override default worker pool size with KUBESCAPE_WORKERS

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Merge pull request #1803 from kubescape/dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.4
2026-02-14 18:09:55 +00:00 · 2025-03-07 18:13:29 +01:00 · 2025-03-04 10:38:44 +01:00 · 2025-03-04 09:28:14 +01:00 · 2025-03-03 15:20:14 +02:00 · 2025-02-26 11:51:42 +01:00
373 changed files with 60416 additions and 7611 deletions
--- a/.github/workflows/00-pr-scanner.yaml
+++ b/.github/workflows/00-pr-scanner.yaml
@@ -23,7 +23,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      id-token: write
      issues: read
@@ -34,17 +33,22 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
+      contents: write
    uses: ./.github/workflows/a-pr-scanner.yaml
    with:
      RELEASE: ""
      CLIENT: test
+      CGO_ENABLED: 0
+      GO111MODULE: ""
    secrets: inherit

  binary-build:
+    if: ${{ github.actor == 'kubescape' }}
    permissions:
      actions: read
      checks: read
-      contents: read
+      contents: write
      deployments: read
      discussions: read
      id-token: write
@@ -55,14 +59,13 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
    with:
      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
+      CGO_ENABLED: 0
      GO111MODULE: ""
-      GO_VERSION: "1.20"
+      GO_VERSION: "1.23"
      RELEASE: "latest"
      CLIENT: test
-      ARCH_MATRIX: '[ "" ]'
-      OS_MATRIX: '[ "ubuntu-20.04" ]'
    secrets: inherit
--- a/.github/workflows/02-release.yaml
+++ b/.github/workflows/02-release.yaml
@@ -8,9 +8,9 @@ jobs:
  retag:
    outputs:
      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu22-core4-mem16-ssd150
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
      - id: tag-calculator
        uses: ./.github/actions/tag-action
        with:
@@ -19,7 +19,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      discussions: read
      id-token: write
@@ -30,13 +29,15 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      contents: write
+      attestations: write
    needs: [retag]
    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
    with:
      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
+      CGO_ENABLED: 0
      GO111MODULE: ""
-      GO_VERSION: "1.20"
+      GO_VERSION: "1.23"
      RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
      CLIENT: release
    secrets: inherit
@@ -55,6 +56,7 @@ jobs:
      repository-projects: read
      statuses: read
      security-events: read
+      attestations: read
    needs: [retag, binary-build]
    uses: ./.github/workflows/c-create-release.yaml
    with:
@@ -66,7 +68,6 @@ jobs:
    permissions:
      actions: read
      checks: read
-      contents: read
      deployments: read
      discussions: read
      id-token: write
@@ -77,6 +78,8 @@ jobs:
      repository-projects: read
      security-events: read
      statuses: read
+      attestations: read
+      contents: write
    uses: ./.github/workflows/d-publish-image.yaml
    needs: [create-release, retag]
    with:
@@ -86,3 +89,24 @@ jobs:
      support_platforms: true
      cosign: true
    secrets: inherit
+  post-release:
+    permissions:
+      actions: read
+      checks: read
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
+      attestations: read
+      contents: write
+    uses: ./.github/workflows/e-post-release.yaml
+    needs: [publish-image]
+    with:
+      TAG: ${{ needs.retag.outputs.NEW_TAG }}
+    secrets: inherit
--- a/.github/workflows/04-publish-krew-plugin.yaml
+++ b/.github/workflows/04-publish-krew-plugin.yaml
@@ -1,17 +0,0 @@
-name: 04-publish_krew_plugin
-permissions: read-all
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
-jobs:
-  publish_krew_plugin:
-    name: Publish Krew plugin
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'kubescape'
-    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Update new version in krew-index
-        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43
--- a/.github/workflows/a-pr-scanner.yaml
+++ b/.github/workflows/a-pr-scanner.yaml
@@ -15,23 +15,84 @@ on:
        required: false
        type: string
        default: "./..."
+      GO111MODULE:
+        required: true
+        type: string
+      CGO_ENABLED:
+        type: number
+        default: 1
 jobs:
+  unit-tests:
+    if: ${{ github.actor != 'kubescape' }}
+    name: Create cross-platform build
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu22-core4-mem16-ssd150
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: actions/setup-go@v4
+        name: Installing go
+        with:
+          go-version: ${{ inputs.GO_VERSION }}
+
+      - name: Test core pkg
+        run: ${{ env.DOCKER_CMD }} go test -v ./...
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: Test httphandler pkg
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
+        if: startsWith(github.ref, 'refs/tags')
+
+      - uses: anchore/sbom-action/download-syft@v0.15.2
+        name: Setup Syft
+
+      - uses: goreleaser/goreleaser-action@v5
+        name: Build
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean --snapshot
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          CLIENT: ${{ inputs.CLIENT }}
+          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
+
+      - name: Smoke Testing
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest
+
+      - name: golangci-lint
+        continue-on-error: false
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
+          args: --timeout 10m
+          only-new-issues: true
+          skip-pkg-cache: true
+          skip-build-cache: true
+
  scanners:
    env:
      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    name: PR Scanner
-    runs-on: ubuntu-latest
+    runs-on: ubuntu22-core4-mem16-ssd150
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # Install go because go-licenses use it ratchet:actions/setup-go@v3
+      - uses: actions/setup-go@v4
        name: Installing go
        with:
-          go-version: '1.20'
-          cache: true
+          go-version: "1.23"
      - name: Scanning - Forbidden Licenses (go-licenses)
        id: licenses-scan
        continue-on-error: true
@@ -44,7 +105,7 @@ jobs:
        if: ${{ env.GITGUARDIAN_API_KEY }}
        continue-on-error: true
        id: credentials-scan
-        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
+        uses: GitGuardian/ggshield-action@master
        with:
          args: -v --all-policies
        env:
@@ -57,7 +118,7 @@ jobs:
        if: ${{ env.SNYK_TOKEN }}
        id: vulnerabilities-scan
        continue-on-error: true
-        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
+        uses: snyk/actions/golang@master
        with:
          command: test --all-projects
        env:
@@ -74,12 +135,12 @@ jobs:
        continue-on-error: true
        uses: coverallsapp/github-action@v1
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
          path-to-lcov: coverage.lcov

      - name: Comment results to PR
        continue-on-error: true # Warning: This might break opening PRs from forks
-        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
+        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
--- a/.github/workflows/b-binary-build-and-e2e-tests.yaml
+++ b/.github/workflows/b-binary-build-and-e2e-tests.yaml
@@ -18,7 +18,7 @@ on:
      GO_VERSION:
        required: false
        type: string
-        default: "1.20"
+        default: "1.23"
      GO111MODULE:
        required: false
        type: string
@@ -27,18 +27,35 @@ on:
        type: number
        default: 1
        required: false
-      OS_MATRIX:
-        type: string
-        required: false
-        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
-      ARCH_MATRIX:
-        type: string
-        required: false
-        default: '[ "", "arm64"]'
      BINARY_TESTS:
        type: string
        required: false
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "control_cluster_from_CLI_config_scan_exclude_namespaces", "control_cluster_from_CLI_config_scan_include_namespaces", "control_cluster_from_CLI_config_scan_host_scanner_enabled", "control_cluster_from_CLI_config_scan_MITRE_framework", "control_cluster_from_CLI_vulnerabilities_scan_default", "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces" ]'
+        default: '[
+          "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy",
+          "ks_microservice_triggering_with_cron_job",
+          "ks_microservice_update_cronjob_schedule",
+          "ks_microservice_delete_cronjob",
+          "ks_microservice_create_2_cronjob_mitre_and_nsa",
+          "ks_microservice_ns_creation",
+          "ks_microservice_on_demand",
+          "ks_microservice_mitre_framework_on_demand",
+          "ks_microservice_nsa_and_mitre_framework_demand",
+          "scan_nsa",
+          "scan_mitre",
+          "scan_with_exceptions",
+          "scan_repository",
+          "scan_local_file",
+          "scan_local_glob_files",
+          "scan_local_list_of_files",
+          "scan_with_exception_to_backend",
+          "scan_nsa_and_submit_to_backend",
+          "scan_mitre_and_submit_to_backend",
+          "scan_local_repository_and_submit_to_backend",
+          "scan_repository_from_url_and_submit_to_backend",
+          "scan_with_custom_framework",
+          "scan_customer_configuration",
+          "scan_compliance_score"
+          ]'

  workflow_call:
    inputs:
@@ -53,7 +70,7 @@ on:
        type: string
      GO_VERSION:
        type: string
-        default: "1.20"
+        default: "1.23"
      GO111MODULE:
        required: true
        type: string
@@ -62,15 +79,25 @@ on:
        default: 1
      BINARY_TESTS:
        type: string
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing", "unified_configuration_config_view", "unified_configuration_config_set", "unified_configuration_config_delete" ]'
-      OS_MATRIX:
-        type: string
-        required: false
-        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
-      ARCH_MATRIX:
-        type: string
-        required: false
-        default: '[ "", "arm64"]'
+        default: '[ 
+          "scan_nsa", 
+          "scan_mitre", 
+          "scan_with_exceptions", 
+          "scan_repository", 
+          "scan_local_file", 
+          "scan_local_glob_files", 
+          "scan_local_list_of_files", 
+          "scan_nsa_and_submit_to_backend", 
+          "scan_mitre_and_submit_to_backend", 
+          "scan_local_repository_and_submit_to_backend", 
+          "scan_repository_from_url_and_submit_to_backend", 
+          "scan_with_custom_framework", 
+          "scan_customer_configuration", 
+          "scan_compliance_score", 
+          "scan_custom_framework_scanning_file_scope_testing", 
+          "scan_custom_framework_scanning_cluster_scope_testing", 
+          "scan_custom_framework_scanning_cluster_and_file_scope_testing"
+          ]'

 jobs:
  wf-preparation:
@@ -78,8 +105,6 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
-      OS_MATRIX: ${{ steps.export_os_to_env.outputs.OS_MATRIX }}
-      ARCH_MATRIX: ${{ steps.export_arch_to_env.outputs.ARCH_MATRIX }}
      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}

    steps:
@@ -93,14 +118,7 @@ jobs:
          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
-
-      - id: export_os_to_env
-        name: set test name
-        run: |
-          echo "OS_MATRIX=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.OS_MATRIX }}
+        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && env.USERNAME != '' && env.PASSWORD != '' && env.CLIENT_ID != '' && env.SECRET_KEY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}\" >> $GITHUB_OUTPUT\n"

      - id: export_tests_to_env
        name: set test name
@@ -109,13 +127,6 @@ jobs:
        env:
          input: ${{ inputs.BINARY_TESTS }}

-      - id: export_arch_to_env
-        name: set test name
-        run: |
-          echo "ARCH_MATRIX=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.ARCH_MATRIX }}
-
  check-secret:
    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
    runs-on: ubuntu-latest
@@ -135,150 +146,96 @@ jobs:
    needs: wf-preparation
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GOARCH: ${{ matrix.arch }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: ${{ fromJson(needs.wf-preparation.outputs.OS_MATRIX) }}
-        arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_MATRIX) }}
-        exclude:
-        - os: windows-latest
-          arch: arm64
+    runs-on: ubuntu-large
    steps:
+      - name: (debug) Step 1 - Check disk space before checkout
+        run: df -h

-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive

-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-20.04'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+      - name: (debug) Step 2 - Check disk space before installing Go
+        run: df -h

-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
+      - uses: actions/setup-go@v4
        name: Installing go
        with:
          go-version: ${{ inputs.GO_VERSION }}
-          cache: true

-      - name: start ${{ matrix.arch }} environment in container
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y binfmt-support qemu-user-static
-          sudo docker run --platform linux/${{ matrix.arch }} -e RELEASE=${{ inputs.RELEASE }} \
-          -e CLIENT=${{ inputs.CLIENT }} -e CGO_ENABLED=${{ inputs.CGO_ENABLED }} \
-          -e KUBESCAPE_SKIP_UPDATE_CHECK=true -e GOARCH=${{ matrix.arch }} -v ${PWD}:/work \
-          -w /work -v ~/go/pkg/mod:/root/go/pkg/mod -v ~/.cache/go-build:/root/.cache/go-build \
-          -d --name build golang:${{ inputs.GO_VERSION }}-bullseye sleep 21600
-          sudo docker ps
-          DOCKER_CMD="sudo docker exec build"
-          ${DOCKER_CMD} apt update
-          ${DOCKER_CMD} apt install -y cmake python3
-          ${DOCKER_CMD} git config --global --add safe.directory '*'
-          echo "DOCKER_CMD=${DOCKER_CMD}" >> $GITHUB_ENV;
-        if: matrix.os == 'ubuntu-20.04' && matrix.arch != ''
-
-      - name: Install pkg-config (macOS)
-        run: brew install pkg-config
-        if: matrix.os == 'macos-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: ${{ env.DOCKER_CMD }} make libgit2${{ matrix.arch }}
-        if: matrix.os != 'windows-latest'
+      - name: (debug) Step 3 - Check disk space before build
+        run: df -h

      - name: Test core pkg
        run: ${{ env.DOCKER_CMD }} go test -v ./...
-        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: (debug) Step 4 - Check disk space before testing httphandler pkg
+        run: df -h

      - name: Test httphandler pkg
        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
-        if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
+        if: startsWith(github.ref, 'refs/tags')

-      - name: Build
+      - name: (debug) Step 5 - Check disk space before setting up Syft
+        run: df -h
+
+      - uses: anchore/sbom-action/download-syft@v0
+        name: Setup Syft
+
+      - name: (debug) Step 6 - Check disk space before goreleaser
+        run: df -h
+
+      - uses: goreleaser/goreleaser-action@v5
+        name: Build
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean --snapshot
        env:
          RELEASE: ${{ inputs.RELEASE }}
          CLIENT: ${{ inputs.CLIENT }}
          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
-        run: ${{ env.DOCKER_CMD }} python3 --version && ${{ env.DOCKER_CMD }} python3 build.py

-      - name: Smoke Testing (Windows / MacOS)
+      - name: (debug) Step 7 - Check disk space before smoke testing
+        run: df -h
+
+      - name: Smoke Testing
        env:
          RELEASE: ${{ inputs.RELEASE }}
          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
-        if: startsWith(github.ref, 'refs/tags') && matrix.os != 'ubuntu-20.04' && matrix.arch == ''
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest

-      - name: Smoke Testing (Linux amd64)
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
-        if: matrix.os == 'ubuntu-20.04' && matrix.arch == ''
-
-      - name: Smoke Testing (Linux ${{ matrix.arch }})
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ./build/kubescape-${{ matrix.arch }}-ubuntu-latest
-        if: startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch != ''
+      - name: (debug) Step 8 - Check disk space before golangci-lint
+        run: df -h

      - name: golangci-lint
-        if: matrix.os == 'ubuntu-20.04'
        continue-on-error: true
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3
        with:
          version: latest
-          args: --timeout 10m --build-tags=static
+          args: --timeout 10m
          only-new-issues: true
+          skip-pkg-cache: true
+          skip-build-cache: true

-      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
-        name: Upload artifact (Linux)
-        if: matrix.os == 'ubuntu-20.04'
+      - name: (debug) Step 9 - Check disk space before uploading artifacts
+        run: df -h
+
+      - uses: actions/upload-artifact@v4
+        name: Upload artifacts
        with:
-          name: kubescape${{ matrix.arch }}-ubuntu-latest
-          path: build/
+          name: kubescape
+          path: dist/kubescape*
          if-no-files-found: error

-      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
-        name: Upload artifact (MacOS, Win)
-        if: matrix.os != 'ubuntu-20.04'
-        with:
-          name: kubescape${{ matrix.arch }}-${{ matrix.os }}
-          path: build/
-          if-no-files-found: error
+      - name: (debug) Step 10 - Check disk space after uploading artifacts
+        run: df -h

  build-http-image:
    permissions:
-      contents: read
+      contents: write
      id-token: write
      packages: write
      pull-requests: read
@@ -291,7 +248,7 @@ jobs:
      CGO_ENABLED: 0
      GO111MODULE: "on"
      BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.20"
+      GO_VERSION: "1.23"
      REQUIRED_TESTS: '[
                "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", 
                "ks_microservice_triggering_with_cron_job",
@@ -302,8 +259,22 @@ jobs:
                "ks_microservice_on_demand",
                "ks_microservice_mitre_framework_on_demand",
                "ks_microservice_nsa_and_mitre_framework_demand",
+                "scan_nsa", 
+                "scan_mitre", 
+                "scan_with_exceptions", 
+                "scan_repository", 
+                "scan_local_file", 
+                "scan_local_glob_files", 
+                "scan_local_list_of_files", 
+                "scan_with_exception_to_backend", 
+                "scan_nsa_and_submit_to_backend", 
+                "scan_mitre_and_submit_to_backend", 
+                "scan_local_repository_and_submit_to_backend", 
+                "scan_repository_from_url_and_submit_to_backend", 
+                "scan_with_custom_framework", 
+                "scan_customer_configuration", 
                "scan_compliance_score"
-              ]'
+                ]'
      COSIGN: true
      HELM_E2E_TEST: true
      FORCE: true
@@ -318,10 +289,10 @@ jobs:
    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
    runs-on: ubuntu-latest # This cannot change
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
-          name: kubescape-ubuntu-latest
+          name: kubescape
          path: "~"

      - run: ls -laR
@@ -330,12 +301,12 @@ jobs:
        run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest

      - name: Checkout systests repo
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          repository: armosec/system-tests
          path: .

-      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
+      - uses: actions/setup-python@v4
        with:
          python-version: '3.8.13'
          cache: 'pip'
@@ -350,7 +321,7 @@ jobs:

      - name: Create k8s Kind Cluster
        id: kind-cluster-install
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
+        uses: helm/kind-action@v1.10.0
        with:
          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}

@@ -380,8 +351,9 @@ jobs:
          deactivate

      - name: Test Report
-        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
+        uses: mikepenz/action-junit-report@v5
        if: always() # always run even if the previous step fails
        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
          report_paths: '**/results_xml_format/**.xml'
          commit: ${{github.event.workflow_run.head_sha}}
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -23,7 +23,7 @@ jobs:
    permissions:
      id-token: write
      packages: write
-      contents: read
+      contents: write
      pull-requests: read
    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
    with:
@@ -33,7 +33,7 @@ jobs:
      CGO_ENABLED: 0
      GO111MODULE: "on"
      BUILD_PLATFORM: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
-      GO_VERSION: "1.20"
+      GO_VERSION: "1.23"
      REQUIRED_TESTS: '[]'
      COSIGN: ${{ inputs.CO_SIGN }}
      HELM_E2E_TEST: false
--- a/.github/workflows/c-create-release.yaml
+++ b/.github/workflows/c-create-release.yaml
@@ -24,50 +24,69 @@ jobs:
      MAC_OS: macos-latest
      UBUNTU_OS: ubuntu-latest
      WINDOWS_OS: windows-latest
-    # permissions:
-    #   contents: write
+    permissions:
+      contents: write
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
+          name: kubescape
          path: .

      # TODO: kubescape-windows-latest is deprecated and should be removed
-      - name: Get kubescape.exe from kubescape-windows-latest
-        run: cp ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }} ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
+      - name: Get kubescape.exe from kubescape-windows-latest.exe
+        run: cp ${{steps.download-artifact.outputs.download-path}}/kubescape-${{ env.WINDOWS_OS }}.exe ${{steps.download-artifact.outputs.download-path}}/kubescape.exe

      - name: Set release token
+        id: set-token
        run: |
          if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then
-            echo "TOKEN=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_ENV;
+            echo "token=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_OUTPUT;
          else
-            echo "TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV;
+            echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT;
          fi
+
+      - name: List artifacts
+        run: |
+          find . -type f -print
+
      - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # ratchet:softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        with:
-          token: ${{ env.TOKEN }}
+          token: ${{ steps.set-token.outputs.token }}
          name: ${{ inputs.RELEASE_NAME }}
          tag_name: ${{ inputs.TAG }}
          body: ${{ github.event.pull_request.body }}
          draft: ${{ inputs.DRAFT }}
-          fail_on_unmatched_files: true
          prerelease: false
-          # TODO: kubescape-windows-latest is deprecated and should be removed
+          fail_on_unmatched_files: true
          files: |
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.sha256
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.tar.gz
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.sha256
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.tar.gz
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.sha256
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.tar.gz
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.sha256
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.tar.gz
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-${{ env.MAC_OS }}
+            ./kubescape-${{ env.MAC_OS }}.sbom
+            ./kubescape-${{ env.MAC_OS }}.sha256
+            ./kubescape-${{ env.MAC_OS }}.tar.gz
+            ./kubescape-${{ env.UBUNTU_OS }}
+            ./kubescape-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-${{ env.WINDOWS_OS }}.exe
+            ./kubescape-${{ env.WINDOWS_OS }}.exe.sbom
+            ./kubescape-${{ env.WINDOWS_OS }}.exe.sha256
+            ./kubescape-${{ env.WINDOWS_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.MAC_OS }}
+            ./kubescape-arm64-${{ env.MAC_OS }}.sbom
+            ./kubescape-arm64-${{ env.MAC_OS }}.sha256
+            ./kubescape-arm64-${{ env.MAC_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe.sbom
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe.sha256
+            ./kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.sbom
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.sha256
+            ./kubescape-riscv64-${{ env.UBUNTU_OS }}.tar.gz
+            ./kubescape.exe
--- a/.github/workflows/d-publish-image.yaml
+++ b/.github/workflows/d-publish-image.yaml
@@ -1,5 +1,18 @@
 name: d-publish-image
-permissions: read-all
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  discussions: read
+  id-token: write
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
 on:
  workflow_call:
    inputs:
@@ -46,35 +59,49 @@ jobs:
    name: Build image and upload to registry
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      - name: Login to Quay.io
        env:
          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4
        id: download-artifact
        with:
+          name: kubescape
          path: .
+      - name: mv kubescape amd64 binary
+        run: mv kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest
      - name: chmod +x
-        run: chmod +x -v kubescape-*/kubescape-*
-      - name: Build and push image for linux/amd64
-        run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --build-arg ks_binary=kubescape-ubuntu-latest/kubescape-ubuntu-latest --push --platform linux/amd64
-      - name: Build and push image for linux/arm64
-        run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --build-arg ks_binary=kubescape-arm64-ubuntu-latest/kubescape-arm64-ubuntu-latest --push --platform linux/arm64
+        run: chmod +x -v kubescape-a*
+      - name: Build and push images
+        run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
      - name: Install cosign
-        uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # ratchet:sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@main
        with:
-          cosign-release: 'v1.12.0'
+          cosign-release: 'v2.2.2'
      - name: sign kubescape container image
        if: ${{ inputs.cosign }}
        env:
          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }}
+          COSIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY_V1 }}
        run: |
-          cosign sign --force ${{ inputs.image_name }}
+            # Sign the image with keyless mode
+            cosign sign -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
+
+            # Sign the image with key for verifier clients without keyless support
+            # Put the key from environment variable to a file
+            echo "$COSIGN_PRIVATE_KEY" > cosign.key
+            printf "$COSIGN_PRIVATE_KEY_PASSWORD" | cosign sign -key cosign.key -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
+            rm cosign.key
+            # Verify the image
+            echo "$COSIGN_PUBLIC_KEY" > cosign.pub
+            cosign verify -key cosign.pub ${{ inputs.image_name }}:${{ inputs.image_tag }}
--- a/.github/workflows/03-post-release.yaml
+++ b/.github/workflows/03-post-release.yaml
@@ -1,21 +1,25 @@
-name: 03-post_release
+name: e-post_release
 permissions: read-all
 on:
-  release:
-    types: [published]
-    branches:
-      - 'master'
-      - 'main'
+  workflow_call:
+    inputs:
+      TAG:
+        description: 'Tag name'
+        required: true
+        type: string
 jobs:
  post_release:
    name: Post release jobs
    runs-on: ubuntu-latest
    steps:
-      - name: Digest
-        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
+      - uses: actions/checkout@v4
        with:
-          hash-type: sha1
-          file-name: kubescape-release-digests
+          submodules: recursive
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@v0.0.47
+        if: github.repository_owner == 'kubescape'
+        env:
+          GITHUB_REF: ${{ inputs.TAG }}
      - name: Invoke workflow to update packaging
        uses: benc-uk/workflow-dispatch@v1
        if: github.repository_owner == 'kubescape'
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,12 +32,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
@@ -59,7 +59,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
@@ -67,6 +67,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/z-close-typos-issues.yaml
+++ b/.github/workflows/z-close-typos-issues.yaml
@@ -7,14 +7,14 @@ jobs:
    if: github.event.label.name == 'typo'
    runs-on: ubuntu-latest
    steps:
-      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
+      - uses: ben-z/actions-comment-on-issue@1.0.2
        with:
          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  auto_close_issues:
    runs-on: ubuntu-latest
    steps:
-      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
+      - uses: lee-dohm/close-matching-issues@v2
        with:
          query: 'label:typo'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@
 ca.srl
 *.out
 ks
+
+dist/
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "git2go"]
-	path = git2go
-	url = https://github.com/libgit2/git2go.git
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,6 @@
 linters-settings:
  govet:
-    check-shadowing: true
+    shadow: true
  dupl:
    threshold: 200
  goconst:
@@ -24,7 +24,6 @@ linters:
    - gosimple
  disable:
    # temporarily disabled
-    - varcheck
    - errcheck
    - dupl
    - gocritic
@@ -36,8 +35,6 @@ linters:
    - unparam
    #- forbidigo # <- see later
    # should remain disabled
-    - deadcode   # deprecated linter
-    - maligned
    - lll
    - gochecknoinits
    - gochecknoglobals
@@ -52,6 +49,3 @@ issues:
    - linters:
      - stylecheck
      text: "ST1003"
-run:
-  skip-dirs:
-    - git2go
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,60 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines bellow are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+
+builds:
+  - goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+      - riscv64
+    ldflags:
+      - -s -w
+      - -X "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber={{.Env.RELEASE}}"
+      - -X "github.com/kubescape/kubescape/v3/core/cautils.Client={{.Env.CLIENT}}"
+    binary: >-
+      {{ .ProjectName }}-
+      {{- if eq .Arch "amd64" }}
+      {{- else }}{{ .Arch }}-{{ end }}
+      {{- if eq .Os "darwin" }}macos
+      {{- else if eq .Os "linux" }}ubuntu
+      {{- else }}{{ .Os }}{{ end }}-latest
+    no_unique_dist_dir: true
+
+archives:
+  - format: binary
+    id: binaries
+    name_template: >-
+      {{ .Binary }}
+  - format: tar.gz
+    name_template: >-
+      {{ .Binary }}
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+checksum:
+  ids:
+    - binaries
+  split: true
+
+sboms:
+  - artifacts: binary
+    documents:
+      - "{{ .Binary }}.sbom"
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -1,23 +1,5 @@
 # Adopters

-# Well-known companies
-Well-known companies who are using and/or contributing to Kubescape are (in alphabetical order):
-* Accenture
-* Amazon.com
-* IBM
-* Intel
-* Meetup
-* RedHat
-* Scaleway
-
-# Users
-
-If you want to be listed here and share with others your experience, open a PR and add the bellow table:
-
-
-| Name | Company | Use case | Contact for questions (optional) |
-| ---- | ------- | -------- | -------------------------------- |
-| Yonathan Amzallag | ARMO | Vulnerability monitoring | yonatana@armosec.io |
-
-
+The Kubescape project manages this document in the central project repository.

+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,3 +1,5 @@
-## Code of Conduct
+# Code of Conduct

-The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)
--- a/COMMUNITY.md
+++ b/COMMUNITY.md
@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,98 +1,5 @@
 # Contributing

-First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+The Kubescape project manages this document in the central project repository.

-When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope is limited to a single or two files
-* Complex features and improvements, with potentially unlimited scope
-
-If you have a small change, feel free to fire up a Pull Request.
-
-When planning a bigger change, please first discuss the change you wish to make via an issue,
-so the maintainers are able to help guide you and let you know if you are going in the right direction.
-
-## Code of Conduct
-
-Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
-
-## Build and test locally
-
-Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
-
-## Pull Request Process
-
-1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
-   build.
-2. Update the README.md with details of changes to the interface, this includes new environment 
-   variables, exposed ports, useful file locations and container parameters.
-3. Open Pull Request to the `master` branch.
-4. We will merge the Pull Request once you have the sign-off.
-
-## Developer Certificate of Origin
-
-All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
-
-Commits made through the GitHub web application are automatically signed off.
-
-### Configuring Git to sign off commits
-
-First, configure your name and email address in Git global settings:
-
-```
-$ git config --global user.name "John Doe" 
-$ git config --global user.email johndoe@example.com
-```
-
-You can now sign off per-commit, or configure Git to always sign off commits per repository.
-
-### Sign off per-commit
-
-Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
-
-```git commit -s -m "Fix issue 64738"```
-
-This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
-
-### Configure a repository to always include sign off
-
-There are many ways to achieve this with Git hooks, but the simplest is to do the following:
-
-```
-cd your-repo
-curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
-chmod +x .git/hooks/prepare-commit-msg
-```
-
-### Use semantic commit messages (optional)
-
-When contributing, you could consider using [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/), in order to improve logs readability and help us to automatically generate `CHANGELOG`s.
-
-Format: `<type>(<scope>): <subject>`
-
-`<scope>` is optional
-
-#### Example
-
-```
-feat(cmd): add kubectl plugin
-^--^ ^-^   ^----------------^
-|    |     |
-|    |     +-> subject: summary in present tense.
-|    |
-|    +-------> scope: point of interest
-|
-+-------> type: chore, docs, feat, fix, refactor, style, or test.
-```
-
-More Examples:
-* `feat`: new feature for the user, not a new feature for build script
-* `fix`: bug fix for the user, not a fix to a build script
-* `docs`: changes to the documentation
-* `style`: formatting, missing semi colons, etc; no production code change
-* `refactor`: refactoring production code, eg. renaming a variable
-* `test`: adding missing tests, refactoring tests; no production code change
-* `chore`: updating grunt tasks etc; no production code change
-
-## Fixing a commit where the DCO failed
-
-Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,65 +1,5 @@
-# Governance of Kubescape
+# Governance

-## Overview
+The Kubescape project manages this document in the central project repository.

-The Kubescape project is an open-source initiative dedicated to improve security and best practices in Kubernetes environments. This document outlines the governance structure of the Kubescape project and provides guidance for its community contributors.
-
-## Decision Making
-
-### Maintainers
-
- Maintainers are responsible for the smooth operation of the project.
- They review and merge pull requests, manage releases, and ensure the quality and stability of the codebase.
- Maintainers are chosen based on their ongoing contributions and their demonstrated commitment to the project.
- Everyone who had at least 5 code contribution in the last 12 month can submit her/himself for joining the maintainer team
- Maintainers who are not taken part in the project work (code, reviews, discussions) for 12 month are automaticaly removed from the maintainer team
-
-
-### Committers
-
- Committers are contributors who have made significant and consistent contributions to the project.
- They have the ability to merge minor pull requests if assigned by maintainers.
- A contributor can be proposed as a committer by any existing maintainer. The proposal will be reviewed and voted on by the existing maintainers.
-
-### Community Members
-
- Anyone can become a community member by contributing to the project. This can be in the form of code contributions, documentation, or any other form of project support.
-
-## Processes
-
-### Proposing Changes
-
-1. Open an issue on the project repository to discuss the proposed change.
-2. Once there is consensus around the proposed change, create a pull request.
-3. Pull requests will be reviewed by committers and/or maintainers.
-4. Once the pull request has received approval, it can be merged into the main codebase.
-
-### Conflict Resolution
-
-1. In case of any conflicts, it is primarily the responsibility of the parties involved to resolve it.
-2. If the conflict cannot be resolved, it will be escalated to the maintainers for resolution.
-3. Maintainers' decision will be final in case of unresolved conflicts.
-
-## Roles and Responsibilities
-
-### Maintainers
-
- Ensure the quality and stability of the project.
- Resolve conflicts.
- Provide direction and set priorities for the project.
-
-### Committers
-
- Review and merge minor pull requests.
- Assist maintainers in project tasks.
- Promote best practices within the community.
-
-### Community Members
-
- Contribute to the project in any form.
- Participate in discussions and provide feedback.
- Respect the code of conduct and governance of the project.
-
-## Changes to the Governance Document
-
-Proposed changes to this governance document should follow the same process as any other code change to the Kubescape project (see "Proposing Changes").
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -1,12 +1,5 @@
 # Maintainers

-The following table lists the Kubescape project core maintainers:
-
-| Name | GitHub | Organization | Added/Renewed On |
-| --- | --- | --- | --- |
-| [Matthias Bertschy](https://www.linkedin.com/in/matthias-bertschy-b427b815/) | [@matthyx](https://github.com/matthyx) | [ARMO](https://www.armosec.io/) | 2023-01-01 |
-| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [ARMO](https://www.armosec.io/) | 2022-10-31 |
-| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
-| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
-| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+The Kubescape project manages this document in the central project repository.

+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)
--- a/26
+++ b/26
@@ -1,28 +1,12 @@
-.PHONY: test all build libgit2
+.PHONY: test all build

 # default task invoked while running make
-all: libgit2 build
+all: build

-export CGO_ENABLED=1
-
-# build and install libgit2
-libgit2:
-	-git submodule update --init --recursive
-	cd git2go; make install-static
-
-# build and install libgit2 for macOS m1
-libgit2arm64:
-	git submodule update --init --recursive
-	if [ "$(shell uname -s)" = "Darwin" ]; then \
-		sed -i '' 's/cmake -D/cmake -DCMAKE_OSX_ARCHITECTURES="arm64" -D/' git2go/script/build-libgit2.sh; \
-	fi
-	cd git2go; make install-static
-
-# go build tags
-TAGS = "gitenabled,static"
+export CGO_ENABLED=0

 build:
-	go build -v -tags=$(TAGS) .
+	go build -v .

 test:
-	go test -v -tags=$(TAGS) ./...
+	go test -v ./...
--- a/README.md
+++ b/README.md
@@ -3,12 +3,14 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
 [![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
 [![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
-[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![CNCF](https://shields.io/badge/CNCF-Incubating%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/?item=provisioning--security-compliance--kubescape)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubescape)](https://artifacthub.io/packages/search?repo=kubescape)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape?ref=badge_shield&issueType=license)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6944/badge)](https://www.bestpractices.dev/projects/6944)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubescape/kubescape/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubescape/kubescape)
+[![Stars](https://img.shields.io/github/stars/kubescape/kubescape?style=social)](https://github.com/kubescape/kubescape/stargazers)
 [![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
+[![Slack](https://img.shields.io/badge/slack-kubescape-blueviolet?logo=slack)](https://cloud-native.slack.com/archives/C04EY3ZF9GE)

 # Kubescape

@@ -18,19 +20,22 @@
  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
 </picture>

-_An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters_
+_Comprehensive Kubernetes Security from Development to Runtime_

-Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
+Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments. It saves Kubernetes users and admins precious time, effort, and resources.

-Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.armosec.io/glossary/mitre-attck-framework/?utm_source=github&utm_medium=repository) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).

-Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
-
-## Demo
-<img src="docs/img/demo.gif">
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/).

 _Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_

+## Demo
+
+Kubescape has a command line tool that you can use to quickly get a report on the security posture of a Kubernetes cluster:
+
+<img src="docs/img/demo-v3.gif">
+
 ## Getting started

 Experimenting with Kubescape is as easy as:
@@ -39,13 +44,13 @@ Experimenting with Kubescape is as easy as:
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```

+This script will automatically download the latest Kubescape CLI release and scan the Kubernetes cluster in your current kubectl context.
+
 Learn more about:

-* [Installing Kubescape](docs/installation.md)
-* [Running your first scan](docs/getting-started.md#run-your-first-scan)
-* [Usage](docs/getting-started.md#examples)
-* [Architecture](docs/architecture.md)
-* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
+* [Installing the Kubescape CLI](https://kubescape.io/docs/install-cli/)
+* [Running your first scan](https://kubescape.io/docs/scanning/)
+* [Accepting risk with exceptions](https://kubescape.io/docs/accepting-risk/)

 _Did you know you can use Kubescape in all these places?_

@@ -53,37 +58,47 @@ _Did you know you can use Kubescape in all these places?_
    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
 </div>

+### Continuous security monitoring with the Kubescape Operator
+
+As well as a CLI, Kubescape provides an in-cluster mode, which is installed via a Helm chart. Kubescape in-cluster provides extensive features such as continuous scanning, image vulnerability scanning, runtime analysis, network policy generation, and more. [Learn more about the Kubescape operator](https://kubescape.io/docs/operator/).
+
+### Using Kubescape as a GitHub Action
+
+Kubescape can be used as a GitHub Action. This is a great way to integrate Kubescape into your CI/CD pipeline. You can find the Kubescape GitHub Action in the [GitHub Action marketplace](https://github.com/marketplace/actions/kubescape).
+
 ## Under the hood

 Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
+For image scanning, it uses [Grype](https://github.com/anchore/grype).  
+For image patching, it uses [Copacetic](https://github.com/project-copacetic/copacetic).
+For eBPF, it uses [Inspektor Gadget](https://github.com/inspektor-gadget)

-By default, the results are printed in a console-friendly manner, but they can be:
+By default, CLI scan results are printed in a console-friendly manner, but they can be:

-* exported to JSON or junit XML
+* exported to JSON, junit XML or SARIF
 * rendered to HTML or PDF
 * submitted to a [cloud service](docs/providers.md)

-It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
+### In-cluster architecture 
+
+![Architecture diagram](docs/img/architecture-diagram.png)

 ## Community

-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
+Kubescape is an open source project. We welcome your feedback and ideas for improvement. We are part of the CNCF community and are evolving Kubescape in sync with the security needs of Kubernetes users. To learn more about where Kubescape is heading, please check out our [ROADMAP](https://github.com/kubescape/project-governance/blob/main/ROADMAP.md).

-We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
+If you feel inspired to contribute to Kubescape, check out our [CONTRIBUTING](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md) file to learn how. You can find the issues we are working on (triage to development) on the [Kubescaping board](https://github.com/orgs/kubescape/projects/4/views/1)
+
+* Feel free to pick a task from the [board](https://github.com/orgs/kubescape/projects/4) or suggest a feature of your own.
+* Open an issue on the board. We aim to respond to all issues within 48 hours.
+* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.

 The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

-### Adopters
+For more information about the Kubescape community, please visit [COMMUNITY](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md).

-See [here](ADOPTERS.md) a list of adopters.

-## Contributions
-
-Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
-
-* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
-* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
-* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
+We would like to take this opportunity to thank all our contibutors to date.

 <br>

@@ -93,14 +108,14 @@ Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) f

 ## Changelog

-Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page
+Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page.

 ## License

-Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.

-Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
+Kubescape is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/kubescape/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).

 <div align="center">
-    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/other/cncf-member/incubating/color/cncf-incubating-color.svg" width="300" alt="CNCF Incubating Project">
 </div>
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -4,19 +4,30 @@ header:
  last-reviewed: '2023-10-12'
  expiration-date: '2024-10-12T01:00:00.000Z'
  project-url: https://github.com/kubescape/kubescape/
-  project-release: '1.0.0'
+  project-release: 1.0.0
 project-lifecycle:
  status: active
  bug-fixes-only: false
  core-maintainers:
-  - github:slashben
+  - github:amirmalka
+  - github:amitschendel
+  - github:bezbran
  - github:craigbox
-  - github:matthyx
  - github:dwertent
+  - github:matthyx
+  - github:rotemamsa
+  - github:slashben
 contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: false
  code-of-conduct: https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/kubescape/kubescape/blob/master/go.mod
+  - https://github.com/kubescape/kubescape/blob/master/httphandler/go.mod
+  env-dependencies-policy:
+    policy-url: https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md
 documentation:
 - https://github.com/kubescape/kubescape/tree/master/docs
 distribution-points:
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,5 @@
-# Reporting Security Issues
+# Security

-To report a security issue or vulnerability, submit a [private vulnerability report via GitHub](https://github.com/kubescape/kubescape/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+The Kubescape project manages this document in the central project repository.

-The maintainers will respond within 7 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
-
-Other contacts: cncf-kubescape-maintainers@lists.cncf.io
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)
--- a/build.ps1
+++ b/build.ps1
@@ -1,78 +0,0 @@
-# Defining input params
-param (
-    [string]$mode = "error"
-)
-
-# Function to install MSYS
-function Install {
-    Write-Host "Starting install..." -ForegroundColor Cyan
-
-    # Check to see if already installed
-    if (Test-Path "C:\MSYS64\") {
-        Write-Host "MSYS2 already installed" -ForegroundColor Green
-    } else {
-        # Create a temp directory
-        New-Item -Path "$PSScriptRoot\temp_install" -ItemType Directory > $null
-        
-        # Download MSYS
-        Write-Host "Downloading MSYS2..." -ForegroundColor Cyan
-        $bitsJobObj = Start-BitsTransfer "https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe" -Destination "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe"
-        switch ($bitsJobObj.JobState) {
-            "Transferred" {
-                Complete-BitsTransfer -BitsJob $bitsJobObj
-                break
-            }
-            "Error" {
-                throw "Error downloading"
-            }
-        }
-        Write-Host "MSYS2 download complete" -ForegroundColor Green
-
-        # Install MSYS
-        Write-Host "Installing MSYS2..." -ForegroundColor Cyan
-        Start-Process -Filepath "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe" -ArgumentList @("install", "--root", "C:\MSYS64", "--confirm-command") -Wait
-        Write-Host "MSYS2 install complete" -ForegroundColor Green
-
-        # Remove temp directory
-        Remove-Item "$PSScriptRoot\temp_install" -Recurse
-    }
-
-    # Set PATH
-    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
-
-    # Install MSYS packages
-    Write-Host "Installing MSYS2 packages..." -ForegroundColor Cyan
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "make") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-cmake") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-gcc") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-pkg-config") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "msys2-w32api-runtime") -Wait
-    Write-Host "MSYS2 packages install complete" -ForegroundColor Green
-
-    Write-Host "Install complete" -ForegroundColor Green
-}
-
-# Function to build libgit2
-function Build {
-    Write-Host "Starting build..." -ForegroundColor Cyan
-
-    # Set PATH
-    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
-
-    # Build
-    Start-Process -Filepath "make" -ArgumentList @("libgit2") -Wait -NoNewWindow
-
-    Write-Host "Build complete" -ForegroundColor Green
-}
-
-# Check user call mode
-if ($mode -eq "all") {
-    Install
-    Build
-} elseif ($mode -eq "install") {
-    Install
-} elseif ($mode -eq "build") {
-    Build
-} else {
-    Write-Host "Error: -mode should be one of (all|install|build)" -ForegroundColor Red
-}
--- a/build.py
+++ b/build.py
@@ -1,97 +0,0 @@
-import os
-import sys
-import hashlib
-import platform
-import subprocess
-import tarfile
-
-BASE_GETTER_CONST = "github.com/kubescape/kubescape/v2/core/cautils/getter"
-CURRENT_PLATFORM = platform.system()
-
-platformSuffixes = {
-    "Windows": "windows-latest",
-    "Linux": "ubuntu-latest",
-    "Darwin": "macos-latest",
-}
-
-def check_status(status, msg):
-    if status != 0:
-        sys.stderr.write(msg)
-        exit(status)
-
-
-def get_build_dir():
-    return "build"
-
-
-def get_package_name():
-    if CURRENT_PLATFORM not in platformSuffixes: raise OSError("Platform %s is not supported!" % (CURRENT_PLATFORM))
-
-    # # TODO: kubescape-windows-latest is deprecated and should be removed
-    # if CURRENT_PLATFORM == "Windows": return "kubescape.exe"
-
-    package_name = "kubescape-"
-    if os.getenv("GOARCH"):
-        package_name += os.getenv("GOARCH") + "-"
-    return package_name + platformSuffixes[CURRENT_PLATFORM]
-
-
-def main():
-    print("Building Kubescape")
-
-    # Set some variables
-    package_name = get_package_name()
-    build_url = "github.com/kubescape/kubescape/v2/core/cautils.BuildNumber"
-    release_version = os.getenv("RELEASE")
-
-    client_var = "github.com/kubescape/kubescape/v2/core/cautils.Client"
-    client_name = os.getenv("CLIENT")
-
-    # Create build directory
-    build_dir = get_build_dir()
-
-    ks_file = os.path.join(build_dir, package_name)
-    hash_file = ks_file + ".sha256"
-    tar_file = ks_file + ".tar.gz"
-
-    if not os.path.isdir(build_dir):
-        os.makedirs(build_dir)
-
-    # Build kubescape
-    ldflags = "-w -s"
-    if release_version:
-        ldflags += " -X {}={}".format(build_url, release_version)
-    if client_name:
-        ldflags += " -X {}={}".format(client_var, client_name)
-
-    build_command = ["go", "build", "-buildmode=pie", "-tags=static,gitenabled", "-o", ks_file, "-ldflags" ,ldflags]
-    if CURRENT_PLATFORM == "Windows":
-        os.putenv("CGO_ENABLED", "0")
-        build_command = ["go", "build", "-o", ks_file, "-ldflags", ldflags]
-
-    print("Building kubescape and saving here: {}".format(ks_file))
-    print("Build command: {}".format(" ".join(build_command)))
-
-    status = subprocess.call(build_command)
-    check_status(status, "Failed to build kubescape")
-
-    sha256 = hashlib.sha256()
-    with open(ks_file, "rb") as kube:
-        sha256.update(kube.read())
-        with open(hash_file, "w") as kube_sha:
-            hash = sha256.hexdigest()
-            print("kubescape hash: {}, file: {}".format(hash, hash_file))
-            kube_sha.write(sha256.hexdigest())
-
-    with tarfile.open(tar_file, 'w:gz') as archive:
-        name = "kubescape"
-        if CURRENT_PLATFORM == "Windows":
-            name += ".exe"
-        archive.add(ks_file, name)
-        archive.add("LICENSE", "LICENSE")
-
-    print("Build Done")
-
-
-if __name__ == "__main__":
-    main()
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.20-bullseye as builder
+FROM --platform=$BUILDPLATFORM golang:1.23-bookworm AS builder

 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
@@ -8,13 +8,18 @@ RUN --mount=target=. \
    --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg \
    cd httphandler && GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/ksserver .
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    go run downloader/main.go

-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot

 USER nonroot
 WORKDIR /home/nonroot/

 COPY --from=builder /out/ksserver /usr/bin/ksserver
+COPY --from=builder /root/.kubescape /home/nonroot/.kubescape

 ARG image_version client
 ENV RELEASE=$image_version CLIENT=$client
--- a/build/Dockerfile.dockerignore
+++ b/build/Dockerfile.dockerignore
@@ -1,3 +1,2 @@
 .git
-git2go
 kubescape*
--- a/build/kubescape-cli.Dockerfile
+++ b/build/kubescape-cli.Dockerfile
@@ -1,12 +1,12 @@
-FROM gcr.io/distroless/base-debian11:debug-nonroot
+FROM gcr.io/distroless/static-debian12:debug-nonroot

 USER nonroot
 WORKDIR /home/nonroot/

-ARG image_version client ks_binary
+ARG image_version client TARGETARCH
 ENV RELEASE=$image_version CLIENT=$client

-COPY $ks_binary /usr/bin/kubescape
+COPY kubescape-${TARGETARCH}-ubuntu-latest /usr/bin/kubescape
 RUN ["kubescape", "download", "artifacts"]

 ENTRYPOINT ["kubescape"]
--- a/build/kubescape-cli.Dockerfile.dockerignore
+++ b/build/kubescape-cli.Dockerfile.dockerignore
@@ -1,2 +1 @@
 .git
-git2go
--- a/cmd/completion/completion.go
+++ b/cmd/completion/completion.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"strings"

-	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/spf13/cobra"
 )

@@ -29,6 +29,12 @@ func GetCompletionCmd() *cobra.Command {
 		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 		Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
 		Run: func(cmd *cobra.Command, args []string) {
+			// Check if args array is not empty
+			if len(args) == 0 {
+				fmt.Println("No arguements provided.")
+				return
+			}
+
 			switch strings.ToLower(args[0]) {
 			case "bash":
 				cmd.Root().GenBashCompletion(os.Stdout)
@@ -38,6 +44,8 @@ func GetCompletionCmd() *cobra.Command {
 				cmd.Root().GenFishCompletion(os.Stdout, true)
 			case "powershell":
 				cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+			default:
+				fmt.Printf("Invalid arguement %s", args[0])
 			}
 		},
 	}
--- a/cmd/completion/completion_test.go
+++ b/cmd/completion/completion_test.go
@@ -0,0 +1,187 @@
+package completion
+
+import (
+	"io"
+	"os"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+// Generates autocompletion script for valid shell types
+func TestGetCompletionCmd(t *testing.T) {
+	// Arrange
+	completionCmd := GetCompletionCmd()
+	assert.Equal(t, "completion [bash|zsh|fish|powershell]", completionCmd.Use)
+	assert.Equal(t, "Generate autocompletion script", completionCmd.Short)
+	assert.Equal(t, "To load completions", completionCmd.Long)
+	assert.Equal(t, completionCmdExamples, completionCmd.Example)
+	assert.Equal(t, true, completionCmd.DisableFlagsInUseLine)
+	assert.Equal(t, []string{"bash", "zsh", "fish", "powershell"}, completionCmd.ValidArgs)
+}
+
+func TestGetCompletionCmd_RunExpectedOutputs(t *testing.T) {
+	tests := []struct {
+		name string
+		args []string
+		want string
+	}{
+		{
+			name: "Unknown completion",
+			args: []string{"unknown"},
+			want: "Invalid arguement unknown",
+		},
+		{
+			name: "Empty arguements",
+			args: []string{},
+			want: "No arguements provided.\n",
+		},
+	}
+
+	completionCmd := GetCompletionCmd()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			completionCmd.Run(&cobra.Command{}, tt.args)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestGetCompletionCmd_RunNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "No arguments provided."
+	notExpectedOutput2 := "No arguments provided."
+
+	tests := []struct {
+		name string
+		args []string
+	}{
+		{
+			name: "Bash completion",
+			args: []string{"bash"},
+		},
+		{
+			name: "Zsh completion",
+			args: []string{"zsh"},
+		},
+		{
+			name: "Fish completion",
+			args: []string{"fish"},
+		},
+		{
+			name: "PowerShell completion",
+			args: []string{"powershell"},
+		},
+	}
+
+	completionCmd := GetCompletionCmd()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			completionCmd.Run(&cobra.Command{}, tt.args)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.NotEqual(t, notExpectedOutput1, string(got))
+			assert.NotEqual(t, notExpectedOutput2, string(got))
+		})
+	}
+}
+
+func TestGetCompletionCmd_RunBashCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for bash completion test 1."
+	notExpectedOutput2 := "Unexpected output for bash completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"bash"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunZshCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for zsh completion test 1."
+	notExpectedOutput2 := "Unexpected output for zsh completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"zsh"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunFishCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for fish completion test 1."
+	notExpectedOutput2 := "Unexpected output for fish completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"fish"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
+
+func TestGetCompletionCmd_RunPowerShellCompletionNotExpectedOutputs(t *testing.T) {
+	notExpectedOutput1 := "Unexpected output for powershell completion test 1."
+	notExpectedOutput2 := "Unexpected output for powershell completion test 2."
+
+	// Redirect stdout to a buffer
+	rescueStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	completionCmd := GetCompletionCmd()
+	completionCmd.Run(&cobra.Command{}, []string{"powershell"})
+
+	w.Close()
+	got, _ := io.ReadAll(r)
+	os.Stdout = rescueStdout
+
+	assert.NotEqual(t, notExpectedOutput1, string(got))
+	assert.NotEqual(t, notExpectedOutput2, string(got))
+}
--- a/cmd/config/config.go
+++ b/cmd/config/config.go
@@ -3,8 +3,8 @@ package config
 import (
 	"fmt"

-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

--- a/cmd/config/config_test.go
+++ b/cmd/config/config_test.go
@@ -0,0 +1,44 @@
+package config
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetConfigCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := GetConfigCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "config", configCmd.Use)
+	assert.Equal(t, "Handle cached configurations", configCmd.Short)
+	assert.Equal(t, configExample, configCmd.Example)
+
+	// Verify that the subcommands are added correctly
+	assert.Equal(t, 3, len(configCmd.Commands()))
+
+	for _, subcmd := range configCmd.Commands() {
+		switch subcmd.Name() {
+		case "delete":
+			// Verify that the delete subcommand is added correctly
+			assert.Equal(t, "delete", subcmd.Use)
+			assert.Equal(t, "Delete cached configurations", subcmd.Short)
+		case "set":
+			// Verify that the set subcommand is added correctly
+			assert.Equal(t, "set", subcmd.Use)
+			assert.Equal(t, "Set configurations, supported: "+strings.Join(stringKeysToSlice(supportConfigSet), "/"), subcmd.Short)
+		case "view":
+			// Verify that the view subcommand is added correctly
+			assert.Equal(t, "view", subcmd.Use)
+			assert.Equal(t, "View cached configurations", subcmd.Short)
+		default:
+			t.Errorf("Unexpected subcommand name: %s", subcmd.Name())
+		}
+	}
+}
--- a/cmd/config/delete.go
+++ b/cmd/config/delete.go
@@ -1,11 +1,9 @@
 package config

 import (
-	"context"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )

@@ -15,7 +13,7 @@ func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
 		Short: "Delete cached configurations",
 		Long:  ``,
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := ks.DeleteCachedConfig(context.TODO(), &v1.DeleteConfig{}); err != nil {
+			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 		},
--- a/cmd/config/delete_test.go
+++ b/cmd/config/delete_test.go
@@ -0,0 +1,21 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetDeleteCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := getDeleteCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "delete", configCmd.Use)
+	assert.Equal(t, "Delete cached configurations", configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+}
--- a/cmd/config/set.go
+++ b/cmd/config/set.go
@@ -2,11 +2,12 @@ package config

 import (
 	"fmt"
+	"sort"
 	"strings"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )

@@ -33,16 +34,23 @@ func getSetCmd(ks meta.IKubescape) *cobra.Command {
 }

 var supportConfigSet = map[string]func(*metav1.SetConfig, string){
+	"accessKey":      func(s *metav1.SetConfig, accessKey string) { s.AccessKey = accessKey },
 	"accountID":      func(s *metav1.SetConfig, account string) { s.Account = account },
 	"cloudAPIURL":    func(s *metav1.SetConfig, cloudAPIURL string) { s.CloudAPIURL = cloudAPIURL },
 	"cloudReportURL": func(s *metav1.SetConfig, cloudReportURL string) { s.CloudReportURL = cloudReportURL },
 }

 func stringKeysToSlice(m map[string]func(*metav1.SetConfig, string)) []string {
-	l := []string{}
-	for i := range m {
-		l = append(l, i)
+	keys := []string{}
+	for key := range m {
+		keys = append(keys, key)
 	}
+
+	// Sort the keys of the map
+	sort.Strings(keys)
+
+	l := []string{}
+	l = append(l, keys...)
 	return l
 }

--- a/cmd/config/set_test.go
+++ b/cmd/config/set_test.go
@@ -0,0 +1,81 @@
+package config
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetSetCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configSetCmd := getSetCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "set", configSetCmd.Use)
+	assert.Equal(t, "Set configurations, supported: "+strings.Join(stringKeysToSlice(supportConfigSet), "/"), configSetCmd.Short)
+	assert.Equal(t, setConfigExample, configSetCmd.Example)
+	assert.Equal(t, stringKeysToSlice(supportConfigSet), configSetCmd.ValidArgs)
+
+	err := configSetCmd.RunE(&cobra.Command{}, []string{"accountID=value1"})
+	assert.Nil(t, err)
+
+	err = configSetCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "key '' unknown . supported: accessKey/accountID/cloudAPIURL/cloudReportURL"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+// Should return a slice of keys when given a non-empty map
+func TestStringKeysToSlice(t *testing.T) {
+	m := map[string]func(*metav1.SetConfig, string){
+		"key1": nil,
+		"key2": nil,
+		"key3": nil,
+	}
+	result := stringKeysToSlice(m)
+	expected := []string{"key1", "key2", "key3"}
+	assert.ElementsMatch(t, expected, result)
+}
+
+func TestParseSetArgs_InvalidFormat(t *testing.T) {
+	args := []string{"key"}
+	setConfig, err := parseSetArgs(args)
+	assert.Equal(t, "", setConfig.Account)
+	assert.Equal(t, "", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+
+	expectedErrorMessage := fmt.Sprintf("key '' unknown . supported: %s", strings.Join(stringKeysToSlice(supportConfigSet), "/"))
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestParseSetArgs_AccessKey(t *testing.T) {
+	args := []string{"accessKey", "value1"}
+	setConfig, _ := parseSetArgs(args)
+	assert.Equal(t, "", setConfig.Account)
+	assert.Equal(t, "value1", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+}
+
+func TestParseSetArgs_Single(t *testing.T) {
+	args := []string{"accountID=value1"}
+	setConfig, _ := parseSetArgs(args)
+	assert.Equal(t, "value1", setConfig.Account)
+	assert.Equal(t, "", setConfig.AccessKey)
+	assert.Equal(t, "", setConfig.CloudReportURL)
+	assert.Equal(t, "", setConfig.CloudAPIURL)
+}
+
+func TestParseSetArgs_InvalidKey(t *testing.T) {
+	args := []string{"invalidKey=value1"}
+	_, err := parseSetArgs(args)
+	assert.Equal(t, "key 'invalidKey' unknown . supported: accessKey/accountID/cloudAPIURL/cloudReportURL", err.Error())
+}
--- a/cmd/config/view.go
+++ b/cmd/config/view.go
@@ -3,9 +3,9 @@ package config
 import (
 	"os"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )

--- a/cmd/config/view_test.go
+++ b/cmd/config/view_test.go
@@ -0,0 +1,21 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetViewCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := getViewCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "view", configCmd.Use)
+	assert.Equal(t, "View cached configurations", configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+}
--- a/cmd/download/download.go
+++ b/cmd/download/download.go
@@ -1,18 +1,17 @@
 package download

 import (
-	"context"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"strings"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )

 var (
@@ -37,9 +36,6 @@ var (

  # Download the configured controls-inputs 
  %[1]s download controls-inputs 
-
-  # Download the attack tracks
-  %[1]s download attack-tracks
 `, cautils.ExecName())
 )

@@ -70,13 +66,16 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 			if filepath.Ext(downloadInfo.Path) == ".json" {
 				downloadInfo.Path, downloadInfo.FileName = filepath.Split(downloadInfo.Path)
 			}
+
+			if len(args) == 0 {
+				return fmt.Errorf("no arguements provided")
+			}
+
 			downloadInfo.Target = args[0]
 			if len(args) >= 2 {
-
 				downloadInfo.Identifier = args[1]
-
 			}
-			if err := ks.Download(context.TODO(), &downloadInfo); err != nil {
+			if err := ks.Download(&downloadInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
@@ -84,8 +83,7 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 	}

 	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
-	downloadCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
-	downloadCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
+	downloadCmd.PersistentFlags().StringVarP(&downloadInfo.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
 	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If not specified, will save in `~/.kubescape/<policy name>.json`")

 	return downloadCmd
--- a/cmd/download/download_test.go
+++ b/cmd/download/download_test.go
@@ -0,0 +1,102 @@
+package download
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetViewCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	configCmd := GetDownloadCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "download <policy> <policy name>", configCmd.Use)
+	assert.Equal(t, fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")), configCmd.Short)
+	assert.Equal(t, "", configCmd.Long)
+	assert.Equal(t, downloadExample, configCmd.Example)
+}
+
+func TestGetViewCmd_Args(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetConfigCmd function
+	downloadCmd := GetDownloadCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "download <policy> <policy name>", downloadCmd.Use)
+	assert.Equal(t, fmt.Sprintf("Download %s", strings.Join(core.DownloadSupportCommands(), ",")), downloadCmd.Short)
+	assert.Equal(t, "", downloadCmd.Long)
+	assert.Equal(t, downloadExample, downloadCmd.Example)
+
+	err := downloadCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "no arguements provided"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.RunE(&cobra.Command{}, []string{"config"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage = "policy type required, supported: artifacts,attack-tracks,control,controls-inputs,exceptions,framework"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"invalid"})
+	expectedErrorMessage = "invalid parameter 'invalid'. Supported parameters: artifacts,attack-tracks,control,controls-inputs,exceptions,framework"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"attack-tracks"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "random.json"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "C-0001"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.Args(&cobra.Command{}, []string{"control", "C-0001", "C-0002"})
+	assert.Nil(t, err)
+
+	err = downloadCmd.RunE(&cobra.Command{}, []string{"control", "C-0001", "C-0002"})
+	assert.Nil(t, err)
+}
+
+func TestFlagValidationDownload_NoError(t *testing.T) {
+	downloadInfo := v1.DownloadInfo{
+		AccessKey: "",
+		AccountID: "",
+	}
+	assert.Equal(t, nil, flagValidationDownload(&downloadInfo))
+}
+
+func TestFlagValidationDownload_Error(t *testing.T) {
+	tests := []struct {
+		downloadInfo v1.DownloadInfo
+	}{
+		{
+			downloadInfo: v1.DownloadInfo{
+				AccountID: "12345678",
+			},
+		},
+		{
+			downloadInfo: v1.DownloadInfo{
+				AccountID: "New",
+			},
+		},
+	}
+	want := "bad argument: accound ID must be a valid UUID"
+	for _, tt := range tests {
+		t.Run(tt.downloadInfo.AccountID, func(t *testing.T) {
+			assert.Equal(t, want, flagValidationDownload(&tt.downloadInfo).Error())
+		})
+	}
+}
--- a/cmd/fix/fix.go
+++ b/cmd/fix/fix.go
@@ -1,14 +1,12 @@
 package fix

 import (
-	"context"
 	"errors"
 	"fmt"

-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	metav1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
-
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
 )

@@ -36,7 +34,7 @@ func GetFixCmd(ks meta.IKubescape) *cobra.Command {
 			}
 			fixInfo.ReportFile = args[0]

-			return ks.Fix(context.TODO(), &fixInfo)
+			return ks.Fix(&fixInfo)
 		},
 	}

--- a/cmd/fix/fix_test.go
+++ b/cmd/fix/fix_test.go
@@ -0,0 +1,30 @@
+package fix
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetFixCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetFixCmd function
+	fixCmd := GetFixCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "fix <report output file>", fixCmd.Use)
+	assert.Equal(t, "Propose a fix for the misconfiguration found when scanning Kubernetes manifest files", fixCmd.Short)
+	assert.Equal(t, "", fixCmd.Long)
+	assert.Equal(t, fixCmdExamples, fixCmd.Example)
+
+	err := fixCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage := "report output file is required"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = fixCmd.RunE(&cobra.Command{}, []string{"random-file.json"})
+	assert.Nil(t, err)
+}
--- a/cmd/list/list.go
+++ b/cmd/list/list.go
@@ -1,17 +1,17 @@
 package list

 import (
-	"context"
+	"errors"
 	"fmt"
+	"slices"
 	"strings"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	v1 "github.com/kubescape/kubescape/v2/core/meta/datastructures/v1"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )

 var (
@@ -55,15 +55,20 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 				return err
 			}

+			if len(args) < 1 {
+				return errors.New("no arguements provided")
+			}
+
 			listPolicies.Target = args[0]

-			if err := ks.List(context.TODO(), &listPolicies); err != nil {
+			if err := ks.List(&listPolicies); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil
 		},
 	}
 	listCmd.PersistentFlags().StringVarP(&listPolicies.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	listCmd.PersistentFlags().StringVarP(&listPolicies.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
 	listCmd.PersistentFlags().StringVar(&listPolicies.Format, "format", "pretty-print", "output format. supported: 'pretty-print'/'json'")
 	listCmd.PersistentFlags().MarkDeprecated("id", "Control ID's are included in list outputs")

--- a/cmd/list/list_test.go
+++ b/cmd/list/list_test.go
@@ -0,0 +1,44 @@
+package list
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetListCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetListCmd function
+	listCmd := GetListCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "list <policy> [flags]", listCmd.Use)
+	assert.Equal(t, "List frameworks/controls will list the supported frameworks and controls", listCmd.Short)
+	assert.Equal(t, "", listCmd.Long)
+	assert.Equal(t, listExample, listCmd.Example)
+	supported := strings.Join(core.ListSupportActions(), ",")
+
+	err := listCmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "policy type requeued, supported: " + supported
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.Args(&cobra.Command{}, []string{"not-frameworks"})
+	expectedErrorMessage = "invalid parameter 'not-frameworks'. Supported parameters: " + supported
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.Args(&cobra.Command{}, []string{"frameworks"})
+	assert.Nil(t, err)
+
+	err = listCmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "no arguements provided"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = listCmd.RunE(&cobra.Command{}, []string{"some-value"})
+	assert.Nil(t, err)
+}
--- a/cmd/operator/configscan.go
+++ b/cmd/operator/configscan.go
@@ -5,9 +5,9 @@ import (

 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

@@ -21,7 +21,7 @@ var operatorScanConfigExamples = fmt.Sprintf(`
 func getOperatorScanConfigCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *cobra.Command {
 	configCmd := &cobra.Command{
 		Use:     "configurations",
-		Short:   "Trigger configuration scanning from the Kubescape-Operator microservice",
+		Short:   "Trigger configuration scanning from the Kubescape Operator microservice",
 		Long:    ``,
 		Example: operatorScanConfigExamples,
 		Args: func(cmd *cobra.Command, args []string) error {
@@ -29,17 +29,17 @@ func getOperatorScanConfigCmd(ks meta.IKubescape, operatorInfo cautils.OperatorI
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
-			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo)
+			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo, operatorInfo.Namespace)
 			if err != nil {
 				return err
 			}
-			logger.L().Start("Kubescape-Operator Triggering for configuration scanning")
+			logger.L().Start("Kubescape Operator Triggering for configuration scanning")
 			_, err = operatorAdapter.OperatorScan()
 			if err != nil {
-				logger.L().StopError("Failed to triggering Kubescape-Operator for configuration scanning", helpers.Error(err))
+				logger.L().StopError("Failed to triggering Kubescape Operator for configuration scanning", helpers.Error(err))
 				return err
 			}
-			logger.L().StopSuccess("Triggered Kubescape-Operator for configuration scanning")
+			logger.L().StopSuccess("Triggered Kubescape Operator for configuration scanning")
 			return nil
 		},
 	}
--- a/cmd/operator/configscan_test.go
+++ b/cmd/operator/configscan_test.go
@@ -0,0 +1,32 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanConfigCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanConfigCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "configurations", cmd.Use)
+	assert.Equal(t, "Trigger configuration scanning from the Kubescape Operator microservice", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorScanConfigExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"configurations"})
+	assert.Nil(t, err)
+}
--- a/cmd/operator/operator.go
+++ b/cmd/operator/operator.go
@@ -4,9 +4,8 @@ import (
 	"errors"
 	"fmt"

-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

@@ -29,7 +28,7 @@ func GetOperatorCmd(ks meta.IKubescape) *cobra.Command {

 	operatorCmd := &cobra.Command{
 		Use:     "operator",
-		Short:   "The operator is used to communicate with the Kubescape-Operator within the cluster components.",
+		Short:   "The operator is used to communicate with the Kubescape Operator within the cluster components.",
 		Long:    ``,
 		Example: operatorExamples,
 		Args: func(cmd *cobra.Command, args []string) error {
--- a/cmd/operator/operator_test.go
+++ b/cmd/operator/operator_test.go
@@ -0,0 +1,42 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	cmd := GetOperatorCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "operator", cmd.Use)
+	assert.Equal(t, "The operator is used to communicate with the Kubescape Operator within the cluster components.", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"scan", "configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"scan", "configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"scan"})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"random-subcommand", "random-config"})
+	expectedErrorMessage = "For the operator sub-command, only " + scanSubCommand + " is supported. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/operator/scan.go
+++ b/cmd/operator/scan.go
@@ -4,8 +4,8 @@ import (
 	"errors"
 	"fmt"

-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

@@ -38,6 +38,7 @@ func getOperatorScanCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *
 		},
 	}

+	operatorCmd.PersistentFlags().StringVar(&operatorInfo.Namespace, "namespace", "kubescape", "namespace of the Kubescape Operator")
 	operatorCmd.AddCommand(getOperatorScanConfigCmd(ks, operatorInfo))
 	operatorCmd.AddCommand(getOperatorScanVulnerabilitiesCmd(ks, operatorInfo))

--- a/cmd/operator/scan_test.go
+++ b/cmd/operator/scan_test.go
@@ -0,0 +1,46 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "scan", cmd.Use)
+	assert.Equal(t, "Scan your cluster using the Kubescape-operator within the cluster components", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "for operator scan sub command, you must pass at least 1 more sub commands, see above examples"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"operator"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"configurations"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"vulnerabilities"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{"random"})
+	expectedErrorMessage = "For the operator sub-command, only " + vulnerabilitiesSubCommand + " and " + configurationsSubCommand + " are supported. Refer to the examples above."
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/operator/vulnerabilitiesscan.go
+++ b/cmd/operator/vulnerabilitiesscan.go
@@ -6,9 +6,9 @@ import (
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

@@ -30,17 +30,17 @@ func getOperatorScanVulnerabilitiesCmd(ks meta.IKubescape, operatorInfo cautils.
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
-			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo)
+			operatorAdapter, err := core.NewOperatorAdapter(operatorInfo.OperatorScanInfo, operatorInfo.Namespace)
 			if err != nil {
 				return err
 			}
-			logger.L().Start("Triggering the Kubescape-Operator for vulnerability scanning")
+			logger.L().Start("Triggering the Kubescape Operator for vulnerability scanning")
 			_, err = operatorAdapter.OperatorScan()
 			if err != nil {
-				logger.L().StopError("Failed to trigger the Kubescape-Operator for vulnerability scanning", helpers.Error(err))
+				logger.L().StopError("Failed to trigger the Kubescape Operator for vulnerability scanning", helpers.Error(err))
 				return err
 			}
-			logger.L().StopSuccess("Triggered Kubescape-Operator for vulnerability scanning. View the scanning results once they are ready using the following command: \"kubectl get vulnerabilitysummaries\"")
+			logger.L().StopSuccess("Triggered Kubescape Operator for vulnerability scanning. View the scanning results once they are ready using the following command: \"kubectl get vulnerabilitysummaries\"")
 			return err
 		},
 	}
--- a/cmd/operator/vulnerabilitiesscan_test.go
+++ b/cmd/operator/vulnerabilitiesscan_test.go
@@ -0,0 +1,29 @@
+package operator
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetOperatorScanVulnerabilitiesCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	operatorInfo := cautils.OperatorInfo{
+		Namespace: "namespace",
+	}
+
+	cmd := getOperatorScanVulnerabilitiesCmd(mockKubescape, operatorInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "vulnerabilities", cmd.Use)
+	assert.Equal(t, "Vulnerabilities use for scan your cluster vulnerabilities using Kubescape operator in the in cluster components", cmd.Short)
+	assert.Equal(t, "", cmd.Long)
+	assert.Equal(t, operatorScanVulnerabilitiesExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{"random-arg"})
+	assert.Nil(t, err)
+}
--- a/cmd/patch/README.md
+++ b/cmd/patch/README.md
@@ -0,0 +1,142 @@
+# Patch Command
+
+The patch command is used for patching container images with vulnerabilities.  
+It uses [copa](https://github.com/project-copacetic/copacetic) and [buildkit](https://github.com/moby/buildkit) under the hood for patching the container images, and [grype](https://github.com/anchore/grype) as the engine for scanning the images (at the moment).
+
+## Usage
+
+```bash
+kubescape patch --image <image-name> [flags]
+```
+
+The patch command can be run in 2 ways:
+1. **With sudo privileges**
+
+    You will need to start `buildkitd` if it is not already running
+
+    ```bash
+    sudo buildkitd & 
+    sudo kubescape patch --image <image-name>
+    ```
+
+2. **Without sudo privileges**
+   ```bash
+    export BUILDKIT_VERSION=v0.11.4
+    export BUILDKIT_PORT=8888
+
+    docker run \
+        --detach \
+        --rm \
+        --privileged \
+        -p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
+        --name buildkitd \
+        --entrypoint buildkitd \
+        "moby/buildkit:$BUILDKIT_VERSION" \
+        --addr tcp://0.0.0.0:$BUILDKIT_PORT
+
+    kubescape patch \
+        -i <image-name> \
+        -a tcp://0.0.0.0:$BUILDKIT_PORT
+   ```
+
+### Flags
+
+| Flag           | Description                                            | Required | Default                             |
+| -------------- | ------------------------------------------------------ | -------- | ----------------------------------- |
+| -i, --image    | Image name to be patched (should be in canonical form) | Yes      |                                     |
+| -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
+| -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
+| --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| --ignore-errors| Ignore errors during patching                          | No       | false                               |
+| -u, --username | Username for the image registry login                  | No       |                                     |
+| -p, --password | Password for the image registry login                  | No       |                                     |
+| -f, --format   | Output file format.                                    | No       |                                     |
+| -o, --output   | Output file. Print output to file and not stdout       | No       |                                     |
+| -v, --verbose  | Display full report. Default to false                  | No       |                                     |
+| -h, --help     | help for patch                                         | No       |                                     |
+
+
+## Example
+
+We will demonstrate how to use the patch command with an example of [nginx](https://www.nginx.com/) image.
+
+### Pre-requisites
+
+- [docker](https://docs.docker.com/desktop/install/linux-install/#generic-installation-steps) daemon must be installed and running.
+- [buildkit](https://github.com/moby/buildkit) daemon must be installed
+    
+### Steps
+
+1. Run `buildkitd` service:
+
+    ```bash
+    sudo buildkitd
+    ```
+
+2. In a seperate terminal, run the `kubescape patch` command: 
+    
+    ```bash
+    sudo kubescape patch --image docker.io/library/nginx:1.22
+    ```
+
+3. You will get an output like below:
+
+    ```bash
+    ✅  Successfully scanned image: docker.io/library/nginx:1.22
+    ✅  Patched image successfully. Loaded image: nginx:1.22-patched
+    ✅  Successfully re-scanned image: nginx:1.22-patched
+
+    | Severity | Vulnerability  | Component     | Version                 | Fixed In |
+    | -------- | -------------- | ------------- | ----------------------- | -------- |
+    | Critical | CVE-2023-23914 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | Critical | CVE-2019-8457  | libdb5.3      | 5.3.28+dfsg1-0.8        | wont-fix |
+    | High     | CVE-2022-42916 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | libext2fs2    | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-42916 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-1304  | e2fsprogs     | 1.46.2-2                | wont-fix |
+    | High     | CVE-2022-1304  | libcom-err2   | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-27533 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27534 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2023-27533 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | libcurl4      | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-3715  | bash          | 5.1-2+deb11u1           | wont-fix |
+    | High     | CVE-2023-27534 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2022-43551 | curl          | 7.74.0-1.3+deb11u7      | wont-fix |
+    | High     | CVE-2021-33560 | libgcrypt20   | 1.8.7-6                 | wont-fix |
+    | High     | CVE-2023-2953  | libldap-2.4-2 | 2.4.57+dfsg-3+deb11u1   | wont-fix |
+    | High     | CVE-2022-1304  | libss2        | 1.46.2-2                | wont-fix |
+    | High     | CVE-2020-22218 | libssh2-1     | 1.9.0-2                 | wont-fix |
+    | High     | CVE-2023-29491 | libtinfo6     | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2022-2309  | libxml2       | 2.9.10+dfsg-6.7+deb11u4 | wont-fix |
+    | High     | CVE-2022-4899  | libzstd1      | 1.4.8+dfsg-2.1          | wont-fix |
+    | High     | CVE-2022-1304  | logsave       | 1.46.2-2                | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-base  | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-29491 | ncurses-bin   | 6.2+20201114-2+deb11u1  | wont-fix |
+    | High     | CVE-2023-31484 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    | High     | CVE-2020-16156 | perl-base     | 5.32.1-4+deb11u2        | wont-fix |
+    
+    Vulnerability summary - 161 vulnerabilities found:
+    Image: nginx:1.22-patched
+      * 3 Critical
+      * 24 High
+      * 31 Medium
+      * 103 Other
+
+    Most vulnerable components:
+      * curl (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libcurl4 (7.74.0-1.3+deb11u7) - 1 Critical, 4 High, 5 Medium, 1 Low, 3 Negligible
+      * libtiff5 (4.2.0-1+deb11u4) - 7 Medium, 10 Negligible, 2 Unknown
+      * libxml2 (2.9.10+dfsg-6.7+deb11u4) - 1 High, 2 Medium
+      * perl-base (5.32.1-4+deb11u2) - 2 High, 2 Negligible
+    
+    What now?
+    ─────────
+    * Run with '--verbose'/'-v' flag for detailed vulnerabilities view
+    * Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator
+    ```
+
+## Limitations
+
+- The patch command can only fix OS-level vulnerability. It cannot fix application-level vulnerabilities. This is a limitation of copa. The reason behind this is that application level vulnerabilities are best suited to be fixed by the developers of the application.
+Hence, this is not really a limitation but a design decision.
+- No support for windows containers given the dependency on buildkit.
--- a/cmd/patch/patch.go
+++ b/cmd/patch/patch.go
@@ -0,0 +1,141 @@
+package patch
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/pkg/imagescan"
+	"github.com/spf13/cobra"
+)
+
+var patchCmdExamples = fmt.Sprintf(`
+  # Patch the nginx:1.22 image
+  1) sudo buildkitd        # start buildkitd service, run in seperate terminal
+  2) sudo %[1]s patch --image docker.io/library/nginx:1.22   # patch the image
+
+  # The patch command can also be run without sudo privileges
+  # Documentation: https://github.com/kubescape/kubescape/tree/master/cmd/patch
+`, cautils.ExecName())
+
+func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
+	var patchInfo metav1.PatchInfo
+	var scanInfo cautils.ScanInfo
+
+	patchCmd := &cobra.Command{
+		Use:     "patch --image <image>:<tag> [flags]",
+		Short:   "Patch container images with vulnerabilities",
+		Long:    `Patch command is for automatically patching images with vulnerabilities.`,
+		Example: patchCmdExamples,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 0 {
+				return fmt.Errorf("the command takes no arguments")
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := shared.ValidateImageScanInfo(&scanInfo); err != nil {
+				return err
+			}
+
+			if err := validateImagePatchInfo(&patchInfo); err != nil {
+				return err
+			}
+
+			results, err := ks.Patch(&patchInfo, &scanInfo)
+			if err != nil {
+				return err
+			}
+
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				shared.TerminateOnExceedingSeverity(&scanInfo, logger.L())
+			}
+
+			return nil
+		},
+	}
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Image, "image", "i", "", "Application image name and tag to patch")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
+	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+	patchCmd.PersistentFlags().BoolVar(&patchInfo.IgnoreError, "ignore-errors", false, "Ignore errors and continue patching other images. Default to false")
+
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Username, "username", "u", "", "Username for registry login")
+	patchCmd.PersistentFlags().StringVarP(&patchInfo.Password, "password", "p", "", "Password for registry login")
+
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "sarif"`)
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
+	patchCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display full report. Default to false")
+
+	patchCmd.PersistentFlags().StringVarP(&scanInfo.FailThresholdSeverity, "severity-threshold", "s", "", "Severity threshold is the severity of a vulnerability at which the command fails and returns exit code 1")
+
+	return patchCmd
+}
+
+// validateImagePatchInfo validates the image patch info for the `patch` command
+func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
+
+	if patchInfo.Image == "" {
+		return errors.New("image tag is required")
+	}
+
+	// Convert image to canonical format (required by copacetic for patching images)
+	patchInfoImage, err := cautils.NormalizeImageName(patchInfo.Image)
+	if err != nil {
+		return nil
+	}
+
+	// Parse the image full name to get image name and tag
+	named, err := reference.ParseNamed(patchInfoImage)
+	if err != nil {
+		return err
+	}
+
+	// If no tag or digest is provided, default to 'latest'
+	if reference.IsNameOnly(named) {
+		logger.L().Warning("Image name has no tag or digest, using latest as tag")
+		named = reference.TagNameOnly(named)
+	}
+	patchInfo.Image = named.String()
+
+	// If no patched image tag is provided, default to '<image-tag>-patched'
+	if patchInfo.PatchedImageTag == "" {
+
+		taggedName, ok := named.(reference.Tagged)
+		if !ok {
+			return errors.New("unexpected error while parsing image tag")
+		}
+
+		patchInfo.ImageTag = taggedName.Tag()
+
+		if patchInfo.ImageTag == "" {
+			logger.L().Warning("No tag provided, defaulting to 'patched'")
+			patchInfo.PatchedImageTag = "patched"
+		} else {
+			patchInfo.PatchedImageTag = fmt.Sprintf("%s-%s", patchInfo.ImageTag, "patched")
+		}
+
+	}
+
+	// Extract the "image" name from the canonical Image URL
+	// If it's an official docker image, we store just the "image-name". Else if a docker repo then we store as "repo/image". Else complete URL
+	ref, _ := reference.ParseNormalizedNamed(patchInfo.Image)
+	imageName := named.Name()
+	if strings.Contains(imageName, "docker.io/library/") {
+		imageName = reference.Path(ref)
+		imageName = imageName[strings.LastIndex(imageName, "/")+1:]
+	} else if strings.Contains(imageName, "docker.io/") {
+		imageName = reference.Path(ref)
+	}
+	patchInfo.ImageName = imageName
+
+	return nil
+}
--- a/cmd/patch/patch_test.go
+++ b/cmd/patch/patch_test.go
@@ -0,0 +1,52 @@
+package patch
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetPatchCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	cmd := GetPatchCmd(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "patch --image <image>:<tag> [flags]", cmd.Use)
+	assert.Equal(t, "Patch container images with vulnerabilities", cmd.Short)
+	assert.Equal(t, "Patch command is for automatically patching images with vulnerabilities.", cmd.Long)
+	assert.Equal(t, patchCmdExamples, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"test"})
+	expectedErrorMessage := "the command takes no arguments"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "image tag is required"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{"patch", "--image", "docker.io/library/nginx:1.22"})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetPatchCmdWithNonExistentImage(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	// Call the GetPatchCmd function
+	cmd := GetPatchCmd(mockKubescape)
+
+	// Run the command with a non-existent image argument
+	err := cmd.RunE(&cobra.Command{}, []string{"patch", "--image", "non-existent-image"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "image tag is required"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/prerequisites/prerequisites.go
+++ b/cmd/prerequisites/prerequisites.go
@@ -0,0 +1,46 @@
+package prerequisites
+
+import (
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/kubescape/sizing-checker/pkg/checks/connectivitycheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/ebpfcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/pvcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/sizing"
+	"github.com/kubescape/sizing-checker/pkg/common"
+	"github.com/spf13/cobra"
+)
+
+func GetPreReqCmd(ks meta.IKubescape) *cobra.Command {
+	// preReqCmd represents the prerequisites command
+	preReqCmd := &cobra.Command{
+		Use:   "prerequisites",
+		Short: "Check prerequisites for installing Kubescape Operator",
+		Run: func(cmd *cobra.Command, args []string) {
+			clientSet, inCluster := common.BuildKubeClient()
+			if clientSet == nil {
+				logger.L().Fatal("Could not create kube client. Exiting.")
+			}
+
+			// 1) Collect cluster data
+			clusterData, err := common.CollectClusterData(ks.Context(), clientSet)
+			if err != nil {
+				logger.L().Error("Failed to collect cluster data", helpers.Error(err))
+			}
+
+			// 2) Run checks
+			sizingResult := sizing.RunSizingChecker(clusterData)
+			pvResult := pvcheck.RunPVProvisioningCheck(ks.Context(), clientSet, clusterData, inCluster)
+			connectivityResult := connectivitycheck.RunConnectivityChecks(ks.Context(), clientSet, clusterData, inCluster)
+			ebpfResult := ebpfcheck.RunEbpfCheck(ks.Context(), clientSet, clusterData, inCluster)
+
+			// 3) Build and export the final ReportData
+			finalReport := common.BuildReportData(clusterData, sizingResult, pvResult, connectivityResult, ebpfResult)
+			finalReport.InCluster = inCluster
+
+			common.GenerateOutput(finalReport, inCluster)
+		},
+	}
+	return preReqCmd
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,26 +1,29 @@
 package cmd

 import (
+	"context"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/kubescape/v2/cmd/completion"
-	"github.com/kubescape/kubescape/v2/cmd/config"
-	"github.com/kubescape/kubescape/v2/cmd/download"
-	"github.com/kubescape/kubescape/v2/cmd/fix"
-	"github.com/kubescape/kubescape/v2/cmd/list"
-	"github.com/kubescape/kubescape/v2/cmd/operator"
-	"github.com/kubescape/kubescape/v2/cmd/scan"
-	"github.com/kubescape/kubescape/v2/cmd/update"
-	"github.com/kubescape/kubescape/v2/cmd/version"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
-
+	"github.com/kubescape/kubescape/v3/cmd/completion"
+	"github.com/kubescape/kubescape/v3/cmd/config"
+	"github.com/kubescape/kubescape/v3/cmd/download"
+	"github.com/kubescape/kubescape/v3/cmd/fix"
+	"github.com/kubescape/kubescape/v3/cmd/list"
+	"github.com/kubescape/kubescape/v3/cmd/operator"
+	"github.com/kubescape/kubescape/v3/cmd/patch"
+	"github.com/kubescape/kubescape/v3/cmd/prerequisites"
+	"github.com/kubescape/kubescape/v3/cmd/scan"
+	"github.com/kubescape/kubescape/v3/cmd/update"
+	"github.com/kubescape/kubescape/v3/cmd/vap"
+	"github.com/kubescape/kubescape/v3/cmd/version"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	"github.com/spf13/cobra"
 )

@@ -40,8 +43,8 @@ var ksExamples = fmt.Sprintf(`
  %[1]s config view
 `, cautils.ExecName())

-func NewDefaultKubescapeCommand() *cobra.Command {
-	ks := core.NewKubescape()
+func NewDefaultKubescapeCommand(ctx context.Context) *cobra.Command {
+	ks := core.NewKubescape(ctx)
 	return getRootCmd(ks)
 }

@@ -82,8 +85,6 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {

 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")

 	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	// Supported commands
@@ -91,11 +92,14 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(download.GetDownloadCmd(ks))
 	rootCmd.AddCommand(list.GetListCmd(ks))
 	rootCmd.AddCommand(completion.GetCompletionCmd())
-	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd(ks))
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
-	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(update.GetUpdateCmd(ks))
 	rootCmd.AddCommand(fix.GetFixCmd(ks))
+	rootCmd.AddCommand(patch.GetPatchCmd(ks))
+	rootCmd.AddCommand(vap.GetVapHelperCmd())
 	rootCmd.AddCommand(operator.GetOperatorCmd(ks))
+	rootCmd.AddCommand(prerequisites.GetPreReqCmd(ks))

 	// deprecated commands
 	rootCmd.AddCommand(&cobra.Command{
@@ -110,7 +114,7 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	return rootCmd
 }

-func Execute() error {
-	ks := NewDefaultKubescapeCommand()
+func Execute(ctx context.Context) error {
+	ks := NewDefaultKubescapeCommand(ctx)
 	return ks.Execute()
 }
--- a/cmd/rootutils.go
+++ b/cmd/rootutils.go
@@ -7,21 +7,17 @@ import (

 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
-	sdClientV1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
-	logger "github.com/kubescape/go-logger"
+	sdClientV2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/go-logger/iconlogger"
 	"github.com/kubescape/go-logger/zaplogger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/mattn/go-isatty"
 )

 func initLogger() {
-	logger.DisableColor(rootInfo.DisableColor)
-	logger.EnableColor(rootInfo.EnableColor)
-
 	if rootInfo.LoggerName == "" {
 		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
 			rootInfo.LoggerName = l
@@ -35,8 +31,8 @@ func initLogger() {
 	}

 	logger.InitLogger(rootInfo.LoggerName)
-
 }
+
 func initLoggerLevel() {
 	if rootInfo.Logger == helpers.InfoLevel.String() {
 	} else if l := os.Getenv("KS_LOGGER"); l != "" {
@@ -66,7 +62,7 @@ func initEnvironment() {

 	logger.L().Debug("fetching URLs from service discovery server", helpers.String("server", rootInfo.DiscoveryServerURL))

-	client, err := sdClientV1.NewServiceDiscoveryClientV1(rootInfo.DiscoveryServerURL)
+	client, err := sdClientV2.NewServiceDiscoveryClientV2(rootInfo.DiscoveryServerURL)
 	if err != nil {
 		logger.L().Fatal("failed to create service discovery client", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
 		return
@@ -77,13 +73,13 @@ func initEnvironment() {
 	)

 	if err != nil {
-		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		logger.L().Fatal("failed to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
 		return
 	}

 	logger.L().Debug("configuring service discovery URLs", helpers.String("cloudAPIURL", services.GetApiServerUrl()), helpers.String("cloudReportURL", services.GetReportReceiverHttpUrl()))

-	tenant := cautils.GetTenantConfig("", "", "", nil)
+	tenant := cautils.GetTenantConfig("", "", "", "", nil)
 	if services.GetApiServerUrl() != "" {
 		tenant.GetConfigObj().CloudAPIURL = services.GetApiServerUrl()
 	}
@@ -99,6 +95,7 @@ func initEnvironment() {
 		services.GetApiServerUrl(),
 		services.GetReportReceiverHttpUrl(),
 		"",
+		"",
 	)
 	if err != nil {
 		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
--- a/cmd/scan/control.go
+++ b/cmd/scan/control.go
@@ -1,19 +1,17 @@
 package scan

 import (
-	"context"
 	"fmt"
 	"io"
 	"os"
 	"strings"

-	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
-
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )

@@ -97,12 +95,11 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 				return err
 			}

-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if err := results.HandleResults(ctx); err != nil {
+			if err := results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			if !scanInfo.VerboseMode {
@@ -129,7 +126,7 @@ func validateControlScanInfo(scanInfo *cautils.ScanInfo) error {
 		return fmt.Errorf("you can use `omit-raw-resources` or `submit`, but not both")
 	}

-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if err := shared.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}
 	return nil
--- a/cmd/scan/control_test.go
+++ b/cmd/scan/control_test.go
@@ -0,0 +1,60 @@
+package scan
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetControlCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	cmd := getControlCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "control <control names list>/<control ids list>", cmd.Use)
+	assert.Equal(t, fmt.Sprintf("The controls you wish to use. Run '%[1]s list controls' for the list of supported controls", cautils.ExecName()), cmd.Short)
+	assert.Equal(t, controlExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "requires at least one control name"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"C-0001,C-0002"})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"C-0001,C-0002,"})
+	expectedErrorMessage = "usage: <control-0>,<control-1>"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "bad argument: accound ID must be a valid UUID"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetControlCmdWithNonExistentControl(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	// Call the GetControlCmd function
+	cmd := getControlCmd(mockKubescape, &scanInfo)
+
+	// Run the command with a non-existent control argument
+	err := cmd.RunE(&cobra.Command{}, []string{"control", "C-0001,C-0002"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "bad argument: accound ID must be a valid UUID"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/scan/framework.go
+++ b/cmd/scan/framework.go
@@ -1,24 +1,22 @@
 package scan

 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"

+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	"github.com/kubescape/kubescape/v2/core/meta"
-
 	"github.com/spf13/cobra"
 )

@@ -42,7 +40,6 @@ var (
  Run '%[1]s list frameworks' for the list of supported frameworks
 `, cautils.ExecName())

-	ErrUnknownSeverity          = errors.New("unknown severity")
 	ErrSecurityViewNotSupported = errors.New("security view is not supported for framework scan")
 	ErrBadThreshold             = errors.New("bad argument: out of range threshold")
 	ErrKeepLocalOrSubmit        = errors.New("you can use `keep-local` or `submit`, but not both")
@@ -94,7 +91,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm

 				}
 				if len(args) > 1 {
-					if len(args[1:]) == 0 || args[1] != "-" {
+					if args[1] != "-" {
 						scanInfo.InputPatterns = args[1:]
 						logger.L().Debug("List of input files", helpers.Interface("patterns", scanInfo.InputPatterns))
 					} else { // store stdin to file - do NOT move to separate function !!
@@ -112,23 +109,18 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 				}
 			}
 			scanInfo.SetScanType(cautils.ScanTypeFramework)
-			scanInfo.FrameworkScan = true

 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)

-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}

-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}

-			if !scanInfo.VerboseMode && scanInfo.ScanType == cautils.ScanTypeFramework {
-				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
-			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {
 				logger.L().Fatal("scan risk-score is above permitted threshold", helpers.String("risk-score", fmt.Sprintf("%.2f", results.GetRiskScore())), helpers.String("fail-threshold", fmt.Sprintf("%.2f", scanInfo.FailThreshold)))
 			}
@@ -140,12 +132,13 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			return nil
 		},
 	}
+
 }

 // countersExceedSeverityThreshold returns true if severity of failed controls exceed the set severity threshold, else returns false
 func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCounters, scanInfo *cautils.ScanInfo) (bool, error) {
 	targetSeverity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(targetSeverity); err != nil {
+	if err := shared.ValidateSeverity(targetSeverity); err != nil {
 		return false, err
 	}

@@ -180,7 +173,7 @@ func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCou

 // terminateOnExceedingSeverity terminates the application on exceeding severity
 func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
-	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+	l.Fatal("compliance result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
 }

 // enforceSeverityThresholds ensures that the scan results are below the defined severity threshold
@@ -199,21 +192,10 @@ func enforceSeverityThresholds(severityCounters reportsummary.ISeverityCounters,
 	}
 }

-// validateSeverity returns an error if a given severity is not known, nil otherwise
-func validateSeverity(severity string) error {
-	for _, val := range reporthandlingapis.GetSupportedSeverities() {
-		if strings.EqualFold(severity, val) {
-			return nil
-		}
-	}
-	return ErrUnknownSeverity
-
-}
-
 // validateFrameworkScanInfo validates the scan info struct for the `scan framework` command
 func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
 	if scanInfo.View == string(cautils.SecurityViewType) {
-		return ErrSecurityViewNotSupported
+		scanInfo.View = string(cautils.ResourceViewType)
 	}

 	if scanInfo.Submit && scanInfo.Local {
@@ -229,7 +211,7 @@ func validateFrameworkScanInfo(scanInfo *cautils.ScanInfo) error {
 		return ErrOmitRawResourcesOrSubmit
 	}
 	severity := scanInfo.FailThresholdSeverity
-	if err := validateSeverity(severity); severity != "" && err != nil {
+	if err := shared.ValidateSeverity(severity); severity != "" && err != nil {
 		return err
 	}

--- a/cmd/scan/framework_test.go
+++ b/cmd/scan/framework_test.go
@@ -0,0 +1,60 @@
+package scan
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetFrameworkCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	cmd := getFrameworkCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "framework <framework names list> [`<glob pattern>`/`-`] [flags]", cmd.Use)
+	assert.Equal(t, fmt.Sprintf("The framework you wish to use. Run '%[1]s list frameworks' for the list of supported frameworks", cautils.ExecName()), cmd.Short)
+	assert.Equal(t, frameworkExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "requires at least one framework name"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"nsa,mitre"})
+	assert.Nil(t, err)
+
+	err = cmd.Args(&cobra.Command{}, []string{"nsa,mitre,"})
+	expectedErrorMessage = "usage: <framework-0>,<framework-1>"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	expectedErrorMessage = "bad argument: accound ID must be a valid UUID"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
+
+func TestGetFrameworkCmdWithNonExistentFramework(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	// Call the GetFrameworkCmd function
+	cmd := getFrameworkCmd(mockKubescape, &scanInfo)
+
+	// Run the command with a non-existent framework argument
+	err := cmd.RunE(&cobra.Command{}, []string{"framework", "nsa,mitre"})
+
+	// Check that there is an error and the error message is as expected
+	expectedErrorMessage := "bad argument: accound ID must be a valid UUID"
+	assert.Error(t, err)
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/scan/image.go
+++ b/cmd/scan/image.go
@@ -1,43 +1,41 @@
 package scan

 import (
-	"context"
 	"fmt"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/core"
-	"github.com/kubescape/kubescape/v2/core/meta"
-	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling"
-	"github.com/kubescape/kubescape/v2/pkg/imagescan"
-
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+	"github.com/kubescape/kubescape/v3/pkg/imagescan"
 	"github.com/spf13/cobra"
 )

-type imageScanInfo struct {
-	Username string
-	Password string
-}
-
 // TODO(vladklokun): document image scanning on the Kubescape Docs Hub?
 var (
 	imageExample = fmt.Sprintf(`
-  This command is still in BETA. Feel free to contact the Kubescape maintainers for more information.
-  
  Scan an image for vulnerabilities. 

  # Scan the 'nginx' image
  %[1]s scan image "nginx"

-  # Image scan documentation:
-  # https://hub.armosec.io/docs/images
+  # Scan the 'nginx' image and see the full report 
+  %[1]s scan image "nginx" -v
+
+  # Scan the 'nginx' image and use exceptions
+  %[1]s scan image "nginx" --exceptions exceptions.json
+
 `, cautils.ExecName())
 )

-// imageCmd represents the image command
-func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgScanInfo *imageScanInfo) *cobra.Command {
+// getImageCmd returns the scan image command
+func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
+	var imgCredentials shared.ImageCredentials
+	var exceptions string
+
 	cmd := &cobra.Command{
-		Use:     "image <IMAGE_NAME>",
+		Use:     "image <image>:<tag> [flags]",
 		Short:   "Scan an image for vulnerabilities",
 		Example: imageExample,
 		Args: func(cmd *cobra.Command, args []string) error {
@@ -47,68 +45,38 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgScanInfo *im
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if err := validateImageScanInfo(scanInfo); err != nil {
+			if len(args) != 1 {
+				return fmt.Errorf("the command takes exactly one image name as an argument")
+			}
+
+			if err := shared.ValidateImageScanInfo(scanInfo); err != nil {
 				return err
 			}
-			failOnSeverity := imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)

-			ctx := context.Background()
-
-			dbCfg, _ := imagescan.NewDefaultDBConfig()
-			svc := imagescan.NewScanService(dbCfg)
-
-			creds := imagescan.RegistryCredentials{
-				Username: imgScanInfo.Username,
-				Password: imgScanInfo.Password,
+			imgScanInfo := &metav1.ImageScanInfo{
+				Image:      args[0],
+				Username:   imgCredentials.Username,
+				Password:   imgCredentials.Password,
+				Exceptions: exceptions,
 			}

-			userInput := args[0]
-
-			logger.L().Start(fmt.Sprintf("Scanning image: %s", userInput))
-			scanResults, err := svc.Scan(ctx, userInput, creds)
+			results, err := ks.ScanImage(imgScanInfo, scanInfo)
 			if err != nil {
-				logger.L().StopError(fmt.Sprintf("Failed to scan image: %s", userInput))
 				return err
 			}
-			logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", userInput))

-			scanInfo.SetScanType(cautils.ScanTypeImage)
-
-			outputPrinters := core.GetOutputPrinters(scanInfo, ctx, "")
-
-			uiPrinter := core.GetUIPrinter(ctx, scanInfo, "")
-
-			resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)
-
-			resultsHandler.ImageScanData = []cautils.ImageScanData{
-				{
-					PresenterConfig: scanResults,
-					Image:           userInput,
-				},
+			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+				shared.TerminateOnExceedingSeverity(scanInfo, logger.L())
 			}

-			resultsHandler.HandleResults(ctx)
-
-			if imagescan.ExceedsSeverityThreshold(scanResults, failOnSeverity) {
-				terminateOnExceedingSeverity(scanInfo, logger.L())
-			}
-
-			return err
+			return nil
 		},
 	}

-	cmd.PersistentFlags().StringVarP(&imgScanInfo.Username, "username", "u", "", "Username for registry login")
-	cmd.PersistentFlags().StringVarP(&imgScanInfo.Password, "password", "p", "", "Password for registry login")
+	// The exceptions flag
+	cmd.PersistentFlags().StringVarP(&exceptions, "exceptions", "", "", "Path to the exceptions file")
+	cmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
+	cmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")

 	return cmd
 }
-
-// validateImageScanInfo validates the ScanInfo struct for the `image` command
-func validateImageScanInfo(scanInfo *cautils.ScanInfo) error {
-	severity := scanInfo.FailThresholdSeverity
-
-	if err := validateSeverity(severity); severity != "" && err != nil {
-		return err
-	}
-	return nil
-}
--- a/cmd/scan/image_test.go
+++ b/cmd/scan/image_test.go
@@ -0,0 +1,35 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetImageCmd(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		AccountID: "new",
+	}
+
+	cmd := getImageCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "image <image>:<tag> [flags]", cmd.Use)
+	assert.Equal(t, "Scan an image for vulnerabilities", cmd.Short)
+	assert.Equal(t, imageExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "the command takes exactly one image name as an argument"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"nginx"})
+	assert.Nil(t, err)
+
+	err = cmd.RunE(&cobra.Command{}, []string{})
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/scan/scan.go
+++ b/cmd/scan/scan.go
@@ -1,25 +1,25 @@
 package scan

 import (
-	"context"
 	"flag"
 	"fmt"
 	"strings"

-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )

 var scanCmdExamples = fmt.Sprintf(`
-  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
-  
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks
+
  # Scan current cluster
  %[1]s scan

-  # Scan kubernetes manifest files 
+  # Scan kubernetes manifest files
  %[1]s scan .

  # Scan and save the results in the JSON format
@@ -28,7 +28,7 @@ var scanCmdExamples = fmt.Sprintf(`
  # Display all resources
  %[1]s scan --verbose

-  # Scan different clusters from the kubectl context 
+  # Scan different clusters from the kubectl context
  %[1]s scan --kube-context <kubernetes context>
 `, cautils.ExecName())

@@ -45,12 +45,17 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 			if scanInfo.View == string(cautils.SecurityViewType) {
 				setSecurityViewScanInfo(args, &scanInfo)

-				return securityScan(scanInfo, ks)
+				if err := securityScan(scanInfo, ks); err != nil {
+					logger.L().Fatal(err.Error())
+				}
+			} else if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
+				if err := getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...)); err != nil {
+					logger.L().Fatal(err.Error())
+				}
+			} else {
+				return fmt.Errorf("kubescape did not do anything")
 			}

-			if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
-				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...))
-			}
 			return nil
 		},
 		PostRun: func(cmd *cobra.Command, args []string) {
@@ -58,7 +63,10 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 		},
 	}

+	scanInfo.TriggeredByCLI = true
+
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.UseArtifactsFrom, "use-artifacts-from", "", "Load artifacts from local directory. If not used will download them")
@@ -68,12 +76,12 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().Float32VarP(&scanInfo.ComplianceThreshold, "compliance-threshold", "", 0, "Compliance threshold is the percent below which the command fails and returns exit code 1")

 	scanCmd.PersistentFlags().StringVar(&scanInfo.FailThresholdSeverity, "severity-threshold", "", "Severity threshold is the severity of failed controls at which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "", `Output file format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
+	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output file format. Supported formats: "pretty-printer", "json", "junit", "prometheus", "pdf", "html", "sarif"`)
 	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to configured backend.")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display all of the input resources and not only failed resources")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.ResourceViewType), fmt.Sprintf("View results based on the %s/%s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.SecurityViewType, cautils.ResourceViewType))
+	scanCmd.PersistentFlags().StringVar(&scanInfo.View, "view", string(cautils.SecurityViewType), fmt.Sprintf("View results based on the %s/%s/%s. default is --view=%s", cautils.ResourceViewType, cautils.ControlViewType, cautils.SecurityViewType, cautils.SecurityViewType))
 	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
 	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.HostSensorYamlPath, "host-scan-yaml", "", "Override default host scanner DaemonSet. Use this flag cautiously")
@@ -82,18 +90,16 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.EnableRegoPrint, "enable-rego-prints", "", false, "Enable sending to rego prints to the logs (use with debug log level: -l debug)")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")

-	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
 	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
-
-	scanCmd.PersistentFlags().MarkDeprecated("client-id", "Client ID is no longer supported. Feel free to contact the Kubescape maintainers for more information.")
 	scanCmd.PersistentFlags().MarkDeprecated("create-account", "Create account is no longer supported. In case of a missing Account ID and a configured backend server, a new account id will be generated automatically by Kubescape. Feel free to contact the Kubescape maintainers for more information.")
-	scanCmd.PersistentFlags().MarkDeprecated("secret-key", "Secret Key is no longer supported. Feel free to contact the Kubescape maintainers for more information.")

 	// hidden flags
 	scanCmd.PersistentFlags().MarkHidden("omit-raw-resources")
 	scanCmd.PersistentFlags().MarkHidden("print-attack-tree")
+	scanCmd.PersistentFlags().MarkHidden("format-version")

 	// Retrieve --kubeconfig flag from https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cmd.go
 	scanCmd.PersistentFlags().AddGoFlag(flag.Lookup("kubeconfig"))
@@ -111,8 +117,7 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
 	scanCmd.AddCommand(getWorkloadCmd(ks, &scanInfo))

-	isi := &imageScanInfo{}
-	scanCmd.AddCommand(getImageCmd(ks, &scanInfo, isi))
+	scanCmd.AddCommand(getImageCmd(ks, &scanInfo))

 	return scanCmd
 }
@@ -121,22 +126,20 @@ func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
 	if len(args) > 0 {
 		scanInfo.SetScanType(cautils.ScanTypeRepo)
 		scanInfo.InputPatterns = args
+		scanInfo.SetPolicyIdentifiers([]string{"workloadscan", "allcontrols"}, v1.KindFramework)
 	} else {
 		scanInfo.SetScanType(cautils.ScanTypeCluster)
+		scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
 	}
-	scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
 }

 func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
-
-	ctx := context.TODO()
-
-	results, err := ks.Scan(ctx, &scanInfo)
+	results, err := ks.Scan(&scanInfo)
 	if err != nil {
 		return err
 	}

-	if err = results.HandleResults(ctx); err != nil {
+	if err = results.HandleResults(ks.Context()); err != nil {
 		return err
 	}

--- a/cmd/scan/scan_test.go
+++ b/cmd/scan/scan_test.go
@@ -2,17 +2,18 @@ package scan

 import (
 	"context"
-
-	"github.com/kubescape/go-logger/helpers"
-
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-	"github.com/kubescape/opa-utils/reporthandling/apis"
-	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-
 	"os"
 	"reflect"
 	"testing"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
+	"github.com/stretchr/testify/assert"
 )

 func TestExceedsSeverity(t *testing.T) {
@@ -112,7 +113,7 @@ func TestExceedsSeverity(t *testing.T) {
 			ScanInfo:         &cautils.ScanInfo{FailThresholdSeverity: "unknown"},
 			SeverityCounters: &reportsummary.SeverityCounters{LowSeverityCounter: 1},
 			Want:             false,
-			Error:            ErrUnknownSeverity,
+			Error:            shared.ErrUnknownSeverity,
 		},
 	}

@@ -213,7 +214,7 @@ func (l *spyLogger) GetSpiedItems() []spyLogMessage {
 }

 func Test_terminateOnExceedingSeverity(t *testing.T) {
-	expectedMessage := "result exceeds severity threshold"
+	expectedMessage := "compliance result exceeds severity threshold"
 	expectedKey := "set severity threshold"

 	testCases := []struct {
@@ -302,15 +303,11 @@ func TestSetSecurityViewScanInfo(t *testing.T) {
 				PolicyIdentifier: []cautils.PolicyIdentifier{
 					{
 						Kind:       v1.KindFramework,
-						Identifier: "clusterscan",
+						Identifier: "workloadscan",
 					},
 					{
 						Kind:       v1.KindFramework,
-						Identifier: "mitre",
-					},
-					{
-						Kind:       v1.KindFramework,
-						Identifier: "nsa",
+						Identifier: "allcontrols",
 					},
 				},
 			},
@@ -361,3 +358,16 @@ func TestSetSecurityViewScanInfo(t *testing.T) {
 	}

 }
+
+func TestGetScanCommand(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+
+	cmd := GetScanCommand(mockKubescape)
+
+	// Verify the command name and short description
+	assert.Equal(t, "scan", cmd.Use)
+	assert.Equal(t, "Scan a Kubernetes cluster or YAML files for image vulnerabilities and misconfigurations", cmd.Short)
+	assert.Equal(t, "The action you want to perform", cmd.Long)
+	assert.Equal(t, scanCmdExamples, cmd.Example)
+}
--- a/cmd/scan/validators_test.go
+++ b/cmd/scan/validators_test.go
@@ -3,7 +3,8 @@ package scan
 import (
 	"testing"

-	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v3/cmd/shared"
+	"github.com/kubescape/kubescape/v3/core/cautils"
 )

 // Test_validateControlScanInfo tests how scan info is validated for the `scan control` command
@@ -26,7 +27,7 @@ func Test_validateControlScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			shared.ErrUnknownSeverity,
 		},
 	}

@@ -66,12 +67,12 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 		{
 			"Unknown severity should be invalid for scan info",
 			&cautils.ScanInfo{FailThresholdSeverity: "Unknown"},
-			ErrUnknownSeverity,
+			shared.ErrUnknownSeverity,
 		},
 		{
 			"Security view should be invalid for scan info",
 			&cautils.ScanInfo{View: string(cautils.SecurityViewType)},
-			ErrSecurityViewNotSupported,
+			nil,
 		},
 		{
 			"Empty view should be valid for scan info",
@@ -96,35 +97,6 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 	}
 }

-func Test_validateSeverity(t *testing.T) {
-	testCases := []struct {
-		Description string
-		Input       string
-		Want        error
-	}{
-		{"low should be a valid severity", "low", nil},
-		{"Low should be a valid severity", "Low", nil},
-		{"medium should be a valid severity", "medium", nil},
-		{"Medium should be a valid severity", "Medium", nil},
-		{"high should be a valid severity", "high", nil},
-		{"Critical should be a valid severity", "Critical", nil},
-		{"critical should be a valid severity", "critical", nil},
-		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.Description, func(t *testing.T) {
-			input := testCase.Input
-			want := testCase.Want
-			got := validateSeverity(input)
-
-			if got != want {
-				t.Errorf("got: %v, want: %v", got, want)
-			}
-		})
-	}
-}
-
 func Test_validateWorkloadIdentifier(t *testing.T) {
 	testCases := []struct {
 		Description string
--- a/cmd/scan/workload.go
+++ b/cmd/scan/workload.go
@@ -1,24 +1,20 @@
 package scan

 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"

-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
-	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
-
 	"github.com/spf13/cobra"
 )

 var (
 	workloadExample = fmt.Sprintf(`
-  This command is still in BETA. Feel free to contact the Kubescape maintainers for more information.
-
  Scan a workload for misconfigurations and image vulnerabilities.

  # Scan an workload
@@ -52,6 +48,7 @@ func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comma
 				return fmt.Errorf("usage: <kind>/<name> [`<glob pattern>`/`-`] [flags]")
 			}

+			// Looks strange, a bug maybe????
 			if scanInfo.ChartPath != "" && scanInfo.FilePath == "" {
 				return fmt.Errorf("usage: --chart-path <chart path> --file-path <file path>")
 			}
@@ -68,16 +65,17 @@ func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comma
 			setWorkloadScanInfo(scanInfo, kind, name)

 			// todo: add api version if provided
-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}

-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context()); err != nil {
 				logger.L().Fatal(err.Error())
 			}

+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+
 			return nil
 		},
 	}
--- a/cmd/scan/workload_test.go
+++ b/cmd/scan/workload_test.go
@@ -3,9 +3,12 @@ package scan
 import (
 	"testing"

-	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/mocks"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 )

 func TestSetWorkloadScanInfo(t *testing.T) {
@@ -67,3 +70,27 @@ func TestSetWorkloadScanInfo(t *testing.T) {
 		)
 	}
 }
+
+func TestGetWorkloadCmd_ChartPathAndFilePathEmpty(t *testing.T) {
+	// Create a mock Kubescape interface
+	mockKubescape := &mocks.MockIKubescape{}
+	scanInfo := cautils.ScanInfo{
+		ChartPath: "temp",
+		FilePath:  "",
+	}
+
+	cmd := getWorkloadCmd(mockKubescape, &scanInfo)
+
+	// Verify the command name and short description
+	assert.Equal(t, "workload <kind>/<name> [`<glob pattern>`/`-`] [flags]", cmd.Use)
+	assert.Equal(t, "Scan a workload for misconfigurations and image vulnerabilities", cmd.Short)
+	assert.Equal(t, workloadExample, cmd.Example)
+
+	err := cmd.Args(&cobra.Command{}, []string{})
+	expectedErrorMessage := "usage: <kind>/<name> [`<glob pattern>`/`-`] [flags]"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+
+	err = cmd.Args(&cobra.Command{}, []string{"nginx"})
+	expectedErrorMessage = "invalid workload identifier"
+	assert.Equal(t, expectedErrorMessage, err.Error())
+}
--- a/cmd/shared/image_scan.go
+++ b/cmd/shared/image_scan.go
@@ -0,0 +1,18 @@
+package shared
+
+import "github.com/kubescape/kubescape/v3/core/cautils"
+
+type ImageCredentials struct {
+	Username string
+	Password string
+}
+
+// ValidateImageScanInfo validates the ScanInfo struct for image scanning commands
+func ValidateImageScanInfo(scanInfo *cautils.ScanInfo) error {
+	severity := scanInfo.FailThresholdSeverity
+
+	if err := ValidateSeverity(severity); severity != "" && err != nil {
+		return err
+	}
+	return nil
+}
--- a/cmd/shared/image_scan_test.go
+++ b/cmd/shared/image_scan_test.go
@@ -0,0 +1,61 @@
+package shared
+
+import (
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/stretchr/testify/assert"
+)
+
+// Validate a scanInfo struct with a valid fail threshold severity
+func TestValidateImageScanInfo(t *testing.T) {
+	testCases := []struct {
+		Description string
+		ScanInfo    *cautils.ScanInfo
+		Want        error
+	}{
+		{
+			"Empty scanInfo is valid",
+			&cautils.ScanInfo{},
+			nil,
+		},
+		{
+			"Empty severity is valid",
+			&cautils.ScanInfo{FailThresholdSeverity: ""},
+			nil,
+		},
+		{
+			"High severity is valid",
+			&cautils.ScanInfo{FailThresholdSeverity: "High"},
+			nil,
+		},
+		{
+			"HIGH severity is valid",
+			&cautils.ScanInfo{FailThresholdSeverity: "HIGH"},
+			nil,
+		},
+		{
+			"high severity is valid",
+			&cautils.ScanInfo{FailThresholdSeverity: "high"},
+			nil,
+		},
+		{
+			"Unknown severity is invalid",
+			&cautils.ScanInfo{FailThresholdSeverity: "unknown"},
+			ErrUnknownSeverity,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				var want error = tc.Want
+
+				got := ValidateImageScanInfo(tc.ScanInfo)
+
+				assert.Equal(t, want, got)
+			},
+		)
+	}
+}
--- a/cmd/shared/scan.go
+++ b/cmd/shared/scan.go
@@ -0,0 +1,28 @@
+package shared
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+var ErrUnknownSeverity = fmt.Errorf("unknown severity. Supported severities are: %s", strings.Join(reporthandlingapis.GetSupportedSeverities(), ", "))
+
+// ValidateSeverity returns an error if a given severity is not known, nil otherwise
+func ValidateSeverity(severity string) error {
+	for _, val := range reporthandlingapis.GetSupportedSeverities() {
+		if strings.EqualFold(severity, val) {
+			return nil
+		}
+	}
+	return ErrUnknownSeverity
+
+}
+
+// TerminateOnExceedingSeverity terminates the program if the result exceeds the severity threshold
+func TerminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
+	l.Fatal("result exceeds severity threshold", helpers.String("Set severity threshold", scanInfo.FailThresholdSeverity))
+}
--- a/cmd/shared/scan_test.go
+++ b/cmd/shared/scan_test.go
@@ -0,0 +1,124 @@
+package shared
+
+import (
+	"context"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/opa-utils/reporthandling/apis"
+)
+
+type spyLogMessage struct {
+	Message string
+	Details map[string]string
+}
+
+type spyLogger struct {
+	setItems []spyLogMessage
+}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) SetLevel(level string) error                         { return nil }
+func (l *spyLogger) GetLevel() string                                    { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                {}
+func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                  { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+
+func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
+	firstDetail := details[0]
+	detailsMap := map[string]string{firstDetail.Key(): firstDetail.Value().(string)}
+
+	newMsg := spyLogMessage{msg, detailsMap}
+	l.setItems = append(l.setItems, newMsg)
+}
+
+func (l *spyLogger) GetSpiedItems() []spyLogMessage {
+	return l.setItems
+}
+
+func TestTerminateOnExceedingSeverity(t *testing.T) {
+	expectedMessage := "result exceeds severity threshold"
+	expectedKey := "Set severity threshold"
+
+	testCases := []struct {
+		Description     string
+		ExpectedMessage string
+		ExpectedKey     string
+		ExpectedValue   string
+		Logger          *spyLogger
+	}{
+		{
+			"Should log the Critical threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityCriticalString,
+			&spyLogger{},
+		},
+		{
+			"Should log the High threshold that was set in scan info",
+			expectedMessage,
+			expectedKey,
+			apis.SeverityHighString,
+			&spyLogger{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(
+			tc.Description,
+			func(t *testing.T) {
+				want := []spyLogMessage{
+					{tc.ExpectedMessage, map[string]string{tc.ExpectedKey: tc.ExpectedValue}},
+				}
+				scanInfo := &cautils.ScanInfo{FailThresholdSeverity: tc.ExpectedValue}
+
+				TerminateOnExceedingSeverity(scanInfo, tc.Logger)
+
+				got := tc.Logger.GetSpiedItems()
+				if !reflect.DeepEqual(got, want) {
+					t.Errorf("got: %v, want: %v", got, want)
+				}
+			},
+		)
+	}
+}
+
+func TestValidateSeverity(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       string
+		Want        error
+	}{
+		{"low should be a valid severity", "low", nil},
+		{"Low should be a valid severity", "Low", nil},
+		{"medium should be a valid severity", "medium", nil},
+		{"Medium should be a valid severity", "Medium", nil},
+		{"high should be a valid severity", "high", nil},
+		{"Critical should be a valid severity", "Critical", nil},
+		{"critical should be a valid severity", "critical", nil},
+		{"Unknown should be an invalid severity", "Unknown", ErrUnknownSeverity},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.Description, func(t *testing.T) {
+			input := testCase.Input
+			want := testCase.Want
+			got := ValidateSeverity(input)
+
+			if got != want {
+				t.Errorf("got: %v, want: %v", got, want)
+			}
+		})
+	}
+}
--- a/cmd/update/update.go
+++ b/cmd/update/update.go
@@ -6,15 +6,19 @@ package update

 import (
 	"fmt"
+	"strings"

-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/spf13/cobra"
 )

 const (
-	installationLink string = "https://github.com/kubescape/kubescape/blob/master/docs/installation.md"
+	installationLink string = "https://kubescape.io/docs/install-cli/"
 )

 var updateCmdExamples = fmt.Sprintf(`
@@ -22,19 +26,31 @@ var updateCmdExamples = fmt.Sprintf(`
  %[1]s update
 `, cautils.ExecName())

-func GetUpdateCmd() *cobra.Command {
+func GetUpdateCmd(ks meta.IKubescape) *cobra.Command {
 	updateCmd := &cobra.Command{
 		Use:     "update",
 		Short:   "Update to latest release version",
 		Long:    ``,
 		Example: updateCmdExamples,
 		RunE: func(_ *cobra.Command, args []string) error {
+			v := versioncheck.NewVersionCheckHandler()
+			versionCheckRequest := versioncheck.NewVersionCheckRequest("", versioncheck.BuildNumber, "", "", "update", nil)
+			if err := v.CheckLatestVersion(ks.Context(), versionCheckRequest); err != nil {
+				return err
+			}
+
 			//Checking the user's version of kubescape to the latest release
-			if cautils.BuildNumber == cautils.LatestReleaseVersion {
+			if versioncheck.BuildNumber == "" || strings.Contains(versioncheck.BuildNumber, "rc") {
+				//your version is unknown
+				fmt.Printf("Nothing to update: you are running the development version\n")
+			} else if versioncheck.LatestReleaseVersion == "" {
+				//Failed to check for updates
+				logger.L().Info("Failed to check for updates")
+			} else if versioncheck.BuildNumber == versioncheck.LatestReleaseVersion {
 				//your version == latest version
-				logger.L().Info(("Nothing to update, you are running the latest version"), helpers.String("Version", cautils.BuildNumber))
+				logger.L().Info("Nothing to update: you are running the latest version", helpers.String("Version", versioncheck.BuildNumber))
 			} else {
-				fmt.Printf("Please refer to our installation docs in the following link: %s\n", installationLink)
+				fmt.Printf("Version %s is available. Please refer to our installation documentation: %s\n", versioncheck.LatestReleaseVersion, installationLink)
 			}
 			return nil
 		},
--- a/cmd/vap/vap.go
+++ b/cmd/vap/vap.go
@@ -0,0 +1,235 @@
+package vap
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var vapHelperCmdExamples = fmt.Sprintf(`
+  vap command can be used for managing Validating Admission Policies in a Kubernetes cluster.
+  This is an experimental feature and it might change.
+
+  Examples:
+
+  # Install Kubescape CEL admission policy library
+  %[1]s vap deploy-library | kubectl apply -f -
+  # Create a policy binding
+  %[1]s vap create-policy-binding --name my-policy-binding --policy c-0016 --namespace=my-namespace | kubectl apply -f -
+`, cautils.ExecName())
+
+func GetVapHelperCmd() *cobra.Command {
+
+	vapHelperCmd := &cobra.Command{
+		Use:     "vap",
+		Short:   "Helper commands for managing Validating Admission Policies in a Kubernetes cluster",
+		Long:    ``,
+		Example: vapHelperCmdExamples,
+	}
+
+	// Create subcommands
+	vapHelperCmd.AddCommand(getDeployLibraryCmd())
+	vapHelperCmd.AddCommand(getCreatePolicyBindingCmd())
+
+	return vapHelperCmd
+}
+
+func getDeployLibraryCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "deploy-library",
+		Short: "Install Kubescape CEL admission policy library",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return deployLibrary()
+		},
+	}
+}
+
+func getCreatePolicyBindingCmd() *cobra.Command {
+	var policyBindingName string
+	var policyName string
+	var namespaceArr []string
+	var labelArr []string
+	var action string
+	var parameterReference string
+
+	createPolicyBindingCmd := &cobra.Command{
+		Use:   "create-policy-binding",
+		Short: "Create a policy binding",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Validate the inputs
+			if err := isValidK8sObjectName(policyBindingName); err != nil {
+				return fmt.Errorf("invalid policy binding name %s: %w", policyBindingName, err)
+			}
+			if err := isValidK8sObjectName(policyName); err != nil {
+				return fmt.Errorf("invalid policy name %s: %w", policyName, err)
+			}
+			for _, namespace := range namespaceArr {
+				if err := isValidK8sObjectName(namespace); err != nil {
+					return fmt.Errorf("invalid namespace %s: %w", namespace, err)
+				}
+			}
+			for _, label := range labelArr {
+				// Label selector must be in the format key=value
+				if !regexp.MustCompile(`^[a-zA-Z0-9]+=[a-zA-Z0-9]+$`).MatchString(label) {
+					return fmt.Errorf("invalid label selector: %s", label)
+				}
+			}
+			if action != "Deny" && action != "Audit" && action != "Warn" {
+				return fmt.Errorf("invalid action: %s", action)
+			}
+			if parameterReference != "" {
+				if err := isValidK8sObjectName(parameterReference); err != nil {
+					return fmt.Errorf("invalid parameter reference %s: %w", parameterReference, err)
+				}
+			}
+
+			return createPolicyBinding(policyBindingName, policyName, action, parameterReference, namespaceArr, labelArr)
+		},
+	}
+	// Must specify the name of the policy binding
+	createPolicyBindingCmd.Flags().StringVarP(&policyBindingName, "name", "n", "", "Name of the policy binding")
+	createPolicyBindingCmd.MarkFlagRequired("name")
+	createPolicyBindingCmd.Flags().StringVarP(&policyName, "policy", "p", "", "Name of the policy to bind the resources to")
+	createPolicyBindingCmd.MarkFlagRequired("policy")
+	createPolicyBindingCmd.Flags().StringSliceVar(&namespaceArr, "namespace", []string{}, "Resource namespace selector")
+	createPolicyBindingCmd.Flags().StringSliceVar(&labelArr, "label", []string{}, "Resource label selector")
+	createPolicyBindingCmd.Flags().StringVarP(&action, "action", "a", "Deny", "Action to take when policy fails")
+	createPolicyBindingCmd.Flags().StringVarP(&parameterReference, "parameter-reference", "r", "", "Parameter reference object name")
+
+	return createPolicyBindingCmd
+}
+
+// Implementation of the VAP helper commands
+// deploy-library
+func deployLibrary() error {
+	logger.L().Info("Downloading the Kubescape CEL admission policy library")
+	// Download the policy-configuration-definition.yaml from the latest release URL
+	policyConfigurationDefinitionURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml"
+	policyConfigurationDefinition, err := downloadFileToString(policyConfigurationDefinitionURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the basic-control-configuration.yaml from the latest release URL
+	basicControlConfigurationURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml"
+	basicControlConfiguration, err := downloadFileToString(basicControlConfigurationURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the kubescape-validating-admission-policies.yaml from the latest release URL
+	kubescapeValidatingAdmissionPoliciesURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml"
+	kubescapeValidatingAdmissionPolicies, err := downloadFileToString(kubescapeValidatingAdmissionPoliciesURL)
+	if err != nil {
+		return err
+	}
+
+	logger.L().Info("Successfully downloaded admission policy library")
+
+	// Print the downloaded files to the STDOUT for the user to apply connecting them to a single YAML with ---
+	fmt.Println(policyConfigurationDefinition)
+	fmt.Println("---")
+	fmt.Println(basicControlConfiguration)
+	fmt.Println("---")
+	fmt.Println(kubescapeValidatingAdmissionPolicies)
+
+	return nil
+}
+
+func downloadFileToString(url string) (string, error) {
+	// Send an HTTP GET request to the URL
+	response, err := http.Get(url) //nolint:gosec
+	if err != nil {
+		return "", err // Return an empty string and the error if the request fails
+	}
+	defer response.Body.Close()
+
+	// Check for a successful response (HTTP 200 OK)
+	if response.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download file: %s", response.Status)
+	}
+
+	// Read the response body
+	bodyBytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err // Return an empty string and the error if reading fails
+	}
+
+	// Convert the byte slice to a string
+	bodyString := string(bodyBytes)
+	return bodyString, nil
+}
+
+func isValidK8sObjectName(name string) error {
+	// Kubernetes object names must consist of lower case alphanumeric characters, '-' or '.',
+	// and must start and end with an alphanumeric character (e.g., 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
+	// Max length of 63 characters.
+	if len(name) > 63 {
+		return errors.New("name should be less than 63 characters")
+	}
+
+	regex := regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+	if !regex.MatchString(name) {
+		return errors.New("name should consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character")
+	}
+
+	return nil
+}
+
+// Create a policy binding
+func createPolicyBinding(bindingName string, policyName string, action string, paramRefName string, namespaceArr []string, labelMatch []string) error {
+	// Create a policy binding struct
+	policyBinding := &admissionv1.ValidatingAdmissionPolicyBinding{}
+	// Print the policy binding after marshalling it to YAML to the STDOUT
+	// The user can apply the output to the cluster
+	policyBinding.APIVersion = "admissionregistration.k8s.io/v1"
+	policyBinding.Name = bindingName
+	policyBinding.Kind = "ValidatingAdmissionPolicyBinding"
+	policyBinding.Spec.PolicyName = policyName
+	policyBinding.Spec.MatchResources = &admissionv1.MatchResources{}
+	if len(namespaceArr) > 0 {
+		policyBinding.Spec.MatchResources.NamespaceSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "kubernetes.io/metadata.name",
+					Operator: metav1.LabelSelectorOpIn,
+					Values:   namespaceArr,
+				},
+			},
+		}
+	}
+
+	if len(labelMatch) > 0 {
+		policyBinding.Spec.MatchResources.ObjectSelector = &metav1.LabelSelector{}
+		policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels = make(map[string]string)
+		for _, label := range labelMatch {
+			labelParts := regexp.MustCompile(`=`).Split(label, 2)
+			policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels[labelParts[0]] = labelParts[1]
+		}
+	}
+
+	policyBinding.Spec.ValidationActions = []admissionv1.ValidationAction{admissionv1.ValidationAction(action)}
+	if paramRefName != "" {
+		policyBinding.Spec.ParamRef = &admissionv1.ParamRef{
+			Name: paramRefName,
+		}
+	}
+	// Marshal the policy binding to YAML
+	out, err := yaml.Marshal(policyBinding)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(out))
+	return nil
+}
--- a/cmd/vap/vap_test.go
+++ b/cmd/vap/vap_test.go
@@ -0,0 +1,10 @@
+package vap
+
+import (
+	"testing"
+)
+
+func TestGetVapHelperCmd(t *testing.T) {
+	// Call the GetFixCmd function
+	_ = GetVapHelperCmd()
+}
--- a/cmd/version/git_native_disabled.go
+++ b/cmd/version/git_native_disabled.go
@@ -1,7 +0,0 @@
-//go:build !gitenabled
-
-package version
-
-func isGitEnabled() bool {
-	return false
-}
--- a/cmd/version/git_native_enabled.go
+++ b/cmd/version/git_native_enabled.go
@@ -1,7 +0,0 @@
-//go:build gitenabled
-
-package version
-
-func isGitEnabled() bool {
-	return true
-}
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -1,29 +1,30 @@
 package version

 import (
-	"context"
 	"fmt"
-	"os"

-	"github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/spf13/cobra"
 )

-func GetVersionCmd() *cobra.Command {
+func GetVersionCmd(ks meta.IKubescape) *cobra.Command {
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Get current version",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := context.TODO()
-			v := cautils.NewIVersionCheckHandler(ctx)
-			v.CheckLatestVersion(ctx, cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
-			fmt.Fprintf(os.Stdout,
+			v := versioncheck.NewIVersionCheckHandler(ks.Context())
+			versionCheckRequest := versioncheck.NewVersionCheckRequest("", versioncheck.BuildNumber, "", "", "version", nil)
+			if err := v.CheckLatestVersion(ks.Context(), versionCheckRequest); err != nil {
+				return err
+			}
+
+			fmt.Fprintf(cmd.OutOrStdout(),
 				"Your current version is: %s\n",
-				cautils.BuildNumber,
+				versionCheckRequest.ClientVersion,
 			)
-			logger.L().Debug(fmt.Sprintf("git enabled in build: %t", isGitEnabled()))
 			return nil
 		},
 	}
--- a/cmd/version/version_test.go
+++ b/cmd/version/version_test.go
@@ -0,0 +1,49 @@
+package version
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetVersionCmd(t *testing.T) {
+	tests := []struct {
+		name        string
+		buildNumber string
+		want        string
+	}{
+		{
+			name:        "Undefined Build Number",
+			buildNumber: "",
+			want:        "Your current version is: unknown\n",
+		},
+		{
+			name:        "Defined Build Number: v3.0.1",
+			buildNumber: "v3.0.1",
+			want:        "Your current version is: v3.0.1\n",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			versioncheck.BuildNumber = tt.buildNumber
+
+			ks := core.NewKubescape(context.TODO())
+			if cmd := GetVersionCmd(ks); cmd != nil {
+				buf := bytes.NewBufferString("")
+				cmd.SetOut(buf)
+				cmd.Execute()
+				out, err := io.ReadAll(buf)
+				if err != nil {
+					t.Fatal(err)
+				}
+				assert.Equal(t, tt.want, string(out))
+			}
+		})
+	}
+}
--- a/core/cautils/buildinfo.go
+++ b/core/cautils/buildinfo.go
@@ -0,0 +1,21 @@
+package cautils
+
+import (
+	"os"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+)
+
+var BuildNumber string
+var Client string
+
+func init() {
+	if BuildNumber != "" {
+		versioncheck.BuildNumber = BuildNumber
+	} else {
+		versioncheck.BuildNumber = os.Getenv("RELEASE")
+	}
+	if Client != "" {
+		versioncheck.Client = Client
+	}
+}
--- a/core/cautils/controllink_test.go
+++ b/core/cautils/controllink_test.go
@@ -0,0 +1,53 @@
+package cautils
+
+import (
+	"testing"
+)
+
+// Returns a valid URL when given a valid control ID.
+func TestGetControlLink_ValidControlID(t *testing.T) {
+	controlID := "cis-1.1.3"
+	expectedURL := "https://hub.armosec.io/docs/cis-1-1-3"
+
+	result := GetControlLink(controlID)
+
+	if result != expectedURL {
+		t.Errorf("Expected URL: %s, but got: %s", expectedURL, result)
+	}
+}
+
+// Replaces dots with hyphens in the control ID to generate the correct documentation link.
+func TestGetControlLink_DotsInControlID(t *testing.T) {
+	controlID := "cis.1.1.3"
+	expectedURL := "https://hub.armosec.io/docs/cis-1-1-3"
+
+	result := GetControlLink(controlID)
+
+	if result != expectedURL {
+		t.Errorf("Expected URL: %s, but got: %s", expectedURL, result)
+	}
+}
+
+// Returns a lowercase URL.
+func TestGetControlLink_LowercaseURL(t *testing.T) {
+	controlID := "CIS-1.1.3"
+	expectedURL := "https://hub.armosec.io/docs/cis-1-1-3"
+
+	result := GetControlLink(controlID)
+
+	if result != expectedURL {
+		t.Errorf("Expected URL: %s, but got: %s", expectedURL, result)
+	}
+}
+
+// Returns URL to armosec docs when given an empty control ID.
+func TestGetControlLink_EmptyControlID(t *testing.T) {
+	controlID := ""
+	expectedURL := "https://hub.armosec.io/docs/"
+
+	result := GetControlLink(controlID)
+
+	if result != expectedURL {
+		t.Errorf("Expected URL: %s, but got: %s", expectedURL, result)
+	}
+}
--- a/core/cautils/customerloader.go
+++ b/core/cautils/customerloader.go
@@ -7,33 +7,35 @@ import (
 	"path/filepath"
 	"regexp"

-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"github.com/google/uuid"
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
-	logger "github.com/kubescape/go-logger"
+	servicediscoveryv2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 const (
-	configFileName              string = "config"
-	kubescapeNamespace          string = "kubescape"
-	kubescapeConfigMapName      string = "kubescape-config"
-	kubescapeCloudConfigMapName string = "ks-cloud-config"
+	configFileName     string = "config"
+	kubescapeNamespace string = "kubescape"
+
+	kubescapeConfigMapName      string = "kubescape-config" // deprecated - for backward compatibility
+	kubescapeCloudConfigMapName string = "ks-cloud-config"  // deprecated - for backward compatibility
+
+	cloudConfigMapLabelSelector string = "kubescape.io/infra=config"
+	credsLabelSelectors         string = "kubescape.io/infra=credentials" //nolint:gosec

 	// env vars
-	defaultConfigMapNameEnvVar      string = "KS_DEFAULT_CONFIGMAP_NAME"
-	defaultCloudConfigMapNameEnvVar string = "KS_DEFAULT_CLOUD_CONFIGMAP_NAME"
 	defaultConfigMapNamespaceEnvVar string = "KS_DEFAULT_CONFIGMAP_NAMESPACE"
 	accountIdEnvVar                 string = "KS_ACCOUNT_ID"
+	accessKeyEnvVar                 string = "KS_ACCESS_KEY"
 	cloudApiUrlEnvVar               string = "KS_CLOUD_API_URL"
 	cloudReportUrlEnvVar            string = "KS_CLOUD_REPORT_URL"
-	storageEnabledEnvVar            string = "KS_STORAGE_ENABLED"
 )

 func ConfigFileFullPath() string { return getter.GetDefaultPath(configFileName + ".json") }
@@ -47,7 +49,7 @@ type ConfigObj struct {
 	ClusterName    string `json:"clusterName,omitempty"`
 	CloudReportURL string `json:"cloudReportURL,omitempty"`
 	CloudAPIURL    string `json:"cloudAPIURL,omitempty"`
-	StorageEnabled bool   `json:"storageEnabled,omitempty"`
+	AccessKey      string `json:"accessKey,omitempty"`
 }

 // Config - convert ConfigObj to config file
@@ -92,15 +94,15 @@ type ITenantConfig interface {
 	UpdateCachedConfig() error
 	DeleteCachedConfig(ctx context.Context) error
 	GenerateAccountID() (string, error)
-	DeleteAccountID() error
+	DeleteCredentials() error

 	// getters
 	GetContextName() string
 	GetAccountID() string
+	GetAccessKey() string
 	GetConfigObj() *ConfigObj
 	GetCloudReportURL() string
 	GetCloudAPIURL() string
-	IsStorageEnabled() bool
 }

 // ======================================================================================
@@ -114,7 +116,7 @@ type LocalConfig struct {
 	configObj *ConfigObj
 }

-func NewLocalConfig(accountID, clusterName string, customClusterName string) *LocalConfig {
+func NewLocalConfig(accountID, accessKey, clusterName, customClusterName string) *LocalConfig {
 	lc := &LocalConfig{
 		configObj: &ConfigObj{},
 	}
@@ -123,9 +125,8 @@ func NewLocalConfig(accountID, clusterName string, customClusterName string) *Lo
 		loadConfigFromFile(lc.configObj)
 	}

-	updateAccountID(lc.configObj, accountID)
+	updateCredentials(lc.configObj, accountID, accessKey)
 	updateCloudURLs(lc.configObj)
-	updateStorageEnabled(lc.configObj)

 	// If a custom cluster name is provided then set that name, else use the cluster's original name
 	if customClusterName != "" {
@@ -134,8 +135,7 @@ func NewLocalConfig(accountID, clusterName string, customClusterName string) *Lo
 		lc.configObj.ClusterName = AdoptClusterName(clusterName) // override config clusterName
 	}

-	updatedKsCloud := initializeCloudAPI(lc)
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
+	initializeCloudAPI(lc)

 	return lc
 }
@@ -145,7 +145,7 @@ func (lc *LocalConfig) GetAccountID() string      { return lc.configObj.AccountI
 func (lc *LocalConfig) GetContextName() string    { return lc.configObj.ClusterName }
 func (lc *LocalConfig) GetCloudReportURL() string { return lc.configObj.CloudReportURL }
 func (lc *LocalConfig) GetCloudAPIURL() string    { return lc.configObj.CloudAPIURL }
-func (lc *LocalConfig) IsStorageEnabled() bool    { return lc.configObj.StorageEnabled }
+func (lc *LocalConfig) GetAccessKey() string      { return lc.configObj.AccessKey }

 func (lc *LocalConfig) GenerateAccountID() (string, error) {
 	lc.configObj.AccountID = uuid.NewString()
@@ -153,7 +153,8 @@ func (lc *LocalConfig) GenerateAccountID() (string, error) {
 	return lc.configObj.AccountID, err
 }

-func (lc *LocalConfig) DeleteAccountID() error {
+func (lc *LocalConfig) DeleteCredentials() error {
+	lc.configObj.AccessKey = ""
 	lc.configObj.AccountID = ""
 	return lc.UpdateCachedConfig()
 }
@@ -189,20 +190,16 @@ KS_CACHE // path to cached files
 var _ ITenantConfig = &ClusterConfig{}

 type ClusterConfig struct {
-	k8s                  *k8sinterface.KubernetesApi
-	configObj            *ConfigObj
-	configMapNamespace   string
-	ksConfigMapName      string
-	ksCloudConfigMapName string
+	k8s                *k8sinterface.KubernetesApi
+	configObj          *ConfigObj
+	configMapNamespace string
 }

-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, clusterName string, customClusterName string) *ClusterConfig {
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, accessKey, clusterName, customClusterName string) *ClusterConfig {
 	c := &ClusterConfig{
-		k8s:                  k8s,
-		configObj:            &ConfigObj{},
-		ksConfigMapName:      getKubescapeConfigMapName(),
-		ksCloudConfigMapName: getKubescapeCloudConfigMapName(),
-		configMapNamespace:   GetConfigMapNamespace(),
+		k8s:                k8s,
+		configObj:          &ConfigObj{},
+		configMapNamespace: GetConfigMapNamespace(),
 	}

 	// first, load from file
@@ -210,19 +207,14 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, clusterName st
 		loadConfigFromFile(c.configObj)
 	}

-	// second, load from configMap
-	if c.existsConfigMap(c.ksConfigMapName) {
-		c.updateConfigEmptyFieldsFromKubescapeConfigMap()
-	}
+	// second, load urls from config map
+	c.updateConfigEmptyFieldsFromKubescapeConfigMap()

-	// third, load urls from cloudConfigMap
-	if c.existsConfigMap(c.ksCloudConfigMapName) {
-		c.updateConfigEmptyFieldsFromKubescapeCloudConfigMap()
-	}
+	// third, credentials from secret
+	c.updateConfigEmptyFieldsFromCredentialsSecret()

-	updateAccountID(c.configObj, accountID)
+	updateCredentials(c.configObj, accountID, accessKey)
 	updateCloudURLs(c.configObj)
-	updateStorageEnabled(c.configObj)

 	// If a custom cluster name is provided then set that name, else use the cluster's original name
 	if customClusterName != "" {
@@ -236,8 +228,7 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, clusterName st
 	} else { // override the cluster name if it has unwanted characters
 		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
 	}
-	updatedKsCloud := initializeCloudAPI(c)
-	logger.L().Debug("Kubescape Cloud URLs", helpers.String("api", updatedKsCloud.GetCloudAPIURL()), helpers.String("report", updatedKsCloud.GetCloudReportURL()))
+	initializeCloudAPI(c)
 	return c
 }

@@ -246,7 +237,7 @@ func (c *ClusterConfig) GetDefaultNS() string      { return c.configMapNamespace
 func (c *ClusterConfig) GetAccountID() string      { return c.configObj.AccountID }
 func (c *ClusterConfig) GetCloudReportURL() string { return c.configObj.CloudReportURL }
 func (c *ClusterConfig) GetCloudAPIURL() string    { return c.configObj.CloudAPIURL }
-func (c *ClusterConfig) IsStorageEnabled() bool    { return c.configObj.StorageEnabled }
+func (c *ClusterConfig) GetAccessKey() string      { return c.configObj.AccessKey }

 func (c *ClusterConfig) UpdateCachedConfig() error {
 	logger.L().Debug("updating cached config", helpers.Interface("configObj", c.configObj))
@@ -272,42 +263,84 @@ func (c *ClusterConfig) ToMapString() map[string]interface{} {
 }

 func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeConfigMap() error {
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksConfigMapName, metav1.GetOptions{})
+	configMaps, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).List(context.Background(), metav1.ListOptions{
+		LabelSelector: cloudConfigMapLabelSelector,
+	})
 	if err != nil {
 		return err
 	}
-
-	tempCO := ConfigObj{}
-	if jsonConf, ok := configMap.Data["config.json"]; ok {
-		if err = json.Unmarshal([]byte(jsonConf), &tempCO); err != nil {
-			return err
-		}
-		return c.configObj.updateEmptyFields(&tempCO)
+	var ksConfigMap *corev1.ConfigMap
+	var urlsConfigMap *corev1.ConfigMap
+	if len(configMaps.Items) == 0 {
+		// try to find configmaps by name (for backward compatibility)
+		ksConfigMap, _ = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), kubescapeConfigMapName, metav1.GetOptions{})
+		urlsConfigMap, _ = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), kubescapeCloudConfigMapName, metav1.GetOptions{})
+	} else {
+		// use the first configmap with the label
+		ksConfigMap = &configMaps.Items[0]
+		urlsConfigMap = &configMaps.Items[0]
 	}
+
+	if ksConfigMap != nil {
+		if jsonConf, ok := ksConfigMap.Data["clusterData"]; ok {
+			tempCO := ConfigObj{}
+			if err = json.Unmarshal([]byte(jsonConf), &tempCO); err != nil {
+				return err
+			}
+			c.configObj.updateEmptyFields(&tempCO)
+		}
+	}
+
+	if urlsConfigMap != nil {
+		if jsonConf, ok := urlsConfigMap.Data["services"]; ok {
+			services, err := servicediscovery.GetServices(
+				servicediscoveryv2.NewServiceDiscoveryStreamV2([]byte(jsonConf)),
+			)
+			if err != nil {
+				// try to parse as v1
+				services, err = servicediscovery.GetServices(
+					servicediscoveryv1.NewServiceDiscoveryStreamV1([]byte(jsonConf)),
+				)
+				if err != nil {
+					return err
+				}
+			}
+
+			if services.GetApiServerUrl() != "" {
+				c.configObj.CloudAPIURL = services.GetApiServerUrl()
+			}
+			if services.GetReportReceiverHttpUrl() != "" {
+				c.configObj.CloudReportURL = services.GetReportReceiverHttpUrl()
+			}
+		}
+	}
+
 	return err
 }

-func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeCloudConfigMap() error {
-	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), c.ksCloudConfigMapName, metav1.GetOptions{})
+func (c *ClusterConfig) updateConfigEmptyFieldsFromCredentialsSecret() error {
+	secrets, err := c.k8s.KubernetesClient.CoreV1().Secrets(c.configMapNamespace).List(context.Background(),
+		metav1.ListOptions{LabelSelector: credsLabelSelectors})
 	if err != nil {
 		return err
 	}

-	if jsonConf, ok := configMap.Data["services"]; ok {
-		services, err := servicediscovery.GetServices(
-			servicediscoveryv1.NewServiceDiscoveryStreamV1([]byte(jsonConf)),
-		)
-		if err != nil {
-			return err
-		}
+	if len(secrets.Items) == 0 {
+		return nil
+	}

-		if services.GetApiServerUrl() != "" {
-			c.configObj.CloudAPIURL = services.GetApiServerUrl()
-		}
-		if services.GetReportReceiverHttpUrl() != "" {
-			c.configObj.CloudReportURL = services.GetReportReceiverHttpUrl()
+	if jsonConf, ok := secrets.Items[0].Data["account"]; ok {
+		if account := string(jsonConf); account != "" {
+			c.configObj.AccountID = account
 		}
 	}
+
+	if jsonConf, ok := secrets.Items[0].Data["accessKey"]; ok {
+		if accessKey := string(jsonConf); accessKey != "" {
+			c.configObj.AccessKey = accessKey
+		}
+	}
+
 	return nil
 }

@@ -323,11 +356,6 @@ func loadConfigFromData(co *ConfigObj, data map[string]string) error {
 	return e
 }

-func (c *ClusterConfig) existsConfigMap(name string) bool {
-	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), name, metav1.GetOptions{})
-	return err == nil
-}
-
 func existsConfigFile() bool {
 	_, err := os.ReadFile(ConfigFileFullPath())
 	return err == nil
@@ -349,8 +377,9 @@ func (c *ClusterConfig) GenerateAccountID() (string, error) {
 	return c.configObj.AccountID, err
 }

-func (c *ClusterConfig) DeleteAccountID() error {
+func (c *ClusterConfig) DeleteCredentials() error {
 	c.configObj.AccountID = ""
+	c.configObj.AccessKey = ""
 	return c.UpdateCachedConfig()
 }

@@ -396,21 +425,6 @@ func AdoptClusterName(clusterName string) string {
 	return re.ReplaceAllString(clusterName, "-")
 }

-func getKubescapeConfigMapName() string {
-	if n := os.Getenv(defaultConfigMapNameEnvVar); n != "" {
-		return n
-	}
-	return kubescapeConfigMapName
-}
-
-func getKubescapeCloudConfigMapName() string {
-	if n := os.Getenv(defaultCloudConfigMapNameEnvVar); n != "" {
-		return n
-	}
-
-	return kubescapeCloudConfigMapName
-}
-
 // GetConfigMapNamespace returns the namespace of the cluster config, which is the same for all in-cluster components
 func GetConfigMapNamespace() string {
 	if n := os.Getenv(defaultConfigMapNamespaceEnvVar); n != "" {
@@ -419,7 +433,15 @@ func GetConfigMapNamespace() string {
 	return kubescapeNamespace
 }

-func updateAccountID(configObj *ConfigObj, accountID string) {
+func updateCredentials(configObj *ConfigObj, accountID, accessKey string) {
+	if accessKey != "" {
+		configObj.AccessKey = accessKey
+	}
+
+	if envAccessKey := os.Getenv(accessKeyEnvVar); envAccessKey != "" {
+		configObj.AccessKey = envAccessKey
+	}
+
 	if accountID != "" {
 		configObj.AccountID = accountID
 	}
@@ -429,10 +451,6 @@ func updateAccountID(configObj *ConfigObj, accountID string) {
 	}
 }

-func updateStorageEnabled(configObj *ConfigObj) {
-	configObj.StorageEnabled, _ = ParseBoolEnvVar(storageEnabledEnvVar, configObj.StorageEnabled)
-}
-
 func getCloudURLsFromEnv(cloudURLs *CloudURLs) {
 	// load from env
 	if cloudAPIURL := os.Getenv(cloudApiUrlEnvVar); cloudAPIURL != "" {
@@ -460,18 +478,52 @@ func updateCloudURLs(configObj *ConfigObj) {
 }

 func initializeCloudAPI(c ITenantConfig) *v1.KSCloudAPI {
-	logger.L().Debug("initializing KS Cloud API from config", helpers.String("accountID", c.GetAccountID()), helpers.String("cloudAPIURL", c.GetCloudAPIURL()), helpers.String("cloudReportURL", c.GetCloudReportURL()))
-	cloud, err := v1.NewKSCloudAPI(c.GetCloudAPIURL(), c.GetCloudReportURL(), c.GetAccountID())
-	if err != nil {
-		logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+	if ksCloud := getter.GetKSCloudAPIConnector(); ksCloud != nil {
+
+		if val := c.GetCloudAPIURL(); val != "" && val != ksCloud.GetCloudAPIURL() {
+			logger.L().Debug("updating KS Cloud API from config", helpers.String("old", ksCloud.GetCloudAPIURL()), helpers.String("new", val))
+			ksCloud.SetCloudAPIURL(val)
+		}
+		if val := c.GetCloudReportURL(); val != "" && val != ksCloud.GetCloudReportURL() {
+			logger.L().Debug("updating KS Cloud Report from config", helpers.String("old", ksCloud.GetCloudReportURL()), helpers.String("new", val))
+			ksCloud.SetCloudReportURL(val)
+		}
+		if val := c.GetAccountID(); val != "" && val != ksCloud.GetAccountID() {
+			logger.L().Debug("updating Account ID from config", helpers.String("old", ksCloud.GetAccountID()), helpers.String("new", val))
+			ksCloud.SetAccountID(val)
+		}
+		if val := c.GetAccessKey(); val != "" && val != ksCloud.GetAccessKey() {
+			logger.L().Debug("updating Access Key from config", helpers.Int("old (len)", len(ksCloud.GetAccessKey())), helpers.Int("new (len)", len(val)))
+			ksCloud.SetAccessKey(val)
+		}
+		getter.SetKSCloudAPIConnector(ksCloud)
+	} else {
+		logger.L().Debug("initializing KS Cloud API from config", helpers.String("accountID", c.GetAccountID()), helpers.String("cloudAPIURL", c.GetCloudAPIURL()), helpers.String("cloudReportURL", c.GetCloudReportURL()))
+		cloud, err := v1.NewKSCloudAPI(
+			c.GetCloudAPIURL(),
+			c.GetCloudReportURL(),
+			c.GetAccountID(),
+			c.GetAccessKey())
+		if err != nil {
+			logger.L().Fatal("failed to create KS Cloud client", helpers.Error(err))
+		}
+		getter.SetKSCloudAPIConnector(cloud)
 	}
-	getter.SetKSCloudAPIConnector(cloud)
+
 	return getter.GetKSCloudAPIConnector()
 }

-func GetTenantConfig(accountID, clusterName, customClusterName string, k8s *k8sinterface.KubernetesApi) ITenantConfig {
+func GetTenantConfig(accountID, accessKey, clusterName, customClusterName string, k8s *k8sinterface.KubernetesApi) ITenantConfig {
 	if !k8sinterface.IsConnectedToCluster() || k8s == nil {
-		return NewLocalConfig(accountID, clusterName, customClusterName)
+		return NewLocalConfig(accountID, accessKey, clusterName, customClusterName)
 	}
-	return NewClusterConfig(k8s, accountID, clusterName, customClusterName)
+	return NewClusterConfig(k8s, accountID, accessKey, clusterName, customClusterName)
+}
+
+// firstNonEmpty returns the first non-empty string
+func firstNonEmpty(s1, s2 string) string {
+	if s1 != "" {
+		return s1
+	}
+	return s2
 }
--- a/core/cautils/customerloader_test.go
+++ b/core/cautils/customerloader_test.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"testing"

-	"github.com/kubescape/kubescape/v2/core/cautils/getter"
+	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 )
--- a/core/cautils/datastructures.go
+++ b/core/cautils/datastructures.go
@@ -27,7 +27,7 @@ type ImageScanData struct {
 type ScanTypes string

 const (
-	TopWorkloadsNumber           = 5
+	TopWorkloadsNumber           = 3
 	ScanTypeCluster    ScanTypes = "cluster"
 	ScanTypeRepo       ScanTypes = "repo"
 	ScanTypeImage      ScanTypes = "image"
@@ -58,6 +58,8 @@ type OPASessionObj struct {
 	OmitRawResources      bool                               // omit raw resources from output
 	SingleResourceScan    workloadinterface.IWorkload        // single resource scan
 	TopWorkloadsByScore   []reporthandling.IResource
+	TemplateMapping       map[string]MappingNodes // Map chart obj to template (only for rendering from path)
+	TriggeredByCLI        bool
 }

 func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources K8SResources, scanInfo *ScanInfo) *OPASessionObj {
@@ -74,6 +76,8 @@ func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework
 		SessionID:             scanInfo.ScanID,
 		Metadata:              scanInfoToScanMetadata(ctx, scanInfo),
 		OmitRawResources:      scanInfo.OmitRawResources,
+		TriggeredByCLI:        scanInfo.TriggeredByCLI,
+		TemplateMapping:       make(map[string]MappingNodes),
 	}
 }

--- a/core/cautils/datastructuresmethods.go
+++ b/core/cautils/datastructuresmethods.go
@@ -1,12 +1,11 @@
 package cautils

 import (
-	"golang.org/x/mod/semver"
-
-	"github.com/armosec/utils-go/boolutils"
-	cloudsupport "github.com/kubescape/k8s-interface/cloudsupport/v1"
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"golang.org/x/mod/semver"
 )

 func NewPolicies() *Policies {
@@ -16,7 +15,7 @@ func NewPolicies() *Policies {
 	}
 }

-func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
+func (policies *Policies) Set(frameworks []reporthandling.Framework, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
 	for i := range frameworks {
 		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
 			continue
@@ -34,9 +33,12 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, version str
 					}
 				}

-				if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
-					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				if ShouldSkipRule(frameworks[i].Controls[j], frameworks[i].Controls[j].Rules[r], scanningScope) {
+					continue
 				}
+				// if isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
+				compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				// }
 			}
 			if len(compatibleRules) > 0 {
 				frameworks[i].Controls[j].Rules = compatibleRules
@@ -56,12 +58,16 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, version str
 	}
 }

-func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
-	if attributes == nil {
-		return false
+// ShouldSkipRule checks if the rule should be skipped
+// It checks the following:
+//  1. Rule is compatible with the current kubescape version
+//  2. Rule fits the current scanning scope
+func ShouldSkipRule(control reporthandling.Control, rule reporthandling.PolicyRule, scanningScope reporthandling.ScanningScopeType) bool {
+	if !isRuleKubescapeVersionCompatible(rule.Attributes, versioncheck.BuildNumber) {
+		return true
 	}
-	if s, ok := attributes["armoOpa"]; ok { // TODO - make global
-		return boolutils.StringToBool(s.(string))
+	if !isControlFitToScanScope(control, scanningScope) {
+		return true
 	}
 	return false
 }
@@ -71,49 +77,31 @@ func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
 // returns true only if rule doesn't have the "until" attribute
 func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
 	if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
-		if version != "" {
-			if semver.Compare(version, from.(string)) == -1 {
+		switch sfrom := from.(type) {
+		case string:
+			if version != "" && semver.Compare(version, sfrom) == -1 {
 				return false
 			}
-		}
-	}
-	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
-		if version == "" {
+		default:
+			// Handle case where useFromKubescapeVersion is not a string
 			return false
 		}
-		if semver.Compare(version, until.(string)) >= 0 {
+	}
+
+	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
+		switch suntil := until.(type) {
+		case string:
+			if version == "" || semver.Compare(version, suntil) >= 0 {
+				return false
+			}
+		default:
+			// Handle case where useUntilKubescapeVersion is not a string
 			return false
 		}
 	}
 	return true
 }

-func getCloudProvider(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
-	if cloudsupport.IsAKS() {
-		return reporthandling.ScopeCloudAKS
-	}
-	if cloudsupport.IsEKS() {
-		return reporthandling.ScopeCloudEKS
-	}
-	if cloudsupport.IsGKE() {
-		return reporthandling.ScopeCloudGKE
-	}
-	return ""
-}
-
-func GetScanningScope(scanInfo *ScanInfo) reporthandling.ScanningScopeType {
-
-	switch scanInfo.GetScanningContext() {
-	case ContextCluster:
-		if cloudProvider := getCloudProvider(scanInfo); cloudProvider != "" {
-			return cloudProvider
-		}
-		return reporthandling.ScopeCluster
-	default:
-		return reporthandling.ScopeFile
-	}
-}
-
 func isScanningScopeMatchToControlScope(scanScope reporthandling.ScanningScopeType, controlScope reporthandling.ScanningScopeType) bool {

 	switch controlScope {
@@ -165,3 +153,13 @@ func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatc
 	}
 	return false
 }
+
+func GetScanningScope(ContextMetadata reporthandlingv2.ContextMetadata) reporthandling.ScanningScopeType {
+	if ContextMetadata.ClusterContextMetadata != nil {
+		if ContextMetadata.ClusterContextMetadata.CloudMetadata != nil && ContextMetadata.ClusterContextMetadata.CloudMetadata.CloudProvider != "" {
+			return reporthandling.ScanningScopeType(ContextMetadata.ClusterContextMetadata.CloudMetadata.CloudProvider)
+		}
+		return reporthandling.ScopeCluster
+	}
+	return reporthandling.ScopeFile
+}
--- a/core/cautils/datastructuresmethods_test.go
+++ b/core/cautils/datastructuresmethods_test.go
@@ -9,99 +9,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-func TestIsControlFitToScanScope(t *testing.T) {
-	tests := []struct {
-		scanInfo     *ScanInfo
-		Control      reporthandling.Control
-		expected_res bool
-	}{
-		{
-			scanInfo: &ScanInfo{
-				InputPatterns: []string{
-					"./testdata/any_file_for_test.json",
-				},
-			},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeFile,
-					},
-				},
-			},
-			expected_res: true,
-		},
-		{
-			scanInfo: &ScanInfo{
-				InputPatterns: []string{
-					"./testdata/any_file_for_test.json",
-				},
-			},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeCluster,
-						reporthandling.ScopeFile,
-					},
-				},
-			},
-			expected_res: true,
-		},
-		{
-			scanInfo: &ScanInfo{},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeCluster,
-					},
-				},
-			},
-			expected_res: true,
-		},
-		{
-			scanInfo: &ScanInfo{
-				InputPatterns: []string{
-					"./testdata/any_file_for_test.json",
-				},
-			},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeCloudGKE,
-					},
-				},
-			},
-			expected_res: false,
-		},
-		{
-			scanInfo: &ScanInfo{},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeCloudEKS,
-					},
-				},
-			},
-			expected_res: false,
-		},
-		{
-			scanInfo: &ScanInfo{},
-			Control: reporthandling.Control{
-				ScanningScope: &reporthandling.ScanningScope{
-					Matches: []reporthandling.ScanningScopeType{
-						reporthandling.ScopeCloud,
-					},
-				},
-			},
-			expected_res: false,
-		}}
-	for i := range tests {
-		assert.Equal(t, tests[i].expected_res, isControlFitToScanScope(tests[i].Control, GetScanningScope(tests[i].scanInfo)), fmt.Sprintf("tests_true index %d", i))
-	}
-}
-
 func TestIsScanningScopeMatchToControlScope(t *testing.T) {
 	tests := []struct {
 		scanScope    reporthandling.ScanningScopeType
@@ -332,3 +239,59 @@ func TestIsFrameworkFitToScanScope(t *testing.T) {
 		})
 	}
 }
+
+var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
+var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
+var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
+var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
+var rule_invalid_from = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": 1.0135, "useUntilKubescapeVersion": "v1.0.135"}}}
+var rule_invalid_until = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.135", "useUntilKubescapeVersion": 1.0135}}}
+
+func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
+	// local build- no build number
+
+	// should not crash when the value of useUntilKubescapeVersion is not a string
+	buildNumberMock := "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_from.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_until.Attributes, buildNumberMock))
+	// should use only rules that don't have "until"
+	buildNumberMock = ""
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.130"
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.132"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.133"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+}
--- a/core/cautils/display.go
+++ b/core/cautils/display.go
@@ -4,11 +4,12 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"time"

 	spinnerpkg "github.com/briandowns/spinner"
 	"github.com/jwalton/gchalk"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
 	"github.com/schollz/progressbar/v3"
@@ -27,7 +28,7 @@ func FailureTextDisplay(w io.Writer, format string, a ...interface{}) {
 }

 func InfoDisplay(w io.Writer, format string, a ...interface{}) {
-	fmt.Fprintf(w, gchalk.WithCyan().Bold(format), a...)
+	fmt.Fprintf(w, gchalk.WithBrightWhite().Bold(format), a...)
 }

 func InfoTextDisplay(w io.Writer, format string, a ...interface{}) {
@@ -50,6 +51,20 @@ func BoldDisplay(w io.Writer, format string, a ...interface{}) {
 	fmt.Fprintf(w, gchalk.Bold(format), a...)
 }

+func LineDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithAnsi256(238).Bold(format), a...)
+}
+
+func SectionHeadingDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, "\n"+
+		gchalk.WithBrightWhite().Bold(format)+
+		gchalk.WithAnsi256(238).Bold(fmt.Sprintf("\n%s\n\n", strings.Repeat("─", len(format)))), a...)
+}
+
+func StarDisplay(w io.Writer, format string, a ...interface{}) {
+	fmt.Fprintf(w, gchalk.WithAnsi256(238).Bold("* ")+gchalk.White(format), a...)
+}
+
 var spinner *spinnerpkg.Spinner

 func StartSpinner() {
--- a/core/cautils/display_test.go
+++ b/core/cautils/display_test.go
@@ -1,9 +1,12 @@
 package cautils

 import (
+	"io"
+	"os"
 	"testing"

 	"github.com/kubescape/go-logger"
+	"github.com/stretchr/testify/assert"
 )

 func TestStartSpinner(t *testing.T) {
@@ -30,3 +33,422 @@ func TestStartSpinner(t *testing.T) {
 		})
 	}
 }
+
+func TestFailureDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			FailureDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestWarningDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			WarningDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestFailureTextDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			FailureTextDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestInfoDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			InfoDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestInfoTextDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			InfoTextDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestSimpleDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			SimpleDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestSuccessDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			SuccessDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestDescriptionDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			DescriptionDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestBoldDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			BoldDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestLineDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "Test",
+		},
+		{
+			text: "",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			LineDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestSectionHeadingDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test Section",
+			want: "\nTest Section\n────────────\n\n",
+		},
+		{
+			text: "",
+			want: "\n\n\n\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			SectionHeadingDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestStarDisplay(t *testing.T) {
+	tests := []struct {
+		text string
+		want string
+	}{
+		{
+			text: "Test",
+			want: "* Test",
+		},
+		{
+			text: "",
+			want: "* ",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.text, func(t *testing.T) {
+			// Redirect stdout to a buffer
+			rescueStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			StarDisplay(os.Stdout, tt.text)
+
+			w.Close()
+			got, _ := io.ReadAll(r)
+			os.Stdout = rescueStdout
+
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+// Returns a new instance of ProgressHandler with the given title.
+func TestNewProgressHandler_(t *testing.T) {
+	tests := []struct {
+		title string
+	}{
+		{
+			title: "Test title",
+		},
+		{
+			title: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.title, func(t *testing.T) {
+			progressHandler := NewProgressHandler(tt.title)
+			assert.NotNil(t, progressHandler)
+
+			assert.Equal(t, tt.title, progressHandler.title)
+		})
+	}
+}
--- a/core/cautils/fileutils.go
+++ b/core/cautils/fileutils.go
@@ -7,16 +7,14 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	"gopkg.in/yaml.v3"
 )

@@ -57,7 +55,6 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri
 				logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
-
 			chartName := chart.GetName()
 			for k, v := range wls {
 				sourceToWorkloads[k] = v
@@ -74,7 +71,7 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri
 // If the contents at given path is a Kustomize Directory, LoadResourcesFromKustomizeDirectory will
 // generate yaml files using "Kustomize" & renders a map of workloads from those yaml files
 func LoadResourcesFromKustomizeDirectory(ctx context.Context, basePath string) (map[string][]workloadinterface.IMetadata, string) {
-	isKustomizeDirectory := IsKustomizeDirectory(basePath)
+	isKustomizeDirectory := isKustomizeDirectory(basePath)
 	isKustomizeFile := IsKustomizeFile(basePath)
 	if ok := isKustomizeDirectory || isKustomizeFile; !ok {
 		return nil, ""
@@ -94,7 +91,7 @@ func LoadResourcesFromKustomizeDirectory(ctx context.Context, basePath string) (
 	}

 	wls, errs := kustomizeDirectory.GetWorkloads(newBasePath)
-	kustomizeDirectoryName := GetKustomizeDirectoryName(newBasePath)
+	kustomizeDirectoryName := getKustomizeDirectoryName(newBasePath)

 	if len(errs) > 0 {
 		logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering yaml from Kustomize failed: %v", errs))
@@ -137,7 +134,7 @@ func loadFiles(rootPath string, filePaths []string) (map[string][]workloadinterf
 			continue // empty file
 		}

-		w, e := ReadFile(f, GetFileFormat(filePaths[i]))
+		w, e := ReadFile(f, getFileFormat(filePaths[i]))
 		if e != nil {
 			logger.L().Debug("failed to read file", helpers.String("file", filePaths[i]), helpers.Error(e))
 		}
@@ -196,14 +193,14 @@ func listFilesOrDirectories(pattern string, onlyDirectories bool) ([]string, []e
 		pattern = filepath.Join(o, pattern)
 	}

-	if !onlyDirectories && IsFile(pattern) {
+	if !onlyDirectories && isFile(pattern) {
 		paths = append(paths, pattern)
 		return paths, errs
 	}

 	root, shouldMatch := filepath.Split(pattern)

-	if IsDir(pattern) {
+	if isDir(pattern) {
 		root = pattern
 		shouldMatch = "*"
 	}
@@ -324,7 +321,7 @@ func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
 		if info.IsDir() {
 			return nil
 		}
-		fileFormat := GetFileFormat(path)
+		fileFormat := getFileFormat(path)
 		if !(fileFormat == JSON_FILE_FORMAT || fileFormat == YAML_FILE_FORMAT) {
 			return nil
 		}
@@ -342,8 +339,8 @@ func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
 	return matches, nil
 }

-// IsFile checks if a given path is a file
-func IsFile(name string) bool {
+// isFile checks if a given path is a file
+func isFile(name string) bool {
 	if fi, err := os.Stat(name); err == nil {
 		if fi.Mode().IsRegular() {
 			return true
@@ -352,8 +349,8 @@ func IsFile(name string) bool {
 	return false
 }

-// IsDir checks if a given path is a directory
-func IsDir(name string) bool {
+// isDir checks if a given path is a directory
+func isDir(name string) bool {
 	if info, err := os.Stat(name); err == nil {
 		if info.IsDir() {
 			return true
@@ -362,7 +359,7 @@ func IsDir(name string) bool {
 	return false
 }

-func GetFileFormat(filePath string) FileFormat {
+func getFileFormat(filePath string) FileFormat {
 	if IsYaml(filePath) {
 		return YAML_FILE_FORMAT
 	} else if IsJson(filePath) {
--- a/core/cautils/fileutils_test.go
+++ b/core/cautils/fileutils_test.go
@@ -27,7 +27,7 @@ func TestListFiles(t *testing.T) {

 	files, errs := listFiles(filesPath)
 	assert.Equal(t, 0, len(errs))
-	assert.Equal(t, 12, len(files))
+	assert.Equal(t, 13, len(files))
 }

 func TestLoadResourcesFromFiles(t *testing.T) {
@@ -49,6 +49,7 @@ func TestLoadResourcesFromHelmCharts(t *testing.T) {
 	assert.Equal(t, 6, len(sourceToWorkloads))

 	for file, workloads := range sourceToWorkloads {
+
 		assert.Equalf(t, 1, len(workloads), "expected 1 workload in file %s", file)

 		w := workloads[0]
@@ -105,3 +106,110 @@ func getRelativePath(p string) string {
 	pp := strings.SplitAfter(p, "api=")
 	return pp[1]
 }
+
+// Converts a YAML object to a JSON object
+func TestConvertYamlToJson(t *testing.T) {
+	tests := []struct {
+		yamlObj map[interface{}]interface{}
+		jsonObj map[string]interface{}
+	}{
+		{
+			yamlObj: map[interface{}]interface{}{
+				"name": "John",
+				"age":  30,
+				"city": "New York",
+			},
+			jsonObj: map[string]interface{}{
+				"name": "John",
+				"age":  30,
+				"city": "New York",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run("", func(t *testing.T) {
+			assert.Equal(t, tt.jsonObj, convertYamlToJson(tt.yamlObj))
+		})
+	}
+}
+
+func TestIsYaml(t *testing.T) {
+	tests := []struct {
+		path string
+		want bool
+	}{
+		{
+			path: "temp.yaml",
+			want: true,
+		},
+		{
+			path: "temp.json",
+			want: false,
+		},
+		{
+			path: "random.txt",
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			assert.Equal(t, tt.want, IsYaml(tt.path))
+		})
+	}
+}
+
+func TestIsJson(t *testing.T) {
+	tests := []struct {
+		path string
+		want bool
+	}{
+		{
+			path: "temp.yaml",
+			want: false,
+		},
+		{
+			path: "temp.json",
+			want: true,
+		},
+		{
+			path: "random.txt",
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			assert.Equal(t, tt.want, IsJson(tt.path))
+		})
+	}
+
+}
+
+func TestGetFileFormat(t *testing.T) {
+	tests := []struct {
+		path string
+		want FileFormat
+	}{
+		{
+			path: "temp.yaml",
+			want: YAML_FILE_FORMAT,
+		},
+		{
+			path: "temp.json",
+			want: JSON_FILE_FORMAT,
+		},
+		{
+			path: "random.txt",
+			want: "random.txt",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			assert.Equal(t, tt.want, getFileFormat(tt.path))
+		})
+	}
+
+}
--- a/core/cautils/getter/downloadreleasedpolicy.go
+++ b/core/cautils/getter/downloadreleasedpolicy.go
@@ -5,11 +5,9 @@ import (
 	"strings"

 	"github.com/armosec/armoapi-go/armotypes"
-
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-
-	"github.com/kubescape/regolibrary/gitregostore"
+	"github.com/kubescape/regolibrary/v2/gitregostore"
 )

 // =======================================================================================================================
@@ -29,7 +27,7 @@ type DownloadReleasedPolicy struct {

 func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	return &DownloadReleasedPolicy{
-		gs: gitregostore.NewDefaultGitRegoStore(-1),
+		gs: gitregostore.NewGitRegoStoreV2(-1),
 	}
 }

--- a/core/cautils/getter/downloadreleasedpolicy_test.go
+++ b/core/cautils/getter/downloadreleasedpolicy_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"

 	jsoniter "github.com/json-iterator/go"
-	"github.com/kubescape/kubescape/v2/internal/testutils"
+	"github.com/kubescape/kubescape/v3/internal/testutils"
 	"github.com/stretchr/testify/require"
 )

--- a/core/cautils/getter/getpoliciesutils.go
+++ b/core/cautils/getter/getpoliciesutils.go
@@ -1,7 +1,6 @@
 package getter

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -86,26 +85,6 @@ func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]stri
 	return respStr, nil
 }

-// HttpPost provides a low-level capability to send a HTTP POST request and serialize the response as a string.
-//
-// Deprecated: use methods of the KSCloudAPI client instead.
-func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
-	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
-	if err != nil {
-		return "", err
-	}
-	setHeaders(req, headers)
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	respStr, err := httpRespToString(resp)
-	if err != nil {
-		return "", err
-	}
-	return respStr, nil
-}
-
 func setHeaders(req *http.Request, headers map[string]string) {
 	if len(headers) >= 0 { // might be nil
 		for k, v := range headers {
--- a/core/cautils/getter/getpoliciesutils_test.go
+++ b/core/cautils/getter/getpoliciesutils_test.go
@@ -1,12 +1,15 @@
 package getter

 import (
+	"io/ioutil"
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"

 	beClient "github.com/kubescape/backend/pkg/client/v1"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -82,17 +85,51 @@ func TestHttpMethods(t *testing.T) {
 		require.EqualValues(t, "body-get", resp)
 	})

-	t.Run("HttpPost should POST", func(t *testing.T) {
-		body := []byte("body-post")
-
-		resp, err := HttpPost(client, srv.URL(pathTestPost), hdrs, body)
-		require.NoError(t, err)
-		require.EqualValues(t, string(body), resp)
-	})
-
 	t.Run("HttpDelete should DELETE", func(t *testing.T) {
 		resp, err := HttpDelete(client, srv.URL(pathTestDelete), hdrs)
 		require.NoError(t, err)
 		require.EqualValues(t, "body-delete", resp)
 	})
 }
+
+// Returns an empty string and nil error when given a nil response or nil response body.
+func TestHttpRespToString_NilResponse(t *testing.T) {
+	resp := &http.Response{}
+	result, err := httpRespToString(resp)
+	assert.Equal(t, "", result)
+	assert.Nil(t, err)
+}
+
+func TestHttpRespToString_ValidResponse(t *testing.T) {
+	resp := &http.Response{
+		Body:       ioutil.NopCloser(strings.NewReader("test response")),
+		Status:     "200 OK",
+		StatusCode: 200,
+	}
+	result, err := httpRespToString(resp)
+	assert.Equal(t, "test response", result)
+	assert.Nil(t, err)
+}
+
+// Returns an error with status and reason when unable to read response body.
+func TestHttpRespToString_ReadError(t *testing.T) {
+	resp := &http.Response{
+		Body: ioutil.NopCloser(strings.NewReader("test response")),
+	}
+	resp.Body.Close()
+	result, err := httpRespToString(resp)
+	assert.EqualError(t, err, "http-error: '', reason: 'test response'")
+	assert.Equal(t, "test response", result)
+}
+
+// Returns an error with status and reason when unable to read response body.
+func TestHttpRespToString_ErrorCodeLessThan200(t *testing.T) {
+	resp := &http.Response{
+		Body:       ioutil.NopCloser(strings.NewReader("test response")),
+		StatusCode: 100,
+	}
+	resp.Body.Close()
+	result, err := httpRespToString(resp)
+	assert.EqualError(t, err, "http-error: '', reason: 'test response'")
+	assert.Equal(t, "test response", result)
+}
--- a/core/cautils/getter/json.go
+++ b/core/cautils/getter/json.go
@@ -1,9 +1,6 @@
 package getter

 import (
-	"io"
-	"strings"
-
 	jsoniter "github.com/json-iterator/go"
 )

@@ -14,25 +11,3 @@ func init() {
 	// For finer-grained config, see: https://pkg.go.dev/github.com/json-iterator/go#section-readme
 	json = jsoniter.ConfigFastest
 }
-
-// JSONDecoder provides a low-level utility that returns a JSON decoder for given string.
-//
-// Deprecated: use higher level methods from the KSCloudAPI client instead.
-func JSONDecoder(origin string) *jsoniter.Decoder {
-	dec := jsoniter.NewDecoder(strings.NewReader(origin))
-	dec.UseNumber()
-
-	return dec
-}
-
-func decode[T any](rdr io.Reader) (T, error) {
-	var receiver T
-	dec := newDecoder(rdr)
-	err := dec.Decode(&receiver)
-
-	return receiver, err
-}
-
-func newDecoder(rdr io.Reader) *jsoniter.Decoder {
-	return json.NewDecoder(rdr)
-}
--- a/core/cautils/getter/json_test.go
+++ b/core/cautils/getter/json_test.go
@@ -1,32 +0,0 @@
-package getter
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestJSONDecoder(t *testing.T) {
-	t.Run("should decode json string", func(t *testing.T) {
-		const input = `"xyz"`
-		d := JSONDecoder(input)
-		var receiver string
-		require.NoError(t, d.Decode(&receiver))
-		require.Equal(t, "xyz", receiver)
-	})
-
-	t.Run("should decode json number", func(t *testing.T) {
-		const input = `123.01`
-		d := JSONDecoder(input)
-		var receiver float64
-		require.NoError(t, d.Decode(&receiver))
-		require.Equal(t, 123.01, receiver)
-	})
-
-	t.Run("requires json quotes", func(t *testing.T) {
-		const input = `xyz`
-		d := JSONDecoder(input)
-		var receiver string
-		require.Error(t, d.Decode(&receiver))
-	})
-}
--- a/Show More
+++ b/Show More