go lint

Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io>

.dockerignore

@@ -0,0 +1,2 @@
+git2go
+kubescape

.github/actions/tag-action/action.yaml

@@ -17,7 +17,14 @@ runs:
   using: "composite"
   steps:
     - run: |
-        SUB='-rc'
+        if [[ -z "${{ inputs.ORIGINAL_TAG }}" ]]; then
+          echo "The value of ORIGINAL_TAG is ${{ inputs.ORIGINAL_TAG }}"
+          echo "Setting the value of ORIGINAL_TAG to ${{ github.ref_name }}"
+          echo ORIGINAL_TAG="${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+      shell: bash
+
+    - run: |
         if [[ "${{ inputs.ORIGINAL_TAG }}" == *"${{ inputs.SUB_STRING }}"* ]]; then
             echo "Release candidate tag found."
         else

.github/dependabot.yaml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/00-pr-scanner.yaml

@@ -1,14 +1,10 @@
 name: 00-pr_scanner
-
 on:
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]
-    branches: 
-      - 'master'
-      - 'main'
-      - 'dev'
     paths-ignore:
       - '**.yaml'
+      - '**.yml'
       - '**.md'
       - '**.sh'
       - 'website/*'
@@ -16,18 +12,30 @@ on:
       - 'docs/*'
       - 'build/*'
       - '.github/*'
-
+      
 concurrency:
-  group: ${{ github.head_ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-  
 jobs:
   pr-scanner:
-    permissions: 
+    permissions:
       pull-requests: write
     uses: ./.github/workflows/a-pr-scanner.yaml
     with:
       RELEASE: ""
       CLIENT: test
     secrets: inherit
+ 
+  binary-build:
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 1
+      GO111MODULE: ""
+      GO_VERSION: "1.20"
+      RELEASE: ""
+      CLIENT: test
+      ARCH_MATRIX: '[ "" ]'
+      OS_MATRIX: '[ "ubuntu-20.04" ]'
+    secrets: inherit

.github/workflows/01-code-review-approved.yaml

@@ -1,57 +0,0 @@
-name: 01-code_review_approved
-on:
-  pull_request_review:
-    types: [submitted]
-    branches:
-      - 'master'
-      - 'main'
-    paths-ignore:
-      - '**.yaml'
-      - '**.md'
-      - '**.sh'
-      - 'website/*'
-      - 'examples/*'
-      - 'docs/*'
-      - 'build/*'
-      - '.github/*'
-
-
-concurrency:
-  group: code-review-approved
-  cancel-in-progress: true
-
-jobs:
-
-  binary-build:
-    if: ${{ github.event.review.state == 'approved' && 
-            contains( github.event.pull_request.labels.*.name, 'trigger-integration-test') && 
-            github.event.pull_request.base.ref == 'master' }} ## run only if labeled as "trigger-integration-test" and base branch is master
-    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
-    with:
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
-      GO111MODULE: ""
-      GO_VERSION: "1.19"
-      RELEASE: ""
-      CLIENT: test
-    secrets: inherit
-
-
-  merge-to-master:
-    needs: binary-build
-    env:
-      GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-    if: ${{ (github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'master') && 
-            (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: merge-to-master
-        if: ${{ env.GH_PERSONAL_ACCESS_TOKEN }}
-        uses: pascalgn/automerge-action@v0.15.5
-        env:
-          GITHUB_TOKEN: "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}"
-          MERGE_COMMIT_MESSAGE: "Merge to master - PR number: {pullRequest.number}"
-          MERGE_ERROR_FAIL: "true"
-          MERGE_METHOD: "merge"
-          MERGE_LABELS: ""
-          UPDATE_LABELS: ""

.github/workflows/02-release.yaml

@@ -1,23 +1,19 @@
 name: 02-create_release
-
 on:
   push:
     tags:
-    - 'v*.*.*-rc.*'
-
+      - 'v*.*.*-rc.*'
 jobs:
   retag:
     outputs:
       NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
       - id: tag-calculator
         uses: ./.github/actions/tag-action
         with:
           SUB_STRING: "-rc"
-
   binary-build:
     needs: [retag]
     uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
@@ -25,41 +21,27 @@ jobs:
       COMPONENT_NAME: kubescape
       CGO_ENABLED: 1
       GO111MODULE: ""
-      GO_VERSION: "1.19"
+      GO_VERSION: "1.20"
       RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
       CLIENT: release
     secrets: inherit
-
   create-release:
     permissions:
-      contents: write    
+      contents: write
     needs: [retag, binary-build]
     uses: ./.github/workflows/c-create-release.yaml
     with:
       RELEASE_NAME: "Release ${{ needs.retag.outputs.NEW_TAG }}"
       TAG: ${{ needs.retag.outputs.NEW_TAG }}
       DRAFT: false
-    secrets: inherit    
-
-  publish-krew-plugin:
-    name: Publish Krew plugin
-    runs-on: ubuntu-latest
-    if: "${{ github.repository_owner }} == kubescape"
-    needs: create-release
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Update new version in krew-index
-        uses: rajatjindal/krew-release-bot@v0.0.43
-
+    secrets: inherit
   publish-image:
     permissions:
       id-token: write
       packages: write
-      contents: read    
+      contents: read
     uses: ./.github/workflows/d-publish-image.yaml
-    needs: [ create-release, retag ]
+    needs: [create-release, retag]
     with:
       client: "image-release"
       image_name: "quay.io/${{ github.repository_owner }}/kubescape"

.github/workflows/03-post-release.yaml

@@ -1,19 +1,41 @@
-name: 03-create_release_digests
-
+name: 03-post_release
 on:
   release:
-    types: [ published ]
+    types: [published]
     branches:
-    - 'master'
-    - 'main'
-  
+      - 'master'
+      - 'main'
 jobs:
-  create_release_digests:
-    name: Creating digests
+  post_release:
+    name: Post release jobs
     runs-on: ubuntu-latest
     steps:
       - name: Digest
-        uses: MCJack123/ghaction-generate-release-hashes@v1
+        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
         with:
           hash-type: sha1
           file-name: kubescape-release-digests
+      - name: Invoke workflow to update packaging
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/packaging
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update homebrew tap
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yml
+          repo: kubescape/homebrew-tap
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+      - name: Invoke workflow to update github action
+        uses: benc-uk/workflow-dispatch@v1
+        if: github.repository_owner == 'kubescape'
+        with:
+          workflow: release.yaml
+          repo: kubescape/github-action
+          ref: refs/heads/main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/04-publish-krew-plugin.yaml

@@ -0,0 +1,16 @@
+name: 04-publish_krew_plugin
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+jobs:
+  publish_krew_plugin:
+    name: Publish Krew plugin
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'kubescape'
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43

.github/workflows/a-pr-scanner.yaml

@@ -1,5 +1,4 @@
 name: a-pr-scanner
-
 on:
   workflow_call:
     inputs:
@@ -11,27 +10,27 @@ on:
         description: 'Client name'
         required: true
         type: string
-
-
+      UNIT_TESTS_PATH:
+        required: false
+        type: string
+        default: "./..."
 jobs:
   scanners:
     env:
-       GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
     name: PR Scanner
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
           fetch-depth: 0
           submodules: recursive
-
-      - uses: actions/setup-go@v3 # Install go because go-licenses use it
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # Install go because go-licenses use it ratchet:actions/setup-go@v3
         name: Installing go
         with:
-          go-version: '1.19'
+          go-version: '1.20'
           cache: true
-
       - name: Scanning - Forbidden Licenses (go-licenses)
         id: licenses-scan
         continue-on-error: true
@@ -40,142 +39,51 @@ jobs:
           go install github.com/google/go-licenses@latest
           echo "## Scanning for forbiden licenses ##"
           go-licenses check .
-
       - name: Scanning - Credentials (GitGuardian)
         if: ${{ env.GITGUARDIAN_API_KEY }}
-        continue-on-error: true      
+        continue-on-error: true
         id: credentials-scan
-        uses: GitGuardian/ggshield-action@master
+        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
         with:
-          args: -v --all-policies        
+          args: -v --all-policies
         env:
           GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
           GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
           GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
           GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
           GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-
       - name: Scanning - Vulnerabilities (Snyk)
         if: ${{ env.SNYK_TOKEN }}
         id: vulnerabilities-scan
         continue-on-error: true
-        uses: snyk/actions/golang@master
+        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
         with:
           command: test --all-projects
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
+      - name: Test coverage
+        id: unit-test
+        run: go test -v ${{ inputs.UNIT_TESTS_PATH }} -covermode=count -coverprofile=coverage.out
+
+      - name: Convert coverage count to lcov format
+        uses: jandelgado/gcov2lcov-action@v1
+        
+      - name: Submit coverage tests to Coveralls
+        continue-on-error: true
+        uses: coverallsapp/github-action@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: coverage.lcov
+
       - name: Comment results to PR
         continue-on-error: true # Warning: This might break opening PRs from forks
-        uses: peter-evans/create-or-update-comment@v2.1.0
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
         with:
-          issue-number:  ${{ github.event.pull_request.number }}
+          issue-number: ${{ github.event.pull_request.number }}
           body: |
             Scan results:
             - License scan: ${{ steps.licenses-scan.outcome }}
             - Credentials scan: ${{ steps.credentials-scan.outcome }}
             - Vulnerabilities scan: ${{ steps.vulnerabilities-scan.outcome }}
           reactions: 'eyes'
-
-  basic-tests:
-    needs: scanners
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      RELEASE: ${{ inputs.RELEASE }}
-      CLIENT: ${{ inputs.CLIENT }}
-    strategy:
-      matrix:
-        os: [ubuntu-20.04, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-
-      - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
-        if: matrix.os == 'windows-latest'
-
-      - name: Install pkg-config (macOS)
-        run: brew install pkg-config
-        if: matrix.os == 'macos-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
-        if: matrix.os != 'windows-latest'
- 
-      - name: Test core pkg
-        run: go test "-tags=static,gitenabled" -v ./...
-
-      - name: Test httphandler pkg
-        run: cd httphandler && go test "-tags=static,gitenabled" -v ./...
-
-      - name: Build
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          CLIENT: ${{ inputs.CLIENT }}
-          CGO_ENABLED: 1
-        run: python3 --version && python3 build.py
-
-      - name: Smoke Testing (Windows / MacOS)
-        env:
-          RELEASE: ${{ inputs.RELEASE }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
-        if: matrix.os != 'ubuntu-20.04'
-
-      - name: Smoke Testing (Linux)
-        env:
-          RELEASE: ${{ inputs.RELEASE }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
-        if: matrix.os == 'ubuntu-20.04'      
-
-      - name: golangci-lint
-        if: matrix.os == 'ubuntu-20.04'      
-        continue-on-error: true
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: latest
-          args: --timeout 10m --build-tags=static
-          only-new-issues: true

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -1,5 +1,45 @@
 name: b-binary-build-and-e2e-tests
+
 on:
+  workflow_dispatch:
+    inputs:
+      COMPONENT_NAME:
+        required: false
+        type: string
+        default: "kubescape"
+      RELEASE:
+        required: false
+        type: string
+        default: ""
+      CLIENT:
+        required: false
+        type: string
+        default: "test"
+      GO_VERSION:
+        required: false
+        type: string
+        default: "1.20"
+      GO111MODULE:
+        required: false
+        type: string
+        default: ""
+      CGO_ENABLED:
+        type: number
+        default: 1
+        required: false
+      OS_MATRIX:
+        type: string
+        required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_MATRIX:
+        type: string
+        required: false
+        default: '[ "", "arm64"]'
+      BINARY_TESTS:
+        type: string
+        required: false
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
+
   workflow_call:
     inputs:
       COMPONENT_NAME:
@@ -13,7 +53,7 @@ on:
         type: string
       GO_VERSION:
         type: string
-        default: "1.19"
+        default: "1.20"
       GO111MODULE:
         required: true
         type: string
@@ -22,73 +62,85 @@ on:
         default: 1
       BINARY_TESTS:
         type: string
-        default: '[
-                    "scan_nsa",                                                                                            
-                    "scan_mitre",                                                                                          
-                    "scan_with_exceptions",                                                                                
-                    "scan_repository",                                                                                     
-                    "scan_local_file",                                                                                     
-                    "scan_local_glob_files",                                                                               
-                    "scan_local_list_of_files",                                                                            
-                    "scan_nsa_and_submit_to_backend",                                                                      
-                    "scan_mitre_and_submit_to_backend",                                                                    
-                    "scan_local_repository_and_submit_to_backend",                                                         
-                    "scan_repository_from_url_and_submit_to_backend",                                                      
-                    "scan_with_exception_to_backend",                                                                      
-                    "scan_with_custom_framework",                                                                                                                                                                
-                    "scan_customer_configuration",                                                                         
-                    "host_scanner"
-                  ]'
-
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing", "unified_configuration_config_view", "unified_configuration_config_set", "unified_configuration_config_delete" ]'
+      OS_MATRIX:
+        type: string
+        required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_MATRIX:
+        type: string
+        required: false
+        default: '[ "", "arm64"]'
+  
 jobs:
-
-  check-secret:
+  wf-preparation:
     name: secret-validator
     runs-on: ubuntu-latest
     outputs:
+      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
+      OS_MATRIX: ${{ steps.export_os_to_env.outputs.OS_MATRIX }}
+      ARCH_MATRIX: ${{ steps.export_arch_to_env.outputs.ARCH_MATRIX }}
       is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+
     steps:
       - name: check if the necessary secrets are set in github secrets
         id: check-secret-set
         env:
-            CUSTOMER: ${{ secrets.CUSTOMER }}
-            USERNAME: ${{ secrets.USERNAME }}
-            PASSWORD: ${{ secrets.PASSWORD }}
-            CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
-            SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
-            REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-            REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-        run: |
-            echo "is-secret-set=${{ env.CUSTOMER != '' && 
-                                    env.USERNAME != '' &&
-                                    env.PASSWORD != '' &&
-                                    env.CLIENT_ID != '' &&
-                                    env.SECRET_KEY != '' &&
-                                    env.REGISTRY_USERNAME != '' &&
-                                    env.REGISTRY_PASSWORD != ''
-                                  }}" >> $GITHUB_OUTPUT
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
 
+      - id: export_os_to_env
+        name: set test name
+        run: |
+          echo "OS_MATRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.OS_MATRIX }}
+
+      - id: export_tests_to_env
+        name: set test name
+        run: |
+          echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.BINARY_TESTS }}
+
+      - id: export_arch_to_env
+        name: set test name
+        run: |
+          echo "ARCH_MATRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.ARCH_MATRIX }}
+      
 
   binary-build:
     name: Create cross-platform build
-    outputs:
-      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}    
+    needs: wf-preparation
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GOARCH: ${{ matrix.arch }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-20.04, macos-latest, windows-latest]
+        os: ${{ fromJson(needs.wf-preparation.outputs.OS_MATRIX) }}
+        arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_MATRIX) }}
+        exclude:
+        - os: windows-latest
+          arch: arm64
     steps:
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
           fetch-depth: 0
           submodules: recursive
 
       - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-20.04' 
-        uses: actions/cache@v3
+        if: matrix.os == 'ubuntu-20.04'
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
         with:
           path: |
             ~/.cache/go-build
@@ -98,8 +150,8 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest' 
-        uses: actions/cache@v3
+        if: matrix.os == 'macos-latest'
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
         with:
           path: |
             ~/Library/Caches/go-build
@@ -110,7 +162,7 @@ jobs:
 
       - name: Cache Go modules (Windows)
         if: matrix.os == 'windows-latest'
-        uses: actions/cache@v3
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
         with:
           path: |
             ~\AppData\Local\go-build
@@ -119,15 +171,32 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
 
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
         name: Installing go
         with:
           go-version: ${{ inputs.GO_VERSION }}
           cache: true
 
+      - name: start ${{ matrix.arch }} environment in container
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y binfmt-support qemu-user-static
+          sudo docker run --platform linux/${{ matrix.arch }} -e RELEASE=${{ inputs.RELEASE }} \
+          -e CLIENT=${{ inputs.CLIENT }} -e CGO_ENABLED=${{ inputs.CGO_ENABLED }} \
+          -e KUBESCAPE_SKIP_UPDATE_CHECK=true -e GOARCH=${{ matrix.arch }} -v ${PWD}:/work \
+          -w /work -v ~/go/pkg/mod:/root/go/pkg/mod -v ~/.cache/go-build:/root/.cache/go-build \
+          -d --name build golang:${{ inputs.GO_VERSION }}-bullseye sleep 21600
+          sudo docker ps
+          DOCKER_CMD="sudo docker exec build"
+          ${DOCKER_CMD} apt update
+          ${DOCKER_CMD} apt install -y cmake python3
+          ${DOCKER_CMD} git config --global --add safe.directory '*'
+          echo "DOCKER_CMD=${DOCKER_CMD}" >> $GITHUB_ENV;
+        if: matrix.os == 'ubuntu-20.04' && matrix.arch != ''
+
       - name: Install MSYS2 & libgit2 (Windows)
-        shell: cmd
-        run: .\build.bat all
+        shell: pwsh
+        run: .\build.ps1 all
         if: matrix.os == 'windows-latest'
 
       - name: Install pkg-config (macOS)
@@ -135,79 +204,80 @@ jobs:
         if: matrix.os == 'macos-latest'
 
       - name: Install libgit2 (Linux/macOS)
-        run: make libgit2
+        run: ${{ env.DOCKER_CMD }} make libgit2${{ matrix.arch }}
         if: matrix.os != 'windows-latest'
- 
+
       - name: Test core pkg
-        run: go test "-tags=static,gitenabled" -v ./...
+        run: ${{ env.DOCKER_CMD }} go test "-tags=static,gitenabled" -v ./...
+        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
 
       - name: Test httphandler pkg
-        run: cd httphandler && go test "-tags=static,gitenabled" -v ./...
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test "-tags=static,gitenabled" -v ./...'
+        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
 
       - name: Build
         env:
           RELEASE: ${{ inputs.RELEASE }}
           CLIENT: ${{ inputs.CLIENT }}
           CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
-        run: python3 --version && python3 build.py
+        run: ${{ env.DOCKER_CMD }} python3 --version && ${{ env.DOCKER_CMD }} python3 build.py
 
       - name: Smoke Testing (Windows / MacOS)
         env:
-          RELEASE: ${{ inputs.RELEASE }} 
+          RELEASE: ${{ inputs.RELEASE }}
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
         run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
-        if: matrix.os != 'ubuntu-20.04'
+        if: startsWith(github.ref, 'refs/tags') && matrix.os != 'ubuntu-20.04' && matrix.arch == ''
 
-      - name: Smoke Testing (Linux)
+      - name: Smoke Testing (Linux amd64)
         env:
-          RELEASE: ${{ inputs.RELEASE }} 
+          RELEASE: ${{ inputs.RELEASE }}
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
-        if: matrix.os == 'ubuntu-20.04'      
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
+        if: matrix.os == 'ubuntu-20.04' && matrix.arch == ''
+
+      - name: Smoke Testing (Linux ${{ matrix.arch }})
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ./build/kubescape-${{ matrix.arch }}-ubuntu-latest
+        if: startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch != ''
 
       - name: golangci-lint
-        if: matrix.os == 'ubuntu-20.04'      
+        if: matrix.os == 'ubuntu-20.04'
         continue-on-error: true
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
         with:
           version: latest
           args: --timeout 10m --build-tags=static
           only-new-issues: true
 
-      - id: export_tests_to_env
-        name: set test name
-        run: |
-          echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.BINARY_TESTS }}
-
-      - uses: actions/upload-artifact@v3.1.1
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
         name: Upload artifact (Linux)
         if: matrix.os == 'ubuntu-20.04'
         with:
-          name: kubescape-ubuntu-latest
+          name: kubescape${{ matrix.arch }}-ubuntu-latest
           path: build/
           if-no-files-found: error
 
-      - uses: actions/upload-artifact@v3.1.1
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
         name: Upload artifact (MacOS, Win)
         if: matrix.os != 'ubuntu-20.04'
         with:
-          name: kubescape-${{ matrix.os }}
+          name: kubescape${{ matrix.arch }}-${{ matrix.os }}
           path: build/
           if-no-files-found: error
 
   run-tests:
     strategy:
-      fail-fast: false    
+      fail-fast: false
       matrix:
-        TEST: ${{ fromJson(needs.binary-build.outputs.TEST_NAMES) }}
-    needs: [check-secret, binary-build]
-    if: needs.check-secret.outputs.is-secret-set == 'true'
+        TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }}
+    needs: [wf-preparation, binary-build]
+    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
     runs-on: ubuntu-latest # This cannot change
     steps:
-
-      - uses: actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
         id: download-artifact
         with:
           name: kubescape-ubuntu-latest
@@ -219,12 +289,13 @@ jobs:
         run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
 
       - name: Checkout systests repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
           repository: armosec/system-tests
+          ref: remove-urls
           path: .
-          
-      - uses: actions/setup-python@v4
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
         with:
           python-version: '3.8.13'
           cache: 'pip'
@@ -234,16 +305,16 @@ jobs:
 
       - name: Generate uuid
         id: uuid
-        run: | 
+        run: |
           echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT
 
       - name: Create k8s Kind Cluster
         id: kind-cluster-install
-        uses: helm/kind-action@v1.3.0
+        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
         with:
           cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}
 
-      - name: run-tests
+      - name: run-tests-on-local-built-kubescape
         env:
           CUSTOMER: ${{ secrets.CUSTOMER }}
           USERNAME: ${{ secrets.USERNAME }}
@@ -252,7 +323,6 @@ jobs:
           SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
           REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
           REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-
         run: |
           echo "Test history:"
           echo " ${{ matrix.TEST }} " >/tmp/testhistory
@@ -266,14 +336,12 @@ jobs:
             --duration 3                     \
             --logger DEBUG                   \
             --kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
-          
+
           deactivate
-          
+
       - name: Test Report
-        uses: mikepenz/action-junit-report@v3.6.1
+        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
         if: always() # always run even if the previous step fails
         with:
           report_paths: '**/results_xml_format/**.xml'
           commit: ${{github.event.workflow_run.head_sha}}
-
-          

.github/workflows/build-image.yaml

@@ -0,0 +1,34 @@
+name: build-image
+
+on:
+    workflow_dispatch:
+      inputs:
+        CLIENT:
+          required: false
+          type: string
+          default: "test"
+        IMAGE_TAG:
+          required: true
+          type: string
+        CO_SIGN:
+          type: boolean
+          required: false
+          default: false
+        PLATFORMS:
+            type: boolean
+            required: false
+            default: false
+jobs:
+  publish-image:
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+    uses: ./.github/workflows/d-publish-image.yaml
+    with:
+      client: ${{ inputs.CLIENT }}
+      image_name: "quay.io/${{ github.repository_owner }}/kubescape"
+      image_tag: ${{ inputs.IMAGE_TAG }}
+      support_platforms: ${{ inputs.PLATFORMS }}
+      cosign: ${{ inputs.CO_SIGN }}
+    secrets: inherit

.github/workflows/c-create-release.yaml

@@ -15,43 +15,58 @@ on:
         required: false
         type: boolean
         default: false
-
 jobs:
-
   create-release:
     name: create-release
     runs-on: ubuntu-latest
+    env:
+      MAC_OS: macos-latest
+      UBUNTU_OS: ubuntu-latest
+      WINDOWS_OS: windows-latest
     # permissions:
-    #   contents: write    
+    #   contents: write
     steps:
-      - uses: actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
         id: download-artifact
         with:
           path: .
 
+      # TODO: kubescape-windows-latest is deprecated and should be removed
+      - name: Get kubescape.exe from kubescape-windows-latest
+        run: cp ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }} ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
+
+      - name: Set release token
+        run: |
+          if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then
+            echo "TOKEN=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_ENV;
+          else
+            echo "TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV;
+          fi
       - name: Release
-        uses: softprops/action-gh-release@v1
-        env:
-          MAC_OS: macos-latest
-          UBUNTU_OS: ubuntu-latest
-          WINDOWS_OS: windows-latest
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # ratchet:softprops/action-gh-release@v1
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ env.TOKEN }}
           name: ${{ inputs.RELEASE_NAME }}
           tag_name: ${{ inputs.TAG }}
           body: ${{ github.event.pull_request.body }}
           draft: ${{ inputs.DRAFT }}
           fail_on_unmatched_files: true
           prerelease: false
+          # TODO: kubescape-windows-latest is deprecated and should be removed
           files: |
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}
             ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}
             ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.sha256
             ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.tar.gz
             ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}
             ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.sha256
             ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.tar.gz
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}
+            ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
             ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.sha256
             ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.tar.gz
- 
-            
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.sha256
+            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.tar.gz
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz

.github/workflows/codesee-arch-diagram.yml

@@ -0,0 +1,30 @@
+# This workflow was added by CodeSee. Learn more at https://codesee.io/
+# This is v2.0 of this workflow file
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+    - '**.yaml'
+    - '**.yml'
+    - '**.md'
+    - '**.sh'
+    - 'website/*'
+    - 'examples/*'
+    - 'docs/*'
+    - 'build/*'
+    - '.github/*'  
+
+name: CodeSee
+
+permissions: read-all
+
+jobs:
+  codesee:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    name: Analyze the repo with CodeSee
+    steps:
+      - uses: Codesee-io/codesee-action@v2
+        with:
+          codesee-token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
+          codesee-url: https://app.codesee.io

.github/workflows/comments.yaml

@@ -0,0 +1,23 @@
+name: pr-agent
+
+on:
+  issue_comment:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  pr_agent:
+    runs-on: ubuntu-latest
+    name: Run pr agent on every pull request, respond to user comments
+    steps:
+      - name: PR Agent action step
+        continue-on-error: true
+        id: pragent
+        uses: Codium-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+   
+

.github/workflows/d-publish-image.yaml

@@ -1,5 +1,4 @@
 name: d-publish-image
-
 on:
   workflow_call:
     inputs:
@@ -25,7 +24,6 @@ on:
         default: true
         type: boolean
         description: 'support amd64/arm64'
-
 jobs:
   check-secret:
     name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
@@ -36,44 +34,36 @@ jobs:
       - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
         id: check-secret-set
         env:
-            QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-            QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
         run: |
-            echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
-
+          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
   build-image:
     needs: [check-secret]
     if: needs.check-secret.outputs.is-secret-set == 'true'
     name: Build image and upload to registry
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
           submodules: recursive
-
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
       - name: Login to Quay.io
         env:
           QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
           QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
         run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-
       - name: Build and push image
         if: ${{ inputs.support_platforms }}
         run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
-
       - name: Build and push image without amd64/arm64 support
         if: ${{ !inputs.support_platforms }}
-        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push 
-
+        run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push
       - name: Install cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # ratchet:sigstore/cosign-installer@main
         with:
           cosign-release: 'v1.12.0'
       - name: sign kubescape container image
@@ -81,5 +71,4 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: "true"
         run: |
-            cosign sign --force ${{ inputs.image_name }}
-
+          cosign sign --force ${{ inputs.image_name }}

.github/workflows/z-close-typos-issues.yaml

@@ -1,23 +1,19 @@
 on:
   issues:
     types: [opened, labeled]
-
 jobs:
   open_PR_message:
     if: github.event.label.name == 'typo'
     runs-on: ubuntu-latest
     steps:
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
         with:
           message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-          
-          
   auto_close_issues:
     runs-on: ubuntu-latest
     steps:
-      - uses: lee-dohm/close-matching-issues@v2
+      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
         with:
           query: 'label:typo'
           token: ${{ secrets.GITHUB_TOKEN }}

.krew.yaml

@@ -16,15 +16,27 @@ spec:
         arch: amd64
     {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-macos-latest.tar.gz" .TagName }}
     bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-macos-latest.tar.gz" .TagName }}
+    bin: kubescape
   - selector:
       matchLabels:
         os: linux
         arch: amd64
     {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-ubuntu-latest.tar.gz" .TagName }}
     bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-ubuntu-latest.tar.gz" .TagName }}
+    bin: kubescape
   - selector:
       matchLabels:
         os: windows
         arch: amd64
     {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-windows-latest.tar.gz" .TagName }}
-    bin: kubescape
+    bin: kubescape.exe

CONTRIBUTING.md

@@ -15,6 +15,10 @@ so the maintainers are able to help guide you and let you know if you are going
 
 Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
 
+## Build and test locally
+
+Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
+
 ## Pull Request Process
 
 1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
@@ -47,7 +51,7 @@ Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s)
 
 ```git commit -s -m "Fix issue 64738"```
 
-This is tedious, and if you forget, you'll have to [amend your commit](#f)
+This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
 
 ### Configure a repository to always include sign off
 

Makefile

@@ -10,6 +10,14 @@ libgit2:
 	-git submodule update --init --recursive
 	cd git2go; make install-static
 
+# build and install libgit2 for macOS m1
+libgit2arm64:
+	git submodule update --init --recursive
+	if [ "$(shell uname -s)" = "Darwin" ]; then \
+		sed -i '' 's/cmake -D/cmake -DCMAKE_OSX_ARCHITECTURES="arm64" -D/' git2go/script/build-libgit2.sh; \
+	fi
+	cd git2go; make install-static
+
 # go build tags
 TAGS = "gitenabled,static"
 

README.md

@@ -37,11 +37,11 @@ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh
 
 Learn more about:
 
-* [Installing Kubescape](docs/getting-started.md#install-kubescape)
+* [Installing Kubescape](docs/installation.md)
 * [Running your first scan](docs/getting-started.md#run-your-first-scan)
 * [Usage](docs/getting-started.md#examples)
 * [Architecture](docs/architecture.md)
-* [Building Kubescape from source](docs/building.md)
+* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
 
 _Did you know you can use Kubescape in all these places?_
 
@@ -65,7 +65,7 @@ It retrieves Kubernetes objects from the API server and runs a set of [Rego snip
 
 Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
 
-We hold [community meetings](https://us02web.zoom.us/j/84020231442) on Zoom, on the first Tuesday of every month, at 14:00 GMT.
+We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
 
 The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 

build.bat

@@ -1,51 +0,0 @@
-@ECHO OFF
-
-IF "%1"=="install" goto Install
-IF "%1"=="build" goto Build
-IF "%1"=="all" goto All
-IF "%1"=="" goto Error ELSE goto Error
-
-:Install
-
-if exist C:\MSYS64\ (
-    echo "MSYS2 already installed"
-) else (
-    mkdir temp_install & cd temp_install
-
-    echo "Downloading MSYS2..."
-    curl -L https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe > msys2-x86_64-20220603.exe
-
-    echo "Installing MSYS2..."
-    msys2-x86_64-20220603.exe install --root C:\MSYS64 --confirm-command
-
-    cd .. && rmdir /s /q temp_install
-)
-
-
-echo "Adding MSYS2 to path..."
-SET "PATH=C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;%PATH%"
-echo %PATH%
-
-echo "Installing MSYS2 packages..."
-pacman -S --needed --noconfirm make
-pacman -S --needed --noconfirm mingw-w64-x86_64-cmake
-pacman -S --needed --noconfirm mingw-w64-x86_64-gcc
-pacman -S --needed --noconfirm mingw-w64-x86_64-pkg-config
-pacman -S --needed --noconfirm msys2-w32api-runtime
-
-IF "%1"=="all" GOTO Build
-GOTO End
-
-:Build
-SET "PATH=C:\MSYS2\mingw64\bin;C:\MSYS2\usr\bin;%PATH%"
-make libgit2
-GOTO End
-
-:All
-GOTO Install
-
-:Error
-echo "Error: Unknown option"
-GOTO End
-
-:End

build.ps1

@@ -0,0 +1,78 @@
+# Defining input params
+param (
+    [string]$mode = "error"
+)
+
+# Function to install MSYS
+function Install {
+    Write-Host "Starting install..." -ForegroundColor Cyan
+
+    # Check to see if already installed
+    if (Test-Path "C:\MSYS64\") {
+        Write-Host "MSYS2 already installed" -ForegroundColor Green
+    } else {
+        # Create a temp directory
+        New-Item -Path "$PSScriptRoot\temp_install" -ItemType Directory > $null
+        
+        # Download MSYS
+        Write-Host "Downloading MSYS2..." -ForegroundColor Cyan
+        $bitsJobObj = Start-BitsTransfer "https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe" -Destination "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe"
+        switch ($bitsJobObj.JobState) {
+            "Transferred" {
+                Complete-BitsTransfer -BitsJob $bitsJobObj
+                break
+            }
+            "Error" {
+                throw "Error downloading"
+            }
+        }
+        Write-Host "MSYS2 download complete" -ForegroundColor Green
+
+        # Install MSYS
+        Write-Host "Installing MSYS2..." -ForegroundColor Cyan
+        Start-Process -Filepath "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe" -ArgumentList @("install", "--root", "C:\MSYS64", "--confirm-command") -Wait
+        Write-Host "MSYS2 install complete" -ForegroundColor Green
+
+        # Remove temp directory
+        Remove-Item "$PSScriptRoot\temp_install" -Recurse
+    }
+
+    # Set PATH
+    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
+
+    # Install MSYS packages
+    Write-Host "Installing MSYS2 packages..." -ForegroundColor Cyan
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "make") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-cmake") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-gcc") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-pkg-config") -Wait
+    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "msys2-w32api-runtime") -Wait
+    Write-Host "MSYS2 packages install complete" -ForegroundColor Green
+
+    Write-Host "Install complete" -ForegroundColor Green
+}
+
+# Function to build libgit2
+function Build {
+    Write-Host "Starting build..." -ForegroundColor Cyan
+
+    # Set PATH
+    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
+
+    # Build
+    Start-Process -Filepath "make" -ArgumentList @("libgit2") -Wait -NoNewWindow
+
+    Write-Host "Build complete" -ForegroundColor Green
+}
+
+# Check user call mode
+if ($mode -eq "all") {
+    Install
+    Build
+} elseif ($mode -eq "install") {
+    Install
+} elseif ($mode -eq "build") {
+    Build
+} else {
+    Write-Host "Error: -mode should be one of (all|install|build)" -ForegroundColor Red
+}

build.py

@@ -6,6 +6,7 @@ import subprocess
 import tarfile
 
 BASE_GETTER_CONST = "github.com/kubescape/kubescape/v2/core/cautils/getter"
+CURRENT_PLATFORM = platform.system()
 
 platformSuffixes = {
     "Windows": "windows-latest",
@@ -24,11 +25,15 @@ def get_build_dir():
 
 
 def get_package_name():
-    current_platform = platform.system()
+    if CURRENT_PLATFORM not in platformSuffixes: raise OSError("Platform %s is not supported!" % (CURRENT_PLATFORM))
 
-    if current_platform not in platformSuffixes: raise OSError("Platform %s is not supported!" % (current_platform))
+    # # TODO: kubescape-windows-latest is deprecated and should be removed
+    # if CURRENT_PLATFORM == "Windows": return "kubescape.exe"
 
-    return "kubescape-" + platformSuffixes[current_platform]
+    package_name = "kubescape-"
+    if os.getenv("GOARCH"):
+        package_name += os.getenv("GOARCH") + "-"
+    return package_name + platformSuffixes[CURRENT_PLATFORM]
 
 
 def main():
@@ -76,7 +81,10 @@ def main():
             kube_sha.write(sha256.hexdigest())
 
     with tarfile.open(tar_file, 'w:gz') as archive:
-        archive.add(ks_file, "kubescape")
+        name = "kubescape"
+        if CURRENT_PLATFORM == "Windows":
+            name += ".exe"
+        archive.add(ks_file, name)
         archive.add("LICENSE", "LICENSE")
 
     print("Build Done")

build/Dockerfile

@@ -1,50 +1,38 @@
-FROM golang:1.19-alpine as builder
-
-ARG image_version
-ARG client
-
-ENV RELEASE=$image_version
-ENV CLIENT=$client
-
-ENV GO111MODULE=
-
-ENV CGO_ENABLED=1
+FROM golang:1.20-bullseye as builder
+ARG image_version client
+ENV GO111MODULE=on CGO_ENABLED=1 PYTHONUNBUFFERED=1 RELEASE=$image_version CLIENT=$client
 
 # Install required python/pip
-ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 gcc make git libc-dev binutils-gold cmake pkgconfig && ln -sf python3 /usr/bin/python
-RUN python3 -m ensurepip
+RUN apt update
+RUN apt install -y cmake python3-pip
 RUN pip3 install --no-cache --upgrade pip setuptools
 
 WORKDIR /work
 ADD . .
 
 # install libgit2
-RUN rm -rf git2go && make libgit2
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    make libgit2
 
 # build kubescape server
 WORKDIR /work/httphandler
-RUN python build.py
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    python3 build.py
 RUN ls -ltr build/
 
 # build kubescape cmd
 WORKDIR /work
-RUN python build.py
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    python3 build.py
 
 RUN /work/build/kubescape-ubuntu-latest download artifacts -o /work/artifacts
 
-FROM alpine:3.16.2
-
-RUN addgroup -S ks && adduser -S ks -G ks
-
-COPY --from=builder /work/artifacts/ /home/ks/.kubescape
-
-RUN chown -R ks:ks /home/ks/.kubescape
-
-USER ks
-
-WORKDIR /home/ks
+FROM gcr.io/distroless/base-debian11:nonroot
 
+COPY --from=builder /work/artifacts/ /home/nonroot/.kubescape
 COPY --from=builder /work/httphandler/build/kubescape-ubuntu-latest /usr/bin/ksserver
 COPY --from=builder /work/build/kubescape-ubuntu-latest /usr/bin/kubescape
 

cmd/completion/completion.go

@@ -15,8 +15,8 @@ var completionCmdExamples = fmt.Sprintf(`
   $ echo 'source <(%[1]s completion bash)' >> ~/.bashrc
 
   # Enable ZSH shell autocompletion
-  $ source <(kubectl completion zsh)
-  $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
+  $ source <(%[1]s completion zsh)
+  $ echo 'source <(%[1]s completion zsh)' >> "${fpath[1]}/_%[1]s"
 `, cautils.ExecName())
 
 func GetCompletionCmd() *cobra.Command {

cmd/config/config.go

@@ -23,14 +23,8 @@ var (
   # Set account id
   %[1]s config set accountID <account id>
 
-  # Set client id
-  %[1]s config set clientID <client id> 
-
-  # Set access key
-  %[1]s config set secretKey <access key>
-
-  # Set cloudAPIURL
-  %[1]s config set cloudAPIURL <cloud API URL>
+  # Set cloud report URL
+  %[1]s config set cloudReportURL <cloud Report URL>
 `, cautils.ExecName())
 )
 

cmd/config/set.go

@@ -34,12 +34,8 @@ func getSetCmd(ks meta.IKubescape) *cobra.Command {
 
 var supportConfigSet = map[string]func(*metav1.SetConfig, string){
 	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
-	"clientID":       func(s *metav1.SetConfig, clientID string) { s.ClientID = clientID },
-	"secretKey":      func(s *metav1.SetConfig, secretKey string) { s.SecretKey = secretKey },
 	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
-	"cloudAuthURL":   func(s *metav1.SetConfig, cloudAuthURL string) { s.CloudAuthURL = cloudAuthURL },
 	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
-	"cloudUIURL":     func(s *metav1.SetConfig, cloudUIURL string) { s.CloudUIURL = cloudUIURL },
 }
 
 func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {

cmd/delete/delete.go

@@ -1,37 +0,0 @@
-package delete
-
-import (
-	"fmt"
-
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-var deleteExceptionsExamples = fmt.Sprintf(`
-  # Delete single exception
-  %[1]s delete exceptions "exception name"
-
-  # Delete multiple exceptions
-  %[1]s delete exceptions "first exception;second exception;third exception"
-`, cautils.ExecName())
-
-func GetDeleteCmd(ks meta.IKubescape) *cobra.Command {
-	var deleteInfo v1.Delete
-
-	var deleteCmd = &cobra.Command{
-		Use:   "delete <command>",
-		Short: "Delete configurations in Kubescape SaaS version",
-		Long:  ``,
-		Run: func(cmd *cobra.Command, args []string) {
-		},
-	}
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	deleteCmd.PersistentFlags().StringVarP(&deleteInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-
-	deleteCmd.AddCommand(getExceptionsCmd(ks, &deleteInfo))
-
-	return deleteCmd
-}

cmd/delete/exceptions.go

@@ -1,47 +0,0 @@
-package delete
-
-import (
-	"fmt"
-	"strings"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-func getExceptionsCmd(ks meta.IKubescape, deleteInfo *v1.Delete) *cobra.Command {
-	return &cobra.Command{
-		Use:     "exceptions <exception name>",
-		Short:   fmt.Sprintf("Delete exceptions from Kubescape SaaS version. Run '%[1]s list exceptions' for all exceptions names", cautils.ExecName()),
-		Example: deleteExceptionsExamples,
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return fmt.Errorf("missing exceptions names")
-			}
-			return nil
-		},
-		Run: func(cmd *cobra.Command, args []string) {
-
-			if err := flagValidationDelete(deleteInfo); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-
-			exceptionsNames := strings.Split(args[0], ";")
-			if len(exceptionsNames) == 0 {
-				logger.L().Fatal("missing exceptions names")
-			}
-			if err := ks.DeleteExceptions(&v1.DeleteExceptions{Credentials: deleteInfo.Credentials, Exceptions: exceptionsNames}); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-		},
-	}
-}
-
-// Check if the flag entered are valid
-func flagValidationDelete(deleteInfo *v1.Delete) error {
-
-	// Validate the user's credentials
-	return deleteInfo.Credentials.Validate()
-}

cmd/download/download.go

@@ -12,6 +12,7 @@ import (
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 var (
@@ -55,7 +56,7 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 			if len(args) < 1 {
 				return fmt.Errorf("policy type required, supported: %v", supported)
 			}
-			if cautils.StringInSlice(core.DownloadSupportCommands(), args[0]) == cautils.ValueNotFound {
+			if !slices.Contains(core.DownloadSupportCommands(), args[0]) {
 				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
 			}
 			return nil
@@ -82,9 +83,9 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 		},
 	}
 
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	downloadCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
+	downloadCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
 	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")
 
 	return downloadCmd
@@ -94,5 +95,5 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 func flagValidationDownload(downloadInfo *v1.DownloadInfo) error {
 
 	// Validate the user's credentials
-	return downloadInfo.Credentials.Validate()
+	return cautils.ValidateAccountID(downloadInfo.AccountID)
 }

cmd/fix/fix.go

@@ -17,7 +17,7 @@ var fixCmdExamples = fmt.Sprintf(`
   Use with caution, this command will change your files in-place.
 
   # Fix kubernetes YAML manifest files based on a scan command output (output.json)
-  1) %[1]s scan --format json --format-version v2 --output output.json
+  1) %[1]s scan . --format json --output output.json
   2) %[1]s fix output.json
 
 `, cautils.ExecName())
@@ -27,7 +27,7 @@ func GetFixCmd(ks meta.IKubescape) *cobra.Command {
 
 	fixCmd := &cobra.Command{
 		Use:     "fix <report output file>",
-		Short:   "Fix misconfiguration in files",
+		Short:   "Propose a fix for the misconfiguration found when scanning Kubernetes manifest files",
 		Long:    ``,
 		Example: fixCmdExamples,
 		RunE: func(cmd *cobra.Command, args []string) error {

cmd/image/README.md

@@ -0,0 +1,231 @@
+# Scan Command
+
+The scan command is used for scanning container images for vulnerabilities.
+It uses [grype](https://github.com/anchore/grype) under the hood for scanning the images.
+
+## Usage
+
+
+```bash
+kubescape image scan <image:tag> [flags]
+```
+
+### Flags
+| Flag                      | Description                                            | Required | Default |
+| ------------------------- | ------------------------------------------------------ |--------- | --------|
+| -u, --username            | Username for the image registry login                  | No       |         |
+| -p, --password            | Password for the image registry login                  | No       |         |
+| -f, --format              | Output file format.                                    | No       |         |
+| -o, --output              | Output file. Print output to file and not stdout       | No       |         |
+| -v, --verbose             | Display full report                                    | No       |  false  |
+| -s, --severity-threshold  | Maximum severity of a vulnerability                    | No       |         |
+| -h, --help                | help for scan                                          | No       |         |
+
+
+## Example
+
+We will demonstrate how to use the scan command with an example of [nginx](https://www.nginx.com/) image.
+
+### Steps
+
+1. In a terminal, run the `kubescape image scan` command: 
+    
+    ```bash
+    kubescape image scan nginx:1.22
+    ```
+
+2. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: nginx:1.22
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 184 vulnerabilities found:
+    ──────────────────────────────────────────────────
+    Image: nginx:1.22
+    * 3 Critical
+    * 35 High
+    * 43 Medium
+    * 103 Other
+
+    Most vulnerable components:
+    * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+    * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+    * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+    * libssl1.1 (1.1.1n-0+deb11u4) - 1 High, 5 Medium, 2 Negligible
+    * openssl (1.1.1n-0+deb11u4) - 1 High, 5 Medium, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator
+    ```
+
+
+# Patch Command
+
+The patch command is used for patching container images with vulnerabilities.  
+It uses [copa](https://github.com/project-copacetic/copacetic) and [buildkit](https://github.com/moby/buildkit) under the hood for patching the container images, and [grype](https://github.com/anchore/grype) as the engine for scanning the images.
+
+## Usage
+
+```bash
+kubescape image patch <image:tag> [flags]
+```
+### Pre-requisites
+
+- [docker](https://docs.docker.com/desktop/install/linux-install/#generic-installation-steps) daemon must be installed and running.
+- [buildkit](https://github.com/moby/buildkit) daemon must be installed
+
+### Running the patch command
+
+The patch command can be run in 2 ways:
+1. **With sudo privileges**
+
+    You will need to start `buildkitd` if it is not already running
+
+    ```bash
+    sudo buildkitd & 
+    sudo kubescape image patch <image>
+    ```
+
+2. **Without sudo privileges**
+   ```bash
+    export BUILDKIT_VERSION=v0.11.4
+    export BUILDKIT_PORT=8888
+
+    docker run \
+        --detach \
+        --rm \
+        --privileged \
+        -p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
+        --name buildkitd \
+        --entrypoint buildkitd \
+        "moby/buildkit:$BUILDKIT_VERSION" \
+        --addr tcp://0.0.0.0:$BUILDKIT_PORT
+
+    kubescape image patch <image-name> \
+        -a tcp://0.0.0.0:$BUILDKIT_PORT
+   ```
+
+### Flags
+
+| Flag           | Description                                            | Required | Default                             |
+| -------------- | ------------------------------------------------------ | -------- | ----------------------------------- |
+| -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
+| -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
+| --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| -u, --username | Username for the image registry login                  | No       |                                     |
+| -p, --password | Password for the image registry login                  | No       |                                     |
+| -f, --format   | Output file format.                                    | No       |                                     |
+| -o, --output   | Output file. Print output to file and not stdout       | No       |                                     |
+| -v, --verbose  | Display full report. Default to false                  | No       |                                     |
+| -h, --help     | help for patch                                         | No       |                                     |
+
+
+## Example
+
+We will demonstrate how to use the patch command with an example of [nginx](https://www.nginx.com/) image.
+
+### Steps
+
+1. Run `buildkitd` service:
+
+    ```bash
+    sudo buildkitd
+    ```
+
+2. In a seperate terminal, run the `kubescape image patch` command: 
+    
+    ```bash
+    sudo kubescape image patch docker.io/library/nginx:1.22
+    ```
+
+3. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: docker.io/library/nginx:1.22
+    ✅  Patched image successfully. Loaded image: nginx:1.22-patched
+    ✅  Successfully re-scanned image: nginx:1.22-patched
+
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 161 vulnerabilities found:
+    Image: nginx:1.22-patched
+      * 3 Critical
+      * 24 High
+      * 31 Medium
+      * 103 Other
+
+    Most vulnerable components:
+      * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+      * libxml2 (2.9.10+dfsg-6.7+deb11u4) - 1 High, 2 Medium
+      * perl-base (5.32.1-4+deb11u2) - 2 High, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator
+    ```
+
+## Limitations
+
+- The patch command can only fix OS-level vulnerability. It cannot fix application-level vulnerabilities. This is a limitation of copa. The reason behind this is that application level vulnerabilities are best suited to be fixed by the developers of the application.
+Hence, this is not really a limitation but a design decision.
+- No support for windows containers given the dependency on buildkit.

cmd/image/image.go

@@ -0,0 +1,61 @@
+package image
+
+import (
+	"fmt"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/spf13/cobra"
+)
+
+type imageCredentials struct {
+	Username string
+	Password string
+}
+
+var imageCmdExamples = fmt.Sprintf(`
+# Scan an image
+%[1]s image scan <image>:<tag>
+
+# Patch an image
+%[1]s image patch  <image>:<tag>
+`, cautils.ExecName())
+
+func GetImageCmd(ks meta.IKubescape) *cobra.Command {
+	var scanInfo cautils.ScanInfo
+	var imgCredentials imageCredentials
+
+	imageCmd := &cobra.Command{
+		Use:     "image",
+		Short:   "Scan or patch an image",
+		Example: imageCmdExamples,
+	}
+
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "sarif"`)
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	imageCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display full report. Default to false")
+
+	imageCmd.PersistentFlags().StringVarP(&scanInfo.FailThresholdSeverity, "severity-threshold", "s", "", "Severity threshold is the severity of a vulnerability at which the command fails and returns exit code 1")
+
+	imageCmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
+	imageCmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")
+
+	imageCmd.AddCommand(getScanCmd(ks, &scanInfo, &imgCredentials))
+	imageCmd.AddCommand(getPatchCmd(ks, &scanInfo, &imgCredentials))
+
+	imageCmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
+		// hide kube-context and server flags
+		command.Flags().MarkHidden("kube-context")
+		command.Flags().MarkHidden("server")
+
+		// this will prevent an infinite recursive call for the sub-commands of 'image'
+		if parent := command.Parent().Parent(); parent != nil {
+			parent.HelpFunc()(command, strings)
+			return
+		}
+
+		command.Parent().HelpFunc()(command, strings)
+	})
+
+	return imageCmd
+}

cmd/image/patch.go

@@ -0,0 +1,138 @@
+package image
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	ref "github.com/distribution/distribution/reference"
+	"github.com/docker/distribution/reference"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v2/pkg/imagescan"
+
+	"github.com/spf13/cobra"
+)
+
+var patchCmdExamples = fmt.Sprintf(`
+  # Patch the nginx:1.22 image
+  1) sudo buildkitd        # start buildkitd service, run in seperate terminal
+  2) sudo %[1]s patch nginx:1.22   # patch the image
+
+  # The patch command can also be run without sudo privileges
+  # Documentation: https://github.com/kubescape/kubescape/tree/master/cmd/image/README.md
+`, cautils.ExecName())
+
+func getPatchCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgCredentials *imageCredentials) *cobra.Command {
+
+	var patchInfo metav1.PatchInfo
+	patchCmd := &cobra.Command{
+		Use:     "patch <image>:<tag> [flags]",
+		Short:   "Patch container images with vulnerabilities ",
+		Long:    `Automatically patch container images with vulnerabilities`,
+		Example: patchCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			if err := validateImageScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			patchInfo.Username = imgCredentials.Username
+			patchInfo.Password = imgCredentials.Password
+			patchInfo.Image = args[0]
+
+			if err := validateImagePatchInfo(&patchInfo); err != nil {
+				return err
+			}
+
+			results, err := ks.Patch(context.Background(), &patchInfo, scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				utils.TerminateOnExceedingSeverity(scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
+	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+
+	return patchCmd
+}
+
+// validateImagePatchInfo validates the image patch info for the `patch` command
+func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
+
+	if patchInfo.Image == "" {
+		return errors.New("image tag is required")
+	}
+
+	// Convert image to canonical format (required by copacetic for patching images)
+	patchInfoImage, err := cautils.NormalizeImageName(patchInfo.Image)
+	if err != nil {
+		return nil
+	}
+
+	// Parse the image full name to get image name and tag
+	named, err := ref.ParseNamed(patchInfoImage)
+	if err != nil {
+		return err
+	}
+
+	// If no tag or digest is provided, default to 'latest'
+	if ref.IsNameOnly(named) {
+		logger.L().Warning("Image name has no tag or digest, using latest as tag")
+		named = ref.TagNameOnly(named)
+	}
+	patchInfo.Image = named.String()
+
+	// If no patched image tag is provided, default to '<image-tag>-patched'
+	if patchInfo.PatchedImageTag == "" {
+
+		taggedName, ok := named.(ref.Tagged)
+		if !ok {
+			return errors.New("unexpected error while parsing image tag")
+		}
+
+		patchInfo.ImageTag = taggedName.Tag()
+
+		if patchInfo.ImageTag == "" {
+			logger.L().Warning("No tag provided, defaulting to 'patched'")
+			patchInfo.PatchedImageTag = "patched"
+		} else {
+			patchInfo.PatchedImageTag = fmt.Sprintf("%s-%s", patchInfo.ImageTag, "patched")
+		}
+
+	}
+
+	// Extract the "image" name from the canonical Image URL
+	// If it's an official docker image, we store just the "image-name". Else if a docker repo then we store as "repo/image". Else complete URL
+	ref, _ := reference.ParseNormalizedNamed(patchInfo.Image)
+	imageName := named.Name()
+	if strings.Contains(imageName, "docker.io/library/") {
+		imageName = reference.Path(ref)
+		imageName = imageName[strings.LastIndex(imageName, "/")+1:]
+	} else if strings.Contains(imageName, "docker.io/") {
+		imageName = reference.Path(ref)
+	}
+	patchInfo.ImageName = imageName
+
+	return nil
+}

cmd/image/scan.go

@@ -0,0 +1,73 @@
+package image
+
+import (
+	"context"
+	"fmt"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v2/pkg/imagescan"
+	"github.com/spf13/cobra"
+)
+
+// TODO(vladklokun): document image scanning on the Kubescape Docs Hub?
+var (
+	imageExample = fmt.Sprintf(`
+  Scan an image for vulnerabilities. 
+
+  # Scan the 'nginx' image
+  %[1]s image scan "nginx"
+`, cautils.ExecName())
+)
+
+// imageCmd represents the image command
+func getScanCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgCredentials *imageCredentials) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "scan <image>:<tag> [flags]",
+		Short:   "Scan container images for vulnerabilities",
+		Example: imageExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := validateImageScanInfo(scanInfo); err != nil {
+				return err
+			}
+
+			imgScanInfo := &metav1.ImageScanInfo{
+				Image:    args[0],
+				Username: imgCredentials.Username,
+				Password: imgCredentials.Password,
+			}
+
+			results, err := ks.ScanImage(context.Background(), imgScanInfo, scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				utils.TerminateOnExceedingSeverity(scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+// validateImageScanInfo validates the ScanInfo struct for the `image` command
+func validateImageScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}

cmd/list/list.go

@@ -11,6 +11,7 @@ import (
 	"github.com/kubescape/kubescape/v2/core/meta"
 	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 var (
@@ -43,7 +44,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 			if len(args) < 1 {
 				return fmt.Errorf("policy type requeued, supported: %s", supported)
 			}
-			if cautils.StringInSlice(core.ListSupportActions(), args[0]) == cautils.ValueNotFound {
+			if !slices.Contains(core.ListSupportActions(), args[0]) {
 				return fmt.Errorf("invalid parameter '%s'. Supported parameters: %s", args[0], supported)
 			}
 			return nil
@@ -62,9 +63,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 			return nil
 		},
 	}
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	listCmd.PersistentFlags().StringVarP(&listPolicies.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
 	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
 	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outputs")
 
@@ -75,5 +74,5 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 func flagValidationList(listPolicies *v1.ListPolicies) error {
 
 	// Validate the user's credentials
-	return listPolicies.Credentials.Validate()
+	return cautils.ValidateAccountID(listPolicies.AccountID)
 }

cmd/root.go

@@ -6,14 +6,14 @@ import (
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v2/cmd/completion"
 	"github.com/kubescape/kubescape/v2/cmd/config"
-	"github.com/kubescape/kubescape/v2/cmd/delete"
 	"github.com/kubescape/kubescape/v2/cmd/download"
 	"github.com/kubescape/kubescape/v2/cmd/fix"
+	"github.com/kubescape/kubescape/v2/cmd/image"
 	"github.com/kubescape/kubescape/v2/cmd/list"
 	"github.com/kubescape/kubescape/v2/cmd/scan"
-	"github.com/kubescape/kubescape/v2/cmd/submit"
 	"github.com/kubescape/kubescape/v2/cmd/update"
 	"github.com/kubescape/kubescape/v2/cmd/version"
 	"github.com/kubescape/kubescape/v2/core/cautils"
@@ -27,11 +27,11 @@ import (
 var rootInfo cautils.RootInfo
 
 var ksExamples = fmt.Sprintf(`
-  # Scan command
+  # Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations
   %[1]s scan
 
-  # List supported frameworks
-  %[1]s list frameworks
+  # List supported controls
+  %[1]s list controls
 
   # Download artifacts (air-gapped environment support)
   %[1]s download artifacts
@@ -51,6 +51,13 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 		Use:     "kubescape",
 		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
 		Example: ksExamples,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			k8sinterface.SetClusterContextName(rootInfo.KubeContext)
+			initLogger()
+			initLoggerLevel()
+			initEnvironment()
+			initCacheDir()
+		},
 	}
 
 	if cautils.IsKrewPlugin() {
@@ -63,9 +70,10 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 		rootCmd.SetUsageTemplate(newUsageTemplate)
 	}
 
-	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLsDep, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&rootInfo.KSCloudBEURLs, "env", "", envFlagUsage)
-	rootCmd.PersistentFlags().MarkDeprecated("environment", "use 'env' instead")
+	rootCmd.PersistentFlags().StringVar(&rootInfo.DiscoveryServerURL, "server", "api.armosec.io", "Backend discovery server URL") // TODO: remove default value
+
+	rootCmd.PersistentFlags().MarkDeprecated("environment", "'environment' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
+	rootCmd.PersistentFlags().MarkDeprecated("env", "'env' is no longer supported, Use 'server' instead. Feel free to contact the Kubescape maintainers for more information.")
 	rootCmd.PersistentFlags().MarkHidden("environment")
 	rootCmd.PersistentFlags().MarkHidden("env")
 
@@ -74,22 +82,30 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 
 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable Color output for logging")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable Color output for logging")
-
-	cobra.OnInitialize(initLogger, initLoggerLevel, initEnvironment, initCacheDir)
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
+	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")
 
+	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	// Supported commands
 	rootCmd.AddCommand(scan.GetScanCommand(ks))
 	rootCmd.AddCommand(download.GetDownloadCmd(ks))
-	rootCmd.AddCommand(delete.GetDeleteCmd(ks))
 	rootCmd.AddCommand(list.GetListCmd(ks))
-	rootCmd.AddCommand(submit.GetSubmitCmd(ks))
 	rootCmd.AddCommand(completion.GetCompletionCmd())
 	rootCmd.AddCommand(version.GetVersionCmd())
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
 	rootCmd.AddCommand(update.GetUpdateCmd())
 	rootCmd.AddCommand(fix.GetFixCmd(ks))
+	rootCmd.AddCommand(image.GetImageCmd(ks))
+
+	// deprecated commands
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "submit",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
+	rootCmd.AddCommand(&cobra.Command{
+		Use:        "delete",
+		Deprecated: "This command is deprecated. Contact Kubescape maintainers for more information.",
+	})
 
 	return rootCmd
 }

cmd/rootutils.go

@@ -5,15 +5,19 @@ import (
 	"os"
 	"strings"
 
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/backend/pkg/servicediscovery"
+	sdClientV1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/go-logger/iconlogger"
+	"github.com/kubescape/go-logger/zaplogger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 
 	"github.com/mattn/go-isatty"
 )
 
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
-
 func initLogger() {
 	logger.DisableColor(rootInfo.DisableColor)
 	logger.EnableColor(rootInfo.EnableColor)
@@ -23,9 +27,9 @@ func initLogger() {
 			rootInfo.LoggerName = l
 		} else {
 			if isatty.IsTerminal(os.Stdout.Fd()) {
-				rootInfo.LoggerName = "pretty"
+				rootInfo.LoggerName = iconlogger.LoggerName
 			} else {
-				rootInfo.LoggerName = "zap"
+				rootInfo.LoggerName = zaplogger.LoggerName
 			}
 		}
 	}
@@ -56,35 +60,50 @@ func initCacheDir() {
 	logger.L().Debug("cache dir updated", helpers.String("path", getter.DefaultLocalStore))
 }
 func initEnvironment() {
-	if rootInfo.KSCloudBEURLs == "" {
-		rootInfo.KSCloudBEURLs = rootInfo.KSCloudBEURLsDep
+	if rootInfo.DiscoveryServerURL == "" {
+		return
 	}
-	urlSlices := strings.Split(rootInfo.KSCloudBEURLs, ",")
-	if len(urlSlices) != 1 && len(urlSlices) < 3 {
-		logger.L().Fatal("expected at least 3 URLs (report, api, frontend, auth)")
+
+	logger.L().Debug("fetching URLs from service discovery server", helpers.String("server", rootInfo.DiscoveryServerURL))
+
+	client, err := sdClientV1.NewServiceDiscoveryClientV1(rootInfo.DiscoveryServerURL)
+	if err != nil {
+		logger.L().Fatal("failed to create service discovery client", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
 	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev", "development":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIDev())
-		case "stage", "staging":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIStaging())
-		case "":
-			getter.SetKSCloudAPIConnector(getter.NewKSCloudAPIProd())
-		default:
-			logger.L().Fatal("--environment flag usage: " + envFlagUsage)
-		}
-	case 2:
-		logger.L().Fatal("--environment flag usage: " + envFlagUsage)
-	case 3, 4:
-		var ksAuthURL string
-		ksEventReceiverURL := urlSlices[0] // mandatory
-		ksBackendURL := urlSlices[1]       // mandatory
-		ksFrontendURL := urlSlices[2]      // mandatory
-		if len(urlSlices) >= 4 {
-			ksAuthURL = urlSlices[3]
-		}
-		getter.SetKSCloudAPIConnector(getter.NewKSCloudAPICustomized(ksEventReceiverURL, ksBackendURL, ksFrontendURL, ksAuthURL))
+
+	services, err := servicediscovery.GetServices(
+		client,
+	)
+
+	if err != nil {
+		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		return
 	}
+
+	logger.L().Debug("configuring service discovery URLs", helpers.String("cloudAPIURL", services.GetApiServerUrl()), helpers.String("cloudReportURL", services.GetReportReceiverHttpUrl()))
+
+	tenant := cautils.GetTenantConfig("", "", "", nil)
+	if services.GetApiServerUrl() != "" {
+		tenant.GetConfigObj().CloudAPIURL = services.GetApiServerUrl()
+	}
+	if services.GetReportReceiverHttpUrl() != "" {
+		tenant.GetConfigObj().CloudReportURL = services.GetReportReceiverHttpUrl()
+	}
+
+	if err = tenant.UpdateCachedConfig(); err != nil {
+		logger.L().Error("failed to update cached config", helpers.Error(err))
+	}
+
+	ksCloud, err := v1.NewKSCloudAPI(
+		services.GetApiServerUrl(),
+		services.GetReportReceiverHttpUrl(),
+		"",
+	)
+	if err != nil {
+		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+		return
+	}
+
+	getter.SetKSCloudAPIConnector(ksCloud)
 }

cmd/scan/control.go

@@ -11,10 +11,10 @@ import (
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/meta"
 
-	"github.com/enescakir/emoji"
 	"github.com/spf13/cobra"
 )
 
@@ -92,6 +92,7 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 			}
 
 			scanInfo.FrameworkScan = false
+			scanInfo.SetScanType(cautils.ScanTypeControl)
 
 			if err := validateControlScanInfo(scanInfo); err != nil {
 				return err
@@ -106,12 +107,15 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 				logger.L().Fatal(err.Error())
 			}
 			if !scanInfo.VerboseMode {
-				cautils.SimpleDisplay(os.Stderr, "%s  Run with '--verbose'/'-v' flag for detailed resources view\n\n", emoji.Detective)
+				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
 			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
-			enforceSeverityThresholds(results.GetResults().SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
+			enforceSeverityThresholds(results.GetResults().SummaryDetails.GetResourcesSeverityCounters(), scanInfo, utils.TerminateOnExceedingSeverity)
 
 			return nil
 		},
@@ -126,7 +130,7 @@ func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
 		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
 	}
 
-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}
 	return nil

cmd/scan/framework.go

@@ -11,9 +11,11 @@ import (
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+	"golang.org/x/exp/slices"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/meta"
@@ -41,7 +43,10 @@ var (
   Run '%[1]s list frameworks' for the list of supported frameworks
 `, cautils.ExecName())
 
-	ErrUnknownSeverity = errors.New("unknown severity")
+	ErrSecurityViewNotSupported = errors.New("security view is not supported for framework scan")
+	ErrBadThreshold             = errors.New("bad argument: out of range threshold")
+	ErrKeepLocalOrSubmit        = errors.New("you can use `keep-local` or `submit`, but not both")
+	ErrOmitRawResourcesOrSubmit = errors.New("you can use `omit-raw-resources` or `submit`, but not both")
 )
 
 func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
@@ -78,14 +83,15 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 
 			var frameworks []string
 
-			if len(args) == 0 { // scan all frameworks
+			if len(args) == 0 {
 				scanInfo.ScanAll = true
 			} else {
 				// Read frameworks from input args
 				frameworks = strings.Split(args[0], ",")
-				if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
+				if slices.Contains(frameworks, "all") {
 					scanInfo.ScanAll = true
 					frameworks = getter.NativeFrameworks
+
 				}
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {
@@ -105,6 +111,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 					}
 				}
 			}
+			scanInfo.SetScanType(cautils.ScanTypeFramework)
 			scanInfo.FrameworkScan = true
 
 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
@@ -118,14 +125,18 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			if err = results.HandleResults(ctx); err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if !scanInfo.VerboseMode {
-				cautils.SimpleDisplay(os.Stderr, "Run with '--verbose'/'-v' flag for detailed resources view\n\n")
+
+			if !scanInfo.VerboseMode && scanInfo.ScanType == cautils.ScanTypeFramework {
+				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
 			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
+			if results.GetComplianceScore() < float32(scanInfo.ComplianceThreshold) {
+				logger.L().Fatal("scan compliance-score is below permitted threshold", helpers.String("compliance-score", fmt.Sprintf("%.2f", results.GetComplianceScore())), helpers.String("compliance-threshold", fmt.Sprintf("%.2f", scanInfo.ComplianceThreshold)))
+			}
 
-			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, utils.TerminateOnExceedingSeverity)
 			return nil
 		},
 	}
@@ -134,7 +145,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 // countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
 func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
 	targetSeverity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(targetSeverity); err != nil {
+	if err := utils.ValidateSeverity(targetSeverity); err != nil {
 		return false, err
 	}
 
@@ -167,11 +178,6 @@ func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCou
 
 }
 
-// terminateOnExceedingSeverity terminates the application on exceeding severity
-func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
-	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
-}
-
 // enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
 //
 // The function forces the application to terminate with an exit code 1 if at least one control failed control that exceeds the set severity threshold
@@ -188,33 +194,29 @@ func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters,
 	}
 }
 
-// validateSeverity returns an error if a given severity is not known, nil otherwise
-func validateSeverity(severity string) error {
-	for _, val := range reporthandlingapis.GetSupportedSeverities() {
-		if strings.EqualFold(severity, val) {
-			return nil
-		}
-	}
-	return ErrUnknownSeverity
-
-}
-
 // validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
 func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
+	if scanInfo.View == string(cautils.SecurityViewType) {
+		return ErrSecurityViewNotSupported
+	}
+
 	if scanInfo.Submit && scanInfo.Local {
-		return fmt.Errorf("you can use `keep-local` or `submit`, but not both")
+		return ErrKeepLocalOrSubmit
+	}
+	if 100 < scanInfo.ComplianceThreshold || 0 > scanInfo.ComplianceThreshold {
+		return ErrBadThreshold
 	}
 	if 100 < scanInfo.FailThreshold || 0 > scanInfo.FailThreshold {
-		return fmt.Errorf("bad argument: out of range threshold")
+		return ErrBadThreshold
 	}
 	if scanInfo.Submit && scanInfo.OmitRawResources {
-		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
+		return ErrOmitRawResourcesOrSubmit
 	}
 	severity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if err := utils.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}
 
 	// Validate the user's credentials
-	return scanInfo.Credentials.Validate()
+	return cautils.ValidateAccountID(scanInfo.AccountID)
 }

cmd/scan/scan.go

@@ -1,28 +1,30 @@
 package scan
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"strings"
 
-	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )
 
 var scanCmdExamples = fmt.Sprintf(`
   Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
   
-  # Scan current cluster with all frameworks
-  %[1]s scan --enable-host-scan --verbose
+  # Scan current cluster
+  %[1]s scan
 
-  # Scan kubernetes YAML manifest files
+  # Scan kubernetes manifest files 
   %[1]s scan .
 
   # Scan and save the results in the JSON format
-  %[1]s scan --format json --output results.json --format-version=v2
+  %[1]s scan --format json --output results.json
 
   # Display all resources
   %[1]s scan --verbose
@@ -37,44 +39,34 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	// scanCmd represents the scan command
 	scanCmd := &cobra.Command{
 		Use:     "scan",
-		Short:   "Scan the current running cluster or yaml files",
+		Short:   "Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations",
 		Long:    `The action you want to perform`,
 		Example: scanCmdExamples,
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				if args[0] != "framework" && args[0] != "control" {
-					return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{"all"}, args...))
-				}
-			}
-			return nil
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if scanInfo.View == string(cautils.SecurityViewType) {
+				setSecurityViewScanInfo(args, &scanInfo)
 
-			if len(args) == 0 {
-				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, []string{strings.Join(getter.NativeFrameworks, ",")})
+				return securityScan(scanInfo, ks)
+			}
+
+			if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
+				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...))
 			}
 			return nil
 		},
-		PreRun: func(cmd *cobra.Command, args []string) {
-			k8sinterface.SetClusterContextName(scanInfo.KubeContext)
-
-		},
 		PostRun: func(cmd *cobra.Command, args []string) {
 			// TODO - revert context
 		},
 	}
 
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.CreateAccount, "create-account", false, "Create a Kubescape SaaS account ID account ID is not found in cache. After creating the account, the account ID will be saved in cache. In addition, the scanning results will be uploaded to the Kubescape SaaS")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. e.g: --exclude-namespaces ns-a,ns-b. Notice, when running with `exclude-namespace` kubescape does not scan cluster-scoped objects.")
 
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
+	scanCmd.PersistentFlags().Float32VarP(&scanInfo.ComplianceThreshold, "compliance-threshold", "", 0, "Compliance threshold is the percent below which the command fails and returns exit code 1")
 
 	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
@@ -82,7 +74,7 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.ResourceViewType))
+	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.SecurityViewType, cautils.ResourceViewType))
 	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
@@ -91,11 +83,16 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")
 
 	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
+	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
+
+	scanCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
+	scanCmd.PersistentFlags().MarkDeprecated("create-account", "Create account is no longer supported. In case of a missing Account ID and a configured backend server, a new account id will be generated automatically by Kubescape. Feel free to contact the Kubescape maintainers for more information.")
+	scanCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
 
 	// hidden flags
-	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
 	scanCmd.PersistentFlags().MarkHidden("omit-raw-resources")
 	scanCmd.PersistentFlags().MarkHidden("print-attack-tree")
 
@@ -105,9 +102,43 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
 	hostF.NoOptDefVal = "true"
 	hostF.DefValue = "false, for no TTY in stdin"
+	scanCmd.PersistentFlags().MarkHidden("enable-host-scan")
+	scanCmd.PersistentFlags().MarkDeprecated("enable-host-scan", "To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator. The flag will be removed at 1.Dec.2023")
+
+	scanCmd.PersistentFlags().MarkHidden("host-scan-yaml") // this flag should be used very cautiously. We prefer users will not use it at all unless the DaemonSet can not run pods on the nodes
+	scanCmd.PersistentFlags().MarkDeprecated("host-scan-yaml", "To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator. The flag will be removed at 1.Dec.2023")
 
 	scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
 	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
+	scanCmd.AddCommand(getWorkloadCmd(ks, &scanInfo))
 
 	return scanCmd
 }
+
+func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
+	if len(args) > 0 {
+		scanInfo.SetScanType(cautils.ScanTypeRepo)
+		scanInfo.InputPatterns = args
+	} else {
+		scanInfo.SetScanType(cautils.ScanTypeCluster)
+	}
+	scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
+}
+
+func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
+
+	ctx := context.TODO()
+
+	results, err := ks.Scan(ctx, &scanInfo)
+	if err != nil {
+		return err
+	}
+
+	if err = results.HandleResults(ctx); err != nil {
+		return err
+	}
+
+	enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), &scanInfo, utils.TerminateOnExceedingSeverity)
+
+	return nil
+}

cmd/scan/scan_test.go

@@ -1,16 +1,14 @@
 package scan
 
 import (
-	"context"
-
 	"github.com/kubescape/go-logger/helpers"
 
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 
-	"os"
-	"reflect"
 	"testing"
 )
 
@@ -111,7 +109,7 @@ func TestExceedsSeverity(t *testing.T) {
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
 			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
 			Want:             false,
-			Error:            ErrUnknownSeverity,
+			Error:            utils.ErrUnknownSeverity,
 		},
 	}
 
@@ -175,82 +173,105 @@ func Test_enforceSeverityThresholds(t *testing.T) {
 	}
 }
 
-type spyLogMessage struct {
-	Message string
-	Details map[string]string
-}
-
-type spyLogger struct {
-	setItems []spyLogMessage
-}
-
-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)   {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)    {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)   {}
-func (l *spyLogger) SetLevel(level string) error                     { return nil }
-func (l *spyLogger) GetLevel() string                                { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                            {}
-func (l *spyLogger) GetWriter() *os.File                             { return &os.File{} }
-func (l *spyLogger) LoggerName() string                              { return "" }
-func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger           { return l }
-
-func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
-	firstDetail := details[0]
-	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
-
-	newMsg := spyLogMessage{msg, detailsMap}
-	l.setItems = append(l.setItems, newMsg)
-}
-
-func (l *spyLogger) GetSpiedItems() []spyLogMessage {
-	return l.setItems
-}
-
-func Test_terminateOnExceedingSeverity(t *testing.T) {
-	expectedMessage := "result exceeds severity threshold"
-	expectedKey := "set severity threshold"
-
-	testCases := []struct {
-		Description     string
-		ExpectedMessage string
-		ExpectedKey     string
-		ExpectedValue   string
-		Logger          *spyLogger
+func TestSetSecurityViewScanInfo(t *testing.T) {
+	tests := []struct {
+		name string
+		args []string
+		want *cautils.ScanInfo
 	}{
 		{
-			"Should log the Critical threshold that was set in scan info",
-			expectedMessage,
-			expectedKey,
-			apis.SeverityCriticalString,
-			&spyLogger{},
+			name: "no args",
+			args: []string{},
+			want: &cautils.ScanInfo{
+				InputPatterns: []string{},
+				ScanType:      cautils.ScanTypeCluster,
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "clusterscan",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "mitre",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "nsa",
+					},
+				},
+			},
 		},
 		{
-			"Should log the High threshold that was set in scan info",
-			expectedMessage,
-			expectedKey,
-			apis.SeverityHighString,
-			&spyLogger{},
+			name: "with args",
+			args: []string{
+				"file.yaml",
+				"file2.yaml",
+			},
+			want: &cautils.ScanInfo{
+				ScanType: cautils.ScanTypeRepo,
+				InputPatterns: []string{
+					"file.yaml",
+					"file2.yaml",
+				},
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "clusterscan",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "mitre",
+					},
+					{
+						Kind:       v1.KindFramework,
+						Identifier: "nsa",
+					},
+				},
+			},
 		},
 	}
 
-	for _, tc := range testCases {
-		t.Run(
-			tc.Description,
-			func(t *testing.T) {
-				want := []spyLogMessage{
-					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
-				}
-				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &cautils.ScanInfo{
+				View: string(cautils.SecurityViewType),
+			}
+			setSecurityViewScanInfo(tt.args, got)
 
-				terminateOnExceedingSeverity(scanInfo, tc.Logger)
+			if len(tt.want.InputPatterns) != len(got.InputPatterns) {
+				t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.InputPatterns, tt.want.InputPatterns)
+			}
 
-				got := tc.Logger.GetSpiedItems()
-				if !reflect.DeepEqual(got, want) {
-					t.Errorf("got: %v, want: %v", got, want)
+			if tt.want.ScanType != got.ScanType {
+				t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.ScanType, tt.want.ScanType)
+			}
+
+			for i := range tt.want.InputPatterns {
+				found := false
+				for j := range tt.want.InputPatterns[i] {
+					if tt.want.InputPatterns[i][j] == got.InputPatterns[i][j] {
+						found = true
+						break
+					}
 				}
-			},
-		)
+				if !found {
+					t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.InputPatterns, tt.want.InputPatterns)
+				}
+			}
+
+			for i := range tt.want.PolicyIdentifier {
+				found := false
+				for j := range got.PolicyIdentifier {
+					if tt.want.PolicyIdentifier[i].Kind == got.PolicyIdentifier[j].Kind && tt.want.PolicyIdentifier[i].Identifier == got.PolicyIdentifier[j].Identifier {
+						found = true
+						break
+					}
+				}
+				if !found {
+					t.Errorf("in test: %s, got: %v, want: %v", tt.name, got.PolicyIdentifier, tt.want.PolicyIdentifier)
+				}
+			}
+		})
 	}
+
 }

cmd/scan/validators_test.go

@@ -3,6 +3,7 @@ package scan
 import (
 	"testing"
 
+	"github.com/kubescape/kubescape/v2/cmd/utils"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 )
 
@@ -26,7 +27,7 @@ func Test_validateControlScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			utils.ErrUnknownSeverity,
 		},
 	}
 
@@ -66,7 +67,17 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			utils.ErrUnknownSeverity,
+		},
+		{
+			"Security view should be invalid for scan info",
+			&cautils.ScanInfo{View: string(cautils.SecurityViewType)},
+			ErrSecurityViewNotSupported,
+		},
+		{
+			"Empty view should be valid for scan info",
+			&cautils.ScanInfo{},
+			nil,
 		},
 	}
 
@@ -86,27 +97,22 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 	}
 }
 
-func Test_validateSeverity(t *testing.T) {
+func Test_validateWorkloadIdentifier(t *testing.T) {
 	testCases := []struct {
 		Description string
 		Input       string
 		Want        error
 	}{
-		{"low should be a valid severity", "low", nil},
-		{"Low should be a valid severity", "Low", nil},
-		{"medium should be a valid severity", "medium", nil},
-		{"Medium should be a valid severity", "Medium", nil},
-		{"high should be a valid severity", "high", nil},
-		{"Critical should be a valid severity", "Critical", nil},
-		{"critical should be a valid severity", "critical", nil},
-		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+		{"valid workload identifier should be valid", "deployment/test", nil},
+		{"invalid workload identifier missing kind", "deployment", ErrInvalidWorkloadIdentifier},
+		{"invalid workload identifier with namespace", "ns/deployment/name", ErrInvalidWorkloadIdentifier},
 	}
 
 	for _, testCase := range testCases {
 		t.Run(testCase.Description, func(t *testing.T) {
 			input := testCase.Input
 			want := testCase.Want
-			got := validateSeverity(input)
+			got := validateWorkloadIdentifier(input)
 
 			if got != want {
 				t.Errorf("got: %v, want: %v", got, want)

cmd/scan/workload.go

@@ -0,0 +1,126 @@
+package scan
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	workloadExample = fmt.Sprintf(`
+  This command is still in BETA. Feel free to contact the Kubescape maintainers for more information.
+
+  Scan a workload for misconfigurations and image vulnerabilities.
+
+  # Scan an workload
+  %[1]s scan workload <kind>/<name>
+	
+  # Scan an workload in a specific namespace
+  %[1]s scan workload <kind>/<name> --namespace <namespace>
+
+  # Scan an workload from a file path
+  %[1]s scan workload <kind>/<name> --file-path <file path>
+  
+  # Scan an workload from a helm-chart template
+  %[1]s scan workload <kind>/<name> --chart-path <chart path> --file-path <file path>
+
+
+`, cautils.ExecName())
+
+	ErrInvalidWorkloadIdentifier = errors.New("invalid workload identifier")
+)
+
+var namespace string
+
+// controlCmd represents the control command
+func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	workloadCmd := &cobra.Command{
+		Use:     "workload <kind>/<name> [`<glob pattern>`/`-`] [flags]",
+		Short:   "Scan a workload for misconfigurations and image vulnerabilities",
+		Example: workloadExample,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("usage: <kind>/<name> [`<glob pattern>`/`-`] [flags]")
+			}
+
+			if scanInfo.ChartPath != "" && scanInfo.FilePath == "" {
+				return fmt.Errorf("usage: --chart-path <chart path> --file-path <file path>")
+			}
+
+			return validateWorkloadIdentifier(args[0])
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			kind, name, err := parseWorkloadIdentifierString(args[0])
+			if err != nil {
+				return fmt.Errorf("invalid input: %s", err.Error())
+			}
+
+			setWorkloadScanInfo(scanInfo, kind, name)
+
+			// todo: add api version if provided
+			ctx := context.TODO()
+			results, err := ks.Scan(ctx, scanInfo)
+			if err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			if err = results.HandleResults(ctx); err != nil {
+				logger.L().Fatal(err.Error())
+			}
+
+			return nil
+		},
+	}
+	workloadCmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "", "Namespace of the workload. Default will be empty.")
+	workloadCmd.PersistentFlags().StringVar(&scanInfo.FilePath, "file-path", "", "Path to the workload file.")
+	workloadCmd.PersistentFlags().StringVar(&scanInfo.ChartPath, "chart-path", "", "Path to the helm chart the workload is part of. Must be used with --file-path.")
+
+	return workloadCmd
+}
+
+func setWorkloadScanInfo(scanInfo *cautils.ScanInfo, kind string, name string) {
+	scanInfo.SetScanType(cautils.ScanTypeWorkload)
+	scanInfo.ScanImages = true
+
+	scanInfo.ScanObject = &objectsenvelopes.ScanObject{}
+	scanInfo.ScanObject.SetNamespace(namespace)
+	scanInfo.ScanObject.SetKind(kind)
+	scanInfo.ScanObject.SetName(name)
+
+	scanInfo.SetPolicyIdentifiers([]string{"workloadscan"}, v1.KindFramework)
+
+	if scanInfo.FilePath != "" {
+		scanInfo.InputPatterns = []string{scanInfo.FilePath}
+	}
+}
+
+func validateWorkloadIdentifier(workloadIdentifier string) error {
+	// workloadIdentifier is in the form of kind/name
+	x := strings.Split(workloadIdentifier, "/")
+	if len(x) != 2 || x[0] == "" || x[1] == "" {
+		return ErrInvalidWorkloadIdentifier
+	}
+
+	return nil
+}
+
+func parseWorkloadIdentifierString(workloadIdentifier string) (kind, name string, err error) {
+	// workloadIdentifier is in the form of namespace/kind/name
+	// example: default/Deployment/nginx-deployment
+	x := strings.Split(workloadIdentifier, "/")
+	if len(x) != 2 {
+		return "", "", ErrInvalidWorkloadIdentifier
+	}
+
+	return x[0], x[1], nil
+}

cmd/scan/workload_test.go

@@ -0,0 +1,69 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
+)
+
+func TestSetWorkloadScanInfo(t *testing.T) {
+	test := []struct {
+		Description string
+		kind        string
+		name        string
+		want        *cautils.ScanInfo
+	}{
+		{
+			Description: "Set workload scan info",
+			kind:        "Deployment",
+			name:        "test",
+			want: &cautils.ScanInfo{
+				PolicyIdentifier: []cautils.PolicyIdentifier{
+					{
+						Identifier: "workloadscan",
+						Kind:       v1.KindFramework,
+					},
+				},
+				ScanType: cautils.ScanTypeWorkload,
+				ScanObject: &objectsenvelopes.ScanObject{
+					Kind: "Deployment",
+					Metadata: objectsenvelopes.ScanObjectMetadata{
+						Name: "test",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range test {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				scanInfo := &cautils.ScanInfo{}
+				setWorkloadScanInfo(scanInfo, tc.kind, tc.name)
+
+				if scanInfo.ScanType != tc.want.ScanType {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanType, tc.want.ScanType)
+				}
+
+				if scanInfo.ScanObject.Kind != tc.want.ScanObject.Kind {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanObject.Kind, tc.want.ScanObject.Kind)
+				}
+
+				if scanInfo.ScanObject.Metadata.Name != tc.want.ScanObject.Metadata.Name {
+					t.Errorf("got: %v, want: %v", scanInfo.ScanObject.Metadata.Name, tc.want.ScanObject.Metadata.Name)
+				}
+
+				if len(scanInfo.PolicyIdentifier) != 1 {
+					t.Errorf("got: %v, want: %v", len(scanInfo.PolicyIdentifier), 1)
+				}
+
+				if scanInfo.PolicyIdentifier[0].Identifier != tc.want.PolicyIdentifier[0].Identifier {
+					t.Errorf("got: %v, want: %v", scanInfo.PolicyIdentifier[0].Identifier, tc.want.PolicyIdentifier[0].Identifier)
+				}
+			},
+		)
+	}
+}

cmd/submit/exceptions.go

@@ -1,35 +0,0 @@
-package submit
-
-import (
-	"context"
-	"fmt"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-
-	"github.com/spf13/cobra"
-)
-
-func getExceptionsCmd(ks meta.IKubescape, submitInfo *metav1.Submit) *cobra.Command {
-	return &cobra.Command{
-		Use:   "exceptions <full path to exceptions file>",
-		Short: "Submit exceptions to the Kubescape SaaS version",
-		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return fmt.Errorf("missing full path to exceptions file")
-			}
-			return nil
-		},
-		Run: func(cmd *cobra.Command, args []string) {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-
-			if err := ks.SubmitExceptions(context.TODO(), &submitInfo.Credentials, args[0]); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-		},
-	}
-}

cmd/submit/rbac.go

@@ -1,98 +0,0 @@
-package submit
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/google/uuid"
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
-
-	"github.com/kubescape/rbac-utils/rbacscanner"
-	"github.com/spf13/cobra"
-)
-
-var (
-	rbacExamples = fmt.Sprintf(`
-	# Submit cluster's Role-Based Access Control(RBAC)
-	%[1]s submit rbac
-
-	# Submit cluster's Role-Based Access Control(RBAC) with account ID 
-	%[1]s submit rbac --account <account-id>
-	`, cautils.ExecName())
-)
-
-// getRBACCmd represents the RBAC command
-func getRBACCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
-	return &cobra.Command{
-		Use:        "rbac",
-		Deprecated: "This command is deprecated and will not be supported after 1/Jan/2023. Please use the 'scan' command instead.",
-		Example:    rbacExamples,
-		Short:      "Submit cluster's Role-Based Access Control(RBAC)",
-		Long:       ``,
-		RunE: func(_ *cobra.Command, args []string) error {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				return err
-			}
-
-			k8s := k8sinterface.NewKubernetesApi()
-
-			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
-			if err := clusterConfig.SetTenant(); err != nil {
-				logger.L().Error("failed setting account ID", helpers.Error(err))
-			}
-
-			if clusterConfig.GetAccountID() == "" {
-				return fmt.Errorf("account ID is not set, run '%[1]s submit rbac --account <account-id>'", cautils.ExecName())
-			}
-
-			// list RBAC
-			rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetAccountID(), clusterConfig.GetContextName()))
-
-			// submit resources
-			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextRBAC)
-
-			submitInterfaces := cliinterfaces.SubmitInterfaces{
-				ClusterConfig: clusterConfig,
-				SubmitObjects: rbacObjects,
-				Reporter:      r,
-			}
-
-			if err := ks.Submit(context.TODO(), submitInterfaces); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-			return nil
-		},
-	}
-
-}
-
-// getKubernetesApi
-func getKubernetesApi() *k8sinterface.KubernetesApi {
-	if !k8sinterface.IsConnectedToCluster() {
-		return nil
-	}
-	return k8sinterface.NewKubernetesApi()
-}
-func getTenantConfig(credentials *cautils.Credentials, clusterName string, customClusterName string, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
-	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return cautils.NewLocalConfig(getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
-	}
-	return cautils.NewClusterConfig(k8s, getter.GetKSCloudAPIConnector(), credentials, clusterName, customClusterName)
-}
-
-// Check if the flag entered are valid
-func flagValidationSubmit(submitInfo *v1.Submit) error {
-
-	// Validate the user's credentials
-	return submitInfo.Credentials.Validate()
-}

cmd/submit/results.go

@@ -1,106 +0,0 @@
-package submit
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-
-	"github.com/google/uuid"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/k8s-interface/workloadinterface"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	"github.com/kubescape/kubescape/v2/core/meta/cliinterfaces"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	reporterv2 "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter/v2"
-
-	"github.com/spf13/cobra"
-)
-
-var formatVersion string
-
-type ResultsObject struct {
-	filePath     string
-	customerGUID string
-	clusterName  string
-}
-
-func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
-	return &ResultsObject{
-		filePath:     filePath,
-		customerGUID: customerGUID,
-		clusterName:  clusterName,
-	}
-}
-
-func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandlingv2.PostureReport, error) {
-	// load framework results from json file
-	report, err := loadResultsFromFile(resultsObject.filePath)
-	if err != nil {
-		return nil, err
-	}
-	return report, nil
-}
-
-func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
-	return map[string]workloadinterface.IMetadata{}, nil
-}
-
-func getResultsCmd(ks meta.IKubescape, submitInfo *v1.Submit) *cobra.Command {
-	var resultsCmd = &cobra.Command{
-		Use:   fmt.Sprintf("results <json file>\nExample:\n$ %[1]s submit results path/to/results.json --format-version v2", cautils.ExecName()),
-		Short: "Submit a pre scanned results file. The file must be in json format",
-		Long:  ``,
-		RunE: func(cmd *cobra.Command, args []string) error {
-
-			if err := flagValidationSubmit(submitInfo); err != nil {
-				return err
-			}
-
-			if len(args) == 0 {
-				return fmt.Errorf("missing results file")
-			}
-
-			k8s := getKubernetesApi()
-
-			// get config
-			clusterConfig := getTenantConfig(&submitInfo.Credentials, "", "", k8s)
-			if err := clusterConfig.SetTenant(); err != nil {
-				logger.L().Error("failed setting account ID", helpers.Error(err))
-			}
-
-			resultsObjects := NewResultsObject(clusterConfig.GetAccountID(), clusterConfig.GetContextName(), args[0])
-
-			r := reporterv2.NewReportEventReceiver(clusterConfig.GetConfigObj(), uuid.NewString(), reporterv2.SubmitContextScan)
-
-			submitInterfaces := cliinterfaces.SubmitInterfaces{
-				ClusterConfig: clusterConfig,
-				SubmitObjects: resultsObjects,
-				Reporter:      r,
-			}
-
-			if err := ks.Submit(context.TODO(), submitInterfaces); err != nil {
-				logger.L().Fatal(err.Error())
-			}
-			return nil
-		},
-	}
-	resultsCmd.PersistentFlags().StringVar(&formatVersion, "format-version", "v2", "Output object can be different between versions, this is for maintaining backward and forward compatibility. Supported:'v1'/'v2'")
-
-	return resultsCmd
-}
-func loadResultsFromFile(filePath string) (*reporthandlingv2.PostureReport, error) {
-	report := &reporthandlingv2.PostureReport{}
-	f, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(f, report); err != nil {
-		return report, fmt.Errorf("failed to unmarshal results file: %s, make sure you run kubescape with '--format=json --format-version=v2'", err.Error())
-	}
-	return report, nil
-}

cmd/submit/submit.go

@@ -1,40 +0,0 @@
-package submit
-
-import (
-	"fmt"
-
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-	"github.com/spf13/cobra"
-)
-
-var submitCmdExamples = fmt.Sprintf(`
-# Submit Kubescape scan results file
-%[1]s submit results
-
-# Submit exceptions file to Kubescape SaaS
-%[1]s submit exceptions
-`, cautils.ExecName())
-
-func GetSubmitCmd(ks meta.IKubescape) *cobra.Command {
-	var submitInfo metav1.Submit
-
-	submitCmd := &cobra.Command{
-		Use:     "submit <command>",
-		Short:   "Submit an object to the Kubescape SaaS version",
-		Long:    ``,
-		Example: submitCmdExamples,
-		Run: func(cmd *cobra.Command, args []string) {
-		},
-	}
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.Account, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.ClientID, "client-id", "", "", "Kubescape SaaS client ID. Default will load client ID from cache, read more - https://hub.armosec.io/docs/authentication")
-	submitCmd.PersistentFlags().StringVarP(&submitInfo.Credentials.SecretKey, "secret-key", "", "", "Kubescape SaaS secret key. Default will load secret key from cache, read more - https://hub.armosec.io/docs/authentication")
-
-	submitCmd.AddCommand(getExceptionsCmd(ks, &submitInfo))
-	submitCmd.AddCommand(getResultsCmd(ks, &submitInfo))
-	submitCmd.AddCommand(getRBACCmd(ks, &submitInfo))
-
-	return submitCmd
-}

cmd/update/update.go

@@ -6,14 +6,17 @@ package update
 
 import (
 	"fmt"
-	"os/exec"
-	"runtime"
 
 	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
 
+const (
+	installationLink string = "https://github.com/kubescape/kubescape/blob/master/docs/installation.md"
+)
+
 var updateCmdExamples = fmt.Sprintf(`
   # Update to the latest kubescape release
   %[1]s update
@@ -22,42 +25,16 @@ var updateCmdExamples = fmt.Sprintf(`
 func GetUpdateCmd() *cobra.Command {
 	updateCmd := &cobra.Command{
 		Use:     "update",
-		Short:   "Update your version",
+		Short:   "Update to latest release version",
 		Long:    ``,
 		Example: updateCmdExamples,
 		RunE: func(_ *cobra.Command, args []string) error {
 			//Checking the user's version of kubescape to the latest release
 			if cautils.BuildNumber == cautils.LatestReleaseVersion {
 				//your version == latest version
-				logger.L().Info(("You are in the latest version"))
+				logger.L().Info(("Nothing to update, you are running the latest version"), helpers.String("Version", cautils.BuildNumber))
 			} else {
-
-				const OSTYPE string = runtime.GOOS
-				var ShellToUse string
-				switch OSTYPE {
-
-				case "windows":
-					cautils.StartSpinner()
-					//run the installation command for windows
-					ShellToUse = "powershell"
-					_, err := exec.Command(ShellToUse, "-c", "iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex").Output()
-
-					if err != nil {
-						logger.L().Fatal(err.Error())
-					}
-					cautils.StopSpinner()
-
-				default:
-					ShellToUse = "bash"
-					cautils.StartSpinner()
-					//run the installation command for linux and macOS
-					_, err := exec.Command(ShellToUse, "-c", "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash").Output()
-					if err != nil {
-						logger.L().Fatal(err.Error())
-					}
-
-					cautils.StopSpinner()
-				}
+				fmt.Printf("Please refer to our installation docs in the following link: %s", installationLink)
 			}
 			return nil
 		},

cmd/utils/utils.go

@@ -0,0 +1,27 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+var ErrUnknownSeverity = fmt.Errorf("unknown severity. Supported severities are: %s", strings.Join(reporthandlingapis.GetSupportedSeverities(), ", "))
+
+// validateSeverity returns an error if a given severity is not known, nil otherwise
+func ValidateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+func TerminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("Set severity threshold", scanInfo.FailThresholdSeverity))
+}

cmd/utils/utils_test.go

@@ -0,0 +1,124 @@
+package utils
+
+import (
+	"context"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) SetLevel(level string) error                         { return nil }
+func (l *spyLogger) GetLevel() string                                    { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                {}
+func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                  { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func TestTerminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "Set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				TerminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func TestValidateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := ValidateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}

cmd/version/version.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/spf13/cobra"
 )
@@ -19,10 +20,10 @@ func GetVersionCmd() *cobra.Command {
 			v := cautils.NewIVersionCheckHandler(ctx)
 			v.CheckLatestVersion(ctx, cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
 			fmt.Fprintf(os.Stdout,
-				"Your current version is: %s [git enabled in build: %t]\n",
+				"Your current version is: %s\n",
 				cautils.BuildNumber,
-				isGitEnabled(),
 			)
+			logger.L().Debug(fmt.Sprintf("git enabled in build: %t", isGitEnabled()))
 			return nil
 		},
 	}

core/cautils/customerloader.go

@@ -3,13 +3,16 @@ package cautils
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
-	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/google/uuid"
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/backend/pkg/servicediscovery"
+	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
@@ -17,7 +20,20 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-const configFileName = "config"
+const (
+	configFileName              string = "config"
+	kubescapeNamespace          string = "kubescape"
+	kubescapeConfigMapName      string = "kubescape-config"
+	kubescapeCloudConfigMapName string = "ks-cloud-config"
+
+	// env vars
+	defaultConfigMapNameEnvVar      string = "KS_DEFAULT_CONFIGMAP_NAME"
+	defaultCloudConfigMapNameEnvVar string = "KS_DEFAULT_CLOUD_CONFIGMAP_NAME"
+	defaultConfigMapNamespaceEnvVar string = "KS_DEFAULT_CONFIGMAP_NAMESPACE"
+	accountIdEnvVar                 string = "KS_ACCOUNT_ID"
+	cloudApiUrlEnvVar               string = "KS_CLOUD_API_URL"
+	cloudReportUrlEnvVar            string = "KS_CLOUD_REPORT_URL"
+)
 
 func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
 
@@ -26,17 +42,10 @@ func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName +
 // ======================================================================================
 
 type ConfigObj struct {
-	AccountID          string `json:"accountID,omitempty"`
-	ClientID           string `json:"clientID,omitempty"`
-	SecretKey          string `json:"secretKey,omitempty"`
-	CustomerGUID       string `json:"customerGUID,omitempty"` // Deprecated
-	Token              string `json:"invitationParam,omitempty"`
-	CustomerAdminEMail string `json:"adminMail,omitempty"`
-	ClusterName        string `json:"clusterName,omitempty"`
-	CloudReportURL     string `json:"cloudReportURL,omitempty"`
-	CloudAPIURL        string `json:"cloudAPIURL,omitempty"`
-	CloudUIURL         string `json:"cloudUIURL,omitempty"`
-	CloudAuthURL       string `json:"cloudAuthURL,omitempty"`
+	AccountID      string `json:"accountID,omitempty"`
+	ClusterName    string `json:"clusterName,omitempty"`
+	CloudReportURL string `json:"cloudReportURL,omitempty"`
+	CloudAPIURL    string `json:"cloudAPIURL,omitempty"`
 }
 
 // Config - convert ConfigObj to config file
@@ -44,17 +53,11 @@ func (co *ConfigObj) Config() []byte {
 
 	// remove cluster name before saving to file
 	clusterName := co.ClusterName
-	customerAdminEMail := co.CustomerAdminEMail
-	token := co.Token
 	co.ClusterName = ""
-	co.Token = ""
-	co.CustomerAdminEMail = ""
 
 	b, err := json.MarshalIndent(co, "", "  ")
 
 	co.ClusterName = clusterName
-	co.CustomerAdminEMail = customerAdminEMail
-	co.Token = token
 
 	if err == nil {
 		return b
@@ -63,55 +66,61 @@ func (co *ConfigObj) Config() []byte {
 	return []byte{}
 }
 
+func (co *ConfigObj) updateEmptyFields(inCO *ConfigObj) error {
+	if inCO.AccountID != "" {
+		co.AccountID = inCO.AccountID
+	}
+	if inCO.CloudAPIURL != "" {
+		co.CloudAPIURL = inCO.CloudAPIURL
+	}
+	if inCO.CloudReportURL != "" {
+		co.CloudReportURL = inCO.CloudReportURL
+	}
+	if inCO.ClusterName != "" {
+		co.ClusterName = inCO.ClusterName
+	}
+
+	return nil
+}
+
 // ======================================================================================
 // =============================== interface ============================================
 // ======================================================================================
 type ITenantConfig interface {
-	// set
-	SetTenant() error
 	UpdateCachedConfig() error
 	DeleteCachedConfig(ctx context.Context) error
+	GenerateAccountID() (string, error)
+	DeleteAccountID() error
 
 	// getters
 	GetContextName() string
 	GetAccountID() string
-	GetTenantEmail() string
-	GetToken() string
-	GetClientID() string
-	GetSecretKey() string
 	GetConfigObj() *ConfigObj
 	GetCloudReportURL() string
 	GetCloudAPIURL() string
-	GetCloudUIURL() string
-	GetCloudAuthURL() string
-	// GetBackendAPI() getter.IBackend
-	// GenerateURL()
-
-	IsConfigFound() bool
 }
 
 // ======================================================================================
 // ============================ Local Config ============================================
 // ======================================================================================
 // Config when scanning YAML files or URL but not a Kubernetes cluster
+
+var _ ITenantConfig = &LocalConfig{}
+
 type LocalConfig struct {
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
+	configObj *ConfigObj
 }
 
-func NewLocalConfig(
-	backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *LocalConfig {
-
+func NewLocalConfig(accountID, clusterName string, customClusterName string) *LocalConfig {
 	lc := &LocalConfig{
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
+		configObj: &ConfigObj{},
 	}
 	// get from configMap
 	if existsConfigFile() { // get from file
 		loadConfigFromFile(lc.configObj)
 	}
 
-	updateCredentials(lc.configObj, credentials)
+	updateAccountID(lc.configObj, accountID)
 	updateCloudURLs(lc.configObj)
 
 	// If a custom cluster name is provided then set that name, else use the cluster's original name
@@ -121,57 +130,31 @@ func NewLocalConfig(
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}
 
-	lc.backendAPI.SetAccountID(lc.configObj.AccountID)
-	lc.backendAPI.SetClientID(lc.configObj.ClientID)
-	lc.backendAPI.SetSecretKey(lc.configObj.SecretKey)
-	if lc.configObj.CloudAPIURL != "" {
-		lc.backendAPI.SetCloudAPIURL(lc.configObj.CloudAPIURL)
-	} else {
-		lc.configObj.CloudAPIURL = lc.backendAPI.GetCloudAPIURL()
-	}
-	if lc.configObj.CloudAuthURL != "" {
-		lc.backendAPI.SetCloudAuthURL(lc.configObj.CloudAuthURL)
-	} else {
-		lc.configObj.CloudAuthURL = lc.backendAPI.GetCloudAuthURL()
-	}
-	if lc.configObj.CloudReportURL != "" {
-		lc.backendAPI.SetCloudReportURL(lc.configObj.CloudReportURL)
-	} else {
-		lc.configObj.CloudReportURL = lc.backendAPI.GetCloudReportURL()
-	}
-	if lc.configObj.CloudUIURL != "" {
-		lc.backendAPI.SetCloudUIURL(lc.configObj.CloudUIURL)
-	} else {
-		lc.configObj.CloudUIURL = lc.backendAPI.GetCloudUIURL()
-	}
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", lc.backendAPI.GetCloudAPIURL()), helpers.String("auth", lc.backendAPI.GetCloudAuthURL()), helpers.String("report", lc.backendAPI.GetCloudReportURL()), helpers.String("UI", lc.backendAPI.GetCloudUIURL()))
+	updatedKsCloud := initializeCloudAPI(lc)
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
 
 	return lc
 }
 
 func (lc *LocalConfig) GetConfigObj() *ConfigObj  { return lc.configObj }
-func (lc *LocalConfig) GetTenantEmail() string    { return lc.configObj.CustomerAdminEMail }
 func (lc *LocalConfig) GetAccountID() string      { return lc.configObj.AccountID }
-func (lc *LocalConfig) GetClientID() string       { return lc.configObj.ClientID }
-func (lc *LocalConfig) GetSecretKey() string      { return lc.configObj.SecretKey }
 func (lc *LocalConfig) GetContextName() string    { return lc.configObj.ClusterName }
-func (lc *LocalConfig) GetToken() string          { return lc.configObj.Token }
 func (lc *LocalConfig) GetCloudReportURL() string { return lc.configObj.CloudReportURL }
 func (lc *LocalConfig) GetCloudAPIURL() string    { return lc.configObj.CloudAPIURL }
-func (lc *LocalConfig) GetCloudUIURL() string     { return lc.configObj.CloudUIURL }
-func (lc *LocalConfig) GetCloudAuthURL() string   { return lc.configObj.CloudAuthURL }
-func (lc *LocalConfig) IsConfigFound() bool       { return existsConfigFile() }
-func (lc *LocalConfig) SetTenant() error {
-
-	// Kubescape Cloud tenant GUID
-	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
-		return err
-	}
-	lc.UpdateCachedConfig()
-	return nil
 
+func (lc *LocalConfig) GenerateAccountID() (string, error) {
+	lc.configObj.AccountID = uuid.NewString()
+	err := lc.UpdateCachedConfig()
+	return lc.configObj.AccountID, err
 }
+
+func (lc *LocalConfig) DeleteAccountID() error {
+	lc.configObj.AccountID = ""
+	return lc.UpdateCachedConfig()
+}
+
 func (lc *LocalConfig) UpdateCachedConfig() error {
+	logger.L().Debug("updating cached config", helpers.Interface("configObj", lc.configObj))
 	return updateConfigFile(lc.configObj)
 }
 
@@ -182,26 +165,6 @@ func (lc *LocalConfig) DeleteCachedConfig(ctx context.Context) error {
 	return nil
 }
 
-func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
-
-	// get from Kubescape Cloud API
-	tenantResponse, err := backendAPI.GetTenant()
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // registered tenant
-			configObj.CustomerAdminEMail = tenantResponse.AdminMail
-		} else { // new tenant
-			configObj.Token = tenantResponse.Token
-			configObj.AccountID = tenantResponse.TenantID
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	return nil
-}
-
 // ======================================================================================
 // ========================== Cluster Config ============================================
 // ======================================================================================
@@ -214,40 +177,45 @@ KS_DEFAULT_CONFIGMAP_NAME  // name of configmap, if not set default is 'kubescap
 KS_DEFAULT_CONFIGMAP_NAMESPACE   // configmap namespace, if not set default is 'default'
 
 KS_ACCOUNT_ID
-KS_CLIENT_ID
-KS_SECRET_KEY
 
 TODO - support:
 KS_CACHE // path to cached files
 */
+var _ ITenantConfig = &ClusterConfig{}
+
 type ClusterConfig struct {
-	backendAPI         getter.IBackend
-	k8s                *k8sinterface.KubernetesApi
-	configObj          *ConfigObj
-	configMapName      string
-	configMapNamespace string
+	k8s                  *k8sinterface.KubernetesApi
+	configObj            *ConfigObj
+	configMapNamespace   string
+	ksConfigMapName      string
+	ksCloudConfigMapName string
 }
 
-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, credentials *Credentials, clusterName string, customClusterName string) *ClusterConfig {
-	// var configObj *ConfigObj
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, clusterName string, customClusterName string) *ClusterConfig {
 	c := &ClusterConfig{
-		k8s:                k8s,
-		backendAPI:         backendAPI,
-		configObj:          &ConfigObj{},
-		configMapName:      getConfigMapName(),
-		configMapNamespace: getConfigMapNamespace(),
+		k8s:                  k8s,
+		configObj:            &ConfigObj{},
+		ksConfigMapName:      getKubescapeConfigMapName(),
+		ksCloudConfigMapName: getKubescapeCloudConfigMapName(),
+		configMapNamespace:   GetConfigMapNamespace(),
 	}
 
-	// first, load from configMap
-	if c.existsConfigMap() {
-		c.loadConfigFromConfigMap()
-	}
-
-	// second, load from file
+	// first, load from file
 	if existsConfigFile() { // get from file
 		loadConfigFromFile(c.configObj)
 	}
-	updateCredentials(c.configObj, credentials)
+
+	// second, load from configMap
+	if c.existsConfigMap(c.ksConfigMapName) {
+		c.updateConfigEmptyFieldsFromKubescapeConfigMap()
+	}
+
+	// third, load urls from cloudConfigMap
+	if c.existsConfigMap(c.ksCloudConfigMapName) {
+		c.updateConfigEmptyFieldsFromKubescapeCloudConfigMap()
+	}
+
+	updateAccountID(c.configObj, accountID)
 	updateCloudURLs(c.configObj)
 
 	// If a custom cluster name is provided then set that name, else use the cluster's original name
@@ -262,78 +230,23 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBacken
 	} else { // override the cluster name if it has unwanted characters
 		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
 	}
-
-	c.backendAPI.SetAccountID(c.configObj.AccountID)
-	c.backendAPI.SetClientID(c.configObj.ClientID)
-	c.backendAPI.SetSecretKey(c.configObj.SecretKey)
-	if c.configObj.CloudAPIURL != "" {
-		c.backendAPI.SetCloudAPIURL(c.configObj.CloudAPIURL)
-	} else {
-		c.configObj.CloudAPIURL = c.backendAPI.GetCloudAPIURL()
-	}
-	if c.configObj.CloudAuthURL != "" {
-		c.backendAPI.SetCloudAuthURL(c.configObj.CloudAuthURL)
-	} else {
-		c.configObj.CloudAuthURL = c.backendAPI.GetCloudAuthURL()
-	}
-	if c.configObj.CloudReportURL != "" {
-		c.backendAPI.SetCloudReportURL(c.configObj.CloudReportURL)
-	} else {
-		c.configObj.CloudReportURL = c.backendAPI.GetCloudReportURL()
-	}
-	if c.configObj.CloudUIURL != "" {
-		c.backendAPI.SetCloudUIURL(c.configObj.CloudUIURL)
-	} else {
-		c.configObj.CloudUIURL = c.backendAPI.GetCloudUIURL()
-	}
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", c.backendAPI.GetCloudAPIURL()), helpers.String("auth", c.backendAPI.GetCloudAuthURL()), helpers.String("report", c.backendAPI.GetCloudReportURL()), helpers.String("UI", c.backendAPI.GetCloudUIURL()))
-
+	updatedKsCloud := initializeCloudAPI(c)
+	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
 	return c
 }
 
 func (c *ClusterConfig) GetConfigObj() *ConfigObj  { return c.configObj }
 func (c *ClusterConfig) GetDefaultNS() string      { return c.configMapNamespace }
 func (c *ClusterConfig) GetAccountID() string      { return c.configObj.AccountID }
-func (c *ClusterConfig) GetClientID() string       { return c.configObj.ClientID }
-func (c *ClusterConfig) GetSecretKey() string      { return c.configObj.SecretKey }
-func (c *ClusterConfig) GetTenantEmail() string    { return c.configObj.CustomerAdminEMail }
-func (c *ClusterConfig) GetToken() string          { return c.configObj.Token }
 func (c *ClusterConfig) GetCloudReportURL() string { return c.configObj.CloudReportURL }
 func (c *ClusterConfig) GetCloudAPIURL() string    { return c.configObj.CloudAPIURL }
-func (c *ClusterConfig) GetCloudUIURL() string     { return c.configObj.CloudUIURL }
-func (c *ClusterConfig) GetCloudAuthURL() string   { return c.configObj.CloudAuthURL }
-
-func (c *ClusterConfig) IsConfigFound() bool { return existsConfigFile() || c.existsConfigMap() }
-
-func (c *ClusterConfig) SetTenant() error {
-
-	// ARMO tenant GUID
-	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
-		return err
-	}
-	c.UpdateCachedConfig()
-	return nil
-
-}
 
 func (c *ClusterConfig) UpdateCachedConfig() error {
-	// update/create config
-	if c.existsConfigMap() {
-		if err := c.updateConfigMap(); err != nil {
-			return err
-		}
-	} else {
-		if err := c.createConfigMap(); err != nil {
-			return err
-		}
-	}
+	logger.L().Debug("updating cached config", helpers.Interface("configObj", c.configObj))
 	return updateConfigFile(c.configObj)
 }
 
 func (c *ClusterConfig) DeleteCachedConfig(ctx context.Context) error {
-	if err := c.deleteConfigMap(); err != nil {
-		logger.L().Ctx(ctx).Warning(err.Error())
-	}
 	if err := DeleteConfigFile(); err != nil {
 		logger.L().Ctx(ctx).Warning(err.Error())
 	}
@@ -350,13 +263,45 @@ func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	}
 	return m
 }
-func (c *ClusterConfig) loadConfigFromConfigMap() error {
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
+
+func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksConfigMapName, metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
 
-	return loadConfigFromData(c.configObj, configMap.Data)
+	tempCO := ConfigObj{}
+	if jsonConf, ok := configMap.Data["config.json"]; ok {
+		if err = json.Unmarshal([]byte(jsonConf), &tempCO); err != nil {
+			return err
+		}
+		return c.configObj.updateEmptyFields(&tempCO)
+	}
+	return err
+}
+
+func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeCloudConfigMap() error {
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksCloudConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if jsonConf, ok := configMap.Data["services"]; ok {
+		services, err := servicediscovery.GetServices(
+			servicediscoveryv1.NewServiceDiscoveryStreamV1([]byte(jsonConf)),
+		)
+		if err != nil {
+			return err
+		}
+
+		if services.GetApiServerUrl() != "" {
+			c.configObj.CloudAPIURL = services.GetApiServerUrl()
+		}
+		if services.GetReportReceiverHttpUrl() != "" {
+			c.configObj.CloudReportURL = services.GetReportReceiverHttpUrl()
+		}
+	}
+	return nil
 }
 
 func loadConfigFromData(co *ConfigObj, data map[string]string) error {
@@ -370,107 +315,36 @@ func loadConfigFromData(co *ConfigObj, data map[string]string) error {
 
 	return e
 }
-func (c *ClusterConfig) existsConfigMap() bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-	// TODO - check if has customerGUID
+
+func (c *ClusterConfig) existsConfigMap(name string) bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), name, metav1.GetOptions{})
 	return err == nil
 }
 
-func (c *ClusterConfig) GetValueByKeyFromConfigMap(key string) (string, error) {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-
-	if err != nil {
-		return "", err
-	}
-	if val, ok := configMap.Data[key]; ok {
-		return val, nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-}
-
-func GetValueFromConfigJson(key string) (string, error) {
-	data, err := os.ReadFile(ConfigFileFullPath())
-	if err != nil {
-		return "", err
-	}
-	var obj map[string]interface{}
-	if err := json.Unmarshal(data, &obj); err != nil {
-		return "", err
-	}
-	if val, ok := obj[key]; ok {
-		return fmt.Sprint(val), nil
-	} else {
-		return "", fmt.Errorf("value does not exist")
-	}
-
-}
-
-func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
-
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-	if err != nil {
-		configMap = &corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: c.configMapName,
-			},
-		}
-	}
-
-	if len(configMap.Data) == 0 {
-		configMap.Data = make(map[string]string)
-	}
-
-	configMap.Data[key] = value
-
-	if err != nil {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
-	} else {
-		_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	}
-
-	return err
-}
-
 func existsConfigFile() bool {
 	_, err := os.ReadFile(ConfigFileFullPath())
 	return err == nil
 }
 
-func (c *ClusterConfig) createConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: c.configMapName,
-		},
-	}
-	c.updateConfigData(configMap)
-
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Create(context.Background(), configMap, metav1.CreateOptions{})
-	return err
-}
-
-func (c *ClusterConfig) updateConfigMap() error {
-	if c.k8s == nil {
-		return nil
-	}
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.configMapName, metav1.GetOptions{})
-
-	if err != nil {
+func updateConfigFile(configObj *ConfigObj) error {
+	fullPath := ConfigFileFullPath()
+	dir := filepath.Dir(fullPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
 		return err
 	}
 
-	c.updateConfigData(configMap)
-
-	_, err = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
-	return err
+	return os.WriteFile(fullPath, configObj.Config(), 0664) //nolint:gosec
 }
 
-func updateConfigFile(configObj *ConfigObj) error {
-	return os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664) //nolint:gosec
+func (c *ClusterConfig) GenerateAccountID() (string, error) {
+	c.configObj.AccountID = uuid.NewString()
+	err := c.UpdateCachedConfig()
+	return c.configObj.AccountID, err
+}
+
+func (c *ClusterConfig) DeleteAccountID() error {
+	c.configObj.AccountID = ""
+	return c.UpdateCachedConfig()
 }
 
 func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
@@ -500,35 +374,9 @@ func readConfig(dat []byte, configObj *ConfigObj) error {
 	if err := json.Unmarshal(dat, configObj); err != nil {
 		return err
 	}
-	if configObj.AccountID == "" {
-		configObj.AccountID = configObj.CustomerGUID
-	}
-	configObj.CustomerGUID = ""
 	return nil
 }
 
-// Check if the customer is submitted
-func (clusterConfig *ClusterConfig) IsSubmitted() bool {
-	return clusterConfig.existsConfigMap() || existsConfigFile()
-}
-
-// Check if the customer is registered
-func (clusterConfig *ClusterConfig) IsRegistered() bool {
-
-	// get from armoBE
-	tenantResponse, err := clusterConfig.backendAPI.GetTenant()
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
-			return true
-		}
-	}
-	return false
-}
-
-func (clusterConfig *ClusterConfig) deleteConfigMap() error {
-	return clusterConfig.k8s.KubernetesClient.CoreV1().ConfigMaps(clusterConfig.configMapNamespace).Delete(context.Background(), clusterConfig.configMapName, metav1.DeleteOptions{})
-}
-
 func DeleteConfigFile() error {
 	return os.Remove(ConfigFileFullPath())
 }
@@ -541,66 +389,49 @@ func AdoptClusterName(clusterName string) string {
 	return re.ReplaceAllString(clusterName, "-")
 }
 
-func getConfigMapName() string {
-	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAME"); n != "" {
+func getKubescapeConfigMapName() string {
+	if n := os.Getenv(defaultConfigMapNameEnvVar); n != "" {
 		return n
 	}
-	return "kubescape"
+	return kubescapeConfigMapName
 }
 
-func getConfigMapNamespace() string {
-	if n := os.Getenv("KS_DEFAULT_CONFIGMAP_NAMESPACE"); n != "" {
+func getKubescapeCloudConfigMapName() string {
+	if n := os.Getenv(defaultCloudConfigMapNameEnvVar); n != "" {
 		return n
 	}
-	return "default"
+
+	return kubescapeCloudConfigMapName
 }
 
-func getAccountFromEnv(credentials *Credentials) {
-	// load from env
-	if accountID := os.Getenv("KS_ACCOUNT_ID"); credentials.Account == "" && accountID != "" {
-		credentials.Account = accountID
-	}
-	if clientID := os.Getenv("KS_CLIENT_ID"); credentials.ClientID == "" && clientID != "" {
-		credentials.ClientID = clientID
-	}
-	if secretKey := os.Getenv("KS_SECRET_KEY"); credentials.SecretKey == "" && secretKey != "" {
-		credentials.SecretKey = secretKey
+// GetConfigMapNamespace returns the namespace of the cluster config, which is the same for all in-cluster components
+func GetConfigMapNamespace() string {
+	if n := os.Getenv(defaultConfigMapNamespaceEnvVar); n != "" {
+		return n
 	}
+	return kubescapeNamespace
 }
 
-func updateCredentials(configObj *ConfigObj, credentials *Credentials) {
-
-	if credentials == nil {
-		credentials = &Credentials{}
-	}
-	getAccountFromEnv(credentials)
-
-	if credentials.Account != "" {
-		configObj.AccountID = credentials.Account // override config Account
-	}
-	if credentials.ClientID != "" {
-		configObj.ClientID = credentials.ClientID // override config ClientID
-	}
-	if credentials.SecretKey != "" {
-		configObj.SecretKey = credentials.SecretKey // override config SecretKey
+func updateAccountID(configObj *ConfigObj, accountID string) {
+	if accountID != "" {
+		configObj.AccountID = accountID
 	}
 
+	if envAccountID := os.Getenv(accountIdEnvVar); envAccountID != "" {
+		configObj.AccountID = envAccountID
+	}
 }
 
 func getCloudURLsFromEnv(cloudURLs *CloudURLs) {
 	// load from env
-	if cloudAPIURL := os.Getenv("KS_CLOUD_API_URL"); cloudAPIURL != "" {
+	if cloudAPIURL := os.Getenv(cloudApiUrlEnvVar); cloudAPIURL != "" {
+		logger.L().Debug("cloud API URL updated from env var", helpers.Interface(cloudApiUrlEnvVar, cloudAPIURL))
 		cloudURLs.CloudAPIURL = cloudAPIURL
 	}
-	if cloudAuthURL := os.Getenv("KS_CLOUD_AUTH_URL"); cloudAuthURL != "" {
-		cloudURLs.CloudAuthURL = cloudAuthURL
-	}
-	if cloudReportURL := os.Getenv("KS_CLOUD_REPORT_URL"); cloudReportURL != "" {
+	if cloudReportURL := os.Getenv(cloudReportUrlEnvVar); cloudReportURL != "" {
+		logger.L().Debug("cloud Report URL updated from env var", helpers.Interface(cloudReportUrlEnvVar, cloudReportURL))
 		cloudURLs.CloudReportURL = cloudReportURL
 	}
-	if cloudUIURL := os.Getenv("KS_CLOUD_UI_URL"); cloudUIURL != "" {
-		cloudURLs.CloudUIURL = cloudUIURL
-	}
 }
 
 func updateCloudURLs(configObj *ConfigObj) {
@@ -611,14 +442,25 @@ func updateCloudURLs(configObj *ConfigObj) {
 	if cloudURLs.CloudAPIURL != "" {
 		configObj.CloudAPIURL = cloudURLs.CloudAPIURL // override config CloudAPIURL
 	}
-	if cloudURLs.CloudAuthURL != "" {
-		configObj.CloudAuthURL = cloudURLs.CloudAuthURL // override config CloudAuthURL
-	}
 	if cloudURLs.CloudReportURL != "" {
 		configObj.CloudReportURL = cloudURLs.CloudReportURL // override config CloudReportURL
 	}
-	if cloudURLs.CloudUIURL != "" {
-		configObj.CloudUIURL = cloudURLs.CloudUIURL // override config CloudUIURL
-	}
 
 }
+
+func initializeCloudAPI(c ITenantConfig) *v1.KSCloudAPI {
+	logger.L().Debug("initializing KS Cloud API from config", helpers.String("accountID", c.GetAccountID()), helpers.String("cloudAPIURL", c.GetCloudAPIURL()), helpers.String("cloudReportURL", c.GetCloudReportURL()))
+	cloud, err := v1.NewKSCloudAPI(c.GetCloudAPIURL(), c.GetCloudReportURL(), c.GetAccountID())
+	if err != nil {
+		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+	}
+	getter.SetKSCloudAPIConnector(cloud)
+	return getter.GetKSCloudAPIConnector()
+}
+
+func GetTenantConfig(accountID, clusterName, customClusterName string, k8s *k8sinterface.KubernetesApi) ITenantConfig {
+	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
+		return NewLocalConfig(accountID, clusterName, customClusterName)
+	}
+	return NewClusterConfig(k8s, accountID, clusterName, customClusterName)
+}

core/cautils/customerloader_test.go

@@ -5,35 +5,28 @@ import (
 	"os"
 	"testing"
 
+	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 )
 
 func mockConfigObj() *ConfigObj {
 	return &ConfigObj{
-		AccountID:          "aaa",
-		ClientID:           "bbb",
-		SecretKey:          "ccc",
-		ClusterName:        "ddd",
-		CustomerAdminEMail: "ab@cd",
-		Token:              "eee",
-		CloudReportURL:     "report.armo.cloud",
-		CloudAPIURL:        "api.armosec.io",
-		CloudUIURL:         "cloud.armosec.io",
-		CloudAuthURL:       "auth.armosec.io",
+		AccountID:      "aaa",
+		ClusterName:    "ddd",
+		CloudReportURL: "report.domain.com",
+		CloudAPIURL:    "api.domain.com",
 	}
 }
 func mockLocalConfig() *LocalConfig {
 	return &LocalConfig{
-		backendAPI: nil,
-		configObj:  mockConfigObj(),
+		configObj: mockConfigObj(),
 	}
 }
 
 func mockClusterConfig() *ClusterConfig {
 	return &ClusterConfig{
-		backendAPI: nil,
-		configObj:  mockConfigObj(),
+		configObj: mockConfigObj(),
 	}
 }
 func TestConfig(t *testing.T) {
@@ -42,15 +35,9 @@ func TestConfig(t *testing.T) {
 
 	assert.NoError(t, json.Unmarshal(co.Config(), &cop))
 	assert.Equal(t, co.AccountID, cop.AccountID)
-	assert.Equal(t, co.ClientID, cop.ClientID)
-	assert.Equal(t, co.SecretKey, cop.SecretKey)
 	assert.Equal(t, co.CloudReportURL, cop.CloudReportURL)
 	assert.Equal(t, co.CloudAPIURL, cop.CloudAPIURL)
-	assert.Equal(t, co.CloudUIURL, cop.CloudUIURL)
-	assert.Equal(t, co.CloudAuthURL, cop.CloudAuthURL)
-	assert.Equal(t, "", cop.ClusterName)        // Not copied to bytes
-	assert.Equal(t, "", cop.CustomerAdminEMail) // Not copied to bytes
-	assert.Equal(t, "", cop.Token)              // Not copied to bytes
+	assert.Equal(t, "", cop.ClusterName) // Not copied to bytes
 
 }
 
@@ -64,27 +51,15 @@ func TestITenantConfig(t *testing.T) {
 
 	// test LocalConfig methods
 	assert.Equal(t, co.AccountID, lc.GetAccountID())
-	assert.Equal(t, co.ClientID, lc.GetClientID())
-	assert.Equal(t, co.SecretKey, lc.GetSecretKey())
 	assert.Equal(t, co.ClusterName, lc.GetContextName())
-	assert.Equal(t, co.CustomerAdminEMail, lc.GetTenantEmail())
-	assert.Equal(t, co.Token, lc.GetToken())
 	assert.Equal(t, co.CloudReportURL, lc.GetCloudReportURL())
 	assert.Equal(t, co.CloudAPIURL, lc.GetCloudAPIURL())
-	assert.Equal(t, co.CloudUIURL, lc.GetCloudUIURL())
-	assert.Equal(t, co.CloudAuthURL, lc.GetCloudAuthURL())
 
 	// test ClusterConfig methods
 	assert.Equal(t, co.AccountID, c.GetAccountID())
-	assert.Equal(t, co.ClientID, c.GetClientID())
-	assert.Equal(t, co.SecretKey, c.GetSecretKey())
 	assert.Equal(t, co.ClusterName, c.GetContextName())
-	assert.Equal(t, co.CustomerAdminEMail, c.GetTenantEmail())
-	assert.Equal(t, co.Token, c.GetToken())
 	assert.Equal(t, co.CloudReportURL, c.GetCloudReportURL())
 	assert.Equal(t, co.CloudAPIURL, c.GetCloudAPIURL())
-	assert.Equal(t, co.CloudUIURL, c.GetCloudUIURL())
-	assert.Equal(t, co.CloudAuthURL, c.GetCloudAuthURL())
 }
 
 func TestUpdateConfigData(t *testing.T) {
@@ -95,12 +70,8 @@ func TestUpdateConfigData(t *testing.T) {
 	c.updateConfigData(configMap)
 
 	assert.Equal(t, c.GetAccountID(), configMap.Data["accountID"])
-	assert.Equal(t, c.GetClientID(), configMap.Data["clientID"])
-	assert.Equal(t, c.GetSecretKey(), configMap.Data["secretKey"])
 	assert.Equal(t, c.GetCloudReportURL(), configMap.Data["cloudReportURL"])
 	assert.Equal(t, c.GetCloudAPIURL(), configMap.Data["cloudAPIURL"])
-	assert.Equal(t, c.GetCloudUIURL(), configMap.Data["cloudUIURL"])
-	assert.Equal(t, c.GetCloudAuthURL(), configMap.Data["cloudAuthURL"])
 }
 
 func TestReadConfig(t *testing.T) {
@@ -113,15 +84,9 @@ func TestReadConfig(t *testing.T) {
 	readConfig(b, co)
 
 	assert.Equal(t, com.AccountID, co.AccountID)
-	assert.Equal(t, com.ClientID, co.ClientID)
-	assert.Equal(t, com.SecretKey, co.SecretKey)
 	assert.Equal(t, com.ClusterName, co.ClusterName)
-	assert.Equal(t, com.CustomerAdminEMail, co.CustomerAdminEMail)
-	assert.Equal(t, com.Token, co.Token)
 	assert.Equal(t, com.CloudReportURL, co.CloudReportURL)
 	assert.Equal(t, com.CloudAPIURL, co.CloudAPIURL)
-	assert.Equal(t, com.CloudUIURL, co.CloudUIURL)
-	assert.Equal(t, com.CloudAuthURL, co.CloudAuthURL)
 }
 
 func TestLoadConfigFromData(t *testing.T) {
@@ -140,15 +105,9 @@ func TestLoadConfigFromData(t *testing.T) {
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, c.GetAccountID(), co.AccountID)
-		assert.Equal(t, c.GetClientID(), co.ClientID)
-		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
 		assert.Equal(t, c.GetContextName(), co.ClusterName)
-		assert.Equal(t, c.GetTenantEmail(), co.CustomerAdminEMail)
-		assert.Equal(t, c.GetToken(), co.Token)
 		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
 		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
-		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
-		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: all data is in config.json
@@ -166,12 +125,8 @@ func TestLoadConfigFromData(t *testing.T) {
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, c.GetAccountID(), co.AccountID)
-		assert.Equal(t, c.GetClientID(), co.ClientID)
-		assert.Equal(t, c.GetSecretKey(), co.SecretKey)
 		assert.Equal(t, c.GetCloudReportURL(), co.CloudReportURL)
 		assert.Equal(t, c.GetCloudAPIURL(), co.CloudAPIURL)
-		assert.Equal(t, c.GetCloudUIURL(), co.CloudUIURL)
-		assert.Equal(t, c.GetCloudAuthURL(), co.CloudAuthURL)
 	}
 
 	// use case: some data is in config.json
@@ -182,21 +137,15 @@ func TestLoadConfigFromData(t *testing.T) {
 		}
 
 		// add to map
-		configMap.Data["clientID"] = c.configObj.ClientID
-		configMap.Data["secretKey"] = c.configObj.SecretKey
 		configMap.Data["cloudReportURL"] = c.configObj.CloudReportURL
 
 		// delete the content
-		c.configObj.ClientID = ""
-		c.configObj.SecretKey = ""
 		c.configObj.CloudReportURL = ""
 
 		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.NotEmpty(t, c.GetAccountID())
-		assert.NotEmpty(t, c.GetClientID())
-		assert.NotEmpty(t, c.GetSecretKey())
 		assert.NotEmpty(t, c.GetCloudReportURL())
 	}
 
@@ -211,19 +160,11 @@ func TestLoadConfigFromData(t *testing.T) {
 
 		// add to map
 		configMap.Data["accountID"] = mockConfigObj().AccountID
-		configMap.Data["clientID"] = c.configObj.ClientID
-		configMap.Data["secretKey"] = c.configObj.SecretKey
-
-		// delete the content
-		c.configObj.ClientID = ""
-		c.configObj.SecretKey = ""
 
 		configMap.Data["config.json"] = string(c.GetConfigObj().Config())
 		loadConfigFromData(c.configObj, configMap.Data)
 
 		assert.Equal(t, mockConfigObj().AccountID, c.GetAccountID())
-		assert.NotEmpty(t, c.GetClientID())
-		assert.NotEmpty(t, c.GetSecretKey())
 	}
 
 }
@@ -268,3 +209,149 @@ func TestUpdateCloudURLs(t *testing.T) {
 	updateCloudURLs(co)
 	assert.Equal(t, co.CloudAPIURL, mockCloudAPIURL)
 }
+
+func Test_initializeCloudAPI(t *testing.T) {
+	type args struct {
+		c ITenantConfig
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "test",
+			args: args{
+				c: mockClusterConfig(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			initializeCloudAPI(tt.args.c)
+			cloud := getter.GetKSCloudAPIConnector()
+			assert.Equal(t, "https://api.domain.com", cloud.GetCloudAPIURL())
+			assert.Equal(t, "https://report.domain.com", cloud.GetCloudReportURL())
+			assert.Equal(t, tt.args.c.GetAccountID(), cloud.GetAccountID())
+		})
+	}
+}
+
+func TestGetConfigMapNamespace(t *testing.T) {
+	tests := []struct {
+		name string
+		env  string
+		want string
+	}{
+		{
+			name: "no env",
+			want: kubescapeNamespace,
+		},
+		{
+			name: "default ns",
+			env:  kubescapeNamespace,
+			want: kubescapeNamespace,
+		},
+		{
+			name: "custom ns",
+			env:  "my-ns",
+			want: "my-ns",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.env != "" {
+				_ = os.Setenv("KS_DEFAULT_CONFIGMAP_NAMESPACE", tt.env)
+			}
+			assert.Equalf(t, tt.want, GetConfigMapNamespace(), "GetConfigMapNamespace()")
+		})
+	}
+}
+
+const (
+	anyString       string = "anyString"
+	shouldNotUpdate string = "shouldNotUpdate"
+	shouldUpdate    string = "shouldUpdate"
+)
+
+func checkIsUpdateCorrectly(t *testing.T, beforeField string, afterField string) {
+	switch beforeField {
+	case anyString:
+		assert.Equal(t, anyString, afterField)
+	case "":
+		assert.Equal(t, shouldUpdate, afterField)
+	}
+}
+
+func TestUpdateEmptyFields(t *testing.T) {
+
+	tests := []struct {
+		inCo  *ConfigObj
+		outCo *ConfigObj
+	}{
+		{
+			outCo: &ConfigObj{
+				AccountID:      "",
+				ClusterName:    "",
+				CloudReportURL: "",
+				CloudAPIURL:    "",
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldUpdate,
+				ClusterName:    shouldUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      anyString,
+				ClusterName:    "",
+				CloudReportURL: "",
+				CloudAPIURL:    "",
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldNotUpdate,
+				ClusterName:    shouldUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      "",
+				ClusterName:    anyString,
+				CloudReportURL: anyString,
+				CloudAPIURL:    anyString,
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldUpdate,
+				ClusterName:    shouldNotUpdate,
+				CloudReportURL: shouldNotUpdate,
+				CloudAPIURL:    shouldNotUpdate,
+			},
+		},
+		{
+			outCo: &ConfigObj{
+				AccountID:      anyString,
+				ClusterName:    anyString,
+				CloudReportURL: "",
+				CloudAPIURL:    anyString,
+			},
+			inCo: &ConfigObj{
+				AccountID:      shouldNotUpdate,
+				ClusterName:    shouldNotUpdate,
+				CloudReportURL: shouldUpdate,
+				CloudAPIURL:    shouldNotUpdate,
+			},
+		},
+	}
+
+	for i := range tests {
+		beforeChangesOutCO := tests[i].outCo
+		tests[i].outCo.updateEmptyFields(tests[i].inCo)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.AccountID, tests[i].outCo.AccountID)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.CloudAPIURL, tests[i].outCo.CloudAPIURL)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.CloudReportURL, tests[i].outCo.CloudReportURL)
+		checkIsUpdateCorrectly(t, beforeChangesOutCO.ClusterName, tests[i].outCo.ClusterName)
+	}
+}

core/cautils/datastructures.go

@@ -2,7 +2,9 @@ package cautils
 
 import (
 	"context"
+	"sort"
 
+	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
@@ -15,12 +17,30 @@ import (
 
 // K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
 type K8SResources map[string][]string
-type KSResources map[string][]string
+type ExternalResources map[string][]string
+
+type ImageScanData struct {
+	PresenterConfig *models.PresenterConfig
+	Image           string
+}
+
+type ScanTypes string
+
+const (
+	TopWorkloadsNumber           = 5
+	ScanTypeCluster    ScanTypes = "cluster"
+	ScanTypeRepo       ScanTypes = "repo"
+	ScanTypeImage      ScanTypes = "image"
+	ScanTypeWorkload   ScanTypes = "workload"
+	ScanTypeFramework  ScanTypes = "framework"
+	ScanTypeControl    ScanTypes = "control"
+)
 
 type OPASessionObj struct {
-	K8SResources          *K8SResources                                 // input k8s objects
-	ArmoResource          *KSResources                                  // input ARMO objects
+	K8SResources          K8SResources                                  // input k8s objects
+	ExternalResources     ExternalResources                             // input non-k8s objects (external resources)
 	AllPolicies           *Policies                                     // list of all frameworks
+	ExcludedRules         map[string]bool                               // rules to exclude map[rule name>]X
 	AllResources          map[string]workloadinterface.IMetadata        // all scanned resources, map[<resource ID>]<resource>
 	ResourcesResult       map[string]resourcesresults.Result            // resources scan results, map[<resource ID>]<resource result>
 	ResourceSource        map[string]reporthandling.Source              // resources sources, map[<resource ID>]<resource result>
@@ -36,9 +56,11 @@ type OPASessionObj struct {
 	Policies              []reporthandling.Framework         // list of frameworks to scan
 	Exceptions            []armotypes.PostureExceptionPolicy // list of exceptions to apply on scan results
 	OmitRawResources      bool                               // omit raw resources from output
+	SingleResourceScan    workloadinterface.IWorkload        // single resource scan
+	TopWorkloadsByScore   []reporthandling.IResource
 }
 
-func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources *K8SResources, scanInfo *ScanInfo) *OPASessionObj {
+func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources K8SResources, scanInfo *ScanInfo) *OPASessionObj {
 	return &OPASessionObj{
 		Report:                &reporthandlingv2.PostureReport{},
 		Policies:              frameworks,
@@ -55,6 +77,45 @@ func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework
 	}
 }
 
+// SetTopWorkloads sets the top workloads by score
+func (sessionObj *OPASessionObj) SetTopWorkloads() {
+	count := 0
+
+	topWorkloadsSorted := make([]prioritization.PrioritizedResource, 0)
+
+	// create list in order to sort
+	for _, wl := range sessionObj.ResourcesPrioritized {
+		topWorkloadsSorted = append(topWorkloadsSorted, wl)
+	}
+
+	// sort by score. If scores are equal, sort by resource ID
+	sort.Slice(topWorkloadsSorted, func(i, j int) bool {
+		if topWorkloadsSorted[i].Score == topWorkloadsSorted[j].Score {
+			return topWorkloadsSorted[i].ResourceID < topWorkloadsSorted[j].ResourceID
+		}
+		return topWorkloadsSorted[i].Score > topWorkloadsSorted[j].Score
+	})
+
+	if sessionObj.Report == nil {
+		sessionObj.Report = &reporthandlingv2.PostureReport{}
+	}
+
+	// set top workloads according to number of top workloads
+	for i := 0; i < TopWorkloadsNumber; i++ {
+		if i >= len(topWorkloadsSorted) {
+			break
+		}
+		source := sessionObj.ResourceSource[topWorkloadsSorted[i].ResourceID]
+		wlObj := &reporthandling.Resource{
+			IMetadata: sessionObj.AllResources[topWorkloadsSorted[i].ResourceID],
+			Source:    &source,
+		}
+
+		sessionObj.TopWorkloadsByScore = append(sessionObj.TopWorkloadsByScore, wlObj)
+		count++
+	}
+}
+
 func (sessionObj *OPASessionObj) SetMapNamespaceToNumberOfResources(mapNamespaceToNumberOfResources map[string]int) {
 	if sessionObj.Metadata.ContextMetadata.ClusterContextMetadata == nil {
 		sessionObj.Metadata.ContextMetadata.ClusterContextMetadata = &reporthandlingv2.ClusterMetadata{}

core/cautils/datastructuresmethods.go

@@ -4,6 +4,7 @@ import (
 	"golang.org/x/mod/semver"
 
 	"github.com/armosec/utils-go/boolutils"
+	cloudsupport "github.com/kubescape/k8s-interface/cloudsupport/v1"
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 )
@@ -15,15 +16,25 @@ func NewPolicies() *Policies {
 	}
 }
 
-func (policies *Policies) Set(frameworks []reporthandling.Framework, version string) {
+func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
 	for i := range frameworks {
+		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
+			continue
+		}
 		if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
 			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
 		}
 		for j := range frameworks[i].Controls {
 			compatibleRules := []reporthandling.PolicyRule{}
 			for r := range frameworks[i].Controls[j].Rules {
-				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
+				if excludedRules != nil {
+					ruleName := frameworks[i].Controls[j].Rules[r].Name
+					if _, exclude := excludedRules[ruleName]; exclude {
+						continue
+					}
+				}
+
+				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
 					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
 				}
 			}
@@ -76,3 +87,81 @@ func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version
 	}
 	return true
 }
+
+func getCloudProvider(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
+	if cloudsupport.IsAKS() {
+		return reporthandling.ScopeCloudAKS
+	}
+	if cloudsupport.IsEKS() {
+		return reporthandling.ScopeCloudEKS
+	}
+	if cloudsupport.IsGKE() {
+		return reporthandling.ScopeCloudGKE
+	}
+	return ""
+}
+
+func GetScanningScope(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
+
+	switch scanInfo.GetScanningContext() {
+	case ContextCluster:
+		if cloudProvider := getCloudProvider(scanInfo); cloudProvider != "" {
+			return cloudProvider
+		}
+		return reporthandling.ScopeCluster
+	default:
+		return reporthandling.ScopeFile
+	}
+}
+
+func isScanningScopeMatchToControlScope(scanScope reporthandling.ScanningScopeType, controlScope reporthandling.ScanningScopeType) bool {
+
+	switch controlScope {
+	case reporthandling.ScopeFile:
+		return reporthandling.ScopeFile == scanScope
+	case reporthandling.ScopeCluster:
+		return reporthandling.ScopeCluster == scanScope || reporthandling.ScopeCloud == scanScope || reporthandling.ScopeCloudAKS == scanScope || reporthandling.ScopeCloudEKS == scanScope || reporthandling.ScopeCloudGKE == scanScope
+	case reporthandling.ScopeCloud:
+		return reporthandling.ScopeCloud == scanScope || reporthandling.ScopeCloudAKS == scanScope || reporthandling.ScopeCloudEKS == scanScope || reporthandling.ScopeCloudGKE == scanScope
+	case reporthandling.ScopeCloudAKS:
+		return reporthandling.ScopeCloudAKS == scanScope
+	case reporthandling.ScopeCloudEKS:
+		return reporthandling.ScopeCloudEKS == scanScope
+	case reporthandling.ScopeCloudGKE:
+		return reporthandling.ScopeCloudGKE == scanScope
+	default:
+		return true
+	}
+}
+
+func isControlFitToScanScope(control reporthandling.Control, scanScopeMatches reporthandling.ScanningScopeType) bool {
+	// for backward compatibility - case: kubescape with scope(new one) and regolibrary without scope(old one)
+	if control.ScanningScope == nil {
+		return true
+	}
+	if len(control.ScanningScope.Matches) == 0 {
+		return true
+	}
+	for i := range control.ScanningScope.Matches {
+		if isScanningScopeMatchToControlScope(scanScopeMatches, control.ScanningScope.Matches[i]) {
+			return true
+		}
+	}
+	return false
+}
+
+func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatches reporthandling.ScanningScopeType) bool {
+	// for backward compatibility - case: kubescape with scope(new one) and regolibrary without scope(old one)
+	if framework.ScanningScope == nil {
+		return true
+	}
+	if len(framework.ScanningScope.Matches) == 0 {
+		return true
+	}
+	for i := range framework.ScanningScope.Matches {
+		if isScanningScopeMatchToControlScope(scanScopeMatches, framework.ScanningScope.Matches[i]) {
+			return true
+		}
+	}
+	return false
+}

core/cautils/datastructuresmethods_test.go

@@ -0,0 +1,334 @@
+package cautils
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsControlFitToScanScope(t *testing.T) {
+	tests := []struct {
+		scanInfo     *ScanInfo
+		Control      reporthandling.Control
+		expected_res bool
+	}{
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeFile,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCluster,
+						reporthandling.ScopeFile,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCluster,
+					},
+				},
+			},
+			expected_res: true,
+		},
+		{
+			scanInfo: &ScanInfo{
+				InputPatterns: []string{
+					"./testdata/any_file_for_test.json",
+				},
+			},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloudGKE,
+					},
+				},
+			},
+			expected_res: false,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloudEKS,
+					},
+				},
+			},
+			expected_res: false,
+		},
+		{
+			scanInfo: &ScanInfo{},
+			Control: reporthandling.Control{
+				ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{
+						reporthandling.ScopeCloud,
+					},
+				},
+			},
+			expected_res: false,
+		}}
+	for i := range tests {
+		assert.Equal(t, tests[i].expected_res, isControlFitToScanScope(tests[i].Control, GetScanningScope(tests[i].scanInfo)), fmt.Sprintf("tests_true index %d", i))
+	}
+}
+
+func TestIsScanningScopeMatchToControlScope(t *testing.T) {
+	tests := []struct {
+		scanScope    reporthandling.ScanningScopeType
+		controlScope reporthandling.ScanningScopeType
+		expected     bool
+	}{
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeFile,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: ScopeCluster,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     true,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    ScopeCluster,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: ScopeCluster,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloud,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeFile,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloud,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudAKS,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudEKS,
+			controlScope: reporthandling.ScopeCloudGKE,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudAKS,
+			expected:     false,
+		},
+		{
+			scanScope:    reporthandling.ScopeCloudGKE,
+			controlScope: reporthandling.ScopeCloudEKS,
+			expected:     false,
+		},
+	}
+
+	for _, test := range tests {
+		result := isScanningScopeMatchToControlScope(test.scanScope, test.controlScope)
+		assert.Equal(t, test.expected, result, fmt.Sprintf("scanScope: %v, controlScope: %v", test.scanScope, test.controlScope))
+	}
+}
+
+func TestIsFrameworkFitToScanScope(t *testing.T) {
+	tests := []struct {
+		name           string
+		framework      reporthandling.Framework
+		scanScopeMatch reporthandling.ScanningScopeType
+		want           bool
+	}{
+		{
+			name: "Framework with nil ScanningScope should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with empty ScanningScope.Matches should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with matching ScanningScope.Matches should return true",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{reporthandling.ScopeFile},
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           true,
+		},
+		{
+			name: "Framework with non-matching ScanningScope.Matches should return false",
+			framework: reporthandling.Framework{
+				PortalBase: armotypes.PortalBase{
+					Name: "test-framework",
+				}, ScanningScope: &reporthandling.ScanningScope{
+					Matches: []reporthandling.ScanningScopeType{reporthandling.ScopeCluster},
+				},
+			},
+			scanScopeMatch: reporthandling.ScopeFile,
+			want:           false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isFrameworkFitToScanScope(tt.framework, tt.scanScopeMatch); got != tt.want {
+				t.Errorf("isFrameworkFitToScanScope() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

core/cautils/display.go

@@ -1,27 +1,62 @@
 package cautils
 
 import (
+	"fmt"
+	"io"
 	"os"
 	"time"
 
 	spinnerpkg "github.com/briandowns/spinner"
-	"github.com/fatih/color"
+	"github.com/jwalton/gchalk"
+	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
 	"github.com/schollz/progressbar/v3"
 )
 
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var WarningDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgCyan).FprintfFunc()
-var InfoTextDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New().FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-var DescriptionDisplay = color.New(color.Faint, color.FgWhite).FprintfFunc()
+func FailureDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightRed().Bold(format), a...)
+}
+
+func WarningDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightYellow().Bold(format), a...)
+}
+
+func FailureTextDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightRed().Dim(format), a...)
+}
+
+func InfoDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithCyan().Bold(format), a...)
+}
+
+func InfoTextDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBrightYellow().Bold(format), a...)
+}
+
+func SimpleDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.White(format), a...)
+}
+
+func SuccessDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithBlue().Bold(format), a...)
+}
+
+func DescriptionDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithWhite().Dim(format), a...)
+}
+
+func BoldDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.Bold(format), a...)
+}
 
 var spinner *spinnerpkg.Spinner
 
 func StartSpinner() {
+	if helpers.ToLevel(logger.L().GetLevel()) >= helpers.WarningLevel {
+		return
+	}
+
 	if spinner != nil {
 		if !spinner.Active() {
 			spinner.Start()
@@ -42,8 +77,8 @@ func StopSpinner() {
 }
 
 type ProgressHandler struct {
-	title string
 	pb    *progressbar.ProgressBar
+	title string
 }
 
 func NewProgressHandler(title string) *ProgressHandler {
@@ -51,11 +86,11 @@ func NewProgressHandler(title string) *ProgressHandler {
 }
 
 func (p *ProgressHandler) Start(allSteps int) {
-	if isatty.IsTerminal(os.Stderr.Fd()) {
-		p.pb = progressbar.Default(int64(allSteps), p.title)
-	} else {
+	if !isatty.IsTerminal(os.Stderr.Fd()) || helpers.ToLevel(logger.L().GetLevel()) >= helpers.WarningLevel {
 		p.pb = progressbar.DefaultSilent(int64(allSteps), p.title)
+		return
 	}
+	p.pb = progressbar.Default(int64(allSteps), p.title)
 }
 
 func (p *ProgressHandler) ProgressJob(step int, message string) {

core/cautils/display_test.go

@@ -0,0 +1,32 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/kubescape/go-logger"
+)
+
+func TestStartSpinner(t *testing.T) {
+	tests := []struct {
+		name        string
+		loggerLevel string
+		enabled     bool
+	}{
+		{
+			name:        "TestStartSpinner - disabled",
+			loggerLevel: "warning",
+			enabled:     false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger.L().SetLevel(tt.loggerLevel)
+			StartSpinner()
+			if !tt.enabled {
+				if spinner != nil {
+					t.Errorf("spinner should be nil")
+				}
+			}
+		})
+	}
+}

core/cautils/environments.go

@@ -1,7 +0,0 @@
-package cautils
-
-// Kubescape Cloud environment vars
-var (
-	CustomerGUID = ""
-	ClusterName  = ""
-)

core/cautils/fileutils.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
+	"golang.org/x/exp/slices"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
@@ -31,8 +32,13 @@ const (
 	JSON_FILE_FORMAT FileFormat = "json"
 )
 
+type Chart struct {
+	Name string
+	Path string
+}
+
 // LoadResourcesFromHelmCharts scans a given path (recursively) for helm charts, renders the templates and returns a map of workloads and a map of chart names
-func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, map[string]string) {
+func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, map[string]Chart) {
 	directories, _ := listDirs(basePath)
 	helmDirectories := make([]string, 0)
 	for _, dir := range directories {
@@ -42,24 +48,27 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri
 	}
 
 	sourceToWorkloads := map[string][]workloadinterface.IMetadata{}
-	sourceToChartName := map[string]string{}
+	sourceToChart := make(map[string]Chart, 0)
 	for _, helmDir := range helmDirectories {
 		chart, err := NewHelmChart(helmDir)
 		if err == nil {
 			wls, errs := chart.GetWorkloadsWithDefaultValues()
 			if len(errs) > 0 {
-				logger.L().Ctx(ctx).Error(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
+				logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
 
 			chartName := chart.GetName()
 			for k, v := range wls {
 				sourceToWorkloads[k] = v
-				sourceToChartName[k] = chartName
+				sourceToChart[k] = Chart{
+					Name: chartName,
+					Path: helmDir,
+				}
 			}
 		}
 	}
-	return sourceToWorkloads, sourceToChartName
+	return sourceToWorkloads, sourceToChart
 }
 
 // If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
@@ -88,7 +97,7 @@ func LoadResourcesFromKustomizeDirectory(ctx context.Context, basePath string) (
 	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
 
 	if len(errs) > 0 {
-		logger.L().Ctx(ctx).Error(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
 	}
 
 	for k, v := range wls {
@@ -100,15 +109,16 @@ func LoadResourcesFromKustomizeDirectory(ctx context.Context, basePath string) (
 func LoadResourcesFromFiles(ctx context.Context, input, rootPath string) map[string][]workloadinterface.IMetadata {
 	files, errs := listFiles(input)
 	if len(errs) > 0 {
-		logger.L().Ctx(ctx).Error(fmt.Sprintf("%v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("%v", errs))
 	}
 	if len(files) == 0 {
+		logger.L().Ctx(ctx).Error("no files found to scan", helpers.String("input", input))
 		return nil
 	}
 
 	workloads, errs := loadFiles(rootPath, files)
 	if len(errs) > 0 {
-		logger.L().Ctx(ctx).Error(fmt.Sprintf("%v", errs))
+		logger.L().Ctx(ctx).Warning(fmt.Sprintf("%v", errs))
 	}
 
 	return workloads
@@ -283,11 +293,11 @@ func convertYamlToJson(i interface{}) interface{} {
 }
 
 func IsYaml(filePath string) bool {
-	return StringInSlice(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+	return slices.Contains(YAML_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", ""))
 }
 
 func IsJson(filePath string) bool {
-	return StringInSlice(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", "")) != ValueNotFound
+	return slices.Contains(JSON_PREFIX, strings.ReplaceAll(filepath.Ext(filePath), ".", ""))
 }
 
 func glob(root, pattern string, onlyDirectories bool) ([]string, error) {

core/cautils/fileutils_test.go

@@ -53,7 +53,8 @@ func TestLoadResourcesFromHelmCharts(t *testing.T) {
 
 		w := workloads[0]
 		assert.True(t, localworkload.IsTypeLocalWorkload(w.GetObject()), "Expected localworkload as object type")
-		assert.Equal(t, "kubescape", sourceToChartName[file])
+		assert.Equal(t, "kubescape", sourceToChartName[file].Name)
+		assert.Equal(t, helmChartPath(), sourceToChartName[file].Path)
 
 		switch filepath.Base(file) {
 		case "serviceaccount.yaml":

core/cautils/getter/datastructures.go

@@ -1,24 +1,4 @@
 package getter
 
-type FeLoginData struct {
-	Secret   string `json:"secret"`
-	ClientId string `json:"clientId"`
-}
-
-type FeLoginResponse struct {
-	Token        string `json:"accessToken"`
-	RefreshToken string `json:"refreshToken"`
-	Expires      string `json:"expires"`
-	ExpiresIn    int32  `json:"expiresIn"`
-}
-
-type KSCloudSelectCustomer struct {
-	SelectedCustomerGuid string `json:"selectedCustomer"`
-}
-
-type TenantResponse struct {
-	TenantID  string `json:"tenantId"`
-	Token     string `json:"token"`
-	Expires   string `json:"expires"`
-	AdminMail string `json:"adminMail,omitempty"`
-}
+// NativeFrameworks identifies all pre-built, native frameworks.
+var NativeFrameworks = []string{"allcontrols", "nsa", "mitre"}

core/cautils/getter/doc.go

@@ -0,0 +1,8 @@
+// Package getter provides functionality to retrieve policy objects.
+//
+// It comes with 3 implementations:
+//
+// * KSCloudAPI is a client for the KS Cloud SaaS API
+// * LoadPolicy exposes policy objects stored in a local repository
+// * DownloadReleasedPolicy downloads policy objects from the policy library released on github: https://github.com/kubescape/regolibrary
+package getter

core/cautils/getter/downloadreleasedpolicy.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/armosec/armoapi-go/armotypes"
+
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
 
@@ -14,6 +15,12 @@ import (
 // =======================================================================================================================
 // ======================================== DownloadReleasedPolicy =======================================================
 // =======================================================================================================================
+var (
+	_ IPolicyGetter         = &DownloadReleasedPolicy{}
+	_ IExceptionsGetter     = &DownloadReleasedPolicy{}
+	_ IAttackTracksGetter   = &DownloadReleasedPolicy{}
+	_ IControlsInputsGetter = &DownloadReleasedPolicy{}
+)
 
 // Use gitregostore to get policies from github release
 type DownloadReleasedPolicy struct {
@@ -72,12 +79,12 @@ func (drp *DownloadReleasedPolicy) ListControls() ([]string, error) {
 	}
 	var controlsFrameworksList [][]string
 	for _, control := range controls {
-		controlsFrameworksList = append(controlsFrameworksList, control.FrameworkNames)
+		controlsFrameworksList = append(controlsFrameworksList, drp.gs.GetOpaFrameworkListByControlID(control.ControlID))
 	}
 	controlsNamesWithIDsandFrameworksList := make([]string, len(controlsIDsList))
 	// by design all slices have the same lengt
 	for i := range controlsIDsList {
-		controlsNamesWithIDsandFrameworksList[i] = fmt.Sprintf("%v|%v|%v", controlsIDsList[i], controlsNamesList[i], strings.Join(controlsFrameworksList[i], ","))
+		controlsNamesWithIDsandFrameworksList[i] = fmt.Sprintf("%v|%v|%v", controlsIDsList[i], controlsNamesList[i], strings.Join(controlsFrameworksList[i], ", "))
 	}
 	return controlsNamesWithIDsandFrameworksList, nil
 }

core/cautils/getter/downloadreleasedpolicy_test.go

@@ -9,9 +9,19 @@ import (
 	"strings"
 	"testing"
 
+	jsoniter "github.com/json-iterator/go"
+	"github.com/kubescape/kubescape/v2/internal/testutils"
 	"github.com/stretchr/testify/require"
 )
 
+func min(a, b int64) int64 {
+	if a < b {
+		return a
+	}
+
+	return b
+}
+
 func TestReleasedPolicy(t *testing.T) {
 	t.Parallel()
 
@@ -32,7 +42,7 @@ func TestReleasedPolicy(t *testing.T) {
 			require.NoError(t, err)
 			require.NotEmpty(t, controlIDs)
 
-			sampleSize := min(len(controlIDs), 10)
+			sampleSize := int(min(int64(len(controlIDs)), 10))
 
 			for _, toPin := range controlIDs[:sampleSize] {
 				// Example of a returned "ID": `C-0154|Ensure_that_the_--client-cert-auth_argument_is_set_to_true|`
@@ -128,14 +138,6 @@ func TestReleasedPolicy(t *testing.T) {
 	})
 }
 
-func min(a, b int) int {
-	if a > b {
-		return b
-	}
-
-	return a
-}
-
 func hydrateReleasedPolicyFromMock(t testing.TB, p *DownloadReleasedPolicy) {
 	regoFile := testRegoFile("policy")
 
@@ -161,10 +163,10 @@ func hydrateReleasedPolicyFromMock(t testing.TB, p *DownloadReleasedPolicy) {
 	require.NoError(t, err)
 
 	require.NoError(t,
-		json.Unmarshal(buf, p.gs),
+		jsoniter.Unmarshal(buf, p.gs),
 	)
 }
 
 func testRegoFile(framework string) string {
-	return filepath.Join(currentDir(), "testdata", fmt.Sprintf("%s.json", framework))
+	return filepath.Join(testutils.CurrentDir(), "testdata", fmt.Sprintf("%s.json", framework))
 }

core/cautils/getter/gcpcloudapi.go

@@ -1,42 +0,0 @@
-package getter
-
-import (
-	"context"
-	"os"
-
-	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
-)
-
-type GCPCloudAPI struct {
-	credentialsPath  string
-	context          context.Context
-	client           *containeranalysis.Client
-	projectID        string
-	credentialsCheck bool
-}
-
-func GetGlobalGCPCloudAPIConnector() *GCPCloudAPI {
-
-	if os.Getenv("KS_GCP_CREDENTIALS_PATH") == "" || os.Getenv("KS_GCP_PROJECT_ID") == "" {
-		return &GCPCloudAPI{
-			credentialsCheck: false,
-		}
-	} else {
-		return &GCPCloudAPI{
-			context:          context.Background(),
-			credentialsPath:  os.Getenv("KS_GCP_CREDENTIALS_PATH"),
-			projectID:        os.Getenv("KS_GCP_PROJECT_ID"),
-			credentialsCheck: true,
-		}
-	}
-}
-
-func (api *GCPCloudAPI) SetClient(client *containeranalysis.Client) {
-	api.client = client
-}
-
-func (api *GCPCloudAPI) GetCredentialsPath() string           { return api.credentialsPath }
-func (api *GCPCloudAPI) GetClient() *containeranalysis.Client { return api.client }
-func (api *GCPCloudAPI) GetProjectID() string                 { return api.projectID }
-func (api *GCPCloudAPI) GetCredentialsCheck() bool            { return api.credentialsCheck }
-func (api *GCPCloudAPI) GetContext() context.Context          { return api.context }

core/cautils/getter/getpolicies.go

@@ -1,47 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-)
-
-type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-	GetFrameworks() ([]reporthandling.Framework, error)
-	GetControl(ID string) (*reporthandling.Control, error)
-
-	ListFrameworks() ([]string, error)
-	ListControls() ([]string, error)
-}
-
-type IExceptionsGetter interface {
-	GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
-}
-type IBackend interface {
-	GetAccountID() string
-	GetClientID() string
-	GetSecretKey() string
-	GetCloudReportURL() string
-	GetCloudAPIURL() string
-	GetCloudUIURL() string
-	GetCloudAuthURL() string
-
-	SetAccountID(accountID string)
-	SetClientID(clientID string)
-	SetSecretKey(secretKey string)
-	SetCloudReportURL(cloudReportURL string)
-	SetCloudAPIURL(cloudAPIURL string)
-	SetCloudUIURL(cloudUIURL string)
-	SetCloudAuthURL(cloudAuthURL string)
-
-	GetTenant() (*TenantResponse, error)
-}
-
-type IControlsInputsGetter interface {
-	GetControlsInputs(clusterName string) (map[string][]string, error)
-}
-
-type IAttackTracksGetter interface {
-	GetAttackTracks() ([]v1alpha1.AttackTrack, error)
-}

core/cautils/getter/getpoliciesutils.go

@@ -10,19 +10,23 @@ import (
 	"strings"
 )
 
+// GetDefaultPath returns a location under the local dot files for kubescape.
+//
+// This is typically located under $HOME/.kubescape
 func GetDefaultPath(name string) string {
 	return filepath.Join(DefaultLocalStore, name)
 }
 
-func SaveInFile(policy interface{}, pathStr string) error {
-	encodedData, err := json.MarshalIndent(policy, "", "  ")
+// SaveInFile serializes any object as a JSON file.
+func SaveInFile(object interface{}, targetFile string) error {
+	encodedData, err := json.MarshalIndent(object, "", "  ")
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(pathStr, encodedData, 0644) //nolint:gosec
+	err = os.WriteFile(targetFile, encodedData, 0644) //nolint:gosec
 	if err != nil {
 		if os.IsNotExist(err) {
-			pathDir := filepath.Dir(pathStr)
+			pathDir := filepath.Dir(targetFile)
 			// pathDir could contain subdirectories
 			if erm := os.MkdirAll(pathDir, 0755); erm != nil {
 				return erm
@@ -31,7 +35,7 @@ func SaveInFile(policy interface{}, pathStr string) error {
 			return err
 
 		}
-		err = os.WriteFile(pathStr, encodedData, 0644) //nolint:gosec
+		err = os.WriteFile(targetFile, encodedData, 0644) //nolint:gosec
 		if err != nil {
 			return err
 		}
@@ -39,6 +43,9 @@ func SaveInFile(policy interface{}, pathStr string) error {
 	return nil
 }
 
+// HttpDelete provides a low-level capability to send a HTTP DELETE request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
 func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
 
 	req, err := http.NewRequest("DELETE", fullURL, nil)
@@ -58,8 +65,10 @@ func HttpDelete(httpClient *http.Client, fullURL string, headers map[string]stri
 	return respStr, nil
 }
 
+// HttpGetter provides a low-level capability to send a HTTP GET request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
 func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
-
 	req, err := http.NewRequest("GET", fullURL, nil)
 	if err != nil {
 		return "", err
@@ -77,8 +86,10 @@ func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]stri
 	return respStr, nil
 }
 
+// HttpPost provides a low-level capability to send a HTTP POST request and serialize the response as a string.
+//
+// Deprecated: use methods of the KSCloudAPI client instead.
 func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
-
 	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
 	if err != nil {
 		return "", err
@@ -103,7 +114,7 @@ func setHeaders(req *http.Request, headers map[string]string) {
 	}
 }
 
-// HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
+// httpRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
 func httpRespToString(resp *http.Response) (string, error) {
 	if resp == nil || resp.Body == nil {
 		return "", nil
@@ -113,6 +124,7 @@ func httpRespToString(resp *http.Response) (string, error) {
 	if resp.ContentLength > 0 {
 		strBuilder.Grow(int(resp.ContentLength))
 	}
+
 	_, err := io.Copy(&strBuilder, resp.Body)
 	respStr := strBuilder.String()
 	if err != nil {

core/cautils/getter/getpoliciesutils_test.go

@@ -1,10 +1,12 @@
 package getter
 
 import (
+	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
 
+	beClient "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/stretchr/testify/require"
 )
 
@@ -66,3 +68,31 @@ func TestSaveInFile(t *testing.T) {
 		require.Error(t, SaveInFile(badPolicy, target))
 	})
 }
+
+func TestHttpMethods(t *testing.T) {
+	client := http.DefaultClient
+	hdrs := map[string]string{"key": "value"}
+
+	srv := beClient.MockAPIServer(t)
+	t.Cleanup(srv.Close)
+
+	t.Run("HttpGetter should GET", func(t *testing.T) {
+		resp, err := HttpGetter(client, srv.URL(pathTestGet), hdrs)
+		require.NoError(t, err)
+		require.EqualValues(t, "body-get", resp)
+	})
+
+	t.Run("HttpPost should POST", func(t *testing.T) {
+		body := []byte("body-post")
+
+		resp, err := HttpPost(client, srv.URL(pathTestPost), hdrs, body)
+		require.NoError(t, err)
+		require.EqualValues(t, string(body), resp)
+	})
+
+	t.Run("HttpDelete should DELETE", func(t *testing.T) {
+		resp, err := HttpDelete(client, srv.URL(pathTestDelete), hdrs)
+		require.NoError(t, err)
+		require.EqualValues(t, "body-delete", resp)
+	})
+}

core/cautils/getter/interfaces.go

@@ -0,0 +1,34 @@
+package getter
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+type (
+	// IPolicyGetter knows how to retrieve policies, i.e. frameworks and their controls.
+	IPolicyGetter interface {
+		GetFramework(name string) (*reporthandling.Framework, error)
+		GetFrameworks() ([]reporthandling.Framework, error)
+		GetControl(ID string) (*reporthandling.Control, error)
+
+		ListFrameworks() ([]string, error)
+		ListControls() ([]string, error)
+	}
+
+	// IExceptionsGetter knows how to retrieve exceptions.
+	IExceptionsGetter interface {
+		GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error)
+	}
+
+	// IControlsInputsGetter knows how to retrieve controls inputs.
+	IControlsInputsGetter interface {
+		GetControlsInputs(clusterName string) (map[string][]string, error)
+	}
+
+	// IAttackTracksGetter knows how to retrieve attack tracks.
+	IAttackTracksGetter interface {
+		GetAttackTracks() ([]v1alpha1.AttackTrack, error)
+	}
+)

core/cautils/getter/json.go

@@ -1,16 +1,13 @@
 package getter
 
 import (
+	"io"
 	"strings"
 
-	stdjson "encoding/json"
-
 	jsoniter "github.com/json-iterator/go"
 )
 
-var (
-	json jsoniter.API
-)
+var json jsoniter.API
 
 func init() {
 	// NOTE(fredbi): attention, this configuration rounds floats down to 6 digits
@@ -18,9 +15,24 @@ func init() {
 	json = jsoniter.ConfigFastest
 }
 
-// JSONDecoder returns JSON decoder for given string
-func JSONDecoder(origin string) *stdjson.Decoder {
-	dec := stdjson.NewDecoder(strings.NewReader(origin))
+// JSONDecoder provides a low-level utility that returns a JSON decoder for given string.
+//
+// Deprecated: use higher level methods from the KSCloudAPI client instead.
+func JSONDecoder(origin string) *jsoniter.Decoder {
+	dec := jsoniter.NewDecoder(strings.NewReader(origin))
 	dec.UseNumber()
+
 	return dec
 }
+
+func decode[T any](rdr io.Reader) (T, error) {
+	var receiver T
+	dec := newDecoder(rdr)
+	err := dec.Decode(&receiver)
+
+	return receiver, err
+}
+
+func newDecoder(rdr io.Reader) *jsoniter.Decoder {
+	return json.NewDecoder(rdr)
+}

core/cautils/getter/kscloudapi.go

@@ -1,379 +1,49 @@
 package getter
 
 import (
-	"bytes"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+	v1 "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 )
 
 var (
-	ksCloudERURL   = "report.armo.cloud"
-	ksCloudBEURL   = "api.armosec.io"
-	ksCloudFEURL   = "cloud.armosec.io"
-	ksCloudAUTHURL = "auth.armosec.io"
+	// globalKSCloudAPIConnector is a static global instance of the KS Cloud client,
+	// to be initialized with SetKSCloudAPIConnector.
+	globalKSCloudAPIConnector *v1.KSCloudAPI
 
-	ksCloudStageERURL   = "report-ks.eustage2.cyberarmorsoft.com"
-	ksCloudStageBEURL   = "api-stage.armosec.io"
-	ksCloudStageFEURL   = "armoui-stage.armosec.io"
-	ksCloudStageAUTHURL = "eggauth-stage.armosec.io"
-
-	ksCloudDevERURL   = "report.eudev3.cyberarmorsoft.com"
-	ksCloudDevBEURL   = "api-dev.armosec.io"
-	ksCloudDevFEURL   = "cloud-dev.armosec.io"
-	ksCloudDevAUTHURL = "eggauth-dev.armosec.io"
+	_ IPolicyGetter         = &v1.KSCloudAPI{}
+	_ IExceptionsGetter     = &v1.KSCloudAPI{}
+	_ IAttackTracksGetter   = &v1.KSCloudAPI{}
+	_ IControlsInputsGetter = &v1.KSCloudAPI{}
 )
 
-// KSCloudAPI allows accessing the API of the Kubescape Cloud offering
-type KSCloudAPI struct {
-	httpClient     *http.Client
-	cloudAPIURL    string
-	cloudAuthURL   string
-	cloudReportURL string
-	cloudUIURL     string
-	accountID      string
-	clientID       string
-	secretKey      string
-	authCookie     string
-	feToken        FeLoginResponse
-	loggedIn       bool
-}
-
-var globalKSCloudAPIConnector *KSCloudAPI
-
-func SetKSCloudAPIConnector(ksCloudAPI *KSCloudAPI) {
+// SetKSCloudAPIConnector registers a global instance of the KS Cloud client.
+//
+// NOTE: cannot be used concurrently.
+func SetKSCloudAPIConnector(ksCloudAPI *v1.KSCloudAPI) {
+	if ksCloudAPI != nil {
+		logger.L().Debug("setting global KS Cloud API connector",
+			helpers.String("accountID", ksCloudAPI.GetAccountID()),
+			helpers.String("cloudAPIURL", ksCloudAPI.GetCloudAPIURL()),
+			helpers.String("cloudReportURL", ksCloudAPI.GetCloudReportURL()))
+	} else {
+		logger.L().Debug("setting global KS Cloud API connector (nil)")
+	}
 	globalKSCloudAPIConnector = ksCloudAPI
 }
 
-func GetKSCloudAPIConnector() *KSCloudAPI {
+// GetKSCloudAPIConnector returns a shallow clone of the KS Cloud client registered for this package.
+//
+// NOTE: cannot be used concurrently with SetKSCloudAPIConnector.
+func GetKSCloudAPIConnector() *v1.KSCloudAPI {
 	if globalKSCloudAPIConnector == nil {
-		SetKSCloudAPIConnector(NewKSCloudAPIProd())
+		SetKSCloudAPIConnector(v1.NewEmptyKSCloudAPI())
 	}
-	return globalKSCloudAPIConnector
-}
-
-func NewKSCloudAPIDev() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudDevBEURL
-	apiObj.cloudAuthURL = ksCloudDevAUTHURL
-	apiObj.cloudReportURL = ksCloudDevERURL
-	apiObj.cloudUIURL = ksCloudDevFEURL
-
-	return apiObj
-}
-
-func NewKSCloudAPIProd() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudBEURL
-	apiObj.cloudReportURL = ksCloudERURL
-	apiObj.cloudUIURL = ksCloudFEURL
-	apiObj.cloudAuthURL = ksCloudAUTHURL
-
-	return apiObj
-}
-
-func NewKSCloudAPIStaging() *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudAPIURL = ksCloudStageBEURL
-	apiObj.cloudReportURL = ksCloudStageERURL
-	apiObj.cloudUIURL = ksCloudStageFEURL
-	apiObj.cloudAuthURL = ksCloudStageAUTHURL
-
-	return apiObj
-}
-
-func NewKSCloudAPICustomized(ksCloudERURL, ksCloudBEURL, ksCloudFEURL, ksCloudAUTHURL string) *KSCloudAPI {
-	apiObj := newKSCloudAPI()
-
-	apiObj.cloudReportURL = ksCloudERURL
-	apiObj.cloudAPIURL = ksCloudBEURL
-	apiObj.cloudUIURL = ksCloudFEURL
-	apiObj.cloudAuthURL = ksCloudAUTHURL
-
-	return apiObj
-}
-
-func newKSCloudAPI() *KSCloudAPI {
-	return &KSCloudAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
-		loggedIn:   false,
-	}
-}
-
-func (api *KSCloudAPI) Post(fullURL string, headers map[string]string, body []byte) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpPost(api.httpClient, fullURL, headers, body)
-}
-
-func (api *KSCloudAPI) Delete(fullURL string, headers map[string]string) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpDelete(api.httpClient, fullURL, headers)
-}
-func (api *KSCloudAPI) Get(fullURL string, headers map[string]string) (string, error) {
-	if headers == nil {
-		headers = make(map[string]string)
-	}
-	api.appendAuthHeaders(headers)
-	return HttpGetter(api.httpClient, fullURL, headers)
-}
-
-func (api *KSCloudAPI) GetAccountID() string      { return api.accountID }
-func (api *KSCloudAPI) IsLoggedIn() bool          { return api.loggedIn }
-func (api *KSCloudAPI) GetClientID() string       { return api.clientID }
-func (api *KSCloudAPI) GetSecretKey() string      { return api.secretKey }
-func (api *KSCloudAPI) GetCloudReportURL() string { return api.cloudReportURL }
-func (api *KSCloudAPI) GetCloudAPIURL() string    { return api.cloudAPIURL }
-func (api *KSCloudAPI) GetCloudUIURL() string     { return api.cloudUIURL }
-func (api *KSCloudAPI) GetCloudAuthURL() string   { return api.cloudAuthURL }
-
-func (api *KSCloudAPI) SetAccountID(accountID string)           { api.accountID = accountID }
-func (api *KSCloudAPI) SetClientID(clientID string)             { api.clientID = clientID }
-func (api *KSCloudAPI) SetSecretKey(secretKey string)           { api.secretKey = secretKey }
-func (api *KSCloudAPI) SetCloudReportURL(cloudReportURL string) { api.cloudReportURL = cloudReportURL }
-func (api *KSCloudAPI) SetCloudAPIURL(cloudAPIURL string)       { api.cloudAPIURL = cloudAPIURL }
-func (api *KSCloudAPI) SetCloudUIURL(cloudUIURL string)         { api.cloudUIURL = cloudUIURL }
-func (api *KSCloudAPI) SetCloudAuthURL(cloudAuthURL string)     { api.cloudAuthURL = cloudAuthURL }
-
-func (api *KSCloudAPI) GetAttackTracks() ([]v1alpha1.AttackTrack, error) {
-	respStr, err := api.Get(api.getAttackTracksURL(), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	attackTracks := []v1alpha1.AttackTrack{}
-	if err = JSONDecoder(respStr).Decode(&attackTracks); err != nil {
-		return nil, err
-	}
-
-	return attackTracks, err
-}
-
-func (api *KSCloudAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := api.Get(api.getFrameworkURL(name), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	framework := &reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(framework); err != nil {
-		return nil, err
-	}
-
-	return framework, err
-}
-
-func (api *KSCloudAPI) GetFrameworks() ([]reporthandling.Framework, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, nil
-	}
-
-	frameworks := []reporthandling.Framework{}
-	if err = JSONDecoder(respStr).Decode(&frameworks); err != nil {
-		return nil, err
-	}
-
-	return frameworks, err
-}
-
-func (api *KSCloudAPI) GetControl(ID string) (*reporthandling.Control, error) {
-	return nil, fmt.Errorf("control api is not public")
-}
-
-func (api *KSCloudAPI) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	exceptions := []armotypes.PostureExceptionPolicy{}
-
-	respStr, err := api.Get(api.getExceptionsURL(clusterName), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&exceptions); err != nil {
-		return nil, err
-	}
-
-	return exceptions, nil
-}
-
-func (api *KSCloudAPI) GetTenant() (*TenantResponse, error) {
-	url := api.getAccountURL()
-	if api.accountID != "" {
-		url = fmt.Sprintf("%s?customerGUID=%s", url, api.accountID)
-	}
-	respStr, err := api.Get(url, nil)
-	if err != nil {
-		return nil, err
-	}
-	tenant := &TenantResponse{}
-	if err = JSONDecoder(respStr).Decode(tenant); err != nil {
-		return nil, err
-	}
-	if tenant.TenantID != "" {
-		api.accountID = tenant.TenantID
-	}
-	return tenant, nil
-}
-
-// ControlsInputs  // map[<control name>][<input arguments>]
-func (api *KSCloudAPI) GetAccountConfig(clusterName string) (*armotypes.CustomerConfig, error) {
-	accountConfig := &armotypes.CustomerConfig{}
-	if api.accountID == "" {
-		return accountConfig, nil
-	}
-	respStr, err := api.Get(api.getAccountConfig(clusterName), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
-		// try with default scope
-		respStr, err = api.Get(api.getAccountConfigDefault(clusterName), nil)
-		if err != nil {
-			return nil, err
-		}
-		if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
-			return nil, err
-		}
-	}
-
-	return accountConfig, nil
-}
-
-// ControlsInputs  // map[<control name>][<input arguments>]
-func (api *KSCloudAPI) GetControlsInputs(clusterName string) (map[string][]string, error) {
-	accountConfig, err := api.GetAccountConfig(clusterName)
-	if err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
-	}
-	return nil, err
-}
-
-func (api *KSCloudAPI) ListCustomFrameworks() ([]string, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if !isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
-func (api *KSCloudAPI) ListFrameworks() ([]string, error) {
-	respStr, err := api.Get(api.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
-		} else {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
-func (api *KSCloudAPI) ListControls() ([]string, error) {
-	return nil, fmt.Errorf("control api is not public")
-}
-
-func (api *KSCloudAPI) PostExceptions(exceptions []armotypes.PostureExceptionPolicy) error {
-
-	for i := range exceptions {
-		ex, err := json.Marshal(exceptions[i])
-		if err != nil {
-			return err
-		}
-		_, err = api.Post(api.exceptionsURL(""), map[string]string{"Content-Type": "application/json"}, ex)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (api *KSCloudAPI) DeleteException(exceptionName string) error {
-
-	_, err := api.Delete(api.exceptionsURL(exceptionName), nil)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-func (api *KSCloudAPI) Login() error {
-	if api.accountID == "" {
-		return fmt.Errorf("failed to login, missing accountID")
-	}
-	if api.clientID == "" {
-		return fmt.Errorf("failed to login, missing clientID")
-	}
-	if api.secretKey == "" {
-		return fmt.Errorf("failed to login, missing secretKey")
-	}
-
-	// init URLs
-	feLoginData := FeLoginData{ClientId: api.clientID, Secret: api.secretKey}
-	body, _ := json.Marshal(feLoginData)
-
-	resp, err := http.Post(api.getApiToken(), "application/json", bytes.NewBuffer(body))
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("error authenticating: %d", resp.StatusCode)
-	}
-
-	responseBody, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	var feLoginResponse FeLoginResponse
-
-	if err = json.Unmarshal(responseBody, &feLoginResponse); err != nil {
-		return err
-	}
-	api.feToken = feLoginResponse
-
-	/* Now we have JWT */
-
-	api.authCookie, err = api.getAuthCookie()
-	if err != nil {
-		return err
-	}
-	api.loggedIn = true
-	return nil
+
+	// we return a shallow clone that may be freely modified by the caller.
+	client := *globalKSCloudAPIConnector
+	options := *globalKSCloudAPIConnector.KsCloudOptions
+	client.KsCloudOptions = &options
+
+	return &client
 }

core/cautils/getter/kscloudapi_mocks_test.go

@@ -1,273 +0,0 @@
-package getter
-
-import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/kubescape/opa-utils/reporthandling"
-	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-)
-
-func mockAttackTracks() []v1alpha1.AttackTrack {
-	return []v1alpha1.AttackTrack{
-		{
-			ApiVersion: "v1",
-			Kind:       "track",
-			Metadata:   map[string]interface{}{"label": "name"},
-			Spec: v1alpha1.AttackTrackSpecification{
-				Version:     "v2",
-				Description: "a mock",
-				Data: v1alpha1.AttackTrackStep{
-					Name:        "track1",
-					Description: "mock-step",
-					SubSteps: []v1alpha1.AttackTrackStep{
-						{
-							Name:        "track1",
-							Description: "mock-step",
-							Controls: []v1alpha1.IAttackTrackControl{
-								mockControlPtr("control-1"),
-							},
-						},
-					},
-					Controls: []v1alpha1.IAttackTrackControl{
-						mockControlPtr("control-2"),
-						mockControlPtr("control-3"),
-					},
-				},
-			},
-		},
-		{
-			ApiVersion: "v1",
-			Kind:       "track",
-			Metadata:   map[string]interface{}{"label": "stuff"},
-			Spec: v1alpha1.AttackTrackSpecification{
-				Version:     "v1",
-				Description: "another mock",
-				Data: v1alpha1.AttackTrackStep{
-					Name:        "track2",
-					Description: "mock-step2",
-					SubSteps: []v1alpha1.AttackTrackStep{
-						{
-							Name:        "track3",
-							Description: "mock-step",
-							Controls: []v1alpha1.IAttackTrackControl{
-								mockControlPtr("control-4"),
-							},
-						},
-					},
-					Controls: []v1alpha1.IAttackTrackControl{
-						mockControlPtr("control-5"),
-						mockControlPtr("control-6"),
-					},
-				},
-			},
-		},
-	}
-}
-
-func mockFrameworks() []reporthandling.Framework {
-	id1s := []string{"control-1", "control-2"}
-	id2s := []string{"control-3", "control-4"}
-	id3s := []string{"control-5", "control-6"}
-
-	return []reporthandling.Framework{
-		{
-			PortalBase: armotypes.PortalBase{
-				Name: "mock-1",
-			},
-			CreationTime: "now",
-			Description:  "mock-1",
-			Controls: []reporthandling.Control{
-				mockControl("control-1"),
-				mockControl("control-2"),
-			},
-			ControlsIDs: &id1s,
-			SubSections: map[string]*reporthandling.FrameworkSubSection{
-				"section1": {
-					ID:         "section-id",
-					ControlIDs: id1s,
-				},
-			},
-		},
-		{
-			PortalBase: armotypes.PortalBase{
-				Name: "mock-2",
-			},
-			CreationTime: "then",
-			Description:  "mock-2",
-			Controls: []reporthandling.Control{
-				mockControl("control-3"),
-				mockControl("control-4"),
-			},
-			ControlsIDs: &id2s,
-			SubSections: map[string]*reporthandling.FrameworkSubSection{
-				"section2": {
-					ID:         "section-id",
-					ControlIDs: id2s,
-				},
-			},
-		},
-		{
-			PortalBase: armotypes.PortalBase{
-				Name: "nsa",
-			},
-			CreationTime: "tomorrow",
-			Description:  "nsa mock",
-			Controls: []reporthandling.Control{
-				mockControl("control-5"),
-				mockControl("control-6"),
-			},
-			ControlsIDs: &id3s,
-			SubSections: map[string]*reporthandling.FrameworkSubSection{
-				"section2": {
-					ID:         "section-id",
-					ControlIDs: id3s,
-				},
-			},
-		},
-	}
-}
-
-func mockControl(controlID string) reporthandling.Control {
-	return reporthandling.Control{
-		ControlID: controlID,
-	}
-}
-func mockControlPtr(controlID string) *reporthandling.Control {
-	val := mockControl(controlID)
-
-	return &val
-}
-
-func mockExceptions() []armotypes.PostureExceptionPolicy {
-	return []armotypes.PostureExceptionPolicy{
-		{
-			PolicyType:   "postureExceptionPolicy",
-			CreationTime: "now",
-			Actions: []armotypes.PostureExceptionPolicyActions{
-				"alertOnly",
-			},
-			Resources: []armotypes.PortalDesignator{
-				{
-					DesignatorType: "Attributes",
-					Attributes: map[string]string{
-						"kind":      "Pod",
-						"name":      "coredns-[A-Za-z0-9]+-[A-Za-z0-9]+",
-						"namespace": "kube-system",
-					},
-				},
-				{
-					DesignatorType: "Attributes",
-					Attributes: map[string]string{
-						"kind":      "Pod",
-						"name":      "etcd-.*",
-						"namespace": "kube-system",
-					},
-				},
-			},
-			PosturePolicies: []armotypes.PosturePolicy{
-				{
-					FrameworkName: "MITRE",
-					ControlID:     "C-.*",
-				},
-				{
-					FrameworkName: "another-framework",
-					ControlID:     "a regexp",
-				},
-			},
-		},
-		{
-			PolicyType:   "postureExceptionPolicy",
-			CreationTime: "then",
-			Actions: []armotypes.PostureExceptionPolicyActions{
-				"alertOnly",
-			},
-			Resources: []armotypes.PortalDesignator{
-				{
-					DesignatorType: "Attributes",
-					Attributes: map[string]string{
-						"kind": "Deployment",
-						"name": "my-regexp",
-					},
-				},
-				{
-					DesignatorType: "Attributes",
-					Attributes: map[string]string{
-						"kind": "Secret",
-						"name": "another-regexp",
-					},
-				},
-			},
-			PosturePolicies: []armotypes.PosturePolicy{
-				{
-					FrameworkName: "yet-another-framework",
-					ControlID:     "a regexp",
-				},
-			},
-		},
-	}
-}
-
-func mockTenantResponse() *TenantResponse {
-	return &TenantResponse{
-		TenantID:  "id",
-		Token:     "token",
-		Expires:   "expiry-time",
-		AdminMail: "admin@example.com",
-	}
-}
-
-func mockCustomerConfig(cluster, scope string) func() *armotypes.CustomerConfig {
-	if cluster == "" {
-		cluster = "my-cluster"
-	}
-
-	if scope == "" {
-		scope = "default"
-	}
-
-	return func() *armotypes.CustomerConfig {
-		return &armotypes.CustomerConfig{
-			Name: "user",
-			Attributes: map[string]interface{}{
-				"label": "value",
-			},
-			Scope: armotypes.PortalDesignator{
-				DesignatorType: "Attributes",
-				Attributes: map[string]string{
-					"kind":  "Cluster",
-					"name":  cluster,
-					"scope": scope,
-				},
-			},
-			Settings: armotypes.Settings{
-				PostureControlInputs: map[string][]string{
-					"inputs-1": {"x1", "y2"},
-					"inputs-2": {"x2", "y2"},
-				},
-				PostureScanConfig: armotypes.PostureScanConfig{
-					ScanFrequency: armotypes.ScanFrequency("weekly"),
-				},
-				VulnerabilityScanConfig: armotypes.VulnerabilityScanConfig{
-					ScanFrequency:             armotypes.ScanFrequency("daily"),
-					CriticalPriorityThreshold: 1,
-					HighPriorityThreshold:     2,
-					MediumPriorityThreshold:   3,
-					ScanNewDeployment:         true,
-					AllowlistRegistries:       []string{"a", "b"},
-					BlocklistRegistries:       []string{"c", "d"},
-				},
-				SlackConfigurations: armotypes.SlackSettings{
-					Token: "slack-token",
-				},
-			},
-		}
-	}
-}
-
-func mockLoginResponse() *FeLoginResponse {
-	return &FeLoginResponse{
-		Token:        "access-token",
-		RefreshToken: "refresh-token",
-		Expires:      "expiry-time",
-		ExpiresIn:    123,
-	}
-}

core/cautils/getter/kscloudapiutils.go

@@ -1,199 +0,0 @@
-package getter
-
-import (
-	"bytes"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-)
-
-var NativeFrameworks = []string{"allcontrols", "nsa", "mitre"}
-
-func (api *KSCloudAPI) getFrameworkURL(frameworkName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if isNativeFramework(frameworkName) {
-		q.Add("frameworkName", strings.ToUpper(frameworkName))
-	} else {
-		// For customer framework has to be the way it was added
-		q.Add("frameworkName", frameworkName)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAttackTracksURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/attackTracks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getListFrameworkURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-func (api *KSCloudAPI) getExceptionsURL(clusterName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoPostureExceptions"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	// if clusterName != "" { // TODO - fix customer name support in Armo BE
-	// 	q.Add("clusterName", clusterName)
-	// }
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) exceptionsURL(exceptionsPolicyName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/postureExceptionPolicy"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if exceptionsPolicyName != "" { // for delete
-		q.Add("policyName", exceptionsPolicyName)
-	}
-
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAccountConfigDefault(clusterName string) string {
-	config := api.getAccountConfig(clusterName)
-	url := config + "&scope=customer"
-	return url
-}
-
-func (api *KSCloudAPI) getAccountConfig(clusterName string) string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/armoCustomerConfiguration"
-
-	q := u.Query()
-	q.Add("customerGUID", api.getCustomerGUIDFallBack())
-	if clusterName != "" { // TODO - fix customer name support in Armo BE
-		q.Add("clusterName", clusterName)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAccountURL() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/createTenant"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getApiToken() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAuthURL())
-	u.Path = "identity/resources/auth/v1/api-token"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getOpenidCustomers() string {
-	u := url.URL{}
-	u.Scheme, u.Host = parseHost(api.GetCloudAPIURL())
-	u.Path = "api/v1/openid_customers"
-	return u.String()
-}
-
-func (api *KSCloudAPI) getAuthCookie() (string, error) {
-	selectCustomer := KSCloudSelectCustomer{SelectedCustomerGuid: api.accountID}
-	requestBody, _ := json.Marshal(selectCustomer)
-	client := &http.Client{}
-	httpRequest, err := http.NewRequest(http.MethodPost, api.getOpenidCustomers(), bytes.NewBuffer(requestBody))
-	if err != nil {
-		return "", err
-	}
-	httpRequest.Header.Set("Content-Type", "application/json")
-	httpRequest.Header.Set("Authorization", fmt.Sprintf("Bearer %s", api.feToken.Token))
-	httpResponse, err := client.Do(httpRequest)
-	if err != nil {
-		return "", err
-	}
-	defer httpResponse.Body.Close()
-	if httpResponse.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("failed to get cookie from %s: status %d", api.getOpenidCustomers(), httpResponse.StatusCode)
-	}
-
-	cookies := httpResponse.Header.Get("set-cookie")
-	if len(cookies) == 0 {
-		return "", fmt.Errorf("no cookie field in response from %s", api.getOpenidCustomers())
-	}
-
-	authCookie := ""
-	for _, cookie := range strings.Split(cookies, ";") {
-		kv := strings.Split(cookie, "=")
-		if kv[0] == "auth" {
-			authCookie = kv[1]
-		}
-	}
-
-	if len(authCookie) == 0 {
-		return "", fmt.Errorf("no auth cookie field in response from %s", api.getOpenidCustomers())
-	}
-
-	return authCookie, nil
-}
-func (api *KSCloudAPI) appendAuthHeaders(headers map[string]string) {
-
-	if api.feToken.Token != "" {
-		headers["Authorization"] = fmt.Sprintf("Bearer %s", api.feToken.Token)
-	}
-	if api.authCookie != "" {
-		headers["Cookie"] = fmt.Sprintf("auth=%s", api.authCookie)
-	}
-}
-
-func (api *KSCloudAPI) getCustomerGUIDFallBack() string {
-	if api.accountID != "" {
-		return api.accountID
-	}
-	return "11111111-1111-1111-1111-111111111111"
-}
-
-func parseHost(host string) (string, string) {
-	if strings.HasPrefix(host, "http://") {
-		return "http", strings.Replace(host, "http://", "", 1)
-	}
-
-	// default scheme
-	return "https", strings.Replace(host, "https://", "", 1)
-}
-
-func isNativeFramework(framework string) bool {
-	return contains(NativeFrameworks, framework)
-}
-
-func contains(s []string, str string) bool {
-	for _, v := range s {
-		if strings.EqualFold(v, str) {
-			return true
-		}
-	}
-	return false
-}

core/cautils/getter/loadpolicy.go

@@ -24,9 +24,13 @@ var (
 	ErrIDRequired           = errors.New("missing required input control ID")
 	ErrFrameworkNotMatching = errors.New("framework from file not matching")
 	ErrControlNotMatching   = errors.New("framework from file not matching")
+)
 
-	_ IPolicyGetter     = &LoadPolicy{}
-	_ IExceptionsGetter = &LoadPolicy{}
+var (
+	_ IPolicyGetter         = &LoadPolicy{}
+	_ IExceptionsGetter     = &LoadPolicy{}
+	_ IAttackTracksGetter   = &LoadPolicy{}
+	_ IControlsInputsGetter = &LoadPolicy{}
 )
 
 func getCacheDir() string {

core/cautils/getter/loadpolicy_test.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"runtime"
 	"testing"
 
+	"github.com/kubescape/kubescape/v2/internal/testutils"
 	"github.com/stretchr/testify/require"
 )
 
@@ -387,7 +387,7 @@ func TestLoadPolicy(t *testing.T) {
 }
 
 func testFrameworkFile(framework string) string {
-	return filepath.Join(currentDir(), "testdata", fmt.Sprintf("%s.json", framework))
+	return filepath.Join(testutils.CurrentDir(), "testdata", fmt.Sprintf("%s.json", framework))
 }
 
 func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {
@@ -408,9 +408,3 @@ func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {
 
 	return fileName, mock
 }
-
-func currentDir() string {
-	_, filename, _, _ := runtime.Caller(1)
-
-	return filepath.Dir(filename)
-}

core/cautils/getter/testdata/MITRE.json

@@ -6,6 +6,7 @@
   },
   "creationTime": "",
   "description": "Testing MITRE for Kubernetes as suggested by microsoft in https://www.microsoft.com/security/blog/wp-content/uploads/2020/04/k8s-matrix.png",
+  "typeTags": ["compliance"],
   "controls": [
     {
       "guid": "",

core/cautils/getter/testdata/NSA.json

@@ -6,6 +6,7 @@
   },
   "creationTime": "",
   "description": "Implement NSA security advices for K8s ",
+  "typeTags": ["compliance"],
   "controls": [
     {
       "guid": "",

core/cautils/getter/testdata/policy.json

@@ -25789,7 +25789,7 @@
     },
     {
       "guid": "",
-      "name": "exclude-kubescape-host-scanner-resources",
+      "name": "exclude-host-scanner-resources",
       "attributes": {
         "systemException": true
       },
@@ -25804,7 +25804,7 @@
           "attributes": {
             "kind": "DaemonSet",
             "name": "host-scanner",
-            "namespace": "kubescape-host-scanner"
+            "namespace": "kubescape"
           }
         }
       ],

core/cautils/getter/utils.go

@@ -0,0 +1,15 @@
+package getter
+
+import (
+	"strings"
+)
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if strings.EqualFold(v, str) {
+			return true
+		}
+	}
+
+	return false
+}

core/cautils/normalize_image_name.go

@@ -0,0 +1,13 @@
+package cautils
+
+import (
+	"github.com/docker/distribution/reference"
+)
+
+func NormalizeImageName(img string) (string, error) {
+	name, err := reference.ParseNormalizedNamed(img)
+	if err != nil {
+		return "", err
+	}
+	return name.String(), nil
+}

core/cautils/normalize_image_name_test.go

@@ -0,0 +1,28 @@
+package cautils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_normalize_name(t *testing.T) {
+
+	tests := []struct {
+		name string
+		img  string
+		want string
+	}{
+		{
+			name: "Normalize image name",
+			img:  "nginx",
+			want: "docker.io/library/nginx",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			name, _ := NormalizeImageName(tt.img)
+			assert.Equal(t, tt.want, name, tt.name)
+		})
+	}
+}

core/cautils/reportv2tov1.go

@@ -3,6 +3,7 @@ package cautils
 import (
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
+	helpersv1 "github.com/kubescape/opa-utils/reporthandling/helpers/v1"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 )
 
@@ -54,10 +55,8 @@ func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, con
 		crv1.Remediation = crv2.Remediation
 
 		rulesv1 := map[string]reporthandling.RuleReport{}
-
-		iter := crv2.ListResourcesIDs().All()
-		for iter.HasNext() {
-			resourceID := iter.Next()
+		l := helpersv1.GetAllListsFromPool()
+		for resourceID := range crv2.ListResourcesIDs(l).All() {
 			if result, ok := opaSessionObj.ResourcesResult[resourceID]; ok {
 				for _, rulev2 := range result.ListRulesOfControl(crv2.GetID(), "") {
 
@@ -104,6 +103,7 @@ func controlReportV2ToV1(opaSessionObj *OPASessionObj, frameworkName string, con
 				}
 			}
 		}
+		helpersv1.PutAllListsToPool(l)
 		if len(rulesv1) > 0 {
 			for i := range rulesv1 {
 				crv1.RuleReports = append(crv1.RuleReports, rulesv1[i])

core/cautils/rootinfo.go

@@ -7,43 +7,24 @@ import (
 )
 
 type RootInfo struct {
-	Logger       string // logger level
-	LoggerName   string // logger name ("pretty"/"zap"/"none")
-	CacheDir     string // cached dir
-	DisableColor bool   // Disable Color
-	EnableColor  bool   // Force enable Color
-
-	KSCloudBEURLs    string // Kubescape Cloud URL
-	KSCloudBEURLsDep string // Kubescape Cloud URL
+	Logger             string // logger level
+	LoggerName         string // logger name ("pretty"/"zap"/"none")
+	CacheDir           string // cached dir
+	DisableColor       bool   // Disable Color
+	EnableColor        bool   // Force enable Color
+	DiscoveryServerURL string // Discovery Server URL  (See https://github.com/kubescape/backend/tree/main/pkg/servicediscovery)
+	KubeContext        string //  context name
 }
 type CloudURLs struct {
 	CloudReportURL string
 	CloudAPIURL    string
-	CloudUIURL     string
-	CloudAuthURL   string
 }
 
-type Credentials struct {
-	Account   string
-	ClientID  string
-	SecretKey string
-}
-
-// To check if the user's credentials: accountID / clientID / secretKey are valid.
-func (credentials *Credentials) Validate() error {
-
+// To check if the provided account ID is valid
+func ValidateAccountID(accountID string) error {
 	// Check if the Account-ID is valid
-	if _, err := uuid.Parse(credentials.Account); credentials.Account != "" && err != nil {
-		return fmt.Errorf("bad argument: account must be a valid UUID")
-	}
-	// Check if the Client-ID is valid
-	if _, err := uuid.Parse(credentials.ClientID); credentials.ClientID != "" && err != nil {
-		return fmt.Errorf("bad argument: account must be a valid UUID")
-	}
-
-	// Check if the Secret-Key is valid
-	if _, err := uuid.Parse(credentials.SecretKey); credentials.SecretKey != "" && err != nil {
-		return fmt.Errorf("bad argument: account must be a valid UUID")
+	if _, err := uuid.Parse(accountID); accountID != "" && err != nil {
+		return fmt.Errorf("bad argument: accound ID must be a valid UUID")
 	}
 
 	return nil

core/cautils/rootinfo_test.go

@@ -2,11 +2,9 @@ package cautils
 
 import "testing"
 
-func TestCredentials_Validate(t *testing.T) {
+func TestValidateAccountID(t *testing.T) {
 	type fields struct {
-		Account   string
-		ClientID  string
-		SecretKey string
+		Account string
 	}
 	tests := []struct {
 		name    string
@@ -27,44 +25,11 @@ func TestCredentials_Validate(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		{
-			name: "valid client ID",
-			fields: fields{
-				ClientID: "22019933-feac-4012-a8eb-e81461ba6655",
-			},
-			wantErr: false,
-		},
-		{
-			name: "invalid client ID",
-			fields: fields{
-				ClientID: "22019933-feac-4012-a8eb-e81461ba665",
-			},
-			wantErr: true,
-		},
-		{
-			name: "valid secret key",
-			fields: fields{
-				SecretKey: "22019933-feac-4012-a8eb-e81461ba6655",
-			},
-			wantErr: false,
-		},
-		{
-			name: "invalid secret key",
-			fields: fields{
-				SecretKey: "22019933-feac-4012-a8eb-e81461ba665",
-			},
-			wantErr: true,
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			credentials := &Credentials{
-				Account:   tt.fields.Account,
-				ClientID:  tt.fields.ClientID,
-				SecretKey: tt.fields.SecretKey,
-			}
-			if err := credentials.Validate(); (err != nil) != tt.wantErr {
-				t.Errorf("Credentials.Validate() error = %v, wantErr %v", err, tt.wantErr)
+			if err := ValidateAccountID(tt.fields.Account); (err != nil) != tt.wantErr {
+				t.Errorf("ValidateAccountID() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}

core/cautils/scaninfo.go

@@ -8,13 +8,13 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/armosec/armoapi-go/armotypes"
 	giturl "github.com/kubescape/go-git-url"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/reporthandling"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 
@@ -87,51 +87,57 @@ func (bpf *BoolPtrFlag) Set(val string) error {
 
 // TODO - UPDATE
 type ViewTypes string
+type EnvScopeTypes string
+type ManageClusterTypes string
 
 const (
 	ResourceViewType ViewTypes = "resource"
+	SecurityViewType ViewTypes = "security"
 	ControlViewType  ViewTypes = "control"
 )
 
 type PolicyIdentifier struct {
-	Identifier  string                        // policy Identifier e.g. c-0012 for control, nsa,mitre for frameworks
-	Kind        apisv1.NotificationPolicyKind // policy kind e.g. Framework,Control,Rule
-	Designators armotypes.PortalDesignator
+	Identifier string                        // policy Identifier e.g. c-0012 for control, nsa,mitre for frameworks
+	Kind       apisv1.NotificationPolicyKind // policy kind e.g. Framework,Control,Rule
 }
 
 type ScanInfo struct {
-	Getters                                  // TODO - remove from object
-	PolicyIdentifier      []PolicyIdentifier // TODO - remove from object
-	UseExceptions         string             // Load file with exceptions configuration
-	ControlsInputs        string             // Load file with inputs for controls
-	AttackTracks          string             // Load file with attack tracks
-	UseFrom               []string           // Load framework from local file (instead of download). Use when running offline
-	UseDefault            bool               // Load framework from cached file (instead of download). Use when running offline
-	UseArtifactsFrom      string             // Load artifacts from local path. Use when running offline
-	VerboseMode           bool               // Display all of the input resources and not only failed resources
-	View                  string             // Display all of the input resources and not only failed resources
-	Format                string             // Format results (table, json, junit ...)
-	Output                string             // Store results in an output file, Output file name
-	FormatVersion         string             // Output object can be different between versions, this is for testing and backward compatibility
-	CustomClusterName     string             // Set the custom name of the cluster
-	ExcludedNamespaces    string             // used for host scanner namespace
-	IncludeNamespaces     string             //
-	InputPatterns         []string           // Yaml files input patterns
-	Silent                bool               // Silent mode - Do not print progress logs
-	FailThreshold         float32            // Failure score threshold
-	FailThresholdSeverity string             // Severity at and above which the command should fail
-	Submit                bool               // Submit results to Kubescape Cloud BE
-	CreateAccount         bool               // Create account in Kubescape Cloud BE if no account found in local cache
-	ScanID                string             // Report id of the current scan
-	HostSensorEnabled     BoolPtrFlag        // Deploy Kubescape K8s host scanner to collect data from certain controls
-	HostSensorYamlPath    string             // Path to hostsensor file
-	Local                 bool               // Do not submit results
-	Credentials           Credentials        // account ID
-	KubeContext           string             // context name
-	FrameworkScan         bool               // false if scanning control
-	ScanAll               bool               // true if scan all frameworks
-	OmitRawResources      bool               // true if omit raw resources from the output
-	PrintAttackTree       bool               // true if print attack tree
+	Getters                                            // TODO - remove from object
+	PolicyIdentifier      []PolicyIdentifier           // TODO - remove from object
+	UseExceptions         string                       // Load file with exceptions configuration
+	ControlsInputs        string                       // Load file with inputs for controls
+	AttackTracks          string                       // Load file with attack tracks
+	UseFrom               []string                     // Load framework from local file (instead of download). Use when running offline
+	UseDefault            bool                         // Load framework from cached file (instead of download). Use when running offline
+	UseArtifactsFrom      string                       // Load artifacts from local path. Use when running offline
+	VerboseMode           bool                         // Display all of the input resources and not only failed resources
+	View                  string                       // Display all of the input resources and not only failed resources
+	Format                string                       // Format results (table, json, junit ...)
+	Output                string                       // Store results in an output file, Output file name
+	FormatVersion         string                       // Output object can be different between versions, this is for testing and backward compatibility
+	CustomClusterName     string                       // Set the custom name of the cluster
+	ExcludedNamespaces    string                       // used for host scanner namespace
+	IncludeNamespaces     string                       //
+	InputPatterns         []string                     // Yaml files input patterns
+	Silent                bool                         // Silent mode - Do not print progress logs
+	FailThreshold         float32                      // DEPRECATED - Failure score threshold
+	ComplianceThreshold   float32                      // Compliance score threshold
+	FailThresholdSeverity string                       // Severity at and above which the command should fail
+	Submit                bool                         // Submit results to Kubescape Cloud BE
+	ScanID                string                       // Report id of the current scan
+	HostSensorEnabled     BoolPtrFlag                  // Deploy Kubescape K8s host scanner to collect data from certain controls
+	HostSensorYamlPath    string                       // Path to hostsensor file
+	Local                 bool                         // Do not submit results
+	AccountID             string                       // account ID
+	FrameworkScan         bool                         // false if scanning control
+	ScanAll               bool                         // true if scan all frameworks
+	OmitRawResources      bool                         // true if omit raw resources from the output
+	PrintAttackTree       bool                         // true if print attack tree
+	ScanObject            *objectsenvelopes.ScanObject // identifies a single resource (k8s object) to be scanned
+	ScanType              ScanTypes
+	ScanImages            bool
+	ChartPath             string
+	FilePath              string
 }
 
 type Getters struct {
@@ -203,6 +209,10 @@ func (scanInfo *ScanInfo) Formats() []string {
 	}
 }
 
+func (scanInfo *ScanInfo) SetScanType(scanType ScanTypes) {
+	scanInfo.ScanType = scanType
+}
+
 func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind apisv1.NotificationPolicyKind) {
 	for _, policy := range policies {
 		if !scanInfo.contains(policy) {
@@ -226,7 +236,7 @@ func (scanInfo *ScanInfo) contains(policyName string) bool {
 func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthandlingv2.Metadata {
 	metadata := &reporthandlingv2.Metadata{}
 
-	metadata.ScanMetadata.Format = scanInfo.Format
+	metadata.ScanMetadata.Formats = []string{scanInfo.Format}
 	metadata.ScanMetadata.FormatVersion = scanInfo.FormatVersion
 	metadata.ScanMetadata.Submit = scanInfo.Submit
 
@@ -250,6 +260,7 @@ func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthand
 	metadata.ScanMetadata.KubescapeVersion = BuildNumber
 	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
 	metadata.ScanMetadata.FailThreshold = scanInfo.FailThreshold
+	metadata.ScanMetadata.ComplianceThreshold = scanInfo.ComplianceThreshold
 	metadata.ScanMetadata.HostScanner = scanInfo.HostSensorEnabled.GetBool()
 	metadata.ScanMetadata.VerboseMode = scanInfo.VerboseMode
 	metadata.ScanMetadata.ControlsInputs = scanInfo.ControlsInputs
@@ -283,11 +294,10 @@ func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthand
 }
 
 func (scanInfo *ScanInfo) GetScanningContext() ScanningContext {
-	input := ""
 	if len(scanInfo.InputPatterns) > 0 {
-		input = scanInfo.InputPatterns[0]
+		return GetScanningContext(scanInfo.InputPatterns[0])
 	}
-	return GetScanningContext(input)
+	return GetScanningContext("")
 }
 
 // GetScanningContext get scanning context from the input param
@@ -339,11 +349,30 @@ func setContextMetadata(ctx context.Context, contextMetadata *reporthandlingv2.C
 			BasePath: getAbsPath(input),
 			HostName: getHostname(),
 		}
+		// add repo context for submitting
+		contextMetadata.RepoContextMetadata = &reporthandlingv2.RepoContextMetadata{
+			Provider:      "none",
+			Repo:          fmt.Sprintf("path@%s", getAbsPath(input)),
+			Owner:         getHostname(),
+			Branch:        "none",
+			DefaultBranch: "none",
+			LocalRootPath: getAbsPath(input),
+		}
+
 	case ContextFile:
 		contextMetadata.FileContextMetadata = &reporthandlingv2.FileContextMetadata{
 			FilePath: getAbsPath(input),
 			HostName: getHostname(),
 		}
+		// add repo context for submitting
+		contextMetadata.RepoContextMetadata = &reporthandlingv2.RepoContextMetadata{
+			Provider:      "none",
+			Repo:          fmt.Sprintf("file@%s", getAbsPath(input)),
+			Owner:         getHostname(),
+			Branch:        "none",
+			DefaultBranch: "none",
+			LocalRootPath: getAbsPath(input),
+		}
 	case ContextGitLocal:
 		// local
 		context, err := metadataGitLocal(input)

core/cautils/scaninfo_test.go

@@ -2,6 +2,8 @@ package cautils
 
 import (
 	"context"
+	"os"
+	"path/filepath"
 	"testing"
 
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
@@ -23,13 +25,11 @@ func TestSetContextMetadata(t *testing.T) {
 	/*{
 		ctx := reporthandlingv2.ContextMetadata{}
 		setContextMetadata(&ctx, "https://github.com/kubescape/kubescape")
-
 		assert.Nil(t, ctx.ClusterContextMetadata)
 		assert.Nil(t, ctx.DirectoryContextMetadata)
 		assert.Nil(t, ctx.FileContextMetadata)
 		assert.Nil(t, ctx.HelmContextMetadata)
 		assert.NotNil(t, ctx.RepoContextMetadata)
-
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Repo)
 		assert.Equal(t, "kubescape", ctx.RepoContextMetadata.Owner)
 		assert.Equal(t, "master", ctx.RepoContextMetadata.Branch)
@@ -37,12 +37,18 @@ func TestSetContextMetadata(t *testing.T) {
 }
 
 func TestGetHostname(t *testing.T) {
+	// Test that the hostname is not empty
 	assert.NotEqual(t, "", getHostname())
 }
 
 func TestGetScanningContext(t *testing.T) {
+	// Test with empty input
 	assert.Equal(t, ContextCluster, GetScanningContext(""))
+
+	// Test with Git URL input
 	assert.Equal(t, ContextGitURL, GetScanningContext("https://github.com/kubescape/kubescape"))
+
+	// TODO: Add more tests with other input types
 }
 
 func TestScanInfoFormats(t *testing.T) {
@@ -71,3 +77,30 @@ func TestScanInfoFormats(t *testing.T) {
 		})
 	}
 }
+
+func TestGetScanningContextWithFile(t *testing.T) {
+	// Test with a file
+	dir, err := os.MkdirTemp("", "example")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	filePath := filepath.Join(dir, "file.txt")
+	if _, err := os.Create(filePath); err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, ContextFile, GetScanningContext(filePath))
+}
+
+func TestGetScanningContextWithDir(t *testing.T) {
+	// Test with a directory
+	dir, err := os.MkdirTemp("", "example")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	assert.Equal(t, ContextDir, GetScanningContext(dir))
+}

core/cautils/strutils.go

@@ -2,11 +2,12 @@ package cautils
 
 import (
 	"fmt"
+	"os"
+	"sort"
+	"strconv"
 	"strings"
 )
 
-const ValueNotFound = -1
-
 func ConvertLabelsToString(labels map[string]string) string {
 	labelsStr := ""
 	delimiter := ""
@@ -34,11 +35,31 @@ func ConvertStringToLabels(labelsStr string) map[string]string {
 	return labels
 }
 
-func StringInSlice(strSlice []string, str string) int {
-	for i := range strSlice {
-		if strSlice[i] == str {
-			return i
+func StringSlicesAreEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	sort.Strings(a)
+	sort.Strings(b)
+	for i := range a {
+		if a[i] != b[i] {
+			return false
 		}
 	}
-	return ValueNotFound
+	return true
+}
+
+func ParseIntEnvVar(varName string, defaultValue int) (int, error) {
+	varValue, exists := os.LookupEnv(varName)
+	if !exists {
+		return defaultValue, nil
+	}
+
+	intValue, err := strconv.Atoi(varValue)
+	if err != nil {
+		return defaultValue, fmt.Errorf("failed to parse %s env var as int: %w", varName, err)
+	}
+
+	return intValue, nil
 }

core/cautils/strutils_test.go

@@ -2,8 +2,11 @@ package cautils
 
 import (
 	"fmt"
+	"os"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestConvertLabelsToString(t *testing.T) {
@@ -33,3 +36,102 @@ func TestConvertStringToLabels(t *testing.T) {
 		t.Errorf("%s != %s", fmt.Sprintf("%v", rstrMap), fmt.Sprintf("%v", strMap))
 	}
 }
+
+func TestParseIntEnvVar(t *testing.T) {
+	testCases := []struct {
+		expectedErr  string
+		name         string
+		varName      string
+		varValue     string
+		defaultValue int
+		expected     int
+	}{
+		{
+			name:         "Variable does not exist",
+			varName:      "DOES_NOT_EXIST",
+			varValue:     "",
+			defaultValue: 123,
+			expected:     123,
+			expectedErr:  "",
+		},
+		{
+			name:         "Variable exists and is a valid integer",
+			varName:      "MY_VAR",
+			varValue:     "456",
+			defaultValue: 123,
+			expected:     456,
+			expectedErr:  "",
+		},
+		{
+			name:         "Variable exists but is not a valid integer",
+			varName:      "MY_VAR",
+			varValue:     "not_an_integer",
+			defaultValue: 123,
+			expected:     123,
+			expectedErr:  "failed to parse MY_VAR env var as int",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.varValue != "" {
+				os.Setenv(tc.varName, tc.varValue)
+			} else {
+				os.Unsetenv(tc.varName)
+			}
+
+			actual, err := ParseIntEnvVar(tc.varName, tc.defaultValue)
+			if tc.expectedErr != "" {
+				assert.NotNil(t, err)
+				assert.ErrorContains(t, err, tc.expectedErr)
+			} else {
+				assert.Nil(t, err)
+			}
+
+			assert.Equalf(t, tc.expected, actual, "unexpected result")
+		})
+	}
+}
+
+func TestStringSlicesAreEqual(t *testing.T) {
+	tt := []struct {
+		name string
+		a    []string
+		b    []string
+		want bool
+	}{
+		{
+			name: "equal unsorted slices",
+			a:    []string{"foo", "bar", "baz"},
+			b:    []string{"baz", "foo", "bar"},
+			want: true,
+		},
+		{
+			name: "equal sorted slices",
+			a:    []string{"bar", "baz", "foo"},
+			b:    []string{"bar", "baz", "foo"},
+			want: true,
+		},
+		{
+			name: "unequal slices",
+			a:    []string{"foo", "bar", "baz"},
+			b:    []string{"foo", "bar", "qux"},
+			want: false,
+		},
+		{
+			name: "different length slices",
+			a:    []string{"foo", "bar", "baz"},
+			b:    []string{"foo", "bar"},
+			want: false,
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			got := StringSlicesAreEqual(tc.a, tc.b)
+			if got != tc.want {
+				t.Errorf("StringSlicesAreEqual(%v, %v) = %v; want %v", tc.a, tc.b, got, tc.want)
+			}
+		})
+	}
+}

core/cautils/versioncheck.go

@@ -31,7 +31,7 @@ type IVersionCheckHandler interface {
 
 func NewIVersionCheckHandler(ctx context.Context) IVersionCheckHandler {
 	if BuildNumber == "" {
-		logger.L().Ctx(ctx).Warning("unknown build number, this might affect your scan results. Please make sure you are updated to latest version")
+		logger.L().Ctx(ctx).Warning("Unknown build number, this might affect your scan results. Please make sure that you are running the latest version")
 	}
 
 	if v, ok := os.LookupEnv(CLIENT_ENV); ok && v != "" {

core/cautils/workloadmappingutils.go

@@ -27,13 +27,14 @@ var (
 		cloudapis.CloudProviderDescribeKind,
 		cloudapis.CloudProviderDescribeRepositoriesKind,
 		cloudapis.CloudProviderListEntitiesForPoliciesKind,
+		cloudapis.CloudProviderPolicyVersionKind,
 		string(cloudsupport.TypeApiServerInfo),
 	}
 )
 
-func MapKSResource(ksResourceMap *KSResources, resources []string) []string {
+func MapExternalResource(externalResourceMap ExternalResources, resources []string) []string {
 	var hostResources []string
-	for k := range *ksResourceMap {
+	for k := range externalResourceMap {
 		for _, resource := range resources {
 			if strings.Contains(k, resource) {
 				hostResources = append(hostResources, k)
@@ -43,16 +44,16 @@ func MapKSResource(ksResourceMap *KSResources, resources []string) []string {
 	return hostResources
 }
 
-func MapHostResources(ksResourceMap *KSResources) []string {
-	return MapKSResource(ksResourceMap, HostSensorResources)
+func MapHostResources(externalResourceMap ExternalResources) []string {
+	return MapExternalResource(externalResourceMap, HostSensorResources)
 }
 
-func MapImageVulnResources(ksResourceMap *KSResources) []string {
-	return MapKSResource(ksResourceMap, ImageVulnResources)
+func MapImageVulnResources(externalResourceMap ExternalResources) []string {
+	return MapExternalResource(externalResourceMap, ImageVulnResources)
 }
 
-func MapCloudResources(ksResourceMap *KSResources) []string {
-	return MapKSResource(ksResourceMap, CloudResources)
+func MapCloudResources(externalResourceMap ExternalResources) []string {
+	return MapExternalResource(externalResourceMap, CloudResources)
 }
 
 func SetInfoMapForResources(info string, resources []string, errorMap map[string]apis.StatusInfo) {

core/core/cachedconfig.go

@@ -4,47 +4,35 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 )
 
 func (ks *Kubescape) SetCachedConfig(setConfig *metav1.SetConfig) error {
-
-	tenant := getTenantConfig(nil, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig("", "", "", nil)
 
 	if setConfig.Account != "" {
 		tenant.GetConfigObj().AccountID = setConfig.Account
 	}
-	if setConfig.SecretKey != "" {
-		tenant.GetConfigObj().SecretKey = setConfig.SecretKey
-	}
-	if setConfig.ClientID != "" {
-		tenant.GetConfigObj().ClientID = setConfig.ClientID
-	}
 	if setConfig.CloudAPIURL != "" {
 		tenant.GetConfigObj().CloudAPIURL = setConfig.CloudAPIURL
 	}
-	if setConfig.CloudAuthURL != "" {
-		tenant.GetConfigObj().CloudAuthURL = setConfig.CloudAuthURL
-	}
 	if setConfig.CloudReportURL != "" {
 		tenant.GetConfigObj().CloudReportURL = setConfig.CloudReportURL
 	}
-	if setConfig.CloudUIURL != "" {
-		tenant.GetConfigObj().CloudUIURL = setConfig.CloudUIURL
-	}
 
 	return tenant.UpdateCachedConfig()
 }
 
 // View cached configurations
 func (ks *Kubescape) ViewCachedConfig(viewConfig *metav1.ViewConfig) error {
-	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
+	tenant := cautils.GetTenantConfig("", "", "", getKubernetesApi()) // change k8sinterface
 	fmt.Fprintf(viewConfig.Writer, "%s\n", tenant.GetConfigObj().Config())
 	return nil
 }
 
 func (ks *Kubescape) DeleteCachedConfig(ctx context.Context, deleteConfig *metav1.DeleteConfig) error {
 
-	tenant := getTenantConfig(nil, "", "", getKubernetesApi()) // change k8sinterface
+	tenant := cautils.GetTenantConfig("", "", "", nil) // change k8sinterface
 	return tenant.DeleteCachedConfig(ctx)
 }

core/core/config_scan.go

@@ -7,6 +7,7 @@ import (
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/pkg/hostsensorutils"
@@ -17,8 +18,10 @@ import (
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/printer"
 	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter"
+	"github.com/kubescape/kubescape/v2/pkg/imagescan"
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"go.opentelemetry.io/otel"
+	"golang.org/x/exp/slices"
 
 	"github.com/kubescape/opa-utils/resources"
 )
@@ -27,13 +30,13 @@ type componentInterfaces struct {
 	tenantConfig      cautils.ITenantConfig
 	resourceHandler   resourcehandler.IResourceHandler
 	report            reporter.IReport
-	outputPrinters    []printer.IPrinter
 	uiPrinter         printer.IPrinter
 	hostSensorHandler hostsensorutils.IHostSensor
+	outputPrinters    []printer.IPrinter
 }
 
 func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInterfaces {
-	ctx, span := otel.Tracer("").Start(ctx, "getInterfaces")
+	ctx, span := otel.Tracer("").Start(ctx, "setup interfaces")
 	defer span.End()
 
 	// ================== setup k8s interface object ======================================
@@ -46,23 +49,17 @@ func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInt
 	}
 
 	// ================== setup tenant object ======================================
-	ctxTenant, spanTenant := otel.Tracer("").Start(ctx, "setup tenant")
-	tenantConfig := getTenantConfig(&scanInfo.Credentials, k8sinterface.GetContextName(), scanInfo.CustomClusterName, k8s)
+	tenantConfig := cautils.GetTenantConfig(scanInfo.AccountID, k8sinterface.GetContextName(), scanInfo.CustomClusterName, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
 
 	if scanInfo.Submit {
 		// submit - Create tenant & Submit report
-		if err := tenantConfig.SetTenant(); err != nil {
-			logger.L().Ctx(ctxTenant).Error(err.Error())
-		}
-
 		if scanInfo.OmitRawResources {
 			logger.L().Ctx(ctx).Warning("omit-raw-resources flag will be ignored in submit mode")
 		}
 	}
-	spanTenant.End()
 
 	// ================== version testing ======================================
 
@@ -74,37 +71,23 @@ func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInt
 	hostSensorHandler := getHostSensorHandler(ctx, scanInfo, k8s)
 	if err := hostSensorHandler.Init(ctxHostScanner); err != nil {
 		logger.L().Ctx(ctxHostScanner).Error("failed to init host scanner", helpers.Error(err))
-		hostSensorHandler = &hostsensorutils.HostSensorHandlerMock{}
+		hostSensorHandler = hostsensorutils.NewHostSensorHandlerMock()
 	}
 	spanHostScanner.End()
 
-	// ================== setup registry adaptors ======================================
-
-	registryAdaptors, err := resourcehandler.NewRegistryAdaptors()
-	if err != nil {
-		logger.L().Ctx(ctx).Error("failed to initialize registry adaptors", helpers.Error(err))
-	}
-
 	// ================== setup resource collector object ======================================
 
-	resourceHandler := getResourceHandler(ctx, scanInfo, tenantConfig, k8s, hostSensorHandler, registryAdaptors)
+	resourceHandler := getResourceHandler(ctx, scanInfo, tenantConfig, k8s, hostSensorHandler)
 
 	// ================== setup reporter & printer objects ======================================
 
 	// reporting behavior - setup reporter
-	reportHandler := getReporter(ctx, tenantConfig, scanInfo.ScanID, scanInfo.Submit, scanInfo.FrameworkScan, scanInfo.GetScanningContext())
+	reportHandler := getReporter(ctx, tenantConfig, scanInfo.ScanID, scanInfo.Submit, scanInfo.FrameworkScan, *scanInfo)
 
 	// setup printers
-	formats := scanInfo.Formats()
+	outputPrinters := GetOutputPrinters(scanInfo, ctx, tenantConfig.GetContextName())
 
-	outputPrinters := make([]printer.IPrinter, 0)
-	for _, format := range formats {
-		printerHandler := resultshandling.NewPrinter(ctx, format, scanInfo.FormatVersion, scanInfo.PrintAttackTree, scanInfo.VerboseMode, cautils.ViewTypes(scanInfo.View))
-		printerHandler.SetWriter(ctx, scanInfo.Output)
-		outputPrinters = append(outputPrinters, printerHandler)
-	}
-
-	uiPrinter := getUIPrinter(ctx, scanInfo.VerboseMode, scanInfo.FormatVersion, scanInfo.PrintAttackTree, cautils.ViewTypes(scanInfo.View))
+	uiPrinter := GetUIPrinter(ctx, scanInfo, tenantConfig.GetContextName())
 
 	// ================== return interface ======================================
 
@@ -118,29 +101,39 @@ func getInterfaces(ctx context.Context, scanInfo *cautils.ScanInfo) componentInt
 	}
 }
 
+func GetOutputPrinters(scanInfo *cautils.ScanInfo, ctx context.Context, clusterName string) []printer.IPrinter {
+	formats := scanInfo.Formats()
+
+	outputPrinters := make([]printer.IPrinter, 0)
+	for _, format := range formats {
+		if err := resultshandling.ValidatePrinter(scanInfo.ScanType, scanInfo.GetScanningContext(), format); err != nil {
+			logger.L().Ctx(ctx).Fatal(err.Error())
+		}
+
+		printerHandler := resultshandling.NewPrinter(ctx, format, scanInfo.FormatVersion, scanInfo.PrintAttackTree, scanInfo.VerboseMode, cautils.ViewTypes(scanInfo.View), clusterName)
+		printerHandler.SetWriter(ctx, scanInfo.Output)
+		outputPrinters = append(outputPrinters, printerHandler)
+	}
+	return outputPrinters
+}
+
 func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*resultshandling.ResultsHandler, error) {
-	ctx, spanScan := otel.Tracer("").Start(ctx, "kubescape.Scan")
-	defer spanScan.End()
-	logger.L().Info("Kubescape scanner starting")
+	ctxInit, spanInit := otel.Tracer("").Start(ctx, "initialization")
+	logger.L().Start("Kubescape scanner initializing")
 
 	// ===================== Initialization =====================
-	ctxInit, spanInit := otel.Tracer("").Start(ctx, "initialization")
 	scanInfo.Init(ctxInit) // initialize scan info
 
 	interfaces := getInterfaces(ctxInit, scanInfo)
-
-	cautils.ClusterName = interfaces.tenantConfig.GetContextName() // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.tenantConfig.GetAccountID()  // TODO - Deprecated
-	interfaces.report.SetClusterName(interfaces.tenantConfig.GetContextName())
-	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetAccountID())
+	interfaces.report.SetTenantConfig(interfaces.tenantConfig)
 
 	downloadReleasedPolicy := getter.NewDownloadReleasedPolicy() // download config inputs from github release
 
 	// set policy getter only after setting the customerGUID
-	scanInfo.Getters.PolicyGetter = getPolicyGetter(ctx, scanInfo.UseFrom, interfaces.tenantConfig.GetTenantEmail(), scanInfo.FrameworkScan, downloadReleasedPolicy)
-	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(ctx, scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
-	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(ctx, scanInfo.UseExceptions, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
-	scanInfo.Getters.AttackTracksGetter = getAttackTracksGetter(ctx, scanInfo.AttackTracks, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
+	scanInfo.Getters.PolicyGetter = getPolicyGetter(ctxInit, scanInfo.UseFrom, interfaces.tenantConfig.GetAccountID(), scanInfo.FrameworkScan, downloadReleasedPolicy)
+	scanInfo.Getters.ControlsInputsGetter = getConfigInputsGetter(ctxInit, scanInfo.ControlsInputs, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
+	scanInfo.Getters.ExceptionsGetter = getExceptionsGetter(ctxInit, scanInfo.UseExceptions, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
+	scanInfo.Getters.AttackTracksGetter = getAttackTracksGetter(ctxInit, scanInfo.AttackTracks, interfaces.tenantConfig.GetAccountID(), downloadReleasedPolicy)
 
 	// TODO - list supported frameworks/controls
 	if scanInfo.ScanAll {
@@ -150,41 +143,62 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 	// remove host scanner components
 	defer func() {
 		if err := interfaces.hostSensorHandler.TearDown(); err != nil {
-			logger.L().Ctx(ctxInit).Error("failed to tear down host scanner", helpers.Error(err))
+			logger.L().Ctx(ctx).StopError("Failed to tear down host scanner", helpers.Error(err))
 		}
 	}()
 
-	resultsHandling := resultshandling.NewResultsHandler(interfaces.report, interfaces.outputPrinters, interfaces.uiPrinter)
-	spanInit.End()
+	logger.L().StopSuccess("Initialized scanner")
 
-	// ===================== policies & resources =====================
-	ctxPolicies, spanPolicies := otel.Tracer("").Start(ctx, "policies & resources")
-	policyHandler := policyhandler.NewPolicyHandler(interfaces.resourceHandler)
-	scanData, err := policyHandler.CollectResources(ctxPolicies, scanInfo.PolicyIdentifier, scanInfo)
+	resultsHandling := resultshandling.NewResultsHandler(interfaces.report, interfaces.outputPrinters, interfaces.uiPrinter)
+
+	// ===================== policies =====================
+	ctxPolicies, spanPolicies := otel.Tracer("").Start(ctxInit, "policies")
+	policyHandler := policyhandler.NewPolicyHandler(interfaces.tenantConfig.GetContextName())
+	scanData, err := policyHandler.CollectPolicies(ctxPolicies, scanInfo.PolicyIdentifier, scanInfo)
 	if err != nil {
+		spanInit.End()
 		return resultsHandling, err
 	}
 	spanPolicies.End()
 
+	// ===================== resources =====================
+	ctxResources, spanResources := otel.Tracer("").Start(ctxInit, "resources")
+	err = resourcehandler.CollectResources(ctxResources, interfaces.resourceHandler, scanInfo.PolicyIdentifier, scanData, cautils.NewProgressHandler(""), scanInfo)
+	if err != nil {
+		spanInit.End()
+		return resultsHandling, err
+	}
+	spanResources.End()
+	spanInit.End()
+
 	// ========================= opa testing =====================
 	ctxOpa, spanOpa := otel.Tracer("").Start(ctx, "opa testing")
+	defer spanOpa.End()
+
 	deps := resources.NewRegoDependenciesData(k8sinterface.GetK8sConfig(), interfaces.tenantConfig.GetContextName())
-	reportResults := opaprocessor.NewOPAProcessor(scanData, deps)
-	if err := reportResults.ProcessRulesListenner(ctxOpa, cautils.NewProgressHandler("")); err != nil {
+	reportResults := opaprocessor.NewOPAProcessor(scanData, deps, interfaces.tenantConfig.GetContextName())
+	if err = reportResults.ProcessRulesListener(ctxOpa, cautils.NewProgressHandler(""), scanInfo); err != nil {
 		// TODO - do something
 		return resultsHandling, fmt.Errorf("%w", err)
 	}
-	spanOpa.End()
 
 	// ======================== prioritization ===================
-	_, spanPrioritization := otel.Tracer("").Start(ctx, "prioritization")
-	if priotizationHandler, err := resourcesprioritization.NewResourcesPrioritizationHandler(ctx, scanInfo.Getters.AttackTracksGetter, scanInfo.PrintAttackTree); err != nil {
-		logger.L().Ctx(ctx).Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
-	} else if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
-		return resultsHandling, fmt.Errorf("%w", err)
+	if scanInfo.PrintAttackTree || isPrioritizationScanType(scanInfo.ScanType) {
+		_, spanPrioritization := otel.Tracer("").Start(ctxOpa, "prioritization")
+		if priotizationHandler, err := resourcesprioritization.NewResourcesPrioritizationHandler(ctxOpa, scanInfo.Getters.AttackTracksGetter, scanInfo.PrintAttackTree); err != nil {
+			logger.L().Ctx(ctx).Warning("failed to get attack tracks, this may affect the scanning results", helpers.Error(err))
+		} else if err := priotizationHandler.PrioritizeResources(scanData); err != nil {
+			return resultsHandling, fmt.Errorf("%w", err)
+		}
+		if err == nil && isPrioritizationScanType(scanInfo.ScanType) {
+			scanData.SetTopWorkloads()
+		}
+		spanPrioritization.End()
 	}
-	spanPrioritization.End()
 
+	if scanInfo.ScanImages {
+		scanImages(scanInfo.ScanType, scanData, ctx, resultsHandling)
+	}
 	// ========================= results handling =====================
 	resultsHandling.SetData(scanData)
 
@@ -194,3 +208,62 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 
 	return resultsHandling, nil
 }
+
+func scanImages(scanType cautils.ScanTypes, scanData *cautils.OPASessionObj, ctx context.Context, resultsHandling *resultshandling.ResultsHandler) {
+	imagesToScan := []string{}
+
+	if scanType == cautils.ScanTypeWorkload {
+		containers, err := workloadinterface.NewWorkloadObj(scanData.SingleResourceScan.GetObject()).GetContainers()
+		if err != nil {
+			logger.L().Error("failed to get containers", helpers.Error(err))
+			return
+		}
+		for _, container := range containers {
+			if !slices.Contains(imagesToScan, container.Image) {
+				imagesToScan = append(imagesToScan, container.Image)
+			}
+		}
+	} else {
+		for _, workload := range scanData.AllResources {
+			containers, err := workloadinterface.NewWorkloadObj(workload.GetObject()).GetContainers()
+			if err != nil {
+				logger.L().Error(fmt.Sprintf("failed to get containers for kind: %s, name: %s, namespace: %s", workload.GetKind(), workload.GetName(), workload.GetNamespace()), helpers.Error(err))
+				continue
+			}
+			for _, container := range containers {
+				if !slices.Contains(imagesToScan, container.Image) {
+					imagesToScan = append(imagesToScan, container.Image)
+				}
+			}
+		}
+	}
+
+	dbCfg, _ := imagescan.NewDefaultDBConfig()
+	svc := imagescan.NewScanService(dbCfg)
+
+	for _, img := range imagesToScan {
+		logger.L().Start("Scanning", helpers.String("image", img))
+		if err := scanSingleImage(ctx, img, svc, resultsHandling); err != nil {
+			logger.L().StopError("failed to scan", helpers.String("image", img), helpers.Error(err))
+		}
+		logger.L().StopSuccess("Scanned successfully", helpers.String("image", img))
+	}
+}
+
+func scanSingleImage(ctx context.Context, img string, svc imagescan.Service, resultsHandling *resultshandling.ResultsHandler) error {
+
+	scanResults, err := svc.Scan(ctx, img, imagescan.RegistryCredentials{})
+	if err != nil {
+		return err
+	}
+
+	resultsHandling.ImageScanData = append(resultsHandling.ImageScanData, cautils.ImageScanData{
+		Image:           img,
+		PresenterConfig: scanResults,
+	})
+	return nil
+}
+
+func isPrioritizationScanType(scanType cautils.ScanTypes) bool {
+	return scanType == cautils.ScanTypeCluster || scanType == cautils.ScanTypeRepo
+}

core/core/delete.go

@@ -1,36 +0,0 @@
-package core
-
-import (
-	"fmt"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-)
-
-func (ks *Kubescape) DeleteExceptions(delExceptions *v1.DeleteExceptions) error {
-
-	// load cached config
-	getTenantConfig(&delExceptions.Credentials, "", "", getKubernetesApi())
-
-	// login kubescape SaaS
-	ksCloudAPI := getter.GetKSCloudAPIConnector()
-	if err := ksCloudAPI.Login(); err != nil {
-		return err
-	}
-
-	for i := range delExceptions.Exceptions {
-		exceptionName := delExceptions.Exceptions[i]
-		if exceptionName == "" {
-			continue
-		}
-		logger.L().Info("Deleting exception", helpers.String("name", exceptionName))
-		if err := ksCloudAPI.DeleteException(exceptionName); err != nil {
-			return fmt.Errorf("failed to delete exception '%s', reason: %s", exceptionName, err.Error())
-		}
-		logger.L().Success("Exception deleted successfully")
-	}
-
-	return nil
-}

core/core/download.go

@@ -9,6 +9,7 @@ import (
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
 )
@@ -84,14 +85,14 @@ func downloadArtifacts(ctx context.Context, downloadInfo *metav1.DownloadInfo) e
 	}
 	for artifact := range artifacts {
 		if err := downloadArtifact(ctx, &metav1.DownloadInfo{Target: artifact, Path: downloadInfo.Path, FileName: fmt.Sprintf("%s.json", artifact)}, artifacts); err != nil {
-			logger.L().Ctx(ctx).Error("error downloading", helpers.String("artifact", artifact), helpers.Error(err))
+			logger.L().Ctx(ctx).Warning("error downloading", helpers.String("artifact", artifact), helpers.Error(err))
 		}
 	}
 	return nil
 }
 
 func downloadConfigInputs(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig(downloadInfo.AccountID, "", "", getKubernetesApi())
 
 	controlsInputsGetter := getConfigInputsGetter(ctx, downloadInfo.Identifier, tenant.GetAccountID(), nil)
 	controlInputs, err := controlsInputsGetter.GetControlsInputs(tenant.GetContextName())
@@ -114,7 +115,7 @@ func downloadConfigInputs(ctx context.Context, downloadInfo *metav1.DownloadInfo
 }
 
 func downloadExceptions(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig(downloadInfo.AccountID, "", "", getKubernetesApi())
 	exceptionsGetter := getExceptionsGetter(ctx, "", tenant.GetAccountID(), nil)
 
 	exceptions, err := exceptionsGetter.GetExceptions(tenant.GetContextName())
@@ -136,7 +137,7 @@ func downloadExceptions(ctx context.Context, downloadInfo *metav1.DownloadInfo)
 
 func downloadAttackTracks(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
 	var err error
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig(downloadInfo.AccountID, "", "", getKubernetesApi())
 
 	attackTracksGetter := getAttackTracksGetter(ctx, "", tenant.GetAccountID(), nil)
 
@@ -160,9 +161,9 @@ func downloadAttackTracks(ctx context.Context, downloadInfo *metav1.DownloadInfo
 
 func downloadFramework(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig(downloadInfo.AccountID, "", "", getKubernetesApi())
 
-	g := getPolicyGetter(ctx, nil, tenant.GetTenantEmail(), true, nil)
+	g := getPolicyGetter(ctx, nil, tenant.GetAccountID(), true, nil)
 
 	if downloadInfo.Identifier == "" {
 		// if framework name not specified - download all frameworks
@@ -202,9 +203,9 @@ func downloadFramework(ctx context.Context, downloadInfo *metav1.DownloadInfo) e
 
 func downloadControl(ctx context.Context, downloadInfo *metav1.DownloadInfo) error {
 
-	tenant := getTenantConfig(&downloadInfo.Credentials, "", "", getKubernetesApi())
+	tenant := cautils.GetTenantConfig(downloadInfo.AccountID, "", "", getKubernetesApi())
 
-	g := getPolicyGetter(ctx, nil, tenant.GetTenantEmail(), false, nil)
+	g := getPolicyGetter(ctx, nil, tenant.GetAccountID(), false, nil)
 
 	if downloadInfo.Identifier == "" {
 		// TODO - support