Merge remote-tracking branch 'armosec/dev'

return response object

build/Dockerfile

@@ -31,14 +31,17 @@ RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
 
 FROM alpine
 
-RUN addgroup -S ks && adduser -S ks -G ks
-USER ks
-WORKDIR /home/ks/
+RUN addgroup -S armo && adduser -S armo -G armo
+
+RUN mkdir /home/armo/.kubescape
+COPY --from=builder /work/artifacts/ /home/armo/.kubescape
+
+RUN chown -R armo:armo /home/armo/.kubescape
+
+USER armo
+WORKDIR /home/armo
 
 COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
 COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
 
-RUN mkdir /home/ks/.kubescape && chmod 777 -R /home/ks/.kubescape 
-COPY --from=builder /work/artifacts/ /home/ks/.kubescape
-
 ENTRYPOINT ["ksserver"]

cmd/scan/control.go

@@ -6,6 +6,8 @@ import (
 	"os"
 	"strings"
 
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
 	"github.com/armosec/kubescape/v2/core/cautils/logger/helpers"
@@ -64,7 +66,7 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			} else { // expected control or list of control sepparated by ","
 
 				// Read controls from input args
-				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), reporthandling.KindControl)
+				scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), apisv1.KindControl)
 
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {

cmd/scan/framework.go

@@ -6,11 +6,12 @@ import (
 	"os"
 	"strings"
 
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
 	"github.com/armosec/kubescape/v2/core/cautils/logger/helpers"
 	"github.com/armosec/kubescape/v2/core/meta"
-	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/enescakir/emoji"
 	"github.com/spf13/cobra"
 )
@@ -95,7 +96,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			}
 			scanInfo.FrameworkScan = true
 
-			scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
+			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
 
 			results, err := ks.Scan(scanInfo)
 			if err != nil {

core/cautils/datastructuresmethods.go

@@ -1,10 +1,10 @@
 package cautils
 
 import (
-	pkgcautils "github.com/armosec/utils-go/utils"
 	"golang.org/x/mod/semver"
 
 	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/utils-go/boolutils"
 )
 
 func NewPolicies() *Policies {
@@ -40,7 +40,7 @@ func ruleWithArmoOpaDependency(attributes map[string]interface{}) bool {
 		return false
 	}
 	if s, ok := attributes["armoOpa"]; ok { // TODO - make global
-		return pkgcautils.StringToBool(s.(string))
+		return boolutils.StringToBool(s.(string))
 	}
 	return false
 }

core/cautils/scaninfo.go

@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+
 	giturl "github.com/armosec/go-git-url"
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/v2/core/cautils/getter"
@@ -29,6 +31,10 @@ type BoolPtrFlag struct {
 	valPtr *bool
 }
 
+func NewBoolPtr(b *bool) BoolPtrFlag {
+	return BoolPtrFlag{valPtr: b}
+}
+
 func (bpf *BoolPtrFlag) Type() string {
 	return "bool"
 }
@@ -176,11 +182,11 @@ func (scanInfo *ScanInfo) GetScanningEnvironment() string {
 	return ScanCluster
 }
 
-func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind reporthandling.NotificationPolicyKind) {
+func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind apisv1.NotificationPolicyKind) {
 	for _, policy := range policies {
 		if !scanInfo.contains(policy) {
 			newPolicy := reporthandling.PolicyIdentifier{}
-			newPolicy.Kind = kind // reporthandling.KindFramework
+			newPolicy.Kind = reporthandling.NotificationPolicyKind(kind) // reporthandling.KindFramework
 			newPolicy.Name = policy
 			scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
 		}
@@ -220,6 +226,7 @@ func scanInfoToScanMetadata(scanInfo *ScanInfo) *reporthandlingv2.Metadata {
 		metadata.ScanMetadata.TargetNames = append(metadata.ScanMetadata.TargetNames, policy.Name)
 	}
 
+	metadata.ScanMetadata.KubescapeVersion = BuildNumber
 	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
 	metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
 	metadata.ScanMetadata.HostScanner = scanInfo.HostSensorEnabled.GetBool()

core/cautils/versioncheck.go

@@ -9,7 +9,7 @@ import (
 	"github.com/armosec/kubescape/v2/core/cautils/getter"
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
 	"github.com/armosec/kubescape/v2/core/cautils/logger/helpers"
-	pkgutils "github.com/armosec/utils-go/utils"
+	"github.com/armosec/utils-go/boolutils"
 	"golang.org/x/mod/semver"
 )
 
@@ -28,9 +28,9 @@ func NewIVersionCheckHandler() IVersionCheckHandler {
 	if BuildNumber == "" {
 		logger.L().Warning("unknown build number, this might affect your scan results. Please make sure you are updated to latest version")
 	}
-	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && pkgutils.StringToBool(v) {
+	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && boolutils.StringToBool(v) {
 		return NewVersionCheckHandlerMock()
-	} else if v, ok := os.LookupEnv(SKIP_VERSION_CHECK_DEPRECATED); ok && pkgutils.StringToBool(v) {
+	} else if v, ok := os.LookupEnv(SKIP_VERSION_CHECK_DEPRECATED); ok && boolutils.StringToBool(v) {
 		return NewVersionCheckHandlerMock()
 	}
 	return NewVersionCheckHandler()

core/core/scan.go

@@ -3,6 +3,8 @@ package core
 import (
 	"fmt"
 
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/k8s-interface/k8sinterface"
 
@@ -130,7 +132,7 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 
 	// TODO - list supported frameworks/controls
 	if scanInfo.ScanAll {
-		scanInfo.SetPolicyIdentifiers(listFrameworksNames(scanInfo.Getters.PolicyGetter), reporthandling.KindFramework)
+		scanInfo.SetPolicyIdentifiers(listFrameworksNames(scanInfo.Getters.PolicyGetter), apisv1.KindFramework)
 	}
 
 	// remove host scanner components

core/pkg/opaprocessor/processorhandler.go

@@ -180,6 +180,9 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (map[stri
 				for j := range ruleResponses[i].FixPaths {
 					ruleResult.Paths = append(ruleResult.Paths, armotypes.PosturePaths{FixPath: ruleResponses[i].FixPaths[j]})
 				}
+				if ruleResponses[i].FixCommand != "" {
+					ruleResult.Paths = append(ruleResult.Paths, armotypes.PosturePaths{FixCommand: ruleResponses[i].FixCommand})
+				}
 				resources[failedResources[j].GetID()] = ruleResult
 			}
 		}

core/pkg/opaprocessor/processorhandlerutils.go

@@ -8,6 +8,7 @@ import (
 	"github.com/armosec/k8s-interface/workloadinterface"
 	"github.com/armosec/opa-utils/reporthandling"
 	"github.com/armosec/opa-utils/reporthandling/apis"
+	"github.com/armosec/opa-utils/reporthandling/results/v1/reportsummary"
 	resources "github.com/armosec/opa-utils/resources"
 )
 
@@ -46,7 +47,7 @@ func (opap *OPAProcessor) updateResults() {
 
 	// set result summary
 	// map control to error
-	controlToInfoMap := mapControlToInfo(opap.ResourceToControlsMap, opap.InfoMap)
+	controlToInfoMap := mapControlToInfo(opap.ResourceToControlsMap, opap.InfoMap, opap.Report.SummaryDetails.Controls)
 	opap.Report.SummaryDetails.InitResourcesSummary(controlToInfoMap)
 	// for f := range opap.PostureReport.FrameworkReports {
 	// 	// set exceptions
@@ -60,17 +61,29 @@ func (opap *OPAProcessor) updateResults() {
 	// }
 }
 
-func mapControlToInfo(mapResourceToControls map[string][]string, infoMap map[string]apis.StatusInfo) map[string]apis.StatusInfo {
+func mapControlToInfo(mapResourceToControls map[string][]string, infoMap map[string]apis.StatusInfo, controlSummary reportsummary.ControlSummaries) map[string]apis.StatusInfo {
 	controlToInfoMap := make(map[string]apis.StatusInfo)
 	for resource, statusInfo := range infoMap {
-		controls := mapResourceToControls[resource]
-		for _, control := range controls {
-			controlToInfoMap[control] = statusInfo
+		controlIDs := mapResourceToControls[resource]
+		for _, controlID := range controlIDs {
+			ctrl := controlSummary.GetControl(reportsummary.EControlCriteriaID, controlID)
+			if ctrl != nil {
+				resources := ctrl.NumberOfResources()
+				// Check that there are no K8s resources too
+				if isEmptyResources(resources) {
+					controlToInfoMap[controlID] = statusInfo
+				}
+			}
+
 		}
 	}
 	return controlToInfoMap
 }
 
+func isEmptyResources(counters reportsummary.ICounters) bool {
+	return counters.Failed() == 0 && counters.Excluded() == 0 && counters.Passed() == 0
+}
+
 func getAllSupportedObjects(k8sResources *cautils.K8SResources, armoResources *cautils.ArmoResources, allResources map[string]workloadinterface.IMetadata, rule *reporthandling.PolicyRule) []workloadinterface.IMetadata {
 	k8sObjects := []workloadinterface.IMetadata{}
 	k8sObjects = append(k8sObjects, getKubernetesObjects(k8sResources, allResources, rule.Match)...)

core/pkg/resultshandling/reporter/v2/reporteventreceiver.go

@@ -113,6 +113,7 @@ func (report *ReportEventReceiver) GetURL() string {
 }
 func (report *ReportEventReceiver) sendResources(host string, opaSessionObj *cautils.OPASessionObj) error {
 	splittedPostureReport := report.setSubReport(opaSessionObj)
+
 	counter := 0
 	reportCounter := 0
 	if err := report.setResources(splittedPostureReport, opaSessionObj.AllResources, opaSessionObj.ResourceSource, &counter, &reportCounter, host); err != nil {
@@ -121,7 +122,6 @@ func (report *ReportEventReceiver) sendResources(host string, opaSessionObj *cau
 	if err := report.setResults(splittedPostureReport, opaSessionObj.ResourcesResult, &counter, &reportCounter, host); err != nil {
 		return err
 	}
-
 	return report.sendReport(host, splittedPostureReport, reportCounter, true)
 }
 func (report *ReportEventReceiver) setResults(reportObj *reporthandlingv2.PostureReport, results map[string]resourcesresults.Result, counter, reportCounter *int, host string) error {

go.mod

@@ -3,13 +3,13 @@ module github.com/armosec/kubescape/v2
 go 1.17
 
 require (
-	github.com/armosec/armoapi-go v0.0.66
+	github.com/armosec/armoapi-go v0.0.73
 	github.com/armosec/go-git-url v0.0.4
-	github.com/armosec/k8s-interface v0.0.69
-	github.com/armosec/opa-utils v0.0.130
+	github.com/armosec/k8s-interface v0.0.70
+	github.com/armosec/opa-utils v0.0.137
 	github.com/armosec/rbac-utils v0.0.14
-	github.com/armosec/utils-go v0.0.3
-	github.com/armosec/utils-k8s-go v0.0.5
+	github.com/armosec/utils-go v0.0.5
+	github.com/armosec/utils-k8s-go v0.0.6
 	github.com/briandowns/spinner v1.18.1
 	github.com/enescakir/emoji v1.0.0
 	github.com/fatih/color v1.13.0

go.sum

@@ -113,28 +113,29 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
 github.com/armosec/armoapi-go v0.0.23/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/armoapi-go v0.0.58/go.mod h1:U/Axd+D5N00x9Ekr7t+5HXqLCMO+98NfJSVAggqJftI=
-github.com/armosec/armoapi-go v0.0.66 h1:SEm4nTwtexlMqYQr7sj3rWIrDYZj3BQ76FvKLA8hiLo=
-github.com/armosec/armoapi-go v0.0.66/go.mod h1:U/Axd+D5N00x9Ekr7t+5HXqLCMO+98NfJSVAggqJftI=
+github.com/armosec/armoapi-go v0.0.67/go.mod h1:/9SQAgtLbYkfFneRRm/zkIn3zz+4Y2xv6N3vtFcyF8s=
+github.com/armosec/armoapi-go v0.0.73 h1:LMf+eCkkf+W9NVvOzHKFgVUEpBMvh27M7//UQP3aiO8=
+github.com/armosec/armoapi-go v0.0.73/go.mod h1:/9SQAgtLbYkfFneRRm/zkIn3zz+4Y2xv6N3vtFcyF8s=
 github.com/armosec/go-git-url v0.0.4 h1:emG9Yfl53rHpuX41fXLD92ehzhRoNSSnGT6Pr7ogWMY=
 github.com/armosec/go-git-url v0.0.4/go.mod h1:PJqdEyJyFxTQvawBcyOM0Ies6+uezire5gpwfr1XX5M=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/k8s-interface v0.0.37/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
-github.com/armosec/k8s-interface v0.0.66/go.mod h1:vwprS8qn/iowd5yf0JHpqDsLA5I8W2muqX9AxKhkb0Q=
-github.com/armosec/k8s-interface v0.0.69 h1:rpZElGJjt9xlYrBc5IGKECybf7mZeu+rMEVEQyJOmbg=
-github.com/armosec/k8s-interface v0.0.69/go.mod h1:MmpOS7RselE+tZgojx5PcBXVbKjWBfHHd/hZ2tWXBdQ=
+github.com/armosec/k8s-interface v0.0.70 h1:NU3UIaNl7H3hsRecwggiaQbZXTwXtOKg3GOBjq6/XJw=
+github.com/armosec/k8s-interface v0.0.70/go.mod h1:8NX4xWXh8mwW7QyZdZea1czNdM2azCK9BbUNmiZYXW0=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.130 h1:uP60M0PzmDtLqvsA/jX8BED9/Ava4n2QG7VCkuI+hwI=
-github.com/armosec/opa-utils v0.0.130/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
+github.com/armosec/opa-utils v0.0.137 h1:KAkxWYnnTef8ofixJ198Zs4Xs7MOh32+yMUyFY7I8DA=
+github.com/armosec/opa-utils v0.0.137/go.mod h1:mCFQzz4E227f7V2jQVQ9XCivkNNK3UWCTaZ0HE5rBWk=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
-github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
+github.com/armosec/utils-go v0.0.4/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
+github.com/armosec/utils-go v0.0.5 h1:+pfZirWrOvfqvVYlL7OG1wMQD4T4YMwC78zzosB+mlQ=
+github.com/armosec/utils-go v0.0.5/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-k8s-go v0.0.1/go.mod h1:qrU4pmY2iZsOb39Eltpm0sTTNM3E4pmeyWx4dgDUC2U=
-github.com/armosec/utils-k8s-go v0.0.5 h1:zlw6lidAVbUs4cxlm30BOhxKWA/iuVUZTgZMhDC2wtQ=
-github.com/armosec/utils-k8s-go v0.0.5/go.mod h1:n6V42HYZZBDzMZMiAgUHROZcp4/Wz+wrBm+L6/m6Sdg=
+github.com/armosec/utils-k8s-go v0.0.6 h1:GriAQZeKsVdlM64lwRnh4EDKlb2R9tK7WXtRYQOrPwk=
+github.com/armosec/utils-k8s-go v0.0.6/go.mod h1:YFdWi3rEQQLbN6mZO21TSdoda8kGQYRV4rs5CRp8Kjs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.41.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go v1.41.11 h1:QLouWsiYQ8i22kD8k58Dpdhio1A0MpT7bg9ZNXqEjuI=
@@ -1149,7 +1150,6 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

httphandler/README.md

@@ -6,10 +6,11 @@ Running `kubescape` will start up a webserver on port `8080` which will serve th
 
 * POST `/v1/scan` - Trigger a kubescape scan. The server will return an ID and will execute the scanning asynchronously 
 * * `wait`: scan synchronously (return results and not ID). Use only in small clusters are with an increased timeout
+* * `keep`: Do not delete results from local storage after returning
 * GET `/v1/results` -  Request kubescape scan results
-* * query `id=<string>` -> ID returned when triggering the scan action. ~If empty will return latest results~ (not supported)
-* * query `remove` -> Remove results from storage after reading the results
-* DELETE `/v1/results` - Delete kubescape scan results from storage. ~If empty will delete latest results~ (not supported)
+* * query `id=<string>` -> ID returned when triggering the scan action. If empty will return latest results
+* * query `keep` -> Do not delete results from local storage after returning
+* DELETE `/v1/results` - Delete kubescape scan results from storage. If empty will delete latest results
 * * query `id=<string>`: Delete ID of specific results 
 * * query `all`: Delete all cached results
 * GET/POST `/v1/metrics` - will trigger cluster scan. will respond with prometheus metrics once they have been scanned. This will respond 503 if the scan failed.
@@ -23,25 +24,50 @@ body:
 ```
 {
     "format": <str>,               // results format [default: json] (same as 'kubescape scan --format')
-    "excludedNamespaces": <[]str>, // list of namespaces to exclude (same as 'kubescape scan --excluded-namespaces')
-    "includeNamespaces": <[]str>,  // list of namespaces to include (same as 'kubescape scan --include-namespaces')
+    "excludedNamespaces": [<str>], // list of namespaces to exclude (same as 'kubescape scan --excluded-namespaces')
+    "includeNamespaces": [<str>],  // list of namespaces to include (same as 'kubescape scan --include-namespaces')
     "useCachedArtifacts"`: <bool>, // use the cached artifacts instead of downloading (offline support)
     "submit": <bool>,              // submit results to Kubescape cloud (same as 'kubescape scan --submit')
     "hostScanner": <bool>,         // deploy kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
     "keepLocal": <bool>,           // do not submit results to Kubescape cloud (same as 'kubescape scan --keep-local')
-    "account": <str>               // account ID (same as 'kubescape scan --account')
+    "account": <str>,              // account ID (same as 'kubescape scan --account')
+    "targetType": <str>,           // framework/control
+    "targetNames": [<str>]         // names. e.g. when targetType==framework, targetNames=["nsa", "mitre"]
 }
 ```
 
-e.g.:
+#### Default scan  
 
+1. Trigger kubescape scan
+  ```bash
+  curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true}' http://127.0.0.1:8080/v1/scan -o scan_id
+  ```
+
+2. Get kubescape scan results
+  ```bash
+  curl --request GET http://127.0.0.1:8080/v1/results?id=$(cat scan_id)
+  ```
+
+#### Scan single namespace with a specific framework
 ```bash
 curl --header "Content-Type: application/json" \
   --request POST \
-  --data '{"hostScanner":true, "submit":true}' \
+  --data '{"hostScanner":true, "submit":true, "includeNamespaces": ["ks-scanner"], "targetType": "framework", "targetNames": ["nsa"] }' \
   http://127.0.0.1:8080/v1/scan
 ```
 ## Examples
 
 * [Prometheus](examples/prometheus/README.md)
 * [Microservice](examples/microservice/README.md)
+
+
+## Supported environment variables
+
+* `KS_ACCOUNT`: Account ID
+* `KS_SUBMIT`: Submit the results to Kubescape SaaS version
+* `KS_EXCLUDE_NAMESPACES`: List of namespaces to exclude, e.g. `KS_EXCLUDE_NAMESPACES=kube-system,kube-public`
+* `KS_INCLUDE_NAMESPACES`: List of namespaces to include, rest of the namespaces will be ignored. e.g. `KS_INCLUDE_NAMESPACES=dev,prod`
+* `KS_HOST_SCAN_YAML`: Full path to the host scanner YAML
+* `KS_FORMAT`: Output file format. default is json
+* `KS_ENABLE_HOST_SCANNER`: Enable the host scanner feature
+* `KS_DOWNLOAD_ARTIFACTS`: Download the artifacts every scan

httphandler/examples/microservice/ks-deployment.yaml

@@ -43,10 +43,10 @@ subjects:
 apiVersion: v1
 kind: Service
 metadata:
-  name: kubescape-service
+  name: kubescape
   namespace: ks-scanner
   labels:
-    app: kubescape-service
+    app: kubescape
 spec:
   type: NodePort
   ports:
@@ -89,13 +89,20 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 3
-        image: quay.io/armosec/kubescape:prometheus.v2
+        image: quay.io/armosec/kubescape:latest
+        imagePullPolicy: Always
         env:
         - name: KS_DEFAULT_CONFIGMAP_NAMESPACE
           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+        - name: "KS_SKIP_UPDATE_CHECK" # do not check latest version
+          value: "true"
+        - name: KS_ENABLE_HOST_SCANNER # enable host scanner -> https://hub.armo.cloud/docs/host-sensor
+          value: "true"              
+        - name: KS_DOWNLOAD_ARTIFACTS  # When set to true the artifacts will be downloaded every scan execution
+          value: "true" 
         ports:
         - containerPort: 8080
           name: http

httphandler/examples/prometheus/ks-deployment.yaml

@@ -43,12 +43,12 @@ subjects:
 apiVersion: v1
 kind: Service
 metadata:
-  name: kubescape-service
+  name: kubescape
   namespace: ks-scanner
   labels:
-    app: kubescape-service
+    app: kubescape
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 8080
       name: http

httphandler/go.mod

@@ -6,8 +6,8 @@ replace github.com/armosec/kubescape/v2 => ../
 
 require (
 	github.com/armosec/kubescape/v2 v2.0.0-00010101000000-000000000000
-	github.com/armosec/opa-utils v0.0.130
-	github.com/armosec/utils-go v0.0.3
+	github.com/armosec/opa-utils v0.0.137
+	github.com/armosec/utils-go v0.0.5
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/stretchr/testify v1.7.1
@@ -28,10 +28,11 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/armosec/armoapi-go v0.0.66 // indirect
-	github.com/armosec/k8s-interface v0.0.69 // indirect
+	github.com/armosec/armoapi-go v0.0.73 // indirect
+	github.com/armosec/go-git-url v0.0.4 // indirect
+	github.com/armosec/k8s-interface v0.0.70 // indirect
 	github.com/armosec/rbac-utils v0.0.14 // indirect
-	github.com/armosec/utils-k8s-go v0.0.5 // indirect
+	github.com/armosec/utils-k8s-go v0.0.6 // indirect
 	github.com/aws/aws-sdk-go v1.41.11 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.12.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.12.0 // indirect

httphandler/go.sum

@@ -113,26 +113,29 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
 github.com/armosec/armoapi-go v0.0.23/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
-github.com/armosec/armoapi-go v0.0.58/go.mod h1:U/Axd+D5N00x9Ekr7t+5HXqLCMO+98NfJSVAggqJftI=
-github.com/armosec/armoapi-go v0.0.66 h1:SEm4nTwtexlMqYQr7sj3rWIrDYZj3BQ76FvKLA8hiLo=
-github.com/armosec/armoapi-go v0.0.66/go.mod h1:U/Axd+D5N00x9Ekr7t+5HXqLCMO+98NfJSVAggqJftI=
+github.com/armosec/armoapi-go v0.0.67/go.mod h1:/9SQAgtLbYkfFneRRm/zkIn3zz+4Y2xv6N3vtFcyF8s=
+github.com/armosec/armoapi-go v0.0.73 h1:LMf+eCkkf+W9NVvOzHKFgVUEpBMvh27M7//UQP3aiO8=
+github.com/armosec/armoapi-go v0.0.73/go.mod h1:/9SQAgtLbYkfFneRRm/zkIn3zz+4Y2xv6N3vtFcyF8s=
+github.com/armosec/go-git-url v0.0.4 h1:emG9Yfl53rHpuX41fXLD92ehzhRoNSSnGT6Pr7ogWMY=
+github.com/armosec/go-git-url v0.0.4/go.mod h1:PJqdEyJyFxTQvawBcyOM0Ies6+uezire5gpwfr1XX5M=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/k8s-interface v0.0.37/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2dsFVc0XtgRh1ZU=
-github.com/armosec/k8s-interface v0.0.66/go.mod h1:vwprS8qn/iowd5yf0JHpqDsLA5I8W2muqX9AxKhkb0Q=
-github.com/armosec/k8s-interface v0.0.69 h1:rpZElGJjt9xlYrBc5IGKECybf7mZeu+rMEVEQyJOmbg=
-github.com/armosec/k8s-interface v0.0.69/go.mod h1:MmpOS7RselE+tZgojx5PcBXVbKjWBfHHd/hZ2tWXBdQ=
+github.com/armosec/k8s-interface v0.0.70 h1:NU3UIaNl7H3hsRecwggiaQbZXTwXtOKg3GOBjq6/XJw=
+github.com/armosec/k8s-interface v0.0.70/go.mod h1:8NX4xWXh8mwW7QyZdZea1czNdM2azCK9BbUNmiZYXW0=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.130 h1:uP60M0PzmDtLqvsA/jX8BED9/Ava4n2QG7VCkuI+hwI=
-github.com/armosec/opa-utils v0.0.130/go.mod h1:gap+EaLG5rnyqvIRGxtdNDC9y7VvoGNm90zK8Ls7avQ=
+github.com/armosec/opa-utils v0.0.137 h1:KAkxWYnnTef8ofixJ198Zs4Xs7MOh32+yMUyFY7I8DA=
+github.com/armosec/opa-utils v0.0.137/go.mod h1:mCFQzz4E227f7V2jQVQ9XCivkNNK3UWCTaZ0HE5rBWk=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.2/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
-github.com/armosec/utils-go v0.0.3 h1:uyQI676yRciQM0sSN9uPoqHkbspTxHO0kmzXhBeE/xU=
 github.com/armosec/utils-go v0.0.3/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
+github.com/armosec/utils-go v0.0.4/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
+github.com/armosec/utils-go v0.0.5 h1:+pfZirWrOvfqvVYlL7OG1wMQD4T4YMwC78zzosB+mlQ=
+github.com/armosec/utils-go v0.0.5/go.mod h1:itWmRLzRdsnwjpEOomL0mBWGnVNNIxSjDAdyc+b0iUo=
 github.com/armosec/utils-k8s-go v0.0.1/go.mod h1:qrU4pmY2iZsOb39Eltpm0sTTNM3E4pmeyWx4dgDUC2U=
-github.com/armosec/utils-k8s-go v0.0.5 h1:zlw6lidAVbUs4cxlm30BOhxKWA/iuVUZTgZMhDC2wtQ=
-github.com/armosec/utils-k8s-go v0.0.5/go.mod h1:n6V42HYZZBDzMZMiAgUHROZcp4/Wz+wrBm+L6/m6Sdg=
+github.com/armosec/utils-k8s-go v0.0.6 h1:GriAQZeKsVdlM64lwRnh4EDKlb2R9tK7WXtRYQOrPwk=
+github.com/armosec/utils-k8s-go v0.0.6/go.mod h1:YFdWi3rEQQLbN6mZO21TSdoda8kGQYRV4rs5CRp8Kjs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.41.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go v1.41.11 h1:QLouWsiYQ8i22kD8k58Dpdhio1A0MpT7bg9ZNXqEjuI=
@@ -1146,7 +1149,6 @@ golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

httphandler/handlerequests/v1/datastructure.go

@@ -1,24 +0,0 @@
-package v1
-
-import (
-	"github.com/armosec/kubescape/v2/core/cautils"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type PostScanRequest struct {
-	Format             string                                 `json:"format"`             // Format results (table, json, junit ...) - default json
-	Account            string                                 `json:"account"`            // account ID
-	Logger             string                                 `json:"-"`                  // logger level - debug/info/error - default is debug
-	FailThreshold      float32                                `json:"failThreshold"`      // Failure score threshold
-	ExcludedNamespaces []string                               `json:"excludedNamespaces"` // used for host scanner namespace
-	IncludeNamespaces  []string                               `json:"includeNamespaces"`  // DEPRECATED?
-	TargetNames        []string                               `json:"targetNames"`        // default is all
-	TargetType         *reporthandling.NotificationPolicyKind `json:"targetType"`         // framework/control - default is framework
-	Submit             cautils.BoolPtrFlag                    `json:"submit"`             // Submit results to Armo BE - default will
-	HostScanner        cautils.BoolPtrFlag                    `json:"hostScanner"`        // Deploy ARMO K8s host scanner to collect data from certain controls
-	KeepLocal          cautils.BoolPtrFlag                    `json:"keepLocal"`          // Do not submit results
-	UseCachedArtifacts cautils.BoolPtrFlag                    `json:"useCachedArtifacts"` // Use the cached artifacts instead of downloading
-	// UseExceptions      string      // Load file with exceptions configuration
-	// ControlsInputs     string      // Load file with inputs for controls
-	// VerboseMode        bool        // Display all of the input resources and not only failed resources
-}

httphandler/handlerequests/v1/datastructuremethods.go

@@ -3,23 +3,18 @@ package v1
 import (
 	"strings"
 
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
+
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/getter"
 	"github.com/armosec/opa-utils/reporthandling"
 )
 
-func (scanRequest *PostScanRequest) ToScanInfo() *cautils.ScanInfo {
+func ToScanInfo(scanRequest *utilsmetav1.PostScanRequest) *cautils.ScanInfo {
 	scanInfo := defaultScanInfo()
 
-	if scanRequest.TargetType != nil && len(scanRequest.TargetNames) > 0 {
-		if *scanRequest.TargetType == reporthandling.KindFramework {
-			scanInfo.FrameworkScan = true
-		}
-		scanInfo.SetPolicyIdentifiers(scanRequest.TargetNames, *scanRequest.TargetType)
-		scanInfo.ScanAll = false
-	} else {
-		scanInfo.ScanAll = true
-	}
+	setTargetInScanInfo(scanRequest, scanInfo)
 
 	if scanRequest.Account != "" {
 		scanInfo.Account = scanRequest.Account
@@ -31,21 +26,61 @@ func (scanRequest *PostScanRequest) ToScanInfo() *cautils.ScanInfo {
 		scanInfo.IncludeNamespaces = strings.Join(scanRequest.IncludeNamespaces, ",")
 	}
 
-	if scanRequest.Format == "" {
-		scanInfo.Format = scanRequest.Format // TODO - handle default
+	if scanRequest.Format != "" {
+		scanInfo.Format = scanRequest.Format
 	}
 
-	if scanRequest.UseCachedArtifacts.Get() != nil && !*scanRequest.UseCachedArtifacts.Get() {
-		scanInfo.UseArtifactsFrom = getter.DefaultLocalStore // Load files from cache (this will prevent kubescape fom downloading the artifacts every time)
+	// UseCachedArtifacts
+	if scanRequest.UseCachedArtifacts != nil {
+		if useCachedArtifacts := cautils.NewBoolPtr(scanRequest.UseCachedArtifacts); useCachedArtifacts.Get() != nil && !*useCachedArtifacts.Get() {
+			scanInfo.UseArtifactsFrom = getter.DefaultLocalStore // Load files from cache (this will prevent kubescape fom downloading the artifacts every time)
+		}
 	}
 
-	if scanRequest.KeepLocal.Get() != nil {
-		scanInfo.Local = *scanRequest.KeepLocal.Get() // Load files from cache (this will prevent kubescape fom downloading the artifacts every time)
+	// KeepLocal
+	if scanRequest.KeepLocal != nil {
+		if keepLocal := cautils.NewBoolPtr(scanRequest.KeepLocal); keepLocal.Get() != nil {
+			scanInfo.Local = *keepLocal.Get() // Load files from cache (this will prevent kubescape fom downloading the artifacts every time)
+		}
 	}
-	if scanRequest.Submit.Get() != nil {
-		scanInfo.Submit = *scanRequest.Submit.Get()
+
+	// submit
+	if scanRequest.Submit != nil {
+		if submit := cautils.NewBoolPtr(scanRequest.Submit); submit.Get() != nil {
+			scanInfo.Submit = *submit.Get()
+		}
+	}
+
+	// host scanner
+	if scanRequest.HostScanner != nil {
+		scanInfo.HostSensorEnabled = cautils.NewBoolPtr(scanRequest.HostScanner)
 	}
-	scanInfo.HostSensorEnabled = scanRequest.HostScanner
 
 	return scanInfo
 }
+
+func setTargetInScanInfo(scanRequest *utilsmetav1.PostScanRequest, scanInfo *cautils.ScanInfo) {
+	if scanRequest.TargetType != "" && len(scanRequest.TargetNames) > 0 {
+		if strings.EqualFold(string(scanRequest.TargetType), string(reporthandling.KindFramework)) {
+			scanRequest.TargetType = apisv1.KindFramework
+			scanInfo.FrameworkScan = true
+			scanInfo.ScanAll = false
+			if cautils.StringInSlice(scanRequest.TargetNames, "all") != cautils.ValueNotFound { // if scan all frameworks
+				scanRequest.TargetNames = []string{}
+				scanInfo.ScanAll = true
+			}
+		} else if strings.EqualFold(string(scanRequest.TargetType), string(reporthandling.KindControl)) {
+			scanRequest.TargetType = apisv1.KindControl
+			scanInfo.ScanAll = false
+		} else {
+			// unknown policy kind - set scan all
+			scanInfo.FrameworkScan = true
+			scanInfo.ScanAll = true
+			scanRequest.TargetNames = []string{}
+		}
+		scanInfo.SetPolicyIdentifiers(scanRequest.TargetNames, scanRequest.TargetType)
+	} else {
+		scanInfo.FrameworkScan = true
+		scanInfo.ScanAll = true
+	}
+}

httphandler/handlerequests/v1/datastructuremethods_test.go

@@ -0,0 +1,106 @@
+package v1
+
+import (
+	"testing"
+
+	"github.com/armosec/kubescape/v2/core/cautils"
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
+	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestToScanInfo(t *testing.T) {
+	{
+		req := &utilsmetav1.PostScanRequest{
+			TargetType:         apisv1.KindFramework,
+			Account:            "abc",
+			Logger:             "info",
+			Format:             "pdf",
+			FailThreshold:      50,
+			ExcludedNamespaces: []string{"kube-system", "kube-public"},
+			TargetNames:        []string{"nsa", "mitre"},
+		}
+		s := ToScanInfo(req)
+		assert.Equal(t, "abc", s.Account)
+		assert.Equal(t, "v2", s.FormatVersion)
+		assert.Equal(t, "pdf", s.Format)
+		assert.Equal(t, 2, len(s.PolicyIdentifier))
+		assert.Equal(t, "kube-system,kube-public", s.ExcludedNamespaces)
+
+		assert.False(t, s.HostSensorEnabled.GetBool())
+		assert.False(t, s.Local)
+		assert.False(t, s.Submit)
+		assert.False(t, s.ScanAll)
+		assert.True(t, s.FrameworkScan)
+		assert.Equal(t, "nsa", s.PolicyIdentifier[0].Name)
+		assert.Equal(t, reporthandling.KindFramework, s.PolicyIdentifier[0].Kind)
+		assert.Equal(t, "mitre", s.PolicyIdentifier[1].Name)
+		assert.Equal(t, reporthandling.KindFramework, s.PolicyIdentifier[1].Kind)
+	}
+	{
+		req := &utilsmetav1.PostScanRequest{
+			TargetType:        apisv1.KindControl,
+			TargetNames:       []string{"c-0001"},
+			IncludeNamespaces: []string{"kube-system", "kube-public"},
+		}
+		s := ToScanInfo(req)
+		assert.False(t, s.ScanAll)
+		assert.False(t, s.FrameworkScan)
+		assert.Equal(t, "kube-system,kube-public", s.IncludeNamespaces)
+		assert.Equal(t, "", s.ExcludedNamespaces)
+		assert.Equal(t, 1, len(s.PolicyIdentifier))
+		assert.Equal(t, "c-0001", s.PolicyIdentifier[0].Name)
+		assert.Equal(t, reporthandling.KindControl, s.PolicyIdentifier[0].Kind)
+	}
+	{
+		req := &utilsmetav1.PostScanRequest{}
+		s := ToScanInfo(req)
+		assert.True(t, s.ScanAll)
+		assert.True(t, s.FrameworkScan)
+	}
+}
+
+func TestSetTargetInScanInfo(t *testing.T) {
+	{
+		req := &utilsmetav1.PostScanRequest{
+			TargetType:  apisv1.KindFramework,
+			TargetNames: []string{"nsa", "mitre"},
+		}
+		scanInfo := &cautils.ScanInfo{}
+		setTargetInScanInfo(req, scanInfo)
+		assert.True(t, scanInfo.FrameworkScan)
+		assert.False(t, scanInfo.ScanAll)
+		assert.Equal(t, 2, len(scanInfo.PolicyIdentifier))
+	}
+	{
+		req := &utilsmetav1.PostScanRequest{
+			TargetType:  apisv1.KindFramework,
+			TargetNames: []string{"all"},
+		}
+		scanInfo := &cautils.ScanInfo{}
+		setTargetInScanInfo(req, scanInfo)
+		assert.True(t, scanInfo.FrameworkScan)
+		assert.True(t, scanInfo.ScanAll)
+		assert.Equal(t, 0, len(scanInfo.PolicyIdentifier))
+	}
+	{
+		req := &utilsmetav1.PostScanRequest{}
+		scanInfo := &cautils.ScanInfo{}
+		setTargetInScanInfo(req, scanInfo)
+		assert.True(t, scanInfo.FrameworkScan)
+		assert.True(t, scanInfo.ScanAll)
+		assert.Equal(t, 0, len(scanInfo.PolicyIdentifier))
+	}
+	{
+		req := &utilsmetav1.PostScanRequest{
+			TargetType:  apisv1.KindControl,
+			TargetNames: []string{"c-0001"},
+		}
+		scanInfo := &cautils.ScanInfo{}
+		setTargetInScanInfo(req, scanInfo)
+		assert.False(t, scanInfo.FrameworkScan)
+		assert.False(t, scanInfo.ScanAll)
+		assert.Equal(t, 1, len(scanInfo.PolicyIdentifier))
+	}
+}

httphandler/handlerequests/v1/prometheus.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"path/filepath"
 
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
@@ -28,10 +29,12 @@ func (handler *HTTPHandler) Metrics(w http.ResponseWriter, r *http.Request) {
 	scanID := uuid.NewString()
 	handler.state.setID(scanID)
 
+	resultsFile := filepath.Join(OutputDir, scanID)
+
 	// trigger scanning
 	logger.L().Info(handler.state.getID(), helpers.String("action", "triggering scan"), helpers.Time())
 	ks := core.NewKubescape()
-	results, err := ks.Scan(getPrometheusDefaultScanCommand(scanID))
+	results, err := ks.Scan(getPrometheusDefaultScanCommand(scanID, resultsFile))
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Write([]byte(fmt.Sprintf("failed to complete scan. reason: %s", err.Error())))
@@ -40,26 +43,25 @@ func (handler *HTTPHandler) Metrics(w http.ResponseWriter, r *http.Request) {
 	results.HandleResults()
 	logger.L().Info(handler.state.getID(), helpers.String("action", "done scanning"), helpers.Time())
 
-	f, err := os.ReadFile(scanID)
-	// res, err := results.ToJson()
+	f, err := os.ReadFile(resultsFile)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Write([]byte(fmt.Sprintf("failed read results from file. reason: %s", err.Error())))
 		return
 	}
-	os.Remove(scanID)
+	os.Remove(resultsFile)
 
 	w.WriteHeader(http.StatusOK)
 	w.Write(f)
 }
 
-func getPrometheusDefaultScanCommand(scanID string) *cautils.ScanInfo {
+func getPrometheusDefaultScanCommand(scanID, resultsFile string) *cautils.ScanInfo {
 	scanInfo := defaultScanInfo()
 	scanInfo.FrameworkScan = true
 	scanInfo.ScanAll = true                                                        // scan all frameworks
 	scanInfo.ScanID = scanID                                                       // scan ID
 	scanInfo.FailThreshold = 100                                                   // Do not fail scanning
-	scanInfo.Output = scanID                                                       // results output
+	scanInfo.Output = resultsFile                                                  // results output
 	scanInfo.Format = envToString("KS_FORMAT", "prometheus")                       // default output should be json
 	scanInfo.HostSensorEnabled.SetBool(envToBool("KS_ENABLE_HOST_SCANNER", false)) // enable host scanner
 	return scanInfo

httphandler/handlerequests/v1/prometheus_test.go

@@ -1,6 +1,7 @@
 package v1
 
 import (
+	"path/filepath"
 	"testing"
 
 	"github.com/armosec/kubescape/v2/core/cautils/getter"
@@ -9,10 +10,11 @@ import (
 
 func TestGetPrometheusDefaultScanCommand(t *testing.T) {
 	scanID := "1234"
-	scanInfo := getPrometheusDefaultScanCommand(scanID)
+	outputFile := filepath.Join(OutputDir, scanID)
+	scanInfo := getPrometheusDefaultScanCommand(scanID, outputFile)
 
 	assert.Equal(t, scanID, scanInfo.ScanID)
-	assert.Equal(t, scanID, scanInfo.Output)
+	assert.Equal(t, outputFile, scanInfo.Output)
 	assert.Equal(t, "prometheus", scanInfo.Format)
 	// assert.False(t, *scanInfo.HostSensorEnabled.Get())
 	assert.Equal(t, getter.DefaultLocalStore, scanInfo.UseArtifactsFrom)

httphandler/handlerequests/v1/requestshandler.go

@@ -7,6 +7,9 @@ import (
 	"net/http"
 	"sync"
 
+	utilsapisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
+
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
 	"github.com/armosec/kubescape/v2/core/cautils/logger/helpers"
 	"github.com/google/uuid"
@@ -26,21 +29,16 @@ func NewHTTPHandler() *HTTPHandler {
 }
 
 func (handler *HTTPHandler) Scan(w http.ResponseWriter, r *http.Request) {
-	defer func() {
-		if err := recover(); err != nil {
-			handler.state.setNotBusy()
-			logger.L().Error("Scan recover", helpers.Error(fmt.Errorf("%v", err)))
-			w.WriteHeader(http.StatusInternalServerError)
-			w.Write([]byte(fmt.Sprintf("%v", err)))
-		}
-	}()
+	response := utilsmetav1.Response{}
+	w.Header().Set("Content-Type", "application/json")
+
+	defer handler.recover(w)
 
 	defer r.Body.Close()
 
 	switch r.Method {
 	case http.MethodGet: // return request template
-		json.NewEncoder(w).Encode(PostScanRequest{})
-		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(utilsmetav1.PostScanRequest{})
 		w.WriteHeader(http.StatusOK)
 		return
 	case http.MethodPost:
@@ -50,8 +48,11 @@ func (handler *HTTPHandler) Scan(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if handler.state.isBusy() {
-		w.Write([]byte(handler.state.getID()))
 		w.WriteHeader(http.StatusOK)
+		response.Response = []byte(handler.state.getID())
+		response.ID = handler.state.getID()
+		response.Type = utilsapisv1.IDScanResponseType
+		w.Write(responseToBytes(&response))
 		return
 	}
 
@@ -60,32 +61,30 @@ func (handler *HTTPHandler) Scan(w http.ResponseWriter, r *http.Request) {
 	// generate id
 	scanID := uuid.NewString()
 	handler.state.setID(scanID)
+	response.ID = scanID
+	response.Type = utilsapisv1.IDScanResponseType
 
 	readBuffer, err := ioutil.ReadAll(r.Body)
 	if err != nil {
-		defer handler.state.setNotBusy()
-		w.WriteHeader(http.StatusBadRequest)
-		w.Write([]byte(fmt.Sprintf("failed to read request body, reason: %s", err.Error())))
+		handler.writeError(w, fmt.Errorf("failed to read request body, reason: %s", err.Error()))
 		return
 	}
-	scanRequest := PostScanRequest{}
+	scanRequest := utilsmetav1.PostScanRequest{}
 	if err := json.Unmarshal(readBuffer, &scanRequest); err != nil {
-		defer handler.state.setNotBusy()
-		w.WriteHeader(http.StatusBadRequest)
-		w.Write([]byte(fmt.Sprintf("failed to parse request payload, reason: %s", err.Error())))
+		handler.writeError(w, fmt.Errorf("failed to parse request payload, reason: %s", err.Error()))
 		return
 	}
 
-	response := []byte(scanID)
-
 	returnResults := r.URL.Query().Has("wait")
+	keepResults := r.URL.Query().Has("keep")
+
 	var wg sync.WaitGroup
 	if returnResults {
 		wg.Add(1)
 	} else {
 		wg.Add(0)
 	}
-
+	statusCode := http.StatusOK
 	go func() {
 		// execute scan in the background
 
@@ -95,46 +94,58 @@ func (handler *HTTPHandler) Scan(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			logger.L().Error("scanning failed", helpers.String("ID", scanID), helpers.Error(err))
 			if returnResults {
-				response = []byte(err.Error())
-				w.WriteHeader(http.StatusInternalServerError)
+				response.Type = utilsapisv1.ErrorScanResponseType
+				response.Response = []byte(err.Error())
+				statusCode = http.StatusInternalServerError
 			}
 		} else {
 			logger.L().Success("done scanning", helpers.String("ID", scanID))
 			if returnResults {
-				w.Header().Set("Content-Type", "application/json")
-				response = results
+				response.Type = utilsapisv1.ResultsV1ScanResponseType
+				response.Response = results
 				wg.Done()
 			}
 		}
+		if !keepResults {
+			logger.L().Debug("deleting results", helpers.String("ID", scanID))
+			removeResultsFile(scanID)
+		}
 		handler.state.setNotBusy()
 	}()
 
 	wg.Wait()
-	w.WriteHeader(http.StatusOK)
-	w.Write(response)
+
+	w.WriteHeader(statusCode)
+	w.Write(responseToBytes(&response))
 }
 func (handler *HTTPHandler) Results(w http.ResponseWriter, r *http.Request) {
-	defer func() {
-		if err := recover(); err != nil {
-			handler.state.setNotBusy()
-			logger.L().Error("Results recover", helpers.Error(fmt.Errorf("%v", err)))
-			w.WriteHeader(http.StatusInternalServerError)
-			w.Write([]byte(fmt.Sprintf("%v", err)))
-		}
-	}()
+	response := utilsmetav1.Response{}
+	w.Header().Set("Content-Type", "application/json")
+
+	defer handler.recover(w)
 
 	defer r.Body.Close()
 
 	var scanID string
-	if scanID = r.URL.Query().Get("scanID"); scanID == "" {
+	if scanID = r.URL.Query().Get("id"); scanID == "" {
 		scanID = handler.state.getLatestID()
 	}
+	if scanID == "" { // if no scan found
+		logger.L().Info("empty scan ID")
+		w.WriteHeader(http.StatusBadRequest) // Should we return ok?
+		response.Response = []byte("latest scan not found. trigger again")
+		response.Type = utilsapisv1.ErrorScanResponseType
+		w.Write(responseToBytes(&response))
+		return
+	}
+	response.ID = scanID
 
 	if handler.state.isBusy() { // if requested ID is still scanning
 		if scanID == handler.state.getID() {
 			logger.L().Info("scan in process", helpers.String("ID", scanID))
-			w.WriteHeader(http.StatusOK) // Should we return ok?
-			w.Write([]byte(handler.state.getID()))
+			w.WriteHeader(http.StatusOK)
+			response.Response = []byte("scanning in progress")
+			w.Write(responseToBytes(&response))
 			return
 		}
 	}
@@ -143,16 +154,20 @@ func (handler *HTTPHandler) Results(w http.ResponseWriter, r *http.Request) {
 	case http.MethodGet:
 		logger.L().Info("requesting results", helpers.String("ID", scanID))
 
-		if r.URL.Query().Has("remove") {
+		if !r.URL.Query().Has("keep") {
+			logger.L().Info("deleting results", helpers.String("ID", scanID))
 			defer removeResultsFile(scanID)
 		}
 		if res, err := readResultsFile(scanID); err != nil {
+			logger.L().Info("scan result not found", helpers.String("ID", scanID))
 			w.WriteHeader(http.StatusNoContent)
-			w.Write([]byte(err.Error()))
+			response.Response = []byte(err.Error())
 		} else {
+			logger.L().Info("scan result found", helpers.String("ID", scanID))
 			w.WriteHeader(http.StatusOK)
-			w.Write(res)
+			response.Response = res
 		}
+		w.Write(responseToBytes(&response))
 	case http.MethodDelete:
 		logger.L().Info("deleting results", helpers.String("ID", scanID))
 
@@ -175,3 +190,29 @@ func (handler *HTTPHandler) Live(w http.ResponseWriter, r *http.Request) {
 func (handler *HTTPHandler) Ready(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 }
+
+func responseToBytes(res *utilsmetav1.Response) []byte {
+	b, _ := json.Marshal(res)
+	return b
+}
+
+func (handler *HTTPHandler) recover(w http.ResponseWriter) {
+	response := utilsmetav1.Response{}
+	if err := recover(); err != nil {
+		handler.state.setNotBusy()
+		logger.L().Error("recover", helpers.Error(fmt.Errorf("%v", err)))
+		w.WriteHeader(http.StatusInternalServerError)
+		response.Response = []byte(fmt.Sprintf("%v", err))
+		response.Type = utilsapisv1.ErrorScanResponseType
+		w.Write(responseToBytes(&response))
+	}
+}
+
+func (handler *HTTPHandler) writeError(w http.ResponseWriter, err error) {
+	response := utilsmetav1.Response{}
+	w.WriteHeader(http.StatusBadRequest)
+	response.Response = []byte(err.Error())
+	response.Type = utilsapisv1.ErrorScanResponseType
+	w.Write(responseToBytes(&response))
+	handler.state.setNotBusy()
+}

httphandler/handlerequests/v1/requestshandlerutil_test.go

@@ -0,0 +1,34 @@
+package v1
+
+import (
+	"testing"
+
+	apisv1 "github.com/armosec/opa-utils/httpserver/apis/v1"
+	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDefaultScanInfo(t *testing.T) {
+	s := defaultScanInfo()
+
+	assert.Equal(t, "", s.Account)
+	assert.Equal(t, "v2", s.FormatVersion)
+	assert.Equal(t, "json", s.Format)
+	assert.False(t, s.HostSensorEnabled.GetBool())
+	assert.False(t, s.Local)
+	assert.False(t, s.Submit)
+}
+
+func TestGetScanCommand(t *testing.T) {
+	req := utilsmetav1.PostScanRequest{
+		TargetType: apisv1.KindFramework,
+	}
+	s := getScanCommand(&req, "abc")
+	assert.Equal(t, "", s.Account)
+	assert.Equal(t, "abc", s.ScanID)
+	assert.Equal(t, "v2", s.FormatVersion)
+	assert.Equal(t, "json", s.Format)
+	assert.False(t, s.HostSensorEnabled.GetBool())
+	assert.False(t, s.Local)
+	assert.False(t, s.Submit)
+}

httphandler/handlerequests/v1/requestshandlerutils.go

@@ -4,32 +4,29 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-
-	pkgcautils "github.com/armosec/utils-go/utils"
+	"strings"
 
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/getter"
 	"github.com/armosec/kubescape/v2/core/core"
+	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
+	"github.com/armosec/utils-go/boolutils"
 )
 
-func scan(scanRequest *PostScanRequest, scanID string) ([]byte, error) {
+func scan(scanRequest *utilsmetav1.PostScanRequest, scanID string) ([]byte, error) {
 	scanInfo := getScanCommand(scanRequest, scanID)
 
 	ks := core.NewKubescape()
 	result, err := ks.Scan(scanInfo)
 	if err != nil {
-		f, e := os.Open(filepath.Join(FailedOutputDir, scanID))
-		if e != nil {
-			return []byte{}, fmt.Errorf("failed to scan. reason: '%s'. failed to save error in file. reason: %s", err.Error(), e.Error())
-		}
-		defer f.Close()
-		f.Write([]byte(e.Error()))
-
+		return []byte{}, writeScanErrorToFile(err, scanID)
+	}
+	if err := result.HandleResults(); err != nil {
+		return nil, err
 	}
-	result.HandleResults()
 	b, err := result.ToJson()
 	if err != nil {
-		err = fmt.Errorf("failed to parse results to json, reason: %s", err.Error())
+		err = fmt.Errorf("failed to parse scan results to json, reason: %s", err.Error())
 	}
 	return b, err
 }
@@ -62,21 +59,25 @@ func searchFile(fileID string) string {
 }
 
 func findFile(targetDir string, fileName string) (string, error) {
-
-	matches, err := filepath.Glob(filepath.Join(targetDir, fileName))
+	var files []string
+	err := filepath.Walk(targetDir, func(path string, info os.FileInfo, err error) error {
+		files = append(files, path)
+		return nil
+	})
 	if err != nil {
 		return "", err
 	}
-
-	if len(matches) != 0 {
-		return matches[0], nil
+	for i := range files {
+		if strings.Contains(files[i], fileName) {
+			return files[i], nil
+		}
 	}
 	return "", nil
 }
 
-func getScanCommand(scanRequest *PostScanRequest, scanID string) *cautils.ScanInfo {
+func getScanCommand(scanRequest *utilsmetav1.PostScanRequest, scanID string) *cautils.ScanInfo {
 
-	scanInfo := scanRequest.ToScanInfo()
+	scanInfo := ToScanInfo(scanRequest)
 	scanInfo.ScanID = scanID
 
 	// *** start ***
@@ -98,14 +99,15 @@ func getScanCommand(scanRequest *PostScanRequest, scanID string) *cautils.ScanIn
 func defaultScanInfo() *cautils.ScanInfo {
 	scanInfo := &cautils.ScanInfo{}
 	scanInfo.FailThreshold = 100
-	scanInfo.Account = envToString("KS_ACCOUNT", "")                              // publish results to Kubescape SaaS
-	scanInfo.ExcludedNamespaces = envToString("KS_EXCLUDE_NAMESPACES", "")        // namespace to exclude
-	scanInfo.IncludeNamespaces = envToString("KS_INCLUDE_NAMESPACES", "")         // namespace to include
-	scanInfo.FormatVersion = envToString("KS_FORMAT_VERSION", "v2")               // output format version
-	scanInfo.Format = envToString("KS_FORMAT", "json")                            // default output should be json
-	scanInfo.Submit = envToBool("KS_SUBMIT", false)                               // publish results to Kubescape SaaS
-	scanInfo.HostSensorEnabled.SetBool(envToBool("KS_ENABLE_HOST_SCANNER", true)) // enable host scanner
-	scanInfo.Local = envToBool("KS_KEEP_LOCAL", false)                            // do not publish results to Kubescape SaaS
+	scanInfo.Account = envToString("KS_ACCOUNT", "")                               // publish results to Kubescape SaaS
+	scanInfo.ExcludedNamespaces = envToString("KS_EXCLUDE_NAMESPACES", "")         // namespace to exclude
+	scanInfo.HostSensorYamlPath = envToString("KS_HOST_SCAN_YAML", "")             // namespace to exclude
+	scanInfo.IncludeNamespaces = envToString("KS_INCLUDE_NAMESPACES", "")          // namespace to include
+	scanInfo.FormatVersion = envToString("KS_FORMAT_VERSION", "v2")                // output format version
+	scanInfo.Format = envToString("KS_FORMAT", "json")                             // default output should be json
+	scanInfo.Submit = envToBool("KS_SUBMIT", false)                                // publish results to Kubescape SaaS
+	scanInfo.HostSensorEnabled.SetBool(envToBool("KS_ENABLE_HOST_SCANNER", false)) // enable host scanner
+	scanInfo.Local = envToBool("KS_KEEP_LOCAL", false)                             // do not publish results to Kubescape SaaS
 	if !envToBool("KS_DOWNLOAD_ARTIFACTS", false) {
 		scanInfo.UseArtifactsFrom = getter.DefaultLocalStore // Load files from cache (this will prevent kubescape fom downloading the artifacts every time)
 	}
@@ -114,7 +116,7 @@ func defaultScanInfo() *cautils.ScanInfo {
 
 func envToBool(env string, defaultValue bool) bool {
 	if d, ok := os.LookupEnv(env); ok {
-		return pkgcautils.StringToBool(d)
+		return boolutils.StringToBool(d)
 	}
 	return defaultValue
 }
@@ -125,3 +127,19 @@ func envToString(env string, defaultValue string) string {
 	}
 	return defaultValue
 }
+
+func writeScanErrorToFile(err error, scanID string) error {
+	if e := os.MkdirAll(filepath.Dir(FailedOutputDir), os.ModePerm); e != nil {
+		return fmt.Errorf("failed to scan. reason: '%s'. failed to save error in file - failed to create directory. reason: %s", err.Error(), e.Error())
+	}
+	f, e := os.Create(filepath.Join(FailedOutputDir, scanID))
+	if e != nil {
+		return fmt.Errorf("failed to scan. reason: '%s'. failed to save error in file - failed to open file for writing. reason: %s", err.Error(), e.Error())
+	}
+	defer f.Close()
+
+	if _, e := f.Write([]byte(err.Error())); e != nil {
+		return fmt.Errorf("failed to scan. reason: '%s'. failed to save error in file - failed to write. reason: %s", err.Error(), e.Error())
+	}
+	return fmt.Errorf("failed to scan. reason: '%s'", err.Error())
+}

httphandler/listener/init.go

@@ -0,0 +1,32 @@
+package listener
+
+import (
+	"os"
+
+	"github.com/armosec/kubescape/v2/core/cautils/getter"
+	"github.com/armosec/kubescape/v2/core/cautils/logger"
+	"github.com/armosec/kubescape/v2/core/cautils/logger/zaplogger"
+)
+
+func initialize() error {
+	logger.InitLogger(zaplogger.LoggerName)
+
+	initializeSaaSEnv()
+	return nil
+}
+
+func initializeSaaSEnv() {
+
+	saasEnv := os.Getenv("KS_SAAS_ENV")
+	switch saasEnv {
+	case "dev", "development":
+		logger.L().Debug("setting dev env")
+		getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
+	case "stage", "staging":
+		logger.L().Debug("setting staging env")
+		getter.SetARMOAPIConnector(getter.NewARMOAPIStaging())
+	default:
+		logger.L().Debug("setting prod env")
+		getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
+	}
+}

httphandler/listener/setup.go

@@ -9,7 +9,6 @@ import (
 	"github.com/armosec/kubescape/v2/core/cautils"
 	"github.com/armosec/kubescape/v2/core/cautils/logger"
 	"github.com/armosec/kubescape/v2/core/cautils/logger/helpers"
-	"github.com/armosec/kubescape/v2/core/cautils/logger/zaplogger"
 	handlerequestsv1 "github.com/armosec/kubescape/v2/httphandler/handlerequests/v1"
 	"github.com/gorilla/mux"
 )
@@ -24,7 +23,7 @@ const (
 
 // SetupHTTPListener set up listening http servers
 func SetupHTTPListener() error {
-	logger.InitLogger(zaplogger.LoggerName)
+	initialize()
 
 	keyPair, err := loadTLSKey("", "") // TODO - support key and crt files
 	if err != nil {