Merge pull request #959 from suhasgumma/fix-command

fix: keep user formatting when autofixing

.github/ISSUE_TEMPLATE/feature_request.md

@@ -6,15 +6,14 @@ labels: ''
 assignees: ''
 
 ---
+**Is your feature request related to a problem? Please describe.**</br>
+ > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+**Describe the solution you'd like.**</br>
+ > A clear and concise description of what you want to happen.
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+**Describe alternatives you've considered.**</br>
+ > A clear and concise description of any alternative solutions or features you've considered.
 
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
+**Additional context.**</br>
+ > Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,11 +2,15 @@
 
 ## Screenshots - If Any (Optional)
 
-## Issue ticket number and link
+## This PR fixes:
+
+* Resolved #
 
 ## Checklist before requesting a review
+<!-- put an [x] in the box to get it checked -->
+
 - [ ] My code follows the style guidelines of this project
-- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have commented on my code, particularly in hard-to-understand areas
 - [ ] I have performed a self-review of my code
 - [ ] If it is a core feature, I have added thorough tests.
 - [ ] New and existing unit tests pass locally with my changes

.github/workflows/build-image.yaml

@@ -0,0 +1,80 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      client:
+        description: 'client name'
+        required: true
+        type: string
+      image_tag:
+        description: 'image tag'
+        required: true
+        type: string
+      image_name:
+        description: 'image registry and name'
+        required: true
+        type: string
+      cosign:
+        required: false
+        default: false
+        type: boolean
+        description: 'run cosign on released image'
+      support_platforms:
+        required: false
+        default: true
+        type: boolean
+        description: 'support amd64/arm64'
+
+    secrets:
+      QUAYIO_REGISTRY_USERNAME:
+        required: true
+      QUAYIO_REGISTRY_PASSWORD:
+        required: true
+
+jobs:
+  build-image:
+    name: Build image and upload to registry
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Quay.io
+        env:
+          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+
+      - name: Build and push image
+        if: ${{ inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
+     
+      - name: Build and push image without amd64/arm64 support
+        if: ${{ !inputs.support_platforms }}
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.12.0'
+      - name: sign kubescape container image
+        if: ${{ inputs.cosign }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+            cosign sign --force ${{ inputs.image_name }}:latest
+            cosign sign --force ${{ inputs.image_name }}:${{ inputs.image_tag }}
+

.github/workflows/build.yaml

@@ -7,26 +7,26 @@ on:
       # Do not run the pipeline if only Markdown files changed
       - '**.md'
 jobs:
-  once:
-    name: Create release
-    runs-on: ubuntu-latest
-    outputs:
-      upload_url: ${{ steps.create_release.outputs.upload_url }}
-    steps:
-      - name: Create a release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: v2.0.${{ github.run_number }}
-          release_name: Release v2.0.${{ github.run_number }}
-          draft: false
-          prerelease: false
-  build:
-    name: Create cross-platform release build, tag and upload binaries
-    needs: once
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test
+
+  create-release:
+    uses: ./.github/workflows/release.yaml
+    needs: test
+    with:
+      release_name: "Release v2.0.${{ github.run_number }}"
+      tag_name: "v2.0.${{ github.run_number }}"
+    secrets: inherit
+
+  publish-artifacts:
+    name: Build and publish artifacts
+    needs: create-release
     runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -34,46 +34,11 @@ jobs:
       - uses: actions/checkout@v3
         with:
           submodules: recursive
-
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
+ 
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
-      # - name: Test cmd pkg
-      #   run: cd cmd && go test -v ./...
 
       - name: Install MSYS2 & libgit2 (Windows)
         shell: cmd
@@ -84,34 +49,20 @@ jobs:
         run: make libgit2
         if: matrix.os != 'windows-latest'
 
-      - name: Test core pkg
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: go test -tags=static -v ./...
-
-      - name: Test httphandler pkg
-        run: cd httphandler && go test -tags=static -v ./...
-
       - name: Build
         env:
-          RELEASE: v2.0.${{ github.run_number }} 
+          RELEASE: v2.0.${{ github.run_number }}
           CLIENT: release
           CGO_ENABLED: 1
         run: python3 --version && python3 build.py
-      
-      - name: Smoke Testing
-        env:
-          RELEASE: v2.0.${{ github.run_number }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-
+ 
       - name: Upload release binaries
         id: upload-release-asset
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ needs.once.outputs.upload_url }}
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
           asset_path: build/${{ matrix.os }}/kubescape
           asset_name: kubescape-${{ matrix.os }}
           asset_content_type: application/octet-stream
@@ -122,64 +73,19 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ needs.once.outputs.upload_url }}
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
           asset_path: build/${{ matrix.os }}/kubescape.sha256
           asset_name: kubescape-${{ matrix.os }}-sha256
           asset_content_type: application/octet-stream
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    runs-on: ubuntu-latest
+  
+  publish-image:
     if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          submodules: recursive
-
-      - name: Set image version
-        id: image-version
-        run: echo '::set-output name=IMAGE_VERSION::v2.0.${{ github.run_number }}'
-
-      - name: Set image name
-        id: image-name
-        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to Quay.io
-        env:
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-
-      - name: Build the Docker image
-        run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:latest --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg client=image-release --push --platform linux/amd64,linux/arm64
-
-      # - name: Login to GitHub Container Registry
-      #   uses: docker/login-action@v1
-      #   with:
-      #     registry: ghcr.io
-      #     username: ${{ github.actor }}
-      #     password: ${{ secrets.GITHUB_TOKEN }}
-    
-      # TODO - Wait for casign to support fixed tags -> https://github.com/sigstore/cosign/issues/1424
-      # - name: Install cosign
-      #   uses: sigstore/cosign-installer@main
-      #   with:
-      #     cosign-release: 'v1.5.1' # optional
-      # - name: sign kubescape container image
-      #   env:
-      #     COSIGN_EXPERIMENTAL: "true"
-      #   run: |
-      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
-      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
-
+    uses: ./.github/workflows/build-image.yaml
+    needs: create-release
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: "v2.0.${{ github.run_number }}"
+      support_platforms: false
+      cosign: true
+    secrets: inherit

.github/workflows/build_dev.yaml

@@ -7,136 +7,20 @@ on:
       # Do not run the pipeline if only Markdown files changed
       - '**.md'
 jobs:
-  build:
-    name: Create cross-platform dev build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-          
-      # - name: Test cmd pkg
-      #   run: cd cmd && go test -v ./...
-      
-      # - name: Test core pkg
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #   run: cd core && go test -v ./...
-
-      # - name: Test cmd pkg
-      #   run: cd cmd && go test -v ./...
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
-
-      - name: Test core pkg
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: go test -tags=static -v ./...
-
-      - name: Test httphandler pkg
-        run: cd httphandler && go test -tags=static -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v2.0.${{ github.run_number }} 
-          CLIENT: release-dev
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
-      
-      - name: Smoke Testing
-        env:
-          RELEASE: v2.0.${{ github.run_number }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-
-      - name: Upload build artifacts 
-        uses: actions/upload-artifact@v2
-        with:
-          name: kubescape-${{ matrix.os }}
-          path: build/${{ matrix.os }}/kubescape 
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test
+ 
+  publish-dev-image:
     if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          submodules: recursive
-
-      - name: Set image version
-        id: image-version
-        run: echo '::set-output name=IMAGE_VERSION::dev-v2.0.${{ github.run_number }}'
-
-      - name: Set image name
-        id: image-name
-        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to Quay.io
-        env:
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-
-      - name: Build the Docker image
-        run: docker buildx build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg client=image-dev --push --platform linux/amd64,linux/arm64
+    uses: ./.github/workflows/build-image.yaml
+    needs: test
+    with:
+      client: "image-dev"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: "dev-v2.0.${{ github.run_number }}"
+      support_platforms: false
+      cosign: true
+    secrets: inherit

.github/workflows/close-typos-issues.yaml

@@ -0,0 +1,23 @@
+on:
+  issues:
+    types: [opened, labeled]
+
+jobs:
+  open_PR_message:
+    if: github.event.label.name == 'typo'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ben-z/actions-comment-on-issue@1.0.2
+        with:
+          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          
+          
+  auto_close_issues:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: lee-dohm/close-matching-issues@v2
+        with:
+          query: 'label:typo'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/community.yml

@@ -0,0 +1,22 @@
+on:
+  fork:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened]
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  welcome:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: EddieHubCommunity/gh-action-community/src/welcome@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and reporting an issue</h3>'
+          pr-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and contributing to the open source community</h3>'
+          footer: '<h4>We will try to review as soon as possible!</h4>'

.github/workflows/pr_checks.yaml

@@ -6,87 +6,11 @@ on:
     types: [ edited, opened, synchronize, reopened ]
     paths-ignore:
       # Do not run the pipeline if only Markdown files changed
+      - '**.yaml'
       - '**.md'
 jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
-
-      # - name: Test cmd pkg
-      #   run: cd cmd && go test -v ./...
-      
-      - name: Test core pkg
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: go test -tags=static -v ./...
-
-      - name: Test httphandler pkg
-        run: cd httphandler && go test -tags=static -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v2.0.${{ github.run_number }} 
-          CLIENT: test
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
-
-      - name: Smoke Testing
-        env:
-          RELEASE: v2.0.${{ github.run_number }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-        
+  test:
+    uses: ./.github/workflows/test.yaml
+    with:
+      release: "v2.0.${{ github.run_number }}"
+      client: test

.github/workflows/release.yaml

@@ -0,0 +1,41 @@
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      release_name:
+        description: 'release'
+        required: true
+        type: string
+      tag_name:
+        description: 'tag'
+        required: true
+        type: string
+      draft:
+        description: 'create draft release'
+        required: false
+        type: boolean
+        default: false
+    outputs:
+      upload_url:
+        description: "The first output string"
+        value: ${{ jobs.release.outputs.upload_url }}
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+    steps:
+      - name: Create a release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ inputs.tag_name }}
+          release_name: ${{ inputs.release_name }}
+          draft: ${{ inputs.draft }}
+          prerelease: false
+   

.github/workflows/test.yaml

@@ -0,0 +1,93 @@
+name: test
+
+on:
+  workflow_call:
+    inputs:
+      release:
+        description: 'release'
+        required: true
+        type: string
+      client:
+        description: 'Client name'
+        required: true
+        type: string
+jobs:
+  build:
+    name: Create cross-platform build
+    runs-on: ${{ matrix.os }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Cache Go modules (Linux)
+        if: matrix.os == 'ubuntu-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (macOS)
+        if: matrix.os == 'macos-latest' 
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/Library/Caches/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Cache Go modules (Windows)
+        if: matrix.os == 'windows-latest'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+
+      - name: Install MSYS2 & libgit2 (Windows)
+        shell: cmd
+        run: .\build.bat all
+        if: matrix.os == 'windows-latest'
+
+      - name: Install libgit2 (Linux/macOS)
+        run: make libgit2
+        if: matrix.os != 'windows-latest'
+ 
+      - name: Test core pkg
+        run: go test -tags=static -v ./...
+
+      - name: Test httphandler pkg
+        run: cd httphandler && go test -tags=static -v ./...
+
+      - name: Build
+        env:
+          RELEASE: ${{ inputs.release }}
+          CLIENT: test
+          CGO_ENABLED: 1
+        run: python3 --version && python3 build.py
+
+      - name: Smoke Testing
+        env:
+          RELEASE: ${{ inputs.release }} 
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
+        

.gitignore

@@ -1,7 +1,7 @@
 *.vs*
 *kubescape*
 *debug*
-*vender*
+*vendor*
 *.pyc*
 .idea
 .history

CONTRIBUTING.md

@@ -3,13 +3,13 @@
 First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
 
 When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope are limited to a single or two files
-* Complex features and improvements, whose are not limited
+* Small code changes or fixes, whose scope is limited to a single or two files
+* Complex features and improvements, that are not limited
 
 If you have a small change, feel free to fire up a Pull Request.
 
 When planning a bigger change, please first discuss the change you wish to make via issue,
-email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time.
+email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might be already going in this direction (or the exact opposite ;-) ) and we don't want to waste your time.
 
 Please note we have a code of conduct, please follow it in all your interactions with the project.
 
@@ -20,14 +20,14 @@ Please note we have a code of conduct, please follow it in all your interactions
 2. Update the README.md with details of changes to the interface, this includes new environment 
    variables, exposed ports, useful file locations and container parameters.
 3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
-4. We will merge the Pull Request in once you have the sign-off.
+4. We will merge the Pull Request once you have the sign-off.
 
 ## Code of Conduct
 
 ### Our Pledge
 
 In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
+contributors and maintainers pledge to make participation in our project and
 our community a harassment-free experience for everyone, regardless of age, body
 size, disability, ethnicity, gender identity and expression, level of experience,
 nationality, personal appearance, race, religion, or sexual identity and
@@ -55,12 +55,12 @@ advances
 * Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
-We will distance those who are constantly adhere to unacceptable behavior.
+We will distance those who constantly adhere to unacceptable behavior.
 
 ### Our Responsibilities
 
 Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
+behavior and are expected to take appropriate and fair corrective actions in
 response to any instances of unacceptable behavior.
 
 Project maintainers have the right and responsibility to remove, edit, or
@@ -97,4 +97,4 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -1,11 +1,17 @@
-<img src="docs/kubescape.png" width="300" alt="logo" align="center">
+<div align="center">
+    <img src="docs/kubescape.png" width="300" alt="logo">
+</div>
+
+---
 
 [![build](https://github.com/kubescape/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
+
+:sunglasses: [Want to contribute?](#being-a-part-of-the-team) :innocent: 
 
 
-
-Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning. 
+Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. 
 Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
 
 It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources.
@@ -24,17 +30,17 @@ Kubescape integrates natively with other DevOps tools, including Jenkins, Circle
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
+*OR:*
+
 [Install on windows](#install-on-windows)
 
 [Install on macOS](#install-on-macos)
 
 [Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
 
-[Install using Go](#install-using-go)
-
 ## Run:
 ```sh
-kubescape scan --submit --enable-host-scan --verbose
+kubescape scan --enable-host-scan --verbose
 ```
 
 <img src="docs/summary.png">
@@ -45,19 +51,33 @@ kubescape scan --submit --enable-host-scan --verbose
 
 </br>
 
-### Click [👍](https://github.com/kubescape/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀
+## Architecture in short
+### [CLI](#kubescape-cli)
+<div align="center">
+    <img src="docs/ks-cli-arch.png" width="300" alt="cli-diagram">
+</div>
+
+### [Operator](https://github.com/kubescape/helm-charts#readme)
+<div align="center">
+    <img src="docs/ks-operator-arch.png" width="300" alt="operator-diagram">
+</div>
+
+### Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape 😀
 
 </br>
 
-
 # Being a part of the team
 
-We invite you to our team! We are excited about this project and want to return the love we get.
+## Community
+We invite you to our community! We are excited about this project and want to return the love we get.
 
-Want to contribute? Want to discuss something? Have an issue?
+We hold community meetings in [Zoom](https://us02web.zoom.us/j/84020231442) on the first Tuesday of every month at 14:00 GMT! :sunglasses:
 
-* Feel free to pick a task from the [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
-* Open an issue, we are trying to respond within 48 hours
+## Contributions 
+[Want to contribute?](https://github.com/kubescape/kubescape/blob/master/CONTRIBUTING.md) Want to discuss something? Have an issue? Please make sure that you follow our [Code Of Conduct](https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md) . 
+
+* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
+* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose) , we are trying to respond within 48 hours
 * [Join us](https://discord.com/invite/WKZRaCtBxN) in the discussion on our discord server!
 
 [<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://discord.com/invite/WKZRaCtBxN)
@@ -76,10 +96,13 @@ Want to contribute? Want to discuss something? Have an issue?
 * [Overview](https://youtu.be/wdBkt_0Qhbg)
 * [How To Secure Kubernetes Clusters With Kubescape And Armo](https://youtu.be/ZATGiDIDBQk)
 * [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
+* [Scan container image registry](https://youtu.be/iQ_k8EnK-3s)
 * [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
 * [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
 * [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
-* Customize control configurations. [Kubescape CLI](https://youtu.be/955psg6TVu4), [Kubescape SaaS](https://youtu.be/lIMVSVhH33o)
+* Customize control configurations: 
+  - [Kubescape CLI](https://youtu.be/955psg6TVu4) 
+  - [Kubescape SaaS](https://youtu.be/lIMVSVhH33o)
 
 ## Install on Windows
 
@@ -152,22 +175,22 @@ Or to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`
 ### Examples
 
 
-#### Scan a running Kubernetes cluster and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster
 ```
-kubescape scan --submit --enable-host-scan  --verbose
+kubescape scan --enable-host-scan  --verbose
 ```
 
 > Read [here](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository) more about the `enable-host-scan` flag
 
-#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
 ```
-kubescape scan framework nsa --submit
+kubescape scan framework nsa
 ```
 
 
-#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework
 ```
-kubescape scan framework mitre --submit
+kubescape scan framework mitre
 ```
 
 
@@ -176,6 +199,11 @@ kubescape scan framework mitre --submit
 kubescape scan control "Privileged container"
 ```
 
+#### Scan using an alternative kubeconfig file
+```
+kubescape scan --kubeconfig cluster.conf
+```
+
 #### Scan specific namespaces
 ```
 kubescape scan --include-namespaces development,staging,production
@@ -186,14 +214,13 @@ kubescape scan --include-namespaces development,staging,production
 kubescape scan --exclude-namespaces kube-system,kube-public
 ```
 
-#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI) Submit the results in case the directory is a git repo. [docs](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
+#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
 ```
-kubescape scan *.yaml --submit
+kubescape scan *.yaml
 ```
 
-#### Scan kubernetes manifest files from a git repository [and submit the results](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
-```
-kubescape scan https://github.com/kubescape/kubescape --submit
+#### Scan Kubernetes manifest files from a git repository 
+kubescape scan https://github.com/kubescape/kubescape
 ```
 
 #### Display all scanned resources (including the resources which passed) 
@@ -226,6 +253,12 @@ kubescape scan --format pdf --output results.pdf
 kubescape scan --format prometheus
 ```
 
+#### Output in `html` format
+
+```
+kubescape scan --format html --output results.html
+```
+
 #### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
 [Full documentation](examples/exceptions/README.md)
 ```
@@ -234,10 +267,16 @@ kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
 
 #### Scan Helm charts 
 ```
-kubescape scan </path/to/directory> --submit
+kubescape scan </path/to/directory>
 ```
 > Kubescape will load the default value file
 
+#### Scan Kustomize Directory 
+```
+kubescape scan </path/to/directory>
+```
+> Kubescape will generate Kubernetes Yaml Objects using 'Kustomize' file and scans them for security.
+
 ### Offline/Air-gaped Environment Support
 
 [Video tutorial](https://youtu.be/IGXL9s37smM)
@@ -260,7 +299,7 @@ kubescape scan --use-artifacts-from path/to/local/dir
 
 You can also download a single artifact and scan with the `--use-from` flag
 
-1. Download and save in file, if file name is not specified, will save in `~/.kubescape/<framework name>.json`
+1. Download and save in a file, if the file name is not specified, will save in `~/.kubescape/<framework name>.json`
 ```
 kubescape download framework nsa --output /path/nsa.json
 ```
@@ -348,6 +387,28 @@ View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using k
 
 </details>
 
+## Build on pre-configured killercoda's ubuntu playground
+
+* [Pre-configured Killercoda's Ubuntu Playground](https://killercoda.com/suhas-gumma/scenario/kubescape-build-for-development)
+
+<details><summary> Pre-programmed actions executed by the playground </summary>
+
+
+* Clone the official GitHub repository of `Kubescape`.
+* [Automate the build process on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
+* The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
+
+</details>
+
+<details>
+<summary>Instructions to use the playground</summary>
+
+* Apply changes you wish to make to the kubescape directory using text editors like `Vim`.
+* [Build on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
+* Now, you can use Kubescape just like a normal user. Instead of using `kubescape`, use `./kubescape`. (Make sure you are inside kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`)
+
+</details>
+
 ## VS code configuration samples
 
 You can use the sample files below to setup your VS code environment for building and debugging purposes.

build.py

@@ -14,18 +14,18 @@ def check_status(status, msg):
 
 def get_build_dir():
     current_platform = platform.system()
-    build_dir = "./build/"
+    build_dir = ""
 
-    if current_platform == "Windows": build_dir += "windows-latest"
-    elif current_platform == "Linux": build_dir += "ubuntu-latest"
-    elif current_platform == "Darwin": build_dir += "macos-latest"
+    if current_platform == "Windows": build_dir = "windows-latest"
+    elif current_platform == "Linux": build_dir = "ubuntu-latest"
+    elif current_platform == "Darwin": build_dir = "macos-latest"
     else: raise OSError("Platform %s is not supported!" % (current_platform))
 
-    return build_dir
+    return os.path.join("build", build_dir)
+
 
 def get_package_name():
     package_name = "kubescape"
-    # if platform.system() == "Windows": package_name += ".exe"
 
     return package_name
 

build/Dockerfile

@@ -20,7 +20,6 @@ WORKDIR /work
 ADD . .
 
 # install libgit2
-WORKDIR /work
 RUN rm -rf git2go && make libgit2
 
 # build kubescape server
@@ -34,17 +33,17 @@ RUN python build.py
 
 RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
 
-FROM alpine
+FROM alpine:3.16.2
 
-RUN addgroup -S armo && adduser -S armo -G armo
+RUN addgroup -S ks && adduser -S ks -G ks
 
-RUN mkdir /home/armo/.kubescape
-COPY --from=builder /work/artifacts/ /home/armo/.kubescape
+COPY --from=builder /work/artifacts/ /home/ks/.kubescape
 
-RUN chown -R armo:armo /home/armo/.kubescape
+RUN chown -R ks:ks /home/ks/.kubescape
 
-USER armo
-WORKDIR /home/armo
+USER ks
+
+WORKDIR /home/ks
 
 COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
 COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape

cmd/completion/completion.go

@@ -43,7 +43,3 @@ func GetCompletionCmd() *cobra.Command {
 	}
 	return completionCmd
 }
-
-// func init() {
-// 	rootCmd.AddCommand(completionCmd)
-// }

cmd/config/config.go

@@ -25,6 +25,9 @@ var (
 
   # Set access key
   kubescape config set secretKey <access key>
+
+  # Set cloudAPIURL
+  kubescape config set cloudAPIURL <cloud API URL>
 `
 )
 

cmd/config/set.go

@@ -33,9 +33,13 @@ func getSetCmd(ks meta.IKubescape) *cobra.Command {
 }
 
 var supportConfigSet = map[string]func(*metav1.SetConfig, string){
-	"accountID": func(s *metav1.SetConfig, account string) { s.Account = account },
-	"clientID":  func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
-	"secretKey": func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
+	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
+	"clientID":       func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
+	"secretKey":      func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
+	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
+	"cloudAuthURL":   func(s *metav1.SetConfig, cloudAuthURL string) { s.CloudAuthURL = cloudAuthURL },
+	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
+	"cloudUIURL":     func(s *metav1.SetConfig, cloudUIURL string) { s.CloudUIURL = cloudUIURL },
 }
 
 func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {

cmd/delete/exceptions.go

@@ -22,6 +22,11 @@ func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command
 			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationDelete(deleteInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
 			exceptionsNames := strings.Split(args[0], ";")
 			if len(exceptionsNames) == 0 {
 				logger.L().Fatal("missing exceptions names")
@@ -32,3 +37,10 @@ func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command
 		},
 	}
 }
+
+// Check if the flag entered are valid
+func flagValidationDelete(deleteInfo *v1.Delete) error {
+
+	// Validate the user's credentials
+	return deleteInfo.Credentials.Validate()
+}

cmd/download/download.go

@@ -17,7 +17,7 @@ var (
 	downloadExample = `
   # Download all artifacts and save them in the default path (~/.kubescape)
   kubescape download artifacts
-  download
+  
   # Download all artifacts and save them in /tmp path
   kubescape download artifacts --output /tmp
   
@@ -59,6 +59,10 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := flagValidationDownload(&downloadInfo); err != nil {
+				return err
+			}
+
 			if filepath.Ext(downloadInfo.Path) == ".json" {
 				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
 			}
@@ -80,3 +84,10 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 
 	return downloadCmd
 }
+
+// Check if the flag entered are valid
+func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
+
+	// Validate the user's credentials
+	return downloadInfo.Credentials.Validate()
+}

cmd/fix/fix.go

@@ -0,0 +1,45 @@
+package fix
+
+import (
+	"errors"
+
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+var fixCmdExamples = `
+  Fix command is for fixing kubernetes manifest files based on a scan command output.
+  Use with caution, this command will change your files in-place.
+
+  # Fix kubernetes YAML manifest files based on a scan command output (output.json)
+  1) kubescape scan --format json --format-version v2 --output output.json
+  2) kubescape fix output.json
+
+`
+
+func GetFixCmd(ks meta.IKubescape) *cobra.Command {
+	var fixInfo metav1.FixInfo
+
+	fixCmd := &cobra.Command{
+		Use:     "fix <report output file>",
+		Short:   "Fix misconfiguration in files",
+		Long:    ``,
+		Example: fixCmdExamples,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("report output file is required")
+			}
+			fixInfo.ReportFile = args[0]
+
+			return ks.Fix(&fixInfo)
+		},
+	}
+
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.NoConfirm, "no-confirm", false, "No confirmation will be given to the user before applying the fix (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.DryRun, "dry-run", false, "No changes will be applied (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.SkipUserValues, "skip-user-values", true, "Changes which involve user-defined values will be skipped")
+
+	return fixCmd
+}

cmd/list/list.go

@@ -51,6 +51,11 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationList(&listPolicies); err != nil {
+				return err
+			}
+
 			listPolicies.Target = args[0]
 
 			if err := ks.List(&listPolicies); err != nil {
@@ -67,3 +72,10 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 
 	return listCmd
 }
+
+// Check if the flag entered are valid
+func flagValidationList(listPolicies *v1.ListPolicies) error {
+
+	// Validate the user's credentials
+	return listPolicies.Credentials.Validate()
+}

cmd/root.go

@@ -10,9 +10,11 @@ import (
 	"github.com/kubescape/kubescape/v2/cmd/config"
 	"github.com/kubescape/kubescape/v2/cmd/delete"
 	"github.com/kubescape/kubescape/v2/cmd/download"
+	"github.com/kubescape/kubescape/v2/cmd/fix"
 	"github.com/kubescape/kubescape/v2/cmd/list"
 	"github.com/kubescape/kubescape/v2/cmd/scan"
 	"github.com/kubescape/kubescape/v2/cmd/submit"
+	"github.com/kubescape/kubescape/v2/cmd/update"
 	"github.com/kubescape/kubescape/v2/cmd/version"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
@@ -63,6 +65,7 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
 	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable Color output for logging")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable Color output for logging")
 
 	cobra.OnInitialize(initLogger, initLoggerLevel, initEnvironment, initCacheDir)
 
@@ -75,6 +78,8 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(completion.GetCompletionCmd())
 	rootCmd.AddCommand(version.GetVersionCmd())
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
+	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(fix.GetFixCmd(ks))
 
 	return rootCmd
 }

cmd/rootutils.go

@@ -16,6 +16,7 @@ const envFlagUsage = "Send report results to specific URL. Format:<ReportReceive
 
 func initLogger() {
 	logger.DisableColor(rootInfo.DisableColor)
+	logger.EnableColor(rootInfo.EnableColor)
 
 	if rootInfo.LoggerName == "" {
 		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {

cmd/scan/control.go

@@ -58,6 +58,10 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+			
 			// flagValidationControl(scanInfo)
 			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
 
@@ -70,7 +74,7 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {
-						scanInfo.InputPatterns = []string{args[1]}
+						scanInfo.InputPatterns = args[1:]
 					} else { // store stdin to file - do NOT move to separate function !!
 						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
 						if err != nil {
@@ -88,6 +92,10 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 
 			scanInfo.FrameworkScan = false
 
+			if err := validateControlScanInfo(scanInfo); err != nil {
+				return err
+			}
+
 			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
@@ -101,7 +109,19 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+			enforceSeverityThresholds(&results.GetResults().SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
+
 			return nil
 		},
 	}
 }
+
+// validateControlScanInfo validates the ScanInfo struct for the `control` command
+func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/scan/framework.go

@@ -1,12 +1,15 @@
 package scan
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -36,6 +39,8 @@ var (
 
   Run 'kubescape list frameworks' for the list of supported frameworks
 `
+
+	ErrUnknownSeverity = errors.New("unknown severity")
 )
 
 func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
@@ -62,7 +67,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
-			if err := flagValidationFramework(scanInfo); err != nil {
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
 				return err
 			}
 			scanInfo.FrameworkScan = true
@@ -80,7 +85,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 				}
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {
-						scanInfo.InputPatterns = []string{args[1]}
+						scanInfo.InputPatterns = args[1:]
 					} else { // store stdin to file - do NOT move to separate function !!
 						tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
 						if err != nil {
@@ -113,17 +118,95 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+
+			enforceSeverityThresholds(&results.GetData().Report.SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
 			return nil
 		},
 	}
 }
 
-func flagValidationFramework(scanInfo *cautils.ScanInfo) error {
+// countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
+func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
+	targetSeverity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(targetSeverity); err != nil {
+		return false, err
+	}
+
+	getFailedResourcesFuncsBySeverity := []struct {
+		SeverityName       string
+		GetFailedResources func() int
+	}{
+		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfResourcesWithLowSeverity},
+		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfResourcesWithMediumSeverity},
+		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfResourcesWithHighSeverity},
+		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfResourcesWithCriticalSeverity},
+	}
+
+	targetSeverityIdx := 0
+	for idx, description := range getFailedResourcesFuncsBySeverity {
+		if strings.EqualFold(description.SeverityName, targetSeverity) {
+			targetSeverityIdx = idx
+			break
+		}
+	}
+
+	for _, description := range getFailedResourcesFuncsBySeverity[targetSeverityIdx:] {
+		failedResourcesCount := description.GetFailedResources()
+		if failedResourcesCount > 0 {
+			return true, nil
+		}
+	}
+
+	return false, nil
+
+}
+
+// terminateOnExceedingSeverity terminates the application on exceeding severity
+func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l logger.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+}
+
+// enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
+//
+// The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
+func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, logger.ILogger)) {
+	// If a severity threshold is not set, we don’t need to enforce it
+	if scanInfo.FailThresholdSeverity == "" {
+		return
+	}
+
+	if val, err := countersExceedSeverityThreshold(severityCounters, scanInfo); val && err == nil {
+		onExceed(scanInfo, logger.L())
+	} else if err != nil {
+		logger.L().Fatal(err.Error())
+	}
+}
+
+// validateSeverity returns an error if a given severity is not known, nil otherwise
+func validateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+// validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
+func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
 	if scanInfo.Submit && scanInfo.Local {
 		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
 	}
 	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
 		return fmt.Errorf("bad argument: out of range threshold")
 	}
-	return nil
+
+	severity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+
+	// Validate the user's credentials
+	return scanInfo.Credentials.Validate()
 }

cmd/scan/scan.go

@@ -1,6 +1,7 @@
 package scan
 
 import (
+	"flag"
 	"fmt"
 
 	"github.com/kubescape/k8s-interface/k8sinterface"
@@ -10,10 +11,10 @@ import (
 )
 
 var scanCmdExamples = `
-  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defind frameworks 
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
   # Scan current cluster with all frameworks
-  kubescape scan --submit --enable-host-scan --verbose
+  kubescape scan --enable-host-scan --verbose
 
   # Scan kubernetes YAML manifest files
   kubescape scan *.yaml
@@ -70,30 +71,33 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
+
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html"`)
+
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
 	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to ARMO backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
 	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to ARMO management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.CustomClusterName, "cluster-name", "", "Set the custom name of the cluster. Not same as the kube-context flag")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 
-	// Deprecated flags - remove 1.May.2022
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
 	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
 
 	// hidden flags
 	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
-	scanCmd.PersistentFlags().MarkHidden("silent")         // this flag should be deprecated since we added the --logger support
-	// scanCmd.PersistentFlags().MarkHidden("format-version") // meant for testing different output approaches and not for common use
 
-	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
+	// Retrieve --kubeconfig flag from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cmd.go
+	scanCmd.PersistentFlags().AddGoFlag(flag.Lookup("kubeconfig"))
+
+	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
 	hostF.NoOptDefVal = "true"
 	hostF.DefValue = "false, for no TTY in stdin"
 

cmd/scan/scan_test.go

@@ -0,0 +1,254 @@
+package scan
+
+import (
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestExceedsSeverity(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		ScanInfo         *cautils.ScanInfo
+		SeverityCounters reportsummary.ISeverityCounters
+		Want             bool
+		Error            error
+	}{
+		{
+			Description:      "Critical failed resource should exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Critical failed resource should exceed Critical threshold set as constant",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource should not exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource does not exceed High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource does not exceed Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Unknown severity returns an error",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             false,
+			Error:            ErrUnknownSeverity,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			got, err := countersExceedSeverityThreshold(testCase.SeverityCounters, testCase.ScanInfo)
+			want := testCase.Want
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+
+			if err != testCase.Error {
+				t.Errorf(`got error "%v", want "%v"`, err, testCase.Error)
+			}
+		})
+	}
+}
+
+func Test_enforceSeverityThresholds(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		SeverityCounters *reportsummary.SeverityCounters
+		ScanInfo         *cautils.ScanInfo
+		Want             bool
+	}{
+		{
+			"Exceeding Critical severity counter should call the terminating function",
+			&reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			true,
+		},
+		{
+			"Non-exceeding severity counter should call not the terminating function",
+			&reportsummary.SeverityCounters{},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				severityCounters := tc.SeverityCounters
+				scanInfo := tc.ScanInfo
+				want := tc.Want
+
+				got := false
+				onExceed := func(*cautils.ScanInfo, logger.ILogger) {
+					got = true
+				}
+
+				enforceSeverityThresholds(severityCounters, scanInfo, onExceed)
+
+				if got != want {
+					t.Errorf("got: %v, want %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)    {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) SetLevel(level string) error                     { return nil }
+func (l *spyLogger) GetLevel() string                                { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                            {}
+func (l *spyLogger) GetWriter() *os.File                             { return &os.File{} }
+func (l *spyLogger) LoggerName() string                              { return "" }
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func Test_terminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				terminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}

cmd/scan/validators_test.go

@@ -0,0 +1,115 @@
+package scan
+
+import (
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"testing"
+)
+
+// Test_validateControlScanInfo tests how scan info is validated for the `scan control` command
+func Test_validateControlScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateControlScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+// Test_validateFrameworkScanInfo tests how scan info is validated for the `scan framework` command
+func Test_validateFrameworkScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateFrameworkScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func Test_validateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := validateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}

cmd/submit/exceptions.go

@@ -21,6 +21,11 @@ func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Comm
 			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
 			if err := ks.SubmitExceptions(&submitInfo.Credentials, args[0]); err != nil {
 				logger.L().Fatal(err.Error())
 			}

cmd/submit/rbac.go

@@ -37,10 +37,14 @@ func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 		Long:    ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
 			k8s := k8sinterface.NewKubernetesApi()
 
 			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
 			if err := clusterConfig.SetTenant(); err != nil {
 				logger.L().Error("failed setting account ID", helpers.Error(err))
 			}
@@ -77,9 +81,16 @@ func getKubernetesApi() *k8sinterface.KubernetesApi {
 	}
 	return k8sinterface.NewKubernetesApi()
 }
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
 	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName)
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName)
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
+}
+
+// Check if the flag entered are valid
+func flagValidationSubmit(submitInfo *v1.Submit) error {
+
+	// Validate the user's credentials
+	return submitInfo.Credentials.Validate()
 }

cmd/submit/results.go

@@ -54,6 +54,11 @@ func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 		Short: "Submit a pre scanned results file. The file must be in json format",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
 			if len(args) == 0 {
 				return fmt.Errorf("missing results file")
 			}
@@ -61,7 +66,7 @@ func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 			k8s := getKubernetesApi()
 
 			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
 			if err := clusterConfig.SetTenant(); err != nil {
 				logger.L().Error("failed setting account ID", helpers.Error(err))
 			}

cmd/update/update.go

@@ -0,0 +1,59 @@
+package update
+
+//This update command updates to the latest kubescape release.
+//Example:-
+//          kubescape update
+
+import (
+	"os/exec"
+	"runtime"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+func GetUpdateCmd() *cobra.Command {
+	updateCmd := &cobra.Command{
+		Use:   "update",
+		Short: "Update your version",
+		Long:  ``,
+		RunE: func(_ *cobra.Command, args []string) error {
+			//Checking the user's version of kubescape to the latest release
+			if cautils.BuildNumber == cautils.LatestReleaseVersion {
+				//your version == latest version
+				logger.L().Info(("You are in the latest version"))
+			} else {
+
+				const OSTYPE string = runtime.GOOS
+				var ShellToUse string
+				switch OSTYPE {
+
+				case "windows":
+					cautils.StartSpinner()
+					//run the installation command for windows
+					ShellToUse = "powershell"
+					_, err := exec.Command(ShellToUse, "-c", "iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex").Output()
+
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+					cautils.StopSpinner()
+
+				default:
+					ShellToUse = "bash"
+					cautils.StartSpinner()
+					//run the installation command for linux and macOS
+					_, err := exec.Command(ShellToUse, "-c", "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash").Output()
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+
+					cautils.StopSpinner()
+				}
+			}
+			return nil
+		},
+	}
+	return updateCmd
+}

core/cautils/customerloader.go

@@ -5,11 +5,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	corev1 "k8s.io/api/core/v1"
@@ -31,6 +33,10 @@ type ConfigObj struct {
 	Token              string `json:"invitationParam,omitempty"`
 	CustomerAdminEMail string `json:"adminMail,omitempty"`
 	ClusterName        string `json:"clusterName,omitempty"`
+	CloudReportURL     string `json:"cloudReportURL,omitempty"`
+	CloudAPIURL        string `json:"cloudAPIURL,omitempty"`
+	CloudUIURL         string `json:"cloudUIURL,omitempty"`
+	CloudAuthURL       string `json:"cloudAuthURL,omitempty"`
 }
 
 // Config - convert ConfigObj to config file
@@ -74,6 +80,10 @@ type ITenantConfig interface {
 	GetClientID() string
 	GetSecretKey() string
 	GetConfigObj() *ConfigObj
+	GetCloudReportURL() string
+	GetCloudAPIURL() string
+	GetCloudUIURL() string
+	GetCloudAuthURL() string
 	// GetBackendAPI() getter.IBackend
 	// GenerateURL()
 
@@ -90,7 +100,7 @@ type LocalConfig struct {
 }
 
 func NewLocalConfig(
-	backendAPI getter.IBackend, credentials *Credentials, clusterName string) *LocalConfig {
+	backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *LocalConfig {
 
 	lc := &LocalConfig{
 		backendAPI: backendAPI,
@@ -102,26 +112,55 @@ func NewLocalConfig(
 	}
 
 	updateCredentials(lc.configObj, credentials)
+	updateCloudURLs(lc.configObj)
 
-	if clusterName != "" {
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		lc.configObj.ClusterName = AdoptClusterName(customClusterName)
+	} else if clusterName != "" {
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
 	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
 	lc.backendAPI.SetClientID(lc.configObj.ClientID)
 	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
+	if lc.configObj.CloudAPIURL != "" {
+		lc.backendAPI.SetCloudAPIURL(lc.configObj.CloudAPIURL)
+	} else {
+		lc.configObj.CloudAPIURL = lc.backendAPI.GetCloudAPIURL()
+	}
+	if lc.configObj.CloudAuthURL != "" {
+		lc.backendAPI.SetCloudAuthURL(lc.configObj.CloudAuthURL)
+	} else {
+		lc.configObj.CloudAuthURL = lc.backendAPI.GetCloudAuthURL()
+	}
+	if lc.configObj.CloudReportURL != "" {
+		lc.backendAPI.SetCloudReportURL(lc.configObj.CloudReportURL)
+	} else {
+		lc.configObj.CloudReportURL = lc.backendAPI.GetCloudReportURL()
+	}
+	if lc.configObj.CloudUIURL != "" {
+		lc.backendAPI.SetCloudUIURL(lc.configObj.CloudUIURL)
+	} else {
+		lc.configObj.CloudUIURL = lc.backendAPI.GetCloudUIURL()
+	}
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", lc.backendAPI.GetCloudAPIURL()), helpers.String("auth", lc.backendAPI.GetCloudAuthURL()), helpers.String("report", lc.backendAPI.GetCloudReportURL()), helpers.String("UI", lc.backendAPI.GetCloudUIURL()))
 
 	return lc
 }
 
-func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
-func (lc *LocalConfig) GetTenantEmail() string   { return lc.configObj.CustomerAdminEMail }
-func (lc *LocalConfig) GetAccountID() string     { return lc.configObj.AccountID }
-func (lc *LocalConfig) GetClientID() string      { return lc.configObj.ClientID }
-func (lc *LocalConfig) GetSecretKey() string     { return lc.configObj.SecretKey }
-func (lc *LocalConfig) GetContextName() string   { return lc.configObj.ClusterName }
-func (lc *LocalConfig) GetToken() string         { return lc.configObj.Token }
-func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
+func (lc *LocalConfig) GetConfigObj() *ConfigObj  { return lc.configObj }
+func (lc *LocalConfig) GetTenantEmail() string    { return lc.configObj.CustomerAdminEMail }
+func (lc *LocalConfig) GetAccountID() string      { return lc.configObj.AccountID }
+func (lc *LocalConfig) GetClientID() string       { return lc.configObj.ClientID }
+func (lc *LocalConfig) GetSecretKey() string      { return lc.configObj.SecretKey }
+func (lc *LocalConfig) GetContextName() string    { return lc.configObj.ClusterName }
+func (lc *LocalConfig) GetToken() string          { return lc.configObj.Token }
+func (lc *LocalConfig) GetCloudReportURL() string { return lc.configObj.CloudReportURL }
+func (lc *LocalConfig) GetCloudAPIURL() string    { return lc.configObj.CloudAPIURL }
+func (lc *LocalConfig) GetCloudUIURL() string     { return lc.configObj.CloudUIURL }
+func (lc *LocalConfig) GetCloudAuthURL() string   { return lc.configObj.CloudAuthURL }
+func (lc *LocalConfig) IsConfigFound() bool       { return existsConfigFile() }
 func (lc *LocalConfig) SetTenant() error {
 
 	// Kubescape Cloud tenant GUID
@@ -178,18 +217,18 @@ KS_ACCOUNT_ID
 KS_CLIENT_ID
 KS_SECRET_KEY
 
-TODO - supprot:
+TODO - support:
 KS_CACHE // path to cached files
 */
 type ClusterConfig struct {
+	backendAPI         getter.IBackend
 	k8s                *k8sinterface.KubernetesApi
+	configObj          *ConfigObj
 	configMapName      string
 	configMapNamespace string
-	backendAPI         getter.IBackend
-	configObj          *ConfigObj
 }
 
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string) *ClusterConfig {
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *ClusterConfig {
 	// var configObj *ConfigObj
 	c := &ClusterConfig{
 		k8s:                k8s,
@@ -209,8 +248,12 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 		loadConfigFromFile(c.configObj)
 	}
 	updateCredentials(c.configObj, credentials)
+	updateCloudURLs(c.configObj)
 
-	if clusterName != "" {
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		c.configObj.ClusterName = AdoptClusterName(customClusterName)
+	} else if clusterName != "" {
 		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
@@ -223,18 +266,44 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	c.backendAPI.SetAccountID(c.configObj.AccountID)
 	c.backendAPI.SetClientID(c.configObj.ClientID)
 	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
+	if c.configObj.CloudAPIURL != "" {
+		c.backendAPI.SetCloudAPIURL(c.configObj.CloudAPIURL)
+	} else {
+		c.configObj.CloudAPIURL = c.backendAPI.GetCloudAPIURL()
+	}
+	if c.configObj.CloudAuthURL != "" {
+		c.backendAPI.SetCloudAuthURL(c.configObj.CloudAuthURL)
+	} else {
+		c.configObj.CloudAuthURL = c.backendAPI.GetCloudAuthURL()
+	}
+	if c.configObj.CloudReportURL != "" {
+		c.backendAPI.SetCloudReportURL(c.configObj.CloudReportURL)
+	} else {
+		c.configObj.CloudReportURL = c.backendAPI.GetCloudReportURL()
+	}
+	if c.configObj.CloudUIURL != "" {
+		c.backendAPI.SetCloudUIURL(c.configObj.CloudUIURL)
+	} else {
+		c.configObj.CloudUIURL = c.backendAPI.GetCloudUIURL()
+	}
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", c.backendAPI.GetCloudAPIURL()), helpers.String("auth", c.backendAPI.GetCloudAuthURL()), helpers.String("report", c.backendAPI.GetCloudReportURL()), helpers.String("UI", c.backendAPI.GetCloudUIURL()))
 
 	return c
 }
 
-func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
-func (c *ClusterConfig) GetDefaultNS() string     { return c.configMapNamespace }
-func (c *ClusterConfig) GetAccountID() string     { return c.configObj.AccountID }
-func (c *ClusterConfig) GetClientID() string      { return c.configObj.ClientID }
-func (c *ClusterConfig) GetSecretKey() string     { return c.configObj.SecretKey }
-func (c *ClusterConfig) GetTenantEmail() string   { return c.configObj.CustomerAdminEMail }
-func (c *ClusterConfig) GetToken() string         { return c.configObj.Token }
-func (c *ClusterConfig) IsConfigFound() bool      { return existsConfigFile() || c.existsConfigMap() }
+func (c *ClusterConfig) GetConfigObj() *ConfigObj  { return c.configObj }
+func (c *ClusterConfig) GetDefaultNS() string      { return c.configMapNamespace }
+func (c *ClusterConfig) GetAccountID() string      { return c.configObj.AccountID }
+func (c *ClusterConfig) GetClientID() string       { return c.configObj.ClientID }
+func (c *ClusterConfig) GetSecretKey() string      { return c.configObj.SecretKey }
+func (c *ClusterConfig) GetTenantEmail() string    { return c.configObj.CustomerAdminEMail }
+func (c *ClusterConfig) GetToken() string          { return c.configObj.Token }
+func (c *ClusterConfig) GetCloudReportURL() string { return c.configObj.CloudReportURL }
+func (c *ClusterConfig) GetCloudAPIURL() string    { return c.configObj.CloudAPIURL }
+func (c *ClusterConfig) GetCloudUIURL() string     { return c.configObj.CloudUIURL }
+func (c *ClusterConfig) GetCloudAuthURL() string   { return c.configObj.CloudAuthURL }
+
+func (c *ClusterConfig) IsConfigFound() bool { return existsConfigFile() || c.existsConfigMap() }
 
 func (c *ClusterConfig) SetTenant() error {
 
@@ -468,7 +537,11 @@ func DeleteConfigFile() error {
 }
 
 func AdoptClusterName(clusterName string) string {
-	return strings.ReplaceAll(clusterName, "/", "-")
+	re, err := regexp.Compile(`[^\w]+`)
+	if err != nil {
+		return clusterName
+	}
+	return re.ReplaceAllString(clusterName, "-")
 }
 
 func getConfigMapName() string {
@@ -516,3 +589,39 @@ func updateCredentials(configObj *ConfigObj, credentials *Credentials) {
 	}
 
 }
+
+func getCloudURLsFromEnv(cloudURLs *CloudURLs) {
+	// load from env
+	if cloudAPIURL := os.Getenv("KS_CLOUD_API_URL"); cloudAPIURL != "" {
+		cloudURLs.CloudAPIURL = cloudAPIURL
+	}
+	if cloudAuthURL := os.Getenv("KS_CLOUD_AUTH_URL"); cloudAuthURL != "" {
+		cloudURLs.CloudAuthURL = cloudAuthURL
+	}
+	if cloudReportURL := os.Getenv("KS_CLOUD_REPORT_URL"); cloudReportURL != "" {
+		cloudURLs.CloudReportURL = cloudReportURL
+	}
+	if cloudUIURL := os.Getenv("KS_CLOUD_UI_URL"); cloudUIURL != "" {
+		cloudURLs.CloudUIURL = cloudUIURL
+	}
+}
+
+func updateCloudURLs(configObj *ConfigObj) {
+	cloudURLs := &CloudURLs{}
+
+	getCloudURLsFromEnv(cloudURLs)
+
+	if cloudURLs.CloudAPIURL != "" {
+		configObj.CloudAPIURL = cloudURLs.CloudAPIURL // override config CloudAPIURL
+	}
+	if cloudURLs.CloudAuthURL != "" {
+		configObj.CloudAuthURL = cloudURLs.CloudAuthURL // override config CloudAuthURL
+	}
+	if cloudURLs.CloudReportURL != "" {
+		configObj.CloudReportURL = cloudURLs.CloudReportURL // override config CloudReportURL
+	}
+	if cloudURLs.CloudUIURL != "" {
+		configObj.CloudUIURL = cloudURLs.CloudUIURL // override config CloudUIURL
+	}
+
+}

core/cautils/customerloader_test.go

@@ -2,6 +2,7 @@ package cautils
 
 import (
 	"encoding/json"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -16,6 +17,10 @@ func mockConfigObj() *ConfigObj {
 		ClusterName:        "ddd",
 		CustomerAdminEMail: "ab@cd",
 		Token:              "eee",
+		CloudReportURL:     "report.armo.cloud",
+		CloudAPIURL:        "api.armosec.io",
+		CloudUIURL:         "cloud.armosec.io",
+		CloudAuthURL:       "auth.armosec.io",
 	}
 }
 func mockLocalConfig() *LocalConfig {
@@ -39,6 +44,10 @@ func TestConfig(t *testing.T) {
 	assert.Equal(t, co.AccountID, cop.AccountID)
 	assert.Equal(t, co.ClientID, cop.ClientID)
 	assert.Equal(t, co.SecretKey, cop.SecretKey)
+	assert.Equal(t, co.CloudReportURL, cop.CloudReportURL)
+	assert.Equal(t, co.CloudAPIURL, cop.CloudAPIURL)
+	assert.Equal(t, co.CloudUIURL, cop.CloudUIURL)
+	assert.Equal(t, co.CloudAuthURL, cop.CloudAuthURL)
 	assert.Equal(t, "", cop.ClusterName)        // Not copied to bytes
 	assert.Equal(t, "", cop.CustomerAdminEMail) // Not copied to bytes
 	assert.Equal(t, "", cop.Token)              // Not copied to bytes
@@ -60,6 +69,10 @@ func TestITenantConfig(t *testing.T) {
 	assert.Equal(t, co.ClusterName, lc.GetContextName())
 	assert.Equal(t, co.CustomerAdminEMail, lc.GetTenantEmail())
 	assert.Equal(t, co.Token, lc.GetToken())
+	assert.Equal(t, co.CloudReportURL, lc.GetCloudReportURL())
+	assert.Equal(t, co.CloudAPIURL, lc.GetCloudAPIURL())
+	assert.Equal(t, co.CloudUIURL, lc.GetCloudUIURL())
+	assert.Equal(t, co.CloudAuthURL, lc.GetCloudAuthURL())
 
 	// test ClusterConfig methods
 	assert.Equal(t, co.AccountID, c.GetAccountID())
@@ -68,6 +81,10 @@ func TestITenantConfig(t *testing.T) {
 	assert.Equal(t, co.ClusterName, c.GetContextName())
 	assert.Equal(t, co.CustomerAdminEMail, c.GetTenantEmail())
 	assert.Equal(t, co.Token, c.GetToken())
+	assert.Equal(t, co.CloudReportURL, c.GetCloudReportURL())
+	assert.Equal(t, co.CloudAPIURL, c.GetCloudAPIURL())
+	assert.Equal(t, co.CloudUIURL, c.GetCloudUIURL())
+	assert.Equal(t, co.CloudAuthURL, c.GetCloudAuthURL())
 }
 
 func TestUpdateConfigData(t *testing.T) {
@@ -80,6 +97,10 @@ func TestUpdateConfigData(t *testing.T) {
 	assert.Equal(t, c.GetAccountID(), configMap.Data["accountID"])
 	assert.Equal(t, c.GetClientID(), configMap.Data["clientID"])
 	assert.Equal(t, c.GetSecretKey(), configMap.Data["secretKey"])
+	assert.Equal(t, c.GetCloudReportURL(), configMap.Data["cloudReportURL"])
+	assert.Equal(t, c.GetCloudAPIURL(), configMap.Data["cloudAPIURL"])
+	assert.Equal(t, c.GetCloudUIURL(), configMap.Data["cloudUIURL"])
+	assert.Equal(t, c.GetCloudAuthURL(), configMap.Data["cloudAuthURL"])
 }
 
 func TestReadConfig(t *testing.T) {
@@ -97,6 +118,10 @@ func TestReadConfig(t *testing.T) {
 	assert.Equal(t, com.ClusterName, co.ClusterName)
 	assert.Equal(t, com.CustomerAdminEMail, co.CustomerAdminEMail)
 	assert.Equal(t, com.Token, co.Token)
+	assert.Equal(t, com.CloudReportURL, co.CloudReportURL)
+	assert.Equal(t, com.CloudAPIURL, co.CloudAPIURL)
+	assert.Equal(t, com.CloudUIURL, co.CloudUIURL)
+	assert.Equal(t, com.CloudAuthURL, co.CloudAuthURL)
 }
 
 func TestLoadConfigFromData(t *testing.T) {
@@ -120,6 +145,10 @@ func TestLoadConfigFromData(t *testing.T) {
 		assert.Equal(t, c.GetContextName(), co.ClusterName)
 		assert.Equal(t, c.GetTenantEmail(), co.CustomerAdminEMail)
 		assert.Equal(t, c.GetToken(), co.Token)
+		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
+		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
+		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
+		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: all data is in config.json
@@ -139,6 +168,10 @@ func TestLoadConfigFromData(t *testing.T) {
 		assert.Equal(t, c.GetAccountID(), co.AccountID)
 		assert.Equal(t, c.GetClientID(), co.ClientID)
 		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
+		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
+		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
+		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
+		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: some data is in config.json
@@ -151,10 +184,12 @@ func TestLoadConfigFromData(t *testing.T) {
 		// add to map
 		configMap.Data["clientID"] = c.configObj.ClientID
 		configMap.Data["secretKey"] = c.configObj.SecretKey
+		configMap.Data["cloudReportURL"] = c.configObj.CloudReportURL
 
 		// delete the content
 		c.configObj.ClientID = ""
 		c.configObj.SecretKey = ""
+		c.configObj.CloudReportURL = ""
 
 		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
 		loadConfigFromData(c.configObj, configMap.Data)
@@ -162,6 +197,7 @@ func TestLoadConfigFromData(t *testing.T) {
 		assert.NotEmpty(t, c.GetAccountID())
 		assert.NotEmpty(t, c.GetClientID())
 		assert.NotEmpty(t, c.GetSecretKey())
+		assert.NotEmpty(t, c.GetCloudReportURL())
 	}
 
 	// use case: some data is in config.json
@@ -191,3 +227,44 @@ func TestLoadConfigFromData(t *testing.T) {
 	}
 
 }
+
+func TestAdoptClusterName(t *testing.T) {
+	tests := []struct {
+		name        string
+		clusterName string
+		want        string
+	}{
+		{
+			name:        "replace 1",
+			clusterName: "my-name__is--ks",
+			want:        "my-name__is-ks",
+		},
+		{
+			name:        "replace 2",
+			clusterName: "my-name1",
+			want:        "my-name1",
+		},
+		{
+			name:        "replace 3",
+			clusterName: "my:name",
+			want:        "my-name",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := AdoptClusterName(tt.clusterName); got != tt.want {
+				t.Errorf("AdoptClusterName() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestUpdateCloudURLs(t *testing.T) {
+	co := mockConfigObj()
+	mockCloudAPIURL := "1-2-3-4.com"
+	os.Setenv("KS_CLOUD_API_URL", mockCloudAPIURL)
+
+	assert.NotEqual(t, co.CloudAPIURL, mockCloudAPIURL)
+	updateCloudURLs(co)
+	assert.Equal(t, co.CloudAPIURL, mockCloudAPIURL)
+}

core/cautils/datastructures.go

@@ -5,6 +5,7 @@ import (
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
 	apis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/prioritization"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 )
@@ -14,15 +15,17 @@ type K8SResources map[string][]string
 type KSResources map[string][]string
 
 type OPASessionObj struct {
-	K8SResources          *K8SResources                          // input k8s objects
-	ArmoResource          *KSResources                           // input ARMO objects
-	Policies              []reporthandling.Framework             // list of frameworks to scan
-	AllResources          map[string]workloadinterface.IMetadata // all scanned resources, map[<rtesource ID>]<resource>
-	ResourcesResult       map[string]resourcesresults.Result     // resources scan results, map[<rtesource ID>]<resource result>
-	ResourceSource        map[string]reporthandling.Source       // resources sources, map[<rtesource ID>]<resource result>
-	Report                *reporthandlingv2.PostureReport        // scan results v2 - Remove
-	Exceptions            []armotypes.PostureExceptionPolicy     // list of exceptions to apply on scan results
-	RegoInputData         RegoInputData                          // input passed to rgo for scanning. map[<control name>][<input arguments>]
+	K8SResources          *K8SResources                                 // input k8s objects
+	ArmoResource          *KSResources                                  // input ARMO objects
+	AllPolicies           *Policies                                     // list of all frameworks
+	Policies              []reporthandling.Framework                    // list of frameworks to scan
+	AllResources          map[string]workloadinterface.IMetadata        // all scanned resources, map[<resource ID>]<resource>
+	ResourcesResult       map[string]resourcesresults.Result            // resources scan results, map[<resource ID>]<resource result>
+	ResourceSource        map[string]reporthandling.Source              // resources sources, map[<resource ID>]<resource result>
+	ResourcesPrioritized  map[string]prioritization.PrioritizedResource // resources prioritization information, map[<resource ID>]<prioritized resource>
+	Report                *reporthandlingv2.PostureReport               // scan results v2 - Remove
+	Exceptions            []armotypes.PostureExceptionPolicy            // list of exceptions to apply on scan results
+	RegoInputData         RegoInputData                                 // input passed to rego for scanning. map[<control name>][<input arguments>]
 	Metadata              *reporthandlingv2.Metadata
 	InfoMap               map[string]apis.StatusInfo // Map errors of resources to StatusInfo
 	ResourceToControlsMap map[string][]string        // map[<apigroup/apiversion/resource>] = [<control_IDs>]
@@ -36,6 +39,7 @@ func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SRe
 		K8SResources:          k8sResources,
 		AllResources:          make(map[string]workloadinterface.IMetadata),
 		ResourcesResult:       make(map[string]resourcesresults.Result),
+		ResourcesPrioritized:  make(map[string]prioritization.PrioritizedResource),
 		InfoMap:               make(map[string]apis.StatusInfo),
 		ResourceToControlsMap: make(map[string][]string),
 		ResourceSource:        make(map[string]reporthandling.Source),
@@ -63,11 +67,12 @@ func (sessionObj *OPASessionObj) SetNumberOfWorkerNodes(n int) {
 
 func NewOPASessionObjMock() *OPASessionObj {
 	return &OPASessionObj{
-		Policies:        nil,
-		K8SResources:    nil,
-		AllResources:    make(map[string]workloadinterface.IMetadata),
-		ResourcesResult: make(map[string]resourcesresults.Result),
-		Report:          &reporthandlingv2.PostureReport{},
+		Policies:             nil,
+		K8SResources:         nil,
+		AllResources:         make(map[string]workloadinterface.IMetadata),
+		ResourcesResult:      make(map[string]resourcesresults.Result),
+		ResourcesPrioritized: make(map[string]prioritization.PrioritizedResource),
+		Report:               &reporthandlingv2.PostureReport{},
 		Metadata: &reporthandlingv2.Metadata{
 			ScanMetadata: reporthandlingv2.ScanMetadata{
 				ScanningTarget: 0,
@@ -94,6 +99,6 @@ type RegoInputData struct {
 }
 
 type Policies struct {
-	Frameworks []string
 	Controls   map[string]reporthandling.Control // map[<control ID>]<control>
+	Frameworks []string
 }

core/cautils/fileutils.go

@@ -15,7 +15,7 @@ import (
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 var (
@@ -30,7 +30,7 @@ const (
 	JSON_FILE_FORMAT FileFormat = "json"
 )
 
-// LoadResourcesFromHelmCharts scans a given path (recuresively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
+// LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
 func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
 	directories, _ := listDirs(basePath)
 	helmDirectories := make([]string, 0)
@@ -47,7 +47,7 @@ func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterfac
 		if err == nil {
 			wls, errs := chart.GetWorkloadsWithDefaultValues()
 			if len(errs) > 0 {
-				logger.L().Error(fmt.Sprintf("Rendering of Helm chart template failed: %v", errs))
+				logger.L().Error(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
 
@@ -61,6 +61,41 @@ func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterfac
 	return sourceToWorkloads, sourceToChartName
 }
 
+// If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
+// generate yaml files using "Kustomize" & renders a map of workloads from those yaml files
+func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workloadinterface.IMetadata, string) {
+	isKustomizeDirectory := IsKustomizeDirectory(basePath)
+	isKustomizeFile := IsKustomizeFile(basePath)
+	if ok := isKustomizeDirectory || isKustomizeFile; !ok {
+		return nil, ""
+	}
+
+	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
+	kustomizeDirectory := NewKustomizeDirectory(basePath)
+
+	var newBasePath string
+
+	if isKustomizeFile {
+		newBasePath = filepath.Dir(basePath)
+		logger.L().Info("Kustomize File Detected, Scanning the rendered Kubernetes Objects...")
+	} else {
+		newBasePath = basePath
+		logger.L().Info("Kustomize Directory Detected, Scanning the rendered Kubernetes Objects...")
+	}
+
+	wls, errs := kustomizeDirectory.GetWorkloads(newBasePath)
+	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
+
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
+	}
+
+	for k, v := range wls {
+		sourceToWorkloads[k] = v
+	}
+	return sourceToWorkloads, kustomizeDirectoryName
+}
+
 func LoadResourcesFromFiles(input, rootPath string) map[string][]workloadinterface.IMetadata {
 	files, errs := listFiles(input)
 	if len(errs) > 0 {
@@ -104,9 +139,9 @@ func loadFiles(rootPath string, filePaths []string) (map[string][]workloadinterf
 			for j := range w {
 				lw := localworkload.NewLocalWorkload(w[j].GetObject())
 				if relPath, err := filepath.Rel(rootPath, path); err == nil {
-					lw.SetPath(relPath)
+					lw.SetPath(fmt.Sprintf("%s:%d", relPath, j))
 				} else {
-					lw.SetPath(path)
+					lw.SetPath(fmt.Sprintf("%s:%d", path, j))
 				}
 				wSlice = append(wSlice, lw)
 			}
@@ -190,8 +225,10 @@ func readYamlFile(yamlFile []byte) ([]workloadinterface.IMetadata, error) {
 		}
 		if obj, ok := j.(map[string]interface{}); ok {
 			if o := objectsenvelopes.NewObject(obj); o != nil {
-				if o.GetKind() == "List" {
-					yamlObjs = append(yamlObjs, handleListObject(o)...)
+				if o.GetObjectType() == workloadinterface.TypeListWorkloads {
+					if list := workloadinterface.NewListWorkloadsObj(o.GetObject()); list != nil {
+						yamlObjs = append(yamlObjs, list.GetItems()...)
+					}
 				} else {
 					yamlObjs = append(yamlObjs, o)
 				}
@@ -260,7 +297,7 @@ func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
 			return err
 		}
 
-		// listing only directotries
+		// listing only directories
 		if onlyDirectories {
 			if info.IsDir() {
 				if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {
@@ -323,20 +360,3 @@ func GetFileFormat(filePath string) FileFormat {
 		return FileFormat(filePath)
 	}
 }
-
-// handleListObject handle a List manifest
-func handleListObject(obj workloadinterface.IMetadata) []workloadinterface.IMetadata {
-	yamlObjs := []workloadinterface.IMetadata{}
-	if i, ok := workloadinterface.InspectMap(obj.GetObject(), "items"); ok && i != nil {
-		if items, ok := i.([]interface{}); ok && items != nil {
-			for item := range items {
-				if m, ok := items[item].(map[string]interface{}); ok && m != nil {
-					if o := objectsenvelopes.NewObject(m); o != nil {
-						yamlObjs = append(yamlObjs, o)
-					}
-				}
-			}
-		}
-	}
-	return yamlObjs
-}

core/cautils/getter/datastructures.go

@@ -8,8 +8,8 @@ type FeLoginData struct {
 type FeLoginResponse struct {
 	Token        string `json:"accessToken"`
 	RefreshToken string `json:"refreshToken"`
-	ExpiresIn    int32  `json:"expiresIn"`
 	Expires      string `json:"expires"`
+	ExpiresIn    int32  `json:"expiresIn"`
 }
 
 type KSCloudSelectCustomer struct {

core/cautils/getter/downloadreleasedpolicy.go

@@ -3,8 +3,10 @@ package getter
 import (
 	"strings"
 
+	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/opa-utils/gitregostore"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 // =======================================================================================================================
@@ -70,6 +72,14 @@ func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[st
 	return defaultConfigInputs.Settings.PostureControlInputs, err
 }
 
+func (drp *DownloadReleasedPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	attackTracks, err := drp.gs.GetAttackTracks()
+	if err != nil {
+		return nil, err
+	}
+	return attackTracks, err
+}
+
 func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
 	fwNames, err := drp.gs.GetOPAFrameworksNamesList()
 	if len(fwNames) != 0 && err == nil {
@@ -90,3 +100,11 @@ func contains(s []string, str string) bool {
 	}
 	return false
 }
+
+func (drp *DownloadReleasedPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions, err := drp.gs.GetSystemPostureExceptionPolicies()
+	if err != nil {
+		return nil, err
+	}
+	return exceptions, nil
+}

core/cautils/getter/gcpcloudapi.go

@@ -0,0 +1,42 @@
+package getter
+
+import (
+	"context"
+	"os"
+
+	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
+)
+
+type GCPCloudAPI struct {
+	credentialsPath  string
+	context          context.Context
+	client           *containeranalysis.Client
+	projectID        string
+	credentialsCheck bool
+}
+
+func GetGlobalGCPCloudAPIConnector() *GCPCloudAPI {
+
+	if os.Getenv("KS_GCP_CREDENTIALS_PATH") == "" || os.Getenv("KS_GCP_PROJECT_ID") == "" {
+		return &GCPCloudAPI{
+			credentialsCheck: false,
+		}
+	} else {
+		return &GCPCloudAPI{
+			context:          context.Background(),
+			credentialsPath:  os.Getenv("KS_GCP_CREDENTIALS_PATH"),
+			projectID:        os.Getenv("KS_GCP_PROJECT_ID"),
+			credentialsCheck: true,
+		}
+	}
+}
+
+func (api *GCPCloudAPI) SetClient(client *containeranalysis.Client) {
+	api.client = client
+}
+
+func (api *GCPCloudAPI) GetCredentialsPath() string           { return api.credentialsPath }
+func (api *GCPCloudAPI) GetClient() *containeranalysis.Client { return api.client }
+func (api *GCPCloudAPI) GetProjectID() string                 { return api.projectID }
+func (api *GCPCloudAPI) GetCredentialsCheck() bool            { return api.credentialsCheck }
+func (api *GCPCloudAPI) GetContext() context.Context          { return api.context }

core/cautils/getter/getpolicies.go

@@ -3,6 +3,7 @@ package getter
 import (
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 // supported listing
@@ -27,10 +28,18 @@ type IBackend interface {
 	GetAccountID() string
 	GetClientID() string
 	GetSecretKey() string
+	GetCloudReportURL() string
+	GetCloudAPIURL() string
+	GetCloudUIURL() string
+	GetCloudAuthURL() string
 
 	SetAccountID(accountID string)
 	SetClientID(clientID string)
 	SetSecretKey(secretKey string)
+	SetCloudReportURL(cloudReportURL string)
+	SetCloudAPIURL(cloudAPIURL string)
+	SetCloudUIURL(cloudUIURL string)
+	SetCloudAuthURL(cloudAuthURL string)
 
 	GetTenant() (*TenantResponse, error)
 }
@@ -38,3 +47,7 @@ type IBackend interface {
 type IControlsInputsGetter interface {
 	GetControlsInputs(clusterName string) (map[string][]string, error)
 }
+
+type IAttackTracksGetter interface {
+	GetAttackTracks() ([]v1alpha1.AttackTrack, error)
+}

core/cautils/getter/kscloudapi.go

@@ -10,9 +10,8 @@ import (
 	"time"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 var (
@@ -34,23 +33,22 @@ var (
 
 // KSCloudAPI allows accessing the API of the Kubescape Cloud offering
 type KSCloudAPI struct {
-	httpClient *http.Client
-	apiURL     string
-	authURL    string
-	erURL      string
-	feURL      string
-	accountID  string
-	clientID   string
-	secretKey  string
-	feToken    FeLoginResponse
-	authCookie string
-	loggedIn   bool
+	httpClient     *http.Client
+	cloudAPIURL    string
+	cloudAuthURL   string
+	cloudReportURL string
+	cloudUIURL     string
+	accountID      string
+	clientID       string
+	secretKey      string
+	authCookie     string
+	feToken        FeLoginResponse
+	loggedIn       bool
 }
 
 var globalKSCloudAPIConnector *KSCloudAPI
 
 func SetKSCloudAPIConnector(ksCloudAPI *KSCloudAPI) {
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", ksCloudAPI.apiURL), helpers.String("auth", ksCloudAPI.authURL), helpers.String("report", ksCloudAPI.erURL), helpers.String("UI", ksCloudAPI.feURL))
 	globalKSCloudAPIConnector = ksCloudAPI
 }
 
@@ -64,10 +62,10 @@ func GetKSCloudAPIConnector() *KSCloudAPI {
 func NewKSCloudAPIDev() *KSCloudAPI {
 	apiObj := newKSCloudAPI()
 
-	apiObj.apiURL = ksCloudDevBEURL
-	apiObj.authURL = ksCloudDevAUTHURL
-	apiObj.erURL = ksCloudDevERURL
-	apiObj.feURL = ksCloudDevFEURL
+	apiObj.cloudAPIURL = ksCloudDevBEURL
+	apiObj.cloudAuthURL = ksCloudDevAUTHURL
+	apiObj.cloudReportURL = ksCloudDevERURL
+	apiObj.cloudUIURL = ksCloudDevFEURL
 
 	return apiObj
 }
@@ -75,10 +73,10 @@ func NewKSCloudAPIDev() *KSCloudAPI {
 func NewKSCloudAPIProd() *KSCloudAPI {
 	apiObj := newKSCloudAPI()
 
-	apiObj.apiURL = ksCloudBEURL
-	apiObj.erURL = ksCloudERURL
-	apiObj.feURL = ksCloudFEURL
-	apiObj.authURL = ksCloudAUTHURL
+	apiObj.cloudAPIURL = ksCloudBEURL
+	apiObj.cloudReportURL = ksCloudERURL
+	apiObj.cloudUIURL = ksCloudFEURL
+	apiObj.cloudAuthURL = ksCloudAUTHURL
 
 	return apiObj
 }
@@ -86,10 +84,10 @@ func NewKSCloudAPIProd() *KSCloudAPI {
 func NewKSCloudAPIStaging() *KSCloudAPI {
 	apiObj := newKSCloudAPI()
 
-	apiObj.apiURL = ksCloudStageBEURL
-	apiObj.erURL = ksCloudStageERURL
-	apiObj.feURL = ksCloudStageFEURL
-	apiObj.authURL = ksCloudStageAUTHURL
+	apiObj.cloudAPIURL = ksCloudStageBEURL
+	apiObj.cloudReportURL = ksCloudStageERURL
+	apiObj.cloudUIURL = ksCloudStageFEURL
+	apiObj.cloudAuthURL = ksCloudStageAUTHURL
 
 	return apiObj
 }
@@ -97,10 +95,10 @@ func NewKSCloudAPIStaging() *KSCloudAPI {
 func NewKSCloudAPICustomized(ksCloudERURL, ksCloudBEURL, ksCloudFEURL, ksCloudAUTHURL string) *KSCloudAPI {
 	apiObj := newKSCloudAPI()
 
-	apiObj.erURL = ksCloudERURL
-	apiObj.apiURL = ksCloudBEURL
-	apiObj.feURL = ksCloudFEURL
-	apiObj.authURL = ksCloudAUTHURL
+	apiObj.cloudReportURL = ksCloudERURL
+	apiObj.cloudAPIURL = ksCloudBEURL
+	apiObj.cloudUIURL = ksCloudFEURL
+	apiObj.cloudAuthURL = ksCloudAUTHURL
 
 	return apiObj
 }
@@ -135,17 +133,36 @@ func (api *KSCloudAPI) Get(fullURL string, headers map[string]string) (string, e
 	return HttpGetter(api.httpClient, fullURL, headers)
 }
 
-func (api *KSCloudAPI) GetAccountID() string          { return api.accountID }
-func (api *KSCloudAPI) IsLoggedIn() bool              { return api.loggedIn }
-func (api *KSCloudAPI) GetClientID() string           { return api.clientID }
-func (api *KSCloudAPI) GetSecretKey() string          { return api.secretKey }
-func (api *KSCloudAPI) GetFrontendURL() string        { return api.feURL }
-func (api *KSCloudAPI) GetApiURL() string             { return api.apiURL }
-func (api *KSCloudAPI) GetAuthURL() string            { return api.authURL }
-func (api *KSCloudAPI) GetReportReceiverURL() string  { return api.erURL }
-func (api *KSCloudAPI) SetAccountID(accountID string) { api.accountID = accountID }
-func (api *KSCloudAPI) SetClientID(clientID string)   { api.clientID = clientID }
-func (api *KSCloudAPI) SetSecretKey(secretKey string) { api.secretKey = secretKey }
+func (api *KSCloudAPI) GetAccountID() string      { return api.accountID }
+func (api *KSCloudAPI) IsLoggedIn() bool          { return api.loggedIn }
+func (api *KSCloudAPI) GetClientID() string       { return api.clientID }
+func (api *KSCloudAPI) GetSecretKey() string      { return api.secretKey }
+func (api *KSCloudAPI) GetCloudReportURL() string { return api.cloudReportURL }
+func (api *KSCloudAPI) GetCloudAPIURL() string    { return api.cloudAPIURL }
+func (api *KSCloudAPI) GetCloudUIURL() string     { return api.cloudUIURL }
+func (api *KSCloudAPI) GetCloudAuthURL() string   { return api.cloudAuthURL }
+
+func (api *KSCloudAPI) SetAccountID(accountID string)           { api.accountID = accountID }
+func (api *KSCloudAPI) SetClientID(clientID string)             { api.clientID = clientID }
+func (api *KSCloudAPI) SetSecretKey(secretKey string)           { api.secretKey = secretKey }
+func (api *KSCloudAPI) SetCloudReportURL(cloudReportURL string) { api.cloudReportURL = cloudReportURL }
+func (api *KSCloudAPI) SetCloudAPIURL(cloudAPIURL string)       { api.cloudAPIURL = cloudAPIURL }
+func (api *KSCloudAPI) SetCloudUIURL(cloudUIURL string)         { api.cloudUIURL = cloudUIURL }
+func (api *KSCloudAPI) SetCloudAuthURL(cloudAuthURL string)     { api.cloudAuthURL = cloudAuthURL }
+
+func (api *KSCloudAPI) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	respStr, err := api.Get(api.getAttackTracksURL(), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	attackTracks := []v1alpha1.AttackTrack{}
+	if err = JSONDecoder(respStr).Decode(&attackTracks); err != nil {
+		return nil, err
+	}
+
+	return attackTracks, err
+}
 
 func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
 	respStr, err := api.Get(api.getFrameworkURL(name), nil)

core/cautils/getter/kscloudapiutils.go

@@ -13,7 +13,7 @@ var NativeFrameworks = []string{"nsa", "mitre", "armobest", "devopsbest"}
 
 func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/armoFrameworks"
 	q := u.Query()
 	q.Add("customerGUID", api.getCustomerGUIDFallBack())
@@ -28,9 +28,20 @@ func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
 	return u.String()
 }
 
+func (api *KSCloudAPI) getAttackTracksURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
+	u.Path = "api/v1/attackTracks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
 func (api *KSCloudAPI) getListFrameworkURL() string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/armoFrameworks"
 	q := u.Query()
 	q.Add("customerGUID", api.getCustomerGUIDFallBack())
@@ -40,7 +51,7 @@ func (api *KSCloudAPI) getListFrameworkURL() string {
 }
 func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/armoPostureExceptions"
 
 	q := u.Query()
@@ -55,7 +66,7 @@ func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
 
 func (api *KSCloudAPI) exceptionsURL(exceptionsPolicyName string) string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/postureExceptionPolicy"
 
 	q := u.Query()
@@ -77,7 +88,7 @@ func (api *KSCloudAPI) getAccountConfigDefault(clusterName string) string {
 
 func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/armoCustomerConfiguration"
 
 	q := u.Query()
@@ -92,21 +103,21 @@ func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
 
 func (api *KSCloudAPI) getAccountURL() string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/createTenant"
 	return u.String()
 }
 
 func (api *KSCloudAPI) getApiToken() string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetAuthURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAuthURL())
 	u.Path = "identity/resources/auth/v1/api-token"
 	return u.String()
 }
 
 func (api *KSCloudAPI) getOpenidCustomers() string {
 	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
 	u.Path = "api/v1/openid_customers"
 	return u.String()
 }

core/cautils/getter/loadpolicy.go

@@ -65,16 +65,16 @@ func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, e
 }
 
 func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-	framework := &reporthandling.Framework{}
+	var framework reporthandling.Framework
 	var err error
 	for _, filePath := range lp.filePaths {
+		framework = reporthandling.Framework{}
 		f, err := os.ReadFile(filePath)
 		if err != nil {
 			return nil, err
 		}
-
-		if err = json.Unmarshal(f, framework); err != nil {
-			return framework, err
+		if err = json.Unmarshal(f, &framework); err != nil {
+			return nil, err
 		}
 		if strings.EqualFold(frameworkName, framework.Name) {
 			break
@@ -84,7 +84,7 @@ func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framew
 
 		return nil, fmt.Errorf("framework from file not matching")
 	}
-	return framework, err
+	return &framework, err
 }
 
 func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
@@ -130,14 +130,19 @@ func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string
 	filePath := lp.filePath()
 	accountConfig := &armotypes.CustomerConfig{}
 	f, err := os.ReadFile(filePath)
+	fileName := filepath.Base(filePath)
 	if err != nil {
-		return nil, err
+		formattedError := fmt.Errorf("Error opening %s file, \"controls-config\" will be downloaded from ARMO management portal", fileName)
+		return nil, formattedError
 	}
 
 	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
 		return accountConfig.Settings.PostureControlInputs, nil
 	}
-	return nil, err
+
+	formattedError := fmt.Errorf("Error reading %s file, %s, \"controls-config\" will be downloaded from ARMO management portal", fileName, err.Error())
+
+	return nil, formattedError
 }
 
 // temporary support for a list of files

core/cautils/kustomizedirectory.go

@@ -0,0 +1,115 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+
+	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+type KustomizeDirectory struct {
+	path string
+}
+
+// Used for checking if there is "Kustomization" file in the given Directory
+var kustomizationFileMatchers = [3]string{"kustomization.yml", "kustomization.yaml", "Kustomization"}
+
+func IsKustomizeDirectory(path string) bool {
+	if isDir := IsDir(path); !isDir {
+		return false
+	}
+
+	if lastChar := path[len(path)-1:]; lastChar != "/" {
+		path += "/"
+	}
+
+	matches := 0
+	for _, kustomizationFileMatcher := range kustomizationFileMatchers {
+		checkPath := path + kustomizationFileMatcher
+		if _, err := os.Stat(checkPath); err == nil {
+			matches++
+		}
+	}
+
+	switch matches {
+	case 0:
+		return false
+	case 1:
+		return true
+	default:
+		logger.L().Info("Multiple kustomize files found while checking Kustomize Directory")
+		return false
+	}
+}
+
+// Used for checking if the path is Kustomization file.
+func IsKustomizeFile(path string) bool {
+	fileName := filepath.Base(path)
+
+	for _, kustomizationFileMatcher := range kustomizationFileMatchers {
+		if fileName == kustomizationFileMatcher {
+			return true
+		}
+	}
+
+	return false
+}
+
+func NewKustomizeDirectory(path string) *KustomizeDirectory {
+	return &KustomizeDirectory{
+		path: path,
+	}
+}
+
+func GetKustomizeDirectoryName(path string) string {
+	if isKustomizeDirectory := IsKustomizeDirectory(path); !isKustomizeDirectory {
+		return ""
+	}
+	return filepath.Dir(path)
+}
+
+// Get Workloads, creates the yaml files(K8s resources) using Kustomize and
+// renders the workloads from the yaml files (k8s resources)
+func (kd *KustomizeDirectory) GetWorkloads(kustomizeDirectoryPath string) (map[string][]workloadinterface.IMetadata, []error) {
+
+	fSys := filesys.MakeFsOnDisk()
+	kustomizer := krusty.MakeKustomizer(krusty.MakeDefaultOptions())
+	resmap, err := kustomizer.Run(fSys, kustomizeDirectoryPath)
+
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	yml, err := resmap.AsYaml()
+
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	workloads := make(map[string][]workloadinterface.IMetadata, 0)
+	errs := []error{}
+
+	wls, e := ReadFile(yml, YAML_FILE_FORMAT)
+
+	if e != nil {
+		logger.L().Debug("failed to read rendered yaml file", helpers.String("file", kustomizeDirectoryPath), helpers.Error(e))
+	}
+
+	if len(wls) != 0 {
+		workloads[kustomizeDirectoryPath] = []workloadinterface.IMetadata{}
+		for i := range wls {
+			lw := localworkload.NewLocalWorkload(wls[i].GetObject())
+			lw.SetPath(kustomizeDirectoryPath)
+			workloads[kustomizeDirectoryPath] = append(workloads[kustomizeDirectoryPath], lw)
+		}
+	}
+
+	return workloads, errs
+
+}

core/cautils/reportv2tov1.go

@@ -56,7 +56,9 @@ func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, con
 
 		rulesv1 := map[string]reporthandling.RuleReport{}
 
-		for _, resourceID := range crv2.ListResourcesIDs().All() {
+		iter := crv2.ListResourcesIDs().All()
+		for iter.HasNext() {
+			resourceID := iter.Next()
 			if result, ok := opaSessionObj.ResourcesResult[resourceID]; ok {
 				for _, rulev2 := range result.ListRulesOfControl(crv2.GetID(), "") {
 

core/cautils/rootinfo.go

@@ -1,14 +1,26 @@
 package cautils
 
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+)
+
 type RootInfo struct {
 	Logger       string // logger level
 	LoggerName   string // logger name ("pretty"/"zap"/"none")
 	CacheDir     string // cached dir
 	DisableColor bool   // Disable Color
+	EnableColor  bool   // Force enable Color
 
 	KSCloudBEURLs    string // Kubescape Cloud URL
 	KSCloudBEURLsDep string // Kubescape Cloud URL
-
+}
+type CloudURLs struct {
+	CloudReportURL string
+	CloudAPIURL    string
+	CloudUIURL     string
+	CloudAuthURL   string
 }
 
 type Credentials struct {
@@ -16,3 +28,23 @@ type Credentials struct {
 	ClientID  string
 	SecretKey string
 }
+
+// To check if the user's credentials: accountID / clientID / secretKey are valid.
+func (credentials *Credentials) Validate() error {
+
+	// Check if the Account-ID is valid
+	if _, err := uuid.Parse(credentials.Account); credentials.Account != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+	// Check if the Client-ID is valid
+	if _, err := uuid.Parse(credentials.ClientID); credentials.ClientID != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+
+	// Check if the Secret-Key is valid
+	if _, err := uuid.Parse(credentials.SecretKey); credentials.SecretKey != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+
+	return nil
+}

core/cautils/rootinfo_test.go

@@ -0,0 +1,71 @@
+package cautils
+
+import "testing"
+
+func TestCredentials_Validate(t *testing.T) {
+	type fields struct {
+		Account   string
+		ClientID  string
+		SecretKey string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		wantErr bool
+	}{
+		{
+			name: "valid account ID",
+			fields: fields{
+				Account: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid account ID",
+			fields: fields{
+				Account: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid client ID",
+			fields: fields{
+				ClientID: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid client ID",
+			fields: fields{
+				ClientID: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid secret key",
+			fields: fields{
+				SecretKey: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid secret key",
+			fields: fields{
+				SecretKey: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			credentials := &Credentials{
+				Account:   tt.fields.Account,
+				ClientID:  tt.fields.ClientID,
+				SecretKey: tt.fields.SecretKey,
+			}
+			if err := credentials.Validate(); (err != nil) != tt.wantErr {
+				t.Errorf("Credentials.Validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

core/cautils/scaninfo.go

@@ -100,38 +100,41 @@ type PolicyIdentifier struct {
 }
 
 type ScanInfo struct {
-	Getters                               // TODO - remove from object
-	PolicyIdentifier   []PolicyIdentifier // TODO - remove from object
-	UseExceptions      string             // Load file with exceptions configuration
-	ControlsInputs     string             // Load file with inputs for controls
-	UseFrom            []string           // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool               // Load framework from cached file (instead of download). Use when running offline
-	UseArtifactsFrom   string             // Load artifacts from local path. Use when running offline
-	VerboseMode        bool               // Display all of the input resources and not only failed resources
-	View               string             // Display all of the input resources and not only failed resources
-	Format             string             // Format results (table, json, junit ...)
-	Output             string             // Store results in an output file, Output file name
-	FormatVersion      string             // Output object can be differnet between versions, this is for testing and backward compatibility
-	ExcludedNamespaces string             // used for host scanner namespace
-	IncludeNamespaces  string             //
-	InputPatterns      []string           // Yaml files input patterns
-	Silent             bool               // Silent mode - Do not print progress logs
-	FailThreshold      float32            // Failure score threshold
-	Submit             bool               // Submit results to Kubescape Cloud BE
-	ScanID             string             // Report id of the current scan
-	HostSensorEnabled  BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
-	HostSensorYamlPath string             // Path to hostsensor file
-	Local              bool               // Do not submit results
-	Credentials        Credentials        // account ID
-	KubeContext        string             // context name
-	FrameworkScan      bool               // false if scanning control
-	ScanAll            bool               // true if scan all frameworks
+	Getters                                  // TODO - remove from object
+	PolicyIdentifier      []PolicyIdentifier // TODO - remove from object
+	UseExceptions         string             // Load file with exceptions configuration
+	ControlsInputs        string             // Load file with inputs for controls
+	UseFrom               []string           // Load framework from local file (instead of download). Use when running offline
+	UseDefault            bool               // Load framework from cached file (instead of download). Use when running offline
+	UseArtifactsFrom      string             // Load artifacts from local path. Use when running offline
+	VerboseMode           bool               // Display all of the input resources and not only failed resources
+	View                  string             // Display all of the input resources and not only failed resources
+	Format                string             // Format results (table, json, junit ...)
+	Output                string             // Store results in an output file, Output file name
+	FormatVersion         string             // Output object can be differnet between versions, this is for testing and backward compatibility
+	CustomClusterName     string             // Set the custom name of the cluster
+	ExcludedNamespaces    string             // used for host scanner namespace
+	IncludeNamespaces     string             //
+	InputPatterns         []string           // Yaml files input patterns
+	Silent                bool               // Silent mode - Do not print progress logs
+	FailThreshold         float32            // Failure score threshold
+	FailThresholdSeverity string             // Severity at and above which the command should fail
+	Submit                bool               // Submit results to Kubescape Cloud BE
+	ScanID                string             // Report id of the current scan
+	HostSensorEnabled     BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
+	HostSensorYamlPath    string             // Path to hostsensor file
+	Local                 bool               // Do not submit results
+	Credentials           Credentials        // account ID
+	KubeContext           string             // context name
+	FrameworkScan         bool               // false if scanning control
+	ScanAll               bool               // true if scan all frameworks
 }
 
 type Getters struct {
 	ExceptionsGetter     getter.IExceptionsGetter
 	ControlsInputsGetter getter.IControlsInputsGetter
 	PolicyGetter         getter.IPolicyGetter
+	AttackTracksGetter   getter.IAttackTracksGetter
 }
 
 func (scanInfo *ScanInfo) Init() {
@@ -205,13 +208,6 @@ func (scanInfo *ScanInfo) setOutputFile() {
 	}
 }
 
-// func (scanInfo *ScanInfo) GetScanningEnvironment() string {
-// 	if len(scanInfo.InputPatterns) != 0 {
-// 		return ScanLocalFiles
-// 	}
-// 	return ScanCluster
-// }
-
 func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind apisv1.NotificationPolicyKind) {
 	for _, policy := range policies {
 		if !scanInfo.contains(policy) {
@@ -423,6 +419,7 @@ func metadataGitLocal(input string) (*reporthandlingv2.RepoContextMetadata, erro
 		Date:          commit.Committer.Date,
 		CommitterName: commit.Committer.Name,
 	}
+	context.LocalRootPath, _ = gitParser.GetRootDir()
 
 	return context, nil
 }

core/cautils/scaninfo_test.go

@@ -18,7 +18,8 @@ func TestSetContextMetadata(t *testing.T) {
 		assert.Nil(t, ctx.HelmContextMetadata)
 		assert.Nil(t, ctx.RepoContextMetadata)
 	}
-	{
+	// TODO: tests were commented out due to actual http calls ; http calls should be mocked.
+	/*{
 		ctx := reporthandlingv2.ContextMetadata{}
 		setContextMetadata(&ctx, "https://github.com/kubescape/kubescape")
 
@@ -31,7 +32,7 @@ func TestSetContextMetadata(t *testing.T) {
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Repo)
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Owner)
 		assert.Equal(t, "master", ctx.RepoContextMetadata.Branch)
-	}
+	}*/
 }
 
 func TestGetHostname(t *testing.T) {

core/cautils/versioncheck.go

@@ -19,6 +19,7 @@ const SKIP_VERSION_CHECK = "KS_SKIP_UPDATE_CHECK"
 
 var BuildNumber string
 var Client string
+var LatestReleaseVersion string
 
 const UnknownBuildNumber = "unknown"
 
@@ -108,9 +109,11 @@ func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckReques
 		return fmt.Errorf("failed to get latest version")
 	}
 
+	LatestReleaseVersion := latestVersion.ClientUpdate
+
 	if latestVersion.ClientUpdate != "" {
-		if BuildNumber != "" && semver.Compare(BuildNumber, latestVersion.ClientUpdate) == -1 {
-			logger.L().Warning(warningMessage(latestVersion.ClientUpdate))
+		if BuildNumber != "" && semver.Compare(BuildNumber, LatestReleaseVersion) == -1 {
+			logger.L().Warning(warningMessage(LatestReleaseVersion))
 		}
 	}
 

core/cautils/workloadmappingutils.go

@@ -3,6 +3,7 @@ package cautils
 import (
 	"strings"
 
+	"github.com/kubescape/k8s-interface/cloudsupport"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 )
 
@@ -17,8 +18,12 @@ var (
 		"LinuxKernelVariables",
 		"KubeletInfo",
 		"KubeProxyInfo",
+		"ControlPlaneInfo",
+	}
+	CloudResources = []string{
+		"ClusterDescribe",
+		string(cloudsupport.TypeApiServerInfo),
 	}
-	CloudResources = []string{"ClusterDescribe"}
 )
 
 func MapKSResource(ksResourceMap *KSResources, resources []string) []string {

core/core/cachedconfig.go

@@ -8,7 +8,7 @@ import (
 
 func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
 
-	tenant := getTenantConfig(nil, "", getKubernetesApi())
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi())
 
 	if setConfig.Account != "" {
 		tenant.GetConfigObj().AccountID = setConfig.Account
@@ -19,19 +19,31 @@ func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
 	if setConfig.ClientID != "" {
 		tenant.GetConfigObj().ClientID = setConfig.ClientID
 	}
+	if setConfig.CloudAPIURL != "" {
+		tenant.GetConfigObj().CloudAPIURL = setConfig.CloudAPIURL
+	}
+	if setConfig.CloudAuthURL != "" {
+		tenant.GetConfigObj().CloudAuthURL = setConfig.CloudAuthURL
+	}
+	if setConfig.CloudReportURL != "" {
+		tenant.GetConfigObj().CloudReportURL = setConfig.CloudReportURL
+	}
+	if setConfig.CloudUIURL != "" {
+		tenant.GetConfigObj().CloudUIURL = setConfig.CloudUIURL
+	}
 
 	return tenant.UpdateCachedConfig()
 }
 
 // View cached configurations
 func (ks *Kubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
-	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
 	fmt.Fprintf(viewConfig.Writer, "%s\n", tenant.GetConfigObj().Config())
 	return nil
 }
 
 func (ks *Kubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
 
-	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
 	return tenant.DeleteCachedConfig()
 }

core/core/delete.go

@@ -12,7 +12,7 @@ import (
 func (ks *Kubescape) DeleteExceptions(delExceptions *v1.DeleteExceptions) error {
 
 	// load cached config
-	getTenantConfig(&delExceptions.Credentials, "", getKubernetesApi())
+	getTenantConfig(&delExceptions.Credentials, "", "", getKubernetesApi())
 
 	// login kubescape SaaS
 	ksCloudAPI := getter.GetKSCloudAPIConnector()

core/core/download.go

@@ -80,7 +80,7 @@ func downloadArtifacts(downloadInfo *metav1.DownloadInfo) error {
 }
 
 func downloadConfigInputs(downloadInfo *metav1.DownloadInfo) error {
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetAccountID(), nil)
 	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetContextName())
@@ -104,9 +104,9 @@ func downloadConfigInputs(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
 	var err error
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
-	exceptionsGetter := getExceptionsGetter("")
+	exceptionsGetter := getExceptionsGetter("", tenant.GetAccountID(), nil)
 	exceptions := []armotypes.PostureExceptionPolicy{}
 	if tenant.GetAccountID() != "" {
 		exceptions, err = exceptionsGetter.GetExceptions(tenant.GetContextName())
@@ -128,7 +128,7 @@ func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadFramework(downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), true, nil)
 
@@ -170,7 +170,7 @@ func downloadFramework(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadControl(downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), false, nil)
 

core/core/fix.go

@@ -0,0 +1,72 @@
+package core
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/kubescape/kubescape/v2/core/pkg/fixhandler"
+)
+
+const NoChangesApplied = "No changes were applied."
+const NoResourcesToFix = "No issues to fix."
+const ConfirmationQuestion = "Would you like to apply the changes to the files above? [y|n]: "
+
+func (ks *Kubescape) Fix(fixInfo *metav1.FixInfo) error {
+	logger.L().Info("Reading report file...")
+	handler, err := fixhandler.NewFixHandler(fixInfo)
+	if err != nil {
+		return err
+	}
+
+	resourcesToFix := handler.PrepareResourcesToFix()
+
+	if len(resourcesToFix) == 0 {
+		logger.L().Info(NoResourcesToFix)
+		return nil
+	}
+
+	handler.PrintExpectedChanges(resourcesToFix)
+
+	if fixInfo.DryRun {
+		logger.L().Info(NoChangesApplied)
+		return nil
+	}
+
+	if !fixInfo.NoConfirm && !userConfirmed() {
+		logger.L().Info(NoChangesApplied)
+		return nil
+	}
+
+	updatedFilesCount, errors := handler.ApplyChanges(resourcesToFix)
+	logger.L().Info(fmt.Sprintf("Fixed resources in %d files.", updatedFilesCount))
+
+	if len(errors) > 0 {
+		for _, err := range errors {
+			logger.L().Error(err.Error())
+		}
+		return fmt.Errorf("Failed to fix some resources, check the logs for more details")
+	}
+
+	return nil
+}
+
+func userConfirmed() bool {
+	var input string
+
+	for {
+		fmt.Printf(ConfirmationQuestion)
+		if _, err := fmt.Scanln(&input); err != nil {
+			continue
+		}
+
+		input = strings.ToLower(input)
+		if input == "y" || input == "yes" {
+			return true
+		} else if input == "n" || input == "no" {
+			return false
+		}
+	}
+}

core/core/initutils.go

@@ -25,20 +25,31 @@ func getKubernetesApi() *k8sinterface.KubernetesApi {
 	}
 	return k8sinterface.NewKubernetesApi()
 }
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
 	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName)
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName)
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 }
 
-func getExceptionsGetter(useExceptions string) getter.IExceptionsGetter {
+func getExceptionsGetter(useExceptions string, accountID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IExceptionsGetter {
 	if useExceptions != "" {
 		// load exceptions from file
 		return getter.NewLoadPolicy([]string{useExceptions})
-	} else {
+	}
+	if accountID != "" {
+		// download exceptions from Kubescape Cloud backend
 		return getter.GetKSCloudAPIConnector()
 	}
+	// download exceptions from GitHub
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil {
+		logger.L().Warning("failed to get exceptions from github release, this may affect the scanning results", helpers.Error(err))
+	}
+	return downloadReleasedPolicy
+
 }
 
 func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
@@ -58,7 +69,7 @@ func getReporter(tenantConfig cautils.ITenantConfig, reportID string, submit, fw
 	}
 	if tenantConfig.GetAccountID() == "" {
 		// Add link only when scanning a cluster using a framework
-		return reporterv2.NewReportMock(reporterv2.NO_SUBMIT_QUERY, "run kubescape with the '--submit' flag")
+		return reporterv2.NewReportMock("https://hub.armosec.io/docs/installing-kubescape", "run kubescape with the '--account' flag")
 	}
 	var message string
 	if !fwScan {
@@ -128,16 +139,21 @@ func policyIdentifierNames(pi []cautils.PolicyIdentifier) string {
 func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig) {
 
 	/*
-		If "First run (local config not found)" -
-			Default/keep-local - Do not send report
-			Submit - Create tenant & Submit report
+		If CloudReportURL not set - Do not send report
 
-		If "Submitted" -
+		If There is no account - Do not send report
+
+		If There is account -
 			keep-local - Do not send report
-			Default/Submit - Submit report
+			Default - Submit report
 
 	*/
 
+	if getter.GetKSCloudAPIConnector().GetCloudAPIURL() == "" {
+		scanInfo.Submit = false
+		return
+	}
+
 	// do not submit control scanning
 	if !scanInfo.FrameworkScan {
 		scanInfo.Submit = false
@@ -150,27 +166,26 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 		return
 	}
 
-	if tenantConfig.IsConfigFound() { // config found in cache (submitted)
-		if !scanInfo.Local {
-			if tenantConfig.GetAccountID() != "" {
-				if _, err := uuid.Parse(tenantConfig.GetAccountID()); err != nil {
-					scanInfo.Submit = false
-					return
-				}
-			}
-			// Submit report
-			scanInfo.Submit = true
-		}
+	if scanInfo.Local {
+		scanInfo.Submit = false
+		return
+	}
+
+	// If There is no account, or if the account is not legal, do not submit
+	if _, err := uuid.Parse(tenantConfig.GetAccountID()); err != nil {
+		scanInfo.Submit = false
+	} else {
+		scanInfo.Submit = true
 	}
 
 }
 
 // setPolicyGetter set the policy getter - local file/github release/Kubescape Cloud API
-func getPolicyGetter(loadPoliciesFromFile []string, tennatEmail string, frameworkScope bool, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IPolicyGetter {
+func getPolicyGetter(loadPoliciesFromFile []string, tenantEmail string, frameworkScope bool, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IPolicyGetter {
 	if len(loadPoliciesFromFile) > 0 {
 		return getter.NewLoadPolicy(loadPoliciesFromFile)
 	}
-	if tennatEmail != "" && frameworkScope {
+	if tenantEmail != "" && getter.GetKSCloudAPIConnector().GetCloudAPIURL() != "" && frameworkScope {
 		g := getter.GetKSCloudAPIConnector() // download policy from Kubescape Cloud backend
 		return g
 	}
@@ -223,3 +238,17 @@ func listFrameworksNames(policyGetter getter.IPolicyGetter) []string {
 	}
 	return getter.NativeFrameworks
 }
+
+func getAttackTracksGetter(accountID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IAttackTracksGetter {
+	if accountID != "" {
+		g := getter.GetKSCloudAPIConnector() // download attack tracks from Kubescape Cloud backend
+		return g
+	}
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil {
+		logger.L().Warning("failed to get attack tracks from github release, this may affect the scanning results", helpers.Error(err))
+	}
+	return downloadReleasedPolicy
+}

core/core/list.go

@@ -44,14 +44,14 @@ func (ks *Kubescape) List(listPolicies *metav1.ListPolicies) error {
 }
 
 func listFrameworks(listPolicies *metav1.ListPolicies) ([]string, error) {
-	tenant := getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi()) // change k8sinterface
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), true, nil)
 
 	return listFrameworksNames(g), nil
 }
 
 func listControls(listPolicies *metav1.ListPolicies) ([]string, error) {
-	tenant := getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi()) // change k8sinterface
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), false, nil)
 	l := getter.ListName
@@ -63,10 +63,10 @@ func listControls(listPolicies *metav1.ListPolicies) ([]string, error) {
 
 func listExceptions(listPolicies *metav1.ListPolicies) ([]string, error) {
 	// load tenant metav1
-	getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi())
 
 	var exceptionsNames []string
-	ksCloudAPI := getExceptionsGetter("")
+	ksCloudAPI := getExceptionsGetter("", tenant.GetAccountID(), nil)
 	exceptions, err := ksCloudAPI.GetExceptions("")
 	if err != nil {
 		return exceptionsNames, err

core/core/scan.go

@@ -15,6 +15,7 @@ import (
 	"github.com/kubescape/kubescape/v2/core/pkg/opaprocessor"
 	"github.com/kubescape/kubescape/v2/core/pkg/policyhandler"
 	"github.com/kubescape/kubescape/v2/core/pkg/resourcehandler"
+	"github.com/kubescape/kubescape/v2/core/pkg/resourcesprioritization"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/printer"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter"
@@ -43,7 +44,7 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 
 	// ================== setup tenant object ======================================
 
-	tenantConfig := getTenantConfig(&scanInfo.Credentials, scanInfo.KubeContext, k8s)
+	tenantConfig := getTenantConfig(&scanInfo.Credentials, scanInfo.KubeContext, scanInfo.CustomClusterName, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
@@ -121,7 +122,8 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 	// set policy getter only after setting the customerGUID
 	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetTenantEmail(), scanInfo.FrameworkScan, downloadReleasedPolicy)
 	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
-	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions)
+	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
+	scanInfo.Getters.AttackTracksGetter = getAttackTracksGetter(interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 
 	// TODO - list supported frameworks/controls
 	if scanInfo.ScanAll {
@@ -152,6 +154,14 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 		return resultsHandling, fmt.Errorf("%w", err)
 	}
 
+	// ======================== prioritization ===================
+
+	if priotizationHandler, err := resourcesprioritization.NewResourcesPrioritizationHandler(scanInfo.Getters.AttackTracksGetter); err != nil {
+		logger.L().Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
+	} else if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
+		return resultsHandling, fmt.Errorf("%w", err)
+	}
+
 	// ========================= results handling =====================
 	resultsHandling.SetData(scanData)
 

core/core/submit.go

@@ -39,7 +39,7 @@ func (ks *Kubescape) SubmitExceptions(credentials *cautils.Credentials, excPath
 	logger.L().Info("submitting exceptions", helpers.String("path", excPath))
 
 	// load cached config
-	tenantConfig := getTenantConfig(credentials, "", getKubernetesApi())
+	tenantConfig := getTenantConfig(credentials, "", "", getKubernetesApi())
 	if err := tenantConfig.SetTenant(); err != nil {
 		logger.L().Error("failed setting account ID", helpers.Error(err))
 	}

core/meta/datastructures/v1/config.go

@@ -3,9 +3,13 @@ package v1
 import "io"
 
 type SetConfig struct {
-	Account   string
-	ClientID  string
-	SecretKey string
+	Account        string
+	ClientID       string
+	SecretKey      string
+	CloudReportURL string
+	CloudAPIURL    string
+	CloudUIURL     string
+	CloudAuthURL   string
 }
 
 type ViewConfig struct {

core/meta/datastructures/v1/fix.go

@@ -0,0 +1,8 @@
+package v1
+
+type FixInfo struct {
+	ReportFile     string // path to report file (mandatory)
+	NoConfirm      bool   // if true, no confirmation will be given to the user before applying the fix
+	SkipUserValues bool   // if true, user values will not be changed
+	DryRun         bool   // if true, no changes will be applied
+}

core/meta/ksinterface.go

@@ -25,4 +25,7 @@ type IKubescape interface {
 
 	// delete
 	DeleteExceptions(deleteexceptions *metav1.DeleteExceptions) error
+
+	// fix
+	Fix(fixInfo *metav1.FixInfo) error
 }

core/pkg/containerscan/elasticdatastructures.go

@@ -12,7 +12,7 @@ type ElasticContainerVulnerabilityResult struct {
 	Timestamp         int64     `json:"timestamp"`
 	IsFixed           int       `json:"isFixed"`
 	IntroducedInLayer string    `json:"layerHash"`
-	RelevantLinks     []string  `json:"links"` // shitty SE practice
+	RelevantLinks     []string  `json:"links"` // Bad SE practice
 
 	Vulnerability `json:",inline"`
 }

core/pkg/fixhandler/datastructures.go

@@ -0,0 +1,63 @@
+package fixhandler
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/opa-utils/reporthandling"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"gopkg.in/yaml.v3"
+)
+
+// FixHandler is a struct that holds the information of the report to be fixed
+type FixHandler struct {
+	fixInfo       *metav1.FixInfo
+	reportObj     *reporthandlingv2.PostureReport
+	localBasePath string
+}
+
+// ResourceFixInfo is a struct that holds the information about the resource that needs to be fixed
+type ResourceFixInfo struct {
+	YamlExpressions map[string]*armotypes.FixPath
+	Resource        *reporthandling.Resource
+	FilePath        string
+	DocumentIndex   int
+}
+
+// NodeInfo holds extra information about the node
+type nodeInfo struct {
+	node   *yaml.Node
+	parent *yaml.Node
+
+	// position of the node among siblings
+	index int
+}
+
+// FixInfoMetadata holds the arguments "getFixInfo" function needs to pass to the
+// functions it uses
+type fixInfoMetadata struct {
+	originalList        *[]nodeInfo
+	fixedList           *[]nodeInfo
+	originalListTracker int
+	fixedListTracker    int
+	contentToAdd        *[]contentToAdd
+	linesToRemove       *[]linesToRemove
+}
+
+// ContentToAdd holds the information about where to insert the new changes in the existing yaml file
+type contentToAdd struct {
+	// Line where the fix should be applied to
+	line int
+	// Content is a string representation of the YAML node that describes a suggested fix
+	content string
+}
+
+// LinesToRemove holds the line numbers to remove from the existing yaml file
+type linesToRemove struct {
+	startLine int
+	endLine   int
+}
+
+type fileFixInfo struct {
+	contentsToAdd *[]contentToAdd
+	linesToRemove *[]linesToRemove
+}

core/pkg/fixhandler/fixhandler.go

@@ -0,0 +1,346 @@
+package fixhandler
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"gopkg.in/op/go-logging.v1"
+)
+
+const UserValuePrefix = "YOUR_"
+
+func NewFixHandler(fixInfo *metav1.FixInfo) (*FixHandler, error) {
+	jsonFile, err := os.Open(fixInfo.ReportFile)
+	if err != nil {
+		return nil, err
+	}
+	defer jsonFile.Close()
+	byteValue, _ := ioutil.ReadAll(jsonFile)
+
+	var reportObj reporthandlingv2.PostureReport
+	if err = json.Unmarshal(byteValue, &reportObj); err != nil {
+		return nil, err
+	}
+
+	if err = isSupportedScanningTarget(&reportObj); err != nil {
+		return nil, err
+	}
+
+	localPath := getLocalPath(&reportObj)
+	if _, err = os.Stat(localPath); err != nil {
+		return nil, err
+	}
+
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	return &FixHandler{
+		fixInfo:       fixInfo,
+		reportObj:     &reportObj,
+		localBasePath: localPath,
+	}, nil
+}
+
+func isSupportedScanningTarget(report *reporthandlingv2.PostureReport) error {
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.GitLocal || report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.Directory {
+		return nil
+	}
+
+	return fmt.Errorf("unsupported scanning target. Only local git and directory scanning targets are supported")
+}
+
+func getLocalPath(report *reporthandlingv2.PostureReport) string {
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.GitLocal {
+		return report.Metadata.ContextMetadata.RepoContextMetadata.LocalRootPath
+	}
+
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.Directory {
+		return report.Metadata.ContextMetadata.DirectoryContextMetadata.BasePath
+	}
+
+	return ""
+}
+
+func (h *FixHandler) buildResourcesMap() map[string]*reporthandling.Resource {
+	resourceIdToRawResource := make(map[string]*reporthandling.Resource)
+	for i := range h.reportObj.Resources {
+		resourceIdToRawResource[h.reportObj.Resources[i].GetID()] = &h.reportObj.Resources[i]
+	}
+	for i := range h.reportObj.Results {
+		if h.reportObj.Results[i].RawResource == nil {
+			continue
+		}
+		resourceIdToRawResource[h.reportObj.Results[i].RawResource.GetID()] = h.reportObj.Results[i].RawResource
+	}
+
+	return resourceIdToRawResource
+}
+
+func (h *FixHandler) getPathFromRawResource(obj map[string]interface{}) string {
+	if localworkload.IsTypeLocalWorkload(obj) {
+		localwork := localworkload.NewLocalWorkload(obj)
+		return localwork.GetPath()
+	} else if objectsenvelopes.IsTypeRegoResponseVector(obj) {
+		regoResponseVectorObject := objectsenvelopes.NewRegoResponseVectorObject(obj)
+		relatedObjects := regoResponseVectorObject.GetRelatedObjects()
+		for _, relatedObject := range relatedObjects {
+			if localworkload.IsTypeLocalWorkload(relatedObject.GetObject()) {
+				return relatedObject.(*localworkload.LocalWorkload).GetPath()
+			}
+		}
+	}
+
+	return ""
+}
+
+func (h *FixHandler) PrepareResourcesToFix() []ResourceFixInfo {
+	resourceIdToResource := h.buildResourcesMap()
+
+	resourcesToFix := make([]ResourceFixInfo, 0)
+	for _, result := range h.reportObj.Results {
+		if !result.GetStatus(nil).IsFailed() {
+			continue
+		}
+
+		resourceID := result.ResourceID
+		resourceObj := resourceIdToResource[resourceID]
+		resourcePath := h.getPathFromRawResource(resourceObj.GetObject())
+		if resourcePath == "" {
+			continue
+		}
+
+		if resourceObj.Source == nil || resourceObj.Source.FileType != reporthandling.SourceTypeYaml {
+			continue
+		}
+
+		relativePath, documentIndex, err := h.getFilePathAndIndex(resourcePath)
+		if err != nil {
+			logger.L().Error("Skipping invalid resource path: " + resourcePath)
+			continue
+		}
+
+		absolutePath := path.Join(h.localBasePath, relativePath)
+		if _, err := os.Stat(absolutePath); err != nil {
+			logger.L().Error("Skipping missing file: " + absolutePath)
+			continue
+		}
+
+		rfi := ResourceFixInfo{
+			FilePath:        absolutePath,
+			Resource:        resourceObj,
+			YamlExpressions: make(map[string]*armotypes.FixPath, 0),
+			DocumentIndex:   documentIndex,
+		}
+
+		for i := range result.AssociatedControls {
+			if result.AssociatedControls[i].GetStatus(nil).IsFailed() {
+				rfi.addYamlExpressionsFromResourceAssociatedControl(documentIndex, &result.AssociatedControls[i], h.fixInfo.SkipUserValues)
+			}
+		}
+
+		if len(rfi.YamlExpressions) > 0 {
+			resourcesToFix = append(resourcesToFix, rfi)
+		}
+	}
+
+	return resourcesToFix
+}
+
+func (h *FixHandler) PrintExpectedChanges(resourcesToFix []ResourceFixInfo) {
+	var sb strings.Builder
+	sb.WriteString("The following changes will be applied:\n")
+
+	for _, resourceFixInfo := range resourcesToFix {
+		sb.WriteString(fmt.Sprintf("File: %s\n", resourceFixInfo.FilePath))
+		sb.WriteString(fmt.Sprintf("Resource: %s\n", resourceFixInfo.Resource.GetName()))
+		sb.WriteString(fmt.Sprintf("Kind: %s\n", resourceFixInfo.Resource.GetKind()))
+		sb.WriteString("Changes:\n")
+
+		i := 1
+		for _, fixPath := range resourceFixInfo.YamlExpressions {
+			sb.WriteString(fmt.Sprintf("\t%d) %s = %s\n", i, (*fixPath).Path, (*fixPath).Value))
+			i++
+		}
+		sb.WriteString("\n------\n")
+	}
+
+	logger.L().Info(sb.String())
+}
+
+func (h *FixHandler) ApplyChanges(resourcesToFix []ResourceFixInfo) (int, []error) {
+	updatedFiles := make(map[string]bool)
+	errors := make([]error, 0)
+
+	fileYamlExpressions := h.getFileYamlExpressions(resourcesToFix)
+
+	for filepath, yamlExpression := range fileYamlExpressions {
+		fileAsString, err := getFileString(filepath)
+
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+
+		fixedYamlString, err := h.ApplyFixToContent(fileAsString, yamlExpression)
+
+		if err != nil {
+			errors = append(errors, fmt.Errorf("Failed to fix file %s: %w ", filepath, err))
+			continue
+		} else {
+			updatedFiles[filepath] = true
+		}
+
+		err = writeFixesToFile(filepath, fixedYamlString)
+
+		if err != nil {
+			logger.L().Error(fmt.Sprintf("Failed to write fixes to file %s, %v", filepath, err.Error()))
+			errors = append(errors, err)
+		}
+	}
+
+	return len(updatedFiles), errors
+}
+
+func (h *FixHandler) getFilePathAndIndex(filePathWithIndex string) (filePath string, documentIndex int, err error) {
+	splittedPath := strings.Split(filePathWithIndex, ":")
+	if len(splittedPath) <= 1 {
+		return "", 0, fmt.Errorf("expected to find ':' in file path")
+	}
+
+	filePath = splittedPath[0]
+	if documentIndex, err := strconv.Atoi(splittedPath[1]); err != nil {
+		return "", 0, err
+	} else {
+		return filePath, documentIndex, nil
+	}
+}
+
+func (h *FixHandler) ApplyFixToContent(yamlAsString, yamlExpression string) (fixedString string, err error) {
+	yamlLines := strings.Split(yamlAsString, "\n")
+
+	originalRootNodes, err := decodeDocumentRoots(yamlAsString)
+
+	if err != nil {
+		return "", err
+	}
+
+	fixedRootNodes, err := getFixedNodes(yamlAsString, yamlExpression)
+
+	if err != nil {
+		return "", err
+	}
+
+	fileFixInfo := getFixInfo(originalRootNodes, fixedRootNodes)
+
+	fixedYamlLines := getFixedYamlLines(yamlLines, fileFixInfo)
+
+	fixedString = getStringFromSlice(fixedYamlLines)
+
+	return fixedString, nil
+}
+
+func (h *FixHandler) getFileYamlExpressions(resourcesToFix []ResourceFixInfo) map[string]string {
+	fileYamlExpressions := make(map[string]string, 0)
+	for _, resourceToFix := range resourcesToFix {
+		singleExpression := reduceYamlExpressions(&resourceToFix)
+		resourceFilePath := resourceToFix.FilePath
+
+		if _, pathExistsInMap := fileYamlExpressions[resourceFilePath]; !pathExistsInMap {
+			fileYamlExpressions[resourceFilePath] = singleExpression
+		} else {
+			fileYamlExpressions[resourceFilePath] = joinStrings(fileYamlExpressions[resourceFilePath], " | ", singleExpression)
+		}
+
+	}
+
+	return fileYamlExpressions
+}
+
+func (rfi *ResourceFixInfo) addYamlExpressionsFromResourceAssociatedControl(documentIndex int, ac *resourcesresults.ResourceAssociatedControl, skipUserValues bool) {
+	for _, rule := range ac.ResourceAssociatedRules {
+		if !rule.GetStatus(nil).IsFailed() {
+			continue
+		}
+
+		for _, rulePaths := range rule.Paths {
+			if rulePaths.FixPath.Path == "" {
+				continue
+			}
+			if strings.HasPrefix(rulePaths.FixPath.Value, UserValuePrefix) && skipUserValues {
+				continue
+			}
+
+			yamlExpression := fixPathToValidYamlExpression(rulePaths.FixPath.Path, rulePaths.FixPath.Value, documentIndex)
+			rfi.YamlExpressions[yamlExpression] = &rulePaths.FixPath
+		}
+	}
+}
+
+// reduceYamlExpressions reduces the number of yaml expressions to a single one
+func reduceYamlExpressions(resource *ResourceFixInfo) string {
+	expressions := make([]string, 0, len(resource.YamlExpressions))
+	for expr := range resource.YamlExpressions {
+		expressions = append(expressions, expr)
+	}
+
+	return strings.Join(expressions, " | ")
+}
+
+func fixPathToValidYamlExpression(fixPath, value string, documentIndexInYaml int) string {
+	isStringValue := true
+	if _, err := strconv.ParseBool(value); err == nil {
+		isStringValue = false
+	} else if _, err := strconv.ParseFloat(value, 64); err == nil {
+		isStringValue = false
+	} else if _, err := strconv.Atoi(value); err == nil {
+		isStringValue = false
+	}
+
+	// Strings should be quoted
+	if isStringValue {
+		value = fmt.Sprintf("\"%s\"", value)
+	}
+
+	// select document index and add a dot for the root node
+	return fmt.Sprintf("select(di==%d).%s |= %s", documentIndexInYaml, fixPath, value)
+}
+
+func joinStrings(inputStrings ...string) string {
+	return strings.Join(inputStrings, "")
+}
+
+func getFileString(filepath string) (string, error) {
+	bytes, err := ioutil.ReadFile(filepath)
+
+	if err != nil {
+		return "", fmt.Errorf("Error reading file %s", filepath)
+	}
+
+	return string(bytes), nil
+}
+
+func writeFixesToFile(filepath, content string) error {
+	err := ioutil.WriteFile(filepath, []byte(content), 0644)
+
+	if err != nil {
+		return fmt.Errorf("Error writing fixes to file: %w", err)
+	}
+
+	return nil
+}

core/pkg/fixhandler/fixhandler_test.go

@@ -0,0 +1,248 @@
+package fixhandler
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	logger "github.com/kubescape/go-logger"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/op/go-logging.v1"
+)
+
+type indentationTestCase struct {
+	inputFile      string
+	yamlExpression string
+	expectedFile   string
+}
+
+func NewFixHandlerMock() (*FixHandler, error) {
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	return &FixHandler{
+		fixInfo:       &metav1.FixInfo{},
+		reportObj:     &reporthandlingv2.PostureReport{},
+		localBasePath: "",
+	}, nil
+}
+
+func getTestdataPath() string {
+	currentDir, _ := os.Getwd()
+	return filepath.Join(currentDir, "testdata")
+}
+
+func getTestCases() []indentationTestCase {
+	indentationTestCases := []indentationTestCase{
+		// Insertion Scenarios
+		{
+			"inserts/tc-01-00-input-mapping-insert-mapping.yaml",
+			"select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false",
+			"inserts/tc-01-01-expected.yaml",
+		},
+		{
+			"inserts/tc-02-00-input-mapping-insert-mapping-with-list.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"NET_RAW\"]",
+			"inserts/tc-02-01-expected.yaml",
+		},
+		{
+			"inserts/tc-03-00-input-list-append-scalar.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"SYS_ADM\"]",
+			"inserts/tc-03-01-expected.yaml",
+		},
+		{
+			"inserts/tc-04-00-input-multiple-inserts.yaml",
+
+			`select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation |= false |
+			 select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"] |
+			 select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type |= "RuntimeDefault" |
+			 select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false |
+			 select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true`,
+
+			"inserts/tc-04-01-expected.yaml",
+		},
+		{
+			"inserts/tc-05-00-input-comment-blank-line-single-insert.yaml",
+			"select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false",
+			"inserts/tc-05-01-expected.yaml",
+		},
+		{
+			"inserts/tc-06-00-input-list-append-scalar-oneline.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"SYS_ADM\"]",
+			"inserts/tc-06-01-expected.yaml",
+		},
+		{
+			"inserts/tc-07-00-input-multiple-documents.yaml",
+
+			`select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false |
+			 select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false`,
+
+			"inserts/tc-07-01-expected.yaml",
+		},
+		{
+			"inserts/tc-08-00-input-mapping-insert-mapping-indented.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"NET_RAW\"]",
+			"inserts/tc-08-01-expected.yaml",
+		},
+		{
+			"inserts/tc-09-00-input-list-insert-new-mapping-indented.yaml",
+			`select(di==0).spec.containers += {"name": "redis", "image": "redis"}`,
+			"inserts/tc-09-01-expected.yaml",
+		},
+		{
+			"inserts/tc-10-00-input-list-insert-new-mapping.yaml",
+			`select(di==0).spec.containers += {"name": "redis", "image": "redis"}`,
+			"inserts/tc-10-01-expected.yaml",
+		},
+
+		// Removal Scenarios
+		{
+			"removals/tc-01-00-input.yaml",
+			"del(select(di==0).spec.containers[0].securityContext)",
+			"removals/tc-01-01-expected.yaml",
+		},
+		{
+			"removals/tc-02-00-input.yaml",
+			"del(select(di==0).spec.containers[1])",
+			"removals/tc-02-01-expected.yaml",
+		},
+		{
+			"removals/tc-03-00-input.yaml",
+			"del(select(di==0).spec.containers[0].securityContext.capabilities.drop[1])",
+			"removals/tc-03-01-expected.yaml",
+		},
+		{
+			"removes/tc-04-00-input.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) | 
+			 del(select(di==1).spec.containers[1])`,
+			"removes/tc-04-01-expected.yaml",
+		},
+
+		// Replace Scenarios
+		{
+			"replaces/tc-01-00-input.yaml",
+			"select(di==0).spec.containers[0].securityContext.runAsRoot |= false",
+			"replaces/tc-01-01-expected.yaml",
+		},
+		{
+			"replaces/tc-02-00-input.yaml",
+			`select(di==0).spec.containers[0].securityContext.capabilities.drop[0] |= "SYS_ADM" |
+			 select(di==0).spec.containers[0].securityContext.capabilities.add[0] |= "NET_RAW"`,
+			"replaces/tc-02-01-expected.yaml",
+		},
+
+		// Hybrid Scenarios
+		{
+			"hybrids/tc-01-00-input.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-01-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-02-00-input-indented-list.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-02-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-03-00-input-comments.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-03-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-04-00-input-separated-keys.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-04-01-expected.yaml",
+		},
+	}
+
+	return indentationTestCases
+}
+
+func TestApplyFixKeepsFormatting(t *testing.T) {
+	testCases := getTestCases()
+
+	for _, tc := range testCases {
+		t.Run(tc.inputFile, func(t *testing.T) {
+			getTestDataPath := func(filename string) string {
+				currentDir, _ := os.Getwd()
+				currentFile := "testdata/" + filename
+				return filepath.Join(currentDir, currentFile)
+			}
+
+			input, _ := os.ReadFile(getTestDataPath(tc.inputFile))
+			wantRaw, _ := os.ReadFile(getTestDataPath(tc.expectedFile))
+			want := string(wantRaw)
+			expression := tc.yamlExpression
+
+			h, _ := NewFixHandlerMock()
+
+			got, _ := h.ApplyFixToContent(string(input), expression)
+
+			assert.Equalf(
+				t, want, got,
+				"Contents of the fixed file don't match the expectation.\n"+
+					"Input file: %s\n\n"+
+					"Got: <%s>\n\n"+
+					"Want: <%s>",
+				tc.inputFile, got, want,
+			)
+		},
+		)
+
+	}
+}
+
+func Test_fixPathToValidYamlExpression(t *testing.T) {
+	type args struct {
+		fixPath             string
+		value               string
+		documentIndexInYaml int
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "fix path with boolean value",
+			args: args{
+				fixPath:             "spec.template.spec.containers[0].securityContext.privileged",
+				value:               "true",
+				documentIndexInYaml: 2,
+			},
+			want: "select(di==2).spec.template.spec.containers[0].securityContext.privileged |= true",
+		},
+		{
+			name: "fix path with string value",
+			args: args{
+				fixPath:             "metadata.namespace",
+				value:               "YOUR_NAMESPACE",
+				documentIndexInYaml: 0,
+			},
+			want: "select(di==0).metadata.namespace |= \"YOUR_NAMESPACE\"",
+		},
+		{
+			name: "fix path with number",
+			args: args{
+				fixPath:             "xxx.yyy",
+				value:               "123",
+				documentIndexInYaml: 0,
+			},
+			want: "select(di==0).xxx.yyy |= 123",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := fixPathToValidYamlExpression(tt.args.fixPath, tt.args.value, tt.args.documentIndexInYaml); got != tt.want {
+				t.Errorf("fixPathToValidYamlExpression() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

core/pkg/fixhandler/testdata/hybrids/tc-01-00-input.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-01-01-expected.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-02-00-input-indented-list.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-02-01-expected.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-03-00-input-comments.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  # These are the container comments
+  containers:
+    # These are the first containers comments
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-03-01-expected.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  # These are the container comments
+  containers:
+    # These are the first containers comments
+    - name: nginx_container
+      image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-04-00-input-separated-keys.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+
+      image: nginx
+
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-04-01-expected.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+
+      image: nginx
+  securityContext:
+    runAsRoot: false
+

core/pkg/fixhandler/testdata/inserts/tc-01-00-input-mapping-insert-mapping.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-01-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-02-00-input-mapping-insert-mapping-with-list.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-02-01-expected.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+          - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-03-00-input-list-append-scalar.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-03-01-expected.yaml

@@ -0,0 +1,16 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - NET_RAW
+        - SYS_ADM

core/pkg/fixhandler/testdata/inserts/tc-04-00-input-multiple-inserts.yaml

@@ -0,0 +1,47 @@
+# Fixes to Apply:
+# 1) select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation = false
+# 2) select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+# 3) select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type = RuntimeDefault
+# 4) select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false
+# 5) select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: multiple_inserts
+spec:
+  selector:
+    matchLabels:
+      app: example_4
+  template:
+    metadata:
+      labels:
+        app: example_4
+    spec:
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: example_4
+        image: nginx
+        ports:
+        - containerPort: 3000
+        env:
+        - name: PORT
+          value: "3000"
+        resources:
+          requests:
+            cpu: 200m
+            memory: 180Mi
+          limits:
+            cpu: 300m
+            memory: 300Mi
+        readinessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        livenessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]

core/pkg/fixhandler/testdata/inserts/tc-04-01-expected.yaml

@@ -0,0 +1,57 @@
+# Fixes to Apply:
+# 1) select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation = false
+# 2) select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+# 3) select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type = RuntimeDefault
+# 4) select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false
+# 5) select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: multiple_inserts
+spec:
+  selector:
+    matchLabels:
+      app: example_4
+  template:
+    metadata:
+      labels:
+        app: example_4
+    spec:
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: example_4
+        image: nginx
+        ports:
+        - containerPort: 3000
+        env:
+        - name: PORT
+          value: "3000"
+        resources:
+          requests:
+            cpu: 200m
+            memory: 180Mi
+          limits:
+            cpu: 300m
+            memory: 300Mi
+        readinessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        livenessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        securityContext:
+          capabilities:
+            drop:
+              - NET_RAW
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+      securityContext:
+        allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-05-00-input-comment-blank-line-single-insert.yaml

@@ -0,0 +1,16 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+  # Testing if comments are retained as intended
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/inserts/tc-05-01-expected.yaml

@@ -0,0 +1,18 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false
+
+  # Testing if comments are retained as intended
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/inserts/tc-06-00-input-list-append-scalar-oneline.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: [NET_RAW]

core/pkg/fixhandler/testdata/inserts/tc-06-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: [NET_RAW, SYS_ADM]

core/pkg/fixhandler/testdata/inserts/tc-07-00-input-multiple-documents.yaml

@@ -0,0 +1,27 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+---
+
+# Fix to Apply:
+# "select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-07-01-expected.yaml

@@ -0,0 +1,31 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false
+
+---
+
+# Fix to Apply:
+# "select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-08-00-input-mapping-insert-mapping-indented.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx

core/pkg/fixhandler/testdata/inserts/tc-08-01-expected.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        capabilities:
+          drop:
+            - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-09-00-input-list-insert-new-mapping-indented.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx

core/pkg/fixhandler/testdata/inserts/tc-09-01-expected.yaml

@@ -0,0 +1,13 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+    - name: redis
+      image: redis

core/pkg/fixhandler/testdata/inserts/tc-10-00-input-list-insert-new-mapping.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-list-insert-new-object
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-10-01-expected.yaml

@@ -0,0 +1,13 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-list-insert-new-object
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+  - name: redis
+    image: redis

core/pkg/fixhandler/testdata/removals/tc-01-00-input.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: false

core/pkg/fixhandler/testdata/removals/tc-01-01-expected.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-02-00-input.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+  - name: container_with_security_issues
+    image: image_with_security_issues

core/pkg/fixhandler/testdata/removals/tc-02-01-expected.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-03-00-input.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext.capabilities.drop[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: ["NET_RAW", "SYS_ADM"]