update after scan messgae

[housekeeper] add readiness checks

.github/workflows/build.yaml

@@ -2,7 +2,7 @@ name: build
 
 on:
   push:
-    branches: [ master ] 
+    branches: [ master ]
 jobs:
   once:
     name: Create release
@@ -41,6 +41,7 @@ jobs:
         env:
           RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
+          ArmoAuthServer: auth.armo.cloud
           ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
           CGO_ENABLED: 0
@@ -67,28 +68,55 @@ jobs:
   build-docker:
     name: Build docker container, tag and upload to registry
     needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
     runs-on: ubuntu-latest
+    if: ${{ github.repository == 'armosec/kubescape' }} # TODO
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v2
 
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:v2.0.${{ github.run_number }} > build_tag.txt
+      - name: Set image version
+        id: image-version
+        run: echo '::set-output name=IMAGE_VERSION::v2.0.${{ github.run_number }}'
+
+      - name: Set image name
+        id: image-name
+        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
 
       - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
-
+        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }}
+      
       - name: Re-Tag Image to latest
-        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
-
+        run: docker tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      
       - name: Login to Quay.io
         env: # Or as an environment variable
           QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
           QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
         run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+      # - name: Login to GitHub Container Registry
+      #   uses: docker/login-action@v1
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push Docker image
         run: |
-          docker push $(cat build_tag.txt)
-          docker push quay.io/armosec/kubescape:latest
-        
+          docker push ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
+          docker push ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      
+      # TODO - Wait for casign to support fixed tags -> https://github.com/sigstore/cosign/issues/1424
+      # - name: Install cosign
+      #   uses: sigstore/cosign-installer@main
+      #   with:
+      #     cosign-release: 'v1.5.1' # optional
+      # - name: sign kubescape container image
+      #   env:
+      #     COSIGN_EXPERIMENTAL: "true"
+      #   run: |
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
+

.github/workflows/build_dev.yaml

@@ -25,7 +25,8 @@ jobs:
         env:
           RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.euprod1.cyberarmorsoft.com
+          ArmoAuthServer: auth.armo.cloud
+          ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
           CGO_ENABLED: 0
         run: python3 --version && python3 build.py
@@ -42,30 +43,42 @@ jobs:
           name: kubescape-${{ matrix.os }}
           path: build/${{ matrix.os }}/kubescape 
 
-
   build-docker:
     name: Build docker container, tag and upload to registry
     needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
+    if: ${{ github.repository == 'armosec/kubescape' }} # TODO
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v2
 
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v2.0.${{ github.run_number }} > build_tag.txt
+      - name: Set image version
+        id: image-version
+        run: echo '::set-output name=IMAGE_VERSION::dev-v2.0.${{ github.run_number }}'
+
+      - name: Set image name
+        id: image-name
+        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
 
       - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
+        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }}
       
       - name: Login to Quay.io
-        env: # Or as an environment variable
+        env:
           QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
           QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
         run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-        
+      # - name: Login to GitHub Container Registry
+      #   uses: docker/login-action@v1
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push Docker image
         run: |
-          docker push $(cat build_tag.txt)
-    
-        
+          docker push ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
+      

.github/workflows/master_pr_checks.yaml

@@ -26,6 +26,7 @@ jobs:
         env:
           RELEASE: v2.0.${{ github.run_number }} 
           ArmoBEServer: api.armo.cloud
+          ArmoAuthServer: auth.armo.cloud
           ArmoERServer: report.armo.cloud
           ArmoWebsite: portal.armo.cloud
           CGO_ENABLED: 0

.github/workflows/post-release.yaml

@@ -0,0 +1,17 @@
+name: create release digests
+
+on:
+  release:
+    types: [ published]
+    branches: [ master ]
+  
+jobs:
+  once:
+    name: Creating digests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Digest
+        uses: MCJack123/ghaction-generate-release-hashes@v1
+        with:
+          hash-type: sha1
+          file-name: kubescape-release-digests

.gitignore

@@ -3,4 +3,5 @@
 *debug*
 *vender*
 *.pyc*
-.idea
+.idea
+ca.srl

README.md

@@ -101,19 +101,26 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
 | `--use-from`                |                           | Load local framework object from specified path. If not used will download latest                                                                                                                                                                                                                                    | 
 | `--use-artifacts-from`                |                           | Load artifacts (frameworks, control-config, exceptions) from local directory. If not used will download them                                                                                                                                                                                                                                    |                                              |
 | `--use-default`             | `false`                   | Load local framework object from default path. If not used will download latest                                                                                                                                                                                                                                      | `true`/`false`                               |
-| `--exceptions`              |                           | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal                                                                                                                                                                                               |  
+| `--exceptions`              |                           | Path to an exceptions obj, [examples](examples/exceptions/README.md). Default will download exceptions from Kubescape SaaS                                                                                                                                                                                               |  
 | `--controls-config`              |                           | Path to a controls-config obj. If not set will download controls-config from ARMO management portal                                                                                                                                                                                               |                                            |
 | `--submit`                  | `false`                   | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`                               |
 | `--keep-local`              | `false`                   | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results                                                                                                                                | `true`/`false`                               |
 | `--account`                 |                           | Armo portal account ID. Default will load account ID from configMap or config file                                                                                                                                                                                                                                   |                                              |
 | `--kube-context`                 |        current-context               |  Cluster context to scan                                                                                                                                                                                                                              |                                              |
 | `--verbose`                 | `false`                   | Display all of the input resources and not only failed resources                                                                                                                                                                                                                                                     | `true`/`false`                               |
+| `--logger`                 | `info`                   | Set the logger level                                                                                                                                                                                                                                                 | `debug`/`info`/`success`/`warning`/`error`/`fatal`                               |
 
 
 ## Usage & Examples
 
 ### Examples
 
+
+#### Scan a running Kubernetes cluster and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+```
+kubescape scan --submit
+```
+
 #### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
 ```
 kubescape scan framework nsa --submit
@@ -133,107 +140,105 @@ kubescape scan control "Privileged container"
 
 #### Scan specific namespaces
 ```
-kubescape scan framework nsa --include-namespaces development,staging,production
+kubescape scan --include-namespaces development,staging,production
 ```
 
 #### Scan cluster and exclude some namespaces
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+kubescape scan --exclude-namespaces kube-system,kube-public
 ```
 
 #### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
 ```
-kubescape scan framework nsa *.yaml
+kubescape scan *.yaml
 ```
 
 #### Scan kubernetes manifest files from a public github repository 
 ```
-kubescape scan framework nsa https://github.com/armosec/kubescape
+kubescape scan https://github.com/armosec/kubescape
 ```
 
 #### Display all scanned resources (including the resources who passed) 
 ```
-kubescape scan framework nsa --verbose
+kubescape scan --verbose
 ```
 
 #### Output in `json` format
 ```
-kubescape scan framework nsa --format json --output results.json
+kubescape scan --format json --output results.json
 ```
 
 #### Output in `junit xml` format
 ```
-kubescape scan framework nsa --format junit --output results.xml
+kubescape scan --format junit --output results.xml
 ```
 
 #### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
 ```
-kubescape scan framework nsa --format prometheus
+kubescape scan --format prometheus
 ```
 
 #### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
 [Full documentation](examples/exceptions/README.md)
 ```
-kubescape scan framework nsa --exceptions examples/exceptions/exclude-kube-namespaces.json
+kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
 ```
 
 #### Scan Helm charts - Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan -
 ```
 
 e.g.
 ```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+helm template bitnami/mysql --generate-name --dry-run | kubescape scan -
 ```
 
 
-### Offline Support
+### Offline/Air-gaped Environment Support
 
 [Video tutorial](https://youtu.be/IGXL9s37smM)
 
 It is possible to run Kubescape offline!
-
-First download the framework and then scan with `--use-from` flag
-
-1. Download and save in file, if file name not specified, will save in `~/.kubescape/<framework name>.json`
-```
-kubescape download framework nsa --output nsa.json
-```
-
-2. Scan using the downloaded framework
-```
-kubescape scan framework nsa --use-from nsa.json
-```
-
-
-
-You can also download all artifacts to a local path and then load them using `--use-artifacts-from` flag
+#### Download all artifacts
 
 1. Download and save in local directory, if path not specified, will save all in `~/.kubescape`
 ```
 kubescape download artifacts --output path/to/local/dir
 ```
+2. Copy the downloaded artifacts to the air-gaped/offline environment
 
-2. Scan using the downloaded artifacts
+3. Scan using the downloaded artifacts
 ```
-kubescape scan framework nsa --use-artifacts-from path/to/local/dir
+kubescape scan --use-artifacts-from path/to/local/dir
 ```
 
+#### Download a single artifacts
+
+You can also download a single artifacts and scan with the `--use-from` flag
+
+1. Download and save in file, if file name not specified, will save in `~/.kubescape/<framework name>.json`
+```
+kubescape download framework nsa --output /path/nsa.json
+```
+2. Copy the downloaded artifacts to the air-gaped/offline environment
+
+3. Scan using the downloaded framework
+```
+kubescape scan framework nsa --use-from /path/nsa.json
+```
+
+
 ## Scan Periodically using Helm - Contributed by [@yonahd](https://github.com/yonahd)  
- 
-You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
-
-```
-helm install kubescape examples/helm_chart/
-```
+[Please follow the instructions here](https://hub.armo.cloud/docs/installation-of-armo-in-cluster)
+[helm chart repo](https://github.com/armosec/armo-helm)
 
 ## Scan using docker image
 
 Official Docker image `quay.io/armosec/kubescape`
 
 ```
-docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan framework nsa /app/example.yaml
+docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan /app/example.yaml
 ```
 
 # Submit data manually
@@ -265,6 +270,7 @@ variables in this script:
 + ArmoBEServer
 + ArmoERServer
 + ArmoWebsite
++ ArmoAuthServer
 
 
 ## Build using go

build.py

@@ -8,6 +8,7 @@ BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
 BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
 ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
 WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+AUTH_SERVER_CONST = BASE_GETTER_CONST + ".armoAUTHURL"
 
 def checkStatus(status, msg):
     if status != 0:
@@ -37,7 +38,7 @@ def main():
     print("Building Kubescape")
 
     # print environment variables
-    print(os.environ)
+    # print(os.environ)
 
     # Set some variables
     packageName = getPackageName()
@@ -46,6 +47,7 @@ def main():
     ArmoBEServer = os.getenv("ArmoBEServer")
     ArmoERServer = os.getenv("ArmoERServer")
     ArmoWebsite = os.getenv("ArmoWebsite")
+    ArmoAuthServer = os.getenv("ArmoAuthServer")
 
     # Create build directory
     buildDir = getBuildDir()
@@ -54,9 +56,10 @@ def main():
         os.makedirs(buildDir)
 
     # Build kubescape
-    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
+    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
         % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
-           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
+           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite,
+           AUTH_SERVER_CONST, ArmoAuthServer)
     status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
     checkStatus(status, "Failed to build kubescape")
     

build/Dockerfile

@@ -1,9 +1,9 @@
 FROM golang:1.17-alpine as builder
 #ENV GOPROXY=https://goproxy.io,direct
 
-ARG run_number
+ARG image_version
 
-ENV RELEASE=v1.0.${run_number}
+ENV RELEASE=image_version
 
 ENV GO111MODULE=
 

cautils/customerloader.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -23,25 +24,31 @@ func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName +
 // ======================================================================================
 
 type ConfigObj struct {
-	CustomerGUID       string `json:"customerGUID"`
-	Token              string `json:"invitationParam"`
-	CustomerAdminEMail string `json:"adminMail"`
-	ClusterName        string `json:"clusterName"`
-}
-
-func (co *ConfigObj) Json() []byte {
-	if b, err := json.Marshal(co); err == nil {
-		return b
-	}
-	return []byte{}
+	AccountID          string `json:"accountID,omitempty"`
+	ClientID           string `json:"clientID,omitempty"`
+	SecretKey          string `json:"secretKey,omitempty"`
+	CustomerGUID       string `json:"customerGUID,omitempty"` // Deprecated
+	Token              string `json:"invitationParam,omitempty"`
+	CustomerAdminEMail string `json:"adminMail,omitempty"`
+	ClusterName        string `json:"clusterName,omitempty"`
 }
 
 // Config - convert ConfigObj to config file
 func (co *ConfigObj) Config() []byte {
+
+	// remove cluster name before saving to file
 	clusterName := co.ClusterName
-	co.ClusterName = "" // remove cluster name before saving to file
-	b, err := json.Marshal(co)
+	customerAdminEMail := co.CustomerAdminEMail
+	token := co.Token
+	co.ClusterName = ""
+	co.Token = ""
+	co.CustomerAdminEMail = ""
+
+	b, err := json.MarshalIndent(co, "", "  ")
+
 	co.ClusterName = clusterName
+	co.CustomerAdminEMail = customerAdminEMail
+	co.Token = token
 
 	if err == nil {
 		return b
@@ -56,10 +63,12 @@ func (co *ConfigObj) Config() []byte {
 type ITenantConfig interface {
 	// set
 	SetTenant() error
+	UpdateCachedConfig() error
+	DeleteCachedConfig() error
 
 	// getters
 	GetClusterName() string
-	GetCustomerGUID() string
+	GetAccountID() string
 	GetConfigObj() *ConfigObj
 	// GetBackendAPI() getter.IBackend
 	// GenerateURL()
@@ -93,46 +102,58 @@ func NewLocalConfig(backendAPI getter.IBackend, customerGUID, clusterName string
 		lc.configObj = configObj
 	}
 	if customerGUID != "" {
-		lc.configObj.CustomerGUID = customerGUID // override config customerGUID
+		lc.configObj.AccountID = customerGUID // override config customerGUID
 	}
 	if clusterName != "" {
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
-	if lc.configObj.CustomerGUID != "" {
+	getAccountFromEnv(lc.configObj)
+
+	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
+	lc.backendAPI.SetClientID(lc.configObj.ClientID)
+	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
+
+	if lc.configObj.AccountID != "" {
 		if err := lc.SetTenant(); err != nil {
-			fmt.Println(err)
+			logger.L().Error(err.Error())
 		}
 	}
 
 	return lc
 }
 
-func (lc *LocalConfig) GetConfigObj() *ConfigObj            { return lc.configObj }
-func (lc *LocalConfig) GetCustomerGUID() string             { return lc.configObj.CustomerGUID }
-func (lc *LocalConfig) SetCustomerGUID(customerGUID string) { lc.configObj.CustomerGUID = customerGUID }
-func (lc *LocalConfig) GetClusterName() string              { return lc.configObj.ClusterName }
-func (lc *LocalConfig) IsConfigFound() bool                 { return existsConfigFile() }
+func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
+func (lc *LocalConfig) GetAccountID() string     { return lc.configObj.AccountID }
+func (lc *LocalConfig) GetClusterName() string   { return lc.configObj.ClusterName }
+func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
 func (lc *LocalConfig) SetTenant() error {
+
 	// ARMO tenant GUID
 	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
 		return err
 	}
-	updateConfigFile(lc.configObj)
+	lc.UpdateCachedConfig()
 	return nil
 
 }
+func (lc *LocalConfig) UpdateCachedConfig() error {
+	return updateConfigFile(lc.configObj)
+}
+
+func (lc *LocalConfig) DeleteCachedConfig() error {
+	return DeleteConfigFile()
+}
 
 func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
 
 	// get from armoBE
-	backendAPI.SetCustomerGUID(configObj.CustomerGUID)
-	tenantResponse, err := backendAPI.GetCustomerGUID()
+	tenantResponse, err := backendAPI.GetTenant()
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // registered tenant
 			configObj.CustomerAdminEMail = tenantResponse.AdminMail
 		} else { // new tenant
 			configObj.Token = tenantResponse.Token
-			configObj.CustomerGUID = tenantResponse.TenantID
+			configObj.AccountID = tenantResponse.TenantID
 		}
 	} else {
 		if err != nil && !strings.Contains(err.Error(), "already exists") {
@@ -154,8 +175,11 @@ Supported environments variables:
 KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescape'
 KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
 
+KS_ACCOUNT_ID
+KS_CLIENT_ID
+KS_SECRET_KEY
+
 TODO - supprot:
-KS_ACCOUNT // Account ID
 KS_CACHE // path to cached files
 */
 type ClusterConfig struct {
@@ -187,32 +211,36 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 		c.configObj = configObj
 	}
 	if customerGUID != "" {
-		c.configObj.CustomerGUID = customerGUID // override config customerGUID
+		c.configObj.AccountID = customerGUID // override config customerGUID
 	}
 	if clusterName != "" {
 		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
-	if c.configObj.CustomerGUID != "" {
-		if err := c.SetTenant(); err != nil {
-			fmt.Println(err)
-		}
-	}
+	getAccountFromEnv(c.configObj)
+
 	if c.configObj.ClusterName == "" {
 		c.configObj.ClusterName = AdoptClusterName(k8sinterface.GetClusterName())
 	} else { // override the cluster name if it has unwanted characters
 		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
 	}
 
+	c.backendAPI.SetAccountID(c.configObj.AccountID)
+	c.backendAPI.SetClientID(c.configObj.ClientID)
+	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
+
+	if c.configObj.AccountID != "" {
+		if err := c.SetTenant(); err != nil {
+			logger.L().Error(err.Error())
+		}
+	}
+
 	return c
 }
 
-func (c *ClusterConfig) GetConfigObj() *ConfigObj            { return c.configObj }
-func (c *ClusterConfig) GetDefaultNS() string                { return c.configMapNamespace }
-func (c *ClusterConfig) GetCustomerGUID() string             { return c.configObj.CustomerGUID }
-func (c *ClusterConfig) SetCustomerGUID(customerGUID string) { c.configObj.CustomerGUID = customerGUID }
-func (c *ClusterConfig) IsConfigFound() bool {
-	return existsConfigFile() || c.existsConfigMap()
-}
+func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string     { return c.configMapNamespace }
+func (c *ClusterConfig) GetAccountID() string     { return c.configObj.AccountID }
+func (c *ClusterConfig) IsConfigFound() bool      { return existsConfigFile() || c.existsConfigMap() }
 
 func (c *ClusterConfig) SetTenant() error {
 
@@ -220,17 +248,34 @@ func (c *ClusterConfig) SetTenant() error {
 	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
 		return err
 	}
-	// update/create config
-	if c.existsConfigMap() {
-		c.updateConfigMap()
-	} else {
-		c.createConfigMap()
-	}
-	updateConfigFile(c.configObj)
+	c.UpdateCachedConfig()
 	return nil
 
 }
 
+func (c *ClusterConfig) UpdateCachedConfig() error {
+	// update/create config
+	if c.existsConfigMap() {
+		if err := c.updateConfigMap(); err != nil {
+			return err
+		}
+	} else {
+		if err := c.createConfigMap(); err != nil {
+			return err
+		}
+	}
+	return updateConfigFile(c.configObj)
+}
+
+func (c *ClusterConfig) DeleteCachedConfig() error {
+	if err := c.deleteConfigMap(); err != nil {
+		return err
+	}
+	if err := DeleteConfigFile(); err != nil {
+		return err
+	}
+	return nil
+}
 func (c *ClusterConfig) GetClusterName() string {
 	return c.configObj.ClusterName
 }
@@ -409,6 +454,10 @@ func readConfig(dat []byte) (*ConfigObj, error) {
 	if err := json.Unmarshal(dat, configObj); err != nil {
 		return nil, err
 	}
+	if configObj.AccountID == "" {
+		configObj.AccountID = configObj.CustomerGUID
+	}
+	configObj.CustomerGUID = ""
 	return configObj, nil
 }
 
@@ -421,8 +470,7 @@ func (clusterConfig *ClusterConfig) IsSubmitted() bool {
 func (clusterConfig *ClusterConfig) IsRegistered() bool {
 
 	// get from armoBE
-	clusterConfig.backendAPI.SetCustomerGUID(clusterConfig.GetCustomerGUID())
-	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID()
+	tenantResponse, err := clusterConfig.backendAPI.GetTenant()
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
 			return true
@@ -431,16 +479,7 @@ func (clusterConfig *ClusterConfig) IsRegistered() bool {
 	return false
 }
 
-func (clusterConfig *ClusterConfig) DeleteConfig() error {
-	if err := clusterConfig.DeleteConfigMap(); err != nil {
-		return err
-	}
-	if err := DeleteConfigFile(); err != nil {
-		return err
-	}
-	return nil
-}
-func (clusterConfig *ClusterConfig) DeleteConfigMap() error {
+func (clusterConfig *ClusterConfig) deleteConfigMap() error {
 	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
 }
 
@@ -465,3 +504,16 @@ func getConfigMapNamespace() string {
 	}
 	return "default"
 }
+
+func getAccountFromEnv(configObj *ConfigObj) {
+	// load from env
+	if accountID := os.Getenv("KS_ACCOUNT_ID"); accountID != "" {
+		configObj.AccountID = accountID
+	}
+	if clientID := os.Getenv("KS_CLIENT_ID"); clientID != "" {
+		configObj.ClientID = clientID
+	}
+	if secretKey := os.Getenv("KS_SECRET_KEY"); secretKey != "" {
+		configObj.SecretKey = secretKey
+	}
+}

cautils/display.go

@@ -1,7 +1,6 @@
 package cautils
 
 import (
-	"fmt"
 	"os"
 	"time"
 
@@ -21,9 +20,9 @@ func IsSilent() bool {
 }
 
 var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
+var WarningDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
 var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var InfoDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
 var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
 var SimpleDisplay = color.New().FprintfFunc()
 var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
@@ -31,39 +30,6 @@ var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
 
 var Spinner *spinner.Spinner
 
-func ScanStartDisplay() {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stderr, "ARMO security scanner starting\n")
-}
-
-func SuccessTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	SuccessDisplay(os.Stderr, "[success] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
-
-}
-
-func ErrorDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	FailureDisplay(os.Stderr, "[Error] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
-
-}
-
-func ProgressTextDisplay(str string) {
-	if IsSilent() {
-		return
-	}
-	InfoDisplay(os.Stderr, "[progress] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
-
-}
 func StartSpinner() {
 	if !IsSilent() && isatty.IsTerminal(os.Stdout.Fd()) {
 		Spinner = spinner.New(spinner.CharSets[7], 100*time.Millisecond) // Build our new spinner

cautils/getter/armoapi.go

@@ -1,15 +1,18 @@
 package getter
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/golang/glog"
 )
 
 // =======================================================================================================================
@@ -19,41 +22,51 @@ import (
 var (
 	// ATTENTION!!!
 	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
-	armoERURL = "report.armo.cloud"
-	armoBEURL = "api.armo.cloud"
-	armoFEURL = "portal.armo.cloud"
+	armoERURL   = "report.armo.cloud"
+	armoBEURL   = "api.armo.cloud"
+	armoFEURL   = "portal.armo.cloud"
+	armoAUTHURL = "auth.armo.cloud"
 
-	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
-	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui-dev.eudev3.cyberarmorsoft.com"
+	armoDevERURL   = "report.eudev3.cyberarmorsoft.com"
+	armoDevBEURL   = "api-dev.armo.cloud"
+	armoDevFEURL   = "armoui-dev.eudev3.cyberarmorsoft.com"
+	armoDevAUTHURL = "eggauth.eudev3.cyberarmorsoft.com"
 )
 
 // Armo API for downloading policies
 type ArmoAPI struct {
-	httpClient   *http.Client
-	apiURL       string
-	erURL        string
-	feURL        string
-	customerGUID string
+	httpClient *http.Client
+	apiURL     string
+	authURL    string
+	erURL      string
+	feURL      string
+	accountID  string
+	clientID   string
+	secretKey  string
+	feToken    FeLoginResponse
+	authCookie string
+	loggedIn   bool
 }
 
-var globalArmoAPIConnecctor *ArmoAPI
+var globalArmoAPIConnector *ArmoAPI
 
 func SetARMOAPIConnector(armoAPI *ArmoAPI) {
-	globalArmoAPIConnecctor = armoAPI
+	logger.L().Debug("Armo URLs", helpers.String("api", armoAPI.apiURL), helpers.String("auth", armoAPI.authURL), helpers.String("report", armoAPI.erURL), helpers.String("UI", armoAPI.feURL))
+	globalArmoAPIConnector = armoAPI
 }
 
 func GetArmoAPIConnector() *ArmoAPI {
-	if globalArmoAPIConnecctor == nil {
-		glog.Error("returning nil API connector")
+	if globalArmoAPIConnector == nil {
+		logger.L().Error("returning nil API connector")
 	}
-	return globalArmoAPIConnecctor
+	return globalArmoAPIConnector
 }
 
 func NewARMOAPIDev() *ArmoAPI {
 	apiObj := newArmoAPI()
 
 	apiObj.apiURL = armoDevBEURL
+	apiObj.authURL = armoDevAUTHURL
 	apiObj.erURL = armoDevERURL
 	apiObj.feURL = armoDevFEURL
 
@@ -66,16 +79,18 @@ func NewARMOAPIProd() *ArmoAPI {
 	apiObj.apiURL = armoBEURL
 	apiObj.erURL = armoERURL
 	apiObj.feURL = armoFEURL
+	apiObj.authURL = armoAUTHURL
 
 	return apiObj
 }
 
-func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
+func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL, armoAUTHURL string) *ArmoAPI {
 	apiObj := newArmoAPI()
 
 	apiObj.erURL = armoERURL
 	apiObj.apiURL = armoBEURL
 	apiObj.feURL = armoFEURL
+	apiObj.authURL = armoAUTHURL
 
 	return apiObj
 }
@@ -83,22 +98,39 @@ func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
 func newArmoAPI() *ArmoAPI {
 	return &ArmoAPI{
 		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
+		loggedIn:   false,
 	}
 }
-func (armoAPI *ArmoAPI) SetCustomerGUID(customerGUID string) {
-	armoAPI.customerGUID = customerGUID
 
-}
-func (armoAPI *ArmoAPI) GetFrontendURL() string {
-	return armoAPI.feURL
+func (armoAPI *ArmoAPI) Post(fullURL string, headers map[string]string, body []byte) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	armoAPI.appendAuthHeaders(headers)
+	return HttpPost(armoAPI.httpClient, fullURL, headers, body)
 }
 
-func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
-	return armoAPI.erURL
+func (armoAPI *ArmoAPI) Get(fullURL string, headers map[string]string) (string, error) {
+	if headers == nil {
+		headers = make(map[string]string)
+	}
+	armoAPI.appendAuthHeaders(headers)
+	return HttpGetter(armoAPI.httpClient, fullURL, headers)
 }
 
+func (armoAPI *ArmoAPI) GetAccountID() string          { return armoAPI.accountID }
+func (armoAPI *ArmoAPI) IsLoggedIn() bool              { return armoAPI.loggedIn }
+func (armoAPI *ArmoAPI) GetClientID() string           { return armoAPI.clientID }
+func (armoAPI *ArmoAPI) GetSecretKey() string          { return armoAPI.secretKey }
+func (armoAPI *ArmoAPI) GetFrontendURL() string        { return armoAPI.feURL }
+func (armoAPI *ArmoAPI) GetAPIURL() string             { return armoAPI.apiURL }
+func (armoAPI *ArmoAPI) GetReportReceiverURL() string  { return armoAPI.erURL }
+func (armoAPI *ArmoAPI) SetAccountID(accountID string) { armoAPI.accountID = accountID }
+func (armoAPI *ArmoAPI) SetClientID(clientID string)   { armoAPI.clientID = clientID }
+func (armoAPI *ArmoAPI) SetSecretKey(secretKey string) { armoAPI.secretKey = secretKey }
+
 func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name), nil)
+	respStr, err := armoAPI.Get(armoAPI.getFrameworkURL(name), nil)
 	if err != nil {
 		return nil, nil
 	}
@@ -113,7 +145,7 @@ func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, er
 }
 
 func (armoAPI *ArmoAPI) GetFrameworks() ([]reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
+	respStr, err := armoAPI.Get(armoAPI.getListFrameworkURL(), nil)
 	if err != nil {
 		return nil, nil
 	}
@@ -134,7 +166,7 @@ func (armoAPI *ArmoAPI) GetControl(policyName string) (*reporthandling.Control,
 func (armoAPI *ArmoAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions := []armotypes.PostureExceptionPolicy{}
 
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(clusterName), nil)
+	respStr, err := armoAPI.Get(armoAPI.getExceptionsURL(clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -146,12 +178,12 @@ func (armoAPI *ArmoAPI) GetExceptions(clusterName string) ([]armotypes.PostureEx
 	return exceptions, nil
 }
 
-func (armoAPI *ArmoAPI) GetCustomerGUID() (*TenantResponse, error) {
-	url := armoAPI.getCustomerURL()
-	if armoAPI.customerGUID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, armoAPI.customerGUID)
+func (armoAPI *ArmoAPI) GetTenant() (*TenantResponse, error) {
+	url := armoAPI.getAccountURL()
+	if armoAPI.accountID != "" {
+		url = fmt.Sprintf("%s?customerGUID=%s", url, armoAPI.accountID)
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url, nil)
+	respStr, err := armoAPI.Get(url, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -159,17 +191,19 @@ func (armoAPI *ArmoAPI) GetCustomerGUID() (*TenantResponse, error) {
 	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
 		return nil, err
 	}
-
+	if tenant.TenantID != "" {
+		armoAPI.accountID = tenant.TenantID
+	}
 	return tenant, nil
 }
 
 // ControlsInputs  // map[<control name>][<input arguments>]
 func (armoAPI *ArmoAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
 	accountConfig := &armotypes.CustomerConfig{}
-	if armoAPI.customerGUID == "" {
+	if armoAPI.accountID == "" {
 		return accountConfig, nil
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(clusterName), nil)
+	respStr, err := armoAPI.Get(armoAPI.getAccountConfig(clusterName), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -191,7 +225,7 @@ func (armoAPI *ArmoAPI) GetControlsInputs(clusterName string) (map[string][]stri
 }
 
 func (armoAPI *ArmoAPI) ListCustomFrameworks() ([]string, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
+	respStr, err := armoAPI.Get(armoAPI.getListFrameworkURL(), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -211,7 +245,7 @@ func (armoAPI *ArmoAPI) ListCustomFrameworks() ([]string, error) {
 }
 
 func (armoAPI *ArmoAPI) ListFrameworks() ([]string, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
+	respStr, err := armoAPI.Get(armoAPI.getListFrameworkURL(), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -236,9 +270,63 @@ func (armoAPI *ArmoAPI) ListControls(l ListType) ([]string, error) {
 	return nil, fmt.Errorf("control api is not public")
 }
 
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
+func (armoAPI *ArmoAPI) PostExceptions(exceptions []armotypes.PostureExceptionPolicy) error {
+
+	for i := range exceptions {
+		ex, err := json.Marshal(exceptions[i])
+		if err != nil {
+			return err
+		}
+		_, err = armoAPI.Post(armoAPI.postExceptionsURL(), map[string]string{"Content-Type": "application/json"}, ex)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (armoAPI *ArmoAPI) Login() error {
+	if armoAPI.accountID == "" {
+		return fmt.Errorf("failed to login, missing accountID")
+	}
+	if armoAPI.clientID == "" {
+		return fmt.Errorf("failed to login, missing clientID")
+	}
+	if armoAPI.secretKey == "" {
+		return fmt.Errorf("failed to login, missing secretKey")
+	}
+
+	// init URLs
+	feLoginData := FeLoginData{ClientId: armoAPI.clientID, Secret: armoAPI.secretKey}
+	body, _ := json.Marshal(feLoginData)
+
+	resp, err := http.Post(armoAPI.getApiToken(), "application/json", bytes.NewBuffer(body))
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("error authenticating: %d", resp.StatusCode)
+	}
+
+	responseBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	var feLoginResponse FeLoginResponse
+
+	if err = json.Unmarshal(responseBody, &feLoginResponse); err != nil {
+		return err
+	}
+	armoAPI.feToken = feLoginResponse
+
+	/* Now we have JWT */
+
+	armoAPI.authCookie, err = armoAPI.getAuthCookie()
+	if err != nil {
+		return err
+	}
+	armoAPI.loggedIn = true
+	return nil
 }

cautils/getter/armoapiutils.go

@@ -1,6 +1,10 @@
 package getter
 
 import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
 	"net/url"
 	"strings"
 )
@@ -13,7 +17,7 @@ func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
 	u.Host = armoAPI.apiURL
 	u.Path = "api/v1/armoFrameworks"
 	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
+	q.Add("customerGUID", armoAPI.accountID)
 	if isNativeFramework(frameworkName) {
 		q.Add("frameworkName", strings.ToUpper(frameworkName))
 	} else {
@@ -31,7 +35,7 @@ func (armoAPI *ArmoAPI) getListFrameworkURL() string {
 	u.Host = armoAPI.apiURL
 	u.Path = "api/v1/armoFrameworks"
 	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
+	q.Add("customerGUID", armoAPI.accountID)
 	u.RawQuery = q.Encode()
 
 	return u.String()
@@ -43,7 +47,7 @@ func (armoAPI *ArmoAPI) getExceptionsURL(clusterName string) string {
 	u.Path = "api/v1/armoPostureExceptions"
 
 	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
+	q.Add("customerGUID", armoAPI.accountID)
 	// if clusterName != "" { // TODO - fix customer name support in Armo BE
 	// 	q.Add("clusterName", clusterName)
 	// }
@@ -52,6 +56,19 @@ func (armoAPI *ArmoAPI) getExceptionsURL(clusterName string) string {
 	return u.String()
 }
 
+func (armoAPI *ArmoAPI) postExceptionsURL() string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "api/v1/postureExceptionPolicy"
+
+	q := u.Query()
+	q.Add("customerGUID", armoAPI.accountID)
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
 func (armoAPI *ArmoAPI) getAccountConfig(clusterName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
@@ -59,7 +76,7 @@ func (armoAPI *ArmoAPI) getAccountConfig(clusterName string) string {
 	u.Path = "api/v1/armoCustomerConfiguration"
 
 	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
+	q.Add("customerGUID", armoAPI.accountID)
 	if clusterName != "" { // TODO - fix customer name support in Armo BE
 		q.Add("clusterName", clusterName)
 	}
@@ -68,10 +85,74 @@ func (armoAPI *ArmoAPI) getAccountConfig(clusterName string) string {
 	return u.String()
 }
 
-func (armoAPI *ArmoAPI) getCustomerURL() string {
+func (armoAPI *ArmoAPI) getAccountURL() string {
 	u := url.URL{}
 	u.Scheme = "https"
 	u.Host = armoAPI.apiURL
 	u.Path = "api/v1/createTenant"
 	return u.String()
 }
+
+func (armoAPI *ArmoAPI) getApiToken() string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.authURL
+	u.Path = "frontegg/identity/resources/auth/v1/api-token"
+	return u.String()
+}
+
+func (armoAPI *ArmoAPI) getOpenidCustomers() string {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = armoAPI.apiURL
+	u.Path = "api/v1/openid_customers"
+	return u.String()
+}
+
+func (armoAPI *ArmoAPI) getAuthCookie() (string, error) {
+	selectCustomer := ArmoSelectCustomer{SelectedCustomerGuid: armoAPI.accountID}
+	requestBody, _ := json.Marshal(selectCustomer)
+	client := &http.Client{}
+	httpRequest, err := http.NewRequest(http.MethodPost, armoAPI.getOpenidCustomers(), bytes.NewBuffer(requestBody))
+	if err != nil {
+		return "", err
+	}
+	httpRequest.Header.Set("Content-Type", "application/json")
+	httpRequest.Header.Set("Authorization", fmt.Sprintf("Bearer %s", armoAPI.feToken.Token))
+	httpResponse, err := client.Do(httpRequest)
+	if err != nil {
+		return "", err
+	}
+	defer httpResponse.Body.Close()
+	if httpResponse.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to get cookie from %s: status %d", armoAPI.getOpenidCustomers(), httpResponse.StatusCode)
+	}
+
+	cookies := httpResponse.Header.Get("set-cookie")
+	if len(cookies) == 0 {
+		return "", fmt.Errorf("no cookie field in response from %s", armoAPI.getOpenidCustomers())
+	}
+
+	authCookie := ""
+	for _, cookie := range strings.Split(cookies, ";") {
+		kv := strings.Split(cookie, "=")
+		if kv[0] == "auth" {
+			authCookie = kv[1]
+		}
+	}
+
+	if len(authCookie) == 0 {
+		return "", fmt.Errorf("no auth cookie field in response from %s", armoAPI.getOpenidCustomers())
+	}
+
+	return authCookie, nil
+}
+func (armoAPI *ArmoAPI) appendAuthHeaders(headers map[string]string) {
+
+	if armoAPI.feToken.Token != "" {
+		headers["Authorization"] = fmt.Sprintf("Bearer %s", armoAPI.feToken.Token)
+	}
+	if armoAPI.authCookie != "" {
+		headers["Cookie"] = fmt.Sprintf("auth=%s", armoAPI.authCookie)
+	}
+}

cautils/getter/datastructures.go

@@ -0,0 +1,24 @@
+package getter
+
+type FeLoginData struct {
+	Secret   string `json:"secret"`
+	ClientId string `json:"clientId"`
+}
+
+type FeLoginResponse struct {
+	Token        string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
+	ExpiresIn    int32  `json:"expiresIn"`
+	Expires      string `json:"expires"`
+}
+
+type ArmoSelectCustomer struct {
+	SelectedCustomerGuid string `json:"selectedCustomer"`
+}
+
+type TenantResponse struct {
+	TenantID  string `json:"tenantId"`
+	Token     string `json:"token"`
+	Expires   string `json:"expires"`
+	AdminMail string `json:"adminMail,omitempty"`
+}

cautils/getter/getpolicies.go

@@ -24,8 +24,15 @@ type IExceptionsGetter interface {
 	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
 }
 type IBackend interface {
-	GetCustomerGUID() (*TenantResponse, error)
-	SetCustomerGUID(customerGUID string)
+	GetAccountID() string
+	GetClientID() string
+	GetSecretKey() string
+
+	SetAccountID(accountID string)
+	SetClientID(clientID string)
+	SetSecretKey(secretKey string)
+
+	GetTenant() (*TenantResponse, error)
 }
 
 type IControlsInputsGetter interface {

cautils/getter/getpoliciesutils.go

@@ -21,7 +21,7 @@ func GetDefaultPath(name string) string {
 }
 
 func SaveInFile(policy interface{}, pathStr string) error {
-	encodedData, err := json.Marshal(policy)
+	encodedData, err := json.MarshalIndent(policy, "", "  ")
 	if err != nil {
 		return err
 	}
@@ -57,7 +57,7 @@ func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]stri
 	if err != nil {
 		return "", err
 	}
-	addHeaders(req, headers)
+	setHeaders(req, headers)
 
 	resp, err := httpClient.Do(req)
 	if err != nil {
@@ -76,7 +76,7 @@ func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string
 	if err != nil {
 		return "", err
 	}
-	addHeaders(req, headers)
+	setHeaders(req, headers)
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return "", err
@@ -88,10 +88,10 @@ func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string
 	return respStr, nil
 }
 
-func addHeaders(req *http.Request, headers map[string]string) {
+func setHeaders(req *http.Request, headers map[string]string) {
 	if len(headers) >= 0 { // might be nil
 		for k, v := range headers {
-			req.Header.Add(k, v)
+			req.Header.Set(k, v)
 		}
 	}
 }
@@ -106,21 +106,22 @@ func httpRespToString(resp *http.Response) (string, error) {
 	if resp.ContentLength > 0 {
 		strBuilder.Grow(int(resp.ContentLength))
 	}
-	bytesNum, err := io.Copy(&strBuilder, resp.Body)
+	_, err := io.Copy(&strBuilder, resp.Body)
 	respStr := strBuilder.String()
 	if err != nil {
 		respStrNewLen := len(respStr)
 		if respStrNewLen > 1024 {
 			respStrNewLen = 1024
 		}
-		return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+		return "", fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
+		// return "", fmt.Errorf("HTTP request failed. URL: '%s', Read-ERROR: '%s', HTTP-CODE: '%s', BODY(top): '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), err, resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
 	}
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		respStrNewLen := len(respStr)
 		if respStrNewLen > 1024 {
 			respStrNewLen = 1024
 		}
-		err = fmt.Errorf("HTTP request failed. URL: '%s', HTTP-ERROR: '%s', BODY: '%s', HTTP-HEADERS: %v, HTTP-BODY-BUFFER-LENGTH: %v", resp.Request.URL.RequestURI(), resp.Status, respStr[:respStrNewLen], resp.Header, bytesNum)
+		err = fmt.Errorf("http-error: '%s', reason: '%s'", resp.Status, respStr[:respStrNewLen])
 	}
 
 	return respStr, err

cautils/logger/helpers/datastructures.go

@@ -0,0 +1,26 @@
+package helpers
+
+type StringObj struct {
+	key   string
+	value string
+}
+
+type ErrorObj struct {
+	key   string
+	value error
+}
+
+type IntObj struct {
+	key   string
+	value int
+}
+
+type InterfaceObj struct {
+	key   string
+	value interface{}
+}
+
+func Error(e error) *ErrorObj                         { return &ErrorObj{key: "error", value: e} }
+func Int(k string, v int) *IntObj                     { return &IntObj{key: k, value: v} }
+func String(k, v string) *StringObj                   { return &StringObj{key: k, value: v} }
+func Interface(k string, v interface{}) *InterfaceObj { return &InterfaceObj{key: k, value: v} }

cautils/logger/helpers/level.go

@@ -0,0 +1,69 @@
+package helpers
+
+import (
+	"strings"
+)
+
+type Level int8
+
+const (
+	UnknownLevel Level = iota - -1
+	DebugLevel
+	InfoLevel //default
+	SuccessLevel
+	WarningLevel
+	ErrorLevel
+	FatalLevel
+
+	_defaultLevel = InfoLevel
+	_minLevel     = DebugLevel
+	_maxLevel     = FatalLevel
+)
+
+func ToLevel(level string) Level {
+	switch strings.ToLower(level) {
+	case "debug":
+		return DebugLevel
+	case "info":
+		return InfoLevel
+	case "success":
+		return SuccessLevel
+	case "warning", "warn":
+		return WarningLevel
+	case "error":
+		return ErrorLevel
+	case "fatal":
+		return FatalLevel
+	default:
+		return UnknownLevel
+	}
+}
+func (l Level) String() string {
+	switch l {
+	case DebugLevel:
+		return "debug"
+	case InfoLevel:
+		return "info"
+	case SuccessLevel:
+		return "success"
+	case WarningLevel:
+		return "warning"
+	case ErrorLevel:
+		return "error"
+	case FatalLevel:
+		return "fatal"
+	}
+	return ""
+}
+
+func (l Level) Skip(l2 Level) bool {
+	return l < l2
+}
+
+func SupportedLevels() []string {
+	levels := []string{}
+	for i := _minLevel; i <= _maxLevel; i++ {
+		levels = append(levels, i.String())
+	}
+	return levels
+}

cautils/logger/helpers/methods.go

@@ -0,0 +1,62 @@
+package helpers
+
+type IDetails interface {
+	Key() string
+	Value() interface{}
+}
+
+// ======================================================================================
+// ============================== String ================================================
+// ======================================================================================
+
+// Key
+func (s *StringObj) Key() string {
+	return s.key
+}
+
+// Value
+func (s *StringObj) Value() interface{} {
+	return s.value
+}
+
+// ======================================================================================
+// =============================== Error ================================================
+// ======================================================================================
+
+// Key
+func (s *ErrorObj) Key() string {
+	return s.key
+}
+
+// Value
+func (s *ErrorObj) Value() interface{} {
+	return s.value
+}
+
+// ======================================================================================
+// ================================= Int ================================================
+// ======================================================================================
+
+// Key
+func (s *IntObj) Key() string {
+	return s.key
+}
+
+// Value
+func (s *IntObj) Value() interface{} {
+	return s.value
+}
+
+// ======================================================================================
+// =========================== Interface ================================================
+// ======================================================================================
+
+// Key
+func (s *InterfaceObj) Key() string {
+	return s.key
+}
+
+// Value
+func (s *InterfaceObj) Value() interface{} {
+	return s.value
+}

cautils/logger/methods.go

@@ -0,0 +1,41 @@
+package logger
+
+import (
+	"os"
+
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	"github.com/armosec/kubescape/cautils/logger/prettylogger"
+)
+
+type ILogger interface {
+	Fatal(msg string, details ...helpers.IDetails) // print log and exit 1
+	Error(msg string, details ...helpers.IDetails)
+	Success(msg string, details ...helpers.IDetails)
+	Warning(msg string, details ...helpers.IDetails)
+	Info(msg string, details ...helpers.IDetails)
+	Debug(msg string, details ...helpers.IDetails)
+
+	SetLevel(level string) error
+	GetLevel() string
+
+	SetWriter(w *os.File)
+	GetWriter() *os.File
+}
+
+var l ILogger
+
+func L() ILogger {
+	if l == nil {
+		InitializeLogger()
+	}
+	return l
+}
+
+func InitializeLogger() {
+	initializeLogger()
+}
+
+func initializeLogger() {
+	// TODO - support zap logger
+	l = prettylogger.NewPrettyLogger()
+}

cautils/logger/prettylogger/colors.go

@@ -0,0 +1,31 @@
+package prettylogger
+
+import (
+	"io"
+
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	"github.com/fatih/color"
+)
+
+var prefixError = color.New(color.Bold, color.FgHiRed).FprintfFunc()
+var prefixWarning = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
+var prefixInfo = color.New(color.Bold, color.FgCyan).FprintfFunc()
+var prefixSuccess = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
+var prefixDebug = color.New(color.Bold, color.FgWhite).FprintfFunc()
+var message = color.New().FprintfFunc()
+
+func prefix(l helpers.Level) func(w io.Writer, format string, a ...interface{}) {
+	switch l {
+	case helpers.DebugLevel:
+		return prefixDebug
+	case helpers.InfoLevel:
+		return prefixInfo
+	case helpers.SuccessLevel:
+		return prefixSuccess
+	case helpers.WarningLevel:
+		return prefixWarning
+	case helpers.ErrorLevel, helpers.FatalLevel:
+		return prefixError
+	}
+	return message
+}

cautils/logger/prettylogger/logger.go

@@ -0,0 +1,78 @@
+package prettylogger
+
+import (
+	"fmt"
+	"os"
+	"sync"
+
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+)
+
+type PrettyLogger struct {
+	writer *os.File
+	level  helpers.Level
+	mutex  sync.Mutex
+}
+
+func NewPrettyLogger() *PrettyLogger {
+	return &PrettyLogger{
+		writer: os.Stderr, // default to stderr
+		level:  helpers.InfoLevel,
+		mutex:  sync.Mutex{},
+	}
+}
+
+func (pl *PrettyLogger) GetLevel() string     { return pl.level.String() }
+func (pl *PrettyLogger) SetWriter(w *os.File) { pl.writer = w }
+func (pl *PrettyLogger) GetWriter() *os.File  { return pl.writer }
+
+func (pl *PrettyLogger) SetLevel(level string) error {
+	pl.level = helpers.ToLevel(level)
+	if pl.level == helpers.UnknownLevel {
+		return fmt.Errorf("level '%s' unknown", level)
+	}
+	return nil
+}
+func (pl *PrettyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.FatalLevel, msg, details...)
+	os.Exit(1)
+}
+func (pl *PrettyLogger) Error(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.ErrorLevel, msg, details...)
+}
+func (pl *PrettyLogger) Warning(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.WarningLevel, msg, details...)
+}
+func (pl *PrettyLogger) Info(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.InfoLevel, msg, details...)
+}
+func (pl *PrettyLogger) Debug(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.DebugLevel, msg, details...)
+}
+func (pl *PrettyLogger) Success(msg string, details ...helpers.IDetails) {
+	pl.print(helpers.SuccessLevel, msg, details...)
+}
+
+func (pl *PrettyLogger) print(level helpers.Level, msg string, details ...helpers.IDetails) {
+	if !level.Skip(pl.level) {
+		pl.mutex.Lock()
+		prefix(level)(pl.writer, "[%s] ", level.String())
+		if d := detailsToString(details); d != "" {
+			msg = fmt.Sprintf("%s. %s", msg, d)
+		}
+		message(pl.writer, fmt.Sprintf("%s\n", msg))
+		pl.mutex.Unlock()
+	}
+
+}
+
+func detailsToString(details []helpers.IDetails) string {
+	s := ""
+	for i := range details {
+		s += fmt.Sprintf("%s: %s", details[i].Key(), details[i].Value())
+		if i < len(details)-1 {
+			s += "; "
+		}
+	}
+	return s
+}

cautils/logger/zaplogger/logger.go

@@ -0,0 +1,58 @@
+package zaplogger
+
+import (
+	"os"
+
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+type ZapLogger struct {
+	zapL *zap.Logger
+}
+
+func NewZapLogger() *ZapLogger {
+	return &ZapLogger{
+		zapL: zap.L(),
+	}
+}
+
+func (zl *ZapLogger) GetLevel() string     { return "" }
+func (zl *ZapLogger) SetWriter(w *os.File) {}
+func GetWriter() *os.File                  { return nil }
+
+func (zl *ZapLogger) SetLevel(level string) error {
+	return nil
+}
+func (zl *ZapLogger) Fatal(msg string, details ...helpers.IDetails) {
+	zl.zapL.Fatal(msg, detailsToZapFields(details)...)
+}
+
+func (zl *ZapLogger) Error(msg string, details ...helpers.IDetails) {
+	zl.zapL.Error(msg, detailsToZapFields(details)...)
+}
+
+func (zl *ZapLogger) Warning(msg string, details ...helpers.IDetails) {
+	zl.zapL.Warn(msg, detailsToZapFields(details)...)
+}
+
+func (zl *ZapLogger) Success(msg string, details ...helpers.IDetails) {
+	zl.zapL.Info(msg, detailsToZapFields(details)...)
+}
+
+func (zl *ZapLogger) Info(msg string, details ...helpers.IDetails) {
+	zl.zapL.Info(msg, detailsToZapFields(details)...)
+}
+
+func (zl *ZapLogger) Debug(msg string, details ...helpers.IDetails) {
+	zl.zapL.Debug(msg, detailsToZapFields(details)...)
+}
+
+func detailsToZapFields(details []helpers.IDetails) []zapcore.Field {
+	zapFields := []zapcore.Field{}
+	for i := range details {
+		zapFields = append(zapFields, zap.Any(details[i].Key(), details[i].Value()))
+	}
+	return zapFields
+}

cautils/reportv2tov1.go

@@ -120,7 +120,12 @@ func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, con
 						ruleResponse := reporthandling.RuleResponse{}
 						ruleResponse.Rulename = rulev2.GetName()
 						for i := range rulev2.Paths {
-							ruleResponse.FailedPaths = append(ruleResponse.FailedPaths, rulev2.Paths[i].FailedPath)
+							if rulev2.Paths[i].FailedPath != "" {
+								ruleResponse.FailedPaths = append(ruleResponse.FailedPaths, rulev2.Paths[i].FailedPath)
+							}
+							if rulev2.Paths[i].FixPath.Path != "" {
+								ruleResponse.FixPaths = append(ruleResponse.FixPaths, rulev2.Paths[i].FixPath)
+							}
 						}
 						ruleResponse.RuleStatus = string(status.Status())
 						if len(rulev2.Exception) > 0 {

cautils/scaninfo.go

@@ -72,6 +72,7 @@ type ScanInfo struct {
 	HostSensor         BoolPtrFlag // Deploy ARMO K8s host sensor to collect data from certain controls
 	Local              bool        // Do not submit results
 	Account            string      // account ID
+	Logger             string      // logger level
 	KubeContext        string      // context name
 	FrameworkScan      bool        // false if scanning control
 	ScanAll            bool        // true if scan all frameworks

cautils/versioncheck.go

@@ -7,6 +7,8 @@ import (
 	"os"
 
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	pkgutils "github.com/armosec/utils-go/utils"
 )
 
@@ -22,7 +24,7 @@ type IVersionCheckHandler interface {
 
 func NewIVersionCheckHandler() IVersionCheckHandler {
 	if BuildNumber == "" {
-		WarningDisplay(os.Stderr, "Warning: unknown build number, this might affect your scan results. Please make sure you are updated to latest version.\n")
+		logger.L().Warning("unknown build number, this might affect your scan results. Please make sure you are updated to latest version")
 	}
 	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && pkgutils.StringToBool(v) {
 		return NewVersionCheckHandlerMock()
@@ -78,14 +80,14 @@ func NewVersionCheckRequest(buildNumber, frameworkName, frameworkVersion, scanni
 }
 
 func (v *VersionCheckHandlerMock) CheckLatestVersion(versionData *VersionCheckRequest) error {
-	fmt.Println("Skipping version check")
+	logger.L().Info("Skipping version check")
 	return nil
 }
 
 func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckRequest) error {
 	defer func() {
 		if err := recover(); err != nil {
-			WarningDisplay(os.Stderr, "failed to get latest version\n")
+			logger.L().Warning("failed to get latest version", helpers.Interface("error", err))
 		}
 	}()
 
@@ -96,7 +98,7 @@ func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckReques
 
 	if latestVersion.ClientUpdate != "" {
 		if BuildNumber != "" && BuildNumber < latestVersion.ClientUpdate {
-			WarningDisplay(os.Stderr, warningMessage(latestVersion.Client, latestVersion.ClientUpdate), "\n")
+			logger.L().Warning(warningMessage(latestVersion.Client, latestVersion.ClientUpdate))
 		}
 	}
 
@@ -106,7 +108,7 @@ func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckReques
 	// }
 
 	if latestVersion.Message != "" {
-		InfoDisplay(os.Stderr, latestVersion.Message, "\n")
+		logger.L().Info(latestVersion.Message)
 	}
 
 	return nil
@@ -132,5 +134,5 @@ func (v *VersionCheckHandler) getLatestVersion(versionData *VersionCheckRequest)
 }
 
 func warningMessage(kind, release string) string {
-	return fmt.Sprintf("Warning: '%s' is not updated to the latest release: '%s'", kind, release)
+	return fmt.Sprintf("'%s' is not updated to the latest release: '%s'", kind, release)
 }

clihandler/clidelete.go

@@ -0,0 +1,7 @@
+package clihandler
+
+func CliDelete() error {
+
+	tenant := getTenantConfig("", "", getKubernetesApi()) // change k8sinterface
+	return tenant.DeleteCachedConfig()
+}

clihandler/clidownload.go

@@ -8,6 +8,8 @@ import (
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 )
 
 var downloadFunc = map[string]func(*cautils.DownloadInfo) error{
@@ -67,7 +69,7 @@ func downloadArtifacts(downloadInfo *cautils.DownloadInfo) error {
 	}
 	for artifact := range artifacts {
 		if err := downloadArtifact(&cautils.DownloadInfo{Target: artifact, Path: downloadInfo.Path, FileName: fmt.Sprintf("%s.json", artifact)}, artifacts); err != nil {
-			fmt.Printf("error downloading %s, error: %s", artifact, err)
+			logger.L().Error("error downloading", helpers.String("artifact", artifact), helpers.Error(err))
 		}
 	}
 	return nil
@@ -75,7 +77,7 @@ func downloadArtifacts(downloadInfo *cautils.DownloadInfo) error {
 
 func downloadConfigInputs(downloadInfo *cautils.DownloadInfo) error {
 	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi())
-	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetCustomerGUID(), nil)
+	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetAccountID(), nil)
 	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetClusterName())
 	if err != nil {
 		return err
@@ -88,7 +90,7 @@ func downloadConfigInputs(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }
 
@@ -97,7 +99,7 @@ func downloadExceptions(downloadInfo *cautils.DownloadInfo) error {
 	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi())
 	exceptionsGetter := getExceptionsGetter("")
 	exceptions := []armotypes.PostureExceptionPolicy{}
-	if tenant.GetCustomerGUID() != "" {
+	if tenant.GetAccountID() != "" {
 		exceptions, err = exceptionsGetter.GetExceptions(tenant.GetClusterName())
 		if err != nil {
 			return err
@@ -111,14 +113,14 @@ func downloadExceptions(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }
 
 func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 
 	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi())
-	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), true, nil)
+	g := getPolicyGetter(nil, tenant.GetAccountID(), true, nil)
 
 	if downloadInfo.Name == "" {
 		// if framework name not specified - download all frameworks
@@ -131,7 +133,7 @@ func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 			if err != nil {
 				return err
 			}
-			fmt.Printf("'%s': '%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, fw.Name, filepath.Join(downloadInfo.Path, (strings.ToLower(fw.Name)+".json")))
+			logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", fw.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 		}
 		// return fmt.Errorf("missing framework name")
 	} else {
@@ -146,7 +148,7 @@ func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 		if err != nil {
 			return err
 		}
-		fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+		logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", framework.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	}
 	return nil
 }
@@ -154,7 +156,7 @@ func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 func downloadControl(downloadInfo *cautils.DownloadInfo) error {
 
 	tenant := getTenantConfig(downloadInfo.Account, "", getKubernetesApi())
-	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), false, nil)
+	g := getPolicyGetter(nil, tenant.GetAccountID(), false, nil)
 
 	if downloadInfo.Name == "" {
 		// TODO - support
@@ -171,6 +173,6 @@ func downloadControl(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", downloadInfo.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }

clihandler/clilist.go

@@ -5,11 +5,11 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/clihandler/cliobjects"
 )
 
-var listFunc = map[string]func(*cautils.ListPolicies) ([]string, error){
+var listFunc = map[string]func(*cliobjects.ListPolicies) ([]string, error){
 	"controls":   listControls,
 	"frameworks": listFrameworks,
 }
@@ -21,7 +21,7 @@ func ListSupportCommands() []string {
 	}
 	return commands
 }
-func CliList(listPolicies *cautils.ListPolicies) error {
+func CliList(listPolicies *cliobjects.ListPolicies) error {
 	if f, ok := listFunc[listPolicies.Target]; ok {
 		policies, err := f(listPolicies)
 		if err != nil {
@@ -40,16 +40,16 @@ func CliList(listPolicies *cautils.ListPolicies) error {
 	return fmt.Errorf("unknown command to download")
 }
 
-func listFrameworks(listPolicies *cautils.ListPolicies) ([]string, error) {
+func listFrameworks(listPolicies *cliobjects.ListPolicies) ([]string, error) {
 	tenant := getTenantConfig(listPolicies.Account, "", getKubernetesApi()) // change k8sinterface
-	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), true, nil)
+	g := getPolicyGetter(nil, tenant.GetAccountID(), true, nil)
 
 	return listFrameworksNames(g), nil
 }
 
-func listControls(listPolicies *cautils.ListPolicies) ([]string, error) {
+func listControls(listPolicies *cliobjects.ListPolicies) ([]string, error) {
 	tenant := getTenantConfig(listPolicies.Account, "", getKubernetesApi()) // change k8sinterface
-	g := getPolicyGetter(nil, tenant.GetCustomerGUID(), false, nil)
+	g := getPolicyGetter(nil, tenant.GetAccountID(), false, nil)
 	l := getter.ListName
 	if listPolicies.ListIDs {
 		l = getter.ListID

clihandler/cliobjects/listpolicies.go

@@ -1,4 +1,4 @@
-package cautils
+package cliobjects
 
 type ListPolicies struct {
 	Target  string

clihandler/cliobjects/set.go

@@ -0,0 +1,7 @@
+package cliobjects
+
+type SetConfig struct {
+	Account   string
+	ClientID  string
+	SecretKey string
+}

clihandler/cliobjects/submit.go

@@ -0,0 +1,5 @@
+package cliobjects
+
+type Submit struct {
+	Account string
+}

clihandler/cliset.go

@@ -0,0 +1,22 @@
+package clihandler
+
+import (
+	"github.com/armosec/kubescape/clihandler/cliobjects"
+)
+
+func CliSetConfig(setConfig *cliobjects.SetConfig) error {
+
+	tenant := getTenantConfig("", "", getKubernetesApi())
+
+	if setConfig.Account != "" {
+		tenant.GetConfigObj().AccountID = setConfig.Account
+	}
+	if setConfig.SecretKey != "" {
+		tenant.GetConfigObj().SecretKey = setConfig.SecretKey
+	}
+	if setConfig.ClientID != "" {
+		tenant.GetConfigObj().ClientID = setConfig.ClientID
+	}
+
+	return tenant.UpdateCachedConfig()
+}

clihandler/clisubmit.go

@@ -0,0 +1,57 @@
+package clihandler
+
+import (
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	"github.com/armosec/kubescape/clihandler/cliinterfaces"
+)
+
+func Submit(submitInterfaces cliinterfaces.SubmitInterfaces) error {
+
+	// list resources
+	postureReport, err := submitInterfaces.SubmitObjects.SetResourcesReport()
+	if err != nil {
+		return err
+	}
+	allresources, err := submitInterfaces.SubmitObjects.ListAllResources()
+	if err != nil {
+		return err
+	}
+	// report
+	if err := submitInterfaces.Reporter.ActionSendReport(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
+		return err
+	}
+	logger.L().Success("Data has been submitted successfully")
+	submitInterfaces.Reporter.DisplayReportURL()
+
+	return nil
+}
+
+func SubmitExceptions(accountID, excPath string) error {
+	logger.L().Info("submitting exceptions", helpers.String("path", excPath))
+
+	// load cached config
+	getTenantConfig(accountID, "", getKubernetesApi())
+
+	// load exceptions from file
+	loader := getter.NewLoadPolicy([]string{excPath})
+	exceptions, err := loader.GetExceptions("")
+	if err != nil {
+		return err
+	}
+
+	// login kubescape SaaS
+	armoAPI := getter.GetArmoAPIConnector()
+	if err := armoAPI.Login(); err != nil {
+		return err
+	}
+
+	if err := armoAPI.PostExceptions(exceptions); err != nil {
+		return err
+	}
+	logger.L().Success("Exceptions submitted successfully")
+
+	return nil
+}

clihandler/cliview.go

@@ -0,0 +1,12 @@
+package clihandler
+
+import (
+	"fmt"
+	"os"
+)
+
+func CliView() error {
+	tenant := getTenantConfig("", "", getKubernetesApi()) // change k8sinterface
+	fmt.Fprintf(os.Stderr, "%s\n", tenant.GetConfigObj().Config())
+	return nil
+}

clihandler/cmd/cluster.go

@@ -6,9 +6,10 @@ import (
 
 // clusterCmd represents the cluster command
 var clusterCmd = &cobra.Command{
-	Use:   "cluster",
-	Short: "Set configuration for cluster",
-	Long:  ``,
+	Use:        "cluster",
+	Short:      "Set configuration for cluster",
+	Long:       ``,
+	Deprecated: "use the 'set' command instead",
 	Run: func(cmd *cobra.Command, args []string) {
 	},
 }

clihandler/cmd/cluster_get.go

@@ -7,13 +7,15 @@ import (
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/spf13/cobra"
 )
 
 var getCmd = &cobra.Command{
-	Use:   "get <key>",
-	Short: "Get configuration in cluster",
-	Long:  ``,
+	Use:        "get <key>",
+	Short:      "Get configuration in cluster",
+	Long:       ``,
+	Deprecated: "use the 'view' command instead",
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument")
@@ -34,12 +36,11 @@ var getCmd = &cobra.Command{
 		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
-				return nil
+				return fmt.Errorf("failed to get value from configmap, reason: %s", err.Error())
 			}
 			return err
 		}
-		fmt.Println(key + "=" + val)
+		logger.L().Info(key + "=" + val)
 		return nil
 	},
 }

clihandler/cmd/cluster_set.go

@@ -7,13 +7,15 @@ import (
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/spf13/cobra"
 )
 
-var setCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration in cluster",
-	Long:  ``,
+var setClusterCmd = &cobra.Command{
+	Use:        "set <key>=<value>",
+	Short:      "Set configuration in cluster",
+	Long:       ``,
+	Deprecated: "use the 'set' command instead",
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument: <key>=<value>")
@@ -34,11 +36,11 @@ var setCmd = &cobra.Command{
 		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
 			return err
 		}
-		fmt.Println("Value added successfully.")
+		logger.L().Info("value added successfully.")
 		return nil
 	},
 }
 
 func init() {
-	clusterCmd.AddCommand(setCmd)
+	clusterCmd.AddCommand(setClusterCmd)
 }

clihandler/cmd/config.go

@@ -1,18 +1,127 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/clihandler/cliobjects"
 	"github.com/spf13/cobra"
 )
 
+var (
+	configExample = `
+  # View cached configurations 
+  kubescape config view
+
+  # Delete cached configurations
+  kubescape config delete
+
+  # Set cached configurations
+  kubescape config set --help
+`
+	setConfigExample = `
+  # Set account id
+  kubescape config set accountID <account id>
+
+  # Set client id
+  kubescape config set clientID <client id> 
+
+  # Set access key
+  kubescape config set secretKey <access key>
+`
+)
+
 // configCmd represents the config command
 var configCmd = &cobra.Command{
-	Use:   "config",
-	Short: "Set configuration",
+	Use:     "config",
+	Short:   "handle cached configurations",
+	Example: configExample,
+}
+
+var setConfig = cliobjects.SetConfig{}
+
+// configCmd represents the config command
+var configSetCmd = &cobra.Command{
+	Use:       "set",
+	Short:     fmt.Sprintf("Set configurations, supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/")),
+	Example:   setConfigExample,
+	ValidArgs: stringKeysToSlice(supportConfigSet),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := parseSetArgs(args); err != nil {
+			return err
+		}
+		if err := clihandler.CliSetConfig(&setConfig); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
+		return nil
+	},
+}
+
+var supportConfigSet = map[string]func(*cliobjects.SetConfig, string){
+	"accountID": func(s *cliobjects.SetConfig, account string) { s.Account = account },
+	"clientID":  func(s *cliobjects.SetConfig, clientID string) { s.ClientID = clientID },
+	"secretKey": func(s *cliobjects.SetConfig, secretKey string) { s.SecretKey = secretKey },
+}
+
+func stringKeysToSlice(m map[string]func(*cliobjects.SetConfig, string)) []string {
+	l := []string{}
+	for i := range m {
+		l = append(l, i)
+	}
+	return l
+}
+
+func parseSetArgs(args []string) error {
+	var key string
+	var value string
+	if len(args) == 1 {
+		if keyValue := strings.Split(args[0], "="); len(keyValue) == 2 {
+			key = keyValue[0]
+			value = keyValue[1]
+		}
+	} else if len(args) == 2 {
+		key = args[0]
+		value = args[1]
+	}
+	if setConfigFunc, ok := supportConfigSet[key]; ok {
+		setConfigFunc(&setConfig, value)
+	} else {
+		return fmt.Errorf("key '%s' unknown . supported: %s", key, strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	}
+	return nil
+}
+
+var configDeleteCmd = &cobra.Command{
+	Use:   "delete",
+	Short: "Delete cached configurations",
 	Long:  ``,
 	Run: func(cmd *cobra.Command, args []string) {
+		if err := clihandler.CliDelete(); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
+	},
+}
+
+// configCmd represents the config command
+var configViewCmd = &cobra.Command{
+	Use:   "view",
+	Short: "View cached configurations",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+		if err := clihandler.CliView(); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
 	},
 }
 
 func init() {
 	rootCmd.AddCommand(configCmd)
+	configCmd.AddCommand(configSetCmd)
+	configCmd.AddCommand(configDeleteCmd)
+	configCmd.AddCommand(configViewCmd)
 }

clihandler/cmd/control.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
@@ -53,7 +54,6 @@ var controlCmd = &cobra.Command{
 		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
 
 		if len(args) == 0 {
-			// scanInfo.SetPolicyIdentifiers(getter.NativeFrameworks, reporthandling.KindFramework)
 			scanInfo.ScanAll = true
 		} else { // expected control or list of control sepparated by ","
 
@@ -83,8 +83,7 @@ var controlCmd = &cobra.Command{
 		cautils.SetSilentMode(scanInfo.Silent)
 		err := clihandler.ScanCliSetup(&scanInfo)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 		return nil
 	},
@@ -97,8 +96,7 @@ func init() {
 
 func flagValidationControl() {
 	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
+		logger.L().Fatal("bad argument: out of range threshold")
 	}
 }
 

clihandler/cmd/download.go

@@ -2,10 +2,11 @@ package cmd
 
 import (
 	"fmt"
-	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/spf13/cobra"
 )
@@ -21,7 +22,7 @@ var (
   kubescape download artifacts --output /tmp
   
   # Download the NSA framework. Run 'kubescape list frameworks' for all frameworks names
-  kubescape download frameworks nsa
+  kubescape download framework nsa
 
   # Download the "Allowed hostPath" control. Run 'kubescape list controls' for all controls names
   kubescape download control "Allowed hostPath"
@@ -58,18 +59,23 @@ var downloadCmd = &cobra.Command{
 			downloadInfo.Name = args[1]
 		}
 		if err := clihandler.CliDownload(&downloadInfo); err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 		return nil
 	},
 }
 
 func init() {
-	// cobra.OnInitialize(initConfig)
+	cobra.OnInitialize(initDownload)
 
 	rootCmd.AddCommand(downloadCmd)
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
 	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
 
 }
+
+func initDownload() {
+	if filepath.Ext(downloadInfo.Path) == ".json" {
+		downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
+	}
+}

clihandler/cmd/framework.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/spf13/cobra"
@@ -46,7 +47,6 @@ var frameworkCmd = &cobra.Command{
 	Short:   "The framework you wish to use. Run 'kubescape list frameworks' for the list of supported frameworks",
 	Example: frameworkExample,
 	Long:    "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	// ValidArgs: getter.NativeFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			frameworks := strings.Split(args[0], ",")
@@ -65,7 +65,6 @@ var frameworkCmd = &cobra.Command{
 		var frameworks []string
 
 		if len(args) == 0 { // scan all frameworks
-			// frameworks = getter.NativeFrameworks
 			scanInfo.ScanAll = true
 		} else {
 			// Read frameworks from input args
@@ -99,8 +98,7 @@ var frameworkCmd = &cobra.Command{
 		cautils.SetSilentMode(scanInfo.Silent)
 		err := clihandler.ScanCliSetup(&scanInfo)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 		return nil
 	},
@@ -122,11 +120,9 @@ func init() {
 
 func flagValidationFramework() {
 	if scanInfo.Submit && scanInfo.Local {
-		fmt.Println("You can use `keep-local` or `submit`, but not both")
-		os.Exit(1)
+		logger.L().Fatal("you can use `keep-local` or `submit`, but not both")
 	}
 	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
+		logger.L().Fatal("bad argument: out of range threshold")
 	}
 }

clihandler/cmd/list.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/clihandler/cliobjects"
 	"github.com/spf13/cobra"
 )
 
@@ -28,7 +29,7 @@ var (
   https://hub.armo.cloud/docs/controls
 `
 )
-var listPolicies = cautils.ListPolicies{}
+var listPolicies = cliobjects.ListPolicies{}
 
 var listCmd = &cobra.Command{
 	Use:     "list <policy> [flags]",

clihandler/cmd/local.go

@@ -5,9 +5,10 @@ import (
 )
 
 var localCmd = &cobra.Command{
-	Use:   "local",
-	Short: "Set configuration locally (for config.json)",
-	Long:  ``,
+	Use:        "local",
+	Short:      "Set configuration locally (for config.json)",
+	Long:       ``,
+	Deprecated: "use the 'set' command instead",
 	Run: func(cmd *cobra.Command, args []string) {
 	},
 }

clihandler/cmd/local_get.go

@@ -9,9 +9,10 @@ import (
 )
 
 var localGetCmd = &cobra.Command{
-	Use:   "get <key>",
-	Short: "Get configuration locally",
-	Long:  ``,
+	Use:        "get <key>",
+	Short:      "Get configuration locally",
+	Long:       ``,
+	Deprecated: "use the 'view' command instead",
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument")
@@ -30,8 +31,7 @@ var localGetCmd = &cobra.Command{
 		val, err := cautils.GetValueFromConfigJson(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
-				return nil
+				return fmt.Errorf("failed to get value from: %s, reason: %s", cautils.ConfigFileFullPath(), err.Error())
 			}
 			return err
 		}

clihandler/cmd/local_set.go

@@ -9,9 +9,10 @@ import (
 )
 
 var localSetCmd = &cobra.Command{
-	Use:   "set <key>=<value>",
-	Short: "Set configuration locally",
-	Long:  ``,
+	Use:        "set <key>=<value>",
+	Short:      "Set configuration locally",
+	Long:       ``,
+	Deprecated: "use the 'set' command instead",
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument: <key>=<value>")

clihandler/cmd/rbac.go

@@ -1,11 +1,10 @@
 package cmd
 
 import (
-	"fmt"
-	"os"
-
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/kubescape/clihandler/cliinterfaces"
 	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
@@ -23,13 +22,10 @@ var rabcCmd = &cobra.Command{
 		k8s := k8sinterface.NewKubernetesApi()
 
 		// get config
-		clusterConfig, err := getSubmittedClusterConfig(k8s)
-		if err != nil {
-			return err
-		}
+		clusterConfig := getTenantConfig(submitInfo.Account, "", k8s)
 
 		// list RBAC
-		rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName()))
+		rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetAccountID(), clusterConfig.GetClusterName()))
 
 		// submit resources
 		r := reporterv1.NewReportEventReceiver(clusterConfig.GetConfigObj())
@@ -41,8 +37,7 @@ var rabcCmd = &cobra.Command{
 		}
 
 		if err := clihandler.Submit(submitInterfaces); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 		return nil
 	},
@@ -51,3 +46,17 @@ var rabcCmd = &cobra.Command{
 func init() {
 	submitCmd.AddCommand(rabcCmd)
 }
+
+// getKubernetesApi
+func getKubernetesApi() *k8sinterface.KubernetesApi {
+	if !k8sinterface.IsConnectedToCluster() {
+		return nil
+	}
+	return k8sinterface.NewKubernetesApi()
+}
+func getTenantConfig(Account, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return cautils.NewLocalConfig(getter.GetArmoAPIConnector(), Account, clusterName)
+	}
+	return cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), Account, clusterName)
+}

clihandler/cmd/results.go

@@ -6,8 +6,8 @@ import (
 	"os"
 	"time"
 
-	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/kubescape/clihandler"
 	"github.com/armosec/kubescape/clihandler/cliinterfaces"
 	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
@@ -59,15 +59,12 @@ var resultsCmd = &cobra.Command{
 			return fmt.Errorf("missing results file")
 		}
 
-		k8s := k8sinterface.NewKubernetesApi()
+		k8s := getKubernetesApi()
 
 		// get config
-		clusterConfig, err := getSubmittedClusterConfig(k8s)
-		if err != nil {
-			return err
-		}
+		clusterConfig := getTenantConfig(submitInfo.Account, "", k8s)
 
-		resultsObjects := NewResultsObject(clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName(), args[0])
+		resultsObjects := NewResultsObject(clusterConfig.GetAccountID(), clusterConfig.GetClusterName(), args[0])
 
 		// submit resources
 		r := reporterv1.NewReportEventReceiver(clusterConfig.GetConfigObj())
@@ -79,8 +76,7 @@ var resultsCmd = &cobra.Command{
 		}
 
 		if err := clihandler.Submit(submitInterfaces); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 		return nil
 	},

clihandler/cmd/root.go

@@ -2,47 +2,62 @@ package cmd
 
 import (
 	"flag"
-	"os"
+	"fmt"
 	"strings"
 
 	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/golang/glog"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/spf13/cobra"
 )
 
-var cfgFile string
 var armoBEURLs = ""
 
 const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
 
+var ksExamples = `
+  # Scan command
+  kubescape scan --submit
+
+  # List supported frameworks
+  kubescape list frameworks
+
+  # Download artifacts (air-gapped environment support)
+  kubescape download artifacts
+
+  # View cached configurations
+  kubescape config view
+`
+
 var rootCmd = &cobra.Command{
-	Use:   "kubescape",
-	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		flag.Parse()
-		InitArmoBEConnector()
-		return nil
-	},
+	Use:     "kubescape",
+	Short:   "Kubescape is a tool for testing Kubernetes security posture",
+	Long:    `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® and other frameworks specifications`,
+	Example: ksExamples,
 }
 
 func Execute() {
 	rootCmd.Execute()
 }
-
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+	cobra.OnInitialize(initLogger, initEnvironment)
+
 	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
 	rootCmd.PersistentFlags().MarkHidden("environment")
-
+	rootCmd.PersistentFlags().StringVar(&scanInfo.Logger, "logger", "info", fmt.Sprintf("Logger level. Supported: %s", strings.Join(helpers.SupportedLevels(), "/")))
+	flag.Parse()
 }
 
-func InitArmoBEConnector() {
+func initLogger() {
+	if err := logger.L().SetLevel(scanInfo.Logger); err != nil {
+		logger.L().Fatal(fmt.Sprintf("supported levels: %s", strings.Join(helpers.SupportedLevels(), "/")), helpers.Error(err))
+	}
+}
+func initEnvironment() {
 	urlSlices := strings.Split(armoBEURLs, ",")
-	if len(urlSlices) > 3 {
-		glog.Errorf("Too many URLs")
-		os.Exit(1)
+	if len(urlSlices) != 1 && len(urlSlices) < 3 {
+		logger.L().Fatal("expected at least 3 URLs (report, api, frontend, auth)")
 	}
 	switch len(urlSlices) {
 	case 1:
@@ -52,13 +67,18 @@ func InitArmoBEConnector() {
 		case "":
 			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
 		default:
-			glog.Errorf("--environment flag usage: %s", envFlagUsage)
-			os.Exit(1)
+			logger.L().Fatal("--environment flag usage: " + envFlagUsage)
 		}
 	case 2:
-		glog.Errorf("--environment flag usage: %s", envFlagUsage)
-		os.Exit(1)
-	case 3:
-		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
+		logger.L().Fatal("--environment flag usage: " + envFlagUsage)
+	case 3, 4:
+		var armoAUTHURL string
+		armoERURL := urlSlices[0] // mandatory
+		armoBEURL := urlSlices[1] // mandatory
+		armoFEURL := urlSlices[2] // mandatory
+		if len(urlSlices) <= 4 {
+			armoAUTHURL = urlSlices[3]
+		}
+		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL, armoAUTHURL))
 	}
 }

clihandler/cmd/scan.go

@@ -1,9 +1,6 @@
 package cmd
 
 import (
-	"fmt"
-	"strings"
-
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/spf13/cobra"
@@ -13,24 +10,24 @@ var scanInfo cautils.ScanInfo
 
 // scanCmd represents the scan command
 var scanCmd = &cobra.Command{
-	Use:   "scan <command>",
+	Use:   "scan [command]",
 	Short: "Scan the current running cluster or yaml files",
 	Long:  `The action you want to perform`,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
-			if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-				return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
+			if args[0] != "framework" && args[0] != "control" {
+				scanInfo.ScanAll = true
+				return frameworkCmd.RunE(cmd, append([]string{"all"}, args...))
 			}
 		}
 		return nil
 	},
-	Run: func(cmd *cobra.Command, args []string) {
+	RunE: func(cmd *cobra.Command, args []string) error {
 		if len(args) == 0 {
 			scanInfo.ScanAll = true
-			// frameworks := getter.NativeFrameworks
-			// frameworkArgs := []string{strings.Join(frameworks, ",")}
-			frameworkCmd.RunE(cmd, []string{"all"})
+			return frameworkCmd.RunE(cmd, []string{"all"})
 		}
+		return nil
 	},
 }
 
@@ -39,10 +36,13 @@ func frameworkInitConfig() {
 }
 
 func init() {
+
 	cobra.OnInitialize(frameworkInitConfig)
 
 	rootCmd.AddCommand(scanCmd)
-	rootCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
@@ -61,4 +61,5 @@ func init() {
 	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensor, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valueable data from cluster nodes for certain controls")
 	hostF.NoOptDefVal = "true"
 	hostF.DefValue = "false, for no TTY in stdin"
+
 }

clihandler/cmd/submit.go

@@ -1,12 +1,19 @@
 package cmd
 
 import (
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
+	"fmt"
+
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/clihandler"
+	"github.com/armosec/kubescape/clihandler/cliobjects"
 	"github.com/spf13/cobra"
 )
 
+var submitInfo cliobjects.Submit
+
+var submitCmdExamples = `
+
+`
 var submitCmd = &cobra.Command{
 	Use:   "submit <command>",
 	Short: "Submit an object to the Kubescape SaaS version",
@@ -15,17 +22,25 @@ var submitCmd = &cobra.Command{
 	},
 }
 
-func init() {
-	rootCmd.AddCommand(submitCmd)
-}
-
-func getSubmittedClusterConfig(k8s *k8sinterface.KubernetesApi) (*cautils.ClusterConfig, error) {
-	clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account, scanInfo.KubeContext) // TODO - support none cluster env submit
-	if clusterConfig.GetCustomerGUID() != "" {
-		if err := clusterConfig.SetTenant(); err != nil {
-			return clusterConfig, err
+var submitExceptionsCmd = &cobra.Command{
+	Use:   "exceptions <full path to exceptins file>",
+	Short: "Submit exceptions to the Kubescape SaaS version",
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) != 1 {
+			return fmt.Errorf("missing full path to exceptions file")
 		}
-	}
-
-	return clusterConfig, nil
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		if err := clihandler.SubmitExceptions(submitInfo.Account, args[0]); err != nil {
+			logger.L().Fatal(err.Error())
+		}
+	},
+}
+
+func init() {
+	submitCmd.PersistentFlags().StringVarP(&submitInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
+	rootCmd.AddCommand(submitCmd)
+
+	submitCmd.AddCommand(submitExceptionsCmd)
 }

clihandler/cmd/version.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/armosec/kubescape/cautils"
 	"github.com/spf13/cobra"
@@ -14,7 +15,7 @@ var versionCmd = &cobra.Command{
 	RunE: func(cmd *cobra.Command, args []string) error {
 		v := cautils.NewIVersionCheckHandler()
 		v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
-		fmt.Println("Your current version is: " + cautils.BuildNumber)
+		fmt.Fprintln(os.Stdout, "Your current version is: "+cautils.BuildNumber)
 		return nil
 	},
 }

clihandler/initcli.go

@@ -5,16 +5,17 @@ import (
 	"io/fs"
 	"os"
 
+	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/resultshandling/printer"
 	printerv1 "github.com/armosec/kubescape/resultshandling/printer/v1"
 
 	// printerv2 "github.com/armosec/kubescape/resultshandling/printer/v2"
 
-	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler/cliinterfaces"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/kubescape/hostsensorutils"
 	"github.com/armosec/kubescape/opaprocessor"
 	"github.com/armosec/kubescape/policyhandler"
@@ -35,27 +36,32 @@ type componentInterfaces struct {
 
 func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 
+	// ================== setup k8s interface object ======================================
 	var k8s *k8sinterface.KubernetesApi
 	if scanInfo.GetScanningEnvironment() == cautils.ScanCluster {
 		k8s = getKubernetesApi()
 		if k8s == nil {
-			fmt.Println("Failed connecting to Kubernetes cluster")
-			os.Exit(1)
+			logger.L().Fatal("failed connecting to Kubernetes cluster")
 		}
 	}
 
+	// ================== setup tenant object ======================================
+
 	tenantConfig := getTenantConfig(scanInfo.Account, scanInfo.KubeContext, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
 
+	// ================== version testing ======================================
+
+	v := cautils.NewIVersionCheckHandler()
+	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))
+
+	// ================== setup host sensor object ======================================
+
 	hostSensorHandler := getHostSensorHandler(scanInfo, k8s)
 	if err := hostSensorHandler.Init(); err != nil {
-		errMsg := "failed to init host sensor"
-		if scanInfo.VerboseMode {
-			errMsg = fmt.Sprintf("%s: %v", errMsg, err)
-		}
-		cautils.ErrorDisplay(errMsg)
+		logger.L().Error("failed to init host sensor", helpers.Error(err))
 		hostSensorHandler = &hostsensorutils.HostSensorHandlerMock{}
 	}
 	// excluding hostsensor namespace
@@ -63,19 +69,29 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 		scanInfo.ExcludedNamespaces = fmt.Sprintf("%s,%s", scanInfo.ExcludedNamespaces, hostSensorHandler.GetNamespace())
 	}
 
-	resourceHandler := getResourceHandler(scanInfo, tenantConfig, k8s, hostSensorHandler)
+	// ================== setup registry adaptors ======================================
+
+	registryAdaptors, err := resourcehandler.NewRegistryAdaptors()
+	if err != nil {
+		logger.L().Error("failed to initialize registry adaptors", helpers.Error(err))
+	}
+
+	// ================== setup resource collector object ======================================
+
+	resourceHandler := getResourceHandler(scanInfo, tenantConfig, k8s, hostSensorHandler, registryAdaptors)
+
+	// ================== setup reporter & printer objects ======================================
 
 	// reporting behavior - setup reporter
 	reportHandler := getReporter(tenantConfig, scanInfo.Submit)
 
-	v := cautils.NewIVersionCheckHandler()
-	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))
-
 	// setup printer
 	printerHandler := printerv1.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
 	// printerHandler = printerv2.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
 	printerHandler.SetWriter(scanInfo.Output)
 
+	// ================== return interface ======================================
+
 	return componentInterfaces{
 		tenantConfig:      tenantConfig,
 		resourceHandler:   resourceHandler,
@@ -86,7 +102,7 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 }
 
 func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
-	cautils.ScanStartDisplay()
+	logger.L().Info("ARMO security scanner starting")
 
 	interfaces := getInterfaces(scanInfo)
 	// setPolicyGetter(scanInfo, interfaces.clusterConfig.GetCustomerGUID())
@@ -94,16 +110,16 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 	processNotification := make(chan *cautils.OPASessionObj)
 	reportResults := make(chan *cautils.OPASessionObj)
 
-	cautils.ClusterName = interfaces.tenantConfig.GetClusterName()   // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.tenantConfig.GetCustomerGUID() // TODO - Deprecated
+	cautils.ClusterName = interfaces.tenantConfig.GetClusterName() // TODO - Deprecated
+	cautils.CustomerGUID = interfaces.tenantConfig.GetAccountID()  // TODO - Deprecated
 	interfaces.report.SetClusterName(interfaces.tenantConfig.GetClusterName())
-	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetCustomerGUID())
+	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetAccountID())
 
 	downloadReleasedPolicy := getter.NewDownloadReleasedPolicy() // download config inputs from github release
 
 	// set policy getter only after setting the customerGUID
-	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetCustomerGUID(), scanInfo.FrameworkScan, downloadReleasedPolicy)
-	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
+	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetAccountID(), scanInfo.FrameworkScan, downloadReleasedPolicy)
+	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions)
 
 	// TODO - list supported frameworks/controls
@@ -114,11 +130,7 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 	//
 	defer func() {
 		if err := interfaces.hostSensorHandler.TearDown(); err != nil {
-			errMsg := "failed to tear down host sensor"
-			if scanInfo.VerboseMode {
-				errMsg = fmt.Sprintf("%s: %v", errMsg, err)
-			}
-			cautils.ErrorDisplay(errMsg)
+			logger.L().Error("failed to tear down host sensor", helpers.Error(err))
 		}
 	}()
 
@@ -128,8 +140,7 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 		policyHandler := policyhandler.NewPolicyHandler(&processNotification, interfaces.resourceHandler)
 
 		if err := Scan(policyHandler, scanInfo); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
+			logger.L().Fatal(err.Error())
 		}
 	}()
 
@@ -154,43 +165,24 @@ func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
 
 func Scan(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) error {
 	policyNotification := &reporthandling.PolicyNotification{
-		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules:            scanInfo.PolicyIdentifier,
-		Designators:      armotypes.PortalDesignator{},
+		Rules: scanInfo.PolicyIdentifier,
+		KubescapeNotification: reporthandling.KubescapeNotification{
+			Designators:      armotypes.PortalDesignator{},
+			NotificationType: reporthandling.TypeExecPostureScan,
+		},
 	}
-	switch policyNotification.NotificationType {
+	switch policyNotification.KubescapeNotification.NotificationType {
 	case reporthandling.TypeExecPostureScan:
 		if err := policyHandler.HandleNotificationRequest(policyNotification, scanInfo); err != nil {
 			return err
 		}
 
 	default:
-		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
+		return fmt.Errorf("notification type '%s' Unknown", policyNotification.KubescapeNotification.NotificationType)
 	}
 	return nil
 }
 
-func Submit(submitInterfaces cliinterfaces.SubmitInterfaces) error {
-
-	// list resources
-	postureReport, err := submitInterfaces.SubmitObjects.SetResourcesReport()
-	if err != nil {
-		return err
-	}
-	allresources, err := submitInterfaces.SubmitObjects.ListAllResources()
-	if err != nil {
-		return err
-	}
-	// report
-	if err := submitInterfaces.Reporter.ActionSendReport(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
-		return err
-	}
-	fmt.Printf("\nData has been submitted successfully")
-	submitInterfaces.Reporter.DisplayReportURL()
-
-	return nil
-}
-
 func askUserForHostSensor() bool {
 	return false
 
@@ -200,8 +192,8 @@ func askUserForHostSensor() bool {
 	if ssss, err := os.Stdin.Stat(); err == nil {
 		// fmt.Printf("Found stdin type: %s\n", ssss.Mode().Type())
 		if ssss.Mode().Type()&(fs.ModeDevice|fs.ModeCharDevice) > 0 { //has TTY
-			fmt.Printf("Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
-			fmt.Printf("Use --enable-host-scan flag to suppress this message\n")
+			fmt.Fprintf(os.Stderr, "Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
+			fmt.Fprintf(os.Stderr, "Use --enable-host-scan flag to suppress this message\n")
 			var b []byte = make([]byte, 1)
 			if n, err := os.Stdin.Read(b); err == nil {
 				if n > 0 && len(b) > 0 && (b[0] == 'y' || b[0] == 'Y') {

clihandler/initcliutils.go

@@ -7,6 +7,8 @@ import (
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/kubescape/hostsensorutils"
 	"github.com/armosec/kubescape/resourcehandler"
 	"github.com/armosec/kubescape/resultshandling/reporter"
@@ -42,7 +44,7 @@ func getExceptionsGetter(useExceptions string) getter.IExceptionsGetter {
 
 func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
 	if submit {
-		return cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, tenantConfig.GetCustomerGUID(), tenantConfig.GetClusterName()))
+		return cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, tenantConfig.GetAccountID(), tenantConfig.GetClusterName()))
 	}
 	return nil
 }
@@ -55,12 +57,14 @@ func getReporter(tenantConfig cautils.ITenantConfig, submit bool) reporter.IRepo
 	return reporterv1.NewReportMock()
 }
 
-func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, hostSensorHandler hostsensorutils.IHostSensor) resourcehandler.IResourceHandler {
+func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, hostSensorHandler hostsensorutils.IHostSensor, registryAdaptors *resourcehandler.RegistryAdaptors) resourcehandler.IResourceHandler {
 	if len(scanInfo.InputPatterns) > 0 || k8s == nil {
-		return resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
+		// scanInfo.HostSensor.SetBool(false)
+		return resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns, registryAdaptors)
 	}
+	getter.GetArmoAPIConnector()
 	rbacObjects := getRBACHandler(tenantConfig, k8s, scanInfo.Submit)
-	return resourcehandler.NewK8sResourceHandler(k8s, getFieldSelector(scanInfo), hostSensorHandler, rbacObjects)
+	return resourcehandler.NewK8sResourceHandler(k8s, getFieldSelector(scanInfo), hostSensorHandler, rbacObjects, registryAdaptors)
 }
 
 func getHostSensorHandler(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) hostsensorutils.IHostSensor {
@@ -72,12 +76,12 @@ func getHostSensorHandler(scanInfo *cautils.ScanInfo, k8s *k8sinterface.Kubernet
 	// we need to determined which controls needs host sensor
 	if scanInfo.HostSensor.Get() == nil && hasHostSensorControls {
 		scanInfo.HostSensor.SetBool(askUserForHostSensor())
-		cautils.WarningDisplay(os.Stderr, "Warning: Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using  the --enable-host-scan flag\n")
+		logger.L().Warning("Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using  the --enable-host-scan flag")
 	}
 	if hostSensorVal := scanInfo.HostSensor.Get(); hostSensorVal != nil && *hostSensorVal {
 		hostSensorHandler, err := hostsensorutils.NewHostSensorHandler(k8s)
 		if err != nil {
-			cautils.WarningDisplay(os.Stderr, fmt.Sprintf("Warning: failed to create host sensor: %v\n", err.Error()))
+			logger.L().Warning(fmt.Sprintf("failed to create host sensor: %s", err.Error()))
 			return &hostsensorutils.HostSensorHandlerMock{}
 		}
 		return hostSensorHandler
@@ -139,7 +143,7 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 		if scanInfo.Submit {
 			// submit - Create tenant & Submit report
 			if err := tenantConfig.SetTenant(); err != nil {
-				fmt.Println(err)
+				logger.L().Error(err.Error())
 			}
 		}
 	}
@@ -152,7 +156,6 @@ func getPolicyGetter(loadPoliciesFromFile []string, accountID string, frameworkS
 	}
 	if accountID != "" && frameworkScope {
 		g := getter.GetArmoAPIConnector() // download policy from ARMO backend
-		g.SetCustomerGUID(accountID)
 		return g
 	}
 	if downloadReleasedPolicy == nil {
@@ -183,7 +186,6 @@ func getConfigInputsGetter(ControlsInputs string, accountID string, downloadRele
 	}
 	if accountID != "" {
 		g := getter.GetArmoAPIConnector() // download config from ARMO backend
-		g.SetCustomerGUID(accountID)
 		return g
 	}
 	if downloadReleasedPolicy == nil {
@@ -197,7 +199,7 @@ func getConfigInputsGetter(ControlsInputs string, accountID string, downloadRele
 
 func getDownloadReleasedPolicy(downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IPolicyGetter {
 	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull policy, fallback to cache
-		cautils.WarningDisplay(os.Stderr, "Warning: failed to get policies from github release, loading policies from cache\n")
+		logger.L().Warning("failed to get policies from github release, loading policies from cache", helpers.Error(err))
 		return getter.NewLoadPolicy(getDefaultFrameworksPaths())
 	} else {
 		return downloadReleasedPolicy
@@ -214,8 +216,8 @@ func getDefaultFrameworksPaths() []string {
 
 func listFrameworksNames(policyGetter getter.IPolicyGetter) []string {
 	fw, err := policyGetter.ListFrameworks()
-	if err != nil {
-		fw = getDefaultFrameworksPaths()
+	if err == nil {
+		return fw
 	}
-	return fw
+	return getter.NativeFrameworks
 }

containerscan/containerscan_mock.go

@@ -0,0 +1,90 @@
+package containerscan
+
+import (
+	"bytes"
+	"math/rand"
+	"time"
+
+	"github.com/francoispqt/gojay"
+)
+
+// GenerateContainerScanReportMock - generate a scan result
+func GenerateContainerScanReportMock() ScanResultReport {
+	ds := ScanResultReport{
+		WLID:         "wlid://cluster-k8s-geriatrix-k8s-demo3/namespace-whisky-app/deployment-whisky4all-shipping",
+		CustomerGUID: "1231bcb1-49ce-4a67-bdd3-5da7a393ae08",
+		ImgTag:       "dreg.armo.cloud:443/demoservice:v16",
+		ImgHash:      "docker-pullable://dreg.armo.cloud:443/demoservice@sha256:754f3cfca915a07ed10655a301dd7a8dc5526a06f9bd06e7c932f4d4108a8296",
+		Timestamp:    time.Now().UnixNano(),
+	}
+
+	ds.Layers = make(LayersList, 0)
+	layer := ScanResultLayer{}
+	GenerateContainerScanLayer(&layer)
+	ds.Layers = append(ds.Layers, layer)
+	return ds
+}
+
+// GenerateContainerScanReportMock - generate a scan result
+func GenerateContainerScanReportNoVulMock() ScanResultReport {
+	ds := ScanResultReport{
+		WLID:          "wlid://cluster-k8s-geriatrix-k8s-demo3/namespace-whisky-app/deployment-whisky4all-shipping",
+		CustomerGUID:  "1231bcb1-49ce-4a67-bdd3-5da7a393ae08",
+		ImgTag:        "dreg.armo.cloud:443/demoservice:v16",
+		ImgHash:       "docker-pullable://dreg.armo.cloud:443/demoservice@sha256:754f3cfca915a07ed10655a301dd7a8dc5526a06f9bd06e7c932f4d4108a8296",
+		Timestamp:     time.Now().UnixNano(),
+		ContainerName: "shipping",
+	}
+
+	ds.Layers = make(LayersList, 0)
+	layer := ScanResultLayer{LayerHash: "aaa"}
+	ds.Layers = append(ds.Layers, layer)
+	return ds
+}
+
+var hash = []rune("abcdef0123456789")
+var nums = []rune("0123456789")
+
+func randSeq(n int, bank []rune) string {
+	rand.Seed(time.Now().UnixNano())
+
+	b := make([]rune, n)
+	for i := range b {
+		b[i] = bank[rand.Intn(len(bank))]
+	}
+	return string(b)
+}
+
+// GenerateContainerScanLayer - generate a layer with random vuls
+func GenerateContainerScanLayer(layer *ScanResultLayer) {
+	layer.LayerHash = randSeq(32, hash)
+	layer.Vulnerabilities = make(VulnerabilitiesList, 0)
+	layer.Packages = make(LinuxPkgs, 0)
+	vuls := rand.Intn(10) + 1
+
+	for i := 0; i < vuls; i++ {
+		v := Vulnerability{}
+		GenerateVulnerability(&v)
+		layer.Vulnerabilities = append(layer.Vulnerabilities, v)
+	}
+
+	pkg := LinuxPackage{PackageName: "coreutils"}
+	pkg.Files = make(PkgFiles, 0)
+	pf := PackageFile{Filename: "aa"}
+	pkg.Files = append(pkg.Files, pf)
+	layer.Packages = append(layer.Packages, pkg)
+}
+
+// GenerateVulnerability - generate a vul (just diff "cve"'s)
+func GenerateVulnerability(v *Vulnerability) error {
+	baseVul := " { \"name\": \"CVE-2014-9471\", \"imageTag\": \"debian:8\", \"link\": \"https://security-tracker.debian.org/tracker/CVE-2014-9471\", \"description\": \"The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the sdf\", \"severity\": \"Low\", \"metadata\": { \"NVD\": { \"CVSSv2\": { \"Score\": 7.5, \"Vectors\": \"AV:N/AC:L/Au:N/C:P/I:P\" } } }, \"fixedIn\": [ { \"name\": \"coreutils\", \"imageTag\": \"debian:8\", \"version\": \"8.23-1\" } ] }"
+	b := []byte(baseVul)
+	r := bytes.NewReader(b)
+	er := gojay.NewDecoder(r).DecodeObject(v)
+	v.RelatedPackageName = "coreutils"
+	v.Severity = HighSeverity
+	v.Relevancy = Irelevant
+	v.Name = "CVE-" + randSeq(4, nums) + "-" + randSeq(4, nums)
+	return er
+
+}

containerscan/containerscan_test.go

@@ -0,0 +1,90 @@
+package containerscan
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/francoispqt/gojay"
+)
+
+func TestDecodeScanWIthDangearousArtifacts(t *testing.T) {
+	rhs := &ScanResultReport{}
+	er := gojay.NewDecoder(strings.NewReader(nginxScanJSON)).DecodeObject(rhs)
+	if er != nil {
+		t.Errorf("decode failed due to: %v", er.Error())
+	}
+	sumObj := rhs.Summarize()
+	if sumObj.Registry != "" {
+		t.Errorf("sumObj.Registry = %v", sumObj.Registry)
+	}
+	if sumObj.VersionImage != "nginx:1.18.0" {
+		t.Errorf("sumObj.VersionImage = %v", sumObj.Registry)
+	}
+	if sumObj.ImgTag != "nginx:1.18.0" {
+		t.Errorf("sumObj.ImgTag = %v", sumObj.ImgTag)
+	}
+	if sumObj.Status != "Success" {
+		t.Errorf("sumObj.Status = %v", sumObj.Status)
+	}
+	if len(sumObj.ListOfDangerousArtifcats) != 3 {
+		t.Errorf("sumObj.ListOfDangerousArtifcats = %v", sumObj.ListOfDangerousArtifcats)
+	}
+}
+
+func TestUnmarshalScanReport(t *testing.T) {
+	ds := GenerateContainerScanReportMock()
+	str1 := ds.AsFNVHash()
+	rhs := &ScanResultReport{}
+
+	bolB, _ := json.Marshal(ds)
+	r := bytes.NewReader(bolB)
+
+	er := gojay.NewDecoder(r).DecodeObject(rhs)
+	if er != nil {
+		t.Errorf("marshalling failed due to: %v", er.Error())
+	}
+
+	if rhs.AsFNVHash() != str1 {
+		t.Errorf("marshalling failed different values after marshal:\nOriginal:\n%v\nParsed:\n%v\n\n===\n", string(bolB), rhs)
+	}
+}
+
+func TestUnmarshalScanReport1(t *testing.T) {
+	ds := Vulnerability{}
+	if err := GenerateVulnerability(&ds); err != nil {
+		t.Errorf("%v\n%v\n", ds, err)
+	}
+}
+
+func TestGetByPkgNameSuccess(t *testing.T) {
+	ds := GenerateContainerScanReportMock()
+	a := ds.Layers[0].GetFilesByPackage("coreutils")
+	if a != nil {
+
+		fmt.Printf("%+v\n", *a)
+	}
+
+}
+
+func TestGetByPkgNameMissing(t *testing.T) {
+	ds := GenerateContainerScanReportMock()
+	a := ds.Layers[0].GetFilesByPackage("s")
+	if a != nil && len(*a) > 0 {
+		t.Errorf("expected - no such package should be in that layer %v\n\n; found - %v", ds, a)
+	}
+
+}
+
+func TestCalculateFixed(t *testing.T) {
+	res := CalculateFixed([]FixedIn{{
+		Name:    "",
+		ImgTag:  "",
+		Version: "",
+	}})
+	if 0 != res {
+		t.Errorf("wrong fix status: %v", res)
+	}
+}

containerscan/datastructures.go

@@ -0,0 +1,37 @@
+package containerscan
+
+const (
+	//defines Relevancy as enum-like
+	Unknown   = "Unknown"
+	Relevant  = "Relevant"
+	Irelevant = "Irelevant"
+	NoSP      = "No signature profile to compare"
+
+	//Clair Severities
+	UnknownSeverity    = "Unknown"
+	NegligibleSeverity = "Negligible"
+	LowSeverity        = "Low"
+	MediumSeverity     = "Medium"
+	HighSeverity       = "High"
+	CriticalSeverity   = "Critical"
+
+	ContainerScanRedisPrefix = "_containerscan"
+)
+
+var KnownSeverities = map[string]bool{
+	UnknownSeverity:    true,
+	NegligibleSeverity: true,
+	LowSeverity:        true,
+	MediumSeverity:     true,
+	HighSeverity:       true,
+	CriticalSeverity:   true,
+}
+
+func CalculateFixed(Fixes []FixedIn) int {
+	for _, fix := range Fixes {
+		if fix.Version != "None" && fix.Version != "" {
+			return 1
+		}
+	}
+	return 0
+}

containerscan/datastructuresmethods.go

@@ -0,0 +1,51 @@
+package containerscan
+
+import (
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+)
+
+func (layer *ScanResultLayer) GetFilesByPackage(pkgname string) (files *PkgFiles) {
+	for _, pkg := range layer.Packages {
+		if pkg.PackageName == pkgname {
+			return &pkg.Files
+		}
+	}
+
+	return &PkgFiles{}
+}
+
+func (layer *ScanResultLayer) GetPackagesNames() []string {
+	pkgsNames := []string{}
+	for _, pkg := range layer.Packages {
+		pkgsNames = append(pkgsNames, pkg.PackageName)
+	}
+	return pkgsNames
+}
+
+func (scanresult *ScanResultReport) GetDesignatorsNContext() (*armotypes.PortalDesignator, []armotypes.ArmoContext) {
+	designatorsObj := armotypes.AttributesDesignatorsFromWLID(scanresult.WLID)
+	designatorsObj.Attributes["containerName"] = scanresult.ContainerName
+	designatorsObj.Attributes["customerGUID"] = scanresult.CustomerGUID
+	contextObj := armotypes.DesignatorToArmoContext(designatorsObj, "designators")
+	return designatorsObj, contextObj
+}
+
+func (scanresult *ScanResultReport) Validate() bool {
+	if scanresult.CustomerGUID == "" || (scanresult.ImgHash == "" && scanresult.ImgTag == "") || scanresult.Timestamp <= 0 {
+		return false
+	}
+
+	//TODO validate layers & vuls
+
+	return true
+}
+
+func (v *Vulnerability) IsRCE() bool {
+	desc := strings.ToLower(v.Description)
+
+	isRCE := strings.Contains(v.Description, "RCE")
+
+	return isRCE || strings.Contains(desc, "remote code execution") || strings.Contains(desc, "remote command execution") || strings.Contains(desc, "arbitrary code") || strings.Contains(desc, "code execution") || strings.Contains(desc, "code injection") || strings.Contains(desc, "command injection") || strings.Contains(desc, "inject arbitrary commands")
+}

containerscan/elasticadapters.go

@@ -0,0 +1,141 @@
+package containerscan
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	cautils "github.com/armosec/utils-k8s-go/armometadata"
+)
+
+// ToFlatVulnerabilities - returnsgit p
+func (scanresult *ScanResultReport) ToFlatVulnerabilities() []*ElasticContainerVulnerabilityResult {
+	vuls := make([]*ElasticContainerVulnerabilityResult, 0)
+	vul2indx := make(map[string]int)
+	scanID := scanresult.AsFNVHash()
+	designatorsObj, ctxList := scanresult.GetDesignatorsNContext()
+	for _, layer := range scanresult.Layers {
+		for _, vul := range layer.Vulnerabilities {
+			esLayer := ESLayer{LayerHash: layer.LayerHash, ParentLayerHash: layer.ParentLayerHash}
+			if indx, isOk := vul2indx[vul.Name]; isOk {
+				vuls[indx].Layers = append(vuls[indx].Layers, esLayer)
+				continue
+			}
+			result := &ElasticContainerVulnerabilityResult{WLID: scanresult.WLID,
+				Timestamp:   scanresult.Timestamp,
+				Designators: *designatorsObj,
+				Context:     ctxList}
+
+			result.Vulnerability = vul
+			result.Layers = make([]ESLayer, 0)
+			result.Layers = append(result.Layers, esLayer)
+			result.ContainerScanID = scanID
+
+			result.IsFixed = CalculateFixed(vul.Fixes)
+			result.RelevantLinks = append(result.RelevantLinks, "https://nvd.nist.gov/vuln/detail/"+vul.Name)
+			result.RelevantLinks = append(result.RelevantLinks, vul.Link)
+			result.Vulnerability.Link = "https://nvd.nist.gov/vuln/detail/" + vul.Name
+
+			result.Categories.IsRCE = result.IsRCE()
+			vuls = append(vuls, result)
+			vul2indx[vul.Name] = len(vuls) - 1
+
+		}
+	}
+	// find first introduced
+	for i, v := range vuls {
+		earlyLayer := ""
+		for _, layer := range v.Layers {
+			if layer.ParentLayerHash == earlyLayer {
+				earlyLayer = layer.LayerHash
+			}
+		}
+		vuls[i].IntroducedInLayer = earlyLayer
+
+	}
+
+	return vuls
+}
+
+func (scanresult *ScanResultReport) Summarize() *ElasticContainerScanSummaryResult {
+	designatorsObj, ctxList := scanresult.GetDesignatorsNContext()
+	summary := &ElasticContainerScanSummaryResult{
+		Designators:              *designatorsObj,
+		Context:                  ctxList,
+		CustomerGUID:             scanresult.CustomerGUID,
+		ImgTag:                   scanresult.ImgTag,
+		ImgHash:                  scanresult.ImgHash,
+		WLID:                     scanresult.WLID,
+		Timestamp:                scanresult.Timestamp,
+		ContainerName:            scanresult.ContainerName,
+		ContainerScanID:          scanresult.AsFNVHash(),
+		ListOfDangerousArtifcats: scanresult.ListOfDangerousArtifcats,
+	}
+
+	summary.Cluster = designatorsObj.Attributes[armotypes.AttributeCluster]
+	summary.Namespace = designatorsObj.Attributes[armotypes.AttributeNamespace]
+
+	imageInfo, e2 := cautils.ImageTagToImageInfo(scanresult.ImgTag)
+	if e2 == nil {
+		summary.Registry = imageInfo.Registry
+		summary.VersionImage = imageInfo.VersionImage
+	}
+
+	summary.PackagesName = make([]string, 0)
+
+	severitiesStats := map[string]SeverityStats{}
+
+	uniqueVulsMap := make(map[string]bool)
+	for _, layer := range scanresult.Layers {
+		summary.PackagesName = append(summary.PackagesName, (layer.GetPackagesNames())...)
+		for _, vul := range layer.Vulnerabilities {
+			if _, isOk := uniqueVulsMap[vul.Name]; isOk {
+				continue
+			}
+			uniqueVulsMap[vul.Name] = true
+
+			// TODO: maybe add all severities just to have a placeholders
+			if !KnownSeverities[vul.Severity] {
+				vul.Severity = UnknownSeverity
+			}
+
+			vulnSeverityStats, ok := severitiesStats[vul.Severity]
+			if !ok {
+				vulnSeverityStats = SeverityStats{Severity: vul.Severity}
+			}
+
+			vulnSeverityStats.TotalCount++
+			summary.TotalCount++
+			isFixed := CalculateFixed(vul.Fixes) > 0
+			if isFixed {
+				vulnSeverityStats.FixAvailableOfTotalCount++
+				summary.FixAvailableOfTotalCount++
+			}
+			isRCE := vul.IsRCE()
+			if isRCE {
+				vulnSeverityStats.RCECount++
+				summary.RCECount++
+			}
+			if vul.Relevancy == Relevant {
+				vulnSeverityStats.RelevantCount++
+				summary.RelevantCount++
+				if isFixed {
+					vulnSeverityStats.FixAvailableForRelevantCount++
+					summary.FixAvailableForRelevantCount++
+				}
+
+			}
+			severitiesStats[vul.Severity] = vulnSeverityStats
+		}
+	}
+	summary.Status = "Success"
+
+	// if criticalStats, hasCritical := severitiesStats[CriticalSeverity]; hasCritical && criticalStats.TotalCount > 0 {
+	// 	summary.Status = "Fail"
+	// }
+	// if highStats, hasHigh := severitiesStats[HighSeverity]; hasHigh && highStats.RelevantCount > 0 {
+	// 	summary.Status = "Fail"
+	// }
+
+	for sever := range severitiesStats {
+		summary.SeveritiesStats = append(summary.SeveritiesStats, severitiesStats[sever])
+	}
+	return summary
+}

containerscan/elasticdatastructures.go

@@ -0,0 +1,89 @@
+package containerscan
+
+import "github.com/armosec/armoapi-go/armotypes"
+
+type ElasticContainerVulnerabilityResult struct {
+	Designators armotypes.PortalDesignator `json:"designators"`
+	Context     []armotypes.ArmoContext    `json:"context"`
+
+	WLID              string    `json:"wlid"`
+	ContainerScanID   string    `json:"containersScanID"`
+	Layers            []ESLayer `json:"layers"`
+	Timestamp         int64     `json:"timestamp"`
+	IsFixed           int       `json:"isFixed"`
+	IntroducedInLayer string    `json:"layerHash"`
+	RelevantLinks     []string  `json:"links"` // shitty SE practice
+
+	Vulnerability `json:",inline"`
+}
+
+type ESLayer struct {
+	LayerHash       string `json:"layerHash"`
+	ParentLayerHash string `json:"parentLayerHash"`
+}
+
+type SeverityStats struct {
+	Severity                     string `json:"severity,omitempty"`
+	TotalCount                   int64  `json:"total"`
+	FixAvailableOfTotalCount     int64  `json:"fixedTotal"`
+	RelevantCount                int64  `json:"totalRelevant"`
+	FixAvailableForRelevantCount int64  `json:"fixedRelevant"`
+	RCECount                     int64  `json:"rceTotal"`
+	UrgentCount                  int64  `json:"urgent"`
+	NeglectedCount               int64  `json:"neglected"`
+	HealthStatus                 string `json:"healthStatus"`
+}
+
+type ElasticContainerScanSeveritySummary struct {
+	Designators armotypes.PortalDesignator `json:"designators"`
+	Context     []armotypes.ArmoContext    `json:"context"`
+
+	SeverityStats
+	CustomerGUID    string `json:"customerGUID"`
+	ContainerScanID string `json:"containersScanID"`
+	Timestamp       int64  `json:"timestamp"`
+	WLID            string `json:"wlid"`
+	ImgTag          string `json:"imageTag"`
+	ImgHash         string `json:"imageHash"`
+	Cluster         string `json:"cluster"`
+	Namespace       string `json:"namespace"`
+	ContainerName   string `json:"containerName"`
+	Status          string `json:"status"`
+	Registry        string `json:"registry"`
+	VersionImage    string `json:"versionImage"`
+	Version         string `json:"version"`
+	DayDate         string `json:"dayDate"`
+}
+
+type ElasticContainerScanSummaryResult struct {
+	SeverityStats
+	Designators armotypes.PortalDesignator `json:"designators"`
+	Context     []armotypes.ArmoContext    `json:"context"`
+
+	CustomerGUID    string `json:"customerGUID"`
+	ContainerScanID string `json:"containersScanID"`
+
+	Timestamp     int64    `json:"timestamp"`
+	WLID          string   `json:"wlid"`
+	ImgTag        string   `json:"imageTag"`
+	ImgHash       string   `json:"imageHash"`
+	Cluster       string   `json:"cluster"`
+	Namespace     string   `json:"namespace"`
+	ContainerName string   `json:"containerName"`
+	PackagesName  []string `json:"packages"`
+
+	ListOfDangerousArtifcats []string `json:"listOfDangerousArtifcats"`
+
+	Status string `json:"status"`
+
+	Registry     string `json:"registry"`
+	VersionImage string `json:"versionImage"`
+
+	SeveritiesStats []SeverityStats `json:"severitiesStats"`
+
+	Version string `json:"version"`
+}
+
+func (summary *ElasticContainerScanSummaryResult) Validate() bool {
+	return summary.CustomerGUID != "" && summary.ContainerScanID != "" && (summary.ImgTag != "" || summary.ImgHash != "") && summary.Timestamp > 0
+}

containerscan/gojayunmarshaller.go

@@ -0,0 +1,246 @@
+package containerscan
+
+import (
+	"github.com/francoispqt/gojay"
+)
+
+/*
+  responsible on fast unmarshaling of various COMMON containerscan structures and substructures
+
+*/
+
+// UnmarshalJSONObject - File inside a pkg
+func (file *PackageFile) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	case "name":
+		err = dec.String(&(file.Filename))
+	}
+	return err
+
+}
+
+func (files *PkgFiles) UnmarshalJSONArray(dec *gojay.Decoder) error {
+	lae := PackageFile{}
+	if err := dec.Object(&lae); err != nil {
+		return err
+	}
+
+	*files = append(*files, lae)
+	return nil
+}
+
+func (file *PackageFile) NKeys() int {
+	return 0
+}
+
+// UnmarshalJSONObject--- Package
+func (pkgnx *LinuxPackage) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	case "packageName":
+		err = dec.String(&(pkgnx.PackageName))
+
+	case "version":
+		err = dec.String(&(pkgnx.PackageVersion))
+
+	case "files":
+		err = dec.Array(&(pkgnx.Files))
+	}
+	return err
+}
+
+func (file *LinuxPackage) NKeys() int {
+	return 0
+}
+
+func (pkgs *LinuxPkgs) UnmarshalJSONArray(dec *gojay.Decoder) error {
+	lae := LinuxPackage{}
+	if err := dec.Object(&lae); err != nil {
+		return err
+	}
+
+	*pkgs = append(*pkgs, lae)
+	return nil
+}
+
+//--------Vul fixed in----------------------------------
+func (fx *FixedIn) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	case "name":
+		err = dec.String(&(fx.Name))
+
+	case "imageTag":
+		err = dec.String(&(fx.ImgTag))
+	case "version":
+		err = dec.String(&(fx.Version))
+	}
+	return err
+}
+
+func (t *VulFixes) UnmarshalJSONArray(dec *gojay.Decoder) error {
+	lae := FixedIn{}
+	if err := dec.Object(&lae); err != nil {
+		return err
+	}
+
+	*t = append(*t, lae)
+	return nil
+}
+
+func (file *FixedIn) NKeys() int {
+	return 0
+}
+
+//------ VULNERABIlITy ---------------------
+
+// Name               string      `json:"name"`
+// ImgHash            string      `json:"imageHash"`
+// ImgTag             string      `json:"imageTag",omitempty`
+// RelatedPackageName string      `json:"packageName"`
+// PackageVersion     string      `json:"packageVersion"`
+// Link               string      `json:"link"`
+// Description        string      `json:"description"`
+// Severity           string      `json:"severity"`
+// Metadata           interface{} `json:"metadata",omitempty`
+// Fixes              VulFixes    `json:"fixedIn",omitempty`
+// Relevancy          string      `json:"relevant"` // use the related enum
+
+func (v *Vulnerability) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	case "name":
+		err = dec.String(&(v.Name))
+
+	case "imageTag":
+		err = dec.String(&(v.ImgTag))
+	case "imageHash":
+		err = dec.String(&(v.ImgHash))
+
+	case "packageName":
+		err = dec.String(&(v.RelatedPackageName))
+
+	case "packageVersion":
+		err = dec.String(&(v.PackageVersion))
+
+	case "link":
+		err = dec.String(&(v.Link))
+
+	case "description":
+		err = dec.String(&(v.Description))
+
+	case "severity":
+		err = dec.String(&(v.Severity))
+
+	case "relevant":
+		err = dec.String(&(v.Relevancy))
+
+	case "fixedIn":
+		err = dec.Array(&(v.Fixes))
+
+	case "metadata":
+		err = dec.Interface(&(v.Metadata))
+	}
+
+	return err
+}
+
+func (t *VulnerabilitiesList) UnmarshalJSONArray(dec *gojay.Decoder) error {
+	lae := Vulnerability{}
+	if err := dec.Object(&lae); err != nil {
+		return err
+	}
+
+	*t = append(*t, lae)
+	return nil
+}
+
+func (v *Vulnerability) NKeys() int {
+	return 0
+}
+
+//---------Layer Object----------------------------------
+// type ScanResultLayer struct {
+// 	LayerHash       string          `json:layerHash`
+// 	Vulnerabilities []Vulnerability `json:vulnerabilities`
+// 	Packages        []LinuxPackage  `json:packageToFile`
+// }
+
+func (scan *ScanResultLayer) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	// case "timestamp":
+	// err = dec.Time(&(reporter.Timestamp), time.RFC3339)
+	// reporter.Timestamp = reporter.Timestamp.Local()
+	case "layerHash":
+		err = dec.String(&(scan.LayerHash))
+
+	case "parentLayerHash":
+		err = dec.String(&(scan.ParentLayerHash))
+
+	case "vulnerabilities":
+		err = dec.Array(&(scan.Vulnerabilities))
+	case "packageToFile":
+		err = dec.Array(&(scan.Packages))
+	}
+	return err
+}
+
+func (t *LayersList) UnmarshalJSONArray(dec *gojay.Decoder) error {
+	lae := ScanResultLayer{}
+	if err := dec.Object(&lae); err != nil {
+		return err
+	}
+
+	*t = append(*t, lae)
+	return nil
+}
+
+func (scan *ScanResultLayer) NKeys() int {
+	return 0
+}
+
+//---------------------SCAN RESULT--------------------------------------------------------------------------
+
+// type ScanResultReport struct {
+// 	CustomerGUID string            `json:customerGuid`
+// 	ImgTag       string            `json:imageTag,omitempty`
+// 	ImgHash      string            `json:imageHash`
+// 	WLID         string            `json:wlid`
+// 	Timestamp    int               `json:customerGuid`
+// 	Layers       []ScanResultLayer `json:layers`
+// ContainerName
+// }
+
+func (scan *ScanResultReport) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	// case "timestamp":
+	// err = dec.Time(&(reporter.Timestamp), time.RFC3339)
+	// reporter.Timestamp = reporter.Timestamp.Local()
+	case "customerGUID":
+		err = dec.String(&(scan.CustomerGUID))
+	case "imageTag":
+		err = dec.String(&(scan.ImgTag))
+	case "imageHash":
+		err = dec.String(&(scan.ImgHash))
+	case "wlid":
+		err = dec.String(&(scan.WLID))
+	case "containerName":
+		err = dec.String(&(scan.ContainerName))
+	case "timestamp":
+		err = dec.Int64(&(scan.Timestamp))
+	case "layers":
+		err = dec.Array(&(scan.Layers))
+
+	case "listOfDangerousArtifcats":
+		err = dec.SliceString(&(scan.ListOfDangerousArtifcats))
+
+	}
+	return err
+}
+
+func (scan *ScanResultReport) NKeys() int {
+	return 0
+}

containerscan/jsonrawscan.go

@@ -0,0 +1,525 @@
+package containerscan
+
+var nginxScanJSON = `
+{
+    "customerGUID": "1e3a88bf-92ce-44f8-914e-cbe71830d566",
+    "imageTag": "nginx:1.18.0",
+    "imageHash": "",
+    "wlid": "wlid://cluster-test/namespace-test/deployment-davidg",
+    "containerName": "nginx-1",
+    "timestamp": 1628091365,
+    "layers": [
+        {
+            "layerHash": "sha256:f7ec5a41d630a33a2d1db59b95d89d93de7ae5a619a3a8571b78457e48266eba",
+            "parentLayerHash": "",
+            "vulnerabilities": [
+                {
+                    "name": "CVE-2009-0854",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "dash",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0854",
+                    "description": "Untrusted search path vulnerability in dash 0.5.4, when used as a login shell, allows local users to execute arbitrary code via a Trojan horse .profile file in the current working directory.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2019-13627",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "libgcrypt20",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627",
+                    "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2021-33560",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "libgcrypt20",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560",
+                    "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:1.8.4-5+deb10u1"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2021-3345",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "libgcrypt20",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3345",
+                    "description": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2010-0834",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "base-files",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0834",
+                    "description": "The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle attackers to execute arbitrary code via a crafted package.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2018-6557",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "base-files",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6557",
+                    "description": "The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2013-0223",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223",
+                    "description": "The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the join command, when using the -i switch, which triggers a stack-based buffer overflow in the alloca function.",
+                    "severity": "Low",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2015-4041",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4041",
+                    "description": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2009-4135",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4135",
+                    "description": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2015-4042",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4042",
+                    "description": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.",
+                    "severity": "Critical",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2013-0221",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221",
+                    "description": "The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the sort command, when using the (1) -d or (2) -M switch, which triggers a stack-based buffer overflow in the alloca function.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2013-0222",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222",
+                    "description": "The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the uniq command, which triggers a stack-based buffer overflow in the alloca function.",
+                    "severity": "Low",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2016-2781",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781",
+                    "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2017-18018",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "coreutils",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018",
+                    "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2021-20193",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "tar",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193",
+                    "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2005-2541",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "tar",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2541",
+                    "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2019-9923",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "tar",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9923",
+                    "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2018-1000654",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "libtasn1-6",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654",
+                    "description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2011-3374",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "apt",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3374",
+                    "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.",
+                    "severity": "Medium",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2021-37600",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "util-linux",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37600",
+                    "description": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.",
+                    "severity": "Unknown",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2007-0822",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "util-linux",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0822",
+                    "description": "umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents.",
+                    "severity": "Low",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2004-1349",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "gzip",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1349",
+                    "description": "gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.",
+                    "severity": "Low",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2004-0603",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "gzip",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0603",
+                    "description": "gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2010-0002",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "bash",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0002",
+                    "description": "The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename.",
+                    "severity": "Low",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                },
+                {
+                    "name": "CVE-2019-18276",
+                    "imageHash": "sha256:c2c45d506085d300b72a6d4b10e3dce104228080a2cf095fc38333afe237e2be",
+                    "imageTag": "",
+                    "packageName": "bash",
+                    "packageVersion": "",
+                    "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276",
+                    "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
+                    "severity": "High",
+                    "metadata": null,
+                    "fixedIn": [
+                        {
+                            "name": "",
+                            "imageTag": "",
+                            "version": "0:0"
+                        }
+                    ],
+                    "relevant": ""
+                }
+            ],
+            "packageToFile": null
+        },
+        {
+            "layerHash": "sha256:0b20d28b5eb3007f70c43cdd8efcdb04016aa193192e5911cda5b7590ffaa635",
+            "parentLayerHash": "sha256:f7ec5a41d630a33a2d1db59b95d89d93de7ae5a619a3a8571b78457e48266eba",
+            "vulnerabilities": [],
+            "packageToFile": null
+        },
+        {
+            "layerHash": "sha256:1576642c97761adf346890bf67c43473217160a9a203ef47d0bc6020af652798",
+            "parentLayerHash": "sha256:0b20d28b5eb3007f70c43cdd8efcdb04016aa193192e5911cda5b7590ffaa635",
+            "vulnerabilities": [],
+            "packageToFile": null
+        },
+        {
+            "layerHash": "sha256:c12a848bad84d57e3f5faafab5880484434aee3bf8bdde4d519753b7c81254fd",
+            "parentLayerHash": "sha256:1576642c97761adf346890bf67c43473217160a9a203ef47d0bc6020af652798",
+            "vulnerabilities": [],
+            "packageToFile": null
+        },
+        {
+            "layerHash": "sha256:03f221d9cf00a7077231c6dcac3c95182727c7e7fd44fd2b2e882a01dcda2d70",
+            "parentLayerHash": "sha256:c12a848bad84d57e3f5faafab5880484434aee3bf8bdde4d519753b7c81254fd",
+            "vulnerabilities": [],
+            "packageToFile": null
+        }
+    ],
+    "listOfDangerousArtifcats": [
+        "bin/dash",
+        "bin/bash",
+        "usr/bin/curl"
+    ]
+}
+`

containerscan/rawdatastrucutres.go

@@ -0,0 +1,93 @@
+package containerscan
+
+import (
+	"fmt"
+	"hash/fnv"
+)
+
+//!!!!!!!!!!!!EVERY CHANGE IN THESE STRUCTURES => CHANGE gojayunmarshaller ASWELL!!!!!!!!!!!!!!!!!!!!!!!!
+
+// ScanResultReport - the report given from scanner to event receiver
+type ScanResultReport struct {
+	CustomerGUID             string     `json:"customerGUID"`
+	ImgTag                   string     `json:"imageTag"`
+	ImgHash                  string     `json:"imageHash"`
+	WLID                     string     `json:"wlid"`
+	ContainerName            string     `json:"containerName"`
+	Timestamp                int64      `json:"timestamp"`
+	Layers                   LayersList `json:"layers"`
+	ListOfDangerousArtifcats []string   `json:"listOfDangerousArtifcats"`
+}
+
+// ScanResultLayer - represents a single layer from container scan result
+type ScanResultLayer struct {
+	LayerHash       string              `json:"layerHash"`
+	ParentLayerHash string              `json:"parentLayerHash"`
+	Vulnerabilities VulnerabilitiesList `json:"vulnerabilities"`
+	Packages        LinuxPkgs           `json:"packageToFile"`
+}
+
+type VulnerabilityCategory struct {
+	IsRCE bool `json:"isRce"`
+}
+
+// Vulnerability - a vul object
+type Vulnerability struct {
+	Name               string                `json:"name"`
+	ImgHash            string                `json:"imageHash"`
+	ImgTag             string                `json:"imageTag"`
+	RelatedPackageName string                `json:"packageName"`
+	PackageVersion     string                `json:"packageVersion"`
+	Link               string                `json:"link"`
+	Description        string                `json:"description"`
+	Severity           string                `json:"severity"`
+	Metadata           interface{}           `json:"metadata"`
+	Fixes              VulFixes              `json:"fixedIn"`
+	Relevancy          string                `json:"relevant"` // use the related enum
+	UrgentCount        int                   `json:"urgent"`
+	NeglectedCount     int                   `json:"neglected"`
+	HealthStatus       string                `json:"healthStatus"`
+	Categories         VulnerabilityCategory `json:"categories"`
+}
+
+// FixedIn when and which pkg was fixed (which version as well)
+type FixedIn struct {
+	Name    string `json:"name"`
+	ImgTag  string `json:"imageTag"`
+	Version string `json:"version"`
+}
+
+// LinuxPackage- Linux package representation
+type LinuxPackage struct {
+	PackageName    string   `json:"packageName"`
+	Files          PkgFiles `json:"files"`
+	PackageVersion string   `json:"version"`
+}
+
+// PackageFile - s.e
+type PackageFile struct {
+	Filename string `json:"name"`
+}
+
+// types to provide unmarshalling:
+
+//VulnerabilitiesList -s.e
+type LayersList []ScanResultLayer
+
+//VulnerabilitiesList -s.e
+type VulnerabilitiesList []Vulnerability
+
+//LinuxPkgs - slice of linux pkgs
+type LinuxPkgs []LinuxPackage
+
+//VulFixes - information bout when/how this vul was fixed
+type VulFixes []FixedIn
+
+//PkgFiles - slice of files belong to specific pkg
+type PkgFiles []PackageFile
+
+func (v *ScanResultReport) AsFNVHash() string {
+	hasher := fnv.New64a()
+	hasher.Write([]byte(fmt.Sprintf("%v", *v)))
+	return fmt.Sprintf("%v", hasher.Sum64())
+}

docs/proposals/container-image-vulnerability-adaptor.md

@@ -89,7 +89,7 @@ type ContainerImageScanStatus struct {
 	LastScanDate    time.Time
 }
 
-type ContainerImageVulnerability struct {
+type ContainerImageVulnerabilityReport struct {
 	ImageID ContainerImageIdentifier
 	// TBD
 }
@@ -110,7 +110,7 @@ type IContainerImageVulnerabilityAdaptor interface {
 
 	GetImagesScanStatus(imageIDs []ContainerImageIdentifier) ([]ContainerImageScanStatus, error)
 
-	GetImagesVulnerabilties(imageIDs []ContainerImageIdentifier) ([]ContainerImageVulnerability, error)
+	GetImagesVulnerabilties(imageIDs []ContainerImageIdentifier) ([]ContainerImageVulnerabilityReport, error)
 
 	GetImagesInformation(imageIDs []ContainerImageIdentifier) ([]ContainerImageInformation, error)
 }

examples/cronJob-support/README.md

@@ -1,85 +0,0 @@
-# Periodically Kubescape Scanning
-
-You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
-
-* Setup [scanning & submitting](#scanning-and-submitting)
-* Setup [scanning without submitting](#scanning-without-submitting)
-
-## Scanning And Submitting
-
-If you wish to periodically scan and submit the result to the [Kubescape SaaS version](https://portal.armo.cloud/) where you can benefit the features the SaaS version provides, please follow this instructions ->
-
-1. Apply kubescape namespace
-    ```
-    kubectl apply ks-namespace.yaml
-    ```
-
-2. Apply serviceAccount and roles
-    ```
-    kubectl apply ks-serviceAccount.yaml
-    ```
-
-3. Setup and apply configMap
-   
-    Before you apply the configMap you need to set the account ID and cluster name in the `ks-configMap.yaml` file.
-
-    * Set cluster name:
-        Run `kubectl config current-context` and set the result in the `data.clusterName` field
-    * Set account ID:
-        1. Navigate to the [Kubescape SaaS version](https://portal.armo.cloud/) and login/sign up for free 
-        2. Click the `Add Cluster` button on the top right of the page 
-            </br>
-            <img src="screenshots/add-cluster.png"  alt="add-cluster">
-        3. Copy the value of `--account` and set it in the `data.customerGUID` field
-            </br>
-            <img src="screenshots/account.png"  alt="account">
-
-        Make sure the configMap looks as following;
-        ```
-        kind: ConfigMap 
-        apiVersion: v1 
-        metadata:
-        name: kubescape 
-        labels:
-            app: kubescape
-        namespace: kubescape
-        data:
-        config.json: |
-            {
-                "customerGUID": "XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX",
-                "clusterName": "my-awesome-cluster-name"
-            }
-        ```
-
-    Finally, apply the configMap
-    ```
-    kubectl apply ks-configMap.yaml
-    ```
-
-4. Apply CronJob
-
-    Before you apply the cronJob, make sure the scanning frequency suites your needs
-    ```
-    kubectl apply ks-cronJob-submit.yaml
-    ```
-
-## Scanning Without Submitting
-
-If you wish to periodically scan but not submit the scan results, follow this instructions ->
-
-1. Apply kubescape namespace
-    ```
-    kubectl apply ks-namespace.yaml
-    ```
-
-2. Apply serviceAccount and roles
-    ```
-    kubectl apply ks-serviceAccount.yaml
-    ```
-
-3. Apply CronJob
-
-    Before you apply the cronJob, make sure the scanning frequency suites your needs
-    ```
-    kubectl apply ks-cronJob-non-submit.yaml
-    ```

examples/cronJob-support/ks-configMap.yaml

@@ -1,14 +0,0 @@
-# ------------------- Kubescape User/Customer ID ------------------- #
-kind: ConfigMap 
-apiVersion: v1 
-metadata:
-  name: kubescape 
-  labels:
-    app: kubescape
-  namespace: kubescape
-data:
-  config.json: |
-    {
-      "customerGUID": "<ID>",
-      "clusterName": "<cluster name>"
-    }

examples/cronJob-support/ks-cronJob-non-submit.yaml

@@ -1,32 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery

examples/cronJob-support/ks-cronJob-submit.yaml

@@ -1,40 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa --submit
-            volumeMounts:
-            - name: kubescape-config-volume
-              mountPath: /root/.kubescape/config.json
-              subPath: config.json
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery
-          volumes:
-          - name: kubescape-config-volume
-            configMap:
-              name: kubescape

examples/cronJob-support/ks-namespace.yaml

@@ -1,7 +0,0 @@
-# ------------------- Kubescape User/Customer ID ------------------- #
-kind: Namespace 
-apiVersion: v1 
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape

examples/cronJob-support/ks-serviceAccount.yaml

@@ -1,61 +0,0 @@
----
-# ------------------- Kubescape Service Account ------------------- #
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kubescape
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role
-  namespace: kubescape
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: kubescape-discovery-binding
-  namespace: kubescape
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubescape-discovery-role
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-
----
-# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-clusterroles
-  # "namespace" omitted since ClusterRoles are not namespaced
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubescape-discovery-clusterroles
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-  namespace: kubescape

examples/cronjob/ks-cronjob.yaml

@@ -1,130 +0,0 @@
-# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-# 
-# This file is DEPRECATE, please navigate to the official docs ->
-# https://github.com/armosec/kubescape/tree/master/examples/cronJob-support/README.md
-#
-# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
----
-# ------------------- Kubescape Service Account ------------------- #
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kubescape
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role
-  namespace: kubescape
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: kubescape-discovery-binding
-  namespace: kubescape
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubescape-discovery-role
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-
----
-# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-clusterroles
-  # "namespace" omitted since ClusterRoles are not namespaced
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubescape-discovery-clusterroles
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape User/Customer GUID ------------------- #
-kind: ConfigMap 
-apiVersion: v1 
-metadata:
-  name: kubescape-configmap 
-  labels:
-    app: kubescape
-  namespace: kubescape
-data:
-  config.json: |
-    {
-      "customerGUID": <MyGUID>,
-      "clusterName": <MyK8sClusterName>
-    }
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa --submit
-            volumeMounts:
-            - name: kubescape-config-volume
-              mountPath: /root/.kubescape/config.json
-              subPath: config.json
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery
-          volumes:
-          - name: kubescape-config-volume
-            configMap:
-              name: kubescape-configmap
-
----
-
-

examples/helm_chart/README.md

@@ -1,8 +1,7 @@
-# kubescape
+# Helm chart - DEPRECATED
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.128](https://img.shields.io/badge/AppVersion-v1.0.128-informational?style=flat-square)
+[helm chart repo](https://github.com/armosec/armo-helm)
 
-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) . Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
 
 ## Values
 

go.mod

@@ -3,16 +3,17 @@ module github.com/armosec/kubescape
 go 1.17
 
 require (
-	github.com/armosec/armoapi-go v0.0.41
-	github.com/armosec/k8s-interface v0.0.56
-	github.com/armosec/opa-utils v0.0.99
-	github.com/armosec/rbac-utils v0.0.12
+	github.com/armosec/armoapi-go v0.0.49
+	github.com/armosec/k8s-interface v0.0.60
+	github.com/armosec/opa-utils v0.0.110
+	github.com/armosec/rbac-utils v0.0.14
 	github.com/armosec/utils-go v0.0.3
+	github.com/armosec/utils-k8s-go v0.0.1
 	github.com/briandowns/spinner v1.18.0
 	github.com/enescakir/emoji v1.0.0
 	github.com/fatih/color v1.13.0
+	github.com/francoispqt/gojay v1.2.13
 	github.com/gofrs/uuid v4.1.0+incompatible
-	github.com/golang/glog v1.0.0
 	github.com/mattn/go-isatty v0.0.14
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/open-policy-agent/opa v0.33.1
@@ -36,24 +37,34 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/armosec/armo-interfaces v0.0.3 // indirect
-	github.com/armosec/utils-k8s-go v0.0.1 // indirect
 	github.com/aws/aws-sdk-go v1.41.11 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.1.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.17.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.6.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.13.0 // indirect
+	github.com/aws/smithy-go v1.9.1 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/docker v20.10.9+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
-	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-gota/gota v0.12.0 // indirect
 	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.0.5 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect

go.sum

@@ -83,23 +83,21 @@ github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hC
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armosec/armo-interfaces v0.0.3 h1:kG4mJIPgWBJvQFDDy8JzdqX3ASbyl8t32IuJYqB31Pk=
-github.com/armosec/armo-interfaces v0.0.3/go.mod h1:7XYefhcBCFYoF5LflCZHWuUHu+JrSJbmzk0zoNv2WlU=
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
 github.com/armosec/armoapi-go v0.0.23/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/armoapi-go v0.0.41 h1:iMkaCsME+zhE6vnCOMaqfqc0cp7pste8QFHojeGKfGg=
-github.com/armosec/armoapi-go v0.0.41/go.mod h1:exk1O3rK6V+X8SSyxc06lwb0j9ILQuKAoIdz9hs6Ndw=
+github.com/armosec/armoapi-go v0.0.49 h1:b3gvZ5YB5DSEfk8pt7x0705b4Pcuahd3wI/ZmGYmB3Y=
+github.com/armosec/armoapi-go v0.0.49/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/k8s-interface v0.0.37/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
 github.com/armosec/k8s-interface v0.0.50/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
-github.com/armosec/k8s-interface v0.0.56 h1:7dOgc3qZaI7ReLRZcJa2JZKk0rliyYi05l1vuHc6gcE=
-github.com/armosec/k8s-interface v0.0.56/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
+github.com/armosec/k8s-interface v0.0.60 h1:jTCiO15QQbHVuxFQ928rp4srf1rQoUzeybfcbv/cuss=
+github.com/armosec/k8s-interface v0.0.60/go.mod h1:g0jv/fG+VqpT5ivO6D2gJcJ/w68BiffDz+PcU9YFbL4=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.99 h1:ZuoIPg6vbgO4J09xJZDO/yIRD59odwmK2Bm55uTvkU8=
-github.com/armosec/opa-utils v0.0.99/go.mod h1:BNTjeianyXlflJMz3bZM0GimBWqmzirUf1whWR6Os04=
+github.com/armosec/opa-utils v0.0.110 h1:qncGcbnYjiGULP3yK+4geRNNpRoWqKXQL+Xg+iXc1cM=
+github.com/armosec/opa-utils v0.0.110/go.mod h1:Wc1P4gkB6UQeGW8I76zCuitGGl15Omp0bKw7N0tR9dk=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
-github.com/armosec/rbac-utils v0.0.12 h1:uJpMGDyLAX129PrKHp6NPNB6lVRhE0OZIwV6ywzSDrs=
-github.com/armosec/rbac-utils v0.0.12/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
+github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
+github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
@@ -109,6 +107,30 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/aws/aws-sdk-go v1.41.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go v1.41.11 h1:QLouWsiYQ8i22kD8k58Dpdhio1A0MpT7bg9ZNXqEjuI=
 github.com/aws/aws-sdk-go v1.41.11/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go-v2 v1.12.0 h1:z5bijqy+eXLK/QqF6eQcwCN2qw1k+m9OUDicqCZygu0=
+github.com/aws/aws-sdk-go-v2 v1.12.0/go.mod h1:tWhQI5N5SiMawto3uMAQJU5OUN/1ivhDDHq7HTsJvZ0=
+github.com/aws/aws-sdk-go-v2/config v1.12.0 h1:WOhIzj5HdixjlvQ4SLYAOk6OUUsuu88RwcsTzexa9cg=
+github.com/aws/aws-sdk-go-v2/config v1.12.0/go.mod h1:GQONFVSDdG6RRho1C730SGNyDhS1kSTnxpOE76ptBqo=
+github.com/aws/aws-sdk-go-v2/credentials v1.7.0 h1:KFuKwPs7i5SE5a0LxqAxz75qxSjr2HnHnhu0UPGlvpM=
+github.com/aws/aws-sdk-go-v2/credentials v1.7.0/go.mod h1:Kmq64kahHJtXfmnEwnvRKeNjLBqkdP++Itln9BmQerE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.9.0 h1:fPq3oloONbHaA0O8KX/KYUQk7pG9JjKBwYQvQsQDK84=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.9.0/go.mod h1:19SxQ+9zANyJCnNaoF3ovl8bFil4TaqCYEDdqNGKM+A=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.3 h1:YPNiEXnuWdkpNOwBFHhcLwkSmewwQRcPFO9dHmxU0qg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.3/go.mod h1:L72JSFj9OwHwyukeuKFFyTj6uFWE4AjB0IQp97bd9Lc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.1.0 h1:ArRd27pSm66f7cCBDPS77wvxiS4IRjFatpzVBD7Aojc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.1.0/go.mod h1:KdVvdk4gb7iatuHZgIkIqvJlWHBtjCJLUtD/uO/FkWw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.3 h1:fmGqMNlFTHr9Y48qmYYv2qIo+TAsST3qZa2d1HcwBeo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.3/go.mod h1:N4dv+zawriMFZBO/6UKg3zt+XO6xWOQo1neAA0lFbo4=
+github.com/aws/aws-sdk-go-v2/service/eks v1.17.0 h1:lal3erO1VVVSnw3a47pRiCTne+9mGh9IyJDIgwWD02o=
+github.com/aws/aws-sdk-go-v2/service/eks v1.17.0/go.mod h1:YHVf/zIAi9lGVhG1TakeJp7LaUHFS99yme9e78+r+8A=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.6.0 h1:rwE0kWa5qm0yEoNPwC3zhrt1tFVXTmkWRlUxLayAwyc=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.6.0/go.mod h1:wTgFkG6t7jS/6Y0SILXwfspV3IXowb6ngsAlSajW0Kc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.8.0 h1:X77LUt6Djy3Z02r6tW7Z+4FNr6GCnEG54EXfskc19M4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.8.0/go.mod h1:AB6v3BedyhVRIbPQbJnUsBmtup2pFiikpp5n3YyB6Ac=
+github.com/aws/aws-sdk-go-v2/service/sts v1.13.0 h1:n8+dZMOvwkGtmhub8B2wYvRHut45/NB7DeNhNcUnBpg=
+github.com/aws/aws-sdk-go-v2/service/sts v1.13.0/go.mod h1:jQto17aC9pJ6xRa1g29uXZhbcS6qNT3PSnKfPShq4sY=
+github.com/aws/smithy-go v1.9.1 h1:5vetTooLk4hPWV8q6ym6+lXKAT1Urnm49YkrRKo2J8o=
+github.com/aws/smithy-go v1.9.1/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -316,8 +338,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=

hostsensorutils/hostsensor.yaml

@@ -42,7 +42,7 @@ spec:
             containerPort: 7888
         resources:
           limits:
-            cpu: 1m
+            cpu: 0.1m
             memory: 200Mi
           requests:
             cpu: 1m
@@ -50,6 +50,12 @@ spec:
         volumeMounts:
         - mountPath: /host_fs
           name: host-filesystem
+        readinessProbe:
+          httpGet:
+            path: /kernelVersion
+            port: 7888
+            initialDelaySeconds: 1
+            periodSeconds: 1
       terminationGracePeriodSeconds: 120
       dnsPolicy: ClusterFirstWithHostNet
       automountServiceAccountToken: false

hostsensorutils/hostsensordeploy.go

@@ -10,6 +10,8 @@ import (
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,13 +27,14 @@ var (
 )
 
 type HostSensorHandler struct {
-	HostSensorPort     int32
-	HostSensorPodNames map[string]string //map from pod names to node names
-	IsReady            <-chan bool       //readonly chan
-	k8sObj             *k8sinterface.KubernetesApi
-	DaemonSet          *appsv1.DaemonSet
-	podListLock        sync.RWMutex
-	gracePeriod        int64
+	HostSensorPort              int32
+	HostSensorPodNames          map[string]string //map from pod names to node names
+	HostSensorUnshedulePodNames map[string]string //map from pod names to node names
+	IsReady                     <-chan bool       //readonly chan
+	k8sObj                      *k8sinterface.KubernetesApi
+	DaemonSet                   *appsv1.DaemonSet
+	podListLock                 sync.RWMutex
+	gracePeriod                 int64
 }
 
 func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandler, error) {
@@ -40,9 +43,10 @@ func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandle
 		return nil, fmt.Errorf("nil k8s interface received")
 	}
 	hsh := &HostSensorHandler{
-		k8sObj:             k8sObj,
-		HostSensorPodNames: map[string]string{},
-		gracePeriod:        int64(15),
+		k8sObj:                      k8sObj,
+		HostSensorPodNames:          map[string]string{},
+		HostSensorUnshedulePodNames: map[string]string{},
+		gracePeriod:                 int64(15),
 	}
 	// Don't deploy on cluster with no nodes. Some cloud providers prevents termination of K8s objects for cluster with no nodes!!!
 	if nodeList, err := k8sObj.KubernetesClient.CoreV1().Nodes().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
@@ -60,15 +64,17 @@ func (hsh *HostSensorHandler) Init() error {
 	// store namespace + port
 	// store pod names
 	// make sure all pods are running, after X seconds treat has running anyway, and log an error on the pods not running yet
-	cautils.ProgressTextDisplay("Installing host sensor")
+	logger.L().Info("Installing host sensor")
+
 	cautils.StartSpinner()
 	defer cautils.StopSpinner()
+
 	if err := hsh.applyYAML(); err != nil {
 		return fmt.Errorf("in HostSensorHandler init failed to apply YAML: %v", err)
 	}
 	hsh.populatePodNamesToNodeNames()
 	if err := hsh.checkPodForEachNode(); err != nil {
-		fmt.Printf("failed to validate host-sensor pods status: %v", err)
+		logger.L().Error("failed to validate host-sensor pods status", helpers.Error(err))
 	}
 	return nil
 }
@@ -136,12 +142,17 @@ func (hsh *HostSensorHandler) checkPodForEachNode() error {
 		}
 		hsh.podListLock.RLock()
 		podsNum := len(hsh.HostSensorPodNames)
+		unschedPodNum := len(hsh.HostSensorUnshedulePodNames)
 		hsh.podListLock.RUnlock()
-		if len(nodesList.Items) == podsNum {
+		if len(nodesList.Items) <= podsNum+unschedPodNum {
 			break
 		}
 		if time.Now().After(deadline) {
-			return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded", podsNum, len(nodesList.Items))
+			hsh.podListLock.RLock()
+			podsMap := hsh.HostSensorPodNames
+			hsh.podListLock.RUnlock()
+			return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded. We will take data only from the pods below: %v",
+				podsNum, len(nodesList.Items), podsMap)
 		}
 		time.Sleep(100 * time.Millisecond)
 	}
@@ -152,12 +163,17 @@ func (hsh *HostSensorHandler) checkPodForEachNode() error {
 func (hsh *HostSensorHandler) populatePodNamesToNodeNames() {
 
 	go func() {
-		watchRes, err := hsh.k8sObj.KubernetesClient.CoreV1().Pods(hsh.DaemonSet.Namespace).Watch(hsh.k8sObj.Context, metav1.ListOptions{
+		var watchRes watch.Interface
+		var err error
+		watchRes, err = hsh.k8sObj.KubernetesClient.CoreV1().Pods(hsh.DaemonSet.Namespace).Watch(hsh.k8sObj.Context, metav1.ListOptions{
 			Watch:         true,
 			LabelSelector: fmt.Sprintf("name=%s", hsh.DaemonSet.Spec.Template.Labels["name"]),
 		})
 		if err != nil {
-			fmt.Printf("Failed to watch over daemonset pods")
+			logger.L().Error("failed to watch over daemonset pods - are we missing watch pods permissions?", helpers.Error(err))
+		}
+		if watchRes == nil {
+			return
 		}
 		for eve := range watchRes.ResultChan() {
 			pod, ok := eve.Object.(*corev1.Pod)
@@ -175,10 +191,31 @@ func (hsh *HostSensorHandler) updatePodInListAtomic(eventType watch.EventType, p
 
 	switch eventType {
 	case watch.Added, watch.Modified:
-		if podObj.Status.Phase == corev1.PodRunning {
+		if podObj.Status.Phase == corev1.PodRunning && len(podObj.Status.ContainerStatuses) > 0 &&
+			podObj.Status.ContainerStatuses[0].Ready {
 			hsh.HostSensorPodNames[podObj.ObjectMeta.Name] = podObj.Spec.NodeName
+			delete(hsh.HostSensorUnshedulePodNames, podObj.ObjectMeta.Name)
 		} else {
-			delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)
+			if podObj.Status.Phase == corev1.PodPending && len(podObj.Status.Conditions) > 0 &&
+				podObj.Status.Conditions[0].Reason == corev1.PodReasonUnschedulable {
+				nodeName := ""
+				if podObj.Spec.Affinity != nil && podObj.Spec.Affinity.NodeAffinity != nil &&
+					podObj.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution != nil &&
+					len(podObj.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms) > 0 &&
+					len(podObj.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchFields) > 0 &&
+					len(podObj.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchFields[0].Values) > 0 {
+					nodeName = podObj.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchFields[0].Values[0]
+				}
+				logger.L().Warning("One host-sensor pod is unable to schedule on node. We will fail to collect the data from this node",
+					helpers.String("message", podObj.Status.Conditions[0].Message),
+					helpers.String("nodeName", nodeName),
+					helpers.String("podName", podObj.ObjectMeta.Name))
+				if nodeName != "" {
+					hsh.HostSensorUnshedulePodNames[podObj.ObjectMeta.Name] = nodeName
+				}
+			} else {
+				delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)
+			}
 		}
 	default:
 		delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)

hostsensorutils/hostsensorgetfrompod.go

@@ -7,6 +7,8 @@ import (
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/opa-utils/objectsenvelopes/hostsensor"
 	"sigs.k8s.io/yaml"
 )
@@ -71,7 +73,7 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path, requestKind string
 			defer wg.Done()
 			resBytes, err := hsh.HTTPGetToPod(podName, path)
 			if err != nil {
-				fmt.Printf("In sendAllPodsHTTPGETRequest failed to get data '%s' from pod '%s': %v", path, podName, err)
+				logger.L().Error("failed to get data", helpers.String("path", path), helpers.String("podName", podName), helpers.Error(err))
 			} else {
 				resLock.Lock()
 				defer resLock.Unlock()
@@ -141,7 +143,7 @@ func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]hostsensor.HostSenso
 	for resIdx := range res {
 		jsonBytes, err := yaml.YAMLToJSON(res[resIdx].Data)
 		if err != nil {
-			fmt.Printf("In GetKubeletConfigurations failed to YAMLToJSON: %v;\n%v", err, res[resIdx])
+			logger.L().Error("failed to convert kubelet configurations from yaml to json", helpers.Error(err))
 			continue
 		}
 		res[resIdx].SetData(jsonBytes)
@@ -154,7 +156,8 @@ func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnv
 	if hsh.DaemonSet == nil {
 		return res, nil
 	}
-	cautils.ProgressTextDisplay("Accessing host sensor")
+
+	logger.L().Debug("Accessing host sensor")
 	cautils.StartSpinner()
 	defer cautils.StopSpinner()
 	kcData, err := hsh.GetKubeletConfigurations()
@@ -193,6 +196,7 @@ func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnv
 	}
 	res = append(res, kcData...)
 	// finish
-	cautils.SuccessTextDisplay("Read host information from host sensor")
+
+	logger.L().Debug("Done reading information from host sensor")
 	return res, nil
 }

install.sh

@@ -6,6 +6,7 @@ echo
  
 BASE_DIR=~/.kubescape
 KUBESCAPE_EXEC=kubescape
+KUBESCAPE_ZIP=kubescape.zip
 
 osName=$(uname -s)
 if [[ $osName == *"MINGW"* ]]; then
@@ -53,6 +54,6 @@ echo -e "\033[0m"
 $KUBESCAPE_EXEC version
 echo
 
-echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --submit"
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --submit --enable-host-scan"
 
 echo -e "\033[0m"

opaprocessor/processorhandler.go

@@ -5,7 +5,9 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	ksscore "github.com/armosec/kubescape/score"
 	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
@@ -13,8 +15,6 @@ import (
 	"github.com/armosec/opa-utils/reporthandling/results/v1/resourcesresults"
 	"github.com/open-policy-agent/opa/storage"
 
-	"github.com/golang/glog"
-
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
 
@@ -66,7 +66,7 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
 
 		// process
 		if err := opap.Process(policies); err != nil {
-			// fmt.Println(err)
+			logger.L().Error(err.Error())
 		}
 
 		// edit results
@@ -81,8 +81,8 @@ func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
 }
 
 func (opap *OPAProcessor) Process(policies *cautils.Policies) error {
-	// glog.Infof(fmt.Sprintf("Starting 'Process'. reportID: %s", opap.PostureReport.ReportID))
-	cautils.ProgressTextDisplay(fmt.Sprintf("Scanning cluster %s", cautils.ClusterName))
+	logger.L().Info(fmt.Sprintf("Scanning cluster %s", cautils.ClusterName))
+
 	cautils.StartSpinner()
 
 	var errs error
@@ -90,7 +90,7 @@ func (opap *OPAProcessor) Process(policies *cautils.Policies) error {
 
 		resourcesAssociatedControl, err := opap.processControl(&control)
 		if err != nil {
-			appendError(&errs, err)
+			logger.L().Error(err.Error())
 		}
 		// update resources with latest results
 		if len(resourcesAssociatedControl) != 0 {
@@ -108,21 +108,10 @@ func (opap *OPAProcessor) Process(policies *cautils.Policies) error {
 	opap.Report.ReportGenerationTime = time.Now().UTC()
 
 	cautils.StopSpinner()
-	cautils.SuccessTextDisplay(fmt.Sprintf("Done scanning cluster %s", cautils.ClusterName))
+	logger.L().Success(fmt.Sprintf("Done scanning cluster %s", cautils.ClusterName))
 	return errs
 }
 
-func appendError(errs *error, err error) {
-	if err == nil {
-		return
-	}
-	if errs == nil {
-		errs = &err
-	} else {
-		*errs = fmt.Errorf("%v\n%s", *errs, err.Error())
-	}
-}
-
 func (opap *OPAProcessor) processControl(control *reporthandling.Control) (map[string]resourcesresults.ResourceAssociatedControl, error) {
 	var errs error
 
@@ -132,7 +121,7 @@ func (opap *OPAProcessor) processControl(control *reporthandling.Control) (map[s
 	for i := range control.Rules {
 		resourceAssociatedRule, err := opap.processRule(&control.Rules[i])
 		if err != nil {
-			appendError(&errs, err)
+			logger.L().Error(err.Error())
 			continue
 		}
 
@@ -191,7 +180,7 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (map[stri
 	ruleResponses, err := opap.runOPAOnSingleRule(rule, inputRawResources, ruleData, postureControlInputs)
 	if err != nil {
 		// TODO - Handle error
-		glog.Error(err)
+		logger.L().Error(err.Error())
 	} else {
 		// ruleResponse to ruleResult
 		for i := range ruleResponses {
@@ -204,7 +193,10 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (map[stri
 
 				ruleResult.Status = apis.StatusFailed
 				for j := range ruleResponses[i].FailedPaths {
-					ruleResult.Paths = append(ruleResult.Paths, resourcesresults.Path{FailedPath: ruleResponses[i].FailedPaths[j]})
+					ruleResult.Paths = append(ruleResult.Paths, armotypes.PosturePaths{FailedPath: ruleResponses[i].FailedPaths[j]})
+				}
+				for j := range ruleResponses[i].FixPaths {
+					ruleResult.Paths = append(ruleResult.Paths, armotypes.PosturePaths{FixPath: ruleResponses[i].FixPaths[j]})
 				}
 				resources[failedResources[j].GetID()] = ruleResult
 			}
@@ -224,7 +216,6 @@ func (opap *OPAProcessor) runOPAOnSingleRule(rule *reporthandling.PolicyRule, k8
 }
 
 func (opap *OPAProcessor) runRegoOnK8s(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}, getRuleData func(*reporthandling.PolicyRule) string, postureControlInputs map[string][]string) ([]reporthandling.RuleResponse, error) {
-	var errs error
 
 	// compile modules
 	modules, err := getRuleDependencies()
@@ -245,10 +236,10 @@ func (opap *OPAProcessor) runRegoOnK8s(rule *reporthandling.PolicyRule, k8sObjec
 	// Eval
 	results, err := opap.regoEval(k8sObjects, compiled, &store)
 	if err != nil {
-		errs = fmt.Errorf("rule: '%s', %s", rule.Name, err.Error())
+		logger.L().Error(err.Error())
 	}
 
-	return results, errs
+	return results, nil
 }
 
 func (opap *OPAProcessor) regoEval(inputObj []map[string]interface{}, compiledRego *ast.Compiler, store *storage.Store) ([]reporthandling.RuleResponse, error) {

opaprocessor/processorhandlerutils.go

@@ -1,16 +1,17 @@
 package opaprocessor
 
 import (
+	"fmt"
+
 	pkgcautils "github.com/armosec/utils-go/utils"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/opa-utils/reporthandling"
 	resources "github.com/armosec/opa-utils/resources"
-
-	"github.com/golang/glog"
 )
 
 // updateResults update the results objects and report objects. This is a critical function - DO NOT CHANGE
@@ -79,8 +80,7 @@ func getKubernetesObjects(k8sResources *cautils.K8SResources, allResources map[s
 					for _, groupResource := range groupResources {
 						if k8sObj, ok := (*k8sResources)[groupResource]; ok {
 							if k8sObj == nil {
-								continue
-								// glog.Errorf("Resource '%s' is nil, probably failed to pull the resource", groupResource)
+								logger.L().Debug(fmt.Sprintf("resource '%s' is nil, probably failed to pull the resource", groupResource))
 							}
 							for i := range k8sObj {
 								k8sObjects = append(k8sObjects, allResources[k8sObj[i]])
@@ -122,7 +122,7 @@ func filterOutChildResources(objects []workloadinterface.IMetadata, match []repo
 func getRuleDependencies() (map[string]string, error) {
 	modules := resources.LoadRegoModules()
 	if len(modules) == 0 {
-		glog.Warningf("failed to load rule dependencies")
+		logger.L().Warning("failed to load rule dependencies")
 	}
 	return modules, nil
 }

policyhandler/handlenotification.go

@@ -50,7 +50,7 @@ func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *repo
 
 func (policyHandler *PolicyHandler) getResources(notification *reporthandling.PolicyNotification, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) error {
 
-	opaSessionObj.PostureReport.ClusterAPIServerInfo = policyHandler.resourceHandler.GetClusterAPIServerInfo()
+	opaSessionObj.Report.ClusterAPIServerInfo = policyHandler.resourceHandler.GetClusterAPIServerInfo()
 	resourcesMap, allResources, err := policyHandler.resourceHandler.GetResources(opaSessionObj.Frameworks, &notification.Designators)
 	if err != nil {
 		return err

policyhandler/handlepullpolicies.go

@@ -5,18 +5,19 @@ import (
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/opa-utils/reporthandling"
 )
 
 func (policyHandler *PolicyHandler) getPolicies(notification *reporthandling.PolicyNotification, policiesAndResources *cautils.OPASessionObj) error {
-	cautils.ProgressTextDisplay("Downloading/Loading policy definitions")
+	logger.L().Info("Downloading/Loading policy definitions")
 
 	frameworks, err := policyHandler.getScanPolicies(notification)
 	if err != nil {
 		return err
 	}
 	if len(frameworks) == 0 {
-		return fmt.Errorf("failed to download policies: '%s'. Make sure the policy exist and you spelled it correctly. For more information, please feel free to contact ARMO team", strings.Join(policyIdentifierToSlice(notification.Rules), ","))
+		return fmt.Errorf("failed to download policies: '%s'. Make sure the policy exist and you spelled it correctly. For more information, please feel free to contact ARMO team", strings.Join(policyIdentifierToSlice(notification.Rules), ", "))
 	}
 
 	policiesAndResources.Frameworks = frameworks
@@ -32,8 +33,7 @@ func (policyHandler *PolicyHandler) getPolicies(notification *reporthandling.Pol
 	if err == nil {
 		policiesAndResources.RegoInputData.PostureControlInputs = controlsInputs
 	}
-
-	cautils.SuccessTextDisplay("Downloaded/Loaded policy")
+	logger.L().Success("Downloaded/Loaded policy")
 	return nil
 }
 

registryadaptors/README.md

@@ -0,0 +1,38 @@
+# Integrate With Vulnerability Server
+
+There are some controls that check the relation between the kubernetes manifest and vulnerabilities.
+For these controls to work properly, it is necasery to 
+## Supported Servers
+* Armosec
+
+# Integrate With Armosec Server
+
+1. Navigate to the [armosec.io](https://portal.armo.cloud/)
+2. Click Profile(top right icon)->"User Management"->"API Tokens" and Generate a token
+3. Copy the clientID and secretKey and run:
+```
+kubescape config set clientID <>
+```
+```
+kubescape config set secretKey <>
+```
+4. Confirm the keys are set
+```
+kubescape config view
+```
+Expecting:
+```
+{
+  "accountID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+  "clientID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+  "secretKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+}
+```
+> If you are missing the `accountID` field, set it by running `kubescape config set accountID <>`
+
+For CICD, set environments variables as following:
+```
+KS_ACCOUNT_ID  // account id
+KS_CLIENT_ID   // client id
+KS_SECRET_KEY  // access key
+```

registryadaptors/armosec/v1/civarmoadaptor.go

@@ -0,0 +1,98 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	"github.com/armosec/kubescape/containerscan"
+	"github.com/armosec/kubescape/registryadaptors/registryvulnerabilities"
+)
+
+func NewArmoAdaptor(armoAPI *getter.ArmoAPI) *ArmoCivAdaptor {
+	return &ArmoCivAdaptor{
+		armoAPI: armoAPI,
+	}
+}
+
+func (armoCivAdaptor *ArmoCivAdaptor) Login() error {
+	if armoCivAdaptor.armoAPI.IsLoggedIn() {
+		return nil
+	}
+	return armoCivAdaptor.armoAPI.Login()
+}
+func (armoCivAdaptor *ArmoCivAdaptor) GetImagesVulnerabilities(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+	resultList := make([]registryvulnerabilities.ContainerImageVulnerabilityReport, 0)
+	for _, imageID := range imageIDs {
+		result, err := armoCivAdaptor.GetImageVulnerability(&imageID)
+		if err == nil {
+			resultList = append(resultList, *result)
+		} else {
+			logger.L().Debug("failed to get image vulnerabilities", helpers.String("image", imageID.Tag), helpers.Error(err))
+		}
+	}
+	return resultList, nil
+}
+
+func (armoCivAdaptor *ArmoCivAdaptor) GetImageVulnerability(imageID *registryvulnerabilities.ContainerImageIdentifier) (*registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+	// First
+	containerScanId, err := armoCivAdaptor.getImageLastScanId(imageID)
+	if err != nil {
+		return nil, err
+	}
+	if containerScanId == "" {
+		return nil, fmt.Errorf("last scan ID is empty")
+	}
+
+	filter := []map[string]string{{"containersScanID": containerScanId}}
+	pageSize := 300
+	pageNumber := 1
+	request := V2ListRequest{PageSize: &pageSize, PageNum: &pageNumber, InnerFilters: filter, OrderBy: "timestamp:desc"}
+	requestBody, _ := json.Marshal(request)
+	requestUrl := fmt.Sprintf("https://%s/api/v1/vulnerability/scanResultsDetails?customerGUID=%s", armoCivAdaptor.armoAPI.GetAPIURL(), armoCivAdaptor.armoAPI.GetAccountID())
+
+	resp, err := armoCivAdaptor.armoAPI.Post(requestUrl, map[string]string{"Content-Type": "application/json"}, requestBody)
+	if err != nil {
+		return nil, err
+	}
+
+	scanDetailsResult := struct {
+		Total struct {
+			Value    int    `json:"value"`
+			Relation string `json:"relation"`
+		} `json:"total"`
+		Response containerscan.VulnerabilitiesList `json:"response"`
+		Cursor   string                            `json:"cursor"`
+	}{}
+
+	err = json.Unmarshal([]byte(resp), &scanDetailsResult)
+	if err != nil {
+		return nil, err
+	}
+
+	vulnerabilities := responseObjectToVulnerabilities(scanDetailsResult.Response)
+
+	resultImageVulnerabilityReport := registryvulnerabilities.ContainerImageVulnerabilityReport{
+		ImageID:         *imageID,
+		Vulnerabilities: vulnerabilities,
+	}
+
+	return &resultImageVulnerabilityReport, nil
+}
+
+func (armoCivAdaptor *ArmoCivAdaptor) DescribeAdaptor() string {
+	// TODO
+	return ""
+}
+
+func (armoCivAdaptor *ArmoCivAdaptor) GetImagesInformation(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageInformation, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageInformation{}, nil
+}
+
+func (armoCivAdaptor *ArmoCivAdaptor) GetImagesScanStatus(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageScanStatus, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageScanStatus{}, nil
+}

registryadaptors/armosec/v1/civarmoadaptor_test.go

@@ -0,0 +1,23 @@
+package v1
+
+import (
+	"testing"
+
+	"github.com/armosec/kubescape/registryadaptors/registryvulnerabilities"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSum(t *testing.T) {
+	var err error
+	var adaptor registryvulnerabilities.IContainerImageVulnerabilityAdaptor
+
+	adaptor, err = NewArmoAdaptorMock()
+	assert.NoError(t, err)
+
+	assert.NoError(t, adaptor.Login())
+
+	imageVulnerabilityReport, err := adaptor.GetImageVulnerability(&registryvulnerabilities.ContainerImageIdentifier{Tag: "gke.gcr.io/gcp-compute-persistent-disk-csi-driver:v1.3.4-gke.0"})
+	assert.NoError(t, err)
+
+	assert.Equal(t, 25, len(imageVulnerabilityReport.Vulnerabilities))
+}

registryadaptors/armosec/v1/civarmoadaptorutils.go

@@ -0,0 +1,65 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/armosec/kubescape/containerscan"
+	"github.com/armosec/kubescape/registryadaptors/registryvulnerabilities"
+)
+
+func (armoCivAdaptor *ArmoCivAdaptor) getImageLastScanId(imageID *registryvulnerabilities.ContainerImageIdentifier) (string, error) {
+	filter := []map[string]string{{"imageTag": imageID.Tag, "status": "Success"}}
+	pageSize := 1
+	pageNumber := 1
+	request := V2ListRequest{PageSize: &pageSize, PageNum: &pageNumber, InnerFilters: filter, OrderBy: "timestamp:desc"}
+	requestBody, _ := json.Marshal(request)
+	requestUrl := fmt.Sprintf("https://%s/api/v1/vulnerability/scanResultsSumSummary?customerGUID=%s", armoCivAdaptor.armoAPI.GetAPIURL(), armoCivAdaptor.armoAPI.GetAccountID())
+
+	resp, err := armoCivAdaptor.armoAPI.Post(requestUrl, map[string]string{"Content-Type": "application/json"}, requestBody)
+	if err != nil {
+		return "", err
+	}
+
+	scanSummartResult := struct {
+		Total struct {
+			Value    int    `json:"value"`
+			Relation string `json:"relation"`
+		} `json:"total"`
+		Response []containerscan.ElasticContainerScanSummaryResult `json:"response"`
+		Cursor   string                                            `json:"cursor"`
+	}{}
+	err = json.Unmarshal([]byte(resp), &scanSummartResult)
+	if err != nil {
+		return "", err
+	}
+
+	if len(scanSummartResult.Response) < pageSize {
+		return "", fmt.Errorf("did not get response for image %s", imageID.Tag)
+	}
+
+	return scanSummartResult.Response[0].ContainerScanID, nil
+}
+
+func responseObjectToVulnerabilities(vulnerabilitiesList containerscan.VulnerabilitiesList) []registryvulnerabilities.Vulnerability {
+	vulnerabilities := make([]registryvulnerabilities.Vulnerability, len(vulnerabilitiesList))
+	for i, vulnerabilityEntry := range vulnerabilitiesList {
+		vulnerabilities[i].Description = vulnerabilityEntry.Description
+		vulnerabilities[i].Fixes = make([]registryvulnerabilities.FixedIn, len(vulnerabilityEntry.Fixes))
+		for j, fix := range vulnerabilityEntry.Fixes {
+			vulnerabilities[i].Fixes[j].ImgTag = fix.ImgTag
+			vulnerabilities[i].Fixes[j].Name = fix.Name
+			vulnerabilities[i].Fixes[j].Version = fix.Version
+		}
+		vulnerabilities[i].HealthStatus = vulnerabilityEntry.HealthStatus
+		vulnerabilities[i].Link = vulnerabilityEntry.Link
+		vulnerabilities[i].Metadata = vulnerabilityEntry.Metadata
+		vulnerabilities[i].Name = vulnerabilityEntry.Name
+		vulnerabilities[i].PackageVersion = vulnerabilityEntry.PackageVersion
+		vulnerabilities[i].RelatedPackageName = vulnerabilityEntry.RelatedPackageName
+		vulnerabilities[i].Relevancy = vulnerabilityEntry.Relevancy
+		vulnerabilities[i].Severity = vulnerabilityEntry.Severity
+		vulnerabilities[i].UrgentCount = vulnerabilityEntry.UrgentCount
+	}
+	return vulnerabilities
+}

registryadaptors/armosec/v1/datastructures.go

@@ -0,0 +1,35 @@
+package v1
+
+import (
+	"time"
+
+	"github.com/armosec/kubescape/cautils/getter"
+)
+
+type V2ListRequest struct {
+	// properties of the requested next page
+	// Use ValidatePageProperties to set PageSize field
+	PageSize *int `json:"pageSize,omitempty"`
+	// One can leave it empty for 0, then call ValidatePageProperties
+	PageNum *int `json:"pageNum,omitempty"`
+	// The time window of the list to return. Default: since - begining og the time, until - now.
+	Since *time.Time `json:"since,omitempty"`
+	Until *time.Time `json:"until,omitempty"`
+	// Which elements of the list to return, each field can hold multiple values separated by comma
+	// Example: ": {"severity": "High,Medium",		"type": "61539,30303"}
+	// An empty map means "return the complete list"
+	InnerFilters []map[string]string `json:"innerFilters,omitempty"`
+	// How to order (sort) the list, field name + sort order (asc/desc), like https://www.w3schools.com/sql/sql_orderby.asp
+	// Example: "timestamp:asc,severity:desc"
+	OrderBy string `json:"orderBy,omitempty"`
+	// Cursor to the next page of former requset. Not supported yet
+	// Cursor cannot be used with another parameters of this struct
+	Cursor string `json:"cursor,omitempty"`
+	// FieldsList allow us to return only subset of the source document fields
+	// Don't expose FieldsList outside without well designed decision
+	FieldsList              []string          `json:"includeFields,omitempty"`
+	FieldsReverseKeywordMap map[string]string `json:"-,omitempty"`
+}
+type ArmoCivAdaptor struct {
+	armoAPI *getter.ArmoAPI
+}

registryadaptors/contribute.md

@@ -0,0 +1,164 @@
+# Container image vulnerability adaptor interface
+
+## High level design of Kubescape
+
+### Layers
+
+* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego
+* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter 
+* Rules processor: Kubescape component, it enumerates and runs the controls while also preparing the all the input data that the controls need for running
+* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability infomration
+* Cloud Image Vulnerability adaption interface: the subject of this proposal, it gives a common interface for different registry/vulnerabilty vendors to adapt to.
+* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption
+```
+ -----------------------
+| Controls/Rules (rego) |
+ -----------------------
+            |
+ -----------------------
+|      OPA engine       |
+ -----------------------
+            |
+ -----------------------
+|    Rules processor    |
+ ----------------------- 
+            |
+ -----------------------
+|     Data sources      |
+ -----------------------              
+            |
+ =======================
+| CIV adaption interface|    <- Adding this layer in this proposal
+ ======================= 
+            |
+ -----------------------
+| Specific CIV adaptors |    <- Will be implemented based on this proposal
+ -----------------------      
+
+        
+
+```
+
+## Functionalities to cover
+
+The interface needs to cover the following functionalities:
+
+* Authentication against the information source (abstracted login)
+* Triggering image scan (if applicable, the source might store vulnerabilities for images but cannot scan alone)
+* Reading image scan status (with last scan date and etc.)
+* Getting vulnerability information for a given image
+* Getting image information
+  * Image manifests
+  * Image BOMs (bill of material)
+
+## Go API proposal
+
+```
+
+/*type ContainerImageRegistryCredentials struct {
+	Password string
+	Tag        string
+	Hash       string
+}*/
+
+type ContainerImageIdentifier struct {
+	Registry   string
+	Repository string
+	Tag        string
+	Hash       string
+}
+
+type ContainerImageScanStatus struct {
+	ImageID         ContainerImageIdentifier
+	IsScanAvailable bool
+	IsBomAvailable  bool
+	LastScanDate    time.Time
+}
+
+type ContainerImageVulnerabilityReport struct {
+	ImageID ContainerImageIdentifier
+	// TBD
+}
+
+type ContainerImageInformation struct {
+	ImageID       ContainerImageIdentifier
+	Bom           []string
+	ImageManifest Manifest // will use here Docker package definition
+}
+
+type IContainerImageVulnerabilityAdaptor interface {
+	// Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
+	// so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
+	Login(registry string, credentials map[string]string) error
+
+	// For "help" purposes
+	DescribeAdaptor() string
+
+	GetImagesScanStatus(imageIDs []ContainerImageIdentifier) ([]ContainerImageScanStatus, error)
+
+	GetImagesVulnerabilties(imageIDs []ContainerImageIdentifier) ([]ContainerImageVulnerabilityReport, error)
+
+	GetImagesInformation(imageIDs []ContainerImageIdentifier) ([]ContainerImageInformation, error)
+}
+```
+
+
+
+# Integration
+
+# Input
+
+The objects received from the interface will be converted to an IMetadata compatible objects as following
+
+```
+{
+    "apiVersion": "image.vulnscan.com/v1",
+    "kind": "ImageVulnerabilities",
+    "metadata": {
+        "name": "nginx:latest"
+    },
+    "data": {
+        // list of vulnerabilities
+    }
+}
+```
+
+
+# Output
+
+The rego results will be a combination of the k8s artifact and the list of relevant CVEs for the control
+
+```
+{
+    "apiVersion": "result.vulnscan.com/v1",
+    "kind": "Pod",
+    "metadata": {
+        "name": "nginx"
+        "namespace": "default"
+
+    },
+    "relatedObjects": [
+        {
+            "apiVersion": "v1",
+            "kind": "Pod",
+            "metadata": {
+                "name": "nginx"
+                "namespace": "default"
+            },
+            "spec": {
+                // podSpec
+            },
+        },
+        {
+            "apiVersion": "image.vulnscan.com/v1",
+            "kind": "ImageVulnerabilities",
+            "metadata": {
+                "name": "nginx:latest",
+            },
+            "data": {
+                // list of vulnerabilities
+            }
+        }
+    ]
+}
+```

registryadaptors/registryvulnerabilities/datastructures.go

@@ -0,0 +1,50 @@
+package registryvulnerabilities
+
+import (
+	"time"
+)
+
+type ContainerImageIdentifier struct {
+	Registry   string
+	Repository string
+	Tag        string
+	Hash       string
+}
+
+type ContainerImageScanStatus struct {
+	ImageID         ContainerImageIdentifier
+	IsScanAvailable bool
+	IsBomAvailable  bool
+	LastScanDate    time.Time
+}
+
+type FixedIn struct {
+	Name    string `json:"name"`
+	ImgTag  string `json:"imageTag"`
+	Version string `json:"version"`
+}
+type Vulnerability struct {
+	Name               string      `json:"name"`
+	RelatedPackageName string      `json:"packageName"`
+	PackageVersion     string      `json:"packageVersion"`
+	Link               string      `json:"link"`
+	Description        string      `json:"description"`
+	Severity           string      `json:"severity"`
+	Metadata           interface{} `json:"metadata"`
+	Fixes              []FixedIn   `json:"fixedIn"`
+	Relevancy          string      `json:"relevant"` // use the related enum
+	UrgentCount        int         `json:"urgent"`
+	NeglectedCount     int         `json:"neglected"`
+	HealthStatus       string      `json:"healthStatus"`
+}
+
+type ContainerImageVulnerabilityReport struct {
+	ImageID         ContainerImageIdentifier
+	Vulnerabilities []Vulnerability
+}
+
+type ContainerImageInformation struct {
+	ImageID ContainerImageIdentifier
+	Bom     []string
+	//ImageManifest Manifest // will use here Docker package definition
+}

registryadaptors/registryvulnerabilities/interfaces.go

@@ -0,0 +1,17 @@
+package registryvulnerabilities
+
+type IContainerImageVulnerabilityAdaptor interface {
+	// Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
+	// so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
+	Login() error
+
+	// For "help" purposes
+	DescribeAdaptor() string
+
+	GetImagesScanStatus(imageIDs []ContainerImageIdentifier) ([]ContainerImageScanStatus, error)
+
+	GetImagesVulnerabilities(imageIDs []ContainerImageIdentifier) ([]ContainerImageVulnerabilityReport, error)
+	GetImageVulnerability(imageID *ContainerImageIdentifier) (*ContainerImageVulnerabilityReport, error)
+
+	GetImagesInformation(imageIDs []ContainerImageIdentifier) ([]ContainerImageInformation, error)
+}

resourcehandler/cloudproviderhandler.go

@@ -26,8 +26,14 @@ func initCloudProvider() ICloudProvider {
 
 	switch getCloudProvider() {
 	case "gke", "gcp":
+		if isEnvVars() {
+			return NewGKEProviderEnvVar()
+		}
 		return NewGKEProviderContext()
 	case "eks", "aws":
+		if isEnvVars() {
+			return NewEKSProviderEnvVar()
+		}
 		return NewEKSProviderContext()
 	}
 	return NewEmptyCloudProvider()

resourcehandler/ekssupport.go

@@ -58,15 +58,18 @@ func NewEKSProviderContext() *EKSProviderContext {
 }
 
 func (eksProviderContext *EKSProviderContext) getKubeClusterName() string {
-	cluster := k8sinterface.GetCurrentContext().Cluster
-	var splittedCluster []string
+	context := k8sinterface.GetCurrentContext()
+	if context == nil {
+		return ""
+	}
+	cluster := context.Cluster
 	if cluster != "" {
-		splittedCluster = strings.Split(cluster, ".")
+		splittedCluster := strings.Split(cluster, ".")
 		if len(splittedCluster) > 1 {
 			return splittedCluster[0]
 		}
 	}
-	splittedCluster = strings.Split(k8sinterface.GetClusterName(), ".")
+	splittedCluster := strings.Split(k8sinterface.GetClusterName(), ".")
 	if len(splittedCluster) > 1 {
 		return splittedCluster[0]
 	}
@@ -74,9 +77,12 @@ func (eksProviderContext *EKSProviderContext) getKubeClusterName() string {
 }
 
 func (eksProviderContext *EKSProviderContext) getKubeCluster() string {
-	cluster := k8sinterface.GetCurrentContext().Cluster
-	if cluster != "" {
-		return cluster
+	context := k8sinterface.GetCurrentContext()
+	if context == nil {
+		return ""
+	}
+	if context.Cluster != "" {
+		return context.Cluster
 	}
 	return k8sinterface.GetClusterName()
 }

resourcehandler/filesloader.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
 
@@ -34,13 +35,15 @@ const (
 
 // FileResourceHandler handle resources from files and URLs
 type FileResourceHandler struct {
-	inputPatterns []string
+	inputPatterns    []string
+	registryAdaptors *RegistryAdaptors
 }
 
-func NewFileResourceHandler(inputPatterns []string) *FileResourceHandler {
+func NewFileResourceHandler(inputPatterns []string, registryAdaptors *RegistryAdaptors) *FileResourceHandler {
 	k8sinterface.InitializeMapResourcesMock() // initialize the resource map
 	return &FileResourceHandler{
-		inputPatterns: inputPatterns,
+		inputPatterns:    inputPatterns,
+		registryAdaptors: registryAdaptors,
 	}
 }
 
@@ -90,6 +93,10 @@ func (fileHandler *FileResourceHandler) GetResources(frameworks []reporthandling
 		}
 	}
 
+	if err := fileHandler.registryAdaptors.collectImagesVulnerabilities(k8sResources, allResources); err != nil {
+		cautils.WarningDisplay(os.Stderr, "Warning: failed to collect images vulnerabilities: %s\n", err.Error())
+	}
+
 	return k8sResources, allResources, nil
 
 }
@@ -101,7 +108,7 @@ func (fileHandler *FileResourceHandler) GetClusterAPIServerInfo() *version.Info
 func loadResourcesFromFiles(inputPatterns []string) ([]workloadinterface.IMetadata, error) {
 	files, errs := listFiles(inputPatterns)
 	if len(errs) > 0 {
-		cautils.ErrorDisplay(fmt.Sprintf("%v", errs)) // TODO - print error
+		logger.L().Error(fmt.Sprintf("%v", errs))
 	}
 	if len(files) == 0 {
 		return nil, nil
@@ -109,7 +116,7 @@ func loadResourcesFromFiles(inputPatterns []string) ([]workloadinterface.IMetada
 
 	workloads, errs := loadFiles(files)
 	if len(errs) > 0 {
-		cautils.ErrorDisplay(fmt.Sprintf("%v", errs)) // TODO - print error
+		logger.L().Error(fmt.Sprintf("%v", errs))
 	}
 	return workloads, nil
 }
@@ -188,11 +195,15 @@ func listFiles(patterns []string) ([]string, []error) {
 			o, _ := os.Getwd()
 			patterns[i] = filepath.Join(o, patterns[i])
 		}
-		f, err := glob(filepath.Split(patterns[i])) //filepath.Glob(patterns[i])
-		if err != nil {
-			errs = append(errs, err)
+		if isFile(patterns[i]) {
+			files = append(files, patterns[i])
 		} else {
-			files = append(files, f...)
+			f, err := glob(filepath.Split(patterns[i])) //filepath.Glob(patterns[i])
+			if err != nil {
+				errs = append(errs, err)
+			} else {
+				files = append(files, f...)
+			}
 		}
 	}
 	return files, errs
@@ -269,8 +280,17 @@ func convertYamlToJson(i interface{}) interface{} {
 	return i
 }
 
+func isYaml(filePath string) bool {
+	return cautils.StringInSlice(YAML_PREFIX, filepath.Ext(filePath)) != cautils.ValueNotFound
+}
+
+func isJson(filePath string) bool {
+	return cautils.StringInSlice(JSON_PREFIX, filepath.Ext(filePath)) != cautils.ValueNotFound
+}
+
 func glob(root, pattern string) ([]string, error) {
 	var matches []string
+
 	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
@@ -290,12 +310,13 @@ func glob(root, pattern string) ([]string, error) {
 	}
 	return matches, nil
 }
-func isYaml(filePath string) bool {
-	return cautils.StringInSlice(YAML_PREFIX, filepath.Ext(filePath)) != cautils.ValueNotFound
-}
-
-func isJson(filePath string) bool {
-	return cautils.StringInSlice(YAML_PREFIX, filepath.Ext(filePath)) != cautils.ValueNotFound
+func isFile(name string) bool {
+	if fi, err := os.Stat(name); err == nil {
+		if fi.Mode().IsRegular() {
+			return true
+		}
+	}
+	return false
 }
 
 func getFileFormat(filePath string) FileFormat {

resourcehandler/filesloader_test.go

@@ -1,11 +1,12 @@
 package resourcehandler
 
 import (
-	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func onlineBoutiquePath() string {
@@ -14,32 +15,26 @@ func onlineBoutiquePath() string {
 }
 
 func TestListFiles(t *testing.T) {
-	workDir, err := os.Getwd()
-	fmt.Printf("\n------------------\n%s,%v\n--------------\n", workDir, err)
+
 	filesPath := onlineBoutiquePath()
-	fmt.Printf("\n------------------\n%s\n--------------\n", filesPath)
 
 	files, errs := listFiles([]string{filesPath})
-	if len(errs) > 0 {
-		t.Error(errs)
-	}
-	expected := 12
-	if len(files) != expected {
-		t.Errorf("wrong number of files, expected: %d, found: %d", expected, len(files))
-	}
+	assert.Equal(t, 0, len(errs))
+	assert.Equal(t, 12, len(files))
 }
 
 func TestLoadFiles(t *testing.T) {
 	files, _ := listFiles([]string{onlineBoutiquePath()})
-	loadFiles(files)
+	_, err := loadFiles(files)
+	assert.Equal(t, 0, len(err))
 }
 
 func TestLoadFile(t *testing.T) {
 	files, _ := listFiles([]string{strings.Replace(onlineBoutiquePath(), "*", "adservice.yaml", 1)})
+	assert.Equal(t, 1, len(files))
+
 	_, err := loadFile(files[0])
-	if err != nil {
-		t.Errorf("%v", err)
-	}
+	assert.NoError(t, err)
 }
 func TestMapResources(t *testing.T) {
 	// policyHandler := &PolicyHandler{}

resourcehandler/gkesupport.go

@@ -41,7 +41,7 @@ func (gkeProvider *GKEProviderEnvVar) getProjectForGKE(cluster string) (string,
 	}
 	parsedName := strings.Split(cluster, "_")
 	if len(parsedName) < 3 {
-		return "", fmt.Errorf("error: failed to parse cluster name")
+		return "", fmt.Errorf("failed to parse project name from cluster name: '%s'", cluster)
 	}
 	project = parsedName[1]
 	return project, nil
@@ -54,7 +54,7 @@ func (gkeProvider *GKEProviderEnvVar) getRegionForGKE(cluster string) (string, e
 	}
 	parsedName := strings.Split(cluster, "_")
 	if len(parsedName) < 3 {
-		return "", fmt.Errorf("error: failed to parse cluster name")
+		return "", fmt.Errorf("failed to parse region name from cluster name: '%s'", cluster)
 	}
 	region = parsedName[2]
 	return region, nil
@@ -71,7 +71,11 @@ func NewGKEProviderContext() *GKEProviderContext {
 }
 
 func (gkeProviderContext *GKEProviderContext) getKubeClusterName() string {
-	cluster := k8sinterface.GetCurrentContext().Cluster
+	context := k8sinterface.GetCurrentContext()
+	if context == nil {
+		return ""
+	}
+	cluster := context.Cluster
 	parsedName := strings.Split(cluster, "_")
 	if len(parsedName) < 3 {
 		return ""
@@ -85,14 +89,16 @@ func (gkeProviderContext *GKEProviderContext) getKubeClusterName() string {
 	if len(parsedName) < 3 {
 		return ""
 	}
-	clusterName = parsedName[3]
-	return clusterName
+	return parsedName[3]
 }
 
 func (gkeProviderContext *GKEProviderContext) getKubeCluster() string {
-	cluster := k8sinterface.GetCurrentContext().Cluster
-	if cluster != "" {
-		return cluster
+	context := k8sinterface.GetCurrentContext()
+	if context == nil {
+		return ""
+	}
+	if context.Cluster != "" {
+		return context.Cluster
 	}
 	return k8sinterface.GetClusterName()
 
@@ -109,7 +115,7 @@ func (gkeProviderContext *GKEProviderContext) getProject(cluster string, provide
 func (gkeProviderContext *GKEProviderContext) getProjectForGKE(cluster string) (string, error) {
 	parsedName := strings.Split(cluster, "_")
 	if len(parsedName) < 3 {
-		return "", fmt.Errorf("error: failed to parse cluster name")
+		return "", fmt.Errorf("failed to parse project name from cluster name: '%s'", cluster)
 	}
 	project := parsedName[1]
 	return project, nil
@@ -118,7 +124,7 @@ func (gkeProviderContext *GKEProviderContext) getProjectForGKE(cluster string) (
 func (gkeProviderContext *GKEProviderContext) getRegionForGKE(cluster string) (string, error) {
 	parsedName := strings.Split(cluster, "_")
 	if len(parsedName) < 3 {
-		return "", fmt.Errorf("error: failed to parse cluster name")
+		return "", fmt.Errorf("failed to parse region name from cluster name: '%s'", cluster)
 	}
 	region := parsedName[2]
 	return region, nil

resourcehandler/k8sresources.go

@@ -3,10 +3,11 @@ package resourcehandler
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/kubescape/hostsensorutils"
 	"github.com/armosec/opa-utils/objectsenvelopes"
 	"github.com/armosec/opa-utils/reporthandling"
@@ -30,14 +31,16 @@ type K8sResourceHandler struct {
 	hostSensorHandler hostsensorutils.IHostSensor
 	fieldSelector     IFieldSelector
 	rbacObjectsAPI    *cautils.RBACObjects
+	registryAdaptors  *RegistryAdaptors
 }
 
-func NewK8sResourceHandler(k8s *k8sinterface.KubernetesApi, fieldSelector IFieldSelector, hostSensorHandler hostsensorutils.IHostSensor, rbacObjects *cautils.RBACObjects) *K8sResourceHandler {
+func NewK8sResourceHandler(k8s *k8sinterface.KubernetesApi, fieldSelector IFieldSelector, hostSensorHandler hostsensorutils.IHostSensor, rbacObjects *cautils.RBACObjects, registryAdaptors *RegistryAdaptors) *K8sResourceHandler {
 	return &K8sResourceHandler{
 		k8s:               k8s,
 		fieldSelector:     fieldSelector,
 		hostSensorHandler: hostSensorHandler,
 		rbacObjectsAPI:    rbacObjects,
+		registryAdaptors:  registryAdaptors,
 	}
 }
 
@@ -45,7 +48,7 @@ func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.F
 	allResources := map[string]workloadinterface.IMetadata{}
 
 	// get k8s resources
-	cautils.ProgressTextDisplay("Accessing Kubernetes objects")
+	logger.L().Info("Accessing Kubernetes objects")
 
 	cautils.StartSpinner()
 
@@ -60,33 +63,39 @@ func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.F
 	if err := k8sHandler.pullResources(k8sResourcesMap, allResources, namespace, labels); err != nil {
 		return k8sResourcesMap, allResources, err
 	}
+
+	if err := k8sHandler.registryAdaptors.collectImagesVulnerabilities(k8sResourcesMap, allResources); err != nil {
+		logger.L().Warning("failed to collect image vulnerabilities", helpers.Error(err))
+	}
+
 	if err := k8sHandler.collectHostResources(allResources, k8sResourcesMap); err != nil {
-		cautils.WarningDisplay(os.Stderr, "Warning: failed to collect host sensor resources\n")
+		logger.L().Warning("failed to collect host sensor resources", helpers.Error(err))
 	}
 
 	if err := k8sHandler.collectRbacResources(allResources); err != nil {
-		cautils.WarningDisplay(os.Stderr, "Warning: failed to collect rbac resources\n")
+		logger.L().Warning("failed to collect rbac resources", helpers.Error(err))
 	}
 	if err := getCloudProviderDescription(allResources, k8sResourcesMap); err != nil {
-		cautils.WarningDisplay(os.Stderr, fmt.Sprintf("Warning: %v\n", err.Error()))
+		logger.L().Warning("failed to collect cloud data", helpers.Error(err))
 	}
 
 	cautils.StopSpinner()
+	logger.L().Success("Accessed to Kubernetes objects")
 
-	cautils.SuccessTextDisplay("Accessed successfully to Kubernetes objects")
 	return k8sResourcesMap, allResources, nil
 }
 
 func (k8sHandler *K8sResourceHandler) GetClusterAPIServerInfo() *version.Info {
 	clusterAPIServerInfo, err := k8sHandler.k8s.DiscoveryClient.ServerVersion()
 	if err != nil {
-		cautils.ErrorDisplay(fmt.Sprintf("Failed to discover API server information: %v", err))
+		logger.L().Error("failed to discover API server information", helpers.Error(err))
 		return nil
 	}
 	return clusterAPIServerInfo
 }
 
 func (k8sHandler *K8sResourceHandler) pullResources(k8sResources *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata, namespace string, labels map[string]string) error {
+	logger.L().Debug("Accessing Kubernetes objects")
 
 	var errs error
 	for groupResource := range *k8sResources {
@@ -99,7 +108,7 @@ func (k8sHandler *K8sResourceHandler) pullResources(k8sResources *cautils.K8SRes
 				if errs == nil {
 					errs = err
 				} else {
-					errs = fmt.Errorf("%s\n%s", errs, err.Error())
+					errs = fmt.Errorf("%s; %s", errs, err.Error())
 				}
 			}
 			continue
@@ -159,11 +168,26 @@ func ConvertMapListToMeta(resourceMap []map[string]interface{}) []workloadinterf
 	return workloads
 }
 
+// func (k8sHandler *K8sResourceHandler) collectHostResourcesAPI(allResources map[string]workloadinterface.IMetadata, resourcesMap *cautils.K8SResources) error {
+
+// 	HostSensorAPI := map[string]string{
+// 		"bla/v1": "",
+// 	}
+// 	for apiVersion := range allResources {
+// 		if HostSensorAPI == apiVersion {
+// 			k8sHandler.collectHostResources()
+// 		}
+// 	}
+// 	return nil
+// }
 func (k8sHandler *K8sResourceHandler) collectHostResources(allResources map[string]workloadinterface.IMetadata, resourcesMap *cautils.K8SResources) error {
+	logger.L().Debug("Collecting host sensor resources")
+
 	hostResources, err := k8sHandler.hostSensorHandler.CollectResources()
 	if err != nil {
 		return err
 	}
+
 	for rscIdx := range hostResources {
 		group, version := getGroupNVersion(hostResources[rscIdx].GetApiVersion())
 		groupResource := k8sinterface.JoinResourceTriplets(group, version, hostResources[rscIdx].GetKind())
@@ -179,6 +203,8 @@ func (k8sHandler *K8sResourceHandler) collectHostResources(allResources map[stri
 }
 
 func (k8sHandler *K8sResourceHandler) collectRbacResources(allResources map[string]workloadinterface.IMetadata) error {
+	logger.L().Debug("Collecting rbac resources")
+
 	if k8sHandler.rbacObjectsAPI == nil {
 		return nil
 	}
@@ -193,6 +219,8 @@ func (k8sHandler *K8sResourceHandler) collectRbacResources(allResources map[stri
 }
 
 func getCloudProviderDescription(allResources map[string]workloadinterface.IMetadata, k8sResourcesMap *cautils.K8SResources) error {
+	logger.L().Debug("Collecting cloud data")
+
 	cloudProvider := initCloudProvider()
 	cluster := cloudProvider.getKubeCluster()
 	clusterName := cloudProvider.getKubeClusterName()
@@ -205,7 +233,10 @@ func getCloudProviderDescription(allResources map[string]workloadinterface.IMeta
 	if err != nil {
 		return err
 	}
+
 	if provider != "" {
+		logger.L().Debug("cloud", helpers.String("cluster", cluster), helpers.String("clusterName", clusterName), helpers.String("provider", provider), helpers.String("region", region), helpers.String("project", project))
+
 		wl, err := cloudsupport.GetDescriptiveInfoFromCloudProvider(clusterName, provider, region, project)
 		if err != nil {
 			// Return error with useful info on how to configure credentials for getting cloud provider info

resourcehandler/registrydata.go

@@ -0,0 +1,150 @@
+package resourcehandler
+
+import (
+	"github.com/armosec/k8s-interface/k8sinterface"
+	"github.com/armosec/k8s-interface/workloadinterface"
+	"github.com/armosec/kubescape/cautils"
+	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
+	armosecadaptorv1 "github.com/armosec/kubescape/registryadaptors/armosec/v1"
+	"github.com/armosec/kubescape/registryadaptors/registryvulnerabilities"
+	"github.com/armosec/opa-utils/shared"
+)
+
+const (
+	ImagevulnerabilitiesObjectGroup   = "image.vulnscan.com"
+	ImagevulnerabilitiesObjectVersion = "v1"
+	ImagevulnerabilitiesObjectKind    = "ImageVulnerabilities"
+)
+
+type RegistryAdaptors struct {
+	adaptors []registryvulnerabilities.IContainerImageVulnerabilityAdaptor
+}
+
+func NewRegistryAdaptors() (*RegistryAdaptors, error) {
+	// list supported adaptors
+	registryAdaptors := &RegistryAdaptors{}
+	adaptors, err := listAdaptores()
+	if err != nil {
+		return registryAdaptors, err
+	}
+	registryAdaptors.adaptors = adaptors
+	return registryAdaptors, nil
+}
+
+func (registryAdaptors *RegistryAdaptors) collectImagesVulnerabilities(k8sResourcesMap *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata) error {
+	logger.L().Debug("Collecting images vulnerabilities")
+
+	// list cluster images
+	images := listImagesTags(k8sResourcesMap, allResources)
+	imagesIdentifiers := imageTagsToContainerImageIdentifier(images)
+
+	imagesVulnerability := map[string][]registryvulnerabilities.Vulnerability{}
+	for i := range registryAdaptors.adaptors { // login and and get vulnerabilities
+
+		if err := registryAdaptors.adaptors[i].Login(); err != nil {
+			logger.L().Error("failed to login", helpers.Error(err))
+			continue
+		}
+		vulnerabilities, err := registryAdaptors.adaptors[i].GetImagesVulnerabilities(imagesIdentifiers)
+		if err != nil {
+			return err
+		}
+		for j := range vulnerabilities {
+			imagesVulnerability[vulnerabilities[j].ImageID.Tag] = vulnerabilities[j].Vulnerabilities
+		}
+	}
+
+	// convert result to IMetadata object
+	metaObjs := vulnerabilitiesToIMetadata(imagesVulnerability)
+
+	// save in resources map
+	for i := range metaObjs {
+		allResources[metaObjs[i].GetID()] = metaObjs[i]
+	}
+	(*k8sResourcesMap)[k8sinterface.JoinResourceTriplets(ImagevulnerabilitiesObjectGroup, ImagevulnerabilitiesObjectVersion, ImagevulnerabilitiesObjectKind)] = workloadinterface.ListMetaIDs(metaObjs)
+
+	return nil
+}
+
+func vulnerabilitiesToIMetadata(vulnerabilities map[string][]registryvulnerabilities.Vulnerability) []workloadinterface.IMetadata {
+	objs := []workloadinterface.IMetadata{}
+	for i := range vulnerabilities {
+		objs = append(objs, vulnerabilityToIMetadata(i, vulnerabilities[i]))
+	}
+	return objs
+}
+
+func vulnerabilityToIMetadata(imageTag string, vulnerabilities []registryvulnerabilities.Vulnerability) workloadinterface.IMetadata {
+	obj := map[string]interface{}{}
+	metadata := map[string]interface{}{}
+	metadata["name"] = imageTag // store image tag as object name
+	obj["kind"] = ImagevulnerabilitiesObjectKind
+	obj["apiVersion"] = k8sinterface.JoinGroupVersion(ImagevulnerabilitiesObjectGroup, ImagevulnerabilitiesObjectVersion)
+	obj["data"] = vulnerabilities
+	obj["metadata"] = metadata
+
+	return workloadinterface.NewWorkloadObj(obj)
+}
+
+// list all images tags
+func listImagesTags(k8sResourcesMap *cautils.K8SResources, allResources map[string]workloadinterface.IMetadata) []string {
+	images := []string{}
+	for _, resources := range *k8sResourcesMap {
+		for j := range resources {
+			if resource, ok := allResources[resources[j]]; ok {
+				if resource.GetObjectType() == workloadinterface.TypeWorkloadObject {
+					workload := workloadinterface.NewWorkloadObj(resource.GetObject())
+					if contianers, err := workload.GetContainers(); err == nil {
+						for i := range contianers {
+							images = append(images, contianers[i].Image)
+						}
+					}
+					if contianers, err := workload.GetInitContainers(); err == nil {
+						for i := range contianers {
+							images = append(images, contianers[i].Image)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return shared.SliceStringToUnique(images)
+}
+
+func imageTagsToContainerImageIdentifier(images []string) []registryvulnerabilities.ContainerImageIdentifier {
+	imagesIdentifiers := make([]registryvulnerabilities.ContainerImageIdentifier, len(images))
+	for i := range images {
+		imageIdentifier := registryvulnerabilities.ContainerImageIdentifier{
+			Tag: images[i],
+		}
+		// splitted := strings.Split(images[i], "/")
+		// if len(splitted) == 1 {
+		// 	imageIdentifier.Tag = splitted[0]
+		// } else if len(splitted) == 2 {
+		// 	imageIdentifier.Registry = splitted[0]
+		// 	imageIdentifier.Tag = splitted[1]
+		// } else if len(splitted) >= 3 {
+		// 	imageIdentifier.Registry = splitted[0]
+		// 	imageIdentifier.Repository = strings.Join(splitted[1:len(splitted)-1], "/")
+		// 	imageIdentifier.Tag = splitted[len(splitted)-1]
+		// }
+		imagesIdentifiers[i] = imageIdentifier
+	}
+	return imagesIdentifiers
+}
+func listAdaptores() ([]registryvulnerabilities.IContainerImageVulnerabilityAdaptor, error) {
+
+	adaptors := []registryvulnerabilities.IContainerImageVulnerabilityAdaptor{}
+
+	armoAPI := getter.GetArmoAPIConnector()
+	if armoAPI != nil {
+		if armoAPI.GetSecretKey() != "" && armoAPI.GetClientID() != "" && armoAPI.GetAccountID() != "" {
+			adaptors = append(adaptors, armosecadaptorv1.NewArmoAdaptor(getter.GetArmoAPIConnector()))
+		}
+	}
+
+	return adaptors, nil
+}