Merge pull request #959 from suhasgumma/fix-command

fix: keep user formatting when autofixing

.github/workflows/build.yaml

@@ -78,14 +78,14 @@ jobs:
           asset_name: kubescape-${{ matrix.os }}-sha256
           asset_content_type: application/octet-stream
   
-  # publish-image:
-  #   if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
-  #   uses: ./.github/workflows/build-image.yaml
-  #   needs: create-release
-  #   with:
-  #     client: "image-release"
-  #     image_name: "quay.io/${{ github.repository_owner }}/kubescape"
-  #     image_tag: "v2.0.${{ github.run_number }}"
-  #     support_platforms: true
-  #     cosign: true
-  #   secrets: inherit
+  publish-image:
+    if: ${{ github.repository == 'kubescape/kubescape' }} # TODO
+    uses: ./.github/workflows/build-image.yaml
+    needs: create-release
+    with:
+      client: "image-release"
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: "v2.0.${{ github.run_number }}"
+      support_platforms: false
+      cosign: true
+    secrets: inherit

README.md

@@ -40,7 +40,7 @@ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh
 
 ## Run:
 ```sh
-kubescape scan --submit --enable-host-scan --verbose
+kubescape scan --enable-host-scan --verbose
 ```
 
 <img src="docs/summary.png">
@@ -96,6 +96,7 @@ We hold community meetings in [Zoom](https://us02web.zoom.us/j/84020231442) on t
 * [Overview](https://youtu.be/wdBkt_0Qhbg)
 * [How To Secure Kubernetes Clusters With Kubescape And Armo](https://youtu.be/ZATGiDIDBQk)
 * [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
+* [Scan container image registry](https://youtu.be/iQ_k8EnK-3s)
 * [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
 * [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
 * [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
@@ -174,22 +175,22 @@ Or to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`
 ### Examples
 
 
-#### Scan a running Kubernetes cluster and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster
 ```
-kubescape scan --submit --enable-host-scan  --verbose
+kubescape scan --enable-host-scan  --verbose
 ```
 
 > Read [here](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository) more about the `enable-host-scan` flag
 
-#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
 ```
-kubescape scan framework nsa --submit
+kubescape scan framework nsa
 ```
 
 
-#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://cloud.armosec.io?utm_source=github&utm_medium=repository)
+#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework
 ```
-kubescape scan framework mitre --submit
+kubescape scan framework mitre
 ```
 
 
@@ -213,14 +214,13 @@ kubescape scan --include-namespaces development,staging,production
 kubescape scan --exclude-namespaces kube-system,kube-public
 ```
 
-#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI). Submit the results in case the directory is a git repo. [docs](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
+#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
 ```
-kubescape scan *.yaml --submit
+kubescape scan *.yaml
 ```
 
-#### Scan Kubernetes manifest files from a git repository [and submit the results](https://hub.armosec.io/docs/repository-scanning?utm_source=github&utm_medium=repository)
-```
-kubescape scan https://github.com/kubescape/kubescape --submit
+#### Scan Kubernetes manifest files from a git repository 
+kubescape scan https://github.com/kubescape/kubescape
 ```
 
 #### Display all scanned resources (including the resources which passed) 
@@ -267,13 +267,13 @@ kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
 
 #### Scan Helm charts 
 ```
-kubescape scan </path/to/directory> --submit
+kubescape scan </path/to/directory>
 ```
 > Kubescape will load the default value file
 
 #### Scan Kustomize Directory 
 ```
-kubescape scan </path/to/directory> --submit
+kubescape scan </path/to/directory>
 ```
 > Kubescape will generate Kubernetes Yaml Objects using 'Kustomize' file and scans them for security.
 

cmd/fix/fix.go

@@ -0,0 +1,45 @@
+package fix
+
+import (
+	"errors"
+
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/spf13/cobra"
+)
+
+var fixCmdExamples = `
+  Fix command is for fixing kubernetes manifest files based on a scan command output.
+  Use with caution, this command will change your files in-place.
+
+  # Fix kubernetes YAML manifest files based on a scan command output (output.json)
+  1) kubescape scan --format json --format-version v2 --output output.json
+  2) kubescape fix output.json
+
+`
+
+func GetFixCmd(ks meta.IKubescape) *cobra.Command {
+	var fixInfo metav1.FixInfo
+
+	fixCmd := &cobra.Command{
+		Use:     "fix <report output file>",
+		Short:   "Fix misconfiguration in files",
+		Long:    ``,
+		Example: fixCmdExamples,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) < 1 {
+				return errors.New("report output file is required")
+			}
+			fixInfo.ReportFile = args[0]
+
+			return ks.Fix(&fixInfo)
+		},
+	}
+
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.NoConfirm, "no-confirm", false, "No confirmation will be given to the user before applying the fix (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.DryRun, "dry-run", false, "No changes will be applied (default false)")
+	fixCmd.PersistentFlags().BoolVar(&fixInfo.SkipUserValues, "skip-user-values", true, "Changes which involve user-defined values will be skipped")
+
+	return fixCmd
+}

cmd/root.go

@@ -10,9 +10,11 @@ import (
 	"github.com/kubescape/kubescape/v2/cmd/config"
 	"github.com/kubescape/kubescape/v2/cmd/delete"
 	"github.com/kubescape/kubescape/v2/cmd/download"
+	"github.com/kubescape/kubescape/v2/cmd/fix"
 	"github.com/kubescape/kubescape/v2/cmd/list"
 	"github.com/kubescape/kubescape/v2/cmd/scan"
 	"github.com/kubescape/kubescape/v2/cmd/submit"
+	"github.com/kubescape/kubescape/v2/cmd/update"
 	"github.com/kubescape/kubescape/v2/cmd/version"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
@@ -76,6 +78,8 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(completion.GetCompletionCmd())
 	rootCmd.AddCommand(version.GetVersionCmd())
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
+	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(fix.GetFixCmd(ks))
 
 	return rootCmd
 }

cmd/scan/scan.go

@@ -14,7 +14,7 @@ var scanCmdExamples = `
   Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
   # Scan current cluster with all frameworks
-  kubescape scan --submit --enable-host-scan --verbose
+  kubescape scan --enable-host-scan --verbose
 
   # Scan kubernetes YAML manifest files
   kubescape scan *.yaml
@@ -71,37 +71,33 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
 
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
 
 	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html"`)
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
 	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to ARMO backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
 	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to ARMO management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.FormatVersion, "format-version", "v1", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.CustomClusterName, "cluster-name", "", "Set the custom name of the cluster. Not same as the kube-context flag")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 
-	// Deprecated flags - remove 1.May.2022
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
 	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
 
 	// hidden flags
 	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
-	scanCmd.PersistentFlags().MarkHidden("silent")         // this flag should be deprecated since we added the --logger support
-	// scanCmd.PersistentFlags().MarkHidden("format-version") // meant for testing different output approaches and not for common use
 
 	// Retrieve --kubeconfig flag from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cmd.go
 	scanCmd.PersistentFlags().AddGoFlag(flag.Lookup("kubeconfig"))
 
-	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
+	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
 	hostF.NoOptDefVal = "true"
 	hostF.DefValue = "false, for no TTY in stdin"
 

cmd/update/update.go

@@ -0,0 +1,59 @@
+package update
+
+//This update command updates to the latest kubescape release.
+//Example:-
+//          kubescape update
+
+import (
+	"os/exec"
+	"runtime"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/spf13/cobra"
+)
+
+func GetUpdateCmd() *cobra.Command {
+	updateCmd := &cobra.Command{
+		Use:   "update",
+		Short: "Update your version",
+		Long:  ``,
+		RunE: func(_ *cobra.Command, args []string) error {
+			//Checking the user's version of kubescape to the latest release
+			if cautils.BuildNumber == cautils.LatestReleaseVersion {
+				//your version == latest version
+				logger.L().Info(("You are in the latest version"))
+			} else {
+
+				const OSTYPE string = runtime.GOOS
+				var ShellToUse string
+				switch OSTYPE {
+
+				case "windows":
+					cautils.StartSpinner()
+					//run the installation command for windows
+					ShellToUse = "powershell"
+					_, err := exec.Command(ShellToUse, "-c", "iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex").Output()
+
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+					cautils.StopSpinner()
+
+				default:
+					ShellToUse = "bash"
+					cautils.StartSpinner()
+					//run the installation command for linux and macOS
+					_, err := exec.Command(ShellToUse, "-c", "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash").Output()
+					if err != nil {
+						logger.L().Fatal(err.Error())
+					}
+
+					cautils.StopSpinner()
+				}
+			}
+			return nil
+		},
+	}
+	return updateCmd
+}

core/cautils/fileutils.go

@@ -15,7 +15,7 @@ import (
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 var (
@@ -139,9 +139,9 @@ func loadFiles(rootPath string, filePaths []string) (map[string][]workloadinterf
 			for j := range w {
 				lw := localworkload.NewLocalWorkload(w[j].GetObject())
 				if relPath, err := filepath.Rel(rootPath, path); err == nil {
-					lw.SetPath(relPath)
+					lw.SetPath(fmt.Sprintf("%s:%d", relPath, j))
 				} else {
-					lw.SetPath(path)
+					lw.SetPath(fmt.Sprintf("%s:%d", path, j))
 				}
 				wSlice = append(wSlice, lw)
 			}

core/cautils/getter/downloadreleasedpolicy.go

@@ -3,6 +3,7 @@ package getter
 import (
 	"strings"
 
+	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/opa-utils/gitregostore"
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
@@ -99,3 +100,11 @@ func contains(s []string, str string) bool {
 	}
 	return false
 }
+
+func (drp *DownloadReleasedPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
+	exceptions, err := drp.gs.GetSystemPostureExceptionPolicies()
+	if err != nil {
+		return nil, err
+	}
+	return exceptions, nil
+}

core/cautils/getter/gcpcloudapi.go

@@ -0,0 +1,42 @@
+package getter
+
+import (
+	"context"
+	"os"
+
+	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
+)
+
+type GCPCloudAPI struct {
+	credentialsPath  string
+	context          context.Context
+	client           *containeranalysis.Client
+	projectID        string
+	credentialsCheck bool
+}
+
+func GetGlobalGCPCloudAPIConnector() *GCPCloudAPI {
+
+	if os.Getenv("KS_GCP_CREDENTIALS_PATH") == "" || os.Getenv("KS_GCP_PROJECT_ID") == "" {
+		return &GCPCloudAPI{
+			credentialsCheck: false,
+		}
+	} else {
+		return &GCPCloudAPI{
+			context:          context.Background(),
+			credentialsPath:  os.Getenv("KS_GCP_CREDENTIALS_PATH"),
+			projectID:        os.Getenv("KS_GCP_PROJECT_ID"),
+			credentialsCheck: true,
+		}
+	}
+}
+
+func (api *GCPCloudAPI) SetClient(client *containeranalysis.Client) {
+	api.client = client
+}
+
+func (api *GCPCloudAPI) GetCredentialsPath() string           { return api.credentialsPath }
+func (api *GCPCloudAPI) GetClient() *containeranalysis.Client { return api.client }
+func (api *GCPCloudAPI) GetProjectID() string                 { return api.projectID }
+func (api *GCPCloudAPI) GetCredentialsCheck() bool            { return api.credentialsCheck }
+func (api *GCPCloudAPI) GetContext() context.Context          { return api.context }

core/cautils/getter/loadpolicy.go

@@ -65,16 +65,16 @@ func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, e
 }
 
 func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-	framework := &reporthandling.Framework{}
+	var framework reporthandling.Framework
 	var err error
 	for _, filePath := range lp.filePaths {
+		framework = reporthandling.Framework{}
 		f, err := os.ReadFile(filePath)
 		if err != nil {
 			return nil, err
 		}
-
-		if err = json.Unmarshal(f, framework); err != nil {
-			return framework, err
+		if err = json.Unmarshal(f, &framework); err != nil {
+			return nil, err
 		}
 		if strings.EqualFold(frameworkName, framework.Name) {
 			break
@@ -84,7 +84,7 @@ func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framew
 
 		return nil, fmt.Errorf("framework from file not matching")
 	}
-	return framework, err
+	return &framework, err
 }
 
 func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
@@ -130,14 +130,19 @@ func (lp *LoadPolicy) GetControlsInputs(clusterName string) (map[string][]string
 	filePath := lp.filePath()
 	accountConfig := &armotypes.CustomerConfig{}
 	f, err := os.ReadFile(filePath)
+	fileName := filepath.Base(filePath)
 	if err != nil {
-		return nil, err
+		formattedError := fmt.Errorf("Error opening %s file, \"controls-config\" will be downloaded from ARMO management portal", fileName)
+		return nil, formattedError
 	}
 
 	if err = json.Unmarshal(f, &accountConfig.Settings.PostureControlInputs); err == nil {
 		return accountConfig.Settings.PostureControlInputs, nil
 	}
-	return nil, err
+
+	formattedError := fmt.Errorf("Error reading %s file, %s, \"controls-config\" will be downloaded from ARMO management portal", fileName, err.Error())
+
+	return nil, formattedError
 }
 
 // temporary support for a list of files

core/cautils/rootinfo.go

@@ -15,7 +15,6 @@ type RootInfo struct {
 
 	KSCloudBEURLs    string // Kubescape Cloud URL
 	KSCloudBEURLsDep string // Kubescape Cloud URL
-
 }
 type CloudURLs struct {
 	CloudReportURL string

core/cautils/scaninfo.go

@@ -419,6 +419,7 @@ func metadataGitLocal(input string) (*reporthandlingv2.RepoContextMetadata, erro
 		Date:          commit.Committer.Date,
 		CommitterName: commit.Committer.Name,
 	}
+	context.LocalRootPath, _ = gitParser.GetRootDir()
 
 	return context, nil
 }

core/cautils/scaninfo_test.go

@@ -18,7 +18,8 @@ func TestSetContextMetadata(t *testing.T) {
 		assert.Nil(t, ctx.HelmContextMetadata)
 		assert.Nil(t, ctx.RepoContextMetadata)
 	}
-	{
+	// TODO: tests were commented out due to actual http calls ; http calls should be mocked.
+	/*{
 		ctx := reporthandlingv2.ContextMetadata{}
 		setContextMetadata(&ctx, "https://github.com/kubescape/kubescape")
 
@@ -31,7 +32,7 @@ func TestSetContextMetadata(t *testing.T) {
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Repo)
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Owner)
 		assert.Equal(t, "master", ctx.RepoContextMetadata.Branch)
-	}
+	}*/
 }
 
 func TestGetHostname(t *testing.T) {

core/cautils/versioncheck.go

@@ -19,6 +19,7 @@ const SKIP_VERSION_CHECK = "KS_SKIP_UPDATE_CHECK"
 
 var BuildNumber string
 var Client string
+var LatestReleaseVersion string
 
 const UnknownBuildNumber = "unknown"
 
@@ -108,9 +109,11 @@ func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckReques
 		return fmt.Errorf("failed to get latest version")
 	}
 
+	LatestReleaseVersion := latestVersion.ClientUpdate
+
 	if latestVersion.ClientUpdate != "" {
-		if BuildNumber != "" && semver.Compare(BuildNumber, latestVersion.ClientUpdate) == -1 {
-			logger.L().Warning(warningMessage(latestVersion.ClientUpdate))
+		if BuildNumber != "" && semver.Compare(BuildNumber, LatestReleaseVersion) == -1 {
+			logger.L().Warning(warningMessage(LatestReleaseVersion))
 		}
 	}
 

core/cautils/workloadmappingutils.go

@@ -3,6 +3,7 @@ package cautils
 import (
 	"strings"
 
+	"github.com/kubescape/k8s-interface/cloudsupport"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 )
 
@@ -19,7 +20,10 @@ var (
 		"KubeProxyInfo",
 		"ControlPlaneInfo",
 	}
-	CloudResources = []string{"ClusterDescribe"}
+	CloudResources = []string{
+		"ClusterDescribe",
+		string(cloudsupport.TypeApiServerInfo),
+	}
 )
 
 func MapKSResource(ksResourceMap *KSResources, resources []string) []string {

core/core/download.go

@@ -106,7 +106,7 @@ func downloadExceptions(downloadInfo *metav1.DownloadInfo) error {
 	var err error
 	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
 
-	exceptionsGetter := getExceptionsGetter("")
+	exceptionsGetter := getExceptionsGetter("", tenant.GetAccountID(), nil)
 	exceptions := []armotypes.PostureExceptionPolicy{}
 	if tenant.GetAccountID() != "" {
 		exceptions, err = exceptionsGetter.GetExceptions(tenant.GetContextName())

core/core/fix.go

@@ -0,0 +1,72 @@
+package core
+
+import (
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	"github.com/kubescape/kubescape/v2/core/pkg/fixhandler"
+)
+
+const NoChangesApplied = "No changes were applied."
+const NoResourcesToFix = "No issues to fix."
+const ConfirmationQuestion = "Would you like to apply the changes to the files above? [y|n]: "
+
+func (ks *Kubescape) Fix(fixInfo *metav1.FixInfo) error {
+	logger.L().Info("Reading report file...")
+	handler, err := fixhandler.NewFixHandler(fixInfo)
+	if err != nil {
+		return err
+	}
+
+	resourcesToFix := handler.PrepareResourcesToFix()
+
+	if len(resourcesToFix) == 0 {
+		logger.L().Info(NoResourcesToFix)
+		return nil
+	}
+
+	handler.PrintExpectedChanges(resourcesToFix)
+
+	if fixInfo.DryRun {
+		logger.L().Info(NoChangesApplied)
+		return nil
+	}
+
+	if !fixInfo.NoConfirm && !userConfirmed() {
+		logger.L().Info(NoChangesApplied)
+		return nil
+	}
+
+	updatedFilesCount, errors := handler.ApplyChanges(resourcesToFix)
+	logger.L().Info(fmt.Sprintf("Fixed resources in %d files.", updatedFilesCount))
+
+	if len(errors) > 0 {
+		for _, err := range errors {
+			logger.L().Error(err.Error())
+		}
+		return fmt.Errorf("Failed to fix some resources, check the logs for more details")
+	}
+
+	return nil
+}
+
+func userConfirmed() bool {
+	var input string
+
+	for {
+		fmt.Printf(ConfirmationQuestion)
+		if _, err := fmt.Scanln(&input); err != nil {
+			continue
+		}
+
+		input = strings.ToLower(input)
+		if input == "y" || input == "yes" {
+			return true
+		} else if input == "n" || input == "no" {
+			return false
+		}
+	}
+}

core/core/initutils.go

@@ -32,13 +32,24 @@ func getTenantConfig(credentials *cautils.Credentials, clusterName string, custo
 	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
 }
 
-func getExceptionsGetter(useExceptions string) getter.IExceptionsGetter {
+func getExceptionsGetter(useExceptions string, accountID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) getter.IExceptionsGetter {
 	if useExceptions != "" {
 		// load exceptions from file
 		return getter.NewLoadPolicy([]string{useExceptions})
-	} else {
+	}
+	if accountID != "" {
+		// download exceptions from Kubescape Cloud backend
 		return getter.GetKSCloudAPIConnector()
 	}
+	// download exceptions from GitHub
+	if downloadReleasedPolicy == nil {
+		downloadReleasedPolicy = getter.NewDownloadReleasedPolicy()
+	}
+	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil {
+		logger.L().Warning("failed to get exceptions from github release, this may affect the scanning results", helpers.Error(err))
+	}
+	return downloadReleasedPolicy
+
 }
 
 func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
@@ -58,7 +69,7 @@ func getReporter(tenantConfig cautils.ITenantConfig, reportID string, submit, fw
 	}
 	if tenantConfig.GetAccountID() == "" {
 		// Add link only when scanning a cluster using a framework
-		return reporterv2.NewReportMock(reporterv2.NO_SUBMIT_QUERY, "run kubescape with the '--submit' flag")
+		return reporterv2.NewReportMock("https://hub.armosec.io/docs/installing-kubescape", "run kubescape with the '--account' flag")
 	}
 	var message string
 	if !fwScan {
@@ -130,13 +141,11 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 	/*
 		If CloudReportURL not set - Do not send report
 
-		If "First run (local config not found)" -
-			Default/keep-local - Do not send report
-			Submit - Create tenant & Submit report
+		If There is no account - Do not send report
 
-		If "Submitted" -
+		If There is account -
 			keep-local - Do not send report
-			Default/Submit - Submit report
+			Default - Submit report
 
 	*/
 
@@ -157,17 +166,16 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 		return
 	}
 
-	if tenantConfig.IsConfigFound() { // config found in cache (submitted)
-		if !scanInfo.Local {
-			if tenantConfig.GetAccountID() != "" {
-				if _, err := uuid.Parse(tenantConfig.GetAccountID()); err != nil {
-					scanInfo.Submit = false
-					return
-				}
-			}
-			// Submit report
-			scanInfo.Submit = true
-		}
+	if scanInfo.Local {
+		scanInfo.Submit = false
+		return
+	}
+
+	// If There is no account, or if the account is not legal, do not submit
+	if _, err := uuid.Parse(tenantConfig.GetAccountID()); err != nil {
+		scanInfo.Submit = false
+	} else {
+		scanInfo.Submit = true
 	}
 
 }

core/core/list.go

@@ -63,10 +63,10 @@ func listControls(listPolicies *metav1.ListPolicies) ([]string, error) {
 
 func listExceptions(listPolicies *metav1.ListPolicies) ([]string, error) {
 	// load tenant metav1
-	getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi())
+	tenant := getTenantConfig(&listPolicies.Credentials, "", "", getKubernetesApi())
 
 	var exceptionsNames []string
-	ksCloudAPI := getExceptionsGetter("")
+	ksCloudAPI := getExceptionsGetter("", tenant.GetAccountID(), nil)
 	exceptions, err := ksCloudAPI.GetExceptions("")
 	if err != nil {
 		return exceptionsNames, err

core/core/scan.go

@@ -122,7 +122,7 @@ func (ks *Kubescape) Scan(scanInfo *cautils.ScanInfo) (*resultshandling.ResultsH
 	// set policy getter only after setting the customerGUID
 	scanInfo.Getters.PolicyGetter = getPolicyGetter(scanInfo.UseFrom, interfaces.tenantConfig.GetTenantEmail(), scanInfo.FrameworkScan, downloadReleasedPolicy)
 	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
-	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions)
+	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(scanInfo.UseExceptions, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 	scanInfo.Getters.AttackTracksGetter = getAttackTracksGetter(interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 
 	// TODO - list supported frameworks/controls

core/meta/datastructures/v1/fix.go

@@ -0,0 +1,8 @@
+package v1
+
+type FixInfo struct {
+	ReportFile     string // path to report file (mandatory)
+	NoConfirm      bool   // if true, no confirmation will be given to the user before applying the fix
+	SkipUserValues bool   // if true, user values will not be changed
+	DryRun         bool   // if true, no changes will be applied
+}

core/meta/ksinterface.go

@@ -25,4 +25,7 @@ type IKubescape interface {
 
 	// delete
 	DeleteExceptions(deleteexceptions *metav1.DeleteExceptions) error
+
+	// fix
+	Fix(fixInfo *metav1.FixInfo) error
 }

core/pkg/fixhandler/datastructures.go

@@ -0,0 +1,63 @@
+package fixhandler
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/opa-utils/reporthandling"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"gopkg.in/yaml.v3"
+)
+
+// FixHandler is a struct that holds the information of the report to be fixed
+type FixHandler struct {
+	fixInfo       *metav1.FixInfo
+	reportObj     *reporthandlingv2.PostureReport
+	localBasePath string
+}
+
+// ResourceFixInfo is a struct that holds the information about the resource that needs to be fixed
+type ResourceFixInfo struct {
+	YamlExpressions map[string]*armotypes.FixPath
+	Resource        *reporthandling.Resource
+	FilePath        string
+	DocumentIndex   int
+}
+
+// NodeInfo holds extra information about the node
+type nodeInfo struct {
+	node   *yaml.Node
+	parent *yaml.Node
+
+	// position of the node among siblings
+	index int
+}
+
+// FixInfoMetadata holds the arguments "getFixInfo" function needs to pass to the
+// functions it uses
+type fixInfoMetadata struct {
+	originalList        *[]nodeInfo
+	fixedList           *[]nodeInfo
+	originalListTracker int
+	fixedListTracker    int
+	contentToAdd        *[]contentToAdd
+	linesToRemove       *[]linesToRemove
+}
+
+// ContentToAdd holds the information about where to insert the new changes in the existing yaml file
+type contentToAdd struct {
+	// Line where the fix should be applied to
+	line int
+	// Content is a string representation of the YAML node that describes a suggested fix
+	content string
+}
+
+// LinesToRemove holds the line numbers to remove from the existing yaml file
+type linesToRemove struct {
+	startLine int
+	endLine   int
+}
+
+type fileFixInfo struct {
+	contentsToAdd *[]contentToAdd
+	linesToRemove *[]linesToRemove
+}

core/pkg/fixhandler/fixhandler.go

@@ -0,0 +1,346 @@
+package fixhandler
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"gopkg.in/op/go-logging.v1"
+)
+
+const UserValuePrefix = "YOUR_"
+
+func NewFixHandler(fixInfo *metav1.FixInfo) (*FixHandler, error) {
+	jsonFile, err := os.Open(fixInfo.ReportFile)
+	if err != nil {
+		return nil, err
+	}
+	defer jsonFile.Close()
+	byteValue, _ := ioutil.ReadAll(jsonFile)
+
+	var reportObj reporthandlingv2.PostureReport
+	if err = json.Unmarshal(byteValue, &reportObj); err != nil {
+		return nil, err
+	}
+
+	if err = isSupportedScanningTarget(&reportObj); err != nil {
+		return nil, err
+	}
+
+	localPath := getLocalPath(&reportObj)
+	if _, err = os.Stat(localPath); err != nil {
+		return nil, err
+	}
+
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	return &FixHandler{
+		fixInfo:       fixInfo,
+		reportObj:     &reportObj,
+		localBasePath: localPath,
+	}, nil
+}
+
+func isSupportedScanningTarget(report *reporthandlingv2.PostureReport) error {
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.GitLocal || report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.Directory {
+		return nil
+	}
+
+	return fmt.Errorf("unsupported scanning target. Only local git and directory scanning targets are supported")
+}
+
+func getLocalPath(report *reporthandlingv2.PostureReport) string {
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.GitLocal {
+		return report.Metadata.ContextMetadata.RepoContextMetadata.LocalRootPath
+	}
+
+	if report.Metadata.ScanMetadata.ScanningTarget == reporthandlingv2.Directory {
+		return report.Metadata.ContextMetadata.DirectoryContextMetadata.BasePath
+	}
+
+	return ""
+}
+
+func (h *FixHandler) buildResourcesMap() map[string]*reporthandling.Resource {
+	resourceIdToRawResource := make(map[string]*reporthandling.Resource)
+	for i := range h.reportObj.Resources {
+		resourceIdToRawResource[h.reportObj.Resources[i].GetID()] = &h.reportObj.Resources[i]
+	}
+	for i := range h.reportObj.Results {
+		if h.reportObj.Results[i].RawResource == nil {
+			continue
+		}
+		resourceIdToRawResource[h.reportObj.Results[i].RawResource.GetID()] = h.reportObj.Results[i].RawResource
+	}
+
+	return resourceIdToRawResource
+}
+
+func (h *FixHandler) getPathFromRawResource(obj map[string]interface{}) string {
+	if localworkload.IsTypeLocalWorkload(obj) {
+		localwork := localworkload.NewLocalWorkload(obj)
+		return localwork.GetPath()
+	} else if objectsenvelopes.IsTypeRegoResponseVector(obj) {
+		regoResponseVectorObject := objectsenvelopes.NewRegoResponseVectorObject(obj)
+		relatedObjects := regoResponseVectorObject.GetRelatedObjects()
+		for _, relatedObject := range relatedObjects {
+			if localworkload.IsTypeLocalWorkload(relatedObject.GetObject()) {
+				return relatedObject.(*localworkload.LocalWorkload).GetPath()
+			}
+		}
+	}
+
+	return ""
+}
+
+func (h *FixHandler) PrepareResourcesToFix() []ResourceFixInfo {
+	resourceIdToResource := h.buildResourcesMap()
+
+	resourcesToFix := make([]ResourceFixInfo, 0)
+	for _, result := range h.reportObj.Results {
+		if !result.GetStatus(nil).IsFailed() {
+			continue
+		}
+
+		resourceID := result.ResourceID
+		resourceObj := resourceIdToResource[resourceID]
+		resourcePath := h.getPathFromRawResource(resourceObj.GetObject())
+		if resourcePath == "" {
+			continue
+		}
+
+		if resourceObj.Source == nil || resourceObj.Source.FileType != reporthandling.SourceTypeYaml {
+			continue
+		}
+
+		relativePath, documentIndex, err := h.getFilePathAndIndex(resourcePath)
+		if err != nil {
+			logger.L().Error("Skipping invalid resource path: " + resourcePath)
+			continue
+		}
+
+		absolutePath := path.Join(h.localBasePath, relativePath)
+		if _, err := os.Stat(absolutePath); err != nil {
+			logger.L().Error("Skipping missing file: " + absolutePath)
+			continue
+		}
+
+		rfi := ResourceFixInfo{
+			FilePath:        absolutePath,
+			Resource:        resourceObj,
+			YamlExpressions: make(map[string]*armotypes.FixPath, 0),
+			DocumentIndex:   documentIndex,
+		}
+
+		for i := range result.AssociatedControls {
+			if result.AssociatedControls[i].GetStatus(nil).IsFailed() {
+				rfi.addYamlExpressionsFromResourceAssociatedControl(documentIndex, &result.AssociatedControls[i], h.fixInfo.SkipUserValues)
+			}
+		}
+
+		if len(rfi.YamlExpressions) > 0 {
+			resourcesToFix = append(resourcesToFix, rfi)
+		}
+	}
+
+	return resourcesToFix
+}
+
+func (h *FixHandler) PrintExpectedChanges(resourcesToFix []ResourceFixInfo) {
+	var sb strings.Builder
+	sb.WriteString("The following changes will be applied:\n")
+
+	for _, resourceFixInfo := range resourcesToFix {
+		sb.WriteString(fmt.Sprintf("File: %s\n", resourceFixInfo.FilePath))
+		sb.WriteString(fmt.Sprintf("Resource: %s\n", resourceFixInfo.Resource.GetName()))
+		sb.WriteString(fmt.Sprintf("Kind: %s\n", resourceFixInfo.Resource.GetKind()))
+		sb.WriteString("Changes:\n")
+
+		i := 1
+		for _, fixPath := range resourceFixInfo.YamlExpressions {
+			sb.WriteString(fmt.Sprintf("\t%d) %s = %s\n", i, (*fixPath).Path, (*fixPath).Value))
+			i++
+		}
+		sb.WriteString("\n------\n")
+	}
+
+	logger.L().Info(sb.String())
+}
+
+func (h *FixHandler) ApplyChanges(resourcesToFix []ResourceFixInfo) (int, []error) {
+	updatedFiles := make(map[string]bool)
+	errors := make([]error, 0)
+
+	fileYamlExpressions := h.getFileYamlExpressions(resourcesToFix)
+
+	for filepath, yamlExpression := range fileYamlExpressions {
+		fileAsString, err := getFileString(filepath)
+
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+
+		fixedYamlString, err := h.ApplyFixToContent(fileAsString, yamlExpression)
+
+		if err != nil {
+			errors = append(errors, fmt.Errorf("Failed to fix file %s: %w ", filepath, err))
+			continue
+		} else {
+			updatedFiles[filepath] = true
+		}
+
+		err = writeFixesToFile(filepath, fixedYamlString)
+
+		if err != nil {
+			logger.L().Error(fmt.Sprintf("Failed to write fixes to file %s, %v", filepath, err.Error()))
+			errors = append(errors, err)
+		}
+	}
+
+	return len(updatedFiles), errors
+}
+
+func (h *FixHandler) getFilePathAndIndex(filePathWithIndex string) (filePath string, documentIndex int, err error) {
+	splittedPath := strings.Split(filePathWithIndex, ":")
+	if len(splittedPath) <= 1 {
+		return "", 0, fmt.Errorf("expected to find ':' in file path")
+	}
+
+	filePath = splittedPath[0]
+	if documentIndex, err := strconv.Atoi(splittedPath[1]); err != nil {
+		return "", 0, err
+	} else {
+		return filePath, documentIndex, nil
+	}
+}
+
+func (h *FixHandler) ApplyFixToContent(yamlAsString, yamlExpression string) (fixedString string, err error) {
+	yamlLines := strings.Split(yamlAsString, "\n")
+
+	originalRootNodes, err := decodeDocumentRoots(yamlAsString)
+
+	if err != nil {
+		return "", err
+	}
+
+	fixedRootNodes, err := getFixedNodes(yamlAsString, yamlExpression)
+
+	if err != nil {
+		return "", err
+	}
+
+	fileFixInfo := getFixInfo(originalRootNodes, fixedRootNodes)
+
+	fixedYamlLines := getFixedYamlLines(yamlLines, fileFixInfo)
+
+	fixedString = getStringFromSlice(fixedYamlLines)
+
+	return fixedString, nil
+}
+
+func (h *FixHandler) getFileYamlExpressions(resourcesToFix []ResourceFixInfo) map[string]string {
+	fileYamlExpressions := make(map[string]string, 0)
+	for _, resourceToFix := range resourcesToFix {
+		singleExpression := reduceYamlExpressions(&resourceToFix)
+		resourceFilePath := resourceToFix.FilePath
+
+		if _, pathExistsInMap := fileYamlExpressions[resourceFilePath]; !pathExistsInMap {
+			fileYamlExpressions[resourceFilePath] = singleExpression
+		} else {
+			fileYamlExpressions[resourceFilePath] = joinStrings(fileYamlExpressions[resourceFilePath], " | ", singleExpression)
+		}
+
+	}
+
+	return fileYamlExpressions
+}
+
+func (rfi *ResourceFixInfo) addYamlExpressionsFromResourceAssociatedControl(documentIndex int, ac *resourcesresults.ResourceAssociatedControl, skipUserValues bool) {
+	for _, rule := range ac.ResourceAssociatedRules {
+		if !rule.GetStatus(nil).IsFailed() {
+			continue
+		}
+
+		for _, rulePaths := range rule.Paths {
+			if rulePaths.FixPath.Path == "" {
+				continue
+			}
+			if strings.HasPrefix(rulePaths.FixPath.Value, UserValuePrefix) && skipUserValues {
+				continue
+			}
+
+			yamlExpression := fixPathToValidYamlExpression(rulePaths.FixPath.Path, rulePaths.FixPath.Value, documentIndex)
+			rfi.YamlExpressions[yamlExpression] = &rulePaths.FixPath
+		}
+	}
+}
+
+// reduceYamlExpressions reduces the number of yaml expressions to a single one
+func reduceYamlExpressions(resource *ResourceFixInfo) string {
+	expressions := make([]string, 0, len(resource.YamlExpressions))
+	for expr := range resource.YamlExpressions {
+		expressions = append(expressions, expr)
+	}
+
+	return strings.Join(expressions, " | ")
+}
+
+func fixPathToValidYamlExpression(fixPath, value string, documentIndexInYaml int) string {
+	isStringValue := true
+	if _, err := strconv.ParseBool(value); err == nil {
+		isStringValue = false
+	} else if _, err := strconv.ParseFloat(value, 64); err == nil {
+		isStringValue = false
+	} else if _, err := strconv.Atoi(value); err == nil {
+		isStringValue = false
+	}
+
+	// Strings should be quoted
+	if isStringValue {
+		value = fmt.Sprintf("\"%s\"", value)
+	}
+
+	// select document index and add a dot for the root node
+	return fmt.Sprintf("select(di==%d).%s |= %s", documentIndexInYaml, fixPath, value)
+}
+
+func joinStrings(inputStrings ...string) string {
+	return strings.Join(inputStrings, "")
+}
+
+func getFileString(filepath string) (string, error) {
+	bytes, err := ioutil.ReadFile(filepath)
+
+	if err != nil {
+		return "", fmt.Errorf("Error reading file %s", filepath)
+	}
+
+	return string(bytes), nil
+}
+
+func writeFixesToFile(filepath, content string) error {
+	err := ioutil.WriteFile(filepath, []byte(content), 0644)
+
+	if err != nil {
+		return fmt.Errorf("Error writing fixes to file: %w", err)
+	}
+
+	return nil
+}

core/pkg/fixhandler/fixhandler_test.go

@@ -0,0 +1,248 @@
+package fixhandler
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	logger "github.com/kubescape/go-logger"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/op/go-logging.v1"
+)
+
+type indentationTestCase struct {
+	inputFile      string
+	yamlExpression string
+	expectedFile   string
+}
+
+func NewFixHandlerMock() (*FixHandler, error) {
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	return &FixHandler{
+		fixInfo:       &metav1.FixInfo{},
+		reportObj:     &reporthandlingv2.PostureReport{},
+		localBasePath: "",
+	}, nil
+}
+
+func getTestdataPath() string {
+	currentDir, _ := os.Getwd()
+	return filepath.Join(currentDir, "testdata")
+}
+
+func getTestCases() []indentationTestCase {
+	indentationTestCases := []indentationTestCase{
+		// Insertion Scenarios
+		{
+			"inserts/tc-01-00-input-mapping-insert-mapping.yaml",
+			"select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false",
+			"inserts/tc-01-01-expected.yaml",
+		},
+		{
+			"inserts/tc-02-00-input-mapping-insert-mapping-with-list.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"NET_RAW\"]",
+			"inserts/tc-02-01-expected.yaml",
+		},
+		{
+			"inserts/tc-03-00-input-list-append-scalar.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"SYS_ADM\"]",
+			"inserts/tc-03-01-expected.yaml",
+		},
+		{
+			"inserts/tc-04-00-input-multiple-inserts.yaml",
+
+			`select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation |= false |
+			 select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"] |
+			 select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type |= "RuntimeDefault" |
+			 select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false |
+			 select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true`,
+
+			"inserts/tc-04-01-expected.yaml",
+		},
+		{
+			"inserts/tc-05-00-input-comment-blank-line-single-insert.yaml",
+			"select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false",
+			"inserts/tc-05-01-expected.yaml",
+		},
+		{
+			"inserts/tc-06-00-input-list-append-scalar-oneline.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"SYS_ADM\"]",
+			"inserts/tc-06-01-expected.yaml",
+		},
+		{
+			"inserts/tc-07-00-input-multiple-documents.yaml",
+
+			`select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false |
+			 select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false`,
+
+			"inserts/tc-07-01-expected.yaml",
+		},
+		{
+			"inserts/tc-08-00-input-mapping-insert-mapping-indented.yaml",
+			"select(di==0).spec.containers[0].securityContext.capabilities.drop += [\"NET_RAW\"]",
+			"inserts/tc-08-01-expected.yaml",
+		},
+		{
+			"inserts/tc-09-00-input-list-insert-new-mapping-indented.yaml",
+			`select(di==0).spec.containers += {"name": "redis", "image": "redis"}`,
+			"inserts/tc-09-01-expected.yaml",
+		},
+		{
+			"inserts/tc-10-00-input-list-insert-new-mapping.yaml",
+			`select(di==0).spec.containers += {"name": "redis", "image": "redis"}`,
+			"inserts/tc-10-01-expected.yaml",
+		},
+
+		// Removal Scenarios
+		{
+			"removals/tc-01-00-input.yaml",
+			"del(select(di==0).spec.containers[0].securityContext)",
+			"removals/tc-01-01-expected.yaml",
+		},
+		{
+			"removals/tc-02-00-input.yaml",
+			"del(select(di==0).spec.containers[1])",
+			"removals/tc-02-01-expected.yaml",
+		},
+		{
+			"removals/tc-03-00-input.yaml",
+			"del(select(di==0).spec.containers[0].securityContext.capabilities.drop[1])",
+			"removals/tc-03-01-expected.yaml",
+		},
+		{
+			"removes/tc-04-00-input.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) | 
+			 del(select(di==1).spec.containers[1])`,
+			"removes/tc-04-01-expected.yaml",
+		},
+
+		// Replace Scenarios
+		{
+			"replaces/tc-01-00-input.yaml",
+			"select(di==0).spec.containers[0].securityContext.runAsRoot |= false",
+			"replaces/tc-01-01-expected.yaml",
+		},
+		{
+			"replaces/tc-02-00-input.yaml",
+			`select(di==0).spec.containers[0].securityContext.capabilities.drop[0] |= "SYS_ADM" |
+			 select(di==0).spec.containers[0].securityContext.capabilities.add[0] |= "NET_RAW"`,
+			"replaces/tc-02-01-expected.yaml",
+		},
+
+		// Hybrid Scenarios
+		{
+			"hybrids/tc-01-00-input.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-01-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-02-00-input-indented-list.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-02-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-03-00-input-comments.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-03-01-expected.yaml",
+		},
+		{
+			"hybrids/tc-04-00-input-separated-keys.yaml",
+			`del(select(di==0).spec.containers[0].securityContext) |
+			 select(di==0).spec.securityContext.runAsRoot |= false`,
+			"hybrids/tc-04-01-expected.yaml",
+		},
+	}
+
+	return indentationTestCases
+}
+
+func TestApplyFixKeepsFormatting(t *testing.T) {
+	testCases := getTestCases()
+
+	for _, tc := range testCases {
+		t.Run(tc.inputFile, func(t *testing.T) {
+			getTestDataPath := func(filename string) string {
+				currentDir, _ := os.Getwd()
+				currentFile := "testdata/" + filename
+				return filepath.Join(currentDir, currentFile)
+			}
+
+			input, _ := os.ReadFile(getTestDataPath(tc.inputFile))
+			wantRaw, _ := os.ReadFile(getTestDataPath(tc.expectedFile))
+			want := string(wantRaw)
+			expression := tc.yamlExpression
+
+			h, _ := NewFixHandlerMock()
+
+			got, _ := h.ApplyFixToContent(string(input), expression)
+
+			assert.Equalf(
+				t, want, got,
+				"Contents of the fixed file don't match the expectation.\n"+
+					"Input file: %s\n\n"+
+					"Got: <%s>\n\n"+
+					"Want: <%s>",
+				tc.inputFile, got, want,
+			)
+		},
+		)
+
+	}
+}
+
+func Test_fixPathToValidYamlExpression(t *testing.T) {
+	type args struct {
+		fixPath             string
+		value               string
+		documentIndexInYaml int
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "fix path with boolean value",
+			args: args{
+				fixPath:             "spec.template.spec.containers[0].securityContext.privileged",
+				value:               "true",
+				documentIndexInYaml: 2,
+			},
+			want: "select(di==2).spec.template.spec.containers[0].securityContext.privileged |= true",
+		},
+		{
+			name: "fix path with string value",
+			args: args{
+				fixPath:             "metadata.namespace",
+				value:               "YOUR_NAMESPACE",
+				documentIndexInYaml: 0,
+			},
+			want: "select(di==0).metadata.namespace |= \"YOUR_NAMESPACE\"",
+		},
+		{
+			name: "fix path with number",
+			args: args{
+				fixPath:             "xxx.yyy",
+				value:               "123",
+				documentIndexInYaml: 0,
+			},
+			want: "select(di==0).xxx.yyy |= 123",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := fixPathToValidYamlExpression(tt.args.fixPath, tt.args.value, tt.args.documentIndexInYaml); got != tt.want {
+				t.Errorf("fixPathToValidYamlExpression() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

core/pkg/fixhandler/testdata/hybrids/tc-01-00-input.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-01-01-expected.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-02-00-input-indented-list.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-02-01-expected.yaml

@@ -0,0 +1,19 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-03-00-input-comments.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  # These are the container comments
+  containers:
+    # These are the first containers comments
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-03-01-expected.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  # These are the container comments
+  containers:
+    # These are the first containers comments
+    - name: nginx_container
+      image: nginx
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/hybrids/tc-04-00-input-separated-keys.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+
+      image: nginx
+
+      securityContext:
+        runAsRoot: true

core/pkg/fixhandler/testdata/hybrids/tc-04-01-expected.yaml

@@ -0,0 +1,21 @@
+# Fix to Apply:
+# REMOVE:
+# "del(select(di==0).spec.containers[0].securityContext)"
+
+# INSERT:
+# select(di==0).spec.securityContext.runAsRoot: false
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+    - name: nginx_container
+
+      image: nginx
+  securityContext:
+    runAsRoot: false
+

core/pkg/fixhandler/testdata/inserts/tc-01-00-input-mapping-insert-mapping.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-01-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-02-00-input-mapping-insert-mapping-with-list.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-02-01-expected.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+          - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-03-00-input-list-append-scalar.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-03-01-expected.yaml

@@ -0,0 +1,16 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - NET_RAW
+        - SYS_ADM

core/pkg/fixhandler/testdata/inserts/tc-04-00-input-multiple-inserts.yaml

@@ -0,0 +1,47 @@
+# Fixes to Apply:
+# 1) select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation = false
+# 2) select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+# 3) select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type = RuntimeDefault
+# 4) select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false
+# 5) select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: multiple_inserts
+spec:
+  selector:
+    matchLabels:
+      app: example_4
+  template:
+    metadata:
+      labels:
+        app: example_4
+    spec:
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: example_4
+        image: nginx
+        ports:
+        - containerPort: 3000
+        env:
+        - name: PORT
+          value: "3000"
+        resources:
+          requests:
+            cpu: 200m
+            memory: 180Mi
+          limits:
+            cpu: 300m
+            memory: 300Mi
+        readinessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        livenessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]

core/pkg/fixhandler/testdata/inserts/tc-04-01-expected.yaml

@@ -0,0 +1,57 @@
+# Fixes to Apply:
+# 1) select(di==0).spec.template.spec.securityContext.allowPrivilegeEscalation = false
+# 2) select(di==0).spec.template.spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+# 3) select(di==0).spec.template.spec.containers[0].securityContext.seccompProfile.type = RuntimeDefault
+# 4) select(di==0).spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation |= false
+# 5) select(di==0).spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem |= true
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: multiple_inserts
+spec:
+  selector:
+    matchLabels:
+      app: example_4
+  template:
+    metadata:
+      labels:
+        app: example_4
+    spec:
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: example_4
+        image: nginx
+        ports:
+        - containerPort: 3000
+        env:
+        - name: PORT
+          value: "3000"
+        resources:
+          requests:
+            cpu: 200m
+            memory: 180Mi
+          limits:
+            cpu: 300m
+            memory: 300Mi
+        readinessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        livenessProbe:
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:3000"]
+        securityContext:
+          capabilities:
+            drop:
+              - NET_RAW
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+      securityContext:
+        allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-05-00-input-comment-blank-line-single-insert.yaml

@@ -0,0 +1,16 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+  # Testing if comments are retained as intended
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/inserts/tc-05-01-expected.yaml

@@ -0,0 +1,18 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false
+
+  # Testing if comments are retained as intended
+  securityContext:
+    runAsRoot: false

core/pkg/fixhandler/testdata/inserts/tc-06-00-input-list-append-scalar-oneline.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: [NET_RAW]

core/pkg/fixhandler/testdata/inserts/tc-06-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["SYS_ADM"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: [NET_RAW, SYS_ADM]

core/pkg/fixhandler/testdata/inserts/tc-07-00-input-multiple-documents.yaml

@@ -0,0 +1,27 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+---
+
+# Fix to Apply:
+# "select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-07-01-expected.yaml

@@ -0,0 +1,31 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false
+
+---
+
+# Fix to Apply:
+# "select(di==1).spec.containers[0].securityContext.allowPrivilegeEscalation |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: false

core/pkg/fixhandler/testdata/inserts/tc-08-00-input-mapping-insert-mapping-indented.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx

core/pkg/fixhandler/testdata/inserts/tc-08-01-expected.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop += ["NET_RAW"]
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+      securityContext:
+        capabilities:
+          drop:
+            - NET_RAW

core/pkg/fixhandler/testdata/inserts/tc-09-00-input-list-insert-new-mapping-indented.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx

core/pkg/fixhandler/testdata/inserts/tc-09-01-expected.yaml

@@ -0,0 +1,13 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-parent-list-insert-list-value
+spec:
+  containers:
+    - name: nginx_container
+      image: nginx
+    - name: redis
+      image: redis

core/pkg/fixhandler/testdata/inserts/tc-10-00-input-list-insert-new-mapping.yaml

@@ -0,0 +1,11 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-list-insert-new-object
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/inserts/tc-10-01-expected.yaml

@@ -0,0 +1,13 @@
+# Fix to Apply:
+# select(di==0).spec.containers += {"name": "redis", "image": "redis"}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: indented-list-insert-new-object
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+  - name: redis
+    image: redis

core/pkg/fixhandler/testdata/removals/tc-01-00-input.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: false

core/pkg/fixhandler/testdata/removals/tc-01-01-expected.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-02-00-input.yaml

@@ -0,0 +1,15 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+  - name: container_with_security_issues
+    image: image_with_security_issues

core/pkg/fixhandler/testdata/removals/tc-02-01-expected.yaml

@@ -0,0 +1,12 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-03-00-input.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext.capabilities.drop[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: ["NET_RAW", "SYS_ADM"]

core/pkg/fixhandler/testdata/removals/tc-03-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext.capabilities.drop[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop: ["NET_RAW"]

core/pkg/fixhandler/testdata/removals/tc-04-00-input.yaml

@@ -0,0 +1,32 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: false
+
+---
+
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+  - name: container_with_security_issues
+    image: image_with_security_issues

core/pkg/fixhandler/testdata/removals/tc-04-01-expected.yaml

@@ -0,0 +1,27 @@
+# Fix to Apply:
+# del(select(di==0).spec.containers[0].securityContext)
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+
+---
+
+# Fix to Apply:
+# del(select(di==0).spec.containers[1])
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: remove_example
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx

core/pkg/fixhandler/testdata/replaces/tc-01-00-input.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.runAsRoot |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: true

core/pkg/fixhandler/testdata/replaces/tc-01-01-expected.yaml

@@ -0,0 +1,14 @@
+# Fix to Apply:
+# "select(di==0).spec.containers[0].securityContext.runAsRoot |= false"
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_to_mapping_node_1
+
+spec:
+  containers:
+  - name: nginx_container
+    image: nginx
+    securityContext:
+      runAsRoot: false

core/pkg/fixhandler/testdata/replaces/tc-02-00-input.yaml

@@ -0,0 +1,18 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop[0] |= "SYS_ADM"
+# select(di==0).spec.containers[0].securityContext.capabilities.add[0] |= "NET_RAW"
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - "NET_RAW"
+        add: ["SYS_ADM"]

core/pkg/fixhandler/testdata/replaces/tc-02-01-expected.yaml

@@ -0,0 +1,18 @@
+# Fix to Apply:
+# select(di==0).spec.containers[0].securityContext.capabilities.drop[0] |= "SYS_ADM"
+# select(di==0).spec.containers[0].securityContext.capabilities.add[0] |= "NET_RAW"
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: insert_list
+spec:
+  containers:
+  - name: nginx1
+    image: nginx
+    securityContext:
+      capabilities:
+        drop:
+        - "SYS_ADM"
+        add: ["NET_RAW"]

core/pkg/fixhandler/yamlhandler.go

@@ -0,0 +1,286 @@
+package fixhandler
+
+import (
+	"container/list"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+
+	"gopkg.in/yaml.v3"
+)
+
+// decodeDocumentRoots decodes all YAML documents stored in a given `filepath` and returns a slice of their root nodes
+func decodeDocumentRoots(yamlAsString string) ([]yaml.Node, error) {
+	fileReader := strings.NewReader(yamlAsString)
+	dec := yaml.NewDecoder(fileReader)
+
+	nodes := make([]yaml.Node, 0)
+	for {
+		var node yaml.Node
+		err := dec.Decode(&node)
+
+		nodes = append(nodes, node)
+
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("Cannot Decode File as YAML")
+
+		}
+	}
+
+	return nodes, nil
+}
+
+func getFixedNodes(yamlAsString, yamlExpression string) ([]yaml.Node, error) {
+	preferences := yqlib.ConfiguredYamlPreferences
+	preferences.EvaluateTogether = true
+	decoder := yqlib.NewYamlDecoder(preferences)
+
+	var allDocuments = list.New()
+	reader := strings.NewReader(yamlAsString)
+
+	fileDocuments, err := readDocuments(reader, decoder)
+	if err != nil {
+		return nil, err
+	}
+	allDocuments.PushBackList(fileDocuments)
+
+	allAtOnceEvaluator := yqlib.NewAllAtOnceEvaluator()
+
+	fixedCandidateNodes, err := allAtOnceEvaluator.EvaluateCandidateNodes(yamlExpression, allDocuments)
+
+	if err != nil {
+		return nil, fmt.Errorf("Error fixing YAML, %w", err)
+	}
+
+	fixedNodes := make([]yaml.Node, 0)
+	var fixedNode *yaml.Node
+	for fixedCandidateNode := fixedCandidateNodes.Front(); fixedCandidateNode != nil; fixedCandidateNode = fixedCandidateNode.Next() {
+		fixedNode = fixedCandidateNode.Value.(*yqlib.CandidateNode).Node
+		fixedNodes = append(fixedNodes, *fixedNode)
+	}
+
+	return fixedNodes, nil
+}
+
+func flattenWithDFS(node *yaml.Node) *[]nodeInfo {
+	dfsOrder := make([]nodeInfo, 0)
+	flattenWithDFSHelper(node, nil, &dfsOrder, 0)
+	return &dfsOrder
+}
+
+func flattenWithDFSHelper(node *yaml.Node, parent *yaml.Node, dfsOrder *[]nodeInfo, index int) {
+	dfsNode := nodeInfo{
+		node:   node,
+		parent: parent,
+		index:  index,
+	}
+	*dfsOrder = append(*dfsOrder, dfsNode)
+
+	for idx, child := range node.Content {
+		flattenWithDFSHelper(child, node, dfsOrder, idx)
+	}
+}
+
+func getFixInfo(originalRootNodes, fixedRootNodes []yaml.Node) fileFixInfo {
+	contentToAdd := make([]contentToAdd, 0)
+	linesToRemove := make([]linesToRemove, 0)
+
+	for idx := 0; idx < len(fixedRootNodes); idx++ {
+		originalList := flattenWithDFS(&originalRootNodes[idx])
+		fixedList := flattenWithDFS(&fixedRootNodes[idx])
+		nodeContentToAdd, nodeLinesToRemove := getFixInfoHelper(*originalList, *fixedList)
+		contentToAdd = append(contentToAdd, nodeContentToAdd...)
+		linesToRemove = append(linesToRemove, nodeLinesToRemove...)
+	}
+
+	return fileFixInfo{
+		contentsToAdd: &contentToAdd,
+		linesToRemove: &linesToRemove,
+	}
+}
+
+func getFixInfoHelper(originalList, fixedList []nodeInfo) ([]contentToAdd, []linesToRemove) {
+
+	// While obtaining fixedYamlNode, comments and empty lines at the top are ignored.
+	// This causes a difference in Line numbers across the tree structure. In order to
+	// counter this, line numbers are adjusted in fixed list.
+	adjustFixedListLines(&originalList, &fixedList)
+
+	contentToAdd := make([]contentToAdd, 0)
+	linesToRemove := make([]linesToRemove, 0)
+
+	originalListTracker, fixedListTracker := 0, 0
+
+	fixInfoMetadata := &fixInfoMetadata{
+		originalList:        &originalList,
+		fixedList:           &fixedList,
+		originalListTracker: originalListTracker,
+		fixedListTracker:    fixedListTracker,
+		contentToAdd:        &contentToAdd,
+		linesToRemove:       &linesToRemove,
+	}
+
+	for originalListTracker < len(originalList) && fixedListTracker < len(fixedList) {
+		matchNodeResult := matchNodes(originalList[originalListTracker].node, fixedList[fixedListTracker].node)
+
+		fixInfoMetadata.originalListTracker = originalListTracker
+		fixInfoMetadata.fixedListTracker = fixedListTracker
+
+		switch matchNodeResult {
+		case sameNodes:
+			originalListTracker += 1
+			fixedListTracker += 1
+
+		case removedNode:
+			originalListTracker, fixedListTracker = addLinesToRemove(fixInfoMetadata)
+
+		case insertedNode:
+			originalListTracker, fixedListTracker = addLinesToInsert(fixInfoMetadata)
+
+		case replacedNode:
+			originalListTracker, fixedListTracker = updateLinesToReplace(fixInfoMetadata)
+		}
+	}
+
+	// Some nodes are still not visited if they are removed at the end of the list
+	for originalListTracker < len(originalList) {
+		fixInfoMetadata.originalListTracker = originalListTracker
+		originalListTracker, _ = addLinesToRemove(fixInfoMetadata)
+	}
+
+	// Some nodes are still not visited if they are inserted at the end of the list
+	for fixedListTracker < len(fixedList) {
+		// Use negative index of last node in original list as a placeholder to determine the last line number later
+		fixInfoMetadata.originalListTracker = -(len(originalList) - 1)
+		fixInfoMetadata.fixedListTracker = fixedListTracker
+		_, fixedListTracker = addLinesToInsert(fixInfoMetadata)
+	}
+
+	return contentToAdd, linesToRemove
+
+}
+
+// Adds the lines to remove and returns the updated originalListTracker
+func addLinesToRemove(fixInfoMetadata *fixInfoMetadata) (int, int) {
+	isOneLine, line := isOneLineSequenceNode(fixInfoMetadata.originalList, fixInfoMetadata.originalListTracker)
+
+	if isOneLine {
+		// Remove the entire line and replace it with the sequence node in fixed info. This way,
+		// the original formatting is not lost.
+		return replaceSingleLineSequence(fixInfoMetadata, line)
+	}
+
+	currentDFSNode := (*fixInfoMetadata.originalList)[fixInfoMetadata.originalListTracker]
+
+	newOriginalListTracker := updateTracker(fixInfoMetadata.originalList, fixInfoMetadata.originalListTracker)
+	*fixInfoMetadata.linesToRemove = append(*fixInfoMetadata.linesToRemove, linesToRemove{
+		startLine: currentDFSNode.node.Line,
+		endLine:   getNodeLine(fixInfoMetadata.originalList, newOriginalListTracker),
+	})
+
+	return newOriginalListTracker, fixInfoMetadata.fixedListTracker
+}
+
+// Adds the lines to insert and returns the updated fixedListTracker
+func addLinesToInsert(fixInfoMetadata *fixInfoMetadata) (int, int) {
+
+	isOneLine, line := isOneLineSequenceNode(fixInfoMetadata.fixedList, fixInfoMetadata.fixedListTracker)
+
+	if isOneLine {
+		return replaceSingleLineSequence(fixInfoMetadata, line)
+	}
+
+	currentDFSNode := (*fixInfoMetadata.fixedList)[fixInfoMetadata.fixedListTracker]
+
+	lineToInsert := getLineToInsert(fixInfoMetadata)
+	contentToInsert := getContent(currentDFSNode.parent, fixInfoMetadata.fixedList, fixInfoMetadata.fixedListTracker)
+
+	newFixedTracker := updateTracker(fixInfoMetadata.fixedList, fixInfoMetadata.fixedListTracker)
+
+	*fixInfoMetadata.contentToAdd = append(*fixInfoMetadata.contentToAdd, contentToAdd{
+		line:    lineToInsert,
+		content: contentToInsert,
+	})
+
+	return fixInfoMetadata.originalListTracker, newFixedTracker
+}
+
+// Adds the lines to remove and insert and updates the fixedListTracker and originalListTracker
+func updateLinesToReplace(fixInfoMetadata *fixInfoMetadata) (int, int) {
+
+	isOneLine, line := isOneLineSequenceNode(fixInfoMetadata.fixedList, fixInfoMetadata.fixedListTracker)
+
+	if isOneLine {
+		return replaceSingleLineSequence(fixInfoMetadata, line)
+	}
+
+	currentDFSNode := (*fixInfoMetadata.fixedList)[fixInfoMetadata.fixedListTracker]
+
+	// If only the value node is changed, entire "key-value" pair is replaced
+	if isValueNodeinMapping(&currentDFSNode) {
+		fixInfoMetadata.originalListTracker -= 1
+		fixInfoMetadata.fixedListTracker -= 1
+	}
+
+	addLinesToRemove(fixInfoMetadata)
+	updatedOriginalTracker, updatedFixedTracker := addLinesToInsert(fixInfoMetadata)
+
+	return updatedOriginalTracker, updatedFixedTracker
+}
+
+func removeNewLinesAtTheEnd(yamlLines []string) []string {
+	for idx := 1; idx < len(yamlLines); idx++ {
+		if yamlLines[len(yamlLines)-idx] != "\n" {
+			yamlLines = yamlLines[:len(yamlLines)-idx+1]
+			break
+		}
+	}
+	return yamlLines
+}
+
+func getFixedYamlLines(yamlLines []string, fileFixInfo fileFixInfo) (fixedYamlLines []string) {
+
+	// Determining last line requires original yaml lines slice. The placeholder for last line is replaced with the real last line
+	assignLastLine(fileFixInfo.contentsToAdd, fileFixInfo.linesToRemove, &yamlLines)
+
+	removeLines(fileFixInfo.linesToRemove, &yamlLines)
+
+	fixedYamlLines = make([]string, 0)
+	lineIdx, lineToAddIdx := 1, 0
+
+	// Ideally, new node is inserted at line before the next node in DFS order. But, when the previous line contains a
+	// comment or empty line, we need to insert new nodes before them.
+	adjustContentLines(fileFixInfo.contentsToAdd, &yamlLines)
+
+	for lineToAddIdx < len(*fileFixInfo.contentsToAdd) {
+		for lineIdx <= (*fileFixInfo.contentsToAdd)[lineToAddIdx].line {
+			// Check if the current line is not removed
+			if yamlLines[lineIdx-1] != "*" {
+				fixedYamlLines = append(fixedYamlLines, yamlLines[lineIdx-1])
+			}
+			lineIdx += 1
+		}
+
+		content := (*fileFixInfo.contentsToAdd)[lineToAddIdx].content
+		fixedYamlLines = append(fixedYamlLines, content)
+
+		lineToAddIdx += 1
+	}
+
+	for lineIdx <= len(yamlLines) {
+		if yamlLines[lineIdx-1] != "*" {
+			fixedYamlLines = append(fixedYamlLines, yamlLines[lineIdx-1])
+		}
+		lineIdx += 1
+	}
+
+	fixedYamlLines = removeNewLinesAtTheEnd(fixedYamlLines)
+
+	return fixedYamlLines
+}

core/pkg/fixhandler/yamlhelper.go

@@ -0,0 +1,406 @@
+package fixhandler
+
+import (
+	"bufio"
+	"bytes"
+	"container/list"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"os"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"gopkg.in/yaml.v3"
+)
+
+type NodeRelation int
+
+const (
+	sameNodes NodeRelation = iota
+	insertedNode
+	removedNode
+	replacedNode
+)
+
+func matchNodes(nodeOne, nodeTwo *yaml.Node) NodeRelation {
+
+	isNewNode := nodeTwo.Line == 0 && nodeTwo.Column == 0
+	sameLines := nodeOne.Line == nodeTwo.Line
+	sameColumns := nodeOne.Column == nodeTwo.Column
+
+	isSameNode := isSameNode(nodeOne, nodeTwo)
+
+	switch {
+	case isSameNode:
+		return sameNodes
+	case isNewNode:
+		return insertedNode
+	case sameLines && sameColumns:
+		return replacedNode
+	default:
+		return removedNode
+	}
+}
+
+func adjustContentLines(contentToAdd *[]contentToAdd, linesSlice *[]string) {
+	for contentIdx, content := range *contentToAdd {
+		line := content.line
+
+		// Adjust line numbers such that there are no "empty lines or comment lines of next nodes" before them
+		for idx := line - 1; idx >= 0; idx-- {
+			if isEmptyLineOrComment((*linesSlice)[idx]) {
+				(*contentToAdd)[contentIdx].line -= 1
+			} else {
+				break
+			}
+		}
+	}
+}
+
+func adjustFixedListLines(originalList, fixedList *[]nodeInfo) {
+	differenceAtTop := (*originalList)[0].node.Line - (*fixedList)[0].node.Line
+
+	if differenceAtTop <= 0 {
+		return
+	}
+
+	for _, node := range *fixedList {
+		// line numbers should not be changed for new nodes.
+		if node.node.Line != 0 {
+			node.node.Line += differenceAtTop
+		}
+	}
+
+	return
+
+}
+
+func enocodeIntoYaml(parentNode *yaml.Node, nodeList *[]nodeInfo, tracker int) (string, error) {
+	content := make([]*yaml.Node, 0)
+	currentNode := (*nodeList)[tracker].node
+	content = append(content, currentNode)
+
+	// Add the value in "key-value" pair to construct if the parent is mapping node
+	if parentNode.Kind == yaml.MappingNode {
+		valueNode := (*nodeList)[tracker+1].node
+		content = append(content, valueNode)
+	}
+
+	// The parent is added at the top to encode into YAML
+	parentForContent := yaml.Node{
+		Kind:    parentNode.Kind,
+		Content: content,
+	}
+
+	buf := new(bytes.Buffer)
+
+	encoder := yaml.NewEncoder(buf)
+	encoder.SetIndent(2)
+
+	errorEncoding := encoder.Encode(parentForContent)
+	if errorEncoding != nil {
+		return "", fmt.Errorf("Error debugging node, %v", errorEncoding.Error())
+	}
+	errorClosingEncoder := encoder.Close()
+	if errorClosingEncoder != nil {
+		return "", fmt.Errorf("Error closing encoder: %v", errorClosingEncoder.Error())
+	}
+	return fmt.Sprintf(`%v`, buf.String()), nil
+}
+
+func getContent(parentNode *yaml.Node, nodeList *[]nodeInfo, tracker int) string {
+	content, err := enocodeIntoYaml(parentNode, nodeList, tracker)
+	if err != nil {
+		logger.L().Fatal("Cannot Encode into YAML")
+	}
+
+	indentationSpaces := parentNode.Column - 1
+
+	content = indentContent(content, indentationSpaces)
+
+	return strings.TrimSuffix(content, "\n")
+}
+
+func indentContent(content string, indentationSpaces int) string {
+	indentedContent := ""
+	indentSpaces := strings.Repeat(" ", indentationSpaces)
+
+	scanner := bufio.NewScanner(strings.NewReader(content))
+	for scanner.Scan() {
+		line := scanner.Text()
+		indentedContent += (indentSpaces + line + "\n")
+	}
+	return indentedContent
+}
+
+func getLineToInsert(fixInfoMetadata *fixInfoMetadata) int {
+	var lineToInsert int
+	// Check if lineToInsert is last line
+	if fixInfoMetadata.originalListTracker < 0 {
+		originalListTracker := int(math.Abs(float64(fixInfoMetadata.originalListTracker)))
+		// Storing the negative value of line of last node as a placeholder to determine the last line later.
+		lineToInsert = -(*fixInfoMetadata.originalList)[originalListTracker].node.Line
+	} else {
+		lineToInsert = (*fixInfoMetadata.originalList)[fixInfoMetadata.originalListTracker].node.Line - 1
+	}
+	return lineToInsert
+}
+
+func assignLastLine(contentsToAdd *[]contentToAdd, linesToRemove *[]linesToRemove, linesSlice *[]string) {
+	for idx, contentToAdd := range *contentsToAdd {
+		if contentToAdd.line < 0 {
+			currentLine := int(math.Abs(float64(contentToAdd.line)))
+			(*contentsToAdd)[idx].line, _ = getLastLineOfResource(linesSlice, currentLine)
+		}
+	}
+
+	for idx, lineToRemove := range *linesToRemove {
+		if lineToRemove.endLine < 0 {
+			endLine, _ := getLastLineOfResource(linesSlice, lineToRemove.startLine)
+			(*linesToRemove)[idx].endLine = endLine
+		}
+	}
+}
+
+func getLastLineOfResource(linesSlice *[]string, currentLine int) (int, error) {
+	// Get lastlines of all resources...
+	lastLinesOfResources := make([]int, 0)
+	for lineNumber, lineContent := range *linesSlice {
+		if lineContent == "---" {
+			for lastLine := lineNumber - 1; lastLine >= 0; lastLine-- {
+				if !isEmptyLineOrComment((*linesSlice)[lastLine]) {
+					lastLinesOfResources = append(lastLinesOfResources, lastLine+1)
+					break
+				}
+			}
+		}
+	}
+
+	lastLine := len(*linesSlice)
+	for lastLine >= 0 {
+		if !isEmptyLineOrComment((*linesSlice)[lastLine-1]) {
+			lastLinesOfResources = append(lastLinesOfResources, lastLine)
+			break
+		} else {
+			lastLine--
+		}
+	}
+
+	// Get last line of the resource we need
+	for _, endLine := range lastLinesOfResources {
+		if currentLine <= endLine {
+			return endLine, nil
+		}
+	}
+
+	return 0, fmt.Errorf("Provided line is greater than the length of YAML file")
+}
+
+func getNodeLine(nodeList *[]nodeInfo, tracker int) int {
+	if tracker < len(*nodeList) {
+		return (*nodeList)[tracker].node.Line
+	} else {
+		return -1
+	}
+}
+
+// Checks if the node is value node in "key-value" pairs of mapping node
+func isValueNodeinMapping(node *nodeInfo) bool {
+	if node.parent.Kind == yaml.MappingNode && node.index%2 != 0 {
+		return true
+	}
+	return false
+}
+
+// Checks if the node is part of single line sequence node and returns the line
+func isOneLineSequenceNode(list *[]nodeInfo, currentTracker int) (bool, int) {
+	parentNode := (*list)[currentTracker].parent
+	if parentNode.Kind != yaml.SequenceNode {
+		return false, -1
+	}
+
+	var currentNode, prevNode nodeInfo
+	currentTracker -= 1
+
+	for (*list)[currentTracker].node != parentNode {
+		currentNode = (*list)[currentTracker]
+		prevNode = (*list)[currentTracker-1]
+
+		if currentNode.node.Line != prevNode.node.Line {
+			return false, -1
+		}
+		currentTracker -= 1
+	}
+
+	parentNodeInfo := (*list)[currentTracker]
+
+	if parentNodeInfo.parent.Kind == yaml.MappingNode {
+		keyNodeInfo := (*list)[currentTracker-1]
+		if keyNodeInfo.node.Line == parentNode.Line {
+			return true, parentNode.Line
+		} else {
+			return false, -1
+		}
+	} else {
+		if parentNodeInfo.parent.Line == parentNode.Line {
+			return true, parentNode.Line
+		} else {
+			return false, -1
+		}
+	}
+}
+
+// Checks if nodes are of same kind, value, line and column
+func isSameNode(nodeOne, nodeTwo *yaml.Node) bool {
+	sameLines := nodeOne.Line == nodeTwo.Line
+	sameColumns := nodeOne.Column == nodeTwo.Column
+	sameKinds := nodeOne.Kind == nodeTwo.Kind
+	sameValues := nodeOne.Value == nodeTwo.Value
+
+	return sameKinds && sameValues && sameLines && sameColumns
+}
+
+// Checks if the line is empty or a comment
+func isEmptyLineOrComment(lineContent string) bool {
+	lineContent = strings.TrimSpace(lineContent)
+	if lineContent == "" {
+		return true
+	} else if lineContent[0:1] == "#" {
+		return true
+	}
+	return false
+}
+
+func readDocuments(reader io.Reader, decoder yqlib.Decoder) (*list.List, error) {
+	err := decoder.Init(reader)
+	if err != nil {
+		return nil, fmt.Errorf("Error Initializing the decoder, %w", err)
+	}
+	inputList := list.New()
+
+	var currentIndex uint
+
+	for {
+		candidateNode, errorReading := decoder.Decode()
+
+		if errors.Is(errorReading, io.EOF) {
+			switch reader := reader.(type) {
+			case *os.File:
+				safelyCloseFile(reader)
+			}
+			return inputList, nil
+		} else if errorReading != nil {
+			return nil, fmt.Errorf("Error Decoding YAML file, %w", errorReading)
+		}
+
+		candidateNode.Document = currentIndex
+		candidateNode.EvaluateTogether = true
+
+		inputList.PushBack(candidateNode)
+
+		currentIndex = currentIndex + 1
+	}
+}
+
+func safelyCloseFile(file *os.File) {
+	err := file.Close()
+	if err != nil {
+		logger.L().Error("Error Closing File")
+	}
+}
+
+// Remove the entire line and replace it with the sequence node in fixed info. This way,
+// the original formatting is lost.
+func replaceSingleLineSequence(fixInfoMetadata *fixInfoMetadata, line int) (int, int) {
+	originalListTracker := getFirstNodeInLine(fixInfoMetadata.originalList, line)
+	fixedListTracker := getFirstNodeInLine(fixInfoMetadata.fixedList, line)
+
+	currentDFSNode := (*fixInfoMetadata.fixedList)[fixedListTracker]
+	contentToInsert := getContent(currentDFSNode.parent, fixInfoMetadata.fixedList, fixedListTracker)
+
+	// Remove the Single line
+	*fixInfoMetadata.linesToRemove = append(*fixInfoMetadata.linesToRemove, linesToRemove{
+		startLine: line,
+		endLine:   line,
+	})
+
+	// Encode entire Sequence Node and Insert
+	*fixInfoMetadata.contentToAdd = append(*fixInfoMetadata.contentToAdd, contentToAdd{
+		line:    line,
+		content: contentToInsert,
+	})
+
+	originalListTracker = updateTracker(fixInfoMetadata.originalList, originalListTracker)
+	fixedListTracker = updateTracker(fixInfoMetadata.fixedList, fixedListTracker)
+
+	return originalListTracker, fixedListTracker
+}
+
+// Returns the first node in the given line that is not mapping node
+func getFirstNodeInLine(list *[]nodeInfo, line int) int {
+	tracker := 0
+
+	currentNode := (*list)[tracker].node
+	for currentNode.Line != line || currentNode.Kind == yaml.MappingNode {
+		tracker += 1
+		currentNode = (*list)[tracker].node
+	}
+
+	return tracker
+}
+
+// To not mess with the line number while inserting, removed lines are not deleted but replaced with "*"
+func removeLines(linesToRemove *[]linesToRemove, linesSlice *[]string) {
+	var startLine, endLine int
+	for _, lineToRemove := range *linesToRemove {
+		startLine = lineToRemove.startLine - 1
+		endLine = lineToRemove.endLine - 1
+
+		for line := startLine; line <= endLine; line++ {
+			lineContent := (*linesSlice)[line]
+			// When determining the endLine, empty lines and comments which are not intended to be removed are included.
+			// To deal with that, we need to refrain from removing empty lines and comments
+			if isEmptyLineOrComment(lineContent) {
+				break
+			}
+			(*linesSlice)[line] = "*"
+		}
+	}
+}
+
+// Skips the current node including it's children in DFS order and returns the new tracker.
+func skipCurrentNode(node *yaml.Node, currentTracker int) int {
+	updatedTracker := currentTracker + getChildrenCount(node)
+	return updatedTracker
+}
+
+func getChildrenCount(node *yaml.Node) int {
+	totalChildren := 1
+	for _, child := range node.Content {
+		totalChildren += getChildrenCount(child)
+	}
+	return totalChildren
+}
+
+// The current node along with it's children is skipped and the tracker is moved to next sibling
+// of current node. If parent is mapping node, "value" in "key-value" pairs is also skipped.
+func updateTracker(nodeList *[]nodeInfo, tracker int) int {
+	currentNode := (*nodeList)[tracker]
+	var updatedTracker int
+
+	if currentNode.parent.Kind == yaml.MappingNode {
+		valueNode := (*nodeList)[tracker+1]
+		updatedTracker = skipCurrentNode(valueNode.node, tracker+1)
+	} else {
+		updatedTracker = skipCurrentNode(currentNode.node, tracker)
+	}
+
+	return updatedTracker
+}
+
+func getStringFromSlice(yamlLines []string) (fixedYamlString string) {
+	return strings.Join(yamlLines, "\n")
+}

core/pkg/hostsensorutils/hostsensor.yaml

@@ -36,7 +36,7 @@ spec:
         effect: NoSchedule
       containers:
       - name: host-sensor
-        image: quay.io/kubescape/host-scanner:v1.0.28
+        image: quay.io/kubescape/host-scanner:v1.0.32
         securityContext:
           privileged: true
           readOnlyRootFilesystem: true
@@ -72,4 +72,4 @@ spec:
         name: host-filesystem
       hostNetwork: true
       hostPID: true
-      hostIPC: true
+      hostIPC: true

core/pkg/policyhandler/handlepullpolicies.go

@@ -41,6 +41,8 @@ func (policyHandler *PolicyHandler) getPolicies(policyIdentifier []cautils.Polic
 	controlsInputs, err := policyHandler.getters.ControlsInputsGetter.GetControlsInputs(cautils.ClusterName)
 	if err == nil {
 		policiesAndResources.RegoInputData.PostureControlInputs = controlsInputs
+	} else {
+		logger.L().Error(err.Error())
 	}
 	cautils.StopSpinner()
 

core/pkg/registryadaptors/gcp/v1/Readme.md

@@ -0,0 +1,33 @@
+# GCP Adaptor
+
+### How we add gcp adaptor
+
+As there can be possiblities of use of multiple registries we check for each adaptor if we have required credentias. For every adaptor having credentials we append the adaptor to the adaptors slice.
+
+Particularly for gcp, we frstly bring the `gcpCloudAPI` from the connector. We still haven't created a proper function that initiats the gcpCloudAPI with projectId, credentialsPath, credentialsCheck fields. We check for `credentialsCheck` bool which is set true when we have credentials(to be set when initializing the gcpCloudAPI) 
+
+### How we fetch vulnerabilities for images
+
+Step 1: 
+    Get container analysis client 
+    For this we needs credentials of the service account. Out of few approaches here we are using [JSON key file](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) for credentials and path to this file should be stored in `credentialsPath`
+
+Step 2: 
+    Do ListOccurrenceRequest 
+    For this we need the `projectID` and the `resourceUrl`. ProjectID should be provided by the users and resourceUrl is processed imageTag that we get from kubescape resources
+  
+Step 3:
+    Get Occurrence iterator
+    We use context and the request from the ListOccurenceRequest to get the iterators
+
+
+### How we convert the response to Vulnerabilities
+
+Response from the iterator has two type of kinds i.e. Discovery and Vulnerabilties and both has differnent struct
+
+### How can this adaptor be used by the user 
+
+To know about GCR service accounts follow https://cloud.google.com/container-registry/docs/gcr-service-account
+export variables 
+    `export KS_GCP_CREDENTIALS_PATH=<path to service account credentials file>`
+    `export KS_GCP_PROJECT_ID=<your project ID>`

core/pkg/registryadaptors/gcp/v1/datastructure.go

@@ -0,0 +1,24 @@
+package v1
+
+import (
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+)
+
+type GCPAdaptor struct {
+	GCPCloudAPI *getter.GCPCloudAPI
+}
+
+type Mock struct {
+	Name             string
+	Notename         string
+	CvssScore        float32
+	CreatedTime      int64
+	UpdatedTime      int64
+	Type             string
+	ShortDescription string
+	AffectedCPEURI   string
+	AffectedPackage  string
+	FixAvailable     bool
+	AffectedVersion  string
+	FixedVersion     string
+}

core/pkg/registryadaptors/gcp/v1/gcpadaptor.go

@@ -0,0 +1,88 @@
+package v1
+
+import (
+	"fmt"
+
+	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/registryvulnerabilities"
+	"google.golang.org/api/iterator"
+	"google.golang.org/api/option"
+	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
+)
+
+func NewGCPAdaptor(GCPCloudAPI *getter.GCPCloudAPI) *GCPAdaptor {
+	return &GCPAdaptor{
+		GCPCloudAPI: GCPCloudAPI,
+	}
+}
+
+func (GCPAdaptor *GCPAdaptor) Login() error {
+	client, err := containeranalysis.NewClient(GCPAdaptor.GCPCloudAPI.GetContext(), option.WithCredentialsFile(GCPAdaptor.GCPCloudAPI.GetCredentialsPath()))
+	if err != nil {
+		return err
+	}
+	GCPAdaptor.GCPCloudAPI.SetClient(client)
+	return nil
+}
+
+func (GCPAdaptor *GCPAdaptor) GetImagesVulnerabilities(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+	resultList := make([]registryvulnerabilities.ContainerImageVulnerabilityReport, 0)
+	for _, imageID := range imageIDs {
+		result, err := GCPAdaptor.GetImageVulnerability(&imageID)
+		if err == nil {
+			resultList = append(resultList, *result)
+		} else {
+			logger.L().Debug("failed to get image vulnerabilities", helpers.String("image", imageID.Tag), helpers.Error(err))
+		}
+	}
+	return resultList, nil
+}
+
+func (GCPAdaptor *GCPAdaptor) GetImageVulnerability(imageID *registryvulnerabilities.ContainerImageIdentifier) (*registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+
+	resourceUrl := fmt.Sprintf("https://%s", imageID.Tag)
+
+	req := &grafeaspb.ListOccurrencesRequest{
+		Parent: fmt.Sprintf("projects/%s", GCPAdaptor.GCPCloudAPI.GetProjectID()),
+		Filter: fmt.Sprintf(`resourceUrl=%q`, resourceUrl),
+	}
+
+	it := GCPAdaptor.GCPCloudAPI.GetClient().GetGrafeasClient().ListOccurrences(GCPAdaptor.GCPCloudAPI.GetContext(), req)
+	occs := []*grafeaspb.Occurrence{}
+	var count int
+	for {
+		occ, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		occs = append(occs, occ)
+		count++
+	}
+	vulnerabilities := responseObjectToVulnerabilities(occs, count)
+
+	resultImageVulnerabilityReport := registryvulnerabilities.ContainerImageVulnerabilityReport{
+		ImageID:         *imageID,
+		Vulnerabilities: vulnerabilities,
+	}
+	return &resultImageVulnerabilityReport, nil
+}
+
+func (GCPAdaptor *GCPAdaptor) DescribeAdaptor() string {
+	return "GCP image vulnerabilities scanner, docs: https://cloud.google.com/container-analysis/docs/container-analysis"
+}
+
+func (GCPAdaptor *GCPAdaptor) GetImagesInformation(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageInformation, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageInformation{}, nil
+}
+
+func (GCPAdaptor *GCPAdaptor) GetImagesScanStatus(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageScanStatus, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageScanStatus{}, nil
+}

core/pkg/registryadaptors/gcp/v1/gcpadaptor_test.go

@@ -0,0 +1,31 @@
+package v1
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/registryvulnerabilities"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSum(t *testing.T) {
+	var err error
+	var adaptor registryvulnerabilities.IContainerImageVulnerabilityAdaptor
+
+	adaptor, err = NewGCPAdaptorMock()
+	assert.NoError(t, err)
+
+	assert.NoError(t, adaptor.Login())
+
+	imageVulnerabilityReports, err := adaptor.GetImagesVulnerabilities([]registryvulnerabilities.ContainerImageIdentifier{{Tag: "gcr.io/myproject/nginx@sha256:1XXXXX"}, {Tag: "gcr.io/myproject/nginx@sha256:2XXXXX"}})
+	assert.NoError(t, err)
+
+	for i := range imageVulnerabilityReports {
+		var length int
+		if i == 0 {
+			length = 5
+		} else if i == 1 {
+			length = 3
+		}
+		assert.Equal(t, length, len(imageVulnerabilityReports[i].Vulnerabilities))
+	}
+}

core/pkg/registryadaptors/gcp/v1/gcpadaptormock.go

@@ -0,0 +1,185 @@
+package v1
+
+import (
+	"github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/registryvulnerabilities"
+	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+type GCPAdaptorMock struct {
+	resultList []registryvulnerabilities.ContainerImageVulnerabilityReport
+}
+
+func NewGCPAdaptorMock() (*GCPAdaptorMock, error) {
+	return &GCPAdaptorMock{}, nil
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) Login() error {
+	return nil
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) GetImagesVulnerabilities(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+	resultList := make([]registryvulnerabilities.ContainerImageVulnerabilityReport, 0)
+	for _, imageID := range imageIDs {
+		result, err := GCPAdaptorMock.GetImageVulnerability(&imageID)
+		if err == nil {
+			resultList = append(resultList, *result)
+		} else {
+			return nil, err
+		}
+
+		return resultList, nil
+	}
+
+	GCPAdaptorMock.resultList = resultList
+	return GCPAdaptorMock.resultList, nil
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) GetImageVulnerability(imageID *registryvulnerabilities.ContainerImageIdentifier) (*registryvulnerabilities.ContainerImageVulnerabilityReport, error) {
+	vulnerability := []*grafeaspb.Occurrence_Vulnerability{}
+	occurrence := []*grafeaspb.Occurrence{}
+	arr := GetMockData()
+
+	for i, _ := range arr {
+		if imageID.Tag == "gcr.io/myproject/nginx@sha256:2XXXXX" && i == 4 {
+			break
+		}
+		vulnerability = append(vulnerability, &grafeaspb.Occurrence_Vulnerability{
+			Vulnerability: &grafeaspb.VulnerabilityOccurrence{
+				Type:             arr[i].Type,
+				CvssScore:        arr[i].CvssScore,
+				ShortDescription: arr[i].ShortDescription,
+				PackageIssue: []*grafeaspb.VulnerabilityOccurrence_PackageIssue{
+					{
+						FixedVersion: &grafeaspb.Version{
+							FullName: arr[i].FixedVersion,
+						},
+						AffectedVersion: &grafeaspb.Version{
+							FullName: arr[i].AffectedVersion,
+						},
+						AffectedCpeUri:  arr[i].AffectedCPEURI,
+						AffectedPackage: arr[i].AffectedPackage,
+					},
+				},
+				FixAvailable: arr[i].FixAvailable,
+			},
+		})
+
+		occurrence = append(occurrence, &grafeaspb.Occurrence{
+			Name:     arr[i].Name,
+			Kind:     grafeaspb.NoteKind_ATTESTATION,
+			NoteName: arr[i].Notename,
+			CreateTime: &timestamppb.Timestamp{
+				Seconds: arr[i].CreatedTime,
+			},
+			UpdateTime: &timestamppb.Timestamp{
+				Seconds: arr[i].UpdatedTime,
+			},
+			Details: vulnerability[i],
+		})
+	}
+
+	vulnerabilities := responseObjectToVulnerabilities(occurrence, 5)
+
+	resultImageVulnerabilityReport := registryvulnerabilities.ContainerImageVulnerabilityReport{
+		ImageID:         *imageID,
+		Vulnerabilities: vulnerabilities,
+	}
+	return &resultImageVulnerabilityReport, nil
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) DescribeAdaptor() string {
+	// TODO
+	return ""
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) GetImagesInformation(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageInformation, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageInformation{}, nil
+}
+
+func (GCPAdaptorMock *GCPAdaptorMock) GetImagesScanStatus(imageIDs []registryvulnerabilities.ContainerImageIdentifier) ([]registryvulnerabilities.ContainerImageScanStatus, error) {
+	// TODO
+	return []registryvulnerabilities.ContainerImageScanStatus{}, nil
+}
+
+//==============================================================================================================================
+//==============================================================================================================================
+//==============================================================================================================================
+
+func GetMockData() []Mock {
+	arr := []Mock{
+		{
+			Name:             "projects/stable-furnace-356005/occurrences/41fd9fec-6fab-4531-a4ee-e7b97d518554",
+			Notename:         "projects/goog-vulnz/notes/CVE-2009-4487",
+			CvssScore:        6.8,
+			CreatedTime:      1661061853,
+			UpdatedTime:      1661061853,
+			Type:             "OS",
+			ShortDescription: "CVE-2009-4487",
+			AffectedCPEURI:   "cpe:/o:debian:debian_linux:11",
+			AffectedPackage:  "nginx",
+			FixAvailable:     true,
+			AffectedVersion:  "1.23.1-1~bullseye",
+			FixedVersion:     "",
+		},
+		{
+			Name:             "projects/stable-furnace-356005/occurrences/b28fa29f-5c2b-45c7-9727-2f1f02ed1957",
+			Notename:         "projects/goog-vulnz/notes/CVE-2017-17740",
+			CvssScore:        2.3,
+			CreatedTime:      3237628,
+			UpdatedTime:      5989893,
+			Type:             "OS",
+			ShortDescription: "CVE-2017-17740",
+			AffectedCPEURI:   "cpe:/o:debian:debian_linux:11",
+			AffectedPackage:  "openldap",
+			FixAvailable:     false,
+			AffectedVersion:  "1.3.5",
+			FixedVersion:     "1.3.5",
+		},
+		{
+			Name:             "projects/stable-furnace-356005/occurrences/b28fa29f-5c2b-45c7-9727-2f1f02ed1957",
+			Notename:         "projects/goog-vulnz/notes/CVE-2017-17740",
+			CvssScore:        2.3,
+			CreatedTime:      3237628,
+			UpdatedTime:      5989893,
+			Type:             "OS",
+			ShortDescription: "CVE-2017-17740",
+			AffectedCPEURI:   "cpe:/o:debian:debian_linux:11",
+			AffectedPackage:  "openldap",
+			FixAvailable:     false,
+			AffectedVersion:  "1.3.5",
+			FixedVersion:     "1.3.5",
+		},
+		{
+			Name:             "projects/stable-furnace-356005/occurrences/b28fa29f-5c2b-45c7-9727-2f1f02ed1957",
+			Notename:         "projects/goog-vulnz/notes/CVE-2017-17740",
+			CvssScore:        2.3,
+			CreatedTime:      3237628,
+			UpdatedTime:      5989893,
+			Type:             "OS",
+			ShortDescription: "CVE-2017-17740",
+			AffectedCPEURI:   "cpe:/o:debian:debian_linux:11",
+			AffectedPackage:  "openldap",
+			FixAvailable:     false,
+			AffectedVersion:  "1.3.5",
+			FixedVersion:     "1.3.5",
+		},
+		{
+			Name:             "projects/stable-furnace-356005/occurrences/b28fa29f-5c2b-45c7-9727-2f1f02ed1957",
+			Notename:         "projects/goog-vulnz/notes/CVE-2017-17740",
+			CvssScore:        2.3,
+			CreatedTime:      3237628,
+			UpdatedTime:      5989893,
+			Type:             "OS",
+			ShortDescription: "CVE-2017-17740",
+			AffectedCPEURI:   "cpe:/o:debian:debian_linux:11",
+			AffectedPackage:  "openldap",
+			FixAvailable:     false,
+			AffectedVersion:  "1.3.5",
+			FixedVersion:     "1.3.5",
+		},
+	}
+
+	return arr
+}

core/pkg/registryadaptors/gcp/v1/gcpadaptorutils.go

@@ -0,0 +1,36 @@
+package v1
+
+import (
+	"github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/registryvulnerabilities"
+	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
+)
+
+func responseObjectToVulnerabilities(vulnerabilityList []*grafeaspb.Occurrence, count int) []registryvulnerabilities.Vulnerability {
+	vulnerabilities := make([]registryvulnerabilities.Vulnerability, count)
+	for i, vulnerabilityEntry := range vulnerabilityList {
+		if vulnerabilityEntry.GetKind().String() != "DISCOVERY" {
+			vulnerabilities[i].Name = vulnerabilityEntry.Name
+			vulnerabilities[i].NoteName = vulnerabilityEntry.NoteName
+			vulnerabilities[i].CreateTime = vulnerabilityEntry.CreateTime.AsTime()
+			vulnerabilities[i].UpdateTime = vulnerabilityEntry.UpdateTime.AsTime()
+			vulnerabilities[i].CVSS = vulnerabilityEntry.GetVulnerability().CvssScore
+			vulnerabilities[i].AffectedCPEURI = vulnerabilityEntry.GetVulnerability().PackageIssue[0].AffectedCpeUri
+			vulnerabilities[i].AffectedPackage = vulnerabilityEntry.GetVulnerability().PackageIssue[0].AffectedPackage
+			vulnerabilities[i].AffectedVersion = vulnerabilityEntry.GetVulnerability().PackageIssue[0].AffectedVersion.FullName
+			vulnerabilities[i].FixedVersion = vulnerabilityEntry.GetVulnerability().PackageIssue[0].FixedVersion.FullName
+			vulnerabilities[i].FixedCPEURI = vulnerabilityEntry.GetVulnerability().PackageIssue[0].FixedCpeUri
+			vulnerabilities[i].FixedPackege = vulnerabilityEntry.GetVulnerability().PackageIssue[0].FixedPackage
+			vulnerabilities[i].FixAvailablePackage = vulnerabilityEntry.GetVulnerability().PackageIssue[0].GetFixAvailable()
+			vulnerabilities[i].PackageType = vulnerabilityEntry.GetVulnerability().PackageIssue[0].PackageType
+			vulnerabilities[i].EffectiveSeverityPackage = vulnerabilityEntry.GetVulnerability().PackageIssue[0].EffectiveSeverity.String()
+			vulnerabilities[i].AffectedPackage = vulnerabilityEntry.GetVulnerability().PackageIssue[0].AffectedPackage
+			vulnerabilities[i].Severity = vulnerabilityEntry.GetVulnerability().Severity.Enum().String()
+			vulnerabilities[i].ShortDescription = vulnerabilityEntry.GetVulnerability().ShortDescription
+			vulnerabilities[i].LongDescription = vulnerabilityEntry.GetVulnerability().LongDescription
+		} else {
+			vulnerabilities[i].Description = vulnerabilityEntry.GetDiscovery().String()
+		}
+	}
+
+	return vulnerabilities
+}

core/pkg/registryadaptors/registryvulnerabilities/datastructures.go

@@ -28,19 +28,36 @@ type Categories struct {
 }
 
 type Vulnerability struct {
-	Name               string      `json:"name"`
-	RelatedPackageName string      `json:"packageName"`
-	PackageVersion     string      `json:"packageVersion"`
-	Link               string      `json:"link"`
-	Description        string      `json:"description"`
-	Severity           string      `json:"severity"`
-	Metadata           interface{} `json:"metadata"`
-	Fixes              []FixedIn   `json:"fixedIn"`
-	Relevancy          string      `json:"relevant"` // use the related enum
-	UrgentCount        int         `json:"urgent"`
-	NeglectedCount     int         `json:"neglected"`
-	HealthStatus       string      `json:"healthStatus"`
-	Categories         Categories  `json:"categories"`
+	Name                     string      `json:"name"`
+	RelatedPackageName       string      `json:"packageName"`
+	PackageVersion           string      `json:"packageVersion"`
+	Link                     string      `json:"link"`
+	Description              string      `json:"description"`
+	Severity                 string      `json:"severity"`
+	Metadata                 interface{} `json:"metadata"`
+	Fixes                    []FixedIn   `json:"fixedIn"`
+	Relevancy                string      `json:"relevant"` // use the related enum
+	UrgentCount              int         `json:"urgent"`
+	NeglectedCount           int         `json:"neglected"`
+	HealthStatus             string      `json:"healthStatus"`
+	Categories               Categories  `json:"categories"`
+	NoteName                 string      `json:",omitempty"`
+	CreateTime               time.Time   `json:",omitempty"`
+	UpdateTime               time.Time      `json:",omitempty"` // Vulnerablity started
+	CVSS                     float32     `json:",omitempty"` // other cvss versions are available
+	AffectedCPEURI           string      `json:",omitempty"` // Package issue
+	AffectedPackage          string      `json:",omitempty"`
+	AffectedVersion          string      `json:",omitempty"`
+	FixedVersion             string      `json:",omitempty"`
+	FixedCPEURI              string      `json:",omitempty"`
+	FixedPackege             string      `json:",omitempty"`
+	FixAvailablePackage      bool        `json:",omitempty"`
+	PackageType              string      `json:",omitempty"`
+	EffectiveSeverityPackage string      `json:",omitempty"`
+	ShortDescription         string      `json:",omitempty"` // Package issue ends
+	LongDescription          string      `json:",omitempty"`
+	EffectiveSeverity        string      `json:",omitempty"`
+	FixAvailable             bool        `json:",omitempty"`
 }
 
 type ContainerImageVulnerabilityReport struct {

core/pkg/resourcehandler/fieldselector.go

@@ -10,6 +10,7 @@ import (
 
 type IFieldSelector interface {
 	GetNamespacesSelectors(*schema.GroupVersionResource) []string
+	GetClusterScope(*schema.GroupVersionResource) bool
 }
 
 type EmptySelector struct {
@@ -19,6 +20,10 @@ func (es *EmptySelector) GetNamespacesSelectors(resource *schema.GroupVersionRes
 	return []string{""} //
 }
 
+func (es *EmptySelector) GetClusterScope(*schema.GroupVersionResource) bool {
+	return true
+}
+
 type ExcludeSelector struct {
 	namespace string
 }
@@ -27,6 +32,14 @@ func NewExcludeSelector(ns string) *ExcludeSelector {
 	return &ExcludeSelector{namespace: ns}
 }
 
+func (es *ExcludeSelector) GetClusterScope(resource *schema.GroupVersionResource) bool {
+	// for selector, 'namespace' is in Namespaced scope
+	if resource.Resource == "namespaces" {
+		return true
+	}
+	return false
+}
+
 type IncludeSelector struct {
 	namespace string
 }
@@ -34,6 +47,15 @@ type IncludeSelector struct {
 func NewIncludeSelector(ns string) *IncludeSelector {
 	return &IncludeSelector{namespace: ns}
 }
+
+func (is *IncludeSelector) GetClusterScope(resource *schema.GroupVersionResource) bool {
+	// for selector, 'namespace' is in Namespaced scope
+	if resource.Resource == "namespaces" {
+		return true
+	}
+	return false
+}
+
 func (es *ExcludeSelector) GetNamespacesSelectors(resource *schema.GroupVersionResource) []string {
 	fieldSelectors := ""
 	for _, n := range strings.Split(es.namespace, ",") {

core/pkg/resourcehandler/filesloader.go

@@ -103,6 +103,8 @@ func getResourcesFromPath(path string) (map[string]reporthandling.Source, []work
 	gitRepo, err := cautils.NewLocalGitRepository(path)
 	if err == nil && gitRepo != nil {
 		repoRoot, _ = gitRepo.GetRootDir()
+	} else {
+		repoRoot, _ = filepath.Abs(path)
 	}
 
 	// load resource from local file system
@@ -141,7 +143,7 @@ func getResourcesFromPath(path string) (map[string]reporthandling.Source, []work
 		}
 
 		workloadSource := reporthandling.Source{
-			RelativePath: source,
+			RelativePath: relSource,
 			FileType:     filetype,
 			LastCommit:   lastCommit,
 		}

core/pkg/resourcehandler/k8sresources.go

@@ -134,8 +134,6 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 
 	// check that controls use cloud resources
 	if len(cloudResources) > 0 {
-		logger.L().Info("Requesting cloud provider data")
-		cautils.StartSpinner()
 		provider, err := getCloudProviderDescription(allResources, ksResourceMap)
 		if err != nil {
 			cautils.SetInfoMapForResources(err.Error(), cloudResources, sessionObj.InfoMap)
@@ -146,13 +144,29 @@ func (k8sHandler *K8sResourceHandler) GetResources(sessionObj *cautils.OPASessio
 				sessionObj.Metadata.ContextMetadata.ClusterContextMetadata.CloudProvider = provider
 			}
 		}
-		cautils.StopSpinner()
-		logger.L().Info("Requested cloud provider data")
+
+		// api server info resource
+		err = k8sHandler.collectAPIServerInfoResource(allResources, ksResourceMap)
+		if err != nil {
+			logger.L().Warning("failed to collect api server info resource", helpers.Error(err))
+		}
 	}
 
 	return k8sResourcesMap, allResources, ksResourceMap, nil
 }
 
+func (k8sHandler *K8sResourceHandler) collectAPIServerInfoResource(allResources map[string]workloadinterface.IMetadata, ksResourceMap *cautils.KSResources) error {
+	clusterAPIServerInfo, err := k8sHandler.k8s.DiscoveryClient.ServerVersion()
+	if err != nil {
+		return err
+	}
+	resource := cloudsupport.NewApiServerVersionInfo(clusterAPIServerInfo)
+	allResources[resource.GetID()] = resource
+	(*ksResourceMap)[fmt.Sprintf("%s/%s", resource.GetApiVersion(), resource.GetKind())] = []string{resource.GetID()}
+
+	return nil
+}
+
 func (k8sHandler *K8sResourceHandler) GetClusterAPIServerInfo() *version.Info {
 	clusterAPIServerInfo, err := k8sHandler.k8s.DiscoveryClient.ServerVersion()
 	if err != nil {
@@ -230,10 +244,14 @@ func (k8sHandler *K8sResourceHandler) pullSingleResource(resource *schema.GroupV
 
 		// set dynamic object
 		var clientResource dynamic.ResourceInterface
-		if namespace != "" && k8sinterface.IsNamespaceScope(resource) {
-			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource).Namespace(namespace)
-		} else {
+		if namespace != "" {
 			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource)
+		} else if k8sinterface.IsNamespaceScope(resource) {
+			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource).Namespace(namespace)
+		} else if k8sHandler.fieldSelector.GetClusterScope(*&resource) {
+			clientResource = k8sHandler.k8s.DynamicClient.Resource(*resource)
+		} else {
+			continue
 		}
 
 		// list resources

core/pkg/resourcehandler/registrydata.go

@@ -8,6 +8,7 @@ import (
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	gcpadaptorv1 "github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/gcp/v1"
 	armosecadaptorv1 "github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/armosec/v1"
 	"github.com/kubescape/kubescape/v2/core/pkg/registryadaptors/registryvulnerabilities"
 
@@ -158,5 +159,12 @@ func listAdaptores() ([]registryvulnerabilities.IContainerImageVulnerabilityAdap
 		}
 	}
 
+	gcpCloudAPI := getter.GetGlobalGCPCloudAPIConnector()
+	if gcpCloudAPI != nil {
+		if gcpCloudAPI.GetCredentialsCheck() {
+			adaptors = append(adaptors, gcpadaptorv1.NewGCPAdaptor(getter.GetGlobalGCPCloudAPIConnector()))
+		}
+	}
+
 	return adaptors, nil
 }

core/pkg/resourcehandler/repositoryscanner_test.go

@@ -13,6 +13,10 @@ var (
 	urlD = "https://raw.githubusercontent.com/kubescape/kubescape/master/examples/online-boutique/adservice.yaml"
 )
 
+/*
+
+TODO: tests were commented out due to actual http calls ; http calls should be mocked.
+
 func TestScanRepository(t *testing.T) {
 	{
 		files, err := ScanRepository(urlA, "")
@@ -112,6 +116,7 @@ func TestGithubGetYamlFromTree(t *testing.T) {
 		assert.Equal(t, 12, len(files))
 	}
 }
+*/
 
 func TestGithubParse(t *testing.T) {
 	{

core/pkg/resourcehandler/urlloader_test.go

@@ -2,12 +2,11 @@ package resourcehandler
 
 import (
 	"testing"
-
-	"github.com/stretchr/testify/assert"
 )
 
 func TestLoadResourcesFromUrl(t *testing.T) {
-	{
+	//TODO: tests were commented out due to actual http calls ; http calls should be mocked.
+	/*{
 		workloads, err := loadResourcesFromUrl([]string{"https://github.com/kubescape/kubescape/tree/master/examples/online-boutique"})
 		assert.NoError(t, err)
 		assert.Equal(t, 12, len(workloads))
@@ -62,5 +61,5 @@ func TestLoadResourcesFromUrl(t *testing.T) {
 				assert.Equal(t, "/v1//Service/adservice", w[1].GetID())
 			}
 		}
-	}
+	}*/
 }

core/pkg/resultshandling/locationresolver/locationresolver.go

@@ -0,0 +1,94 @@
+package locationresolver
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+	"strings"
+
+	"github.com/kubescape/go-logger"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+
+	"gopkg.in/op/go-logging.v1"
+	"gopkg.in/yaml.v3"
+)
+
+type FixPathLocationResolver struct {
+	yqlibEvaluator yqlib.Evaluator
+	yamlPath       string
+	yamlNodes      []*yaml.Node
+}
+
+type Location struct {
+	Line   int
+	Column int
+}
+
+func NewFixPathLocationResolver(yamlPath string) (*FixPathLocationResolver, error) {
+	file, err := os.Open(yamlPath)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	yamlNodes := make([]*yaml.Node, 0)
+
+	yamlDecoder := yaml.NewDecoder(file)
+	for {
+		var yamlNode yaml.Node
+		err = yamlDecoder.Decode(&yamlNode)
+		if errors.Is(err, io.EOF) {
+			break
+		} else if err != nil {
+			return nil, err
+		} else {
+			yamlNodes = append(yamlNodes, &yamlNode)
+		}
+	}
+
+	evaluator := yqlib.NewAllAtOnceEvaluator()
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	return &FixPathLocationResolver{
+		yamlPath:       yamlPath,
+		yqlibEvaluator: evaluator,
+		yamlNodes:      yamlNodes,
+	}, nil
+}
+
+func (l *FixPathLocationResolver) ResolveLocation(fixPath string, nodeIndex int) (Location, error) {
+	if nodeIndex >= len(l.yamlNodes) {
+		return Location{}, fmt.Errorf("node index [%d] out of range [%d]", nodeIndex, len(l.yamlNodes))
+	}
+
+	yamlExpression := FixPathToValidYamlExpression(fixPath)
+	for strings.HasPrefix(yamlExpression, ".") && len(yamlExpression) > 1 {
+		candidateNodes, err := l.yqlibEvaluator.EvaluateNodes(yamlExpression, l.yamlNodes[nodeIndex])
+		if err != nil {
+			return Location{}, err
+		}
+
+		candidateNode := candidateNodes.Back().Value.(*yqlib.CandidateNode).Node
+
+		if candidateNode.Line != 0 || len(yamlExpression) <= 1 {
+			return Location{Line: candidateNode.Line, Column: candidateNode.Column}, nil
+		}
+
+		// for non-existent yaml expressions, remove the last part of the expression and try again
+		yamlExpression = regexp.MustCompile(`(.*)(\.[^.]*)`).ReplaceAllString(yamlExpression, `${1}`)
+	}
+	return Location{}, nil
+}
+
+func FixPathToValidYamlExpression(fixPath string) string {
+	// remove everything after the first =
+	yamlExpression := regexp.MustCompile(`(.*)=.*`).ReplaceAllString(fixPath, `${1}`)
+
+	// add a dot for the root node
+	yamlExpression = "." + yamlExpression
+	return yamlExpression
+}

core/pkg/resultshandling/locationresolver/locationresolver_test.go

@@ -0,0 +1,64 @@
+package locationresolver
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func onlineBoutiquePath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(filepath.Dir(o), "..", "..", "..", "examples", "online-boutique")
+}
+
+func TestResolveLocation(t *testing.T) {
+	yamlFilePath := filepath.Join(onlineBoutiquePath(), "adservice.yaml")
+	fixPathToExpectedLineAndColumn := map[string]Location{
+		"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true":        {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].securityContext.runAsNonRoot=true":                  {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false":     {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].securityContext.capabilities.drop=NET_RAW":          {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE":          {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE":          {Line: 31, Column: 9},
+		"spec.template.spec.securityContext.runAsNonRoot=true":                                {Line: 28, Column: 7},
+		"spec.template.spec.securityContext.allowPrivilegeEscalation=false":                   {Line: 28, Column: 7},
+		"spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault": {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].image":                                              {Line: 32, Column: 16},
+		"spec.template.spec.containers[0].seccompProfile=YOUR_VALUE":                          {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].seLinuxOptions=YOUR_VALUE":                          {Line: 31, Column: 9},
+		"spec.template.spec.containers[0].capabilities.drop=YOUR_VALUE":                       {Line: 31, Column: 9},
+		"metadata.namespace=YOUR_NAMESPACE":                                                   {Line: 18, Column: 3},
+		"metadata.labels=YOUR_VALUE":                                                          {Line: 18, Column: 3},
+		"spec.template.metadata.labels=YOUR_VALUE":                                            {Line: 26, Column: 9},
+		"spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE":                    {Line: 49, Column: 18},
+	}
+
+	resolver, _ := NewFixPathLocationResolver(yamlFilePath)
+
+	for fixPath, expected := range fixPathToExpectedLineAndColumn {
+		location, err := resolver.ResolveLocation(fixPath, 0)
+		assert.NoError(t, err)
+
+		assert.Equalf(t, expected.Line, location.Line, "fixPath %s, expected line: %d, actual line: %d", fixPath, expected.Line, location.Line)
+		assert.Equalf(t, expected.Column, location.Column, "fixPath %s, expected column: %d, actual column: %d", fixPath, expected.Column, location.Column)
+	}
+
+	fixPathToExpectedLineAndColumn = map[string]Location{
+		"metadata.namespace=YOUR_NAMESPACE": {Line: 65, Column: 3},
+		"metadata.labels=YOUR_VALUE":        {Line: 65, Column: 3},
+	}
+
+	for fixPath, expected := range fixPathToExpectedLineAndColumn {
+		location, err := resolver.ResolveLocation(fixPath, 1)
+		assert.NoError(t, err)
+
+		assert.Equalf(t, expected.Line, location.Line, "fixPath %s, expected line: %d, actual line: %d", fixPath, expected.Line, location.Line)
+		assert.Equalf(t, expected.Column, location.Column, "fixPath %s, expected column: %d, actual column: %d", fixPath, expected.Column, location.Column)
+	}
+
+	_, err := resolver.ResolveLocation("some invalid string as an input", 0)
+	assert.ErrorContains(t, err, "invalid input")
+
+}

core/pkg/resultshandling/printer/printresults.go

@@ -18,6 +18,7 @@ const (
 	PrometheusFormat  string = "prometheus"
 	PdfFormat         string = "pdf"
 	HtmlFormat        string = "html"
+	SARIFFormat       string = "sarif"
 )
 
 type IPrinter interface {

core/pkg/resultshandling/printer/v2/sarifprinter.go

@@ -0,0 +1,198 @@
+package v2
+
+import (
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/locationresolver"
+	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/printer"
+	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults"
+	v2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"github.com/owenrumney/go-sarif/v2/sarif"
+)
+
+const (
+	sarifOutputFile = "report"
+	sarifOutputExt  = ".sarif"
+
+	toolName    = "kubescape"
+	toolInfoURI = "https://armosec.io"
+)
+
+// sarifSeverityLevel is a SARIF-specific severity level for Rules and Results
+type sarifSeverityLevel string
+
+const (
+	sarifSeverityLevelNote    sarifSeverityLevel = "note"
+	sarifSeverityLevelWarning sarifSeverityLevel = "warning"
+	sarifSeverityLevelError   sarifSeverityLevel = "error"
+)
+
+// scoreFactorToSARIFSeverityLevel returns a SARIF severity level that matches
+// a given Kubescape severity score
+func scoreFactorToSARIFSeverityLevel(score float32) sarifSeverityLevel {
+	switch {
+	case score >= 9.0:
+		return sarifSeverityLevelError
+	case score >= 4.0:
+		return sarifSeverityLevelWarning
+	}
+
+	return sarifSeverityLevelNote
+}
+
+// SARIFPrinter is a printer that emits the report in the SARIF format
+type SARIFPrinter struct {
+	// outputFile is the name of the output file
+	writer *os.File
+}
+
+// NewSARIFPrinter returns a new SARIF printer instance
+func NewSARIFPrinter() *SARIFPrinter {
+	return &SARIFPrinter{}
+}
+
+func (sp *SARIFPrinter) Score(score float32) {
+	return
+}
+
+func (sp *SARIFPrinter) SetWriter(outputFile string) {
+	if outputFile == "" {
+		outputFile = sarifOutputFile
+	}
+	if filepath.Ext(strings.TrimSpace(outputFile)) != sarifOutputExt {
+		outputFile = outputFile + sarifOutputExt
+	}
+	sp.writer = printer.GetWriter(outputFile)
+}
+
+// addRule adds a rule description to the scan run based on the given control summary
+func (sp *SARIFPrinter) addRule(scanRun *sarif.Run, control reportsummary.IControlSummary) {
+	controlSARIFSeverity := string(scoreFactorToSARIFSeverityLevel(control.GetScoreFactor()))
+
+	configuration := sarif.NewReportingConfiguration().WithLevel(controlSARIFSeverity)
+
+	scanRun.AddRule(control.GetID()).
+		WithDefaultConfiguration(configuration).
+		WithShortDescription(sarif.NewMultiformatMessageString(control.GetName())).
+		WithFullDescription(sarif.NewMultiformatMessageString(control.GetDescription())).
+		WithHelp(sarif.NewMultiformatMessageString(control.GetRemediation()))
+}
+
+// addResult adds a result of checking a rule to the scan run based on the given control summary
+func (sp *SARIFPrinter) addResult(scanRun *sarif.Run, ctl reportsummary.IControlSummary, filepath string, location locationresolver.Location) {
+	scanRun.CreateResultForRule(ctl.GetID()).
+		WithMessage(sarif.NewTextMessage(ctl.GetDescription())).
+		AddLocation(
+			sarif.NewLocationWithPhysicalLocation(
+				sarif.NewPhysicalLocation().
+					WithArtifactLocation(
+						sarif.NewSimpleArtifactLocation(filepath),
+					).WithRegion(
+					sarif.NewRegion().WithStartLine(location.Line).WithStartColumn(location.Column),
+				),
+			),
+		)
+}
+
+func (sp *SARIFPrinter) ActionPrint(opaSessionObj *cautils.OPASessionObj) {
+	report, err := sarif.New(sarif.Version210)
+	if err != nil {
+		panic(err)
+	}
+
+	run := sarif.NewRunWithInformationURI(toolName, toolInfoURI)
+	basePath := getBasePathFromMetadata(*opaSessionObj)
+
+	for resourceID, result := range opaSessionObj.ResourcesResult {
+		if result.GetStatus(nil).IsFailed() {
+			resourceSource := opaSessionObj.ResourceSource[resourceID]
+			filepath := resourceSource.RelativePath
+
+			// Github Code Scanning considers results not associated to a file path meaningless and invalid when uploading
+			if filepath == "" || basePath == "" {
+				continue
+			}
+
+			rsrcAbsPath := path.Join(basePath, filepath)
+			locationResolver, err := locationresolver.NewFixPathLocationResolver(rsrcAbsPath)
+			if err != nil {
+				logger.L().Debug("failed to create location resolver", helpers.Error(err))
+			}
+
+			for _, ac := range result.AssociatedControls {
+				if ac.GetStatus(nil).IsFailed() {
+					ctl := opaSessionObj.Report.SummaryDetails.Controls.GetControl(reportsummary.EControlCriteriaID, ac.GetID())
+					location := sp.resolveFixLocation(opaSessionObj, locationResolver, &ac, resourceID)
+
+					sp.addRule(run, ctl)
+					sp.addResult(run, ctl, filepath, location)
+				}
+			}
+		}
+	}
+
+	report.AddRun(run)
+
+	report.PrettyWrite(sp.writer)
+}
+
+func (sp *SARIFPrinter) resolveFixLocation(opaSessionObj *cautils.OPASessionObj, locationResolver *locationresolver.FixPathLocationResolver, ac *resourcesresults.ResourceAssociatedControl, resourceID string) locationresolver.Location {
+	defaultLocation := locationresolver.Location{Line: 1, Column: 1}
+	if locationResolver == nil {
+		return defaultLocation
+	}
+
+	fixPaths := failedPathsToString(ac)
+	if len(fixPaths) == 0 {
+		fixPaths = fixPathsToString(ac)
+	}
+	var fixPath string
+	if len(fixPaths) > 0 {
+		fixPath = fixPaths[0]
+	}
+
+	var location locationresolver.Location
+	if fixPath == "" {
+		return defaultLocation
+	}
+
+	resource := opaSessionObj.AllResources[resourceID]
+	localworkload, ok := resource.(*localworkload.LocalWorkload)
+	if !ok {
+		return defaultLocation
+	}
+
+	splittedPath := strings.Split(localworkload.GetPath(), ":")
+	if len(splittedPath) <= 1 {
+		return defaultLocation
+	}
+
+	docIndex, _ := strconv.Atoi(splittedPath[1])
+	location, _ = locationResolver.ResolveLocation(fixPath, docIndex)
+	if location.Line == 0 {
+		return defaultLocation
+	}
+
+	return location
+}
+
+func getBasePathFromMetadata(opaSessionObj cautils.OPASessionObj) string {
+	if opaSessionObj.Metadata.ScanMetadata.ScanningTarget == v2.GitLocal {
+		return opaSessionObj.Metadata.ContextMetadata.RepoContextMetadata.LocalRootPath
+	}
+
+	if opaSessionObj.Metadata.ScanMetadata.ScanningTarget == v2.Directory {
+		return opaSessionObj.Metadata.ContextMetadata.DirectoryContextMetadata.BasePath
+	}
+
+	return ""
+}

core/pkg/resultshandling/printer/v2/sarifprinter_test.go

@@ -0,0 +1,27 @@
+package v2
+
+import "testing"
+
+func Test_scoreToSeverityLevel(t *testing.T) {
+	tc := []struct {
+		Name               string
+		ScoreFactor              float32
+		ExpectedSARIFLevel sarifSeverityLevel
+	}{
+		{"Score factor 1.0 should map to 'note' SARIF level", 1.0, sarifSeverityLevelNote},
+		{"Score facore 4.0 should map to 'warning' SARIF level", 4.0, sarifSeverityLevelWarning},
+		{"Score facore 7.0 should map to 'warning' SARIF level", 7.0, sarifSeverityLevelWarning},
+		{"Score facore 9.0 should map to 'error' SARIF level", 9.0, sarifSeverityLevelError},
+	}
+
+	for _, testCase := range tc {
+		t.Run(testCase.Name, func(t *testing.T) {
+			got := scoreFactorToSARIFSeverityLevel(testCase.ScoreFactor)
+			want := testCase.ExpectedSARIFLevel
+
+			if got != want {
+				t.Errorf("got %s, want %s", got, want)
+			}
+		})
+	}
+}

core/pkg/resultshandling/printer/v2/utils.go

@@ -16,6 +16,7 @@ import (
 func FinalizeResults(data *cautils.OPASessionObj) *reporthandlingv2.PostureReport {
 	report := reporthandlingv2.PostureReport{
 		SummaryDetails:       data.Report.SummaryDetails,
+		Metadata:             *data.Metadata,
 		ClusterAPIServerInfo: data.Report.ClusterAPIServerInfo,
 		ReportGenerationTime: data.Report.ReportGenerationTime,
 		Attributes:           data.Report.Attributes,

core/pkg/resultshandling/reporter/v2/mockreporter.go

@@ -44,8 +44,9 @@ func (reportMock *ReportMock) DisplayReportURL() {
 	sep := "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
 	message := sep + "\n"
 	message += "Scan results have not been submitted: " + reportMock.message + "\n"
-	message += "Sign up for free: "
-	message += reportMock.GetURL() + "\n"
+	if reportMock.query != "" {
+		message += "For more details: " + reportMock.query + "\n"
+	}
 	message += sep + "\n"
 	cautils.InfoTextDisplay(os.Stderr, fmt.Sprintf("\n%s\n", message))
 }

core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go

@@ -105,14 +105,4 @@ func TestGetURL(t *testing.T) {
 		)
 		assert.Equal(t, "https://cloud.armosec.io/account/sign-up?customerGUID=1234&invitationToken=token&utm_campaign=Submit&utm_medium=CLI&utm_source=GitHub", reporter.GetURL())
 	}
-	// Test None submit url
-	{
-		reporter := NewReportMock(NO_SUBMIT_QUERY, "")
-		assert.Equal(t, "https://cloud.armosec.io/account/sign-up?utm_source=GitHub&utm_medium=CLI&utm_campaign=no_submit", reporter.GetURL())
-	}
-	// Test None report url
-	{
-		reporter := NewReportMock("", "")
-		assert.Equal(t, "https://cloud.armosec.io/account/sign-up", reporter.GetURL())
-	}
 }

core/pkg/resultshandling/results.go

@@ -97,6 +97,8 @@ func NewPrinter(printFormat, formatVersion string, verboseMode bool, viewType ca
 		return printerv2.NewPdfPrinter()
 	case printer.HtmlFormat:
 		return printerv2.NewHtmlPrinter()
+	case printer.SARIFFormat:
+		return printerv2.NewSARIFPrinter()
 	default:
 		return printerv2.NewPrettyPrinter(verboseMode, formatVersion, viewType)
 	}

go.mod

@@ -3,7 +3,8 @@ module github.com/kubescape/kubescape/v2
 go 1.18
 
 require (
-	github.com/armosec/armoapi-go v0.0.115
+	cloud.google.com/go/containeranalysis v0.4.0
+	github.com/armosec/armoapi-go v0.0.119
 	github.com/armosec/go-git-url v0.0.15
 	github.com/armosec/utils-go v0.0.12
 	github.com/armosec/utils-k8s-go v0.0.12
@@ -15,18 +16,24 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/johnfercher/maroto v0.37.0
 	github.com/kubescape/go-logger v0.0.6
-	github.com/kubescape/k8s-interface v0.0.83
-	github.com/kubescape/opa-utils v0.0.194
+	github.com/kubescape/k8s-interface v0.0.84
+	github.com/kubescape/opa-utils v0.0.200
 	github.com/kubescape/rbac-utils v0.0.17
 	github.com/libgit2/git2go/v33 v33.0.9
 	github.com/mattn/go-isatty v0.0.14
+	github.com/mikefarah/yq/v4 v4.29.1
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/open-policy-agent/opa v0.45.0
-	github.com/spf13/cobra v1.5.0
+	github.com/owenrumney/go-sarif/v2 v2.1.2
+	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.0
 	github.com/whilp/git-urls v1.0.0
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
-	gopkg.in/yaml.v2 v2.4.0
+	google.golang.org/api v0.85.0
+	google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73
+	google.golang.org/protobuf v1.28.1
+	gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473
+	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.9.0
 	k8s.io/api v0.24.3
 	k8s.io/apimachinery v0.24.3
@@ -37,9 +44,12 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+
 require (
 	cloud.google.com/go/compute v1.7.0 // indirect
 	cloud.google.com/go/container v1.2.0 // indirect
+	cloud.google.com/go/grafeas v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
@@ -60,8 +70,10 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/a8m/envsubst v1.3.0 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alecthomas/participle/v2 v2.0.0-beta.5 // indirect
 	github.com/aws/aws-sdk-go v1.44.51 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.16.7 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.15.13 // indirect
@@ -83,6 +95,7 @@ require (
 	github.com/docker/docker v20.10.17+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
+	github.com/elliotchance/orderedmap v1.5.0 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
@@ -96,6 +109,8 @@ require (
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.9.11 // indirect
+	github.com/goccy/go-yaml v1.9.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -103,18 +118,19 @@ require (
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jung-kurt/gofpdf v1.16.2 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
@@ -156,16 +172,14 @@ require (
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	gonum.org/v1/gonum v0.9.1 // indirect
-	google.golang.org/api v0.84.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 // indirect
 	google.golang.org/grpc v1.49.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect

go.sum

@@ -29,8 +29,9 @@ cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0 h1:DAq3r8y4mDgyB/ZPJ9v/5VJNqjgJAxTn6ZYLlUywOu8=
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0=
+cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -46,9 +47,13 @@ cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9U
 cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/container v1.2.0 h1:LPKlQa4XfBTWdaBSDx/KQ/v45l8FDRzSV0tDpU6e/38=
 cloud.google.com/go/container v1.2.0/go.mod h1:Cj2AgMsCUfMVfbGh0Fx7u5Ah/qeC0ajLrqqGGiAdCGw=
+cloud.google.com/go/containeranalysis v0.4.0 h1:c5CWooB4TRWj8YnmPkpqr9H23pMdsUAusWEcJUXYWAY=
+cloud.google.com/go/containeranalysis v0.4.0/go.mod h1:hOn3xipfw3nPoCD4E2kBD4pCsTJja0nfGxdrv0DV77I=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/grafeas v0.2.0 h1:CYjC+xzdPvbV65gi6Dr4YowKcmLo045pm18L0DhdELM=
+cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
 cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
@@ -119,9 +124,17 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/a8m/envsubst v1.3.0 h1:GmXKmVssap0YtlU3E230W98RWtWCyIZzjtf1apWWyAg=
+github.com/a8m/envsubst v1.3.0/go.mod h1:MVUTQNGQ3tsjOOtKCNd+fl8RzhsXcDvvAEzkhGtlsbY=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
+github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
+github.com/alecthomas/assert/v2 v2.0.3 h1:WKqJODfOiQG0nEJKFKzDIG3E29CN2/4zR9XGJzKIkbg=
+github.com/alecthomas/participle/v2 v2.0.0-beta.5 h1:y6dsSYVb1G5eK6mgmy+BgI3Mw35a3WghArZ/Hbebrjo=
+github.com/alecthomas/participle/v2 v2.0.0-beta.5/go.mod h1:RC764t6n4L8D8ITAJv0qdokritYSNR3wV5cVwmIEaMM=
+github.com/alecthomas/repr v0.1.1 h1:87P60cSmareLAxMc4Hro0r2RBY4ROm0dYwkJNpS4pPs=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -131,13 +144,16 @@ github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
+github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.115 h1:KpxcACULFwX0BScYSS2u7DLO3D5Rlea3WNUKQpdCfJw=
-github.com/armosec/armoapi-go v0.0.115/go.mod h1:2zoNzb3Fy9ZByeczJZ47ftDRLRzTykVdTISS3GTc/JU=
+github.com/armosec/armoapi-go v0.0.119 h1:7XbvBbOKp26Bpp72LQ8Spw4FBpbXu3+qZFQyPEwTPFk=
+github.com/armosec/armoapi-go v0.0.119/go.mod h1:2zoNzb3Fy9ZByeczJZ47ftDRLRzTykVdTISS3GTc/JU=
 github.com/armosec/go-git-url v0.0.15 h1:sDtu0WNvAhrDJ2begTyWP8T4tE1j1K6D0ZJ6t3Cx8k4=
 github.com/armosec/go-git-url v0.0.15/go.mod h1:GzfssG3IW9KiURSpK7c/bySBRTlghpObQ7NQ1O4hcMI=
 github.com/armosec/utils-go v0.0.12 h1:NXkG/BhbSVAmTVXr0qqsK02CmxEiXuJyPmdTRcZ4jAo=
@@ -189,6 +205,7 @@ github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBT
 github.com/briandowns/spinner v1.18.1 h1:yhQmQtM1zsqFsouh09Bk/jCjd50pC3EOGsh28gLVvwY=
 github.com/briandowns/spinner v1.18.1/go.mod h1:mQak9GHqbspjC/5iUx3qMlIho8xBS/ppAL/hX5SmPJU=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
+github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
@@ -237,6 +254,8 @@ github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHH
 github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
+github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE=
@@ -249,6 +268,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elliotchance/orderedmap v1.5.0 h1:1IsExUsjv5XNBD3ZdC7jkAAqLWOOKdbPTmkHx63OsBg=
+github.com/elliotchance/orderedmap v1.5.0/go.mod h1:wsDwEaX5jEoyhbs7x93zk2H/qv0zwuhg4inXhDkYqys=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -270,6 +291,7 @@ github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -335,9 +357,17 @@ github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
+github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-yaml v1.9.6 h1:KhAu1zf9JXnm3vbG49aDE0E5uEBUsM4uwD31/58ZWyI=
+github.com/goccy/go-yaml v1.9.6/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -441,8 +471,9 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
@@ -485,6 +516,7 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
@@ -495,12 +527,15 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
+github.com/jinzhu/copier v0.3.5 h1:GlvfUwHk62RokgqVNvYsku0TATCF7bAHVwEXoBh3iJg=
+github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -548,15 +583,18 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubescape/go-logger v0.0.6 h1:ynhAmwrz0O7Jtqq1CdmCZUrKveji25hVP+B/FAb3QrA=
 github.com/kubescape/go-logger v0.0.6/go.mod h1:DnVWEvC90LFY1nNMaNo6nBVOcqkLMK3S0qzXP1fzRvI=
-github.com/kubescape/k8s-interface v0.0.83 h1:yQ1kWNZmKfBim/+NmxpPI/j7L9ASDq2h3mCNdmYgzqY=
-github.com/kubescape/k8s-interface v0.0.83/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
-github.com/kubescape/opa-utils v0.0.194 h1:DroUvGV1R/PXsLPF6H4GB9LzcEylEMUKULs8vQBOU3w=
-github.com/kubescape/opa-utils v0.0.194/go.mod h1:frMpD9wuK6rE3tMRIy6EM1X9zi+sSbXoDWjcSaq11og=
+github.com/kubescape/k8s-interface v0.0.84 h1:k7YzpQ3SaN+bJCtpXzMj60WWIK9RkQQrU8dFQutr3LA=
+github.com/kubescape/k8s-interface v0.0.84/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
+github.com/kubescape/opa-utils v0.0.200 h1:7EhE9FTabzkUxicvxdchXuaTWW0J2mFj04vK4jTrxN0=
+github.com/kubescape/opa-utils v0.0.200/go.mod h1:rDC3PANuk8gU5lSDO/WPFTluypBQ+/6qiuZLye+slYg=
 github.com/kubescape/rbac-utils v0.0.17 h1:B78kjlTKqjYK/PXwmi4GPysHsFxIwVz1KFb4+IGT29w=
 github.com/kubescape/rbac-utils v0.0.17/go.mod h1:pBwjpcrVeuH/no+DiCZWvlhYtCDzd3U0o/hEZKi+eM8=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
+github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -567,6 +605,7 @@ github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
@@ -583,6 +622,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
+github.com/mikefarah/yq/v4 v4.29.1 h1:P5O/V7nP4a3ahx/tddwpu3DPL5JgyyH4qG+DAEfJvPg=
+github.com/mikefarah/yq/v4 v4.29.1/go.mod h1:5W3SgDwOG0zBPSjGf7ecreDiFlH16fd7Qj43F2UFCvU=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -635,12 +676,17 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
+github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs=
+github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec=
 github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
+github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
+github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
+github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
@@ -648,6 +694,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -666,6 +713,7 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
+github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -678,6 +726,7 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -685,6 +734,7 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -732,6 +782,7 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -749,8 +800,8 @@ github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
-github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
+github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
+github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -776,10 +827,14 @@ github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PK
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
+github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
+github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
+github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
+github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/whilp/git-urls v1.0.0 h1:95f6UMWN5FKW71ECsXRUd3FVYiXdrE7aX4NZKcPmIjU=
 github.com/whilp/git-urls v1.0.0/go.mod h1:J16SAmobsqc3Qcy98brfl5f5+e0clUvg1krgwk/qCfE=
 github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
@@ -802,6 +857,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
@@ -982,6 +1038,9 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
+golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1106,11 +1165,13 @@ golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220406163625-3f8b81556e12/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 h1:v6hYoSR9T5oet+pMXwUWkbiVqx/63mlHjefrHmxwfeY=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -1206,6 +1267,7 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
 gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
@@ -1257,8 +1319,9 @@ google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRR
 google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
 google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0 h1:NMB9J4cCxs9xEm+1Z9QiO3eFvn7EnQj3Eo3hN6ugVlg=
 google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
+google.golang.org/api v0.85.0 h1:8rJoHuRxx+vCmZtAO/3k1dRLvYNVyTJtZ5oaFZvhgvc=
+google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1355,6 +1418,7 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 h1:sdZWfcGN37Dv0QWIhuasQGMzAQJOL2oqnvot4/kPgfQ=
 google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
@@ -1391,6 +1455,8 @@ google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
+google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1406,6 +1472,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1420,6 +1488,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 h1:6D+BvnJ/j6e222UW8s2qTSe3wGBtvo0MbVQG/c5k8RE=
+gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473/go.mod h1:N1eN2tsCx0Ydtgjl4cqmbRCsY4/+z4cYDeqwZTk6zog=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
@@ -1506,24 +1576,3 @@ sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
-github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
-github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
-github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
-github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
-github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
-github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs=
-github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI=
-github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
-github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
-github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

httphandler/README.md

@@ -55,7 +55,7 @@ When scanning is in progress
 }
 ```
 ### Check scanning progress status
-Check the scanning status - is the scanning in progress or done? This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done
+Check the scanning status - is the scanning in progress or done. This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done
 
 * GET `/v1/status` -  Request kubescape scan status
 * * query `id=<string>` -> Check status of a specific scan. If empty, it will check if any scan is still in progress
@@ -101,7 +101,6 @@ When scanning is not in progress
   "excludedNamespaces": [<str>], // list of namespaces to exclude (same as 'kubescape scan --excluded-namespaces')
   "includeNamespaces": [<str>],  // list of namespaces to include (same as 'kubescape scan --include-namespaces')
   "useCachedArtifacts"`: <bool>, // use the cached artifacts instead of downloading (offline support)
-  "submit": <bool>,              // submit results to Kubescape cloud (same as 'kubescape scan --submit')
   "hostScanner": <bool>,         // deploy Kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
   "keepLocal": <bool>,           // do not submit results to Kubescape cloud (same as 'kubescape scan --keep-local')
   "account": <str>,              // account ID (same as 'kubescape scan --account')
@@ -132,7 +131,7 @@ When scanning is not in progress
 
 1. Trigger kubescape scan
   ```bash
-  curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' http://127.0.0.1:8080/v1/scan
+  curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true}' http://127.0.0.1:8080/v1/scan
   ```
 
 2. Get kubescape scan results
@@ -143,13 +142,13 @@ When scanning is not in progress
 #### Trigger scan and wait for the scan to end  
 
 ```bash
-curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' http://127.0.0.1:8080/v1/scan?wait -o scan_results.json
+curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true}' http://127.0.0.1:8080/v1/scan?wait -o scan_results.json
 ```
 #### Scan single namespace with a specific framework
 ```bash
 curl --header "Content-Type: application/json" \
   --request POST \
-  --data '{"hostScanner":true, "submit":true, "includeNamespaces": ["kubescape"], "targetType": "framework", "targetNames": ["nsa"] }' \
+  --data '{"hostScanner":true, "includeNamespaces": ["kubescape"], "targetType": "framework", "targetNames": ["nsa"] }' \
   http://127.0.0.1:8080/v1/scan
 ```
 
@@ -171,7 +170,6 @@ go tool pprof http://localhost:6060/debug/pprof/heap
 ## Supported environment variables
 
 * `KS_ACCOUNT`: Account ID
-* `KS_SUBMIT`: Submit the results to the Kubescape SaaS version
 * `KS_EXCLUDE_NAMESPACES`: List of namespaces to exclude, e.g. `KS_EXCLUDE_NAMESPACES=kube-system,kube-public`
 * `KS_INCLUDE_NAMESPACES`: List of namespaces to include, rest of the namespaces will be ignored. e.g. `KS_INCLUDE_NAMESPACES=dev,prod`
 * `KS_HOST_SCAN_YAML`: Full path to the host scanner YAML

httphandler/examples/microservice/README.md

@@ -10,7 +10,7 @@
     ```bash
     curl --header "Content-Type: application/json" \
     --request POST \
-    --data '{"account":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","hostScanner":true, "submit":true}' \
+    --data '{"account":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","hostScanner":true}' \
     http://127.0.0.1:8080/v1/scan
     ```
 

httphandler/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gorilla/schema v1.2.0
 	github.com/kubescape/go-logger v0.0.6
 	github.com/kubescape/kubescape/v2 v2.0.0-00010101000000-000000000000
-	github.com/kubescape/opa-utils v0.0.194
+	github.com/kubescape/opa-utils v0.0.200
 	github.com/stretchr/testify v1.8.0
 	k8s.io/utils v0.0.0-20220706174534-f6158b442e7c
 )
@@ -20,6 +20,8 @@ require (
 require (
 	cloud.google.com/go/compute v1.7.0 // indirect
 	cloud.google.com/go/container v1.2.0 // indirect
+	cloud.google.com/go/containeranalysis v0.4.0 // indirect
+	cloud.google.com/go/grafeas v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
@@ -40,9 +42,11 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/a8m/envsubst v1.3.0 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
-	github.com/armosec/armoapi-go v0.0.115 // indirect
+	github.com/alecthomas/participle/v2 v2.0.0-beta.5 // indirect
+	github.com/armosec/armoapi-go v0.0.119 // indirect
 	github.com/armosec/go-git-url v0.0.15 // indirect
 	github.com/armosec/utils-k8s-go v0.0.12 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
@@ -68,6 +72,7 @@ require (
 	github.com/docker/docker v20.10.17+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
+	github.com/elliotchance/orderedmap v1.5.0 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/enescakir/emoji v1.0.0 // indirect
@@ -92,6 +97,8 @@ require (
 	github.com/go-openapi/validate v0.21.0 // indirect
 	github.com/go-stack/stack v1.8.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.9.11 // indirect
+	github.com/goccy/go-yaml v1.9.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -100,24 +107,27 @@ require (
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/johnfercher/maroto v0.37.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jung-kurt/gofpdf v1.16.2 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/kubescape/k8s-interface v0.0.83 // indirect
+	github.com/kubescape/k8s-interface v0.0.84 // indirect
 	github.com/kubescape/rbac-utils v0.0.17 // indirect
 	github.com/libgit2/git2go/v33 v33.0.9 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/mikefarah/yq/v4 v4.29.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -131,6 +141,7 @@ require (
 	github.com/open-policy-agent/opa v0.45.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/owenrumney/go-sarif/v2 v2.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
@@ -162,13 +173,15 @@ require (
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	gonum.org/v1/gonum v0.9.1 // indirect
-	google.golang.org/api v0.84.0 // indirect
+	google.golang.org/api v0.85.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 // indirect
 	google.golang.org/grpc v1.49.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

httphandler/go.sum

@@ -29,8 +29,9 @@ cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0 h1:DAq3r8y4mDgyB/ZPJ9v/5VJNqjgJAxTn6ZYLlUywOu8=
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0=
+cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -46,9 +47,13 @@ cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9U
 cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/container v1.2.0 h1:LPKlQa4XfBTWdaBSDx/KQ/v45l8FDRzSV0tDpU6e/38=
 cloud.google.com/go/container v1.2.0/go.mod h1:Cj2AgMsCUfMVfbGh0Fx7u5Ah/qeC0ajLrqqGGiAdCGw=
+cloud.google.com/go/containeranalysis v0.4.0 h1:c5CWooB4TRWj8YnmPkpqr9H23pMdsUAusWEcJUXYWAY=
+cloud.google.com/go/containeranalysis v0.4.0/go.mod h1:hOn3xipfw3nPoCD4E2kBD4pCsTJja0nfGxdrv0DV77I=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/grafeas v0.2.0 h1:CYjC+xzdPvbV65gi6Dr4YowKcmLo045pm18L0DhdELM=
+cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
 cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
@@ -119,11 +124,17 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/a8m/envsubst v1.3.0 h1:GmXKmVssap0YtlU3E230W98RWtWCyIZzjtf1apWWyAg=
+github.com/a8m/envsubst v1.3.0/go.mod h1:MVUTQNGQ3tsjOOtKCNd+fl8RzhsXcDvvAEzkhGtlsbY=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
+github.com/alecthomas/assert/v2 v2.0.3 h1:WKqJODfOiQG0nEJKFKzDIG3E29CN2/4zR9XGJzKIkbg=
+github.com/alecthomas/participle/v2 v2.0.0-beta.5 h1:y6dsSYVb1G5eK6mgmy+BgI3Mw35a3WghArZ/Hbebrjo=
+github.com/alecthomas/participle/v2 v2.0.0-beta.5/go.mod h1:RC764t6n4L8D8ITAJv0qdokritYSNR3wV5cVwmIEaMM=
+github.com/alecthomas/repr v0.1.1 h1:87P60cSmareLAxMc4Hro0r2RBY4ROm0dYwkJNpS4pPs=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -133,6 +144,7 @@ github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
+github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -140,8 +152,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.115 h1:KpxcACULFwX0BScYSS2u7DLO3D5Rlea3WNUKQpdCfJw=
-github.com/armosec/armoapi-go v0.0.115/go.mod h1:2zoNzb3Fy9ZByeczJZ47ftDRLRzTykVdTISS3GTc/JU=
+github.com/armosec/armoapi-go v0.0.119 h1:7XbvBbOKp26Bpp72LQ8Spw4FBpbXu3+qZFQyPEwTPFk=
+github.com/armosec/armoapi-go v0.0.119/go.mod h1:2zoNzb3Fy9ZByeczJZ47ftDRLRzTykVdTISS3GTc/JU=
 github.com/armosec/go-git-url v0.0.15 h1:sDtu0WNvAhrDJ2begTyWP8T4tE1j1K6D0ZJ6t3Cx8k4=
 github.com/armosec/go-git-url v0.0.15/go.mod h1:GzfssG3IW9KiURSpK7c/bySBRTlghpObQ7NQ1O4hcMI=
 github.com/armosec/utils-go v0.0.12 h1:NXkG/BhbSVAmTVXr0qqsK02CmxEiXuJyPmdTRcZ4jAo=
@@ -258,6 +270,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elliotchance/orderedmap v1.5.0 h1:1IsExUsjv5XNBD3ZdC7jkAAqLWOOKdbPTmkHx63OsBg=
+github.com/elliotchance/orderedmap v1.5.0/go.mod h1:wsDwEaX5jEoyhbs7x93zk2H/qv0zwuhg4inXhDkYqys=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -279,6 +293,7 @@ github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -365,6 +380,10 @@ github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrK
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt526+wcI=
 github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw=
 github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
@@ -394,6 +413,10 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
+github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-yaml v1.9.6 h1:KhAu1zf9JXnm3vbG49aDE0E5uEBUsM4uwD31/58ZWyI=
+github.com/goccy/go-yaml v1.9.6/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -498,8 +521,9 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
@@ -545,6 +569,7 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
@@ -560,6 +585,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
+github.com/jinzhu/copier v0.3.5 h1:GlvfUwHk62RokgqVNvYsku0TATCF7bAHVwEXoBh3iJg=
+github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -612,15 +639,18 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kubescape/go-logger v0.0.6 h1:ynhAmwrz0O7Jtqq1CdmCZUrKveji25hVP+B/FAb3QrA=
 github.com/kubescape/go-logger v0.0.6/go.mod h1:DnVWEvC90LFY1nNMaNo6nBVOcqkLMK3S0qzXP1fzRvI=
-github.com/kubescape/k8s-interface v0.0.83 h1:yQ1kWNZmKfBim/+NmxpPI/j7L9ASDq2h3mCNdmYgzqY=
-github.com/kubescape/k8s-interface v0.0.83/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
-github.com/kubescape/opa-utils v0.0.194 h1:DroUvGV1R/PXsLPF6H4GB9LzcEylEMUKULs8vQBOU3w=
-github.com/kubescape/opa-utils v0.0.194/go.mod h1:frMpD9wuK6rE3tMRIy6EM1X9zi+sSbXoDWjcSaq11og=
+github.com/kubescape/k8s-interface v0.0.84 h1:k7YzpQ3SaN+bJCtpXzMj60WWIK9RkQQrU8dFQutr3LA=
+github.com/kubescape/k8s-interface v0.0.84/go.mod h1:ihX96yqar+xogHl45mFE8zT9DLI06iy7XQPAP+j5KJE=
+github.com/kubescape/opa-utils v0.0.200 h1:7EhE9FTabzkUxicvxdchXuaTWW0J2mFj04vK4jTrxN0=
+github.com/kubescape/opa-utils v0.0.200/go.mod h1:rDC3PANuk8gU5lSDO/WPFTluypBQ+/6qiuZLye+slYg=
 github.com/kubescape/rbac-utils v0.0.17 h1:B78kjlTKqjYK/PXwmi4GPysHsFxIwVz1KFb4+IGT29w=
 github.com/kubescape/rbac-utils v0.0.17/go.mod h1:pBwjpcrVeuH/no+DiCZWvlhYtCDzd3U0o/hEZKi+eM8=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
+github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -634,6 +664,7 @@ github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
@@ -650,6 +681,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
+github.com/mikefarah/yq/v4 v4.29.1 h1:P5O/V7nP4a3ahx/tddwpu3DPL5JgyyH4qG+DAEfJvPg=
+github.com/mikefarah/yq/v4 v4.29.1/go.mod h1:5W3SgDwOG0zBPSjGf7ecreDiFlH16fd7Qj43F2UFCvU=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -715,6 +748,9 @@ github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
+github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
+github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
+github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
@@ -723,6 +759,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -865,6 +902,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
+github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
+github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/whilp/git-urls v1.0.0 h1:95f6UMWN5FKW71ECsXRUd3FVYiXdrE7aX4NZKcPmIjU=
 github.com/whilp/git-urls v1.0.0/go.mod h1:J16SAmobsqc3Qcy98brfl5f5+e0clUvg1krgwk/qCfE=
 github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
@@ -891,6 +930,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
@@ -1079,6 +1119,7 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1210,11 +1251,13 @@ golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220406163625-3f8b81556e12/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 h1:v6hYoSR9T5oet+pMXwUWkbiVqx/63mlHjefrHmxwfeY=
 golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -1314,6 +1357,7 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
 gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
@@ -1365,8 +1409,9 @@ google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRR
 google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
 google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0 h1:NMB9J4cCxs9xEm+1Z9QiO3eFvn7EnQj3Eo3hN6ugVlg=
 google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
+google.golang.org/api v0.85.0 h1:8rJoHuRxx+vCmZtAO/3k1dRLvYNVyTJtZ5oaFZvhgvc=
+google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1463,6 +1508,7 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73 h1:sdZWfcGN37Dv0QWIhuasQGMzAQJOL2oqnvot4/kPgfQ=
 google.golang.org/genproto v0.0.0-20220708155623-50e5f4832e73/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
@@ -1532,6 +1578,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 h1:6D+BvnJ/j6e222UW8s2qTSe3wGBtvo0MbVQG/c5k8RE=
+gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473/go.mod h1:N1eN2tsCx0Ydtgjl4cqmbRCsY4/+z4cYDeqwZTk6zog=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=

install.sh

@@ -66,6 +66,6 @@ echo -e "\033[0m"
 $KUBESCAPE_EXEC version
 echo
 
-echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --submit --enable-host-scan --verbose"
+echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan --verbose"
 
 echo -e "\033[0m"

main.go

@@ -3,10 +3,12 @@ package main
 import (
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v2/cmd"
+	
 )
 
 func main() {
 	if err := cmd.Execute(); err != nil {
 		logger.L().Fatal(err.Error())
 	}
+
 }