Merge remote-tracking branch 'armosec/dev'

* Correcting Punctuation

* Recorrect

.github/workflows/community.yml

@@ -17,6 +17,6 @@ jobs:
       - uses: EddieHubCommunity/gh-action-community/src/welcome@main
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          issue-message: '<h3>Hey, Welcome to this repo, Congratulations on opening your issue. Keep Contributing to Kubescape</h3>'
-          pr-message: '<h3>Hey, Welcome to this repo, Congratulations on opening your Pull Request. Keep Contributing to Kubescape</h3>'
-          footer: '<h4>We''ll try to review and add you work as soon as possible and a maintainer will get back to you soon!</h4>'
+          issue-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and reporting an issue</h3>'
+          pr-message: '<h3>Hi! Welcome to Kubescape. Thank you for taking the time and contributing to the open source community</h3>'
+          footer: '<h4>We will try to review as soon as possible!</h4>'

.gitignore

@@ -1,7 +1,7 @@
 *.vs*
 *kubescape*
 *debug*
-*vender*
+*vendor*
 *.pyc*
 .idea
 .history

README.md

@@ -11,7 +11,7 @@
 :sunglasses: [Want to contribute?](#being-a-part-of-the-team) :innocent: 
 
 
-Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning. 
+Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. 
 Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
 
 It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources.
@@ -30,14 +30,14 @@ Kubescape integrates natively with other DevOps tools, including Jenkins, Circle
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
+*OR:*
+
 [Install on windows](#install-on-windows)
 
 [Install on macOS](#install-on-macos)
 
 [Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
 
-[Install using Go](#install-using-go)
-
 ## Run:
 ```sh
 kubescape scan --submit --enable-host-scan --verbose
@@ -57,8 +57,12 @@ kubescape scan --submit --enable-host-scan --verbose
 
 # Being a part of the team
 
-We invite you to our team! We are excited about this project and want to return the love we get.
+## Community
+We invite you to our community! We are excited about this project and want to return the love we get.
 
+We hold community meetings in [Zoom](https://us02web.zoom.us/j/84020231442) on the first Tuesday of every month at 14:00 GMT! :sunglasses:
+
+## Contributions 
 [Want to contribute?](https://github.com/kubescape/kubescape/blob/master/CONTRIBUTING.md) Want to discuss something? Have an issue? Please make sure that you follow our [Code Of Conduct](https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md) . 
 
 * Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
@@ -233,6 +237,12 @@ kubescape scan --format pdf --output results.pdf
 kubescape scan --format prometheus
 ```
 
+#### Output in `html` format
+
+```
+kubescape scan --format html --output results.html
+```
+
 #### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
 [Full documentation](examples/exceptions/README.md)
 ```
@@ -245,6 +255,12 @@ kubescape scan </path/to/directory> --submit
 ```
 > Kubescape will load the default value file
 
+#### Scan Kustomize Directory 
+```
+kubescape scan </path/to/directory> --submit
+```
+> Kubescape will generate Kubernetes Yaml Objects using 'Kustomize' file and scans them for security.
+
 ### Offline/Air-gaped Environment Support
 
 [Video tutorial](https://youtu.be/IGXL9s37smM)
@@ -355,6 +371,28 @@ View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using k
 
 </details>
 
+## Build on pre-configured killercoda's ubuntu playground
+
+* [Pre-configured Killercoda's Ubuntu Playground](https://killercoda.com/suhas-gumma/scenario/kubescape-build-for-development)
+
+<details><summary> Pre-programmed actions executed by the playground </summary>
+
+
+* Clone the official GitHub repository of `Kubescape`.
+* [Automate the build process on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
+* The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
+
+</details>
+
+<details>
+<summary>Instructions to use the playground</summary>
+
+* Apply changes you wish to make to the kubescape directory using text editors like `Vim`.
+* [Build on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
+* Now, you can use Kubescape just like a normal user. Instead of using `kubescape`, use `./kubescape`. (Make sure you are inside kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`)
+
+</details>
+
 ## VS code configuration samples
 
 You can use the sample files below to setup your VS code environment for building and debugging purposes.

build/Dockerfile

@@ -35,15 +35,15 @@ RUN /work/build/ubuntu-latest/kubescape download artifacts -o /work/artifacts
 
 FROM alpine:3.16.2
 
-RUN addgroup -S armo && adduser -S armo -G armo
+RUN addgroup -S ks && adduser -S ks -G ks
 
-COPY --from=builder /work/artifacts/ /home/armo/.kubescape
+COPY --from=builder /work/artifacts/ /home/ks/.kubescape
 
-RUN chown -R armo:armo /home/armo/.kubescape
+RUN chown -R ks:ks /home/ks/.kubescape
 
-USER armo
+USER ks
 
-WORKDIR /home/armo
+WORKDIR /home/ks
 
 COPY --from=builder /work/httphandler/build/ubuntu-latest/kubescape /usr/bin/ksserver
 COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape

cmd/delete/exceptions.go

@@ -22,6 +22,11 @@ func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command
 			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationDelete(deleteInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
 			exceptionsNames := strings.Split(args[0], ";")
 			if len(exceptionsNames) == 0 {
 				logger.L().Fatal("missing exceptions names")
@@ -32,3 +37,10 @@ func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command
 		},
 	}
 }
+
+// Check if the flag entered are valid
+func flagValidationDelete(deleteInfo *v1.Delete) error {
+
+	// Validate the user's credentials
+	return deleteInfo.Credentials.Validate()
+}

cmd/download/download.go

@@ -17,7 +17,7 @@ var (
 	downloadExample = `
   # Download all artifacts and save them in the default path (~/.kubescape)
   kubescape download artifacts
-  download
+  
   # Download all artifacts and save them in /tmp path
   kubescape download artifacts --output /tmp
   
@@ -59,6 +59,10 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := flagValidationDownload(&downloadInfo); err != nil {
+				return err
+			}
+
 			if filepath.Ext(downloadInfo.Path) == ".json" {
 				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
 			}
@@ -80,3 +84,10 @@ func GeDownloadCmd(ks meta.IKubescape) *cobra.Command {
 
 	return downloadCmd
 }
+
+// Check if the flag entered are valid
+func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
+
+	// Validate the user's credentials
+	return downloadInfo.Credentials.Validate()
+}

cmd/list/list.go

@@ -51,6 +51,11 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationList(&listPolicies); err != nil {
+				return err
+			}
+
 			listPolicies.Target = args[0]
 
 			if err := ks.List(&listPolicies); err != nil {
@@ -67,3 +72,10 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 
 	return listCmd
 }
+
+// Check if the flag entered are valid
+func flagValidationList(listPolicies *v1.ListPolicies) error {
+
+	// Validate the user's credentials
+	return listPolicies.Credentials.Validate()
+}

cmd/scan/control.go

@@ -58,6 +58,10 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
+				return err
+			}
+			
 			// flagValidationControl(scanInfo)
 			scanInfo.PolicyIdentifier = []cautils.PolicyIdentifier{}
 
@@ -88,6 +92,10 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 
 			scanInfo.FrameworkScan = false
 
+			if err := validateControlScanInfo(scanInfo); err != nil {
+				return err
+			}
+
 			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
@@ -101,7 +109,19 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+			enforceSeverityThresholds(&results.GetResults().SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
+
 			return nil
 		},
 	}
 }
+
+// validateControlScanInfo validates the ScanInfo struct for the `control` command
+func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/scan/framework.go

@@ -1,12 +1,15 @@
 package scan
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -36,6 +39,8 @@ var (
 
   Run 'kubescape list frameworks' for the list of supported frameworks
 `
+
+	ErrUnknownSeverity = errors.New("unknown severity")
 )
 
 func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
@@ -62,7 +67,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
-			if err := flagValidationFramework(scanInfo); err != nil {
+			if err := validateFrameworkScanInfo(scanInfo); err != nil {
 				return err
 			}
 			scanInfo.FrameworkScan = true
@@ -113,17 +118,95 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+
+			enforceSeverityThresholds(&results.GetData().Report.SummaryDetails.SeverityCounters, scanInfo, terminateOnExceedingSeverity)
 			return nil
 		},
 	}
 }
 
-func flagValidationFramework(scanInfo *cautils.ScanInfo) error {
+// countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
+func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
+	targetSeverity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(targetSeverity); err != nil {
+		return false, err
+	}
+
+	getFailedResourcesFuncsBySeverity := []struct {
+		SeverityName       string
+		GetFailedResources func() int
+	}{
+		{reporthandlingapis.SeverityLowString, severityCounters.NumberOfResourcesWithLowSeverity},
+		{reporthandlingapis.SeverityMediumString, severityCounters.NumberOfResourcesWithMediumSeverity},
+		{reporthandlingapis.SeverityHighString, severityCounters.NumberOfResourcesWithHighSeverity},
+		{reporthandlingapis.SeverityCriticalString, severityCounters.NumberOfResourcesWithCriticalSeverity},
+	}
+
+	targetSeverityIdx := 0
+	for idx, description := range getFailedResourcesFuncsBySeverity {
+		if strings.EqualFold(description.SeverityName, targetSeverity) {
+			targetSeverityIdx = idx
+			break
+		}
+	}
+
+	for _, description := range getFailedResourcesFuncsBySeverity[targetSeverityIdx:] {
+		failedResourcesCount := description.GetFailedResources()
+		if failedResourcesCount > 0 {
+			return true, nil
+		}
+	}
+
+	return false, nil
+
+}
+
+// terminateOnExceedingSeverity terminates the application on exceeding severity
+func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l logger.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+}
+
+// enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
+//
+// The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
+func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo, onExceed func(*cautils.ScanInfo, logger.ILogger)) {
+	// If a severity threshold is not set, we don’t need to enforce it
+	if scanInfo.FailThresholdSeverity == "" {
+		return
+	}
+
+	if val, err := countersExceedSeverityThreshold(severityCounters, scanInfo); val && err == nil {
+		onExceed(scanInfo, logger.L())
+	} else if err != nil {
+		logger.L().Fatal(err.Error())
+	}
+}
+
+// validateSeverity returns an error if a given severity is not known, nil otherwise
+func validateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+// validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
+func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
 	if scanInfo.Submit && scanInfo.Local {
 		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
 	}
 	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
 		return fmt.Errorf("bad argument: out of range threshold")
 	}
-	return nil
+
+	severity := scanInfo.FailThresholdSeverity
+	if err := validateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+
+	// Validate the user's credentials
+	return scanInfo.Credentials.Validate()
 }

cmd/scan/scan.go

@@ -10,7 +10,7 @@ import (
 )
 
 var scanCmdExamples = `
-  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defind frameworks 
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
   # Scan current cluster with all frameworks
   kubescape scan --submit --enable-host-scan --verbose
@@ -71,7 +71,10 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
+
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
+
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html"`)
 	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to ARMO backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
@@ -82,7 +85,8 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to ARMO management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be differnet between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
+	scanCmd.PersistentFlags().StringVar(&scanInfo.CustomClusterName, "cluster-name", "", "Set the custom name of the cluster. Not same as the kube-context flag")
 
 	// Deprecated flags - remove 1.May.2022
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")

cmd/scan/scan_test.go

@@ -0,0 +1,254 @@
+package scan
+
+import (
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestExceedsSeverity(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		ScanInfo         *cautils.ScanInfo
+		SeverityCounters reportsummary.ISeverityCounters
+		Want             bool
+		Error            error
+	}{
+		{
+			Description:      "Critical failed resource should exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Critical failed resource should exceed Critical threshold set as constant",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource should not exceed Critical threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "critical"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource does not exceed High threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "high"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource does not exceed Medium threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "medium"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             false,
+		},
+		{
+			Description:      "Critical failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "High failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithHighSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Medium failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithMediumSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Low failed resource exceeds Low threshold",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "low"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             true,
+		},
+		{
+			Description:      "Unknown severity returns an error",
+			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
+			SeverityCounters: &reportsummary.SeverityCounters{ResourcesWithLowSeverityCounter: 1},
+			Want:             false,
+			Error:            ErrUnknownSeverity,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			got, err := countersExceedSeverityThreshold(testCase.SeverityCounters, testCase.ScanInfo)
+			want := testCase.Want
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+
+			if err != testCase.Error {
+				t.Errorf(`got error "%v", want "%v"`, err, testCase.Error)
+			}
+		})
+	}
+}
+
+func Test_enforceSeverityThresholds(t *testing.T) {
+	testCases := []struct {
+		Description      string
+		SeverityCounters *reportsummary.SeverityCounters
+		ScanInfo         *cautils.ScanInfo
+		Want             bool
+	}{
+		{
+			"Exceeding Critical severity counter should call the terminating function",
+			&reportsummary.SeverityCounters{ResourcesWithCriticalSeverityCounter: 1},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			true,
+		},
+		{
+			"Non-exceeding severity counter should call not the terminating function",
+			&reportsummary.SeverityCounters{},
+			&cautils.ScanInfo{FailThresholdSeverity: apis.SeverityCriticalString},
+			false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				severityCounters := tc.SeverityCounters
+				scanInfo := tc.ScanInfo
+				want := tc.Want
+
+				got := false
+				onExceed := func(*cautils.ScanInfo, logger.ILogger) {
+					got = true
+				}
+
+				enforceSeverityThresholds(severityCounters, scanInfo, onExceed)
+
+				if got != want {
+					t.Errorf("got: %v, want %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)    {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)   {}
+func (l *spyLogger) SetLevel(level string) error                     { return nil }
+func (l *spyLogger) GetLevel() string                                { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                            {}
+func (l *spyLogger) GetWriter() *os.File                             { return &os.File{} }
+func (l *spyLogger) LoggerName() string                              { return "" }
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func Test_terminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				terminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}

cmd/scan/validators_test.go

@@ -0,0 +1,115 @@
+package scan
+
+import (
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"testing"
+)
+
+// Test_validateControlScanInfo tests how scan info is validated for the `scan control` command
+func Test_validateControlScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateControlScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+// Test_validateFrameworkScanInfo tests how scan info is validated for the `scan framework` command
+func Test_validateFrameworkScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity should be valid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"Unknown severity should be invalid for scan info",
+			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := validateFrameworkScanInfo(tc.ScanInfo)
+
+				if got != want {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func Test_validateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := validateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}

cmd/submit/exceptions.go

@@ -21,6 +21,11 @@ func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Comm
 			return nil
 		},
 		Run: func(cmd *cobra.Command, args []string) {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
 			if err := ks.SubmitExceptions(&submitInfo.Credentials, args[0]); err != nil {
 				logger.L().Fatal(err.Error())
 			}

cmd/submit/rbac.go

@@ -37,10 +37,14 @@ func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 		Long:    ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
 
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
 			k8s := k8sinterface.NewKubernetesApi()
 
 			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
 			if err := clusterConfig.SetTenant(); err != nil {
 				logger.L().Error("failed setting account ID", helpers.Error(err))
 			}
@@ -77,9 +81,16 @@ func getKubernetesApi() *k8sinterface.KubernetesApi {
 	}
 	return k8sinterface.NewKubernetesApi()
 }
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
 	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName)
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName)
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
+}
+
+// Check if the flag entered are valid
+func flagValidationSubmit(submitInfo *v1.Submit) error {
+
+	// Validate the user's credentials
+	return submitInfo.Credentials.Validate()
 }

cmd/submit/results.go

@@ -54,6 +54,11 @@ func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 		Short: "Submit a pre scanned results file. The file must be in json format",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := flagValidationSubmit(submitInfo); err != nil {
+				return err
+			}
+
 			if len(args) == 0 {
 				return fmt.Errorf("missing results file")
 			}
@@ -61,7 +66,7 @@ func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
 			k8s := getKubernetesApi()
 
 			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", k8s)
+			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
 			if err := clusterConfig.SetTenant(); err != nil {
 				logger.L().Error("failed setting account ID", helpers.Error(err))
 			}

core/cautils/customerloader.go

@@ -91,7 +91,7 @@ type LocalConfig struct {
 }
 
 func NewLocalConfig(
-	backendAPI getter.IBackend, credentials *Credentials, clusterName string) *LocalConfig {
+	backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *LocalConfig {
 
 	lc := &LocalConfig{
 		backendAPI: backendAPI,
@@ -104,7 +104,10 @@ func NewLocalConfig(
 
 	updateCredentials(lc.configObj, credentials)
 
-	if clusterName != "" {
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		lc.configObj.ClusterName = AdoptCustomClusterName(customClusterName)
+	} else if clusterName != "" {
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
@@ -179,7 +182,7 @@ KS_ACCOUNT_ID
 KS_CLIENT_ID
 KS_SECRET_KEY
 
-TODO - supprot:
+TODO - support:
 KS_CACHE // path to cached files
 */
 type ClusterConfig struct {
@@ -190,7 +193,7 @@ type ClusterConfig struct {
 	configMapNamespace string
 }
 
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string) *ClusterConfig {
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *ClusterConfig {
 	// var configObj *ConfigObj
 	c := &ClusterConfig{
 		k8s:                k8s,
@@ -211,7 +214,10 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	}
 	updateCredentials(c.configObj, credentials)
 
-	if clusterName != "" {
+	// If a custom cluster name is provided then set that name, else use the cluster's original name
+	if customClusterName != "" {
+		c.configObj.ClusterName = AdoptCustomClusterName(customClusterName)
+	} else if clusterName != "" {
 		c.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
@@ -468,6 +474,19 @@ func DeleteConfigFile() error {
 	return os.Remove(ConfigFileFullPath())
 }
 
+// To check if the custom cluster name is valid:
+func AdoptCustomClusterName(customClusterName string) string {
+	is_alphanumeric := regexp.MustCompile(`^[a-zA-Z0-9]*$`).MatchString(customClusterName)
+
+	// Check it does not contain special-characters
+	if is_alphanumeric == false {
+		logger.L().Fatal("custom cluster name cannot contain special characters")
+	} else if len(customClusterName) >= 256 { // Check it contains less than 256 characters
+		logger.L().Fatal("custom cluster name cannot contain more than 255 characters")
+	}
+	return customClusterName
+}
+
 func AdoptClusterName(clusterName string) string {
 	re, err := regexp.Compile(`[^\w]+`)
 	if err != nil {

core/cautils/datastructures.go

@@ -17,6 +17,7 @@ type KSResources map[string][]string
 type OPASessionObj struct {
 	K8SResources          *K8SResources                                 // input k8s objects
 	ArmoResource          *KSResources                                  // input ARMO objects
+	AllPolicies           *Policies                                     // list of all frameworks
 	Policies              []reporthandling.Framework                    // list of frameworks to scan
 	AllResources          map[string]workloadinterface.IMetadata        // all scanned resources, map[<resource ID>]<resource>
 	ResourcesResult       map[string]resourcesresults.Result            // resources scan results, map[<resource ID>]<resource result>
@@ -24,7 +25,7 @@ type OPASessionObj struct {
 	ResourcesPrioritized  map[string]prioritization.PrioritizedResource // resources prioritization information, map[<resource ID>]<prioritized resource>
 	Report                *reporthandlingv2.PostureReport               // scan results v2 - Remove
 	Exceptions            []armotypes.PostureExceptionPolicy            // list of exceptions to apply on scan results
-	RegoInputData         RegoInputData                                 // input passed to rgo for scanning. map[<control name>][<input arguments>]
+	RegoInputData         RegoInputData                                 // input passed to rego for scanning. map[<control name>][<input arguments>]
 	Metadata              *reporthandlingv2.Metadata
 	InfoMap               map[string]apis.StatusInfo // Map errors of resources to StatusInfo
 	ResourceToControlsMap map[string][]string        // map[<apigroup/apiversion/resource>] = [<control_IDs>]

core/cautils/fileutils.go

@@ -30,7 +30,7 @@ const (
 	JSON_FILE_FORMAT FileFormat = "json"
 )
 
-// LoadResourcesFromHelmCharts scans a given path (recuresively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
+// LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
 func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
 	directories, _ := listDirs(basePath)
 	helmDirectories := make([]string, 0)
@@ -61,6 +61,41 @@ func LoadResourcesFromHelmCharts(basePath string) (map[string][]workloadinterfac
 	return sourceToWorkloads, sourceToChartName
 }
 
+// If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
+// generate yaml files using "Kustomize" & renders a map of workloads from those yaml files
+func LoadResourcesFromKustomizeDirectory(basePath string) (map[string][]workloadinterface.IMetadata, string) {
+	isKustomizeDirectory := IsKustomizeDirectory(basePath)
+	isKustomizeFile := IsKustomizeFile(basePath)
+	if ok := isKustomizeDirectory || isKustomizeFile; !ok {
+		return nil, ""
+	}
+
+	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
+	kustomizeDirectory := NewKustomizeDirectory(basePath)
+
+	var newBasePath string
+
+	if isKustomizeFile {
+		newBasePath = filepath.Dir(basePath)
+		logger.L().Info("Kustomize File Detected, Scanning the rendered Kubernetes Objects...")
+	} else {
+		newBasePath = basePath
+		logger.L().Info("Kustomize Directory Detected, Scanning the rendered Kubernetes Objects...")
+	}
+
+	wls, errs := kustomizeDirectory.GetWorkloads(newBasePath)
+	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
+
+	if len(errs) > 0 {
+		logger.L().Error(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
+	}
+
+	for k, v := range wls {
+		sourceToWorkloads[k] = v
+	}
+	return sourceToWorkloads, kustomizeDirectoryName
+}
+
 func LoadResourcesFromFiles(input, rootPath string) map[string][]workloadinterface.IMetadata {
 	files, errs := listFiles(input)
 	if len(errs) > 0 {
@@ -262,7 +297,7 @@ func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
 			return err
 		}
 
-		// listing only directotries
+		// listing only directories
 		if onlyDirectories {
 			if info.IsDir() {
 				if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {

core/cautils/getter/downloadreleasedpolicy.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/kubescape/opa-utils/gitregostore"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 // =======================================================================================================================
@@ -70,6 +71,14 @@ func (drp *DownloadReleasedPolicy) GetControlsInputs(clusterName string) (map[st
 	return defaultConfigInputs.Settings.PostureControlInputs, err
 }
 
+func (drp *DownloadReleasedPolicy) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	attackTracks, err := drp.gs.GetAttackTracks()
+	if err != nil {
+		return nil, err
+	}
+	return attackTracks, err
+}
+
 func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
 	fwNames, err := drp.gs.GetOPAFrameworksNamesList()
 	if len(fwNames) != 0 && err == nil {

core/cautils/getter/getpolicies.go

@@ -3,6 +3,7 @@ package getter
 import (
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 // supported listing
@@ -38,3 +39,7 @@ type IBackend interface {
 type IControlsInputsGetter interface {
 	GetControlsInputs(clusterName string) (map[string][]string, error)
 }
+
+type IAttackTracksGetter interface {
+	GetAttackTracks() ([]v1alpha1.AttackTrack, error)
+}

core/cautils/getter/kscloudapi.go

@@ -13,6 +13,7 @@ import (
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 )
 
 var (
@@ -147,6 +148,20 @@ func (api *KSCloudAPI) SetAccountID(accountID string) { api.accountID = accountI
 func (api *KSCloudAPI) SetClientID(clientID string)   { api.clientID = clientID }
 func (api *KSCloudAPI) SetSecretKey(secretKey string) { api.secretKey = secretKey }
 
+func (api *KSCloudAPI) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	respStr, err := api.Get(api.getAttackTracksURL(), nil)
+	if err != nil {
+		return nil, nil
+	}
+
+	attackTracks := []v1alpha1.AttackTrack{}
+	if err = JSONDecoder(respStr).Decode(&attackTracks); err != nil {
+		return nil, err
+	}
+
+	return attackTracks, err
+}
+
 func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
 	respStr, err := api.Get(api.getFrameworkURL(name), nil)
 	if err != nil {

core/cautils/getter/kscloudapiutils.go

@@ -28,6 +28,17 @@ func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
 	return u.String()
 }
 
+func (api *KSCloudAPI) getAttackTracksURL() string {
+	u := url.URL{}
+	u.Scheme, u.Host = parseHost(api.GetApiURL())
+	u.Path = "api/v1/attackTracks"
+	q := u.Query()
+	q.Add("customerGUID", api.getCustomerGUIDFallBack())
+	u.RawQuery = q.Encode()
+
+	return u.String()
+}
+
 func (api *KSCloudAPI) getListFrameworkURL() string {
 	u := url.URL{}
 	u.Scheme, u.Host = parseHost(api.GetApiURL())

core/cautils/kustomizedirectory.go

@@ -0,0 +1,115 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+
+	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+type KustomizeDirectory struct {
+	path string
+}
+
+// Used for checking if there is "Kustomization" file in the given Directory
+var kustomizationFileMatchers = [3]string{"kustomization.yml", "kustomization.yaml", "Kustomization"}
+
+func IsKustomizeDirectory(path string) bool {
+	if isDir := IsDir(path); !isDir {
+		return false
+	}
+
+	if lastChar := path[len(path)-1:]; lastChar != "/" {
+		path += "/"
+	}
+
+	matches := 0
+	for _, kustomizationFileMatcher := range kustomizationFileMatchers {
+		checkPath := path + kustomizationFileMatcher
+		if _, err := os.Stat(checkPath); err == nil {
+			matches++
+		}
+	}
+
+	switch matches {
+	case 0:
+		return false
+	case 1:
+		return true
+	default:
+		logger.L().Info("Multiple kustomize files found while checking Kustomize Directory")
+		return false
+	}
+}
+
+// Used for checking if the path is Kustomization file.
+func IsKustomizeFile(path string) bool {
+	fileName := filepath.Base(path)
+
+	for _, kustomizationFileMatcher := range kustomizationFileMatchers {
+		if fileName == kustomizationFileMatcher {
+			return true
+		}
+	}
+
+	return false
+}
+
+func NewKustomizeDirectory(path string) *KustomizeDirectory {
+	return &KustomizeDirectory{
+		path: path,
+	}
+}
+
+func GetKustomizeDirectoryName(path string) string {
+	if isKustomizeDirectory := IsKustomizeDirectory(path); !isKustomizeDirectory {
+		return ""
+	}
+	return filepath.Dir(path)
+}
+
+// Get Workloads, creates the yaml files(K8s resources) using Kustomize and
+// renders the workloads from the yaml files (k8s resources)
+func (kd *KustomizeDirectory) GetWorkloads(kustomizeDirectoryPath string) (map[string][]workloadinterface.IMetadata, []error) {
+
+	fSys := filesys.MakeFsOnDisk()
+	kustomizer := krusty.MakeKustomizer(krusty.MakeDefaultOptions())
+	resmap, err := kustomizer.Run(fSys, kustomizeDirectoryPath)
+
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	yml, err := resmap.AsYaml()
+
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	workloads := make(map[string][]workloadinterface.IMetadata, 0)
+	errs := []error{}
+
+	wls, e := ReadFile(yml, YAML_FILE_FORMAT)
+
+	if e != nil {
+		logger.L().Debug("failed to read rendered yaml file", helpers.String("file", kustomizeDirectoryPath), helpers.Error(e))
+	}
+
+	if len(wls) != 0 {
+		workloads[kustomizeDirectoryPath] = []workloadinterface.IMetadata{}
+		for i := range wls {
+			lw := localworkload.NewLocalWorkload(wls[i].GetObject())
+			lw.SetPath(kustomizeDirectoryPath)
+			workloads[kustomizeDirectoryPath] = append(workloads[kustomizeDirectoryPath], lw)
+		}
+	}
+
+	return workloads, errs
+
+}

core/cautils/rootinfo.go

@@ -1,5 +1,11 @@
 package cautils
 
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+)
+
 type RootInfo struct {
 	Logger       string // logger level
 	LoggerName   string // logger name ("pretty"/"zap"/"none")
@@ -17,3 +23,23 @@ type Credentials struct {
 	ClientID  string
 	SecretKey string
 }
+
+// To check if the user's credentials: accountID / clientID / secretKey are valid.
+func (credentials *Credentials) Validate() error {
+
+	// Check if the Account-ID is valid
+	if _, err := uuid.Parse(credentials.Account); credentials.Account != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+	// Check if the Client-ID is valid
+	if _, err := uuid.Parse(credentials.ClientID); credentials.ClientID != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+
+	// Check if the Secret-Key is valid
+	if _, err := uuid.Parse(credentials.SecretKey); credentials.SecretKey != "" && err != nil {
+		return fmt.Errorf("bad argument: account must be a valid UUID")
+	}
+
+	return nil
+}

core/cautils/rootinfo_test.go

@@ -0,0 +1,71 @@
+package cautils
+
+import "testing"
+
+func TestCredentials_Validate(t *testing.T) {
+	type fields struct {
+		Account   string
+		ClientID  string
+		SecretKey string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		wantErr bool
+	}{
+		{
+			name: "valid account ID",
+			fields: fields{
+				Account: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid account ID",
+			fields: fields{
+				Account: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid client ID",
+			fields: fields{
+				ClientID: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid client ID",
+			fields: fields{
+				ClientID: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid secret key",
+			fields: fields{
+				SecretKey: "22019933-feac-4012-a8eb-e81461ba6655",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid secret key",
+			fields: fields{
+				SecretKey: "22019933-feac-4012-a8eb-e81461ba665",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			credentials := &Credentials{
+				Account:   tt.fields.Account,
+				ClientID:  tt.fields.ClientID,
+				SecretKey: tt.fields.SecretKey,
+			}
+			if err := credentials.Validate(); (err != nil) != tt.wantErr {
+				t.Errorf("Credentials.Validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

core/cautils/scaninfo.go

@@ -100,38 +100,41 @@ type PolicyIdentifier struct {
 }
 
 type ScanInfo struct {
-	Getters                               // TODO - remove from object
-	PolicyIdentifier   []PolicyIdentifier // TODO - remove from object
-	UseExceptions      string             // Load file with exceptions configuration
-	ControlsInputs     string             // Load file with inputs for controls
-	UseFrom            []string           // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool               // Load framework from cached file (instead of download). Use when running offline
-	UseArtifactsFrom   string             // Load artifacts from local path. Use when running offline
-	VerboseMode        bool               // Display all of the input resources and not only failed resources
-	View               string             // Display all of the input resources and not only failed resources
-	Format             string             // Format results (table, json, junit ...)
-	Output             string             // Store results in an output file, Output file name
-	FormatVersion      string             // Output object can be differnet between versions, this is for testing and backward compatibility
-	ExcludedNamespaces string             // used for host scanner namespace
-	IncludeNamespaces  string             //
-	InputPatterns      []string           // Yaml files input patterns
-	Silent             bool               // Silent mode - Do not print progress logs
-	FailThreshold      float32            // Failure score threshold
-	Submit             bool               // Submit results to Kubescape Cloud BE
-	ScanID             string             // Report id of the current scan
-	HostSensorEnabled  BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
-	HostSensorYamlPath string             // Path to hostsensor file
-	Local              bool               // Do not submit results
-	Credentials        Credentials        // account ID
-	KubeContext        string             // context name
-	FrameworkScan      bool               // false if scanning control
-	ScanAll            bool               // true if scan all frameworks
+	Getters                                  // TODO - remove from object
+	PolicyIdentifier      []PolicyIdentifier // TODO - remove from object
+	UseExceptions         string             // Load file with exceptions configuration
+	ControlsInputs        string             // Load file with inputs for controls
+	UseFrom               []string           // Load framework from local file (instead of download). Use when running offline
+	UseDefault            bool               // Load framework from cached file (instead of download). Use when running offline
+	UseArtifactsFrom      string             // Load artifacts from local path. Use when running offline
+	VerboseMode           bool               // Display all of the input resources and not only failed resources
+	View                  string             // Display all of the input resources and not only failed resources
+	Format                string             // Format results (table, json, junit ...)
+	Output                string             // Store results in an output file, Output file name
+	FormatVersion         string             // Output object can be differnet between versions, this is for testing and backward compatibility
+	CustomClusterName     string             // Set the custom name of the cluster
+	ExcludedNamespaces    string             // used for host scanner namespace
+	IncludeNamespaces     string             //
+	InputPatterns         []string           // Yaml files input patterns
+	Silent                bool               // Silent mode - Do not print progress logs
+	FailThreshold         float32            // Failure score threshold
+	FailThresholdSeverity string             // Severity at and above which the command should fail
+	Submit                bool               // Submit results to Kubescape Cloud BE
+	ScanID                string             // Report id of the current scan
+	HostSensorEnabled     BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
+	HostSensorYamlPath    string             // Path to hostsensor file
+	Local                 bool               // Do not submit results
+	Credentials           Credentials        // account ID
+	KubeContext           string             // context name
+	FrameworkScan         bool               // false if scanning control
+	ScanAll               bool               // true if scan all frameworks
 }
 
 type Getters struct {
 	ExceptionsGetter     getter.IExceptionsGetter
 	ControlsInputsGetter getter.IControlsInputsGetter
 	PolicyGetter         getter.IPolicyGetter
+	AttackTracksGetter   getter.IAttackTracksGetter
 }
 
 func (scanInfo *ScanInfo) Init() {
@@ -205,13 +208,6 @@ func (scanInfo *ScanInfo) setOutputFile() {
 	}
 }
 
-// func (scanInfo *ScanInfo) GetScanningEnvironment() string {
-// 	if len(scanInfo.InputPatterns) != 0 {
-// 		return ScanLocalFiles
-// 	}
-// 	return ScanCluster
-// }
-
 func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind apisv1.NotificationPolicyKind) {
 	for _, policy := range policies {
 		if !scanInfo.contains(policy) {

core/core/cachedconfig.go

@@ -8,7 +8,7 @@ import (
 
 func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
 
-	tenant := getTenantConfig(nil, "", getKubernetesApi())
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi())
 
 	if setConfig.Account != "" {
 		tenant.GetConfigObj().AccountID = setConfig.Account
@@ -25,13 +25,13 @@ func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
 
 // View cached configurations
 func (ks *Kubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
-	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
 	fmt.Fprintf(viewConfig.Writer, "%s\n", tenant.GetConfigObj().Config())
 	return nil
 }
 
 func (ks *Kubescape) DeleteCachedConfig(deleteConfig *metav1.DeleteConfig) error {
 
-	tenant := getTenantConfig(nil, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
 	return tenant.DeleteCachedConfig()
 }

core/core/delete.go

@@ -12,7 +12,7 @@ import (
 func (ks *Kubescape) DeleteExceptions(delExceptions *v1.DeleteExceptions) error {
 
 	// load cached config
-	getTenantConfig(&delExceptions.Credentials, "", getKubernetesApi())
+	getTenantConfig(&delExceptions.Credentials, "", "", getKubernetesApi())
 
 	// login kubescape SaaS
 	ksCloudAPI := getter.GetKSCloudAPIConnector()

core/core/download.go

@@ -80,7 +80,7 @@ func downloadArtifacts(downloadInfo *metav1.DownloadInfo) error {
 }
 
 func downloadConfigInputs(downloadInfo *metav1.DownloadInfo) error {
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	controlsInputsGetter := getConfigInputsGetter(downloadInfo.Name, tenant.GetAccountID(), nil)
 	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetContextName())
@@ -104,7 +104,7 @@ func downloadConfigInputs(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
 	var err error
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	exceptionsGetter := getExceptionsGetter("")
 	exceptions := []armotypes.PostureExceptionPolicy{}
@@ -128,7 +128,7 @@ func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadFramework(downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), true, nil)
 
@@ -170,7 +170,7 @@ func downloadFramework(downloadInfo *metav1.DownloadInfo) error {
 
 func downloadControl(downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", getKubernetesApi())
+	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), false, nil)
 

core/core/initutils.go

@@ -25,11 +25,11 @@ func getKubernetesApi() *k8sinterface.KubernetesApi {
 	}
 	return k8sinterface.NewKubernetesApi()
 }
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
+func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
 	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName)
+		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName)
+	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 }
 
 func getExceptionsGetter(useExceptions string) getter.IExceptionsGetter {
@@ -223,3 +223,17 @@ func listFrameworksNames(policyGetter getter.IPolicyGetter) []string {
 	}
 	return getter.NativeFrameworks
 }
+
+func getAttackTracksGetter(accountID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IAttackTracksGetter {
+	if accountID != "" {
+		g := getter.GetKSCloudAPIConnector() // download attack tracks from Kubescape Cloud backend
+		return g
+	}
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil {
+		logger.L().Warning("failed to get attack tracks from github release, this may affect the scanning results", helpers.Error(err))
+	}
+	return downloadReleasedPolicy
+}

core/core/list.go

@@ -44,14 +44,14 @@ func (ks *Kubescape) List(listPolicies *metav1.ListPolicies) error {
 }
 
 func listFrameworks(listPolicies *metav1.ListPolicies) ([]string, error) {
-	tenant := getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi()) // change k8sinterface
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), true, nil)
 
 	return listFrameworksNames(g), nil
 }
 
 func listControls(listPolicies *metav1.ListPolicies) ([]string, error) {
-	tenant := getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi()) // change k8sinterface
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi()) // change k8sinterface
 
 	g := getPolicyGetter(nil, tenant.GetTenantEmail(), false, nil)
 	l := getter.ListName
@@ -63,7 +63,7 @@ func listControls(listPolicies *metav1.ListPolicies) ([]string, error) {
 
 func listExceptions(listPolicies *metav1.ListPolicies) ([]string, error) {
 	// load tenant metav1
-	getTenantConfig(&listPolicies.Credentials, "", getKubernetesApi())
+	getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi())
 
 	var exceptionsNames []string
 	ksCloudAPI := getExceptionsGetter("")

core/core/scan.go

@@ -15,6 +15,7 @@ import (
 	"github.com/kubescape/kubescape/v2/core/pkg/opaprocessor"
 	"github.com/kubescape/kubescape/v2/core/pkg/policyhandler"
 	"github.com/kubescape/kubescape/v2/core/pkg/resourcehandler"
+	"github.com/kubescape/kubescape/v2/core/pkg/resourcesprioritization"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/printer"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter"
@@ -43,7 +44,7 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 
 	// ================== setup tenant object ======================================
 
-	tenantConfig := getTenantConfig(&scanInfo.Credentials, scanInfo.KubeContext, k8s)
+	tenantConfig := getTenantConfig(&scanInfo.Credentials, scanInfo.KubeContext, scanInfo.CustomClusterName, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
@@ -122,6 +123,7 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetTenantEmail(), scanInfo.FrameworkScan, downloadReleasedPolicy)
 	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions)
+	scanInfo.Getters.AttackTracksGetter = getAttackTracksGetter(interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 
 	// TODO - list supported frameworks/controls
 	if scanInfo.ScanAll {
@@ -152,15 +154,13 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 		return resultsHandling, fmt.Errorf("%w", err)
 	}
 
-	/*
+	// ======================== prioritization ===================
 
-		// ======================== prioritization ===================
-		priotizationHandler := resourcesprioritization.NewResourcesPrioritizationHandler(true)
-		if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
-			return resultsHandling, fmt.Errorf("%w", err)
-		}
-
-	*/
+	if priotizationHandler, err := resourcesprioritization.NewResourcesPrioritizationHandler(scanInfo.Getters.AttackTracksGetter); err != nil {
+		logger.L().Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
+	} else if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
+		return resultsHandling, fmt.Errorf("%w", err)
+	}
 
 	// ========================= results handling =====================
 	resultsHandling.SetData(scanData)

core/core/submit.go

@@ -39,7 +39,7 @@ func (ks *Kubescape) SubmitExceptions(credentials *cautils.Credentials, excPath
 	logger.L().Info("submitting exceptions", helpers.String("path", excPath))
 
 	// load cached config
-	tenantConfig := getTenantConfig(credentials, "", getKubernetesApi())
+	tenantConfig := getTenantConfig(credentials, "", "", getKubernetesApi())
 	if err := tenantConfig.SetTenant(); err != nil {
 		logger.L().Error("failed setting account ID", helpers.Error(err))
 	}

core/pkg/containerscan/elasticdatastructures.go

@@ -12,7 +12,7 @@ type ElasticContainerVulnerabilityResult struct {
 	Timestamp         int64     `json:"timestamp"`
 	IsFixed           int       `json:"isFixed"`
 	IntroducedInLayer string    `json:"layerHash"`
-	RelevantLinks     []string  `json:"links"` // shitty SE practice
+	RelevantLinks     []string  `json:"links"` // Bad SE practice
 
 	Vulnerability `json:",inline"`
 }

core/pkg/opaprocessor/processorhandler.go

@@ -43,12 +43,12 @@ func NewOPAProcessor(sessionObj *cautils.OPASessionObj, regoDependenciesData *re
 }
 func (opap *OPAProcessor) ProcessRulesListenner() error {
 
-	policies := ConvertFrameworksToPolicies(opap.Policies, cautils.BuildNumber)
+	opap.OPASessionObj.AllPolicies = ConvertFrameworksToPolicies(opap.Policies, cautils.BuildNumber)
 
-	ConvertFrameworksToSummaryDetails(&opap.Report.SummaryDetails, opap.Policies, policies)
+	ConvertFrameworksToSummaryDetails(&opap.Report.SummaryDetails, opap.Policies, opap.OPASessionObj.AllPolicies)
 
 	// process
-	if err := opap.Process(policies); err != nil {
+	if err := opap.Process(opap.OPASessionObj.AllPolicies); err != nil {
 		logger.L().Error(err.Error())
 		// Return error?
 	}

core/pkg/opaprocessor/processorhandlerutils.go

@@ -12,12 +12,12 @@ import (
 	resources "github.com/kubescape/opa-utils/resources"
 )
 
-// updateResults update the results objects and report objects. This is a critical function - DO NOT CHANGE
-/*
-	- remove sensible data
-	- adding exceptions
-	- summarize results
-*/
+// updateResults updates the results objects and report objects. This is a critical function - DO NOT CHANGE
+//
+// The function:
+//  - removes sensible data
+//  - adds exceptions
+//  - summarizes results
 func (opap *OPAProcessor) updateResults() {
 
 	// remove data from all objects
@@ -49,16 +49,6 @@ func (opap *OPAProcessor) updateResults() {
 	// map control to error
 	controlToInfoMap := mapControlToInfo(opap.ResourceToControlsMap, opap.InfoMap, opap.Report.SummaryDetails.Controls)
 	opap.Report.SummaryDetails.InitResourcesSummary(controlToInfoMap)
-	// for f := range opap.PostureReport.FrameworkReports {
-	// 	// set exceptions
-	// 	exceptions.SetFrameworkExceptions(&opap.PostureReport.FrameworkReports[f], opap.Exceptions, cautils.ClusterName)
-
-	// 	// set counters
-	// 	reporthandling.SetUniqueResourcesCounter(&opap.PostureReport.FrameworkReports[f])
-
-	// 	// set default score
-	// 	// reporthandling.SetDefaultScore(&opap.PostureReport.FrameworkReports[f])
-	// }
 }
 
 func mapControlToInfo(mapResourceToControls map[string][]string, infoMap map[string]apis.StatusInfo, controlSummary reportsummary.ControlSummaries) map[string]apis.StatusInfo {

core/pkg/registryadaptors/armosec/v1/datastructures.go

@@ -22,7 +22,7 @@ type V2ListRequest struct {
 	// How to order (sort) the list, field name + sort order (asc/desc), like https://www.w3schools.com/sql/sql_orderby.asp
 	// Example: "timestamp:asc,severity:desc"
 	OrderBy string `json:"orderBy,omitempty"`
-	// Cursor to the next page of former requset. Not supported yet
+	// Cursor to the next page of former request. Not supported yet
 	// Cursor cannot be used with another parameters of this struct
 	Cursor string `json:"cursor,omitempty"`
 	// FieldsList allow us to return only subset of the source document fields

core/pkg/registryadaptors/contribute.md

@@ -4,12 +4,12 @@
 
 ### Layers
 
-* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego
-* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter 
-* Rules processor: Kubescape component, it enumerates and runs the controls while also preparing the all the input data that the controls need for running
-* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability infomration
+* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego.
+* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter.
+* Rules processor: Kubescape component, it enumerates and runs the controls while preparing all of the input data that the controls need for running.
+* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability information.
 * Cloud Image Vulnerability adaption interface: the subject of this proposal, it gives a common interface for different registry/vulnerability vendors to adapt to.
-* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption
+* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption.
 ```
  -----------------------
 | Controls/Rules (rego) |
@@ -88,7 +88,7 @@ type ContainerImageInformation struct {
 
 type IContainerImageVulnerabilityAdaptor interface {
 	// Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
-	// so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
+	// so an example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
 	Login(registry string, credentials map[string]string) error
 
 	// For "help" purposes
@@ -161,4 +161,4 @@ The rego results will be a combination of the k8s artifact and the list of relev
         }
     ]
 }
-```
+```

core/pkg/registryadaptors/registryvulnerabilities/interfaces.go

@@ -1,11 +1,11 @@
 package registryvulnerabilities
 
 type IContainerImageVulnerabilityAdaptor interface {
-	// Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
+	// Login Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level
 	// so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"}
 	Login() error
 
-	// For "help" purposes
+	// DescribeAdaptor For "help" purposes
 	DescribeAdaptor() string
 
 	GetImagesScanStatus(imageIDs []ContainerImageIdentifier) ([]ContainerImageScanStatus, error)

core/pkg/resourcehandler/filesloader.go

@@ -196,6 +196,44 @@ func getResourcesFromPath(path string) (map[string]reporthandling.Source, []work
 		logger.L().Debug("helm templates found in local storage", helpers.Int("helmTemplates", len(helmSourceToWorkloads)), helpers.Int("workloads", len(workloads)))
 	}
 
+	// Load resources from Kustomize directory
+	kustomizeSourceToWorkloads, kustomizeDirectoryName := cautils.LoadResourcesFromKustomizeDirectory(path)
+
+	// update workloads and workloadIDToSource with workloads from Kustomize Directory
+	for source, ws := range kustomizeSourceToWorkloads {
+		workloads = append(workloads, ws...)
+		relSource, err := filepath.Rel(repoRoot, source)
+
+		if err == nil {
+			source = relSource
+		}
+
+		var lastCommit reporthandling.LastCommit
+		if gitRepo != nil {
+			commitInfo, _ := gitRepo.GetFileLastCommit(source)
+			if commitInfo != nil {
+				lastCommit = reporthandling.LastCommit{
+					Hash:           commitInfo.SHA,
+					Date:           commitInfo.Author.Date,
+					CommitterName:  commitInfo.Author.Name,
+					CommitterEmail: commitInfo.Author.Email,
+					Message:        commitInfo.Message,
+				}
+			}
+		}
+
+		workloadSource := reporthandling.Source{
+			RelativePath:           source,
+			FileType:               reporthandling.SourceTypeKustomizeDirectory,
+			KustomizeDirectoryName: kustomizeDirectoryName,
+			LastCommit:             lastCommit,
+		}
+
+		for i := range ws {
+			workloadIDToSource[ws[i].GetID()] = workloadSource
+		}
+	}
+
 	return workloadIDToSource, workloads, nil
 }
 

core/pkg/resourcehandler/k8sresources.go

@@ -79,9 +79,14 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 		sessionObj.SetNumberOfWorkerNodes(numberOfWorkerNodes)
 	}
 
+	cautils.StopSpinner()
+	logger.L().Success("Accessed to Kubernetes objects")
+
 	imgVulnResources := cautils.MapImageVulnResources(ksResourceMap)
 	// check that controls use image vulnerability resources
-	if len(imgVulnResources) > 0 {
+	if false { //len(imgVulnResources) > 0 {
+		logger.L().Info("Requesting images vulnerabilities results")
+		cautils.StartSpinner()
 		if err := k8sHandler.registryAdaptors.collectImagesVulnerabilities(k8sResourcesMap, allResources, ksResourceMap); err != nil {
 			logger.L().Warning("failed to collect image vulnerabilities", helpers.Error(err))
 			cautils.SetInfoMapForResources(fmt.Sprintf("failed to pull image scanning data: %s. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities", err.Error()), imgVulnResources, sessionObj.InfoMap)
@@ -90,11 +95,15 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 				cautils.SetInfoMapForResources("image scanning is not configured. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities", imgVulnResources, sessionObj.InfoMap)
 			}
 		}
+		cautils.StopSpinner()
+		logger.L().Success("Requested images vulnerabilities results")
 	}
 
 	hostResources := cautils.MapHostResources(ksResourceMap)
 	// check that controls use host sensor resources
 	if len(hostResources) > 0 {
+		logger.L().Info("Requesting Host scanner data")
+		cautils.StartSpinner()
 		if sessionObj.Metadata.ScanMetadata.HostScanner {
 			infoMap, err := k8sHandler.collectHostResources(allResources, ksResourceMap)
 			if err != nil {
@@ -108,6 +117,8 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 					sessionObj.InfoMap = infoMap
 				}
 			}
+			cautils.StopSpinner()
+			logger.L().Success("Requested Host scanner data")
 		} else {
 			cautils.SetInfoMapForResources("enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor", hostResources, sessionObj.InfoMap)
 		}
@@ -123,6 +134,8 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 
 	// check that controls use cloud resources
 	if len(cloudResources) > 0 {
+		logger.L().Info("Requesting cloud provider data")
+		cautils.StartSpinner()
 		provider, err := getCloudProviderDescription(allResources, ksResourceMap)
 		if err != nil {
 			cautils.SetInfoMapForResources(err.Error(), cloudResources, sessionObj.InfoMap)
@@ -133,11 +146,10 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 				sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.CloudProvider = provider
 			}
 		}
+		cautils.StopSpinner()
+		logger.L().Info("Requested cloud provider data")
 	}
 
-	cautils.StopSpinner()
-	logger.L().Success("Accessed to Kubernetes objects")
-
 	return k8sResourcesMap, allResources, ksResourceMap, nil
 }
 

core/pkg/resourcesprioritization/prioritizationhandler.go

@@ -5,21 +5,52 @@ import (
 
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/prioritization"
 )
 
 type ResourcesPrioritizationHandler struct {
-	skipZeroScores bool
+	attackTracks []v1alpha1.IAttackTrack
 }
 
-func NewResourcesPrioritizationHandler(skipZeroScore bool) *ResourcesPrioritizationHandler {
-	return &ResourcesPrioritizationHandler{
-		skipZeroScores: skipZeroScore,
+func NewResourcesPrioritizationHandler(attackTracksGetter getter.IAttackTracksGetter) (*ResourcesPrioritizationHandler, error) {
+	handler := &ResourcesPrioritizationHandler{
+		attackTracks: make([]v1alpha1.IAttackTrack, 0),
 	}
+
+	if tracks, err := attackTracksGetter.GetAttackTracks(); err != nil {
+		return nil, err
+	} else {
+		for _, attackTrack := range tracks {
+			if !attackTrack.IsValid() {
+				return nil, fmt.Errorf("invalid attack track: %s", attackTrack.GetName())
+			}
+
+			t := attackTrack
+			handler.attackTracks = append(handler.attackTracks, &t)
+		}
+	}
+
+	if len(handler.attackTracks) == 0 {
+		return nil, fmt.Errorf("expected to find at least one attack track")
+	}
+
+	return handler, nil
 }
 
 func (handler *ResourcesPrioritizationHandler) PrioritizeResources(sessionObj *cautils.OPASessionObj) error {
+	if sessionObj.AllPolicies == nil {
+		return fmt.Errorf("expected to find policies map")
+	} else if len(sessionObj.AllPolicies.Controls) == 0 {
+		return fmt.Errorf("expected to find controls in policies map")
+	}
+	allControls := make(map[string]v1alpha1.IAttackTrackControl, len(sessionObj.AllPolicies.Controls))
+	for id := range sessionObj.AllPolicies.Controls {
+		ctrl := sessionObj.AllPolicies.Controls[id]
+		allControls[id] = &ctrl
+	}
+
 	for resourceId, result := range sessionObj.ResourcesResult {
 		resourcePriorityVector := []prioritization.ControlsVector{}
 		resource, exist := sessionObj.AllResources[resourceId]
@@ -30,31 +61,48 @@ func (handler *ResourcesPrioritizationHandler) PrioritizeResources(sessionObj *c
 		workload := workloadinterface.NewWorkloadObj(resource.GetObject())
 
 		if workload != nil && handler.isSupportedKind(workload) {
-			for _, resourceAssociatedControl := range result.ListControls() {
-				if !resourceAssociatedControl.GetStatus(nil).IsFailed() {
-					continue
+			// build a map of attack track categories to a list of failed controls for the specific resource
+			failedControls := result.ListControlsIDs(nil).Failed()
+			if len(failedControls) > 0 {
+
+				controlsLookup := v1alpha1.NewAttackTrackControlsLookup(handler.attackTracks, failedControls, allControls)
+				replicaCount := workload.GetReplicas()
+
+				for _, attackTrack := range handler.attackTracks {
+					if !controlsLookup.HasAssociatedControls(attackTrack.GetName()) {
+						continue
+					}
+
+					// Load the failed controls into the attack track
+					allPathsHandler := v1alpha1.NewAttackTrackAllPathsHandler(attackTrack, &controlsLookup)
+
+					// Calculate all the paths for the attack track
+					allAttackPaths := allPathsHandler.CalculateAllPaths()
+
+					// Create priority vectors from every attack path
+					controlsVectors := prioritization.ControlsVectorFromAttackTrackPaths(attackTrack, allAttackPaths)
+
+					// Calculate the score and severity for every priority vector, and add it to the resource priority vector
+					for _, controlsVector := range controlsVectors {
+						if score, err := controlsVector.CalculateScore(allControls, replicaCount); err == nil {
+							controlsVector.SetScore(score)
+						} else {
+							return err
+						}
+
+						if severity, err := controlsVector.CalculateSeverity(allControls); err == nil {
+							controlsVector.SetSeverity(severity)
+						} else {
+							return err
+						}
+
+						resourcePriorityVector = append(resourcePriorityVector, controlsVector)
+					}
 				}
-
-				controlSummary := sessionObj.Report.SummaryDetails.Controls.GetControl("ID", resourceAssociatedControl.ControlID)
-				if controlSummary == nil {
-					return fmt.Errorf("expected to find control id '%s' in summary details", resourceAssociatedControl.ControlID)
-				}
-
-				controlScoreFactor := controlSummary.GetScoreFactor()
-				replicaCount := float64(workload.GetReplicas())
-
-				cVector := prioritization.NewControlsVector()
-				cVector.AddControl(prioritization.PriorityVectorControl{
-					ControlID: resourceAssociatedControl.ControlID,
-					Category:  "",
-				})
-
-				cVector.SetSeverity(apis.ControlSeverityToInt(controlScoreFactor))
-				cVector.SetScore(float64(controlScoreFactor) + (replicaCount / 10))
-				resourcePriorityVector = append(resourcePriorityVector, *cVector)
 			}
 		}
 
+		// Resource priority vector is ready, add it to the session object
 		prioritizedResource := prioritization.PrioritizedResource{
 			ResourceID:     resourceId,
 			PriorityVector: resourcePriorityVector,
@@ -63,7 +111,7 @@ func (handler *ResourcesPrioritizationHandler) PrioritizeResources(sessionObj *c
 		prioritizedResource.SetSeverity(prioritizedResource.CalculateSeverity())
 		prioritizedResource.SetScore(prioritizedResource.CalculateScore())
 
-		if handler.skipZeroScores && prioritizedResource.GetScore() == 0 {
+		if prioritizedResource.GetScore() == 0 {
 			continue
 		}
 

core/pkg/resourcesprioritization/prioritizationhandler_test.go

@@ -4,19 +4,74 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
 	"github.com/stretchr/testify/assert"
 )
 
-func OPASessionObjMock(mockResults map[string]resourcesresults.Result, mockControlsSummary map[string]reportsummary.ControlSummary, mockAllResources map[string]workloadinterface.IMetadata) *cautils.OPASessionObj {
+type AttackTracksGetterMock struct{}
+
+func (mock *AttackTracksGetterMock) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
+	mock_1 := v1alpha1.AttackTrackMock(v1alpha1.AttackTrackStep{
+		Name: "A",
+		SubSteps: []v1alpha1.AttackTrackStep{
+			{
+				Name: "B",
+				SubSteps: []v1alpha1.AttackTrackStep{
+					{
+						Name: "C",
+					},
+					{
+						Name: "D",
+					},
+				},
+			},
+			{
+				Name: "E",
+			},
+		},
+	})
+
+	mock_2 := v1alpha1.AttackTrackMock(v1alpha1.AttackTrackStep{
+		Name: "Z",
+	})
+	mock_2.Metadata["name"] = "TestAttackTrack_2"
+
+	return []v1alpha1.AttackTrack{*mock_1, *mock_2}, nil
+}
+
+func ControlMock(id string, baseScore float32, tags, categories []string) reporthandling.Control {
+	return reporthandling.Control{
+		ControlID: id,
+		BaseScore: baseScore,
+		PortalBase: armotypes.PortalBase{
+			Attributes: map[string]interface{}{
+				"controlTypeTags": tags,
+				"attackTracks": []reporthandling.AttackTrackCategories{
+					{
+						AttackTrack: "TestAttackTrack",
+						Categories:  categories,
+					},
+				},
+			},
+		},
+	}
+}
+
+func OPASessionObjMock(allPoliciesControls map[string]reporthandling.Control, mockResults map[string]resourcesresults.Result, mockControlsSummary map[string]reportsummary.ControlSummary, mockAllResources map[string]workloadinterface.IMetadata) *cautils.OPASessionObj {
 	mock := cautils.NewOPASessionObjMock()
 	mock.Report.SummaryDetails.Controls = mockControlsSummary
 	mock.ResourcesResult = mockResults
 	mock.AllResources = mockAllResources
+	mock.AllPolicies = cautils.NewPolicies()
+	mock.AllPolicies.Controls = allPoliciesControls
+
 	return mock
 }
 
@@ -41,9 +96,18 @@ func ResourceAssociatedControlMock(controlID string, status apis.ScanningStatus)
 	}
 }
 
+func TestNewResourcesPrioritizationHandler(t *testing.T) {
+	handler, err := NewResourcesPrioritizationHandler(&AttackTracksGetterMock{})
+	assert.NoError(t, err)
+	assert.Len(t, handler.attackTracks, 2)
+	assert.Equal(t, handler.attackTracks[0].GetName(), "TestAttackTrack")
+	assert.Equal(t, handler.attackTracks[1].GetName(), "TestAttackTrack_2")
+}
+
 func TestResourcesPrioritizationHandler_PrioritizeResources(t *testing.T) {
 	tests := []struct {
 		name                     string
+		allPoliciesControls      map[string]reporthandling.Control
 		results                  map[string]resourcesresults.Result
 		controls                 map[string]reportsummary.ControlSummary
 		resources                map[string]workloadinterface.IMetadata
@@ -53,6 +117,11 @@ func TestResourcesPrioritizationHandler_PrioritizeResources(t *testing.T) {
 	}{
 		{
 			name: "non-empty report",
+			allPoliciesControls: map[string]reporthandling.Control{
+				"C-001": ControlMock("C-001", 3, []string{"security"}, []string{"D"}),
+				"C-002": ControlMock("C-002", 4, []string{"security"}, []string{"B", "C"}),
+				"C-003": ControlMock("C-003", 10, []string{"security", "compliance"}, []string{"E"}),
+			},
 			results: map[string]resourcesresults.Result{
 				"resource1": {
 					AssociatedControls: []resourcesresults.ResourceAssociatedControl{
@@ -95,9 +164,9 @@ func TestResourcesPrioritizationHandler_PrioritizeResources(t *testing.T) {
 				"resource3": DeploymentWorkloadMock(1),
 			},
 			expectedScores: map[string]float64{
-				"resource1": float64(11),
-				"resource2": float64(7.199999999999999),
-				"resource3": float64(10.1),
+				"resource1": float64(84),
+				"resource2": float64(30.8),
+				"resource3": float64(11),
 			},
 			expectedSeverity: map[string]int{
 				"resource1": apis.SeverityMedium,
@@ -105,25 +174,23 @@ func TestResourcesPrioritizationHandler_PrioritizeResources(t *testing.T) {
 				"resource3": apis.SeverityCritical,
 			},
 			expectedControlsInVector: map[string][]string{
-				"resource1": {"C-001", "C-002"},
-				"resource2": {"C-001", "C-002"},
+				"resource1": {"C-002", "C-002", "C-002", "C-001"},
+				"resource2": {"C-002", "C-002", "C-002", "C-001"},
 				"resource3": {"C-003"},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			handler := &ResourcesPrioritizationHandler{
-				skipZeroScores: false,
-			}
-			sessionObj := OPASessionObjMock(tt.results, tt.controls, tt.resources)
+			handler, _ := NewResourcesPrioritizationHandler(&AttackTracksGetterMock{})
+			sessionObj := OPASessionObjMock(tt.allPoliciesControls, tt.results, tt.controls, tt.resources)
 			err := handler.PrioritizeResources(sessionObj)
 			assert.NoError(t, err, "expected to have no errors in PrioritizeResources()")
 
 			assert.Equalf(t, len(tt.results), len(sessionObj.ResourcesPrioritized), "expected prioritized resources to be not empty")
 			for rId, resource := range sessionObj.ResourcesPrioritized {
 				expectedScore := tt.expectedScores[rId]
-				assert.Equalf(t, expectedScore, resource.GetScore(), "expected score of resourceID '%s' to be '%v', got '%v'", rId, expectedScore, resource.GetScore())
+				assert.InDeltaf(t, expectedScore, resource.GetScore(), 0.01, "expected score of resourceID '%s' to be '%v', got '%v'", rId, expectedScore, resource.GetScore())
 
 				expectedSeverity := tt.expectedSeverity[rId]
 				assert.Equalf(t, expectedSeverity, resource.GetSeverity(), "expected severity of resourceID '%s' to be '%v', got '%v'", rId, expectedSeverity, resource.GetSeverity())

core/pkg/resultshandling/printer/v2/junit.go

@@ -200,9 +200,8 @@ func testsCases(results *cautils.OPASessionObj, resourcesResult []resourcesresul
 	severityCounter := make([]int, apis.NumberOfSeverities, apis.NumberOfSeverities)
 
 	for i := range resourcesResult {
-		message += lineSeparator
 		if failedControls := failedControlsToFailureMessage(results, resourcesResult[i].ListControls(), severityCounter); failedControls != "" {
-			message += fmt.Sprintf("Resource: %s\n\n%s", resourceNameToString(results.AllResources[resourcesResult[i].GetResourceID()]), failedControls)
+			message += fmt.Sprintf("%sResource: %s\n\n%s", lineSeparator, resourceNameToString(results.AllResources[resourcesResult[i].GetResourceID()]), failedControls)
 		}
 	}
 	testCaseFailure.Message += fmt.Sprintf("%s\n%s", getSummaryMessage(severityCounter), message)

core/pkg/resultshandling/printer/v2/prettyprinter.go

@@ -192,7 +192,10 @@ func (prettyPrinter *PrettyPrinter) printSummaryTable(summaryDetails *reportsumm
 		fmt.Fprintf(prettyPrinter.writer, "\nKubescape did not scan any of the resources, make sure you are scanning valid kubernetes manifests (Deployments, Pods, etc.)\n")
 		return
 	}
-	cautils.InfoTextDisplay(prettyPrinter.writer, "\n"+controlCountersForSummary(summaryDetails.NumberOfControls())+"\n\n")
+	cautils.InfoTextDisplay(prettyPrinter.writer, "\n"+controlCountersForSummary(summaryDetails.NumberOfControls())+"\n")
+	cautils.InfoTextDisplay(prettyPrinter.writer, renderSeverityCountersSummary(&summaryDetails.SeverityCounters)+"\n\n")
+
+	// cautils.InfoTextDisplay(prettyPrinter.writer, "\n"+"Severities: SOME OTHER"+"\n\n")
 
 	summaryTable := tablewriter.NewWriter(prettyPrinter.writer)
 	summaryTable.SetAutoWrapText(false)
@@ -256,6 +259,19 @@ func getControlLink(controlID string) string {
 	return fmt.Sprintf("https://hub.armosec.io/docs/%s", strings.ToLower(controlID))
 }
 
+// renderSeverityCountersSummary renders the string that reports severity counters summary
+func renderSeverityCountersSummary(counters reportsummary.ISeverityCounters) string {
+	critical := counters.NumberOfResourcesWithCriticalSeverity()
+	high := counters.NumberOfResourcesWithHighSeverity()
+	medium := counters.NumberOfResourcesWithMediumSeverity()
+	low := counters.NumberOfResourcesWithLowSeverity()
+
+	return fmt.Sprintf(
+		"Failed Resources by Severity: Critical — %d, High — %d, Medium — %d, Low — %d",
+		critical, high, medium, low,
+	)
+}
+
 func controlCountersForSummary(counters reportsummary.ICounters) string {
 	return fmt.Sprintf("Controls: %d (Failed: %d, Excluded: %d, Skipped: %d)", counters.All(), counters.Failed(), counters.Excluded(), counters.Skipped())
 }

core/pkg/resultshandling/reporter/v2/reporteventreceiver.go

@@ -139,24 +139,21 @@ func (report *ReportEventReceiver) sendResources(host string, opaSessionObj *cau
 
 func (report *ReportEventReceiver) setResults(reportObj *reporthandlingv2.PostureReport, results map[string]resourcesresults.Result, allResources map[string]workloadinterface.IMetadata, resourcesSource map[string]reporthandling.Source, prioritizedResources map[string]prioritization.PrioritizedResource, counter, reportCounter *int, host string) error {
 	for _, v := range results {
-		/*
+		// set result.RawResource
+		resourceID := v.GetResourceID()
+		if _, ok := allResources[resourceID]; !ok {
+			return fmt.Errorf("expected to find raw resource object for '%s'", resourceID)
+		}
+		resource := reporthandling.NewResourceIMetadata(allResources[resourceID])
+		if r, ok := resourcesSource[resourceID]; ok {
+			resource.SetSource(&r)
+		}
+		v.RawResource = resource
 
-			// set result.RawResource
-			resourceID := v.GetResourceID()
-			if _, ok := allResources[resourceID]; !ok {
-				return fmt.Errorf("expected to find raw resource object for '%s'", resourceID)
-			}
-			resource := reporthandling.NewResourceIMetadata(allResources[resourceID])
-			if r, ok := resourcesSource[resourceID]; ok {
-				resource.SetSource(&r)
-			}
-			v.RawResource = resource
-
-			// set result.PrioritizedResource
-			if resource, ok := prioritizedResources[resourceID]; ok {
-				v.PrioritizedResource = &resource
-			}
-		*/
+		// set result.PrioritizedResource
+		if results, ok := prioritizedResources[resourceID]; ok {
+			v.PrioritizedResource = &results
+		}
 
 		r, err := json.Marshal(v)
 		if err != nil {

core/pkg/resultshandling/results.go

@@ -61,7 +61,7 @@ func (resultsHandler *ResultsHandler) GetResults() *reporthandlingv2.PostureRepo
 	return printerv2.FinalizeResults(resultsHandler.scanData)
 }
 
-// HandleResults handle the scan results according to the pre defind interfaces
+// HandleResults handle the scan results according to the pre defined interfaces
 func (resultsHandler *ResultsHandler) HandleResults() error {
 
 	resultsHandler.printerObj.ActionPrint(resultsHandler.scanData)
@@ -77,7 +77,7 @@ func (resultsHandler *ResultsHandler) HandleResults() error {
 	return nil
 }
 
-// NewPrinter defind output format
+// NewPrinter defined output format
 func NewPrinter(printFormat, formatVersion string, verboseMode bool, viewType cautils.ViewTypes) printer.IPrinter {
 
 	switch printFormat {

core/pkg/score/score.go

@@ -28,8 +28,7 @@ const (
 )
 
 func (su *ScoreWrapper) Calculate(reportVersion PostureReportVersion) error {
-	switch reportVersion {
-	case EPostureReportV2:
+	if reportVersion == EPostureReportV2 {
 		return su.scoreUtil.CalculatePostureReportV2(su.opaSessionObj.Report)
 	}
 

docs/proposals/container-image-vulnerability-adaptor.md

@@ -6,12 +6,12 @@ source #287
 
 ### Big picture
 
-* Kubescape team is planning to create controls which take into account image vulnerabilities, example: looking for public internet facing workloads with critical vulnerabilities. These are seriously affecting the security health of a cluster and therefore we think it is important to cover it. We think that most container registries are/will support image scanning like Harbor and therefore, the ability to get information from them is important.
-* There is information in the image repository which is important for the existing controls as well. They are incomplete without it, example see this issue: Non-root containers check is broken #19 . These are not necessarily image vulnerability related. Can be information in the image manifest (like the issue before), but it can be the image BOM related.
+* Kubescape team is planning to create controls which take into account image vulnerabilities, for example: looking for public internet facing workloads with critical vulnerabilities. These are seriously affecting the security health of a cluster and therefore we think it is important to cover it. We think that most container registries are/will support image scanning like Harbor and therefore, the ability to get information from them is important.
+* There is information in the image repository which is important for the existing controls as well. They are incomplete without it, this example sees this issue: Non-root containers check is broken #19. These are not necessarily image vulnerability related. These can be information in the image manifest (like the issue before), but it can also be the image BOM related.
 
 ### Relation to this proposal
 
-Multiple changes and design decisions need to be made before Kubescape will support the above outlined controls. However, a focal point in the whole picture is the ability to access vulnerability of databases of container images. We anticipate that most container image repositories will support image vulnerability scanning, like some major players already do. Since there is no single API available which all of these data sources support, it is important to create an adaption layer within Kubescape so that different datasources can serve Kubescape's goals.
+Multiple changes and design decisions need to be made before Kubescape will support the above outlined controls. However, a focal point in the whole picture is the ability to access vulnerability of databases of container images. We anticipate that most container image repositories will support image vulnerability scanning, like some major players already do. Since there is no single API available which all of these data sources support, it is important to create an adaption layer within Kubescape so that different data sources can serve Kubescape's goals.
 
 ## High level design of Kubescape
 
@@ -22,7 +22,7 @@ Multiple changes and design decisions need to be made before Kubescape will supp
 * Rules processor: Kubescape component, it enumerates and runs the controls while also preparing all the input data that the controls need for running
 * Data sources: Set of different modules providing data to the Rules processor so that it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding the vulnerability information in this proposal 
 * Cloud Image Vulnerability adaption interface: The subject of this proposal, it gives a common interface for different registry/vulnerability vendors to adapt to.
-* CIV adaptors: Specific implementation of the CIV interface, example Harbor adaption
+* CIV adaptors: Specific implementation of the CIV interface, for example Harbor adaption
 ```
  -----------------------
 | Controls/Rules (rego) |

docs/roadmap.md

@@ -5,63 +5,92 @@
 Kubescape roadmap items are labeled based on where the feature is used and by their maturity.
 
 The features serve different stages of the workflow of the users:
+
 * **Development phase** (writing Kubernetes manifests) - example: The VS Code extension is used while editing YAMLs.
-* **CI phase** (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs
-* **CD phase** (deploying applications in Kubernetes) - example: running a cluster scan after a new deployment
-* **Monitoring phase** (scanning application in Kubernetes) - example: Prometheus scraping the cluster security risk
+* **CI phase** (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs.
+* **CD phase** (deploying applications in Kubernetes) - example: running a cluster scan after a new deployment.
+* **Monitoring phase** (scanning application in Kubernetes) - example: Prometheus scraping the cluster security risk.
 
 The items in the Kubescape roadmap are split into 3 major groups based on the feature planning maturity:
 
 * [Planning](#planning-) - we have tickets open for these issues with a more or less clear vision of design.
-* [Backlog](#backlog-)  -  features that were discussed at a high level but are not ready for development 
-* [Wishlist](#wishlist-) -  features we are dreaming of in 😀 and want to push them gradually forward
+* [Backlog](#backlog-)  -  features that were discussed at a high level but are not ready for development. 
+* [Wishlist](#wishlist-) -  features that we are dreaming of in 😀 and want to push them gradually forward.
 
 
 ## Planning 👷
 
-* ##### Storing scan results in cluster
-  We want Kubescape scan results (both cluster and image scan) to be stored in the cluster locally as `CRD`s. This will enable easier integration with results by other projects as well as with scripting via `kubectl`. This will also make image scan based controls to avoid accessing external resources for image vulnerability scan results.
+* ### Storing scan results in cluster
+
+  We want the Kubescape scan results (both cluster and image scan) to be stored in the cluster locally as `CRD`s. This will lead to an easier integration with results by other projects as well as with scripting via `kubectl`. Along with this, the image scan based controls will be able to avoid accessing external resources for image vulnerability scan results.
+
+* ### Vulnerability prioritization based on workload file activity
 
-* ##### Vulnerability prioritization based on workload file activity
   Implementing an eBPF agent (based on Falco or Tracee) which tracks file activity in workloads to prioritize container image vulnerabilities.
 
-* ##### Prioritization engine using MITRE Attack matrix based attack chains
+* ### Prioritization engine using MITRE Attack matrix based attack chains
+
   Create a security issue prioritization engine that scores resources based on control based attack chains. All Kubescape controls can be arranged into attack categories of the MITRE Attack matrix. The Attack matrix categories can be connected to each other based on a theoretical attack (ie. you can't have privilege escalation without initial access). Each of the Kubescape controls is to be categorized in these system and Kubescape will calculate a priority score based on the interconnections between failed controls.
 
-* ##### Integration with image registries 
- We want to expand Kubescape to integrate with different image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities. Container registry integration
-* ##### Kubescape CLI control over cluster operations 
-  Add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger image scans, etc.)
-* ##### Git integration for pull requests 
-  Create insightful GitHub actions for Kubescape
+* ### Integration with image registries
 
+ We want to expand Kubescape to integrate with different image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities. Container registry integration.
+
+* ### Kubescape CLI control over cluster operations
+
+  Add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger image scans, etc.)
+  
+* ### Git integration for pull requests
+
+  Create insightful GitHub actions for Kubescape.
 
 ## Backlog 📅
-* ##### JSON path for HELM charts 
+
+* ### JSON path for HELM charts
+
   Today, Kubescape can point to issues in the Kubernetes object. We want to develop this feature so Kubescape will be able to point to the misconfigured source file (HELM).
-* ##### Create Kubescape HELM plugin
-  Producing scan results in the context of HELM
-* ##### Kubescape based admission controller 
-  Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies
+
+* ### Create Kubescape HELM plugin
+
+  Producing scan results in the context of HELM.
+
+* ### Kubescape based admission controller
+
+  Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies.
 
 ## Wishlist 💭
-* ##### Integrate with other Kubernetes CLI tools
+
+* ### Integrate with other Kubernetes CLI tools
+
   Use Kubescape as a YAML validator for `kubectl` and others.
-* ##### Kubernetes audit log integration 
+
+* ### Kubernetes audit log integration
+
   Connect Kubescape to the audit log stream to enable it to produce more contextual security information based on how the API service is used.
-* ##### TUI for Kubescape 
-  Interactive terminal based user interface which helps to analyze and fix issues
-* ##### Scanning images with GO for vulnerabilities
-  Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities
-* ##### Scanning Dockerfile-s for security best practices
-  Scan image or Dockerfile to determine whether it is using security best practices (like root containers)
-* ##### Custom controls and rules
-  Enable users to define their own Rego base rules
-* ##### More CI/CD tool integration
+
+* ### TUI for Kubescape
+
+  Interactive terminal based user interface which helps to analyze and fix issues.
+
+* ### Scanning images with GO for vulnerabilities
+
+  Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities.
+
+* ### Scanning Dockerfile-s for security best practices
+
+  Scan image or Dockerfile to determine whether it is using security best practices (like root containers).
+
+* ### Custom controls and rules
+
+  Enable users to define their own Rego base rules.
+
+* ### More CI/CD tool integration
+
   Jenkins and etc. 😀
 
 
 ## Completed features 🎓
+
 * Kubelet configuration validation 
 * API server configuration validation
 * Image vulnerability scanning based controls 

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/johnfercher/maroto v0.37.0
 	github.com/kubescape/go-logger v0.0.6
 	github.com/kubescape/k8s-interface v0.0.83
-	github.com/kubescape/opa-utils v0.0.186
+	github.com/kubescape/opa-utils v0.0.194
 	github.com/kubescape/rbac-utils v0.0.17
 	github.com/libgit2/git2go/v33 v33.0.9
 	github.com/mattn/go-isatty v0.0.14
@@ -32,6 +32,8 @@ require (
 	k8s.io/apimachinery v0.24.3
 	k8s.io/client-go v0.24.3
 	k8s.io/utils v0.0.0-20220706174534-f6158b442e7c
+	sigs.k8s.io/kustomize/api v0.11.4
+	sigs.k8s.io/kustomize/kyaml v0.13.6
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -83,7 +85,9 @@ require (
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
 	github.com/go-gota/gota v0.12.0 // indirect
@@ -99,6 +103,7 @@ require (
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
 	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
@@ -115,9 +120,11 @@ require (
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
@@ -135,8 +142,10 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.22.0 // indirect

go.sum

@@ -228,6 +228,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
@@ -518,6 +519,7 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
@@ -839,14 +841,15 @@ github.com/kubescape/go-logger v0.0.6 h1:ynhAmwrz0O7Jtqq1CdmCZUrKveji25hVP+B/FAb
 github.com/kubescape/go-logger v0.0.6/go.mod h1:DnVWEvC90LFY1nNMaNo6nBVOcqkLMK3S0qzXP1fzRvI=
 github.com/kubescape/k8s-interface v0.0.83 h1:yQ1kWNZmKfBim/+NmxpPI/j7L9ASDq2h3mCNdmYgzqY=
 github.com/kubescape/k8s-interface v0.0.83/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
-github.com/kubescape/opa-utils v0.0.186 h1:3T0lD3x1/hweXY/HeNM2I4h8Ugh9SacXPo1AaOPBrAs=
-github.com/kubescape/opa-utils v0.0.186/go.mod h1:jC5QrhS6WiFj/tXP2/YSDBnFlGsYUQokDGbKwMBgMpw=
+github.com/kubescape/opa-utils v0.0.194 h1:DroUvGV1R/PXsLPF6H4GB9LzcEylEMUKULs8vQBOU3w=
+github.com/kubescape/opa-utils v0.0.194/go.mod h1:frMpD9wuK6rE3tMRIy6EM1X9zi+sSbXoDWjcSaq11og=
 github.com/kubescape/rbac-utils v0.0.17 h1:B78kjlTKqjYK/PXwmi4GPysHsFxIwVz1KFb4+IGT29w=
 github.com/kubescape/rbac-utils v0.0.17/go.mod h1:pBwjpcrVeuH/no+DiCZWvlhYtCDzd3U0o/hEZKi+eM8=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -899,6 +902,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -921,6 +926,8 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
@@ -1146,10 +1153,12 @@ github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
+github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
 github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
 github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -1159,6 +1168,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -1221,6 +1231,8 @@ github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg=
 github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
@@ -1288,6 +1300,8 @@ go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
 go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
@@ -1473,6 +1487,7 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
@@ -1531,6 +1546,7 @@ golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1766,6 +1782,7 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
 google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
@@ -1961,6 +1978,7 @@ gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKW
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -2083,6 +2101,10 @@ sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98
 sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
+sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo=
+sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI=
+sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs=
+sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=

httphandler/README.md

@@ -4,9 +4,9 @@ Running `kubescape` will start up a web-server on port `8080` which will serve t
 
 ### Trigger scan
 
-* POST `/v1/scan` - trigger a kubescape scan. The server will return an ID and will execute the scanning asynchronously. the request body should look [as followed](#trigger-scan-object).
-* * `wait=true`: scan synchronously (return results and not ID). Use only in small clusters or with an increased timeout. default is `wait=false`
-* * `keep=true`: do not delete results from local storage after returning. default is `keep=false`
+* POST `/v1/scan` - triggers a Kubescape scan. The server will return an ID and will execute the scanning asynchronously. The request body should look [as follows](#trigger-scan-object).
+* * `wait=true`: scan synchronously (return results and not ID). Use only in small clusters or with an increased timeout. Default is `wait=false`
+* * `keep=true`: do not delete results from local storage after returning. Default is `keep=false`
 * POST `/v1/metrics` - trigger kubescape for Prometheus support. [read more](examples/prometheus/README.md)
 
 [Response](#response-object):
@@ -15,7 +15,7 @@ Running `kubescape` will start up a web-server on port `8080` which will serve t
 {
   "id": <str>,                      // scan ID
   "type": "busy",                   // response object type
-  "response": <message:string>      // message indicating scanning is still in process
+  "response": <message:string>      // message indicating scanning is still in progress
 }
 ```
 
@@ -23,7 +23,7 @@ Running `kubescape` will start up a web-server on port `8080` which will serve t
 
 ### Get results
 * GET `/v1/results` -  request kubescape scan results
-* * query `id=<string>` -> request results of a specific scan ID. If empty will return latest results
+* * query `id=<string>` -> request results of a specific scan ID. If empty will return the latest results
 * * query `keep=true` -> keep the results in the local storage after returning. default is `keep=false` - the results will be deleted from local storage after they are returned
 
 [Response](#response-object):
@@ -51,14 +51,14 @@ When scanning is in progress
 {
   "id": <str>,                    // scan ID
   "type": "busy",                 // response object type
-  "response": <message:string>    // message indicating scanning is still in process
+  "response": <message:string>    // message indicating scanning is still in progress
 }
 ```
 ### Check scanning progress status
-Check the scanning status - is the scanning in progress or done. This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done
+Check the scanning status - is the scanning in progress or done? This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done
 
 * GET `/v1/status` -  Request kubescape scan status
-* * query `id=<string>` -> Check status of a specific scan. If empty will check if any scan is in progress
+* * query `id=<string>` -> Check status of a specific scan. If empty, it will check if any scan is still in progress
 
 [Response](#response-object):
 
@@ -76,20 +76,20 @@ When scanning is not in progress
 {
   "id": <str>,                    // scan ID
   "type": "notBusy",              // response object type
-  "response": <message:string>    // message indicating scanning is done in process
+  "response": <message:string>    // message indicating scanning is successfully done
 }
 ```
 
 ### Delete cached results
-* DELETE `/v1/results` - Delete kubescape scan results from storage. If empty will delete latest results
+* DELETE `/v1/results` - Delete kubescape scan results from storage. If empty will delete the latest results
 * * query `id=<string>`: Delete ID of specific results 
 * * query `all`: Delete all cached results
 
 ### Prometheus support API
 
 * GET/POST `/v1/metrics` - will trigger cluster scan. will respond with prometheus metrics once they have been scanned. This will respond 503 if the scan failed.
-* `/livez` - will respond 200 is server is alive
-* `/readyz` - will respond 200 if server can receive requests 
+* `/livez` - will respond 200 if the server is alive
+* `/readyz` - will respond 200 if the server can receive requests 
 
 ## Objects
 
@@ -102,7 +102,7 @@ When scanning is not in progress
   "includeNamespaces": [<str>],  // list of namespaces to include (same as 'kubescape scan --include-namespaces')
   "useCachedArtifacts"`: <bool>, // use the cached artifacts instead of downloading (offline support)
   "submit": <bool>,              // submit results to Kubescape cloud (same as 'kubescape scan --submit')
-  "hostScanner": <bool>,         // deploy kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
+  "hostScanner": <bool>,         // deploy Kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
   "keepLocal": <bool>,           // do not submit results to Kubescape cloud (same as 'kubescape scan --keep-local')
   "account": <str>,              // account ID (same as 'kubescape scan --account')
   "targetType": <str>,           // framework/control
@@ -140,7 +140,7 @@ When scanning is not in progress
   curl --request GET http://127.0.0.1:8080/v1/results -o response.json
   ```
 
-#### Trigger scan and wait for scan to end  
+#### Trigger scan and wait for the scan to end  
 
 ```bash
 curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' http://127.0.0.1:8080/v1/scan?wait -o scan_results.json
@@ -171,7 +171,7 @@ go tool pprof http://localhost:6060/debug/pprof/heap
 ## Supported environment variables
 
 * `KS_ACCOUNT`: Account ID
-* `KS_SUBMIT`: Submit the results to Kubescape SaaS version
+* `KS_SUBMIT`: Submit the results to the Kubescape SaaS version
 * `KS_EXCLUDE_NAMESPACES`: List of namespaces to exclude, e.g. `KS_EXCLUDE_NAMESPACES=kube-system,kube-public`
 * `KS_INCLUDE_NAMESPACES`: List of namespaces to include, rest of the namespaces will be ignored. e.g. `KS_INCLUDE_NAMESPACES=dev,prod`
 * `KS_HOST_SCAN_YAML`: Full path to the host scanner YAML

httphandler/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gorilla/schema v1.2.0
 	github.com/kubescape/go-logger v0.0.6
 	github.com/kubescape/kubescape/v2 v2.0.0-00010101000000-000000000000
-	github.com/kubescape/opa-utils v0.0.186
+	github.com/kubescape/opa-utils v0.0.194
 	github.com/stretchr/testify v1.8.0
 	k8s.io/utils v0.0.0-20220706174534-f6158b442e7c
 )
@@ -71,9 +71,11 @@ require (
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/enescakir/emoji v1.0.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
 	github.com/go-git/go-git/v5 v5.4.2 // indirect
@@ -97,6 +99,7 @@ require (
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
 	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
@@ -117,10 +120,11 @@ require (
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
@@ -142,9 +146,11 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.22.0 // indirect
@@ -176,6 +182,8 @@ require (
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
 	sigs.k8s.io/controller-runtime v0.12.3 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/kustomize/api v0.11.4 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )

httphandler/go.sum

@@ -231,6 +231,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
@@ -521,6 +522,7 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
 github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
@@ -895,14 +897,15 @@ github.com/kubescape/go-logger v0.0.6 h1:ynhAmwrz0O7Jtqq1CdmCZUrKveji25hVP+B/FAb
 github.com/kubescape/go-logger v0.0.6/go.mod h1:DnVWEvC90LFY1nNMaNo6nBVOcqkLMK3S0qzXP1fzRvI=
 github.com/kubescape/k8s-interface v0.0.83 h1:yQ1kWNZmKfBim/+NmxpPI/j7L9ASDq2h3mCNdmYgzqY=
 github.com/kubescape/k8s-interface v0.0.83/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
-github.com/kubescape/opa-utils v0.0.186 h1:3T0lD3x1/hweXY/HeNM2I4h8Ugh9SacXPo1AaOPBrAs=
-github.com/kubescape/opa-utils v0.0.186/go.mod h1:jC5QrhS6WiFj/tXP2/YSDBnFlGsYUQokDGbKwMBgMpw=
+github.com/kubescape/opa-utils v0.0.194 h1:DroUvGV1R/PXsLPF6H4GB9LzcEylEMUKULs8vQBOU3w=
+github.com/kubescape/opa-utils v0.0.194/go.mod h1:frMpD9wuK6rE3tMRIy6EM1X9zi+sSbXoDWjcSaq11og=
 github.com/kubescape/rbac-utils v0.0.17 h1:B78kjlTKqjYK/PXwmi4GPysHsFxIwVz1KFb4+IGT29w=
 github.com/kubescape/rbac-utils v0.0.17/go.mod h1:pBwjpcrVeuH/no+DiCZWvlhYtCDzd3U0o/hEZKi+eM8=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -959,8 +962,9 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs=
 github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -983,6 +987,8 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
@@ -1215,9 +1221,11 @@ github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
+github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
 github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -1227,6 +1235,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -1294,6 +1303,8 @@ github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg=
 github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
@@ -1366,6 +1377,8 @@ go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
 go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
@@ -1555,6 +1568,7 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
@@ -1617,6 +1631,7 @@ golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1857,6 +1872,7 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
 google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
@@ -2052,6 +2068,7 @@ gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKW
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -2175,6 +2192,10 @@ sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98
 sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
+sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo=
+sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI=
+sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs=
+sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=