRBACObjects(scanner *rbacscanner.RbacScannerFromK8sAPI) *RBACObjects {
+	return &RBACObjects{scanner: scanner}
+}
+
+func (rbacObjects *RBACObjects) SetResourcesReport() (*reporthandlingv2.PostureReport, error) {
+	return &reporthandlingv2.PostureReport{
+		ReportID:             uuid.NewString(),
+		ReportGenerationTime: time.Now().UTC(),
+		CustomerGUID:         rbacObjects.scanner.CustomerGUID,
+		ClusterName:          rbacObjects.scanner.ClusterName,
+		Metadata: reporthandlingv2.Metadata{
+			ContextMetadata: reporthandlingv2.ContextMetadata{
+				ClusterContextMetadata: &reporthandlingv2.ClusterMetadata{
+					ContextName: rbacObjects.scanner.ClusterName,
+				},
+			},
+		},
+	}, nil
+}
+
+func (rbacObjects *RBACObjects) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
+	resources, err := rbacObjects.scanner.ListResources()
+	if err != nil {
+		return nil, err
+	}
+	allresources, err := rbacObjects.rbacObjectsToResources(resources)
+	if err != nil {
+		return nil, err
+	}
+	return allresources, nil
+}
+
+func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.RbacObjects) (map[string]workloadinterface.IMetadata, error) {
+	allresources := map[string]workloadinterface.IMetadata{}
+
+	/*
+		************************************************************************************************************************
+			This code is adding a non valid ID ->
+				(github.com/kubescape/opa-utils v0.0.11): "//SA2WLIDmap/SA2WLIDmap"
+				(github.com/kubescape/opa-utils v0.0.12): "armo.rbac.com/v0beta1//SAID2WLIDmap/SAID2WLIDmap"
+
+			Should be investigated
+		************************************************************************************************************************
+	*/
+
+	// wrap rbac aggregated objects in IMetadata and add to AllResources
+	// TODO - DEPRECATE SA2WLIDmap
+	m, err := rbacutils.SA2WLIDmapIMetadataWrapper(resources.SA2WLIDmap)
+	if err != nil {
+		return nil, err
+	}
+
+	sa2WLIDmapIMeta := workloadinterface.NewBaseObject(m)
+	allresources[sa2WLIDmapIMeta.GetID()] = sa2WLIDmapIMeta
+
+	m2, err := rbacutils.SAID2WLIDmapIMetadataWrapper(resources.SAID2WLIDmap)
+	if err != nil {
+		return nil, err
+	}
+
+	saID2WLIDmapIMeta := workloadinterface.NewBaseObject(m2)
+	allresources[saID2WLIDmapIMeta.GetID()] = saID2WLIDmapIMeta
+
+	// convert rbac k8s resources to IMetadata and add to allresources
+	for _, cr := range resources.ClusterRoles.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("ClusterRole")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.Roles.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("Role")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.ClusterRoleBindings.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("ClusterRoleBinding")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	for _, cr := range resources.RoleBindings.Items {
+		crmap, err := convertToMap(cr)
+		if err != nil {
+			return nil, err
+		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crIMeta := workloadinterface.NewWorkloadObj(crmap)
+		crIMeta.SetKind("RoleBinding")
+		allresources[crIMeta.GetID()] = crIMeta
+	}
+	return allresources, nil
+}
+
+func convertToMap(obj interface{}) (map[string]interface{}, error) {
+	var inInterface map[string]interface{}
+	inrec, err := json.Marshal(obj)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(inrec, &inInterface)
+	if err != nil {
+		return nil, err
+	}
+	return inInterface, nil
+}

core/cautils/reportv2tov1.go

@@ -0,0 +1,117 @@
+package cautils
+
+import (
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/reporthandling"
+	helpersv1 "github.com/kubescape/opa-utils/reporthandling/helpers/v1"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+)
+
+func ReportV2ToV1(opaSessionObj *OPASessionObj) *reporthandling.PostureReport {
+	report := &reporthandling.PostureReport{}
+
+	frameworks := []reporthandling.FrameworkReport{}
+
+	if len(opaSessionObj.Report.SummaryDetails.Frameworks) > 0 {
+		for _, fwv2 := range opaSessionObj.Report.SummaryDetails.Frameworks {
+			fwv1 := reporthandling.FrameworkReport{}
+			fwv1.Name = fwv2.GetName()
+			fwv1.Score = fwv2.GetScore()
+			fwv1.ControlReports = append(fwv1.ControlReports, controlReportV2ToV1(opaSessionObj, fwv2.GetName(), fwv2.Controls)...)
+			frameworks = append(frameworks, fwv1)
+
+		}
+	} else {
+		fwv1 := reporthandling.FrameworkReport{}
+		fwv1.Name = ""
+
+		fwv1.ControlReports = append(fwv1.ControlReports, controlReportV2ToV1(opaSessionObj, "", opaSessionObj.Report.SummaryDetails.Controls)...)
+		frameworks = append(frameworks, fwv1)
+		fwv1.Score = opaSessionObj.Report.SummaryDetails.Score
+	}
+
+	// setup counters and score
+	for f := range frameworks {
+		// set counters
+		reporthandling.SetUniqueResourcesCounter(&frameworks[f])
+	}
+
+	report.FrameworkReports = frameworks
+	return report
+}
+
+func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, controls map[string]reportsummary.ControlSummary) []reporthandling.ControlReport {
+	controlRepors := []reporthandling.ControlReport{}
+	for controlID, crv2 := range controls {
+		crv1 := reporthandling.ControlReport{}
+		crv1.ControlID = controlID
+		crv1.BaseScore = crv2.ScoreFactor
+		crv1.Name = crv2.GetName()
+		crv1.Score = crv2.GetScore()
+		crv1.Control_ID = controlID
+
+		// TODO - add fields
+		crv1.Description = crv2.Description
+		crv1.Remediation = crv2.Remediation
+
+		rulesv1 := map[string]reporthandling.RuleReport{}
+
+		for _, resourceID := range crv2.ListResourcesIDs().All() {
+			if result, ok := opaSessionObj.ResourcesResult[resourceID]; ok {
+				for _, rulev2 := range result.ListRulesOfControl(crv2.GetID(), "") {
+
+					if _, ok := rulesv1[rulev2.GetName()]; !ok {
+						rulesv1[rulev2.GetName()] = reporthandling.RuleReport{
+							Name: rulev2.GetName(),
+							RuleStatus: reporthandling.RuleStatus{
+								Status: "success",
+							},
+						}
+					}
+
+					rulev1 := rulesv1[rulev2.GetName()]
+					status := rulev2.GetStatus(&helpersv1.Filters{FrameworkNames: []string{frameworkName}})
+
+					if status.IsFailed() || status.IsExcluded() {
+
+						// rule response
+						ruleResponse := reporthandling.RuleResponse{}
+						ruleResponse.Rulename = rulev2.GetName()
+						for i := range rulev2.Paths {
+							if rulev2.Paths[i].FailedPath != "" {
+								ruleResponse.FailedPaths = append(ruleResponse.FailedPaths, rulev2.Paths[i].FailedPath)
+							}
+							if rulev2.Paths[i].FixPath.Path != "" {
+								ruleResponse.FixPaths = append(ruleResponse.FixPaths, rulev2.Paths[i].FixPath)
+							}
+						}
+						ruleResponse.RuleStatus = string(status.Status())
+						if len(rulev2.Exception) > 0 {
+							ruleResponse.Exception = &rulev2.Exception[0]
+						}
+
+						if fullRessource, ok := opaSessionObj.AllResources[resourceID]; ok {
+							tmp := fullRessource.GetObject()
+							workloadinterface.RemoveFromMap(tmp, "spec")
+							ruleResponse.AlertObject.K8SApiObjects = append(ruleResponse.AlertObject.K8SApiObjects, tmp)
+						}
+						rulev1.RuleResponses = append(rulev1.RuleResponses, ruleResponse)
+					}
+
+					rulev1.ListInputKinds = append(rulev1.ListInputKinds, resourceID)
+					rulesv1[rulev2.GetName()] = rulev1
+				}
+			}
+		}
+		if len(rulesv1) > 0 {
+			for i := range rulesv1 {
+				crv1.RuleReports = append(crv1.RuleReports, rulesv1[i])
+			}
+		}
+		if len(crv1.RuleReports) == 0 {
+			crv1.RuleReports = []reporthandling.RuleReport{}
+		}
+		controlRepors = append(controlRepors, crv1)
+	}
+	return controlRepors
+}

core/cautils/rootinfo.go

@@ -0,0 +1,18 @@
+package cautils
+
+type RootInfo struct {
+	Logger       string // logger level
+	LoggerName   string // logger name ("pretty"/"zap"/"none")
+	CacheDir     string // cached dir
+	DisableColor bool   // Disable Color
+
+	KSCloudBEURLs    string // Kubescape Cloud URL
+	KSCloudBEURLsDep string // Kubescape Cloud URL
+
+}
+
+type Credentials struct {
+	Account   string
+	ClientID  string
+	SecretKey string
+}

core/cautils/scaninfo.go

@@ -0,0 +1,451 @@
+package cautils
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+
+	giturl "github.com/armosec/go-git-url"
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/opa-utils/reporthandling"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+
+	"github.com/google/uuid"
+)
+
+type ScanningContext string
+
+const (
+	ContextCluster  ScanningContext = "cluster"
+	ContextFile     ScanningContext = "single-file"
+	ContextDir      ScanningContext = "local-dir"
+	ContextGitURL   ScanningContext = "git-url"
+	ContextGitLocal ScanningContext = "git-local"
+)
+
+const ( // deprecated
+	ScopeCluster = "cluster"
+	ScopeYAML    = "yaml"
+)
+const (
+	// ScanCluster                string = "cluster"
+	// ScanLocalFiles             string = "yaml"
+	localControlInputsFilename string = "controls-inputs.json"
+	localExceptionsFilename    string = "exceptions.json"
+)
+
+type BoolPtrFlag struct {
+	valPtr *bool
+}
+
+func NewBoolPtr(b *bool) BoolPtrFlag {
+	return BoolPtrFlag{valPtr: b}
+}
+
+func (bpf *BoolPtrFlag) Type() string {
+	return "bool"
+}
+
+func (bpf *BoolPtrFlag) String() string {
+	if bpf.valPtr != nil {
+		return fmt.Sprintf("%v", *bpf.valPtr)
+	}
+	return ""
+}
+func (bpf *BoolPtrFlag) Get() *bool {
+	return bpf.valPtr
+}
+func (bpf *BoolPtrFlag) GetBool() bool {
+	if bpf.valPtr == nil {
+		return false
+	}
+	return *bpf.valPtr
+}
+
+func (bpf *BoolPtrFlag) SetBool(val bool) {
+	bpf.valPtr = &val
+}
+
+func (bpf *BoolPtrFlag) Set(val string) error {
+	switch val {
+	case "true":
+		bpf.SetBool(true)
+	case "false":
+		bpf.SetBool(false)
+	}
+	return nil
+}
+
+// TODO - UPDATE
+type ViewTypes string
+
+const (
+	ResourceViewType ViewTypes = "resource"
+	ControlViewType  ViewTypes = "control"
+)
+
+type PolicyIdentifier struct {
+	Name        string                        // policy name e.g. nsa,mitre,c-0012
+	Kind        apisv1.NotificationPolicyKind // policy kind e.g. Framework,Control,Rule
+	Designators armotypes.PortalDesignator
+}
+
+type ScanInfo struct {
+	Getters                               // TODO - remove from object
+	PolicyIdentifier   []PolicyIdentifier // TODO - remove from object
+	UseExceptions      string             // Load file with exceptions configuration
+	ControlsInputs     string             // Load file with inputs for controls
+	UseFrom            []string           // Load framework from local file (instead of download). Use when running offline
+	UseDefault         bool               // Load framework from cached file (instead of download). Use when running offline
+	UseArtifactsFrom   string             // Load artifacts from local path. Use when running offline
+	VerboseMode        bool               // Display all of the input resources and not only failed resources
+	View               string             // Display all of the input resources and not only failed resources
+	Format             string             // Format results (table, json, junit ...)
+	Output             string             // Store results in an output file, Output file name
+	FormatVersion      string             // Output object can be differnet between versions, this is for testing and backward compatibility
+	ExcludedNamespaces string             // used for host scanner namespace
+	IncludeNamespaces  string             //
+	InputPatterns      []string           // Yaml files input patterns
+	Silent             bool               // Silent mode - Do not print progress logs
+	FailThreshold      float32            // Failure score threshold
+	Submit             bool               // Submit results to Kubescape Cloud BE
+	ScanID             string             // Report id of the current scan
+	HostSensorEnabled  BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
+	HostSensorYamlPath string             // Path to hostsensor file
+	Local              bool               // Do not submit results
+	Credentials        Credentials        // account ID
+	KubeContext        string             // context name
+	FrameworkScan      bool               // false if scanning control
+	ScanAll            bool               // true if scan all frameworks
+}
+
+type Getters struct {
+	ExceptionsGetter     getter.IExceptionsGetter
+	ControlsInputsGetter getter.IControlsInputsGetter
+	PolicyGetter         getter.IPolicyGetter
+}
+
+func (scanInfo *ScanInfo) Init() {
+	scanInfo.setUseFrom()
+	scanInfo.setOutputFile()
+	scanInfo.setUseArtifactsFrom()
+	if scanInfo.ScanID == "" {
+		scanInfo.ScanID = uuid.NewString()
+	}
+
+}
+
+func (scanInfo *ScanInfo) setUseArtifactsFrom() {
+	if scanInfo.UseArtifactsFrom == "" {
+		return
+	}
+	// UseArtifactsFrom must be a path without a filename
+	dir, file := filepath.Split(scanInfo.UseArtifactsFrom)
+	if dir == "" {
+		scanInfo.UseArtifactsFrom = file
+	} else if strings.Contains(file, ".json") {
+		scanInfo.UseArtifactsFrom = dir
+	}
+	// set frameworks files
+	files, err := ioutil.ReadDir(scanInfo.UseArtifactsFrom)
+	if err != nil {
+		logger.L().Fatal("failed to read files from directory", helpers.String("dir", scanInfo.UseArtifactsFrom), helpers.Error(err))
+	}
+	framework := &reporthandling.Framework{}
+	for _, f := range files {
+		filePath := filepath.Join(scanInfo.UseArtifactsFrom, f.Name())
+		file, err := os.ReadFile(filePath)
+		if err == nil {
+			if err := json.Unmarshal(file, framework); err == nil {
+				scanInfo.UseFrom = append(scanInfo.UseFrom, filepath.Join(scanInfo.UseArtifactsFrom, f.Name()))
+			}
+		}
+	}
+	// set config-inputs file
+	scanInfo.ControlsInputs = filepath.Join(scanInfo.UseArtifactsFrom, localControlInputsFilename)
+	// set exceptions
+	scanInfo.UseExceptions = filepath.Join(scanInfo.UseArtifactsFrom, localExceptionsFilename)
+}
+
+func (scanInfo *ScanInfo) setUseFrom() {
+	if scanInfo.UseDefault {
+		for _, policy := range scanInfo.PolicyIdentifier {
+			scanInfo.UseFrom = append(scanInfo.UseFrom, getter.GetDefaultPath(policy.Name+".json"))
+		}
+	}
+}
+
+func (scanInfo *ScanInfo) setOutputFile() {
+	if scanInfo.Output == "" {
+		return
+	}
+	if scanInfo.Format == "json" {
+		if filepath.Ext(scanInfo.Output) != ".json" {
+			scanInfo.Output += ".json"
+		}
+	}
+	if scanInfo.Format == "junit" {
+		if filepath.Ext(scanInfo.Output) != ".xml" {
+			scanInfo.Output += ".xml"
+		}
+	}
+	if scanInfo.Format == "pdf" {
+		if filepath.Ext(scanInfo.Output) != ".pdf" {
+			scanInfo.Output += ".pdf"
+		}
+	}
+}
+
+// func (scanInfo *ScanInfo) GetScanningEnvironment() string {
+// 	if len(scanInfo.InputPatterns) != 0 {
+// 		return ScanLocalFiles
+// 	}
+// 	return ScanCluster
+// }
+
+func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind apisv1.NotificationPolicyKind) {
+	for _, policy := range policies {
+		if !scanInfo.contains(policy) {
+			newPolicy := PolicyIdentifier{}
+			newPolicy.Kind = kind
+			newPolicy.Name = policy
+			scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
+		}
+	}
+}
+
+func (scanInfo *ScanInfo) contains(policyName string) bool {
+	for _, policy := range scanInfo.PolicyIdentifier {
+		if policy.Name == policyName {
+			return true
+		}
+	}
+	return false
+}
+
+func scanInfoToScanMetadata(scanInfo *ScanInfo) *reporthandlingv2.Metadata {
+	metadata := &reporthandlingv2.Metadata{}
+
+	metadata.ScanMetadata.Format = scanInfo.Format
+	metadata.ScanMetadata.FormatVersion = scanInfo.FormatVersion
+	metadata.ScanMetadata.Submit = scanInfo.Submit
+
+	// TODO - Add excluded and included namespaces
+	// if len(scanInfo.ExcludedNamespaces) > 1 {
+	// 	opaSessionObj.Metadata.ScanMetadata.ExcludedNamespaces = strings.Split(scanInfo.ExcludedNamespaces[1:], ",")
+	// }
+	// if len(scanInfo.IncludeNamespaces) > 1 {
+	// 	opaSessionObj.Metadata.ScanMetadata.IncludeNamespaces = strings.Split(scanInfo.IncludeNamespaces[1:], ",")
+	// }
+
+	// scan type
+	if len(scanInfo.PolicyIdentifier) > 0 {
+		metadata.ScanMetadata.TargetType = string(scanInfo.PolicyIdentifier[0].Kind)
+	}
+	// append frameworks
+	for _, policy := range scanInfo.PolicyIdentifier {
+		metadata.ScanMetadata.TargetNames = append(metadata.ScanMetadata.TargetNames, policy.Name)
+	}
+
+	metadata.ScanMetadata.KubescapeVersion = BuildNumber
+	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
+	metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
+	metadata.ScanMetadata.HostScanner = scanInfo.HostSensorEnabled.GetBool()
+	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
+	metadata.ScanMetadata.ControlsInputs = scanInfo.ControlsInputs
+
+	inputFiles := ""
+	if len(scanInfo.InputPatterns) > 0 {
+		inputFiles = scanInfo.InputPatterns[0]
+	}
+	switch GetScanningContext(inputFiles) {
+	case ContextCluster:
+		// cluster
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Cluster
+	case ContextFile:
+		// local file
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.File
+	case ContextGitURL:
+		// url
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Repo
+	case ContextGitLocal:
+		// local-git
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.GitLocal
+	case ContextDir:
+		// directory
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Directory
+
+	}
+
+	setContextMetadata(&metadata.ContextMetadata, inputFiles)
+
+	return metadata
+}
+
+func (scanInfo *ScanInfo) GetScanningContext() ScanningContext {
+	input := ""
+	if len(scanInfo.InputPatterns) > 0 {
+		input = scanInfo.InputPatterns[0]
+	}
+	return GetScanningContext(input)
+}
+
+// GetScanningContext get scanning context from the input param
+func GetScanningContext(input string) ScanningContext {
+	//  cluster
+	if input == "" {
+		return ContextCluster
+	}
+
+	// url
+	if _, err := giturl.NewGitURL(input); err == nil {
+		return ContextGitURL
+	}
+
+	if !filepath.IsAbs(input) { // parse path
+		if o, err := os.Getwd(); err == nil {
+			input = filepath.Join(o, input)
+		}
+	}
+
+	// local git repo
+	if _, err := NewLocalGitRepository(input); err == nil {
+		return ContextGitLocal
+	}
+
+	//  single file
+	if IsFile(input) {
+		return ContextFile
+	}
+
+	//  dir/glob
+	return ContextDir
+}
+func setContextMetadata(contextMetadata *reporthandlingv2.ContextMetadata, input string) {
+	switch GetScanningContext(input) {
+	case ContextCluster:
+		contextMetadata.ClusterContextMetadata = &reporthandlingv2.ClusterMetadata{
+			ContextName: k8sinterface.GetContextName(),
+		}
+	case ContextGitURL:
+		// url
+		context, err := metadataGitURL(input)
+		if err != nil {
+			logger.L().Warning("in setContextMetadata", helpers.Interface("case", ContextGitURL), helpers.Error(err))
+		}
+		contextMetadata.RepoContextMetadata = context
+	case ContextDir:
+		contextMetadata.DirectoryContextMetadata = &reporthandlingv2.DirectoryContextMetadata{
+			BasePath: getAbsPath(input),
+			HostName: getHostname(),
+		}
+	case ContextFile:
+		contextMetadata.FileContextMetadata = &reporthandlingv2.FileContextMetadata{
+			FilePath: getAbsPath(input),
+			HostName: getHostname(),
+		}
+	case ContextGitLocal:
+		// local
+		context, err := metadataGitLocal(input)
+		if err != nil {
+			logger.L().Warning("in setContextMetadata", helpers.Interface("case", ContextGitURL), helpers.Error(err))
+		}
+		contextMetadata.RepoContextMetadata = context
+	}
+}
+
+func metadataGitURL(input string) (*reporthandlingv2.RepoContextMetadata, error) {
+	context := &reporthandlingv2.RepoContextMetadata{}
+	gitParser, err := giturl.NewGitAPI(input)
+	if err != nil {
+		return context, fmt.Errorf("%w", err)
+	}
+	if gitParser.GetBranchName() == "" {
+		gitParser.SetDefaultBranchName()
+	}
+	context.Provider = gitParser.GetProvider()
+	context.Repo = gitParser.GetRepoName()
+	context.Owner = gitParser.GetOwnerName()
+	context.Branch = gitParser.GetBranchName()
+	context.RemoteURL = gitParser.GetURL().String()
+
+	commit, err := gitParser.GetLatestCommit()
+	if err != nil {
+		return context, fmt.Errorf("%w", err)
+	}
+
+	context.LastCommit = reporthandling.LastCommit{
+		Hash:          commit.SHA,
+		Date:          commit.Committer.Date,
+		CommitterName: commit.Committer.Name,
+	}
+
+	return context, nil
+}
+
+func metadataGitLocal(input string) (*reporthandlingv2.RepoContextMetadata, error) {
+	gitParser, err := NewLocalGitRepository(input)
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+	remoteURL, err := gitParser.GetRemoteUrl()
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+	context := &reporthandlingv2.RepoContextMetadata{}
+	gitParserURL, err := giturl.NewGitURL(remoteURL)
+	if err != nil {
+		return context, fmt.Errorf("%w", err)
+	}
+	gitParserURL.SetBranchName(gitParser.GetBranchName())
+
+	context.Provider = gitParserURL.GetProvider()
+	context.Repo = gitParserURL.GetRepoName()
+	context.Owner = gitParserURL.GetOwnerName()
+	context.Branch = gitParserURL.GetBranchName()
+	context.RemoteURL = gitParserURL.GetURL().String()
+
+	commit, err := gitParser.GetLastCommit()
+	if err != nil {
+		return context, fmt.Errorf("%w", err)
+	}
+	context.LastCommit = reporthandling.LastCommit{
+		Hash:          commit.SHA,
+		Date:          commit.Committer.Date,
+		CommitterName: commit.Committer.Name,
+	}
+
+	return context, nil
+}
+func getHostname() string {
+	if h, e := os.Hostname(); e == nil {
+		return h
+	}
+	return ""
+}
+
+func getAbsPath(p string) string {
+	if !filepath.IsAbs(p) { // parse path
+		if o, err := os.Getwd(); err == nil {
+			return filepath.Join(o, p)
+		}
+	}
+	return p
+}
+
+// ScanningContextToScanningScope convert the context to the deprecated scope
+func ScanningContextToScanningScope(scanningContext ScanningContext) string {
+	if scanningContext == ContextCluster {
+		return ScopeCluster
+	}
+	return ScopeYAML
+}

core/cautils/scaninfo_test.go

@@ -0,0 +1,44 @@
+package cautils
+
+import (
+	"testing"
+
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSetContextMetadata(t *testing.T) {
+	{
+		ctx := reporthandlingv2.ContextMetadata{}
+		setContextMetadata(&ctx, "")
+
+		assert.NotNil(t, ctx.ClusterContextMetadata)
+		assert.Nil(t, ctx.DirectoryContextMetadata)
+		assert.Nil(t, ctx.FileContextMetadata)
+		assert.Nil(t, ctx.HelmContextMetadata)
+		assert.Nil(t, ctx.RepoContextMetadata)
+	}
+	{
+		ctx := reporthandlingv2.ContextMetadata{}
+		setContextMetadata(&ctx, "https://github.com/armosec/kubescape")
+
+		assert.Nil(t, ctx.ClusterContextMetadata)
+		assert.Nil(t, ctx.DirectoryContextMetadata)
+		assert.Nil(t, ctx.FileContextMetadata)
+		assert.Nil(t, ctx.HelmContextMetadata)
+		assert.NotNil(t, ctx.RepoContextMetadata)
+
+		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Repo)
+		assert.Equal(t, "armosec", ctx.RepoContextMetadata.Owner)
+		assert.Equal(t, "master", ctx.RepoContextMetadata.Branch)
+	}
+}
+
+func TestGetHostname(t *testing.T) {
+	assert.NotEqual(t, "", getHostname())
+}
+
+func TestGetScanningContext(t *testing.T) {
+	assert.Equal(t, ContextCluster, GetScanningContext(""))
+	assert.Equal(t, ContextGitURL, GetScanningContext("https://github.com/armosec/kubescape"))
+}

core/cautils/testdata/helm_expected_default_values.json

@@ -0,0 +1,40 @@
+{
+    "affinity": {},
+    "configMap": {
+      "create": false,
+      "params": {
+        "clusterName": "<MyK8sClusterName>",
+        "customerGUID": "<MyGUID>"
+      }
+    },
+    "fullnameOverride": "",
+    "image": {
+      "imageName": "kubescape",
+      "pullPolicy": "Always",
+      "repository": "quay.io/armosec",
+      "tag": "latest"
+    },
+    "imagePullSecrets": [],
+    "nameOverride": "",
+    "nodeSelector": {},
+    "podAnnotations": {},
+    "podSecurityContext": {},
+    "resources": {
+      "limits": {
+        "cpu": "500m",
+        "memory": "512Mi"
+      },
+      "requests": {
+        "cpu": "200m",
+        "memory": "256Mi"
+      }
+    },
+    "schedule": "* * 1 * *",
+    "securityContext": {},
+    "serviceAccount": {
+      "annotations": {},
+      "create": true,
+      "name": "kubescape-discovery"
+    },
+    "tolerations": []
+}

core/cautils/versioncheck.go

@@ -0,0 +1,150 @@
+package cautils
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	"github.com/armosec/utils-go/boolutils"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"golang.org/x/mod/semver"
+)
+
+const SKIP_VERSION_CHECK_DEPRECATED = "KUBESCAPE_SKIP_UPDATE_CHECK"
+const SKIP_VERSION_CHECK = "KS_SKIP_UPDATE_CHECK"
+
+var BuildNumber string
+var Client string
+
+const UnknownBuildNumber = "unknown"
+
+type IVersionCheckHandler interface {
+	CheckLatestVersion(*VersionCheckRequest) error
+}
+
+func NewIVersionCheckHandler() IVersionCheckHandler {
+	if BuildNumber == "" {
+		logger.L().Warning("unknown build number, this might affect your scan results. Please make sure you are updated to latest version")
+	}
+	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && boolutils.StringToBool(v) {
+		return NewVersionCheckHandlerMock()
+	} else if v, ok := os.LookupEnv(SKIP_VERSION_CHECK_DEPRECATED); ok && boolutils.StringToBool(v) {
+		return NewVersionCheckHandlerMock()
+	}
+	return NewVersionCheckHandler()
+}
+
+type VersionCheckHandlerMock struct {
+}
+
+func NewVersionCheckHandlerMock() *VersionCheckHandlerMock {
+	return &VersionCheckHandlerMock{}
+}
+
+type VersionCheckHandler struct {
+	versionURL string
+}
+type VersionCheckRequest struct {
+	Client           string `json:"client"`           // kubescape
+	ClientBuild      string `json:"clientBuild"`      // client build environment
+	ClientVersion    string `json:"clientVersion"`    // kubescape version
+	Framework        string `json:"framework"`        // framework name
+	FrameworkVersion string `json:"frameworkVersion"` // framework version
+	ScanningTarget   string `json:"target"`           // Deprecated
+	ScanningContext  string `json:"context"`          // scanning context- cluster/file/gitURL/localGit/dir
+}
+
+type VersionCheckResponse struct {
+	Client          string `json:"client"`          // kubescape
+	ClientUpdate    string `json:"clientUpdate"`    // kubescape latest version
+	Framework       string `json:"framework"`       // framework name
+	FrameworkUpdate string `json:"frameworkUpdate"` // framework latest version
+	Message         string `json:"message"`         // alert message
+}
+
+func NewVersionCheckHandler() *VersionCheckHandler {
+	return &VersionCheckHandler{
+		versionURL: "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
+	}
+}
+func NewVersionCheckRequest(buildNumber, frameworkName, frameworkVersion, scanningTarget string) *VersionCheckRequest {
+	if buildNumber == "" {
+		buildNumber = UnknownBuildNumber
+	}
+	if scanningTarget == "" {
+		scanningTarget = "unknown"
+	}
+	if Client == "" {
+		Client = "local-build"
+	}
+	return &VersionCheckRequest{
+		Client:           "kubescape",
+		ClientBuild:      Client,
+		ClientVersion:    buildNumber,
+		Framework:        frameworkName,
+		FrameworkVersion: frameworkVersion,
+		ScanningTarget:   scanningTarget,
+	}
+}
+
+func (v *VersionCheckHandlerMock) CheckLatestVersion(versionData *VersionCheckRequest) error {
+	logger.L().Info("Skipping version check")
+	return nil
+}
+
+func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckRequest) error {
+	defer func() {
+		if err := recover(); err != nil {
+			logger.L().Warning("failed to get latest version", helpers.Interface("error", err))
+		}
+	}()
+
+	latestVersion, err := v.getLatestVersion(versionData)
+	if err != nil || latestVersion == nil {
+		return fmt.Errorf("failed to get latest version")
+	}
+
+	if latestVersion.ClientUpdate != "" {
+		if BuildNumber != "" && semver.Compare(BuildNumber, latestVersion.ClientUpdate) == -1 {
+			logger.L().Warning(warningMessage(latestVersion.ClientUpdate))
+		}
+	}
+
+	// TODO - Enable after supporting framework version
+	// if latestVersion.FrameworkUpdate != "" {
+	// 	fmt.Println(warningMessage(latestVersion.Framework, latestVersion.FrameworkUpdate))
+	// }
+
+	if latestVersion.Message != "" {
+		logger.L().Info(latestVersion.Message)
+	}
+
+	return nil
+}
+
+func (v *VersionCheckHandler) getLatestVersion(versionData *VersionCheckRequest) (*VersionCheckResponse, error) {
+
+	reqBody, err := json.Marshal(*versionData)
+	if err != nil {
+		return nil, fmt.Errorf("in 'CheckLatestVersion' failed to json.Marshal, reason: %s", err.Error())
+	}
+
+	resp, err := getter.HttpPost(http.DefaultClient, v.versionURL, map[string]string{"Content-Type": "application/json"}, reqBody)
+	if err != nil {
+		return nil, err
+	}
+
+	vResp := &VersionCheckResponse{}
+	if err = getter.JSONDecoder(resp).Decode(vResp); err != nil {
+		return nil, err
+	}
+	return vResp, nil
+}
+
+func warningMessage(release string) string {
+	return fmt.Sprintf("current version '%s' is not updated to the latest release: '%s'", BuildNumber, release)
+}

core/cautils/versioncheck_test.go

@@ -0,0 +1,68 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/mod/semver"
+)
+
+func TestGetKubernetesObjects(t *testing.T) {
+}
+
+var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
+var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
+var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
+var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
+
+func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
+	// local build- no build number
+	// should use only rules that don't have "until"
+	buildNumberMock := ""
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.130"
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.132"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.133"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+}
+
+func TestCheckLatestVersion(t *testing.T) {
+	assert.Equal(t, -1, semver.Compare("v2.0.150", "v2.0.151"))
+	assert.Equal(t, 0, semver.Compare("v2.0.150", "v2.0.150"))
+	assert.Equal(t, 1, semver.Compare("v2.0.150", "v2.0.149"))
+	assert.Equal(t, -1, semver.Compare("v2.0.150", "v3.0.150"))
+
+}

core/cautils/workloadmappingutils.go

@@ -0,0 +1,55 @@
+package cautils
+
+import (
+	"strings"
+
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+var (
+	ImageVulnResources  = []string{"ImageVulnerabilities"}
+	HostSensorResources = []string{"KubeletConfiguration",
+		"KubeletCommandLine",
+		"OsReleaseFile",
+		"KernelVersion",
+		"LinuxSecurityHardeningStatus",
+		"OpenPortsList",
+		"LinuxKernelVariables",
+		"KubeletInfo",
+		"KubeProxyInfo",
+	}
+	CloudResources = []string{"ClusterDescribe"}
+)
+
+func MapKSResource(ksResourceMap *KSResources, resources []string) []string {
+	var hostResources []string
+	for k := range *ksResourceMap {
+		for _, resource := range resources {
+			if strings.Contains(k, resource) {
+				hostResources = append(hostResources, k)
+			}
+		}
+	}
+	return hostResources
+}
+
+func MapHostResources(ksResourceMap *KSResources) []string {
+	return MapKSResource(ksResourceMap, HostSensorResources)
+}
+
+func MapImageVulnResources(ksResourceMap *KSResources) []string {
+	return MapKSResource(ksResourceMap, ImageVulnResources)
+}
+
+func MapCloudResources(ksResourceMap *KSResources) []string {
+	return MapKSResource(ksResourceMap, CloudResources)
+}
+
+func SetInfoMapForResources(info string, resources []string, errorMap map[string]apis.StatusInfo) {
+	for _, resource := range resources {
+		errorMap[resource] = apis.StatusInfo{
+			InnerInfo:   info,
+			InnerStatus: apis.StatusSkipped,
+		}
+	}
+}

core/core/cachedconfig.go

@@ -0,0 +1,37 @@
+package core
+
+import (
+	"fmt"
+
+	metav1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+)
+
+func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
+
+	tenant := getTenantConfig(nil, "", getKubernetesApi())
+
+	if setConfig.Account != "" {
+		tenant.GetConfigObj().AccountID = setConfig.Account
+	}
+	if setConfig.SecretKey != "" {
+		tenant.GetConfigObj().SecretKey = setConfig.SecretKey
+	}
+	if setConfig.ClientID != "" {
+		tenant.GetConfigObj().ClientID = setConfig.ClientID
+	}
+
+	return tenant.UpdateCachedConfig()
+}
+
+// View cached configurations
+func (ks *Kubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
+	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	fmt.Fprintf(viewConfig.Writer, "%s\n", tenant.GetConfigObj().Config())
+	return nil
+}
+
+func (ks *Kubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
+
+	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	return tenant.DeleteCachedConfig()
+}

core/core/delete.go

@@ -0,0 +1,36 @@
+package core
+
+import (
+	"fmt"
+
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	v1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+)
+
+func (ks *Kubescape) DeleteExceptions(delExceptions *v1.DeleteExceptions) error {
+
+	// load cached config
+	getTenantConfig(&delExceptions.Credentials, "", getKubernetesApi())
+
+	// login kubescape SaaS
+	ksCloudAPI := getter.GetKSCloudAPIConnector()
+	if err := ksCloudAPI.Login(); err != nil {
+		return err
+	}
+
+	for i := range delExceptions.Exceptions {
+		exceptionName := delExceptions.Exceptions[i]
+		if exceptionName == "" {
+			continue
+		}
+		logger.L().Info("Deleting exception", helpers.String("name", exceptionName))
+		if err := ksCloudAPI.DeleteException(exceptionName); err != nil {
+			return fmt.Errorf("failed to delete exception '%s', reason: %s", exceptionName, err.Error())
+		}
+		logger.L().Success("Exception deleted successfully")
+	}
+
+	return nil
+}

core/core/download.go

@@ -0,0 +1,198 @@
+package core
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	metav1 "github.com/armosec/kubescape/v2/core/meta/datastructures/v1"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+)
+
+var downloadFunc = map[string]func(*metav1.DownloadInfo) error{
+	"controls-inputs": downloadConfigInputs,
+	"exceptions":      downloadExceptions,
+	"control":         downloadControl,
+	"framework":       downloadFramework,
+	"artifacts":       downloadArtifacts,
+}
+
+func DownloadSupportCommands() []string {
+	commands := []string{}
+	for k := range downloadFunc {
+		commands = append(commands, k)
+	}
+	return commands
+}
+
+func (ks *Kubescape) Download(downloadInfo *metav1.DownloadInfo) error {
+	setPathandFilename(downloadInfo)
+	if err := os.MkdirAll(downloadInfo.Path, os.ModePerm); err != nil {
+		return err
+	}
+	if err := downloadArtifact(downloadInfo, downloadFunc); err != nil {
+		return err
+	}
+	return nil
+}
+
+func downloadArtifact(downloadInfo *metav1.DownloadInfo, downloadArtifactFunc map[string]func(*metav1.DownloadInfo) error) error {
+	if f, ok := downloadArtifactFunc[downloadInfo.Target]; ok {
+		if err := f(downloadInfo); err != nil {
+			return err
+		}
+		return nil
+	}
+	return fmt.Errorf("unknown command to download")
+}
+
+func setPathandFilename(downloadInfo *metav1.DownloadInfo) {
+	if downloadInfo.Path == "" {
+		downloadInfo.Path = getter.GetDefaultPath("")
+	} else {
+		dir, file := filepath.Split(downloadInfo.Path)
+		if dir == "" {
+			downloadInfo.Path = file
+		} else if strings.Contains(file, ".json") {
+			downloadInfo.Path = dir
+			downloadInfo.FileName = file
+		}
+	}
+}
+
+func downloadArtifacts(downloadInfo *metav1.DownloadInfo) error {
+	downloadInfo.FileName = ""
+	var artifacts = map[string]func(*metav1.DownloadInfo) error{
+		"controls-inputs": downloadConfigInputs,
+		"exceptions":      downloadExceptions,
+		"framework":       downloadFramework,
+	}
+	for artifact := range artifacts {
+		if err := downloadArtifact(&metav1.DownloadInfo{Target: artifact, Path: downloadInfo.Path, FileName: fmt.Sprintf("%s.json", artifact)}, artifacts); err != nil {
+			logger.L().Error("error downloading", helpers.String("artifact", artifact), helpers.Error(err))
+		}
+	}
+	return nil
+}
+
+func downloadConfigInputs(downloadInfo *metav1.DownloadInfo) error {
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+
+	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetAccountID(), nil)
+	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetContextName())
+	if err != nil {
+		return err
+	}
+	if downloadInfo.FileName == "" {
+		downloadInfo.FileName = fmt.Sprintf("%s.json", downloadInfo.Target)
+	}
+	if controlInputs == nil {
+		return fmt.Errorf("failed to download controlInputs - received an empty objects")
+	}
+	// save in file
+	err = getter.SaveInFile(controlInputs, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	if err != nil {
+		return err
+	}
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
+	return nil
+}
+
+func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
+	var err error
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+
+	exceptionsGetter := getExceptionsGetter("")
+	exceptions := []armotypes.PostureExceptionPolicy{}
+	if tenant.GetAccountID() != "" {
+		exceptions, err = exceptionsGetter.GetExceptions(tenant.GetContextName())
+		if err != nil {
+			return err
+		}
+	}
+	if downloadInfo.FileName == "" {
+		downloadInfo.FileName = fmt.Sprintf("%s.json", downloadInfo.Target)
+	}
+	// save in file
+	err = getter.SaveInFile(exceptions, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	if err != nil {
+		return err
+	}
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
+	return nil
+}
+
+func downloadFramework(downloadInfo *metav1.DownloadInfo) error {
+
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+
+	g := getPolicyGetter(nil, tenant.GetTenantEmail(), true, nil)
+
+	if downloadInfo.Name == "" {
+		// if framework name not specified - download all frameworks
+		frameworks, err := g.GetFrameworks()
+		if err != nil {
+			return err
+		}
+		for _, fw := range frameworks {
+			downloadTo := filepath.Join(downloadInfo.Path, (strings.ToLower(fw.Name) + ".json"))
+			err = getter.SaveInFile(fw, downloadTo)
+			if err != nil {
+				return err
+			}
+			logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", fw.Name), helpers.String("path", downloadTo))
+		}
+		// return fmt.Errorf("missing framework name")
+	} else {
+		if downloadInfo.FileName == "" {
+			downloadInfo.FileName = fmt.Sprintf("%s.json", downloadInfo.Name)
+		}
+		framework, err := g.GetFramework(downloadInfo.Name)
+		if err != nil {
+			return err
+		}
+		if framework == nil {
+			return fmt.Errorf("failed to download framework - received an empty objects")
+		}
+		downloadTo := filepath.Join(downloadInfo.Path, downloadInfo.FileName)
+		err = getter.SaveInFile(framework, downloadTo)
+		if err != nil {
+			return err
+		}
+		logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", framework.Name), helpers.String("path", downloadTo))
+	}
+	return nil
+}
+
+func downloadControl(downloadInfo *metav1.DownloadInfo) error {
+
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+
+	g := getPolicyGetter(nil, tenant.GetTenantEmail(), false, nil)
+
+	if downloadInfo.Name == "" {
+		// TODO - support
+		return fmt.Errorf("missing control name")
+	}
+	if downloadInfo.FileName == "" {
+		downloadInfo.FileName = fmt.Sprintf("%s.json", downloadInfo.Name)
+	}
+	controls, err := g.GetControl(downloadInfo.Name)
+	if err != nil {
+		return err
+	}
+	if controls == nil {
+		return fmt.Errorf("failed to download control - received an empty objects")
+	}
+	downloadTo := filepath.Join(downloadInfo.Path, downloadInfo.FileName)
+	err = getter.SaveInFile(controls, downloadTo)
+	if err != nil {
+		return err
+	}
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", downloadInfo.Name), helpers.String("path", downloadTo))
+	return nil
+}