Merge pull request #1941 from kubescape/semver

fix isRuleKubescapeVersionCompatible bug with version 4.0.0

.github/workflows/00-pr-scanner.yaml

@@ -1,69 +1,243 @@
 name: 00-pr_scanner
 permissions: read-all
 on:
-  pull_request:
-    types: [opened, reopened, synchronize, ready_for_review]
-    paths-ignore:
-      - '**.yaml'
-      - '**.yml'
-      - '**.md'
-      - '**.sh'
-      - 'website/*'
-      - 'examples/*'
-      - 'docs/*'
-      - 'build/*'
-      - '.github/*'
+    workflow_dispatch: {}
+    pull_request:
+        types: [opened, reopened, synchronize, ready_for_review]
+        paths-ignore:
+            - "**.yaml"
+            - "**.yml"
+            - "**.md"
+            - "**.sh"
+            - "website/*"
+            - "examples/*"
+            - "docs/*"
+            - "build/*"
+            - ".github/*"
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
 
 jobs:
-  pr-scanner:
-    permissions:
-      actions: read
-      checks: read
-      contents: read
-      deployments: read
-      id-token: write
-      issues: read
-      discussions: read
-      packages: read
-      pages: read
-      pull-requests: write
-      repository-projects: read
-      security-events: read
-      statuses: read
-    uses: ./.github/workflows/a-pr-scanner.yaml
-    with:
-      RELEASE: ""
-      CLIENT: test
-    secrets: inherit
+    pr-scanner:
+        permissions:
+            actions: read
+            artifact-metadata: read
+            attestations: read
+            checks: read
+            contents: write
+            deployments: read
+            discussions: read
+            id-token: write
+            issues: read
+            models: read
+            packages: read
+            pages: read
+            pull-requests: write
+            repository-projects: read
+            security-events: read
+            statuses: read
+        uses: ./.github/workflows/a-pr-scanner.yaml
+        with:
+            RELEASE: ""
+            CLIENT: test
+            CGO_ENABLED: 0
+            GO111MODULE: ""
+        secrets: inherit
 
-  binary-build:
-    if: ${{ github.repository_owner == 'kubescape' }}
-    permissions:
-      actions: read
-      checks: read
-      contents: read
-      deployments: read
-      discussions: read
-      id-token: write
-      issues: read
-      packages: write
-      pages: read
-      pull-requests: read
-      repository-projects: read
-      security-events: read
-      statuses: read
-    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
-    with:
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
-      GO111MODULE: ""
-      GO_VERSION: "1.21"
-      RELEASE: "latest"
-      CLIENT: test
-      ARCH_MATRIX: '[ "" ]'
-      OS_MATRIX: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
-    secrets: inherit
+    wf-preparation:
+        name: secret-validator
+        runs-on: ubuntu-latest
+        outputs:
+            is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+
+        steps:
+            - name: check if the necessary secrets are set in github secrets
+              id: check-secret-set
+              env:
+                  CUSTOMER: ${{ secrets.CUSTOMER }}
+                  USERNAME: ${{ secrets.USERNAME }}
+                  PASSWORD: ${{ secrets.PASSWORD }}
+                  CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+                  SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+                  REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+                  REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+              run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && env.USERNAME != '' && env.PASSWORD != '' && env.CLIENT_ID != '' && env.SECRET_KEY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}\" >> $GITHUB_OUTPUT\n"
+
+
+    run-system-tests:
+        needs: [wf-preparation, pr-scanner]
+        if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
+        runs-on: ubuntu-latest
+        permissions:
+            actions: read
+            contents: read
+            pull-requests: write
+        steps:
+            - name: Set dispatch info
+              id: dispatch-info
+              run: |
+                  # Correlation ID WITHOUT attempt - so re-runs can find the original run
+                  CORRELATION_ID="${GITHUB_REPOSITORY##*/}-${{ github.run_id }}"
+                  echo "correlation_id=${CORRELATION_ID}" >> "$GITHUB_OUTPUT"
+                  echo "Correlation ID: ${CORRELATION_ID}, Attempt: ${{ github.run_attempt }}"
+
+            - name: Generate GitHub App token
+              id: app-token
+              uses: actions/create-github-app-token@v1
+              with:
+                  app-id: ${{ secrets.E2E_DISPATCH_APP_ID }}
+                  private-key: ${{ secrets.E2E_DISPATCH_APP_PRIVATE_KEY }}
+                  owner: armosec
+                  repositories: shared-workflows
+
+            - name: Dispatch system tests to private repo
+              if: ${{ github.run_attempt == 1 }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  CORRELATION_ID: ${{ steps.dispatch-info.outputs.correlation_id }}
+                  KS_BRANCH: ${{ github.head_ref || github.ref_name }}
+              run: |
+                  echo "Dispatching E2E tests with correlation_id: ${CORRELATION_ID}"
+                  echo "Using test group: KUBESCAPE_CLI_E2E"
+
+                  gh api "repos/armosec/shared-workflows/dispatches" \
+                    -f event_type="e2e-test-trigger" \
+                    -f "client_payload[correlation_id]=${CORRELATION_ID}" \
+                    -f "client_payload[github_repository]=${GITHUB_REPOSITORY}" \
+                    -f "client_payload[environment]=production" \
+                    -f "client_payload[tests_groups]=KUBESCAPE_CLI_E2E" \
+                    -f "client_payload[systests_branch]=master" \
+                    -f "client_payload[ks_branch]=${KS_BRANCH}"
+
+                  echo "Dispatch completed"
+
+            - name: Find E2E workflow run
+              id: find-run
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  CORRELATION_ID: ${{ steps.dispatch-info.outputs.correlation_id }}
+              run: |
+                  for i in {1..15}; do
+                    run_id=$(gh api "repos/armosec/shared-workflows/actions/runs?event=repository_dispatch&per_page=30" \
+                      --jq '.workflow_runs | map(select(.name | contains("'"$CORRELATION_ID"'"))) | first | .id // empty')
+
+                    if [ -n "$run_id" ]; then
+                      echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
+                      gh api "repos/armosec/shared-workflows/actions/runs/${run_id}" --jq '"url=" + .html_url' >> "$GITHUB_OUTPUT"
+                      exit 0
+                    fi
+                    echo "Attempt $i: waiting for run..."
+                    sleep $((i < 5 ? 10 : 30))
+                  done
+                  echo "::error::Could not find workflow run"
+                  exit 1
+
+            - name: Re-run failed jobs in private repo
+              id: rerun
+              if: ${{ github.run_attempt > 1 }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  RUN_ID: ${{ steps.find-run.outputs.run_id }}
+              run: |
+                  conclusion=$(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" --jq '.conclusion')
+                  echo "Previous conclusion: $conclusion"
+
+                  if [ "$conclusion" = "success" ]; then
+                    echo "Previous run passed. Nothing to re-run."
+                    echo "skip=true" >> "$GITHUB_OUTPUT"
+                    exit 0
+                  fi
+
+                  # Full rerun if cancelled, partial if failed
+                  if [ "$conclusion" = "cancelled" ]; then
+                    echo "Run was cancelled - triggering full re-run"
+                    gh api --method POST "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/rerun"
+                  else
+                    echo "Re-running failed jobs only"
+                    gh api --method POST "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/rerun-failed-jobs"
+                  fi
+
+                  # Wait for status to flip from 'completed'
+                  for i in {1..30}; do
+                    [ "$(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" --jq '.status')" != "completed" ] && break
+                    sleep 2
+                  done
+
+            - name: Wait for E2E tests to complete
+              if: ${{ steps.rerun.outputs.skip != 'true' }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  RUN_ID: ${{ steps.find-run.outputs.run_id }}
+                  URL: ${{ steps.find-run.outputs.url }}
+              run: |
+                  echo "Monitoring: ${URL}"
+
+                  for i in {1..60}; do  # 60 iterations × 60s = 1 hour max
+                    read status conclusion < <(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" \
+                      --jq '[.status, .conclusion // "null"] | @tsv')
+
+                    echo "Status: ${status} | Conclusion: ${conclusion}"
+
+                    if [ "$status" = "completed" ]; then
+                      if [ "$conclusion" = "success" ]; then
+                        echo "E2E tests passed!"
+                        exit 0
+                      fi
+
+                      echo "::error::E2E tests failed: ${conclusion}"
+                      echo ""
+
+                      # Get failed job IDs to a file first
+                      gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/jobs" \
+                        --jq '.jobs[] | select(.conclusion == "failure") | [.id, .name, (.steps[] | select(.conclusion == "failure") | .name)] | @tsv' > /tmp/failed_jobs.txt
+
+                      # Process each failed job
+                      while IFS=$'\t' read -r job_id job_name step_name; do
+                        # Extract test name: "run-helm-e2e / ST (relevancy_python)" → "relevancy_python"
+                        test_name=$(echo "$job_name" | sed 's/.*(\(.*\))/\1/')
+
+                        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+                        echo "${job_name}"
+                        echo "   Step: ${step_name}"
+                        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+                        # Fetch logs to temp file
+                        gh api "repos/armosec/shared-workflows/actions/jobs/${job_id}/logs" 2>/dev/null > /tmp/job_logs.txt
+
+                        # Show summary in console
+                        grep -E "(ERROR|FAILURE)" /tmp/job_logs.txt | tail -10
+                        echo ""
+
+                        # Save to separate file per test
+                        log_file="failed_${test_name}.txt"
+                        echo "════════════════════════════════════════" > "$log_file"
+                        echo "${job_name}" >> "$log_file"
+                        echo "   Step: ${step_name}" >> "$log_file"
+                        echo "════════════════════════════════════════" >> "$log_file"
+                        last_endgroup=$(grep -n "##\\[endgroup\\]" /tmp/job_logs.txt | tail -1 | cut -d: -f1)
+                        if [ -n "$last_endgroup" ]; then
+                          tail -n +$((last_endgroup + 1)) /tmp/job_logs.txt >> "$log_file"
+                        else
+                          tail -500 /tmp/job_logs.txt >> "$log_file"
+                        fi
+                      done < /tmp/failed_jobs.txt
+
+                      echo "View full logs: ${URL}"
+                      exit 1
+                    fi
+
+                    sleep 60
+                  done
+
+                  echo "::error::Timeout waiting for tests"
+                  exit 1
+
+            - name: Upload failed step logs
+              if: failure()
+              uses: actions/upload-artifact@v4
+              with:
+                  name: failed-e2e-logs-attempt-${{ github.run_attempt }}
+                  path: failed_*.txt
+                  retention-days: 7

.github/workflows/02-release.yaml

@@ -3,44 +3,16 @@ permissions: read-all
 on:
   push:
     tags:
-      - 'v*.*.*-rc.*'
+      - "v[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+    inputs:
+      skip_publish:
+        description: "Skip publishing artifacts"
+        required: false
+        default: true
+        type: boolean
 jobs:
-  retag:
-    outputs:
-      NEW_TAG: ${{ steps.tag-calculator.outputs.NEW_TAG }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-      - id: tag-calculator
-        uses: ./.github/actions/tag-action
-        with:
-          SUB_STRING: "-rc"
-  binary-build:
-    permissions:
-      actions: read
-      checks: read
-      contents: read
-      deployments: read
-      discussions: read
-      id-token: write
-      issues: read
-      packages: write
-      pages: read
-      pull-requests: read
-      repository-projects: read
-      security-events: read
-      statuses: read
-    needs: [retag]
-    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
-    with:
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
-      GO111MODULE: ""
-      GO_VERSION: "1.21"
-      RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
-      CLIENT: release
-    secrets: inherit
-  create-release:
+  release:
     permissions:
       actions: read
       checks: read
@@ -49,40 +21,105 @@ jobs:
       discussions: read
       id-token: write
       issues: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
-      statuses: read
-      security-events: read
-    needs: [retag, binary-build]
-    uses: ./.github/workflows/c-create-release.yaml
-    with:
-      RELEASE_NAME: "Release ${{ needs.retag.outputs.NEW_TAG }}"
-      TAG: ${{ needs.retag.outputs.NEW_TAG }}
-      DRAFT: false
-    secrets: inherit
-  publish-image:
-    permissions:
-      actions: read
-      checks: read
-      contents: read
-      deployments: read
-      discussions: read
-      id-token: write
-      issues: read
+      models: read
       packages: write
       pages: read
       pull-requests: read
       repository-projects: read
-      security-events: read
       statuses: read
-    uses: ./.github/workflows/d-publish-image.yaml
-    needs: [create-release, retag]
-    with:
-      client: "image-release"
-      image_name: "quay.io/${{ github.repository_owner }}/kubescape-cli"
-      image_tag: ${{ needs.retag.outputs.NEW_TAG }}
-      support_platforms: true
-      cosign: true
-    secrets: inherit
+      security-events: read
+      attestations: read
+      artifact-metadata: read
+    runs-on: ubuntu-large
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Install system dependencies for system-tests
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            libpq5 \
+            libpq-dev \
+            gcc \
+            python3-dev
+          sudo rm -rf /var/lib/apt/lists/*
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Create Cosign Key
+        run: echo "${{ secrets.COSIGN_PRIVATE_KEY_V1 }}" > cosign.key
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+
+      - uses: anchore/sbom-action/download-syft@v0
+        name: Setup Syft
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.10.0
+        with:
+          cluster_name: kubescape-e2e
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean ${{ inputs.skip_publish == true && '--skip=publish' || '' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
+          RELEASE: ${{ github.ref_name }}
+          CLIENT: release
+          RUN_E2E: "true"
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Update new version in krew-index
+        if: github.event_name != 'workflow_dispatch' || inputs.skip_publish != true
+        uses: rajatjindal/krew-release-bot@v0.0.47
+        with:
+          krew_template_file: .krew.yaml
+
+      - name: List collected system-test results (debug)
+        if: always()
+        run: |
+          echo "Listing test-results/system-tests (if any):"
+          ls -laR test-results/system-tests || true
+
+      - name: System Tests Report
+        uses: mikepenz/action-junit-report@v5
+        if: always()
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          report_paths: "test-results/system-tests/**/results_xml_format/**.xml"
+          annotate_only: true
+          job_summary: true

.github/workflows/03-post-release.yaml

@@ -1,42 +0,0 @@
-name: 03-post_release
-permissions: read-all
-on:
-  release:
-    types: [published]
-    branches:
-      - 'master'
-      - 'main'
-jobs:
-  post_release:
-    name: Post release jobs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Digest
-        uses: MCJack123/ghaction-generate-release-hashes@c03f3111b39432dde3edebe401c5a8d1ffbbf917 # ratchet:MCJack123/ghaction-generate-release-hashes@v1
-        with:
-          hash-type: sha1
-          file-name: kubescape-release-digests
-      - name: Invoke workflow to update packaging
-        uses: benc-uk/workflow-dispatch@v1
-        if: github.repository_owner == 'kubescape'
-        with:
-          workflow: release.yml
-          repo: kubescape/packaging
-          ref: refs/heads/main
-          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-      - name: Invoke workflow to update homebrew tap
-        uses: benc-uk/workflow-dispatch@v1
-        if: github.repository_owner == 'kubescape'
-        with:
-          workflow: release.yml
-          repo: kubescape/homebrew-tap
-          ref: refs/heads/main
-          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-      - name: Invoke workflow to update github action
-        uses: benc-uk/workflow-dispatch@v1
-        if: github.repository_owner == 'kubescape'
-        with:
-          workflow: release.yaml
-          repo: kubescape/github-action
-          ref: refs/heads/main
-          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/04-publish-krew-plugin.yaml

@@ -1,17 +0,0 @@
-name: 04-publish_krew_plugin
-permissions: read-all
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
-jobs:
-  publish_krew_plugin:
-    name: Publish Krew plugin
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'kubescape'
-    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Update new version in krew-index
-        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # ratchet:rajatjindal/krew-release-bot@v0.0.43

.github/workflows/a-pr-scanner.yaml

@@ -15,76 +15,62 @@ on:
         required: false
         type: string
         default: "./..."
+      GO111MODULE:
+        required: true
+        type: string
+      CGO_ENABLED:
+        type: number
+        default: 1
 jobs:
-  scanners:
+  unit-tests:
+    if: ${{ github.actor != 'kubescape' }}
+    name: Create cross-platform build
     env:
-      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-    name: PR Scanner
-    runs-on: ubuntu-latest
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-large
     steps:
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           submodules: recursive
+
       - uses: actions/setup-go@v4
         name: Installing go
         with:
-          go-version: '1.21'
-          cache: true
-      - name: Scanning - Forbidden Licenses (go-licenses)
-        id: licenses-scan
-        continue-on-error: true
-        run: |
-          echo "## Installing go-licenses tool"
-          go install github.com/google/go-licenses@latest
-          echo "## Scanning for forbiden licenses ##"
-          go-licenses check .
-      - name: Scanning - Credentials (GitGuardian)
-        if: ${{ env.GITGUARDIAN_API_KEY }}
-        continue-on-error: true
-        id: credentials-scan
-        uses: GitGuardian/ggshield-action@4ab2994172fadab959240525e6b833d9ae3aca61 # ratchet:GitGuardian/ggshield-action@master
+          go-version: ${{ inputs.GO_VERSION }}
+
+      - name: Test core pkg
+        run: ${{ env.DOCKER_CMD }} go test -v ./...
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: Test httphandler pkg
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
+        if: startsWith(github.ref, 'refs/tags')
+
+      - uses: anchore/sbom-action/download-syft@v0
+        name: Setup Syft
+
+      - uses: goreleaser/goreleaser-action@v6
+        name: Build
         with:
-          args: -v --all-policies
+          distribution: goreleaser
+          version: latest
+          args: build --clean --snapshot --single-target
         env:
-          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
-          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
-          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-      - name: Scanning - Vulnerabilities (Snyk)
-        if: ${{ env.SNYK_TOKEN }}
-        id: vulnerabilities-scan
-        continue-on-error: true
-        uses: snyk/actions/golang@806182742461562b67788a64410098c9d9b96adb # ratchet:snyk/actions/golang@master
-        with:
-          command: test --all-projects
+          RELEASE: ${{ inputs.RELEASE }}
+          CLIENT: ${{ inputs.CLIENT }}
+          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
+
+      - name: Smoke Testing
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/cli_linux_amd64_v1/kubescape
 
-      - name: Test coverage
-        id: unit-test
-        run: go test -v ${{ inputs.UNIT_TESTS_PATH }} -covermode=count -coverprofile=coverage.out
-
-      - name: Convert coverage count to lcov format
-        uses: jandelgado/gcov2lcov-action@v1
-
-      - name: Submit coverage tests to Coveralls
-        continue-on-error: true
-        uses: coverallsapp/github-action@v1
+      - name: golangci-lint
+        continue-on-error: false
+        uses: golangci/golangci-lint-action@v9
         with:
-          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-          path-to-lcov: coverage.lcov
-
-      - name: Comment results to PR
-        continue-on-error: true # Warning: This might break opening PRs from forks
-        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # ratchet:peter-evans/create-or-update-comment@v2.1.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          body: |
-            Scan results:
-            - License scan: ${{ steps.licenses-scan.outcome }}
-            - Credentials scan: ${{ steps.credentials-scan.outcome }}
-            - Vulnerabilities scan: ${{ steps.vulnerabilities-scan.outcome }}
-          reactions: 'eyes'
+          args: --timeout 10m
+          only-new-issues: true

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -1,387 +0,0 @@
-name: b-binary-build-and-e2e-tests
-permissions: read-all
-on:
-  workflow_dispatch:
-    inputs:
-      COMPONENT_NAME:
-        required: false
-        type: string
-        default: "kubescape"
-      RELEASE:
-        required: false
-        type: string
-        default: ""
-      CLIENT:
-        required: false
-        type: string
-        default: "test"
-      GO_VERSION:
-        required: false
-        type: string
-        default: "1.21"
-      GO111MODULE:
-        required: false
-        type: string
-        default: ""
-      CGO_ENABLED:
-        type: number
-        default: 1
-        required: false
-      OS_MATRIX:
-        type: string
-        required: false
-        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
-      ARCH_MATRIX:
-        type: string
-        required: false
-        default: '[ "", "arm64"]'
-      BINARY_TESTS:
-        type: string
-        required: false
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "control_cluster_from_CLI_config_scan_exclude_namespaces", "control_cluster_from_CLI_config_scan_include_namespaces", "control_cluster_from_CLI_config_scan_host_scanner_enabled", "control_cluster_from_CLI_config_scan_MITRE_framework", "control_cluster_from_CLI_vulnerabilities_scan_default", "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces" ]'
-
-  workflow_call:
-    inputs:
-      COMPONENT_NAME:
-        required: true
-        type: string
-      RELEASE:
-        required: true
-        type: string
-      CLIENT:
-        required: true
-        type: string
-      GO_VERSION:
-        type: string
-        default: "1.21"
-      GO111MODULE:
-        required: true
-        type: string
-      CGO_ENABLED:
-        type: number
-        default: 1
-      BINARY_TESTS:
-        type: string
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing" ]'
-      OS_MATRIX:
-        type: string
-        required: false
-        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
-      ARCH_MATRIX:
-        type: string
-        required: false
-        default: '[ "", "arm64"]'
-
-jobs:
-  wf-preparation:
-    name: secret-validator
-    runs-on: ubuntu-latest
-    outputs:
-      TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
-      OS_MATRIX: ${{ steps.export_os_to_env.outputs.OS_MATRIX }}
-      ARCH_MATRIX: ${{ steps.export_arch_to_env.outputs.ARCH_MATRIX }}
-      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
-
-    steps:
-      - name: check if the necessary secrets are set in github secrets
-        id: check-secret-set
-        env:
-          CUSTOMER: ${{ secrets.CUSTOMER }}
-          USERNAME: ${{ secrets.USERNAME }}
-          PASSWORD: ${{ secrets.PASSWORD }}
-          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
-          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
-          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-        run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
-
-      - id: export_os_to_env
-        name: set test name
-        run: |
-          echo "OS_MATRIX=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.OS_MATRIX }}
-
-      - id: export_tests_to_env
-        name: set test name
-        run: |
-          echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.BINARY_TESTS }}
-
-      - id: export_arch_to_env
-        name: set test name
-        run: |
-          echo "ARCH_MATRIX=$input" >> $GITHUB_OUTPUT
-        env:
-          input: ${{ inputs.ARCH_MATRIX }}
-
-  check-secret:
-    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-    runs-on: ubuntu-latest
-    outputs:
-      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
-    steps:
-      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-        id: check-secret-set
-        env:
-          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-        run: |
-          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
-
-  binary-build:
-    name: Create cross-platform build
-    needs: wf-preparation
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GOARCH: ${{ matrix.arch }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: ${{ fromJson(needs.wf-preparation.outputs.OS_MATRIX) }}
-        arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_MATRIX) }}
-        exclude:
-        - os: windows-latest
-          arch: arm64
-    steps:
-
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: recursive
-
-      - name: Cache Go modules (Linux)
-        if: matrix.os == 'ubuntu-20.04'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (macOS)
-        if: matrix.os == 'macos-latest'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~/Library/Caches/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Cache Go modules (Windows)
-        if: matrix.os == 'windows-latest'
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
-        name: Installing go
-        with:
-          go-version: ${{ inputs.GO_VERSION }}
-          cache: true
-
-      - name: start ${{ matrix.arch }} environment in container
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y binfmt-support qemu-user-static
-          sudo docker run --platform linux/${{ matrix.arch }} -e RELEASE=${{ inputs.RELEASE }} \
-          -e CLIENT=${{ inputs.CLIENT }} -e CGO_ENABLED=${{ inputs.CGO_ENABLED }} \
-          -e KUBESCAPE_SKIP_UPDATE_CHECK=true -e GOARCH=${{ matrix.arch }} -v ${PWD}:/work \
-          -w /work -v ~/go/pkg/mod:/root/go/pkg/mod -v ~/.cache/go-build:/root/.cache/go-build \
-          -d --name build golang:${{ inputs.GO_VERSION }}-bullseye sleep 21600
-          sudo docker ps
-          DOCKER_CMD="sudo docker exec build"
-          ${DOCKER_CMD} apt update
-          ${DOCKER_CMD} apt install -y cmake python3
-          ${DOCKER_CMD} git config --global --add safe.directory '*'
-          echo "DOCKER_CMD=${DOCKER_CMD}" >> $GITHUB_ENV;
-        if: matrix.os == 'ubuntu-20.04' && matrix.arch != ''
-
-      - name: Install pkg-config (macOS)
-        run: brew install pkg-config
-        if: matrix.os == 'macos-latest'
-
-      - name: Install libgit2 (Linux/macOS)
-        run: ${{ env.DOCKER_CMD }} make libgit2${{ matrix.arch }}
-        if: matrix.os != 'windows-latest'
-
-      # - name: Test core pkg
-      #   run: ${{ env.DOCKER_CMD }} go test -v ./...
-      #   if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
-
-      # - name: Test httphandler pkg
-      #   run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
-      #   if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
-
-      - name: Build
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          CLIENT: ${{ inputs.CLIENT }}
-          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
-        run: ${{ env.DOCKER_CMD }} python3 --version && ${{ env.DOCKER_CMD }} python3 build.py
-
-      - name: Smoke Testing (Windows / MacOS)
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
-        if: startsWith(github.ref, 'refs/tags') && matrix.os != 'ubuntu-20.04' && matrix.arch == ''
-
-      - name: Smoke Testing (Linux amd64)
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
-        if: matrix.os == 'ubuntu-20.04' && matrix.arch == ''
-
-      - name: Smoke Testing (Linux ${{ matrix.arch }})
-        env:
-          RELEASE: ${{ inputs.RELEASE }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ./build/kubescape-${{ matrix.arch }}-ubuntu-latest
-        if: startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch != ''
-
-      - name: golangci-lint
-        if: matrix.os == 'ubuntu-20.04'
-        continue-on-error: true
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
-        with:
-          version: latest
-          args: --timeout 10m --build-tags=static
-          only-new-issues: true
-
-      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
-        name: Upload artifact (Linux)
-        if: matrix.os == 'ubuntu-20.04'
-        with:
-          name: kubescape${{ matrix.arch }}-ubuntu-latest
-          path: build/
-          if-no-files-found: error
-
-      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
-        name: Upload artifact (MacOS, Win)
-        if: matrix.os != 'ubuntu-20.04'
-        with:
-          name: kubescape${{ matrix.arch }}-${{ matrix.os }}
-          path: build/
-          if-no-files-found: error
-
-  build-http-image:
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-      pull-requests: read
-    needs: [check-secret]
-    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
-    with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape
-      IMAGE_TAG: ${{ inputs.RELEASE }}
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 0
-      GO111MODULE: "on"
-      BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.21"
-      REQUIRED_TESTS: '[
-                "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", 
-                "ks_microservice_triggering_with_cron_job",
-                "ks_microservice_update_cronjob_schedule",
-                "ks_microservice_delete_cronjob",
-                "ks_microservice_create_2_cronjob_mitre_and_nsa",
-                "ks_microservice_ns_creation",
-                "ks_microservice_on_demand",
-                "ks_microservice_mitre_framework_on_demand",
-                "ks_microservice_nsa_and_mitre_framework_demand",
-                "scan_compliance_score"
-              ]'
-      COSIGN: true
-      HELM_E2E_TEST: true
-      FORCE: true
-    secrets: inherit
-
-  run-tests:
-    strategy:
-      fail-fast: false
-      matrix:
-        TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }}
-    needs: [wf-preparation, binary-build]
-    if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
-    runs-on: ubuntu-latest # This cannot change
-    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
-        id: download-artifact
-        with:
-          name: kubescape-ubuntu-latest
-          path: "~"
-
-      - run: ls -laR
-
-      - name: chmod +x
-        run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
-
-      - name: Checkout systests repo
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          repository: armosec/system-tests
-          path: .
-
-      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
-        with:
-          python-version: '3.8.13'
-          cache: 'pip'
-
-      - name: create env
-        run: ./create_env.sh
-
-      - name: Generate uuid
-        id: uuid
-        run: |
-          echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT
-
-      - name: Create k8s Kind Cluster
-        id: kind-cluster-install
-        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
-        with:
-          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}
-
-      - name: run-tests-on-local-built-kubescape
-        env:
-          CUSTOMER: ${{ secrets.CUSTOMER }}
-          USERNAME: ${{ secrets.USERNAME }}
-          PASSWORD: ${{ secrets.PASSWORD }}
-          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
-          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
-          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-        run: |
-          echo "Test history:"
-          echo " ${{ matrix.TEST }} " >/tmp/testhistory
-          cat /tmp/testhistory
-          source systests_python_env/bin/activate
-
-          python3 systest-cli.py             \
-            -t ${{ matrix.TEST }}            \
-            -b production                    \
-            -c CyberArmorTests               \
-            --duration 3                     \
-            --logger DEBUG                   \
-            --kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
-
-          deactivate
-
-      - name: Test Report
-        uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
-        if: always() # always run even if the previous step fails
-        with:
-          report_paths: '**/results_xml_format/**.xml'
-          commit: ${{github.event.workflow_run.head_sha}}

.github/workflows/build-image.yaml

@@ -1,41 +0,0 @@
-name: build-image
-permissions: read-all
-on:
-    workflow_dispatch:
-      inputs:
-        CLIENT:
-          required: false
-          type: string
-          default: "test"
-        IMAGE_TAG:
-          required: true
-          type: string
-        CO_SIGN:
-          type: boolean
-          required: false
-          default: false
-        PLATFORMS:
-            type: boolean
-            required: false
-            default: false
-jobs:
-  build-http-image:
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-      pull-requests: read
-    uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
-    with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape
-      IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 0
-      GO111MODULE: "on"
-      BUILD_PLATFORM: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
-      GO_VERSION: "1.21"
-      REQUIRED_TESTS: '[]'
-      COSIGN: ${{ inputs.CO_SIGN }}
-      HELM_E2E_TEST: false
-      FORCE: true
-    secrets: inherit

.github/workflows/c-create-release.yaml

@@ -1,73 +0,0 @@
-name: c-create_release
-permissions: read-all
-on:
-  workflow_call:
-    inputs:
-      RELEASE_NAME:
-        description: 'Release name'
-        required: true
-        type: string
-      TAG:
-        description: 'Tag name'
-        required: true
-        type: string
-      DRAFT:
-        description: 'Create draft release'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  create-release:
-    name: create-release
-    runs-on: ubuntu-latest
-    env:
-      MAC_OS: macos-latest
-      UBUNTU_OS: ubuntu-latest
-      WINDOWS_OS: windows-latest
-    # permissions:
-    #   contents: write
-    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
-        id: download-artifact
-        with:
-          path: .
-
-      # TODO: kubescape-windows-latest is deprecated and should be removed
-      - name: Get kubescape.exe from kubescape-windows-latest
-        run: cp ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }} ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
-
-      - name: Set release token
-        run: |
-          if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then
-            echo "TOKEN=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_ENV;
-          else
-            echo "TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV;
-          fi
-      - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # ratchet:softprops/action-gh-release@v1
-        with:
-          token: ${{ env.TOKEN }}
-          name: ${{ inputs.RELEASE_NAME }}
-          tag_name: ${{ inputs.TAG }}
-          body: ${{ github.event.pull_request.body }}
-          draft: ${{ inputs.DRAFT }}
-          fail_on_unmatched_files: true
-          prerelease: false
-          # TODO: kubescape-windows-latest is deprecated and should be removed
-          files: |
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.sha256
-            ./kubescape-${{ env.MAC_OS }}/kubescape-${{ env.MAC_OS }}.tar.gz
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.sha256
-            ./kubescape-${{ env.UBUNTU_OS }}/kubescape-${{ env.UBUNTU_OS }}.tar.gz
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape.exe
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.sha256
-            ./kubescape-${{ env.WINDOWS_OS }}/kubescape-${{ env.WINDOWS_OS }}.tar.gz
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.sha256
-            ./kubescapearm64-${{ env.MAC_OS }}/kubescape-arm64-${{ env.MAC_OS }}.tar.gz
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.sha256
-            ./kubescapearm64-${{ env.UBUNTU_OS }}/kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz

.github/workflows/d-publish-image.yaml

@@ -1,96 +0,0 @@
-name: d-publish-image
-permissions: read-all
-on:
-  workflow_call:
-    inputs:
-      client:
-        description: 'client name'
-        required: true
-        type: string
-      image_tag:
-        description: 'image tag'
-        required: true
-        type: string
-      image_name:
-        description: 'image registry and name'
-        required: true
-        type: string
-      cosign:
-        required: false
-        default: false
-        type: boolean
-        description: 'run cosign on released image'
-      support_platforms:
-        required: false
-        default: true
-        type: boolean
-        description: 'support amd64/arm64'
-jobs:
-  check-secret:
-    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-    runs-on: ubuntu-latest
-    outputs:
-      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
-    steps:
-      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-        id: check-secret-set
-        env:
-          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-        run: |
-          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
-
-  build-cli-image:
-    needs: [check-secret]
-    if: needs.check-secret.outputs.is-secret-set == 'true'
-    name: Build image and upload to registry
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
-      - name: Login to Quay.io
-        env:
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
-        id: download-artifact
-        with:
-          path: .
-      - name: mv kubescape amd64 binary
-        run: mv kubescape-ubuntu-latest/kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest
-      - name: mv kubescape arm64 binary
-        run: mv kubescape-ubuntu-latest/kubescape-arm64-ubuntu-latest kubescape-arm64-ubuntu-latest
-      - name: chmod +x
-        run: chmod +x -v kubescape-a*
-      - name: Build and push images
-        run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v2.2.2'
-      - name: sign kubescape container image
-        if: ${{ inputs.cosign }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }}
-          COSIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY_V1 }}
-        run: |
-            # Sign the image with keyless mode
-            cosign sign -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
-
-            # Sign the image with key for verifier clients without keyless support
-            # Put the key from environment variable to a file
-            echo "$COSIGN_PRIVATE_KEY" > cosign.key
-            printf "$COSIGN_PRIVATE_KEY_PASSWORD" | cosign sign -key cosign.key -y ${{ inputs.image_name }}:${{ inputs.image_tag }}
-            rm cosign.key
-            # Verify the image
-            echo "$COSIGN_PUBLIC_KEY" > cosign.pub
-            cosign verify -key cosign.pub ${{ inputs.image_name }}:${{ inputs.image_tag }}
-

.github/workflows/scorecard.yml

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@v4
         with:
           name: SARIF file
           path: results.sarif
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/z-close-typos-issues.yaml

@@ -1,20 +0,0 @@
-permissions: read-all
-on:
-  issues:
-    types: [opened, labeled]
-jobs:
-  open_PR_message:
-    if: github.event.label.name == 'typo'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: ben-z/actions-comment-on-issue@10be23f9c43ac792663043420fda29dde07e2f0f # ratchet:ben-z/actions-comment-on-issue@1.0.2
-        with:
-          message: "Hello! :wave:\n\nThis issue is being automatically closed, Please open a PR with a relevant fix."
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  auto_close_issues:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f # ratchet:lee-dohm/close-matching-issues@v2
-        with:
-          query: 'label:typo'
-          token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -9,3 +9,10 @@
 ca.srl
 *.out
 ks
+cosign.key
+
+dist/
+
+# Test output files
+customFilename.pdf
+customFilename.xml

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "git2go"]
-	path = git2go
-	url = https://github.com/libgit2/git2go.git

.golangci.yml

@@ -1,57 +1,57 @@
-linters-settings:
-  govet:
-    check-shadowing: true
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 3
-    min-occurrences: 2
-  gocognit:
-    min-complexity: 65
-
+version: "2"
 linters:
   enable:
-    - gosec
-    - staticcheck
-    - nolintlint
-    - gofmt
-    - unused
-    - govet
     - bodyclose
-    - typecheck
-    - goimports
-    - ineffassign
-    - gosimple
+    - gosec
+    - nolintlint
   disable:
-    # temporarily disabled
-    - varcheck
-    - errcheck
     - dupl
-    - gocritic
+    - errcheck
+    - gochecknoglobals
+    - gochecknoinits
     - gocognit
+    - gocritic
+    - lll
     - nakedret
     - revive
-    - stylecheck
     - unconvert
     - unparam
-    #- forbidigo # <- see later
-    # should remain disabled
-    - deadcode   # deprecated linter
-    - maligned
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
-issues:
-  exclude-rules:
-    - linters:
-      - revive
-      text: "var-naming"
-    - linters:
-      - revive
-      text: "type name will be used as (.+?) by other packages, and that stutters"
-    - linters:
-      - stylecheck
-      text: "ST1003"
-run:
-  skip-dirs:
-    - git2go
+  settings:
+    dupl:
+      threshold: 200
+    gocognit:
+      min-complexity: 65
+    goconst:
+      min-len: 3
+      min-occurrences: 2
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - revive
+        text: var-naming
+      - linters:
+          - revive
+        text: type name will be used as (.+?) by other packages, and that stutters
+      - linters:
+          - staticcheck
+        text: ST1003
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.goreleaser.yaml

@@ -0,0 +1,148 @@
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    - go test -v ./...
+    - go -C httphandler test -v ./...
+
+archives:
+  - id: cli
+    ids:
+      - cli
+
+    formats:
+      - binary
+      - tar.gz
+
+builds:
+  - id: cli
+    binary: kubescape
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+      - -X github.com/kubescape/backend/pkg/versioncheck.Client={{.Env.CLIENT}}
+    hooks:
+      post:
+        - cmd: >
+            {{ if eq .Arch "amd64" }}
+            /bin/sh -lc 'sh build/goreleaser-post-e2e.sh'
+            {{ end }}
+  - id: downloader
+    dir: downloader
+    binary: downloader
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+  - id: http
+    dir: httphandler
+    binary: ksserver
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+nfpms:
+  - id: cli
+    package_name: kubescape
+    ids:
+      - cli
+    vendor: Kubescape
+    homepage: https://kubescape.io/
+    maintainer: matthiasb@kubescape.io
+    formats:
+      - apk
+      - deb
+      - rpm
+    bindir: /usr/bin
+
+docker_signs:
+  - stdin: "{{ .Env.COSIGN_PWD }}"
+
+dockers_v2:
+  - id: cli
+    images:
+      - "quay.io/kubescape/kubescape-cli"
+    tags:
+      - "{{ .Tag }}"
+    labels:
+      "org.opencontainers.image.description": "Kubescape CLI"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+    ids:
+      - cli
+    dockerfile: build/kubescape-cli.Dockerfile
+  - id: http
+    images:
+      - "quay.io/kubescape/kubescape"
+    tags:
+      - "{{ .Tag }}"
+    labels:
+      "org.opencontainers.image.description": "Kubescape microservice"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+    ids:
+      - downloader
+      - http
+    dockerfile: build/Dockerfile
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+checksum:
+  name_template: "checksums.sha256"
+
+sboms:
+  - artifacts: binary
+
+krews:
+  - name: kubescape
+    ids:
+      - cli
+    skip_upload: true
+    homepage: https://kubescape.io/
+    description: It includes risk analysis, security compliance, and misconfiguration scanning with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+    short_description: Scan resources and cluster configs against security frameworks.
+
+release:
+  draft: false
+  footer: >-
+
+    ---
+
+    Released by [GoReleaser](https://github.com/goreleaser/goreleaser).

.krew.yaml

@@ -3,40 +3,58 @@ kind: Plugin
 metadata:
   name: kubescape
 spec:
-  homepage: https://github.com/kubescape/kubescape/
-  shortDescription: Scan resources and cluster configs against security frameworks.
   version: {{ .TagName }}
-  description: |
-    It includes risk analysis, security compliance, and misconfiguration scanning
-    with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
   platforms:
-  - selector:
-      matchLabels:
-        os: darwin
-        arch: amd64
-    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-macos-latest.tar.gz" .TagName }}
-    bin: kubescape
-  - selector:
-      matchLabels:
-        os: darwin
-        arch: arm64
-    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-macos-latest.tar.gz" .TagName }}
-    bin: kubescape
   - selector:
       matchLabels:
         os: linux
         arch: amd64
-    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-ubuntu-latest.tar.gz" .TagName }}
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_amd64.tar.gz" .TagName) .TagName }}
     bin: kubescape
   - selector:
       matchLabels:
         os: linux
         arch: arm64
-    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-arm64-ubuntu-latest.tar.gz" .TagName }}
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_arm64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_amd64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_arm64.tar.gz" .TagName) .TagName }}
     bin: kubescape
   - selector:
       matchLabels:
         os: windows
         arch: amd64
-    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/{{ .TagName }}/kubescape-windows-latest.tar.gz" .TagName }}
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_amd64.tar.gz" .TagName) .TagName }}
     bin: kubescape.exe
+  - selector:
+      matchLabels:
+        os: windows
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_arm64.tar.gz" .TagName) .TagName }}
+    bin: kubescape.exe
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  description: |
+    Kubescape is the first tool for testing if Kubernetes is deployed securely
+    according to mitigations and best practices. It includes risk analysis,
+    security compliance, and misconfiguration scanning with an easy-to-use
+    CLI interface, flexible output formats, and automated scanning capabilities.
+
+    Features:
+    - Risk analysis: Identify vulnerabilities and security risks in your cluster
+    - Security compliance: Check your cluster against multiple security frameworks
+    - Misconfiguration scanning: Detect security misconfigurations in your workloads
+    - Flexible output: Results in JSON, SARIF, HTML, JUnit, and Prometheus formats
+    - CI/CD integration: Easily integrate into your CI/CD pipeline
+  homepage: https://kubescape.io/
+  caveats: |
+    Requires kubectl and basic knowledge of Kubernetes.
+    Run 'kubescape scan' to scan your Kubernetes cluster or manifests.

ADOPTERS.md

@@ -1,22 +1,5 @@
 # Adopters
 
-# Well-known companies
-Well-known companies who are using and/or contributing to Kubescape are (in alphabetical order):
-* Accenture
-* Amazon.com
-* IBM
-* Intel
-* Meetup
-* RedHat
-* Scaleway
+The Kubescape project manages this document in the central project repository.
 
-# Users
-
-If you want to be listed here and share with others your experience, open a PR and add the bellow table:
-
-
-| Name | Company | Use case | Contact for questions (optional) |
-| ---- | ------- | -------- | -------------------------------- |
-| Yonathan Amzallag | ARMO | Vulnerability monitoring | yonatana@armosec.io |
-| Engin Diri | Schwarz IT (SIT) | Ensure continuous compliance for edge k8s cluster | engin.diri@mail.schwarz |
-| Idan Bidani | Cox Communications | Security analysis for k8s best practices in CI pipelines of 3,000 applications 🔒☸ | idan.bidani@cox.com |
+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)

CODE_OF_CONDUCT.md

@@ -1,3 +1,5 @@
-## Code of Conduct
+# Code of Conduct
 
-The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)

COMMUNITY.md

@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)

CONTRIBUTING.md

@@ -1,98 +1,5 @@
 # Contributing
 
-First, it is awesome that you are considering contributing to Kubescape! Contributing is important and fun and we welcome your efforts.
+The Kubescape project manages this document in the central project repository.
 
-When contributing, we categorize contributions into two:
-* Small code changes or fixes, whose scope is limited to a single or two files
-* Complex features and improvements, with potentially unlimited scope
-
-If you have a small change, feel free to fire up a Pull Request.
-
-When planning a bigger change, please first discuss the change you wish to make via an issue,
-so the maintainers are able to help guide you and let you know if you are going in the right direction.
-
-## Code of Conduct
-
-Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
-
-## Build and test locally
-
-Please follow the [instructions here](https://github.com/kubescape/kubescape/wiki/Building).
-
-## Pull Request Process
-
-1. Ensure any install or build dependencies are removed before the end of the layer when doing a 
-   build.
-2. Update the README.md with details of changes to the interface, this includes new environment 
-   variables, exposed ports, useful file locations and container parameters.
-3. Open Pull Request to the `master` branch.
-4. We will merge the Pull Request once you have the sign-off.
-
-## Developer Certificate of Origin
-
-All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/).  This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
-
-Commits made through the GitHub web application are automatically signed off.
-
-### Configuring Git to sign off commits
-
-First, configure your name and email address in Git global settings:
-
-```
-$ git config --global user.name "John Doe" 
-$ git config --global user.email johndoe@example.com
-```
-
-You can now sign off per-commit, or configure Git to always sign off commits per repository.
-
-### Sign off per-commit
-
-Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
-
-```git commit -s -m "Fix issue 64738"```
-
-This is tedious, and if you forget, you'll have to [amend your commit](#fixing-a-commit-where-the-dco-failed).
-
-### Configure a repository to always include sign off
-
-There are many ways to achieve this with Git hooks, but the simplest is to do the following:
-
-```
-cd your-repo
-curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
-chmod +x .git/hooks/prepare-commit-msg
-```
-
-### Use semantic commit messages (optional)
-
-When contributing, you could consider using [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/), in order to improve logs readability and help us to automatically generate `CHANGELOG`s.
-
-Format: `<type>(<scope>): <subject>`
-
-`<scope>` is optional
-
-#### Example
-
-```
-feat(cmd): add kubectl plugin
-^--^ ^-^   ^----------------^
-|    |     |
-|    |     +-> subject: summary in present tense.
-|    |
-|    +-------> scope: point of interest
-|
-+-------> type: chore, docs, feat, fix, refactor, style, or test.
-```
-
-More Examples:
-* `feat`: new feature for the user, not a new feature for build script
-* `fix`: bug fix for the user, not a fix to a build script
-* `docs`: changes to the documentation
-* `style`: formatting, missing semi colons, etc; no production code change
-* `refactor`: refactoring production code, eg. renaming a variable
-* `test`: adding missing tests, refactoring tests; no production code change
-* `chore`: updating grunt tasks etc; no production code change
-
-## Fixing a commit where the DCO failed
-
-Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)

GOVERNANCE.md

@@ -1,65 +1,5 @@
-# Governance of Kubescape
+# Governance
 
-## Overview
+The Kubescape project manages this document in the central project repository.
 
-The Kubescape project is an open-source initiative dedicated to improve security and best practices in Kubernetes environments. This document outlines the governance structure of the Kubescape project and provides guidance for its community contributors.
-
-## Decision Making
-
-### Maintainers
-
-- Maintainers are responsible for the smooth operation of the project.
-- They review and merge pull requests, manage releases, and ensure the quality and stability of the codebase.
-- Maintainers are chosen based on their ongoing contributions and their demonstrated commitment to the project.
-- Everyone who had at least 5 code contribution in the last 12 month can submit her/himself for joining the maintainer team
-- Maintainers who are not taken part in the project work (code, reviews, discussions) for 12 month are automaticaly removed from the maintainer team
-
-
-### Committers
-
-- Committers are contributors who have made significant and consistent contributions to the project.
-- They have the ability to merge minor pull requests if assigned by maintainers.
-- A contributor can be proposed as a committer by any existing maintainer. The proposal will be reviewed and voted on by the existing maintainers.
-
-### Community Members
-
-- Anyone can become a community member by contributing to the project. This can be in the form of code contributions, documentation, or any other form of project support.
-
-## Processes
-
-### Proposing Changes
-
-1. Open an issue on the project repository to discuss the proposed change.
-2. Once there is consensus around the proposed change, create a pull request.
-3. Pull requests will be reviewed by committers and/or maintainers.
-4. Once the pull request has received approval, it can be merged into the main codebase.
-
-### Conflict Resolution
-
-1. In case of any conflicts, it is primarily the responsibility of the parties involved to resolve it.
-2. If the conflict cannot be resolved, it will be escalated to the maintainers for resolution.
-3. Maintainers' decision will be final in case of unresolved conflicts.
-
-## Roles and Responsibilities
-
-### Maintainers
-
-- Ensure the quality and stability of the project.
-- Resolve conflicts.
-- Provide direction and set priorities for the project.
-
-### Committers
-
-- Review and merge minor pull requests.
-- Assist maintainers in project tasks.
-- Promote best practices within the community.
-
-### Community Members
-
-- Contribute to the project in any form.
-- Participate in discussions and provide feedback.
-- Respect the code of conduct and governance of the project.
-
-## Changes to the Governance Document
-
-Proposed changes to this governance document should follow the same process as any other code change to the Kubescape project (see "Proposing Changes").
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)

KREW_RELEASE.md

@@ -0,0 +1,273 @@
+# Krew Release Automation Guide
+
+This document explains how kubescape automates publishing to the Kubernetes plugin package manager, krew.
+
+## What is Krew?
+
+Krew is a plugin manager for `kubectl`. It allows users to discover and install `kubectl` plugins easily. You can learn more about krew at [https://krew.sigs.k8s.io/](https://krew.sigs.k8s.io/).
+
+## How kubescape publishes to krew
+
+We use the [krew-release-bot](https://github.com/rajatjindal/krew-release-bot) to automatically create pull requests to the [kubernetes-sigs/krew-index](https://github.com/kubernetes-sigs/krew-index) repository whenever a new release of kubescape is published.
+
+### Setup Overview
+
+The automation consists of three components:
+
+1. **`.krew.yaml`** - A template file that the bot uses to generate the krew plugin manifest
+2. **`.github/workflows/02-release.yaml`** - GitHub Actions workflow that runs the krew-release-bot after a successful release
+3. **`.goreleaser.yaml`** - GoReleaser configuration that defines the krew manifest (though upload is skipped)
+
+### Why Use krew-release-bot Instead of GoReleaser's Built-in Krew Support?
+
+You might have noticed that **GoReleaser has built-in krew support** in its `krews` section. However, almost all projects (including stern) use `skip_upload: true` and rely on **krew-release-bot** instead. Here's why:
+
+#### Problems with GoReleaser's Built-in Krew Publishing
+
+To use GoReleaser's direct krew publishing, you would need to:
+
+```yaml
+krews:
+  - name: kubescape
+    skip_upload: false  # Instead of true
+    repository:
+      owner: kubernetes-sigs
+      name: krew-index
+      token: "{{ .Env.KREW_INDEX_TOKEN }}"  # Required!
+      pull_request:
+        enabled: true  # Requires GoReleaser Pro for cross-repo PRs
+```
+
+This approach has several critical issues:
+
+1. **Permission Barrier**: Almost no one has write access to `kubernetes-sigs/krew-index`. You would need special permissions from the Krew maintainers, which is rarely granted.
+
+2. **Security Risk**: You'd need to store a GitHub personal access token with write access to the krew-index in your repository secrets. This token could be compromised and used to make unauthorized changes to the krew-index.
+
+3. **GoReleaser Pro Required**: To create pull requests to a different repository (cross-repository), you need GoReleaser Pro, which is a paid product.
+
+4. **Manual Work**: Even if you had access, you'd need to manually configure and maintain the repository settings, tokens, and potentially deal with rate limits and authentication issues.
+
+#### Why krew-release-bot is the Right Solution
+
+The **krew-release-bot** was created by the Kubernetes community (in collaboration with the Krew team) specifically to solve these problems:
+
+- **No Repository Access Required**: The bot acts as an intermediary with pre-configured access to krew-index. You don't need write permissions.
+
+- **No Tokens Needed**: It uses GitHub's `GITHUB_TOKEN` (automatically available in GitHub Actions) via webhooks and events. No personal access tokens required.
+
+- **Designed for Krew**: It's specifically built for the krew-index workflow and integrates with Krew's automation.
+
+- **Automatic Merging**: The Krew team has configured their CI to automatically test and merge PRs from krew-release-bot (usually within 5-10 minutes).
+
+- **Officially Recommended**: The Krew team explicitly recommends this approach in their documentation as the standard way to automate plugin updates.
+
+- **Free and Open Source**: No paid subscriptions required.
+
+#### The Real-World Evidence
+
+Looking at recent pull requests to `kubernetes-sigs/krew-index`, **almost all automated plugin updates are created by krew-release-bot**. You'll see patterns like:
+
+```
+Author: krew-release-bot
+Title: "release new version v0.6.11 of radar"
+```
+
+This demonstrates that the entire Kubernetes ecosystem has standardized on krew-release-bot, not GoReleaser's built-in publishing.
+
+#### Summary
+
+While GoReleaser's built-in krew support exists in the code, it's **practically unusable for the krew-index repository** due to permission and security constraints. The krew-release-bot is the de facto standard because:
+- It works without special permissions
+- It's more secure
+- It integrates with Krew's automation
+- It's free and recommended by the Krew team
+
+This is why we use `skip_upload: true` in GoReleaser and let krew-release-bot handle the actual publishing.
+
+### The Template File
+
+The `.krew.yaml` file in the repository root is a Go template that contains placeholders for dynamic values:
+
+```yaml
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  version: {{ .TagName }}
+  platforms:
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape.exe
+  - selector:
+      matchLabels:
+        os: windows
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape.exe
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  description: |
+    Kubescape is the first tool for testing if Kubernetes is deployed securely
+    according to mitigations and best practices. It includes risk analysis,
+    security compliance, and misconfiguration scanning with an easy-to-use
+    CLI interface, flexible output formats, and automated scanning capabilities.
+
+    Features:
+    - Risk analysis: Identify vulnerabilities and security risks in your cluster
+    - Security compliance: Check your cluster against multiple security frameworks
+    - Misconfiguration scanning: Detect security misconfigurations in your workloads
+    - Flexible output: Results in JSON, SARIF, HTML, JUnit, and Prometheus formats
+    - CI/CD integration: Easily integrate into your CI/CD pipeline
+  homepage: https://kubescape.io/
+  caveats: |
+    Requires kubectl and basic knowledge of Kubernetes.
+    Run 'kubescape scan' to scan your Kubernetes cluster or manifests.
+```
+
+The `{{ .TagName }}` is replaced with the release tag (e.g., `v3.0.0`), `{{ trimPrefix "v" .TagName }}` removes the version prefix, and `{{ addURIAndSha ... }}` calculates the SHA256 checksum for the binary archive.
+
+### Release Workflow
+
+The release workflow (`.github/workflows/02-release.yaml`) can be triggered in two ways:
+
+1. **Automatic**: When a new tag matching the pattern `v[0-9]+.[0-9]+.[0-9]+` is pushed to the repository
+2. **Manual**: Via `workflow_dispatch` with an optional `skip_publish` input
+
+When the workflow is triggered:
+
+1. GoReleaser builds and publishes the release artifacts (unless `skip_publish=true` is set)
+2. The krew-release-bot step runs conditionally:
+   - It **runs** when triggered by a tag push OR by `workflow_dispatch` with `skip_publish=false`
+   - It **skips** when triggered by `workflow_dispatch` with `skip_publish=true` (default)
+3. When it runs, the bot:
+   - Reads the `.krew.yaml` template
+   - Fills in the template with release information
+   - Creates a pull request to the `kubernetes-sigs/krew-index` repository
+   - The PR is automatically tested and merged by krew's infrastructure
+
+### Workflow Permissions
+
+The release job has the following permissions:
+
+```yaml
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  discussions: read
+  id-token: write
+  issues: read
+  models: read
+  packages: write
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  attestations: read
+  artifact-metadata: read
+```
+
+These permissions are necessary for GoReleaser to create releases and upload artifacts.
+
+### Testing the Template
+
+Before committing changes to `.krew.yaml`, you can test how the template will be rendered using Docker:
+
+```bash
+docker run -v $(pwd)/.krew.yaml:/tmp/.krew.yaml ghcr.io/rajatjindal/krew-release-bot:v0.0.47 \
+  krew-release-bot template --tag v3.0.0 --template-file /tmp/.krew.yaml
+```
+
+This will output the generated krew manifest file, allowing you to verify:
+- The version field is correct
+- All download URLs are properly formatted
+- The SHA256 checksum will be calculated correctly
+
+### Why skip_upload in GoReleaser?
+
+In `.goreleaser.yaml`, the `krews` section has `skip_upload: true`:
+
+```yaml
+krews:
+  - name: kubescape
+    ids:
+      - cli
+    skip_upload: true  # We use krew-release-bot instead
+    homepage: https://kubescape.io/
+    description: It includes risk analysis, security compliance, and misconfiguration scanning with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+    short_description: Scan resources and cluster configs against security frameworks.
+```
+
+This is intentional because:
+- GoReleaser generates the manifest but doesn't have built-in support for submitting PRs to krew-index
+- krew-release-bot is the recommended tool for krew automation by the Krew team
+- Using krew-release-bot provides automatic testing and merging of version bump PRs
+
+### Manual Release Testing
+
+You can test the release workflow manually without publishing to krew by using `workflow_dispatch`:
+
+1. Go to Actions tab in GitHub
+2. Select "02-create_release" workflow
+3. Click "Run workflow"
+4. The `skip_publish` input defaults to `true` (publishing will be skipped)
+5. Set `skip_publish` to `false` if you want to test the full release process including krew indexing
+
+### Making Changes to the Template
+
+If you need to update the krew manifest (e.g., change the description, add platforms, or update the binary location):
+
+1. Edit the `.krew.yaml` file
+2. Test your changes with the Docker command shown above
+3. Commit and push the changes
+4. The next release will use the updated template
+
+### Installing kubescape via krew
+
+Once the plugin is indexed in krew, users can install it with:
+
+```bash
+kubectl krew install kubernetes-sigs/kubescape
+```
+
+Or after index update:
+
+```bash
+kubectl krew install kubescape
+```
+
+### Further Reading
+
+- [Krew official documentation](https://krew.sigs.k8s.io/docs/developer-guide/)
+- [krew-release-bot repository](https://github.com/rajatjindal/krew-release-bot)
+- [Krew plugin submission guide](https://krew.sigs.k8s.io/docs/developer-guide/develop/plugins/)

MAINTAINERS.md

@@ -1,12 +1,5 @@
 # Maintainers
 
-The following table lists the Kubescape project core maintainers:
-
-| Name | GitHub | Organization | Added/Renewed On |
-| --- | --- | --- | --- |
-| [Matthias Bertschy](https://www.linkedin.com/in/matthias-bertschy-b427b815/) | [@matthyx](https://github.com/matthyx) | [ARMO](https://www.armosec.io/) | 2023-01-01 |
-| [Craig Box](https://www.linkedin.com/in/crbnz/) | [@craigbox](https://github.com/craigbox) | [Solo.io](https://www.solo.io/) | 2022-10-31 |
-| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
-| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | [ARMO](https://www.armosec.io/) | 2021-10-11 |
-| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | [ARMO](https://www.armosec.io/) | 2021-09-01 |
+The Kubescape project manages this document in the central project repository.
 
+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)

Makefile

@@ -1,28 +1,12 @@
-.PHONY: test all build libgit2
+.PHONY: test all build
 
 # default task invoked while running make
-all: libgit2 build
+all: build
 
-export CGO_ENABLED=1
-
-# build and install libgit2
-libgit2:
-	-git submodule update --init --recursive
-	cd git2go; make install-static
-
-# build and install libgit2 for macOS m1
-libgit2arm64:
-	git submodule update --init --recursive
-	if [ "$(shell uname -s)" = "Darwin" ]; then \
-		sed -i '' 's/cmake -D/cmake -DCMAKE_OSX_ARCHITECTURES="arm64" -D/' git2go/script/build-libgit2.sh; \
-	fi
-	cd git2go; make install-static
-
-# go build tags
-TAGS = "gitenabled,static"
+export CGO_ENABLED=0
 
 build:
-	go build -v -tags=$(TAGS) .
+	go build -v .
 
 test:
-	go test -v -tags=$(TAGS) ./...
+	go test -v ./...

README.md

@@ -3,11 +3,12 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
 [![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
 [![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
-[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
+[![CNCF](https://shields.io/badge/CNCF-Incubating%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/?item=provisioning--security-compliance--kubescape)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubescape)](https://artifacthub.io/packages/search?repo=kubescape)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape?ref=badge_shield&issueType=license)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6944/badge)](https://www.bestpractices.dev/projects/6944)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubescape/kubescape/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubescape/kubescape)
+[![Docs](https://img.shields.io/badge/docs-latest-brightgreen?logo=gitbook)](https://kubescape.io/docs/)
 [![Stars](https://img.shields.io/github/stars/kubescape/kubescape?style=social)](https://github.com/kubescape/kubescape/stargazers)
 [![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
 [![Slack](https://img.shields.io/badge/slack-kubescape-blueviolet?logo=slack)](https://cloud-native.slack.com/archives/C04EY3ZF9GE)
@@ -20,91 +21,480 @@
   <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
 </picture>
 
-_An open-source Kubernetes security platform for your clusters, CI/CD pipelines, and IDE that seperates out the security signal from the scanner noise_
+_Comprehensive Kubernetes Security from Development to Runtime_
 
-Kubescape is an open-source Kubernetes security platform, built for use in your day-to-day workflow, by fitting into your clusters, CI/CD pipelines and IDE. It serves as a one-stop-shop for Kuberenetes security and includes vulnerability and misconfiguration scanning. You can run scans via the CLI, or add the Kubescape Helm chart, which gives an in-depth view of what is going on in the cluster.
+Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.
 
-Kubescape includes misconfiguration and vulnerability scanning as well as risk analysis and security compliance indicators. All results are presented in context and users get many cues on what to do based on scan results.Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/).
 
-Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape!_
 
-Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
+---
 
-## Demo
-<img src="docs/img/demo-v3.gif">
+## 📑 Table of Contents
 
-_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_
+- [Features](#-features)
+- [Demo](#-demo)
+- [Quick Start](#-quick-start)
+- [Installation](#-installation)
+- [CLI Commands](#%EF%B8%8F-cli-commands)
+- [Usage Examples](#-usage-examples)
+- [Architecture](#%EF%B8%8F-architecture)
+- [In-Cluster Operator](#%EF%B8%8F-in-cluster-operator)
+- [Integrations](#-integrations)
+- [Community](#-community)
+- [Changelog](#changelog)
+- [License](#license)
 
-## Getting started
+---
 
-Experimenting with Kubescape is as easy as:
+## ✨ Features
+
+| Feature | Description |
+|---------|-------------|
+| 🔍 **Misconfiguration Scanning** | Scan clusters, YAML files, and Helm charts against NSA-CISA, MITRE ATT&CK®, and CIS Benchmarks |
+| 🐳 **Image Vulnerability Scanning** | Detect CVEs in container images using [Grype](https://github.com/anchore/grype) |
+| 🩹 **Image Patching** | Automatically patch vulnerable images using [Copacetic](https://github.com/project-copacetic/copacetic) |
+| 🔧 **Auto-Remediation** | Automatically fix misconfigurations in Kubernetes manifests |
+| 🛡️ **Admission Control** | Enforce security policies with Validating Admission Policies (VAP) |
+| 📊 **Runtime Security** | eBPF-based runtime monitoring via [Inspektor Gadget](https://github.com/inspektor-gadget) |
+| 🤖 **AI Integration** | MCP server for AI assistant integration |
+
+---
+
+## 🎬 Demo
+
+<img src="docs/img/demo-v3.gif" alt="Kubescape CLI demo">
+
+---
+
+## 🚀 Quick Start
+
+### 1. Install Kubescape
 
 ```sh
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
-Learn more about:
+> 💡 See [Installation](#-installation) for more options (Homebrew, Krew, Windows, etc.)
 
-* [Installing Kubescape](docs/installation.md)
-* [Running your first scan](docs/getting-started.md#run-your-first-scan)
-* [Usage](docs/getting-started.md#examples)
-* [Architecture](docs/architecture.md)
-* [Building Kubescape from source](https://github.com/kubescape/kubescape/wiki/Building)
+### 2. Run Your First Scan
 
-_Did you know you can use Kubescape in all these places?_
+```sh
+# Scan your current cluster
+kubescape scan
+
+# Scan a specific YAML file or directory
+kubescape scan /path/to/manifests/
+
+# Scan a container image for vulnerabilities
+kubescape scan image nginx:latest
+```
+
+### 3. Explore the Results
+
+Kubescape provides a detailed security posture overview including:
+- Control plane security status
+- Access control risks
+- Workload misconfigurations
+- Network policy gaps
+- Compliance scores (MITRE, NSA)
+
+---
+
+## 📦 Installation
+
+### One-Line Install (Linux/macOS)
+
+```bash
+curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
+```
+
+### Package Managers
+
+| Platform | Command |
+|----------|---------|
+| **Homebrew** | `brew install kubescape` |
+| **Krew** | `kubectl krew install kubescape` |
+| **Arch Linux** | `yay -S kubescape` |
+| **Ubuntu** | `sudo add-apt-repository ppa:kubescape/kubescape && sudo apt install kubescape` |
+| **NixOS** | `nix-shell -p kubescape` |
+| **Chocolatey** | `choco install kubescape` |
+| **Scoop** | `scoop install kubescape` |
+
+### Windows (PowerShell)
+
+```powershell
+iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
+```
+
+📖 **[Full Installation Guide →](docs/installation.md)**
+
+---
+
+## 🛠️ CLI Commands
+
+Kubescape provides a comprehensive CLI with the following commands:
+
+| Command | Description |
+|---------|-------------|
+| [`kubescape scan`](#scanning) | Scan cluster, files, or images for security issues |
+| [`kubescape scan image`](#image-scanning) | Scan container images for vulnerabilities |
+| [`kubescape fix`](#auto-fix) | Auto-fix misconfigurations in manifest files |
+| [`kubescape patch`](#image-patching) | Patch container images to fix vulnerabilities |
+| [`kubescape list`](#list-frameworks-and-controls) | List available frameworks and controls |
+| [`kubescape download`](#offline-support) | Download artifacts for offline/air-gapped use |
+| [`kubescape config`](#configuration) | Manage cached configurations |
+| [`kubescape operator`](#operator-commands) | Interact with in-cluster Kubescape operator |
+| [`kubescape vap`](#validating-admission-policies) | Manage Validating Admission Policies |
+| [`kubescape mcpserver`](#mcp-server) | Start MCP server for AI assistant integration |
+| `kubescape completion` | Generate shell completion scripts |
+| `kubescape version` | Display version information |
+
+---
+
+## 📖 Usage Examples
+
+### Scanning
+
+#### Scan a Running Cluster
+
+```bash
+# Default scan (all frameworks)
+kubescape scan
+
+# Scan with a specific framework
+kubescape scan framework nsa
+kubescape scan framework mitre
+kubescape scan framework cis-v1.23-t1.0.1
+
+# Scan a specific control
+kubescape scan control C-0005 -v
+```
+
+#### Scan Files and Repositories
+
+```bash
+# Scan local YAML files
+kubescape scan /path/to/manifests/
+
+# Scan a Helm chart
+kubescape scan /path/to/helm/chart/
+
+# Scan a Git repository
+kubescape scan https://github.com/kubescape/kubescape
+
+# Scan with Kustomize
+kubescape scan /path/to/kustomize/directory/
+```
+
+#### Scan Options
+
+```bash
+# Include/exclude namespaces
+kubescape scan --include-namespaces production,staging
+kubescape scan --exclude-namespaces kube-system,kube-public
+
+# Use alternative kubeconfig
+kubescape scan --kubeconfig /path/to/kubeconfig
+
+# Set compliance threshold (exit code 1 if below threshold)
+kubescape scan --compliance-threshold 80
+
+# Set severity threshold
+kubescape scan --severity-threshold high
+```
+
+#### Output Formats
+
+```bash
+# JSON output
+kubescape scan --format json --output results.json
+
+# JUnit XML (for CI/CD)
+kubescape scan --format junit --output results.xml
+
+# SARIF (for GitHub Code Scanning)
+kubescape scan --format sarif --output results.sarif
+
+# HTML report
+kubescape scan --format html --output report.html
+
+# PDF report
+kubescape scan --format pdf --output report.pdf
+```
+
+### Image Scanning
+
+```bash
+# Scan a public image
+kubescape scan image nginx:1.21
+
+# Scan with verbose output
+kubescape scan image nginx:1.21 -v
+
+# Scan a private registry image
+kubescape scan image myregistry/myimage:tag --username user --password pass
+```
+
+### Auto-Fix
+
+Automatically fix misconfigurations in your manifest files:
+
+```bash
+# First, scan and save results to JSON
+kubescape scan /path/to/manifests --format json --output results.json
+
+# Then apply fixes
+kubescape fix results.json
+
+# Dry run (preview changes without applying)
+kubescape fix results.json --dry-run
+
+# Apply fixes without confirmation prompts
+kubescape fix results.json --no-confirm
+```
+
+### Image Patching
+
+Patch container images to fix OS-level vulnerabilities:
+
+```bash
+# Start buildkitd (required)
+sudo buildkitd &
+
+# Patch an image
+sudo kubescape patch --image docker.io/library/nginx:1.22
+
+# Specify custom output tag
+sudo kubescape patch --image nginx:1.22 --tag nginx:1.22-patched
+
+# See detailed vulnerability report
+sudo kubescape patch --image nginx:1.22 -v
+```
+
+📖 **[Full Patch Command Documentation →](cmd/patch/README.md)**
+
+### List Frameworks and Controls
+
+```bash
+# List available frameworks
+kubescape list frameworks
+
+# List all controls
+kubescape list controls
+
+# Output as JSON
+kubescape list controls --format json
+```
+
+### Offline Support
+
+Download artifacts for air-gapped environments:
+
+```bash
+# Download all artifacts
+kubescape download artifacts --output /path/to/offline/dir
+
+# Download a specific framework
+kubescape download framework nsa --output /path/to/nsa.json
+
+# Scan using downloaded artifacts
+kubescape scan --use-artifacts-from /path/to/offline/dir
+```
+
+### Configuration
+
+```bash
+# View current configuration
+kubescape config view
+
+# Set account ID
+kubescape config set accountID <your-account-id>
+
+# Delete cached configuration
+kubescape config delete
+```
+
+### Operator Commands
+
+Interact with the in-cluster Kubescape operator:
+
+```bash
+# Trigger a configuration scan
+kubescape operator scan configurations
+
+# Trigger a vulnerability scan
+kubescape operator scan vulnerabilities
+```
+
+### Validating Admission Policies
+
+Manage Kubernetes Validating Admission Policies:
+
+```bash
+# Deploy the Kubescape CEL admission policy library
+kubescape vap deploy-library | kubectl apply -f -
+
+# Create a policy binding
+kubescape vap create-policy-binding \
+  --name my-policy-binding \
+  --policy c-0016 \
+  --namespace my-namespace | kubectl apply -f -
+```
+
+### MCP Server
+
+Start an MCP (Model Context Protocol) server for AI assistant integration:
+
+```bash
+kubescape mcpserver
+```
+
+The MCP server exposes Kubescape's vulnerability and configuration scan data to AI assistants, enabling natural language queries about your cluster's security posture.
+
+**Available MCP Tools:**
+- `list_vulnerability_manifests` - Discover vulnerability manifests
+- `list_vulnerabilities_in_manifest` - List CVEs in a manifest
+- `list_vulnerability_matches_for_cve` - Get details for a specific CVE
+- `list_configuration_security_scan_manifests` - List configuration scan results
+- `get_configuration_security_scan_manifest` - Get configuration scan details
+
+---
+
+## 🏗️ Architecture
+
+Kubescape can run in two modes:
+
+### CLI Mode
+
+The CLI is a standalone tool that scans clusters, files, and images on-demand.
 
 <div align="center">
-    <img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
+    <img src="docs/img/ks-cli-arch.png" width="600" alt="CLI Architecture">
 </div>
 
-## Under the hood
+**Key Components:**
+- **[Open Policy Agent (OPA)](https://github.com/open-policy-agent/opa)** - Policy evaluation engine
+- **[Regolibrary](https://github.com/kubescape/regolibrary)** - Library of security controls
+- **[Grype](https://github.com/anchore/grype)** - Image vulnerability scanning
+- **[Copacetic](https://github.com/project-copacetic/copacetic)** - Image patching
 
-Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
+### Operator Mode (In-Cluster)
 
-By default, the results are printed in a console-friendly manner, but they can be:
+For continuous monitoring, deploy the Kubescape operator via Helm.
 
-* exported to JSON or junit XML
-* rendered to HTML or PDF
-* submitted to a [cloud service](docs/providers.md)
+<div align="center">
+    <img src="docs/img/ks-operator-arch.png" width="600" alt="Operator Architecture">
+</div>
 
-It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
+**Additional Capabilities:**
+- Continuous configuration scanning
+- Image vulnerability scanning
+- Runtime analysis with eBPF
+- Network policy generation
 
-## Community
+📖 **[Full Architecture Documentation →](docs/architecture.md)**
 
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
+---
 
-We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, on the first Tuesday of every month, at 14:00 GMT. ([See that in your local time zone](https://time.is/compare/1400_in_GMT)).
+## ☸️ In-Cluster Operator
 
-The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+The Kubescape operator provides continuous security monitoring in your cluster:
 
-### Adopters
+```bash
+# Add the Kubescape Helm repository
+helm repo add kubescape https://kubescape.github.io/helm-charts/
 
-See [here](ADOPTERS.md) a list of adopters.
+# Install the operator
+helm upgrade --install kubescape kubescape/kubescape-operator \
+  --namespace kubescape \
+  --create-namespace
+```
 
-## Contributions
+**Operator Features:**
+- 🔄 Continuous misconfiguration scanning
+- 🐳 Image vulnerability scanning for all workloads
+- 🔍 Runtime threat detection (eBPF-based)
+- 🌐 Network policy generation
+- 📈 Prometheus metrics integration
 
-Thanks to all our contributors!  Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
+📖 **[Operator Installation Guide →](https://kubescape.io/docs/operator/)**
 
-* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
-* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
-* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
+---
 
-<br>
+## 🔌 Integrations
 
-<a href = "https://github.com/kubescape/kubescape/graphs/contributors">
-  <img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/>
+### CI/CD
+
+| Platform | Integration |
+|----------|-------------|
+| **GitHub Actions** | [kubescape/github-action](https://github.com/marketplace/actions/kubescape) |
+| **GitLab CI** | [Documentation](https://kubescape.io/docs/integrations/gitlab/) |
+| **Jenkins** | [Documentation](https://kubescape.io/docs/integrations/jenkins/) |
+
+### IDE Extensions
+
+| IDE | Extension |
+|-----|-----------|
+| **VS Code** | [Kubescape Extension](https://marketplace.visualstudio.com/items?itemName=kubescape.kubescape) |
+| **Lens** | [Kubescape Lens Extension](https://github.com/armosec/lens-kubescape) |
+
+### Where You Can Use Kubescape
+
+<div align="center">
+    <img src="docs/img/ksfromcodetodeploy.png" alt="Kubescape integration points: IDE, CI, CD, Runtime">
+</div>
+
+---
+
+## 👥 Community
+
+Kubescape is a CNCF incubating project with an active community.
+
+### Get Involved
+
+- 💬 **[Slack - Users Channel](https://cloud-native.slack.com/archives/C04EY3ZF9GE)** - Ask questions, get help
+- 💬 **[Slack - Developers Channel](https://cloud-native.slack.com/archives/C04GY6H082K)** - Contribute to development
+- 🐛 **[GitHub Issues](https://github.com/kubescape/kubescape/issues)** - Report bugs and request features
+- 📋 **[Project Board](https://github.com/orgs/kubescape/projects/4)** - See what we're working on
+- 🗺️ **[Roadmap](https://github.com/kubescape/project-governance/blob/main/ROADMAP.md)** - Future plans
+
+### Contributing
+
+We welcome contributions! Please see our:
+- **[Contributing Guide](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)**
+- **[Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)**
+
+### Community Resources
+
+- **[Community Info](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)**
+- **[Governance](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)**
+- **[Security Policy](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)**
+- **[Maintainers](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)**
+
+### Contributors
+
+<a href="https://github.com/kubescape/kubescape/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=kubescape/kubescape"/>
 </a>
 
+---
+
 ## Changelog
 
-Kubescape changes are tracked on the [release](https://github.com/kubescape/kubescape/releases) page
+Kubescape changes are tracked on the [releases page](https://github.com/kubescape/kubescape/releases).
+
+---
 
 ## License
 
-Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+Copyright 2021-2025, the Kubescape Authors. All rights reserved.
 
-Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
+Kubescape is released under the [Apache 2.0 license](LICENSE).
+
+Kubescape is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/kubescape/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
 
 <div align="center">
-    <img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
-</div>
+    <img src="https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/other/cncf-member/incubating/color/cncf-incubating-color.svg" width="300" alt="CNCF Incubating Project">
+</div>

SECURITY-INSIGHTS.yml

@@ -4,15 +4,19 @@ header:
   last-reviewed: '2023-10-12'
   expiration-date: '2024-10-12T01:00:00.000Z'
   project-url: https://github.com/kubescape/kubescape/
-  project-release: '1.0.0'
+  project-release: 1.0.0
 project-lifecycle:
   status: active
   bug-fixes-only: false
   core-maintainers:
-  - github:slashben
+  - github:amirmalka
+  - github:amitschendel
+  - github:bezbran
   - github:craigbox
-  - github:matthyx
   - github:dwertent
+  - github:matthyx
+  - github:rotemamsa
+  - github:slashben
 contribution-policy:
   accepts-pull-requests: true
   accepts-automated-pull-requests: false

SECURITY.md

@@ -1,7 +1,5 @@
-# Reporting Security Issues
+# Security
 
-To report a security issue or vulnerability, submit a [private vulnerability report via GitHub](https://github.com/kubescape/kubescape/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+The Kubescape project manages this document in the central project repository.
 
-The maintainers will respond within 7 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
-
-Other contacts: cncf-kubescape-maintainers@lists.cncf.io
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)

build.ps1

@@ -1,78 +0,0 @@
-# Defining input params
-param (
-    [string]$mode = "error"
-)
-
-# Function to install MSYS
-function Install {
-    Write-Host "Starting install..." -ForegroundColor Cyan
-
-    # Check to see if already installed
-    if (Test-Path "C:\MSYS64\") {
-        Write-Host "MSYS2 already installed" -ForegroundColor Green
-    } else {
-        # Create a temp directory
-        New-Item -Path "$PSScriptRoot\temp_install" -ItemType Directory > $null
-        
-        # Download MSYS
-        Write-Host "Downloading MSYS2..." -ForegroundColor Cyan
-        $bitsJobObj = Start-BitsTransfer "https://github.com/msys2/msys2-installer/releases/download/2022-06-03/msys2-x86_64-20220603.exe" -Destination "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe"
-        switch ($bitsJobObj.JobState) {
-            "Transferred" {
-                Complete-BitsTransfer -BitsJob $bitsJobObj
-                break
-            }
-            "Error" {
-                throw "Error downloading"
-            }
-        }
-        Write-Host "MSYS2 download complete" -ForegroundColor Green
-
-        # Install MSYS
-        Write-Host "Installing MSYS2..." -ForegroundColor Cyan
-        Start-Process -Filepath "$PSScriptRoot\temp_install\msys2-x86_64-20220603.exe" -ArgumentList @("install", "--root", "C:\MSYS64", "--confirm-command") -Wait
-        Write-Host "MSYS2 install complete" -ForegroundColor Green
-
-        # Remove temp directory
-        Remove-Item "$PSScriptRoot\temp_install" -Recurse
-    }
-
-    # Set PATH
-    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
-
-    # Install MSYS packages
-    Write-Host "Installing MSYS2 packages..." -ForegroundColor Cyan
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "make") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-cmake") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-gcc") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "mingw-w64-x86_64-pkg-config") -Wait
-    Start-Process -Filepath "pacman" -ArgumentList @("-S", "--needed", "--noconfirm", "msys2-w32api-runtime") -Wait
-    Write-Host "MSYS2 packages install complete" -ForegroundColor Green
-
-    Write-Host "Install complete" -ForegroundColor Green
-}
-
-# Function to build libgit2
-function Build {
-    Write-Host "Starting build..." -ForegroundColor Cyan
-
-    # Set PATH
-    $env:Path = "C:\MSYS64\mingw64\bin;C:\MSYS64\usr\bin;" + $env:Path
-
-    # Build
-    Start-Process -Filepath "make" -ArgumentList @("libgit2") -Wait -NoNewWindow
-
-    Write-Host "Build complete" -ForegroundColor Green
-}
-
-# Check user call mode
-if ($mode -eq "all") {
-    Install
-    Build
-} elseif ($mode -eq "install") {
-    Install
-} elseif ($mode -eq "build") {
-    Build
-} else {
-    Write-Host "Error: -mode should be one of (all|install|build)" -ForegroundColor Red
-}

build.py

@@ -1,97 +0,0 @@
-import os
-import sys
-import hashlib
-import platform
-import subprocess
-import tarfile
-
-BASE_GETTER_CONST = "github.com/kubescape/kubescape/v3/core/cautils/getter"
-CURRENT_PLATFORM = platform.system()
-
-platformSuffixes = {
-    "Windows": "windows-latest",
-    "Linux": "ubuntu-latest",
-    "Darwin": "macos-latest",
-}
-
-def check_status(status, msg):
-    if status != 0:
-        sys.stderr.write(msg)
-        exit(status)
-
-
-def get_build_dir():
-    return "build"
-
-
-def get_package_name():
-    if CURRENT_PLATFORM not in platformSuffixes: raise OSError("Platform %s is not supported!" % (CURRENT_PLATFORM))
-
-    # # TODO: kubescape-windows-latest is deprecated and should be removed
-    # if CURRENT_PLATFORM == "Windows": return "kubescape.exe"
-
-    package_name = "kubescape-"
-    if os.getenv("GOARCH"):
-        package_name += os.getenv("GOARCH") + "-"
-    return package_name + platformSuffixes[CURRENT_PLATFORM]
-
-
-def main():
-    print("Building Kubescape")
-
-    # Set some variables
-    package_name = get_package_name()
-    build_url = "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber"
-    release_version = os.getenv("RELEASE")
-
-    client_var = "github.com/kubescape/kubescape/v3/core/cautils.Client"
-    client_name = os.getenv("CLIENT")
-
-    # Create build directory
-    build_dir = get_build_dir()
-
-    ks_file = os.path.join(build_dir, package_name)
-    hash_file = ks_file + ".sha256"
-    tar_file = ks_file + ".tar.gz"
-
-    if not os.path.isdir(build_dir):
-        os.makedirs(build_dir)
-
-    # Build kubescape
-    ldflags = "-w -s"
-    if release_version:
-        ldflags += " -X {}={}".format(build_url, release_version)
-    if client_name:
-        ldflags += " -X {}={}".format(client_var, client_name)
-
-    build_command = ["go", "build", "-buildmode=pie", "-tags=static,gitenabled", "-o", ks_file, "-ldflags" ,ldflags]
-    if CURRENT_PLATFORM == "Windows":
-        os.putenv("CGO_ENABLED", "0")
-        build_command = ["go", "build", "-o", ks_file, "-ldflags", ldflags]
-
-    print("Building kubescape and saving here: {}".format(ks_file))
-    print("Build command: {}".format(" ".join(build_command)))
-
-    status = subprocess.call(build_command)
-    check_status(status, "Failed to build kubescape")
-
-    sha256 = hashlib.sha256()
-    with open(ks_file, "rb") as kube:
-        sha256.update(kube.read())
-        with open(hash_file, "w") as kube_sha:
-            hash = sha256.hexdigest()
-            print("kubescape hash: {}, file: {}".format(hash, hash_file))
-            kube_sha.write(sha256.hexdigest())
-
-    with tarfile.open(tar_file, 'w:gz') as archive:
-        name = "kubescape"
-        if CURRENT_PLATFORM == "Windows":
-            name += ".exe"
-        archive.add(ks_file, name)
-        archive.add("LICENSE", "LICENSE")
-
-    print("Build Done")
-
-
-if __name__ == "__main__":
-    main()

build/Dockerfile

@@ -1,20 +1,12 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
-
-ENV GO111MODULE=on CGO_ENABLED=0
-WORKDIR /work
-ARG TARGETOS TARGETARCH
-
-RUN --mount=target=. \
-    --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg \
-    cd httphandler && GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/ksserver .
-
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian13:nonroot
 
 USER nonroot
 WORKDIR /home/nonroot/
 
-COPY --from=builder /out/ksserver /usr/bin/ksserver
+ARG TARGETPLATFORM
+COPY $TARGETPLATFORM/downloader /usr/bin/downloader
+RUN ["downloader"]
+COPY $TARGETPLATFORM/ksserver /usr/bin/ksserver
 
 ARG image_version client
 ENV RELEASE=$image_version CLIENT=$client

build/Dockerfile.dockerignore

@@ -1,3 +1,2 @@
 .git
-git2go
 kubescape*

build/README.md

@@ -1,19 +1,241 @@
-## Docker Build
+# Building Kubescape
 
-### Build your own Docker image
+This guide covers how to build Kubescape from source.
 
-1. Clone Project
-```
-git clone https://github.com/kubescape/kubescape.git kubescape && cd "$_"
+## Table of Contents
+
+- [Prerequisites](#prerequisites)
+- [Building the CLI](#building-the-cli)
+- [Building Docker Images](#building-docker-images)
+- [Build Options](#build-options)
+- [Development Setup](#development-setup)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Prerequisites
+
+### Required
+
+- **Go 1.23+** - [Installation Guide](https://golang.org/doc/install)
+- **Git** - For cloning the repository
+- **Make** - For running build commands
+
+### Optional (for Docker builds)
+
+- **Docker** - [Installation Guide](https://docs.docker.com/get-docker/)
+- **Docker Buildx** - For multi-platform builds (included with Docker Desktop)
+- **GoReleaser** - [Installation Guide](https://goreleaser.com/install/)
+
+### Verify Prerequisites
+
+```bash
+go version    # Should be 1.23 or higher
+git --version
+make --version
+docker --version      # Optional
+goreleaser --version  # Optional
 ```
 
-2. Build kubescape CLI Docker image
-```
-make all
-docker buildx build -t kubescape-cli -f build/kubescape-cli.Dockerfile --build-arg="ks_binary=kubescape" --load .
+---
+
+## Building the CLI
+
+### Clone the Repository
+
+```bash
+git clone https://github.com/kubescape/kubescape.git
+cd kubescape
 ```
 
-3. Build kubescape Docker image
+### Build with Make
+
+```bash
+# Build for your current platform
+make build
+
+# The binary will be at ./kubescape
+./kubescape version
 ```
-docker buildx build -t kubescape -f build/Dockerfile --load .
+
+### Build Directly with Go
+
+```bash
+go build -o kubescape .
 ```
+
+### Build with GoReleaser
+
+```bash
+# Build for your current platform
+RELEASE=v0.0.1 CLIENT=local goreleaser build --snapshot --clean --single-target
+```
+
+### Cross-Compilation
+
+Build for different platforms:
+
+```bash
+# Linux (amd64)
+GOOS=linux GOARCH=amd64 go build -o kubescape-linux-amd64 .
+
+# Linux (arm64)
+GOOS=linux GOARCH=arm64 go build -o kubescape-linux-arm64 .
+
+# macOS (amd64)
+GOOS=darwin GOARCH=amd64 go build -o kubescape-darwin-amd64 .
+
+# macOS (arm64 / Apple Silicon)
+GOOS=darwin GOARCH=arm64 go build -o kubescape-darwin-arm64 .
+
+# Windows (amd64)
+GOOS=windows GOARCH=amd64 go build -o kubescape-windows-amd64.exe .
+```
+
+---
+
+## Building Docker Images
+
+Kubescape uses [GoReleaser](https://goreleaser.com/) to build its Docker images. The Dockerfiles are specifically designed to work with GoReleaser's build pipeline, which handles cross-compilation and places binaries in the expected directory structure.
+
+### Build with GoReleaser
+
+The recommended way to build Docker images locally is using GoReleaser. Note that `RELEASE`, `CLIENT`, and `RUN_E2E` environment variables are required:
+
+```bash
+# Build all artifacts and Docker images locally without publishing
+# --skip=before,krew,nfpm,sbom skips unnecessary steps for faster local builds
+RELEASE=v0.0.1 CLIENT=local RUN_E2E=false goreleaser release --snapshot --clean --skip=before,nfpm,sbom
+```
+
+Please read the [GoReleaser documentation](https://goreleaser.com/customization/dockers_v2/#testing-locally) for more details on using it for local testing.
+
+---
+
+## Build Options
+
+### Make Targets
+
+| Target | Description |
+|--------|-------------|
+| `make build` | Build the Kubescape binary |
+| `make test` | Run unit tests |
+| `make all` | Build everything |
+| `make clean` | Remove build artifacts |
+
+### Build Tags
+
+You can use Go build tags to customize the build:
+
+```bash
+# Example with build tags
+go build -tags "netgo" -o kubescape .
+```
+
+### Version Information
+
+To embed version information in the build:
+
+```bash
+VERSION=$(git describe --tags --always)
+BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+COMMIT=$(git rev-parse HEAD)
+
+go build -ldflags "-X main.version=$VERSION -X main.buildDate=$BUILD_DATE -X main.commit=$COMMIT" -o kubescape .
+```
+
+---
+
+## Development Setup
+
+### Install Development Dependencies
+
+```bash
+# Install golangci-lint for linting
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
+# Install other tools as needed
+go mod download
+```
+
+### Run Tests
+
+```bash
+# Run all tests
+make test
+
+# Run tests with coverage
+go test -cover ./...
+
+# Run specific package tests
+go test ./core/...
+```
+
+### Run Linter
+
+```bash
+golangci-lint run
+```
+
+### Code Formatting
+
+```bash
+go fmt ./...
+```
+
+---
+
+## Troubleshooting
+
+### Build Fails with "module not found"
+
+```bash
+# Update dependencies
+go mod tidy
+go mod download
+```
+
+### CGO-related Errors
+
+If you encounter CGO errors, try building with CGO disabled:
+
+```bash
+CGO_ENABLED=0 go build -o kubescape .
+```
+
+### Docker Build Fails
+
+Ensure Docker daemon is running and you have sufficient permissions.
+
+If you encounter an error like `failed to calculate checksum ... "/linux/amd64/kubescape": not found`, it usually means you are trying to run `docker build` manually. Because the Dockerfiles are optimized for GoReleaser, you should use the `goreleaser release --snapshot` command described in the [Building Docker Images](#building-docker-images) section instead.
+
+```bash
+# Check Docker status
+docker info
+```
+
+### Out of Memory During Build
+
+For systems with limited memory:
+
+```bash
+# Limit Go's memory usage
+GOGC=50 go build -o kubescape .
+```
+
+---
+
+## Dockerfiles
+
+| File | Description |
+|------|-------------|
+| `build/Dockerfile` | Full Kubescape image with HTTP handler |
+| `build/kubescape-cli.Dockerfile` | Minimal CLI-only image |
+
+---
+
+## Related Documentation
+
+- [Contributing Guide](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)
+- [Architecture](../docs/architecture.md)
+- [Getting Started](../docs/getting-started.md)

build/goreleaser-post-e2e.sh

@@ -0,0 +1,151 @@
+#!/usr/bin/env sh
+#
+# goreleaser-post-e2e.sh
+#
+# A small, robust POSIX shell script intended to be called from the goreleaser
+# `builds[].hooks.post` entry. It is responsible for optionally running the
+# repository smoke tests against the artifact produced in `dist/`.
+#
+# Usage:
+#   RUN_E2E=true        -> enable running smoke tests
+#   E2E_FAIL_ON_ERROR=1 -> (default) treat test failures as fatal (exit non-zero)
+#   E2E_FAIL_ON_ERROR=0 -> treat test failures as non-fatal (log, but exit 0)
+#
+# The script is written to be defensive and to work under /bin/sh on CI runners.
+# Use POSIX-safe flags only.
+set -eu
+
+# Helper for logging
+_now() {
+  date --iso-8601=seconds 2>/dev/null || date
+}
+log() {
+  printf '%s [goreleaser-post-e2e] %s\n' "$(_now)" "$*"
+}
+
+# GitHub Actions log grouping helpers (no-op outside Actions)
+gha_group_start() {
+  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
+    # Titles must be on a single line
+    printf '::group::%s\n' "$*"
+  fi
+}
+gha_group_end() {
+  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
+    printf '::endgroup::\n'
+  fi
+}
+
+# Small helper to interpret various truthy forms (1/true/yes/y)
+is_true() {
+  case "${1:-}" in
+    1|true|TRUE|yes|YES|y|Y) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# Determine repo root relative to this script (script is expected to live in kubescape/build/)
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+: "${RUN_E2E:=false}"
+# Default to fatal E2E failures.
+: "${E2E_FAIL_ON_ERROR:=1}"
+
+log "Starting goreleaser post-build e2e script"
+log "RUN_E2E=${RUN_E2E}"
+log "E2E_FAIL_ON_ERROR=${E2E_FAIL_ON_ERROR}"
+
+# Only run on linux/amd64 to avoid running multiple times (once per build)
+# and to ensure we can run the binary on the current host (assuming host is amd64).
+if [ -n "${GOARCH:-}" ] && [ "${GOARCH}" != "amd64" ]; then
+  log "Skipping smoke tests for non-amd64 build (GOARCH=${GOARCH})."
+  exit 0
+fi
+
+if ! is_true "${RUN_E2E}"; then
+  log "RUN_E2E is not enabled. Skipping smoke tests. (RUN_E2E=${RUN_E2E})"
+  exit 0
+fi
+
+# Locate the amd64 artifact in dist/.
+# Goreleaser v2 puts binaries in dist/<id>_<os>_<arch>_<version>/<binary>
+# Example: dist/cli_linux_amd64_v1/kubescape
+ART_PATH=""
+if [ -d "$REPO_ROOT/dist" ]; then
+  # Find any file named 'kubescape' inside a directory containing 'linux_amd64' inside 'dist'
+  # We use 'find' for robustness against varying directory names
+  ART_PATH=$(find "$REPO_ROOT/dist" -type f -name "kubescape" -path "*linux_amd64*" | head -n 1)
+fi
+
+if [ -z "$ART_PATH" ] || [ ! -f "$ART_PATH" ]; then
+  log "No kubescape artifact found in dist/ matching *linux_amd64*/kubescape. Skipping smoke tests."
+  # If we are supposed to run E2E, not finding the artifact is probably an error.
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+     log "E2E_FAIL_ON_ERROR enabled -> failing because artifact was not found."
+     exit 1
+  fi
+  exit 0
+fi
+
+log "Using artifact: $ART_PATH"
+# Make binary executable if it is a binary
+chmod +x "$ART_PATH" >/dev/null 2>&1 || true
+
+# Locate python runner
+PYTHON=""
+if command -v python3 >/dev/null 2>&1; then
+  PYTHON=python3
+elif command -v python >/dev/null 2>&1; then
+  PYTHON=python
+fi
+
+if [ -z "$PYTHON" ]; then
+  log "python3 (or python) not found in PATH."
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release because python is missing."
+    exit 2
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing without running tests."
+    exit 0
+  fi
+fi
+
+# Check for smoke test runner
+SMOKE_RUNNER="$REPO_ROOT/smoke_testing/init.py"
+if [ ! -f "$SMOKE_RUNNER" ]; then
+  log "Smoke test runner not found at $SMOKE_RUNNER"
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release because smoke runner is missing."
+    exit 3
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing without running tests."
+    exit 0
+  fi
+fi
+
+gha_group_start "Smoke tests"
+log "Running smoke tests with $PYTHON $SMOKE_RUNNER \"$ART_PATH\""
+# Run the test runner, propagate exit code
+set +e
+RELEASE="${RELEASE:-}" "$PYTHON" "$SMOKE_RUNNER" "$ART_PATH"
+rc=$?
+set -e
+
+if [ $rc -eq 0 ]; then
+  log "Smoke tests passed (exit code 0)."
+fi
+
+log "Smoke tests exited with code: $rc"
+gha_group_end
+
+if [ $rc -ne 0 ]; then
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release (exit code $rc)."
+    exit $rc
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing despite test failures."
+  fi
+fi
+
+exit 0

build/kubescape-cli.Dockerfile

@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/base-debian11:debug-nonroot
+FROM gcr.io/distroless/static-debian13:debug-nonroot
 
 USER nonroot
 WORKDIR /home/nonroot/
@@ -6,7 +6,8 @@ WORKDIR /home/nonroot/
 ARG image_version client TARGETARCH
 ENV RELEASE=$image_version CLIENT=$client
 
-COPY kubescape-${TARGETARCH}-ubuntu-latest /usr/bin/kubescape
+ARG TARGETPLATFORM
+COPY $TARGETPLATFORM/kubescape /usr/bin/kubescape
 RUN ["kubescape", "download", "artifacts"]
 
 ENTRYPOINT ["kubescape"]

build/kubescape-cli.Dockerfile.dockerignore

@@ -1,2 +1 @@
 .git
-git2go

cmd/config/delete.go

@@ -1,9 +1,7 @@
 package config
 
 import (
-	"context"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
@@ -15,7 +13,7 @@ func getDeleteCmd(ks meta.IKubescape) *cobra.Command {
 		Short: "Delete cached configurations",
 		Long:  ``,
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := ks.DeleteCachedConfig(context.TODO(), &v1.DeleteConfig{}); err != nil {
+			if err := ks.DeleteCachedConfig(&v1.DeleteConfig{}); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 		},

cmd/config/set.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"

cmd/config/view.go

@@ -3,7 +3,7 @@ package config
 import (
 	"os"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"

cmd/download/download.go

@@ -1,18 +1,17 @@
 package download
 
 import (
-	"context"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )
 
 var (
@@ -74,11 +73,9 @@ func GetDownloadCmd(ks meta.IKubescape) *cobra.Command {
 
 			downloadInfo.Target = args[0]
 			if len(args) >= 2 {
-
 				downloadInfo.Identifier = args[1]
-
 			}
-			if err := ks.Download(context.TODO(), &downloadInfo); err != nil {
+			if err := ks.Download(&downloadInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil

cmd/fix/fix.go

@@ -1,14 +1,12 @@
 package fix
 
 import (
-	"context"
 	"errors"
 	"fmt"
 
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-
 	"github.com/spf13/cobra"
 )
 
@@ -36,7 +34,7 @@ func GetFixCmd(ks meta.IKubescape) *cobra.Command {
 			}
 			fixInfo.ReportFile = args[0]
 
-			return ks.Fix(context.TODO(), &fixInfo)
+			return ks.Fix(&fixInfo)
 		},
 	}
 

cmd/list/list.go

@@ -1,18 +1,17 @@
 package list
 
 import (
-	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 )
 
 var (
@@ -27,7 +26,7 @@ var (
   %[1]s list controls
   
   Control documentation:
-  https://hub.armosec.io/docs/controls
+  https://kubescape.io/docs/controls/
 `, cautils.ExecName())
 )
 
@@ -62,7 +61,7 @@ func GetListCmd(ks meta.IKubescape) *cobra.Command {
 
 			listPolicies.Target = args[0]
 
-			if err := ks.List(context.TODO(), &listPolicies); err != nil {
+			if err := ks.List(&listPolicies); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			return nil

cmd/mcpserver/mcpserver.go

@@ -0,0 +1,499 @@
+package mcpserver
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/kubescape/go-logger"
+	helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers"
+	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
+	spdxv1beta1 "github.com/kubescape/storage/pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type KubescapeMcpserver struct {
+	s        *server.MCPServer
+	ksClient spdxv1beta1.SpdxV1beta1Interface
+}
+
+func createVulnerabilityToolsAndResources(ksServer *KubescapeMcpserver) {
+	// Tool to list vulnerability manifests
+	listManifestsTool := mcp.NewTool(
+		"list_vulnerability_manifests",
+		mcp.WithDescription("Discover available vulnerability manifests at image and workload levels"),
+		mcp.WithString("namespace",
+			mcp.Description("Filter by namespace (optional)"),
+		),
+		mcp.WithString("level",
+			mcp.Description("Type of vulnerability manifests to list"),
+			mcp.Enum("image", "workload", "both"),
+		),
+	)
+
+	ksServer.s.AddTool(listManifestsTool, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		return ksServer.CallTool("list_vulnerability_manifests", request.Params.Arguments.(map[string]interface{}))
+	})
+
+	listVulnerabilitiesTool := mcp.NewTool(
+		"list_vulnerabilities_in_manifest",
+		mcp.WithDescription("List all vulnerabilities in a given manifest"),
+		mcp.WithString("namespace",
+			mcp.Description("Filter by namespace (optional)"),
+		),
+		mcp.WithString("manifest_name",
+			mcp.Required(),
+			mcp.Description("Name of the manifest to list vulnerabilities from"),
+		),
+	)
+
+	ksServer.s.AddTool(listVulnerabilitiesTool, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		return ksServer.CallTool("list_vulnerabilities_in_manifest", request.Params.Arguments.(map[string]interface{}))
+	})
+
+	listVulnerabilityMatchesForCVE := mcp.NewTool(
+		"list_vulnerability_matches_for_cve",
+		mcp.WithDescription("List all vulnerability matches for a given CVE in a given manifest"),
+		mcp.WithString("namespace",
+			mcp.Description("Filter by namespace (optional)"),
+		),
+		mcp.WithString("manifest_name",
+			mcp.Required(),
+			mcp.Description("Name of the manifest to list vulnerabilities from"),
+		),
+		mcp.WithString("cve_id",
+			mcp.Required(),
+			mcp.Description("ID of the CVE to list matches for"),
+		),
+	)
+
+	ksServer.s.AddTool(listVulnerabilityMatchesForCVE, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		return ksServer.CallTool("list_vulnerability_matches_for_cve", request.Params.Arguments.(map[string]interface{}))
+	})
+
+	vulnerabilityManifestTemplate := mcp.NewResourceTemplate(
+		"kubescape://vulnerability-manifests/{namespace}/{manifest_name}",
+		"Vulnerability Manifest",
+		mcp.WithTemplateDescription("Complete vulnerability manifest either for a specific workload or image. Use 'list_vulnerability_manifests' tool to discover available manifests."),
+		mcp.WithTemplateMIMEType("application/json"),
+	)
+
+	ksServer.s.AddResourceTemplate(vulnerabilityManifestTemplate, ksServer.ReadResource)
+
+}
+
+func createConfigurationsToolsAndResources(ksServer *KubescapeMcpserver) {
+	// Tool to list configuration manifests
+	listConfigsTool := mcp.NewTool(
+		"list_configuration_security_scan_manifests",
+		mcp.WithDescription("Discover available security configuration scan results at workload level (this returns a list of manifests, not the scan results themselves, to get the scan results, use the get_configuration_security_scan_manifest tool)"),
+		mcp.WithString("namespace",
+			mcp.Description("Filter by namespace (optional)"),
+		),
+	)
+
+	ksServer.s.AddTool(listConfigsTool, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		return ksServer.CallTool("list_configuration_security_scan_manifests", request.Params.Arguments.(map[string]interface{}))
+	})
+
+	getConfigDetailsTool := mcp.NewTool(
+		"get_configuration_security_scan_manifest",
+		mcp.WithDescription("Get details of a specific security configuration scan result"),
+		mcp.WithString("namespace",
+			mcp.Description("Namespace of the manifest (optional, defaults to 'kubescape')"),
+		),
+		mcp.WithString("manifest_name",
+			mcp.Required(),
+			mcp.Description("Name of the configuration manifest to get details for (get this from the list_configuration_security_scan_manifests tool)"),
+		),
+	)
+
+	ksServer.s.AddTool(getConfigDetailsTool, func(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+		return ksServer.CallTool("get_configuration_security_scan_manifest", request.Params.Arguments.(map[string]interface{}))
+	})
+
+	configManifestTemplate := mcp.NewResourceTemplate(
+		"kubescape://configuration-manifests/{namespace}/{manifest_name}",
+		"Configuration Security Scan Manifest",
+		mcp.WithTemplateDescription("Complete configuration scan manifest for a specific workload. Use 'list_configuration_security_scan_manifests' tool to discover available manifests."),
+		mcp.WithTemplateMIMEType("application/json"),
+	)
+
+	ksServer.s.AddResourceTemplate(configManifestTemplate, ksServer.ReadConfigurationResource)
+}
+
+func (ksServer *KubescapeMcpserver) ReadResource(ctx context.Context, request mcp.ReadResourceRequest) ([]mcp.ResourceContents, error) {
+	uri := request.Params.URI
+	// Validate the URI and check if it starts with kubescape://vulnerability-manifests/
+	if !strings.HasPrefix(uri, "kubescape://vulnerability-manifests/") {
+		return nil, fmt.Errorf("invalid URI: %s", uri)
+	}
+
+	// Verify that the URI is either the CVE list or CVE details
+	if !strings.HasSuffix(uri, "/cve_list") && !strings.Contains(uri, "/cve_details/") {
+		return nil, fmt.Errorf("invalid URI: %s", uri)
+	}
+
+	// Split the URI into namespace and manifest name
+	parts := strings.Split(uri, "/")
+	if len(parts) != 4 && len(parts) != 5 {
+		return nil, fmt.Errorf("invalid URI: %s", uri)
+	}
+
+	namespace := parts[1]
+	manifestName := parts[2]
+	cveID := ""
+	if len(parts) == 5 {
+		cveID = parts[3]
+	}
+
+	// Get the vulnerability manifest
+	manifest, err := ksServer.ksClient.VulnerabilityManifests(namespace).Get(ctx, manifestName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get vulnerability manifest: %s", err)
+	}
+
+	var responseJson []byte
+	if cveID == "" {
+		// CVE list
+		var cveList []v1beta1.Vulnerability
+		for _, match := range manifest.Spec.Payload.Matches {
+			cveList = append(cveList, match.Vulnerability)
+		}
+		responseJson, err = json.Marshal(cveList)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal cve list: %s", err)
+		}
+	} else {
+		// CVE details
+		var match []v1beta1.Match
+		for _, m := range manifest.Spec.Payload.Matches {
+			if m.Vulnerability.ID == cveID {
+				match = append(match, m)
+			}
+		}
+		responseJson, err = json.Marshal(match)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal cve details: %s", err)
+		}
+	}
+
+	return []mcp.ResourceContents{mcp.TextResourceContents{
+		URI:  uri,
+		Text: string(responseJson),
+	}}, nil
+}
+
+func (ksServer *KubescapeMcpserver) ReadConfigurationResource(ctx context.Context, request mcp.ReadResourceRequest) ([]mcp.ResourceContents, error) {
+	uri := request.Params.URI
+	if !strings.HasPrefix(uri, "kubescape://configuration-manifests/") {
+		return nil, fmt.Errorf("invalid URI: %s", uri)
+	}
+	parts := strings.Split(uri[len("kubescape://configuration-manifests/"):], "/")
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("invalid URI: %s", uri)
+	}
+	namespace := parts[0]
+	manifestName := parts[1]
+	manifest, err := ksServer.ksClient.WorkloadConfigurationScans(namespace).Get(ctx, manifestName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get configuration manifest: %s", err)
+	}
+	responseJson, err := json.Marshal(manifest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal configuration manifest: %s", err)
+	}
+	return []mcp.ResourceContents{mcp.TextResourceContents{
+		URI:  uri,
+		Text: string(responseJson),
+	}}, nil
+}
+
+func (ksServer *KubescapeMcpserver) CallTool(name string, arguments map[string]interface{}) (*mcp.CallToolResult, error) {
+	switch name {
+	case "list_vulnerability_manifests":
+		//namespace, ok := arguments["namespace"]
+		//if !ok {
+		//	namespace = ""
+		//}
+		level, ok := arguments["level"]
+		if !ok {
+			level = "both"
+		}
+
+		result := map[string]interface{}{
+			"vulnerability_manifests": map[string]interface{}{},
+		}
+
+		// Get workload-level manifests
+		labelSelector := ""
+		switch level {
+		case "workload":
+			labelSelector = "kubescape.io/context=filtered"
+		case "image":
+			labelSelector = "kubescape.io/context=non-filtered"
+		}
+
+		var manifests *v1beta1.VulnerabilityManifestList
+		var err error
+		if labelSelector == "" {
+			manifests, err = ksServer.ksClient.VulnerabilityManifests(metav1.NamespaceAll).List(context.Background(), metav1.ListOptions{})
+		} else {
+			manifests, err = ksServer.ksClient.VulnerabilityManifests(metav1.NamespaceAll).List(context.Background(), metav1.ListOptions{
+				LabelSelector: labelSelector,
+			})
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		log.Printf("Found %d manifests", len(manifests.Items))
+
+		vulnerabilityManifests := []map[string]interface{}{}
+		for _, manifest := range manifests.Items {
+			isImageLevel := manifest.Annotations[helpersv1.WlidMetadataKey] == ""
+			manifestMap := map[string]interface{}{
+				"type":                    "workload",
+				"namespace":               manifest.Namespace,
+				"manifest_name":           manifest.Name,
+				"image-level":             isImageLevel,
+				"workload-level":          !isImageLevel,
+				"image-id":                manifest.Annotations[helpersv1.ImageIDMetadataKey],
+				"image-tag":               manifest.Annotations[helpersv1.ImageTagMetadataKey],
+				"workload-id":             manifest.Annotations[helpersv1.WlidMetadataKey],
+				"workload-container-name": manifest.Annotations[helpersv1.ContainerNameMetadataKey],
+				"resource_uri": fmt.Sprintf("kubescape://vulnerability-manifests/%s/%s",
+					manifest.Namespace, manifest.Name),
+			}
+			vulnerabilityManifests = append(vulnerabilityManifests, manifestMap)
+		}
+		result["vulnerability_manifests"].(map[string]interface{})["manifests"] = vulnerabilityManifests
+
+		// Add template information
+		result["available_templates"] = map[string]string{
+			"vulnerability_manifest_cve_list":    "kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_list",
+			"vulnerability_manifest_cve_details": "kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_details/{cve_id}",
+		}
+
+		content, _ := json.Marshal(result)
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(content),
+				},
+			},
+		}, nil
+	case "list_vulnerabilities_in_manifest":
+		namespace, ok := arguments["namespace"]
+		if !ok {
+			namespace = "kubescape"
+		}
+		namespaceStr, ok := namespace.(string)
+		if !ok {
+			return nil, fmt.Errorf("namespace must be a string")
+		}
+		manifestName, ok := arguments["manifest_name"]
+		if !ok {
+			return nil, fmt.Errorf("manifest_name is required")
+		}
+		manifestNameStr, ok := manifestName.(string)
+		if !ok {
+			return nil, fmt.Errorf("manifest_name must be a string")
+		}
+		manifest, err := ksServer.ksClient.VulnerabilityManifests(namespaceStr).Get(context.Background(), manifestNameStr, metav1.GetOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("failed to get vulnerability manifest: %s", err)
+		}
+		var cveList []v1beta1.Vulnerability
+		for _, match := range manifest.Spec.Payload.Matches {
+			cveList = append(cveList, match.Vulnerability)
+		}
+		responseJson, err := json.Marshal(cveList)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal cve list: %s", err)
+		}
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(responseJson),
+				},
+			},
+		}, nil
+	case "list_vulnerability_matches_for_cve":
+		namespace, ok := arguments["namespace"]
+		if !ok {
+			namespace = "kubescape"
+		}
+		namespaceStr, ok := namespace.(string)
+		if !ok {
+			return nil, fmt.Errorf("namespace must be a string")
+		}
+		manifestName, ok := arguments["manifest_name"]
+		if !ok {
+			return nil, fmt.Errorf("manifest_name is required")
+		}
+		manifestNameStr, ok := manifestName.(string)
+		if !ok {
+			return nil, fmt.Errorf("manifest_name must be a string")
+		}
+		cveID, ok := arguments["cve_id"]
+		if !ok {
+			return nil, fmt.Errorf("cve_id is required")
+		}
+		cveIDStr, ok := cveID.(string)
+		if !ok {
+			return nil, fmt.Errorf("cve_id must be a string")
+		}
+		manifest, err := ksServer.ksClient.VulnerabilityManifests(namespaceStr).Get(context.Background(), manifestNameStr, metav1.GetOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("failed to get vulnerability manifest: %s", err)
+		}
+		var match []v1beta1.Match
+		for _, m := range manifest.Spec.Payload.Matches {
+			if m.Vulnerability.ID == cveIDStr {
+				match = append(match, m)
+			}
+		}
+		responseJson, err := json.Marshal(match)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal cve details: %s", err)
+		}
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(responseJson),
+				},
+			},
+		}, nil
+	case "list_configuration_security_scan_manifests":
+		namespace, ok := arguments["namespace"]
+		if !ok {
+			namespace = "kubescape"
+		}
+		namespaceStr, ok := namespace.(string)
+		if !ok {
+			return nil, fmt.Errorf("namespace must be a string")
+		}
+		manifests, err := ksServer.ksClient.WorkloadConfigurationScans(namespaceStr).List(context.Background(), metav1.ListOptions{})
+		if err != nil {
+			return nil, err
+		}
+		log.Printf("Found %d configuration manifests", len(manifests.Items))
+		configManifests := []map[string]interface{}{}
+		for _, manifest := range manifests.Items {
+			item := map[string]interface{}{
+				"namespace":     manifest.Namespace,
+				"manifest_name": manifest.Name,
+				"resource_uri":  fmt.Sprintf("kubescape://configuration-manifests/%s/%s", manifest.Namespace, manifest.Name),
+			}
+			configManifests = append(configManifests, item)
+		}
+		result := map[string]interface{}{
+			"configuration_manifests": map[string]interface{}{
+				"manifests": configManifests,
+			},
+			"available_templates": map[string]string{
+				"configuration_manifest_details": "kubescape://configuration-manifests/{namespace}/{manifest_name}",
+			},
+		}
+		content, _ := json.Marshal(result)
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(content),
+				},
+			},
+		}, nil
+	case "get_configuration_security_scan_manifest":
+		namespace, ok := arguments["namespace"]
+		if !ok {
+			namespace = "kubescape"
+		}
+		namespaceStr, ok := namespace.(string)
+		if !ok {
+			return nil, fmt.Errorf("namespace must be a string")
+		}
+		manifestName, ok := arguments["manifest_name"]
+		if !ok {
+			return nil, fmt.Errorf("manifest_name is required")
+		}
+		manifestNameStr, ok := manifestName.(string)
+		if !ok {
+			return nil, fmt.Errorf("manifest_name must be a string")
+		}
+		manifest, err := ksServer.ksClient.WorkloadConfigurationScans(namespaceStr).Get(context.Background(), manifestNameStr, metav1.GetOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("failed to get configuration manifest: %s", err)
+		}
+		responseJson, err := json.Marshal(manifest)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal configuration manifest: %s", err)
+		}
+		return &mcp.CallToolResult{
+			Content: []mcp.Content{
+				mcp.TextContent{
+					Type: "text",
+					Text: string(responseJson),
+				},
+			},
+		}, nil
+	default:
+		return nil, fmt.Errorf("unknown tool: %s", name)
+	}
+}
+
+func mcpServerEntrypoint() error {
+	logger.L().Info("Starting MCP server...")
+
+	// Create a kubernetes client and verify it's working
+	client, err := CreateKsObjectConnection("default", 10*time.Second)
+	if err != nil {
+		return fmt.Errorf("failed to create kubernetes client: %v", err)
+	}
+
+	// Create a new MCP server
+	s := server.NewMCPServer(
+		"Kubescape MCP Server",
+		"0.0.1",
+		server.WithToolCapabilities(false),
+		server.WithRecovery(),
+	)
+
+	ksServer := &KubescapeMcpserver{
+		s:        s,
+		ksClient: client,
+	}
+
+	// Creating Kubescape tools and resources
+
+	createVulnerabilityToolsAndResources(ksServer)
+	createConfigurationsToolsAndResources(ksServer)
+
+	// Start the server
+	if err := server.ServeStdio(s); err != nil {
+		return fmt.Errorf("server error: %v", err)
+	}
+	return nil
+}
+
+func GetMCPServerCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "mcpserver",
+		Short: "Start the Kubescape MCP server",
+		Long:  `Start the Kubescape MCP server`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return mcpServerEntrypoint()
+		},
+	}
+	return cmd
+}

cmd/mcpserver/storage.go

@@ -0,0 +1,14 @@
+package mcpserver
+
+import (
+	"time"
+
+	"github.com/kubescape/kubescape/v3/pkg/ksinit"
+
+	spdxv1beta1 "github.com/kubescape/storage/pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1"
+)
+
+// CreateKsObjectConnection delegates to the shared ksinit package
+func CreateKsObjectConnection(namespace string, maxElapsedTime time.Duration) (spdxv1beta1.SpdxV1beta1Interface, error) {
+	return ksinit.CreateKsObjectConnection(namespace, maxElapsedTime)
+}

cmd/operator/operator.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
 	"github.com/spf13/cobra"
 )
 
@@ -15,7 +14,7 @@ const (
 )
 
 var operatorExamples = fmt.Sprintf(`
-  
+
   # Trigger a configuration scan
   %[1]s operator scan configurations
 
@@ -35,16 +34,16 @@ func GetOperatorCmd(ks meta.IKubescape) *cobra.Command {
 		Args: func(cmd *cobra.Command, args []string) error {
 			operatorInfo.Subcommands = append(operatorInfo.Subcommands, "operator")
 			if len(args) < 2 {
-				return errors.New("For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above.")
+				return errors.New("for the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above")
 			}
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) < 2 {
-				return errors.New("For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above.")
+				return errors.New("for the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above")
 			}
 			if args[0] != scanSubCommand {
-				return errors.New(fmt.Sprintf("For the operator sub-command, only %s is supported. Refer to the examples above.", scanSubCommand))
+				return fmt.Errorf("for the operator sub-command, only %s is supported. Refer to the examples above", scanSubCommand)
 			}
 			return nil
 		},

cmd/operator/operator_test.go

@@ -21,7 +21,7 @@ func TestGetOperatorCmd(t *testing.T) {
 	assert.Equal(t, operatorExamples, cmd.Example)
 
 	err := cmd.Args(&cobra.Command{}, []string{})
-	expectedErrorMessage := "For the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above."
+	expectedErrorMessage := "for the operator sub-command, you need to provide at least one additional sub-command. Refer to the examples above"
 	assert.Equal(t, expectedErrorMessage, err.Error())
 
 	err = cmd.Args(&cobra.Command{}, []string{"scan", "configurations"})
@@ -37,6 +37,6 @@ func TestGetOperatorCmd(t *testing.T) {
 	assert.Equal(t, expectedErrorMessage, err.Error())
 
 	err = cmd.RunE(&cobra.Command{}, []string{"random-subcommand", "random-config"})
-	expectedErrorMessage = "For the operator sub-command, only " + scanSubCommand + " is supported. Refer to the examples above."
+	expectedErrorMessage = "for the operator sub-command, only " + scanSubCommand + " is supported. Refer to the examples above"
 	assert.Equal(t, expectedErrorMessage, err.Error())
 }

cmd/operator/scan.go

@@ -32,7 +32,7 @@ func getOperatorScanCmd(ks meta.IKubescape, operatorInfo cautils.OperatorInfo) *
 				return errors.New("for operator scan sub command, you must pass at least 1 more sub commands, see above examples")
 			}
 			if (args[0] != vulnerabilitiesSubCommand) && (args[0] != configurationsSubCommand) {
-				return errors.New(fmt.Sprintf("For the operator sub-command, only %s and %s are supported. Refer to the examples above.", vulnerabilitiesSubCommand, configurationsSubCommand))
+				return fmt.Errorf("for the operator sub-command, only %s and %s are supported. Refer to the examples above", vulnerabilitiesSubCommand, configurationsSubCommand)
 			}
 			return nil
 		},

cmd/operator/scan_test.go

@@ -41,6 +41,6 @@ func TestGetOperatorScanCmd(t *testing.T) {
 	assert.Nil(t, err)
 
 	err = cmd.RunE(&cobra.Command{}, []string{"random"})
-	expectedErrorMessage = "For the operator sub-command, only " + vulnerabilitiesSubCommand + " and " + configurationsSubCommand + " are supported. Refer to the examples above."
+	expectedErrorMessage = "for the operator sub-command, only " + vulnerabilitiesSubCommand + " and " + configurationsSubCommand + " are supported. Refer to the examples above"
 	assert.Equal(t, expectedErrorMessage, err.Error())
 }

cmd/patch/README.md

@@ -47,6 +47,7 @@ The patch command can be run in 2 ways:
 | -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
 | -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
 | --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| --ignore-errors| Ignore errors during patching                          | No       | false                               |
 | -u, --username | Username for the image registry login                  | No       |                                     |
 | -p, --password | Password for the image registry login                  | No       |                                     |
 | -f, --format   | Output file format.                                    | No       |                                     |
@@ -72,7 +73,7 @@ We will demonstrate how to use the patch command with an example of [nginx](http
     sudo buildkitd
     ```
 
-2. In a seperate terminal, run the `kubescape patch` command: 
+2. In a separate terminal, run the `kubescape patch` command: 
     
     ```bash
     sudo kubescape patch --image docker.io/library/nginx:1.22

cmd/patch/patch.go

@@ -1,22 +1,17 @@
 package patch
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 
-	ref "github.com/distribution/distribution/reference"
-	"github.com/docker/distribution/reference"
-
+	"github.com/distribution/reference"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-	"github.com/kubescape/kubescape/v3/pkg/imagescan"
-
 	"github.com/spf13/cobra"
 )
 
@@ -32,6 +27,7 @@ var patchCmdExamples = fmt.Sprintf(`
 func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 	var patchInfo metav1.PatchInfo
 	var scanInfo cautils.ScanInfo
+	var useDefaultMatchers bool
 
 	patchCmd := &cobra.Command{
 		Use:     "patch --image <image>:<tag> [flags]",
@@ -53,12 +49,15 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 				return err
 			}
 
-			results, err := ks.Patch(context.Background(), &patchInfo, &scanInfo)
+			// Set the UseDefaultMatchers field in scanInfo
+			scanInfo.UseDefaultMatchers = useDefaultMatchers
+
+			exceedsSeverityThreshold, err := ks.Patch(&patchInfo, &scanInfo)
 			if err != nil {
 				return err
 			}
 
-			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+			if exceedsSeverityThreshold {
 				shared.TerminateOnExceedingSeverity(&scanInfo, logger.L())
 			}
 
@@ -70,6 +69,7 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
 	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+	patchCmd.PersistentFlags().BoolVar(&patchInfo.IgnoreError, "ignore-errors", false, "Ignore errors and continue patching other images. Default to false")
 
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Username, "username", "u", "", "Username for registry login")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Password, "password", "p", "", "Password for registry login")
@@ -79,6 +79,7 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 	patchCmd.PersistentFlags().BoolVarP(&scanInfo.VerboseMode, "verbose", "v", false, "Display full report. Default to false")
 
 	patchCmd.PersistentFlags().StringVarP(&scanInfo.FailThresholdSeverity, "severity-threshold", "s", "", "Severity threshold is the severity of a vulnerability at which the command fails and returns exit code 1")
+	patchCmd.PersistentFlags().BoolVarP(&useDefaultMatchers, "use-default-matchers", "", true, "Use default matchers (true) or CPE matchers (false) for image scanning")
 
 	return patchCmd
 }
@@ -97,22 +98,22 @@ func validateImagePatchInfo(patchInfo *metav1.PatchInfo) error {
 	}
 
 	// Parse the image full name to get image name and tag
-	named, err := ref.ParseNamed(patchInfoImage)
+	named, err := reference.ParseNamed(patchInfoImage)
 	if err != nil {
 		return err
 	}
 
 	// If no tag or digest is provided, default to 'latest'
-	if ref.IsNameOnly(named) {
+	if reference.IsNameOnly(named) {
 		logger.L().Warning("Image name has no tag or digest, using latest as tag")
-		named = ref.TagNameOnly(named)
+		named = reference.TagNameOnly(named)
 	}
 	patchInfo.Image = named.String()
 
 	// If no patched image tag is provided, default to '<image-tag>-patched'
 	if patchInfo.PatchedImageTag == "" {
 
-		taggedName, ok := named.(ref.Tagged)
+		taggedName, ok := named.(reference.Tagged)
 		if !ok {
 			return errors.New("unexpected error while parsing image tag")
 		}

cmd/patch/patch_test.go

@@ -3,6 +3,8 @@ package patch
 import (
 	"testing"
 
+	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
+
 	"github.com/kubescape/kubescape/v3/core/mocks"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
@@ -50,3 +52,18 @@ func TestGetPatchCmdWithNonExistentImage(t *testing.T) {
 	assert.Error(t, err)
 	assert.Equal(t, expectedErrorMessage, err.Error())
 }
+
+func Test_validateImagePatchInfo_EmptyImage(t *testing.T) {
+	patchInfo := &metav1.PatchInfo{}
+	err := validateImagePatchInfo(patchInfo)
+	assert.NotNil(t, err)
+	assert.Equal(t, "image tag is required", err.Error())
+}
+
+func Test_validateImagePatchInfo_Image(t *testing.T) {
+	patchInfo := &metav1.PatchInfo{
+		Image: "testing",
+	}
+	err := validateImagePatchInfo(patchInfo)
+	assert.Nil(t, err)
+}

cmd/prerequisites/prerequisites.go

@@ -0,0 +1,51 @@
+package prerequisites
+
+import (
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/kubescape/v3/core/meta"
+	"github.com/kubescape/sizing-checker/pkg/checks/connectivitycheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/ebpfcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/pvcheck"
+	"github.com/kubescape/sizing-checker/pkg/checks/sizing"
+	"github.com/kubescape/sizing-checker/pkg/common"
+	"github.com/spf13/cobra"
+)
+
+func GetPreReqCmd(ks meta.IKubescape) *cobra.Command {
+	var kubeconfigPath *string
+
+	// preReqCmd represents the prerequisites command
+	preReqCmd := &cobra.Command{
+		Use:   "prerequisites",
+		Short: "Check prerequisites for installing Kubescape Operator",
+		Run: func(cmd *cobra.Command, args []string) {
+			clientSet, inCluster := common.BuildKubeClient(*kubeconfigPath)
+			if clientSet == nil {
+				logger.L().Fatal("Could not create kube client. Exiting.")
+			}
+
+			// 1) Collect cluster data
+			clusterData, err := common.CollectClusterData(ks.Context(), clientSet)
+			if err != nil {
+				logger.L().Error("Failed to collect cluster data", helpers.Error(err))
+			}
+
+			// 2) Run checks
+			sizingResult := sizing.RunSizingChecker(clusterData)
+			pvResult := pvcheck.RunPVProvisioningCheck(ks.Context(), clientSet, clusterData, inCluster)
+			connectivityResult := connectivitycheck.RunConnectivityChecks(ks.Context(), clientSet, clusterData, inCluster)
+			ebpfResult := ebpfcheck.RunEbpfCheck(ks.Context(), clientSet, clusterData, inCluster)
+
+			// 3) Build and export the final ReportData
+			finalReport := common.BuildReportData(clusterData, sizingResult, pvResult, connectivityResult, ebpfResult)
+			finalReport.InCluster = inCluster
+
+			common.GenerateOutput(finalReport, inCluster)
+		},
+	}
+
+	kubeconfigPath = preReqCmd.PersistentFlags().String("kubeconfig", "", "Path to the kubeconfig file. If not set, in-cluster config is used or $HOME/.kube/config if outside a cluster.")
+
+	return preReqCmd
+}

cmd/root.go

@@ -1,10 +1,11 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/cmd/completion"
@@ -12,16 +13,18 @@ import (
 	"github.com/kubescape/kubescape/v3/cmd/download"
 	"github.com/kubescape/kubescape/v3/cmd/fix"
 	"github.com/kubescape/kubescape/v3/cmd/list"
+	"github.com/kubescape/kubescape/v3/cmd/mcpserver"
 	"github.com/kubescape/kubescape/v3/cmd/operator"
 	"github.com/kubescape/kubescape/v3/cmd/patch"
+	"github.com/kubescape/kubescape/v3/cmd/prerequisites"
 	"github.com/kubescape/kubescape/v3/cmd/scan"
 	"github.com/kubescape/kubescape/v3/cmd/update"
+	"github.com/kubescape/kubescape/v3/cmd/vap"
 	"github.com/kubescape/kubescape/v3/cmd/version"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
 	"github.com/spf13/cobra"
 )
 
@@ -41,16 +44,16 @@ var ksExamples = fmt.Sprintf(`
   %[1]s config view
 `, cautils.ExecName())
 
-func NewDefaultKubescapeCommand() *cobra.Command {
-	ks := core.NewKubescape()
-	return getRootCmd(ks)
+func NewDefaultKubescapeCommand(ctx context.Context, ksVersion, ksCommit, ksDate string) *cobra.Command {
+	ks := core.NewKubescape(ctx)
+	return getRootCmd(ks, ksVersion, ksCommit, ksDate)
 }
 
-func getRootCmd(ks meta.IKubescape) *cobra.Command {
+func getRootCmd(ks meta.IKubescape, ksVersion, ksCommit, ksDate string) *cobra.Command {
 
 	rootCmd := &cobra.Command{
 		Use:     "kubescape",
-		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://hub.armosec.io/docs",
+		Short:   "Kubescape is a tool for testing Kubernetes security posture. Docs: https://kubescape.io/docs/",
 		Example: ksExamples,
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
 			k8sinterface.SetClusterContextName(rootInfo.KubeContext)
@@ -83,8 +86,6 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 
 	rootCmd.PersistentFlags().StringVarP(&rootInfo.Logger, "logger", "l", helpers.InfoLevel.String(), fmt.Sprintf("Logger level. Supported: %s [$KS_LOGGER]", strings.Join(helpers.SupportedLevels(), "/")))
 	rootCmd.PersistentFlags().StringVar(&rootInfo.CacheDir, "cache-dir", getter.DefaultLocalStore, "Cache directory [$KS_CACHE_DIR]")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.DisableColor, "disable-color", "", false, "Disable color output for logging")
-	rootCmd.PersistentFlags().BoolVarP(&rootInfo.EnableColor, "enable-color", "", false, "Force enable color output for logging")
 
 	rootCmd.PersistentFlags().StringVarP(&rootInfo.KubeContext, "kube-context", "", "", "Kube context. Default will use the current-context")
 	// Supported commands
@@ -92,12 +93,15 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(download.GetDownloadCmd(ks))
 	rootCmd.AddCommand(list.GetListCmd(ks))
 	rootCmd.AddCommand(completion.GetCompletionCmd())
-	rootCmd.AddCommand(version.GetVersionCmd())
+	rootCmd.AddCommand(version.GetVersionCmd(ks, ksVersion, ksCommit, ksDate))
 	rootCmd.AddCommand(config.GetConfigCmd(ks))
-	rootCmd.AddCommand(update.GetUpdateCmd())
+	rootCmd.AddCommand(update.GetUpdateCmd(ks))
 	rootCmd.AddCommand(fix.GetFixCmd(ks))
 	rootCmd.AddCommand(patch.GetPatchCmd(ks))
+	rootCmd.AddCommand(vap.GetVapHelperCmd())
 	rootCmd.AddCommand(operator.GetOperatorCmd(ks))
+	rootCmd.AddCommand(prerequisites.GetPreReqCmd(ks))
+	rootCmd.AddCommand(mcpserver.GetMCPServerCmd())
 
 	// deprecated commands
 	rootCmd.AddCommand(&cobra.Command{
@@ -112,7 +116,7 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	return rootCmd
 }
 
-func Execute() error {
-	ks := NewDefaultKubescapeCommand()
+func Execute(ctx context.Context, ksVersion, ksCommit, ksDate string) error {
+	ks := NewDefaultKubescapeCommand(ctx, ksVersion, ksCommit, ksDate)
 	return ks.Execute()
-}
+}

cmd/root_test.go

@@ -0,0 +1,24 @@
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewDefaultKubescapeCommand(t *testing.T) {
+	t.Run("NewDefaultKubescapeCommand", func(t *testing.T) {
+		cmd := NewDefaultKubescapeCommand(context.Background(), "", "", "")
+		assert.NotNil(t, cmd)
+	})
+}
+
+func TestExecute(t *testing.T) {
+	t.Run("Execute", func(t *testing.T) {
+		err := Execute(context.Background(), "", "", "")
+		if err != nil {
+			assert.EqualErrorf(t, err, "unknown command \"^\\\\QTestExecute\\\\E$\" for \"kubescape\"", err.Error())
+		}
+	})
+}

cmd/rootutils.go

@@ -8,20 +8,16 @@ import (
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	sdClientV2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/go-logger/iconlogger"
 	"github.com/kubescape/go-logger/zaplogger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
-
 	"github.com/mattn/go-isatty"
 )
 
 func initLogger() {
-	logger.DisableColor(rootInfo.DisableColor)
-	logger.EnableColor(rootInfo.EnableColor)
-
 	if rootInfo.LoggerName == "" {
 		if l := os.Getenv("KS_LOGGER_NAME"); l != "" {
 			rootInfo.LoggerName = l
@@ -35,8 +31,8 @@ func initLogger() {
 	}
 
 	logger.InitLogger(rootInfo.LoggerName)
-
 }
+
 func initLoggerLevel() {
 	if rootInfo.Logger == helpers.InfoLevel.String() {
 	} else if l := os.Getenv("KS_LOGGER"); l != "" {
@@ -77,7 +73,7 @@ func initEnvironment() {
 	)
 
 	if err != nil {
-		logger.L().Fatal("failed to to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
+		logger.L().Fatal("failed to get services from server", helpers.Error(err), helpers.String("server", rootInfo.DiscoveryServerURL))
 		return
 	}
 

cmd/scan/control.go

@@ -1,20 +1,17 @@
 package scan
 
 import (
-	"context"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 
-	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )
 
@@ -32,7 +29,7 @@ var (
   Run '%[1]s list controls' for the list of supported controls
   
   Control documentation:
-  https://hub.armosec.io/docs/controls
+  https://kubescape.io/docs/controls/
 `, cautils.ExecName())
 )
 
@@ -98,12 +95,11 @@ func getControlCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comman
 				return err
 			}
 
-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if err := results.HandleResults(ctx); err != nil {
+			if err := results.HandleResults(ks.Context(), scanInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 			if !scanInfo.VerboseMode {

cmd/scan/framework.go

@@ -1,25 +1,22 @@
 package scan
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"
 
-	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
-	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/meta"
-
+	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	reporthandlingapis "github.com/kubescape/opa-utils/reporthandling/apis"
+	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 	"github.com/spf13/cobra"
 )
 
@@ -94,7 +91,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 
 				}
 				if len(args) > 1 {
-					if len(args[1:]) == 0 || args[1] != "-" {
+					if args[1] != "-" {
 						scanInfo.InputPatterns = args[1:]
 						logger.L().Debug("List of input files", helpers.Interface("patterns", scanInfo.InputPatterns))
 					} else { // store stdin to file - do NOT move to separate function !!
@@ -112,17 +109,15 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 				}
 			}
 			scanInfo.SetScanType(cautils.ScanTypeFramework)
-			scanInfo.FrameworkScan = true
 
 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
 
-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
 
-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context(), scanInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 
@@ -178,7 +173,7 @@ func countersExceedSeverityThreshold(severityCounters reportsummary.ISeverityCou
 
 // terminateOnExceedingSeverity terminates the application on exceeding severity
 func terminateOnExceedingSeverity(scanInfo *cautils.ScanInfo, l helpers.ILogger) {
-	l.Fatal("result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
+	l.Fatal("compliance result exceeds severity threshold", helpers.String("set severity threshold", scanInfo.FailThresholdSeverity))
 }
 
 // enforceSeverityThresholds ensures that the scan results are below the defined severity threshold

cmd/scan/image.go

@@ -1,16 +1,13 @@
 package scan
 
 import (
-	"context"
 	"fmt"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
-	"github.com/kubescape/kubescape/v3/pkg/imagescan"
-
 	"github.com/spf13/cobra"
 )
 
@@ -25,12 +22,18 @@ var (
   # Scan the 'nginx' image and see the full report 
   %[1]s scan image "nginx" -v
 
+  # Scan the 'nginx' image and use exceptions
+  %[1]s scan image "nginx" --exceptions exceptions.json
+
 `, cautils.ExecName())
 )
 
 // getImageCmd returns the scan image command
 func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command {
 	var imgCredentials shared.ImageCredentials
+	var exceptions string
+	var useDefaultMatchers bool
+
 	cmd := &cobra.Command{
 		Use:     "image <image>:<tag> [flags]",
 		Short:   "Scan an image for vulnerabilities",
@@ -51,17 +54,19 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
 			}
 
 			imgScanInfo := &metav1.ImageScanInfo{
-				Image:    args[0],
-				Username: imgCredentials.Username,
-				Password: imgCredentials.Password,
+				Image:              args[0],
+				Username:           imgCredentials.Username,
+				Password:           imgCredentials.Password,
+				Exceptions:         exceptions,
+				UseDefaultMatchers: useDefaultMatchers,
 			}
 
-			results, err := ks.ScanImage(context.Background(), imgScanInfo, scanInfo)
+			exceedsSeverityThreshold, err := ks.ScanImage(imgScanInfo, scanInfo)
 			if err != nil {
 				return err
 			}
 
-			if imagescan.ExceedsSeverityThreshold(results, imagescan.ParseSeverity(scanInfo.FailThresholdSeverity)) {
+			if exceedsSeverityThreshold {
 				shared.TerminateOnExceedingSeverity(scanInfo, logger.L())
 			}
 
@@ -69,8 +74,11 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command
 		},
 	}
 
+	// The exceptions flag
+	cmd.PersistentFlags().StringVarP(&exceptions, "exceptions", "", "", "Path to the exceptions file")
 	cmd.PersistentFlags().StringVarP(&imgCredentials.Username, "username", "u", "", "Username for registry login")
 	cmd.PersistentFlags().StringVarP(&imgCredentials.Password, "password", "p", "", "Password for registry login")
+	cmd.PersistentFlags().BoolVarP(&useDefaultMatchers, "use-default-matchers", "", true, "Use default matchers (true) or CPE matchers (false)")
 
 	return cmd
 }

cmd/scan/scan.go

@@ -1,11 +1,11 @@
 package scan
 
 import (
-	"context"
 	"flag"
 	"fmt"
 	"strings"
 
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/meta"
@@ -14,12 +14,12 @@ import (
 )
 
 var scanCmdExamples = fmt.Sprintf(`
-  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks 
-  
+  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks
+
   # Scan current cluster
   %[1]s scan
 
-  # Scan kubernetes manifest files 
+  # Scan kubernetes manifest files
   %[1]s scan .
 
   # Scan and save the results in the JSON format
@@ -28,7 +28,7 @@ var scanCmdExamples = fmt.Sprintf(`
   # Display all resources
   %[1]s scan --verbose
 
-  # Scan different clusters from the kubectl context 
+  # Scan different clusters from the kubectl context
   %[1]s scan --kube-context <kubernetes context>
 `, cautils.ExecName())
 
@@ -45,12 +45,17 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 			if scanInfo.View == string(cautils.SecurityViewType) {
 				setSecurityViewScanInfo(args, &scanInfo)
 
-				return securityScan(scanInfo, ks)
+				if err := securityScan(scanInfo, ks); err != nil {
+					logger.L().Fatal(err.Error())
+				}
+			} else if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
+				if err := getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...)); err != nil {
+					logger.L().Fatal(err.Error())
+				}
+			} else {
+				return fmt.Errorf("kubescape did not do anything")
 			}
 
-			if len(args) == 0 || (args[0] != "framework" && args[0] != "control") {
-				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...))
-			}
 			return nil
 		},
 		PostRun: func(cmd *cobra.Command, args []string) {
@@ -58,6 +63,8 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 		},
 	}
 
+	scanInfo.TriggeredByCLI = true
+
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccountID, "account", "", "", "Kubescape SaaS account ID. Default will load account ID from cache")
 	scanCmd.PersistentFlags().StringVarP(&scanInfo.AccessKey, "access-key", "", "", "Kubescape SaaS access key. Default will load access key from cache")
 	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
@@ -83,7 +90,10 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.EnableRegoPrint, "enable-rego-prints", "", false, "Enable sending to rego prints to the logs (use with debug log level: -l debug)")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.UseDefaultMatchers, "use-default-matchers", "", true, "Use default matchers (true) or CPE matchers (false) for image scanning")
+	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.LabelsToCopy, "labels-to-copy", nil, "Labels to copy from workloads to scan reports for easy identification. e.g: --labels-to-copy=app,team,environment")
 
 	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
 	scanCmd.PersistentFlags().MarkDeprecated("create-account", "Create account is no longer supported. In case of a missing Account ID and a configured backend server, a new account id will be generated automatically by Kubescape. Feel free to contact the Kubescape maintainers for more information.")
@@ -118,22 +128,20 @@ func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
 	if len(args) > 0 {
 		scanInfo.SetScanType(cautils.ScanTypeRepo)
 		scanInfo.InputPatterns = args
+		scanInfo.SetPolicyIdentifiers([]string{"workloadscan", "allcontrols"}, v1.KindFramework)
 	} else {
 		scanInfo.SetScanType(cautils.ScanTypeCluster)
+		scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
 	}
-	scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
 }
 
 func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
-
-	ctx := context.TODO()
-
-	results, err := ks.Scan(ctx, &scanInfo)
+	results, err := ks.Scan(&scanInfo)
 	if err != nil {
 		return err
 	}
 
-	if err = results.HandleResults(ctx); err != nil {
+	if err = results.HandleResults(ks.Context(), &scanInfo); err != nil {
 		return err
 	}
 

cmd/scan/scan_test.go

@@ -2,20 +2,19 @@ package scan
 
 import (
 	"context"
+	"os"
+	"reflect"
+	"testing"
+	"time"
 
 	"github.com/kubescape/go-logger/helpers"
-	"github.com/stretchr/testify/assert"
-
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/mocks"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
-
-	"os"
-	"reflect"
-	"testing"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestExceedsSeverity(t *testing.T) {
@@ -188,20 +187,23 @@ type spyLogger struct {
 	setItems []spyLogMessage
 }
 
-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) SetLevel(level string) error                         { return nil }
-func (l *spyLogger) GetLevel() string                                    { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                                {}
-func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
-func (l *spyLogger) LoggerName() string                                  { return "" }
-func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
-func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+var _ helpers.ILogger = &spyLogger{}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)                     {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) SetLevel(level string) error                                      { return nil }
+func (l *spyLogger) GetLevel() string                                                 { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                             {}
+func (l *spyLogger) GetWriter() *os.File                                              { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                               { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger                            { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails)              {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)                {}
+func (l *spyLogger) TimedWrapper(funcName string, timeout time.Duration, task func()) {}
 
 func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
 	firstDetail := details[0]
@@ -216,7 +218,7 @@ func (l *spyLogger) GetSpiedItems() []spyLogMessage {
 }
 
 func Test_terminateOnExceedingSeverity(t *testing.T) {
-	expectedMessage := "result exceeds severity threshold"
+	expectedMessage := "compliance result exceeds severity threshold"
 	expectedKey := "set severity threshold"
 
 	testCases := []struct {
@@ -305,15 +307,11 @@ func TestSetSecurityViewScanInfo(t *testing.T) {
 				PolicyIdentifier: []cautils.PolicyIdentifier{
 					{
 						Kind:       v1.KindFramework,
-						Identifier: "clusterscan",
+						Identifier: "workloadscan",
 					},
 					{
 						Kind:       v1.KindFramework,
-						Identifier: "mitre",
-					},
-					{
-						Kind:       v1.KindFramework,
-						Identifier: "nsa",
+						Identifier: "allcontrols",
 					},
 				},
 			},

cmd/scan/validators_test.go

@@ -35,7 +35,7 @@ func Test_validateControlScanInfo(t *testing.T) {
 		t.Run(
 			tc.Description,
 			func(t *testing.T) {
-				var want error = tc.Want
+				var want = tc.Want
 
 				got := validateControlScanInfo(tc.ScanInfo)
 
@@ -85,7 +85,7 @@ func Test_validateFrameworkScanInfo(t *testing.T) {
 		t.Run(
 			tc.Description,
 			func(t *testing.T) {
-				var want error = tc.Want
+				var want = tc.Want
 
 				got := validateFrameworkScanInfo(tc.ScanInfo)
 

cmd/scan/workload.go

@@ -1,17 +1,15 @@
 package scan
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
-
 	"github.com/spf13/cobra"
 )
 
@@ -67,16 +65,17 @@ func getWorkloadCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comma
 			setWorkloadScanInfo(scanInfo, kind, name)
 
 			// todo: add api version if provided
-			ctx := context.TODO()
-			results, err := ks.Scan(ctx, scanInfo)
+			results, err := ks.Scan(scanInfo)
 			if err != nil {
 				logger.L().Fatal(err.Error())
 			}
 
-			if err = results.HandleResults(ctx); err != nil {
+			if err = results.HandleResults(ks.Context(), scanInfo); err != nil {
 				logger.L().Fatal(err.Error())
 			}
 
+			enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), scanInfo, terminateOnExceedingSeverity)
+
 			return nil
 		},
 	}
@@ -96,7 +95,7 @@ func setWorkloadScanInfo(scanInfo *cautils.ScanInfo, kind string, name string) {
 	scanInfo.ScanObject.SetKind(kind)
 	scanInfo.ScanObject.SetName(name)
 
-	scanInfo.SetPolicyIdentifiers([]string{"workloadscan"}, v1.KindFramework)
+	scanInfo.SetPolicyIdentifiers([]string{"workloadscan", "allcontrols"}, v1.KindFramework)
 
 	if scanInfo.FilePath != "" {
 		scanInfo.InputPatterns = []string{scanInfo.FilePath}

cmd/scan/workload_test.go

@@ -28,6 +28,10 @@ func TestSetWorkloadScanInfo(t *testing.T) {
 						Identifier: "workloadscan",
 						Kind:       v1.KindFramework,
 					},
+					{
+						Identifier: "allcontrols",
+						Kind:       v1.KindFramework,
+					},
 				},
 				ScanType: cautils.ScanTypeWorkload,
 				ScanObject: &objectsenvelopes.ScanObject{
@@ -59,12 +63,19 @@ func TestSetWorkloadScanInfo(t *testing.T) {
 					t.Errorf("got: %v, want: %v", scanInfo.ScanObject.Metadata.Name, tc.want.ScanObject.Metadata.Name)
 				}
 
-				if len(scanInfo.PolicyIdentifier) != 1 {
-					t.Errorf("got: %v, want: %v", len(scanInfo.PolicyIdentifier), 1)
+				if len(scanInfo.PolicyIdentifier) != len(tc.want.PolicyIdentifier) {
+					t.Errorf("got: %v policy identifiers, want: %v", len(scanInfo.PolicyIdentifier), len(tc.want.PolicyIdentifier))
 				}
 
-				if scanInfo.PolicyIdentifier[0].Identifier != tc.want.PolicyIdentifier[0].Identifier {
-					t.Errorf("got: %v, want: %v", scanInfo.PolicyIdentifier[0].Identifier, tc.want.PolicyIdentifier[0].Identifier)
+				for i, wantPolicy := range tc.want.PolicyIdentifier {
+					if i < len(scanInfo.PolicyIdentifier) {
+						if scanInfo.PolicyIdentifier[i].Identifier != wantPolicy.Identifier {
+							t.Errorf("got: %v, want: %v", scanInfo.PolicyIdentifier[i].Identifier, wantPolicy.Identifier)
+						}
+						if scanInfo.PolicyIdentifier[i].Kind != wantPolicy.Kind {
+							t.Errorf("got: %v, want: %v", scanInfo.PolicyIdentifier[i].Kind, wantPolicy.Kind)
+						}
+					}
 				}
 			},
 		)
@@ -94,3 +105,17 @@ func TestGetWorkloadCmd_ChartPathAndFilePathEmpty(t *testing.T) {
 	expectedErrorMessage = "invalid workload identifier"
 	assert.Equal(t, expectedErrorMessage, err.Error())
 }
+
+func Test_parseWorkloadIdentifierString_Empty(t *testing.T) {
+	t.Run("empty identifier", func(t *testing.T) {
+		_, _, err := parseWorkloadIdentifierString("")
+		assert.Error(t, err)
+	})
+}
+
+func Test_parseWorkloadIdentifierString_NoError(t *testing.T) {
+	t.Run("valid identifier", func(t *testing.T) {
+		_, _, err := parseWorkloadIdentifierString("default/Deployment")
+		assert.NoError(t, err)
+	})
+}

cmd/shared/image_scan_test.go

@@ -50,7 +50,7 @@ func TestValidateImageScanInfo(t *testing.T) {
 		t.Run(
 			tc.Description,
 			func(t *testing.T) {
-				var want error = tc.Want
+				var want = tc.Want
 
 				got := ValidateImageScanInfo(tc.ScanInfo)
 

cmd/shared/scan_test.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -20,20 +21,23 @@ type spyLogger struct {
 	setItems []spyLogMessage
 }
 
-func (l *spyLogger) Error(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) Success(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)     {}
-func (l *spyLogger) Info(msg string, details ...helpers.IDetails)        {}
-func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) SetLevel(level string) error                         { return nil }
-func (l *spyLogger) GetLevel() string                                    { return "" }
-func (l *spyLogger) SetWriter(w *os.File)                                {}
-func (l *spyLogger) GetWriter() *os.File                                 { return &os.File{} }
-func (l *spyLogger) LoggerName() string                                  { return "" }
-func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger               { return l }
-func (l *spyLogger) Start(msg string, details ...helpers.IDetails)       {}
-func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails) {}
-func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)   {}
+var _ helpers.ILogger = &spyLogger{}
+
+func (l *spyLogger) Error(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) Success(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Warning(msg string, details ...helpers.IDetails)                  {}
+func (l *spyLogger) Info(msg string, details ...helpers.IDetails)                     {}
+func (l *spyLogger) Debug(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) SetLevel(level string) error                                      { return nil }
+func (l *spyLogger) GetLevel() string                                                 { return "" }
+func (l *spyLogger) SetWriter(w *os.File)                                             {}
+func (l *spyLogger) GetWriter() *os.File                                              { return &os.File{} }
+func (l *spyLogger) LoggerName() string                                               { return "" }
+func (l *spyLogger) Ctx(_ context.Context) helpers.ILogger                            { return l }
+func (l *spyLogger) Start(msg string, details ...helpers.IDetails)                    {}
+func (l *spyLogger) StopSuccess(msg string, details ...helpers.IDetails)              {}
+func (l *spyLogger) StopError(msg string, details ...helpers.IDetails)                {}
+func (l *spyLogger) TimedWrapper(funcName string, timeout time.Duration, task func()) {}
 
 func (l *spyLogger) Fatal(msg string, details ...helpers.IDetails) {
 	firstDetail := details[0]

cmd/update/update.go

@@ -5,11 +5,13 @@ package update
 //          kubescape update
 
 import (
-	"context"
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/spf13/cobra"
@@ -24,30 +26,31 @@ var updateCmdExamples = fmt.Sprintf(`
   %[1]s update
 `, cautils.ExecName())
 
-func GetUpdateCmd() *cobra.Command {
+func GetUpdateCmd(ks meta.IKubescape) *cobra.Command {
 	updateCmd := &cobra.Command{
 		Use:     "update",
 		Short:   "Update to latest release version",
 		Long:    ``,
 		Example: updateCmdExamples,
 		RunE: func(_ *cobra.Command, args []string) error {
-			ctx := context.TODO()
-			v := cautils.NewVersionCheckHandler()
-			versionCheckRequest := cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "update")
-			v.CheckLatestVersion(ctx, versionCheckRequest)
+			v := versioncheck.NewVersionCheckHandler()
+			versionCheckRequest := versioncheck.NewVersionCheckRequest("", versioncheck.BuildNumber, "", "", "update", nil)
+			if err := v.CheckLatestVersion(ks.Context(), versionCheckRequest); err != nil {
+				return err
+			}
 
 			//Checking the user's version of kubescape to the latest release
-			if cautils.BuildNumber == "" || strings.Contains(cautils.BuildNumber, "rc") {
+			if versioncheck.BuildNumber == "" || strings.Contains(versioncheck.BuildNumber, "rc") {
 				//your version is unknown
 				fmt.Printf("Nothing to update: you are running the development version\n")
-			} else if cautils.LatestReleaseVersion == "" {
+			} else if versioncheck.LatestReleaseVersion == "" {
 				//Failed to check for updates
-				logger.L().Info(("Failed to check for updates"))
-			} else if cautils.BuildNumber == cautils.LatestReleaseVersion {
+				logger.L().Info("Failed to check for updates")
+			} else if versioncheck.BuildNumber == versioncheck.LatestReleaseVersion {
 				//your version == latest version
-				logger.L().Info(("Nothing to update: you are running the latest version"), helpers.String("Version", cautils.BuildNumber))
+				logger.L().Info("Nothing to update: you are running the latest version", helpers.String("Version", versioncheck.BuildNumber))
 			} else {
-				fmt.Printf("Version %s is available. Please refer to our installation documentation: %s\n", cautils.LatestReleaseVersion, installationLink)
+				fmt.Printf("Version %s is available. Please refer to our installation documentation: %s\n", versioncheck.LatestReleaseVersion, installationLink)
 			}
 			return nil
 		},

cmd/update/update_test.go

@@ -0,0 +1,18 @@
+package update
+
+import (
+	"context"
+	"testing"
+
+	"github.com/kubescape/kubescape/v3/core/core"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetUpdateCmd(t *testing.T) {
+	ks := core.NewKubescape(context.TODO())
+	cmd := GetUpdateCmd(ks)
+	assert.NotNil(t, cmd)
+
+	err := cmd.RunE(cmd, []string{})
+	assert.Nil(t, err)
+}

cmd/vap/vap.go

@@ -0,0 +1,237 @@
+package vap
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var vapHelperCmdExamples = fmt.Sprintf(`
+  vap command can be used for managing Validating Admission Policies in a Kubernetes cluster.
+  This is an experimental feature and it might change.
+
+  Examples:
+
+  # Install Kubescape CEL admission policy library
+  %[1]s vap deploy-library | kubectl apply -f -
+  # Create a policy binding
+  %[1]s vap create-policy-binding --name my-policy-binding --policy c-0016 --namespace=my-namespace | kubectl apply -f -
+`, cautils.ExecName())
+
+func GetVapHelperCmd() *cobra.Command {
+
+	vapHelperCmd := &cobra.Command{
+		Use:     "vap",
+		Short:   "Helper commands for managing Validating Admission Policies in a Kubernetes cluster",
+		Long:    ``,
+		Example: vapHelperCmdExamples,
+	}
+
+	// Create subcommands
+	vapHelperCmd.AddCommand(getDeployLibraryCmd())
+	vapHelperCmd.AddCommand(getCreatePolicyBindingCmd())
+
+	return vapHelperCmd
+}
+
+func getDeployLibraryCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "deploy-library",
+		Short: "Install Kubescape CEL admission policy library",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return deployLibrary()
+		},
+	}
+}
+
+func getCreatePolicyBindingCmd() *cobra.Command {
+	var policyBindingName string
+	var policyName string
+	var namespaceArr []string
+	var labelArr []string
+	var action string
+	var parameterReference string
+
+	createPolicyBindingCmd := &cobra.Command{
+		Use:   "create-policy-binding",
+		Short: "Create a policy binding",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Validate the inputs
+			if err := isValidK8sObjectName(policyBindingName); err != nil {
+				return fmt.Errorf("invalid policy binding name %s: %w", policyBindingName, err)
+			}
+			if err := isValidK8sObjectName(policyName); err != nil {
+				return fmt.Errorf("invalid policy name %s: %w", policyName, err)
+			}
+			for _, namespace := range namespaceArr {
+				if err := isValidK8sObjectName(namespace); err != nil {
+					return fmt.Errorf("invalid namespace %s: %w", namespace, err)
+				}
+			}
+			for _, label := range labelArr {
+				// Label selector must be in the format key=value
+				if !regexp.MustCompile(`^[a-zA-Z0-9]+=[a-zA-Z0-9]+$`).MatchString(label) {
+					return fmt.Errorf("invalid label selector: %s", label)
+				}
+			}
+			if action != "Deny" && action != "Audit" && action != "Warn" {
+				return fmt.Errorf("invalid action: %s", action)
+			}
+			if parameterReference != "" {
+				if err := isValidK8sObjectName(parameterReference); err != nil {
+					return fmt.Errorf("invalid parameter reference %s: %w", parameterReference, err)
+				}
+			}
+
+			return createPolicyBinding(policyBindingName, policyName, action, parameterReference, namespaceArr, labelArr)
+		},
+	}
+	// Must specify the name of the policy binding
+	createPolicyBindingCmd.Flags().StringVarP(&policyBindingName, "name", "n", "", "Name of the policy binding")
+	createPolicyBindingCmd.MarkFlagRequired("name")
+	createPolicyBindingCmd.Flags().StringVarP(&policyName, "policy", "p", "", "Name of the policy to bind the resources to")
+	createPolicyBindingCmd.MarkFlagRequired("policy")
+	createPolicyBindingCmd.Flags().StringSliceVar(&namespaceArr, "namespace", []string{}, "Resource namespace selector")
+	createPolicyBindingCmd.Flags().StringSliceVar(&labelArr, "label", []string{}, "Resource label selector")
+	createPolicyBindingCmd.Flags().StringVarP(&action, "action", "a", "Deny", "Action to take when policy fails")
+	createPolicyBindingCmd.Flags().StringVarP(&parameterReference, "parameter-reference", "r", "", "Parameter reference object name")
+
+	return createPolicyBindingCmd
+}
+
+// Implementation of the VAP helper commands
+// deploy-library
+func deployLibrary() error {
+	logger.L().Info("Downloading the Kubescape CEL admission policy library")
+	// Download the policy-configuration-definition.yaml from the latest release URL
+	policyConfigurationDefinitionURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml"
+	policyConfigurationDefinition, err := downloadFileToString(policyConfigurationDefinitionURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the basic-control-configuration.yaml from the latest release URL
+	basicControlConfigurationURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml"
+	basicControlConfiguration, err := downloadFileToString(basicControlConfigurationURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the kubescape-validating-admission-policies.yaml from the latest release URL
+	kubescapeValidatingAdmissionPoliciesURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml"
+	kubescapeValidatingAdmissionPolicies, err := downloadFileToString(kubescapeValidatingAdmissionPoliciesURL)
+	if err != nil {
+		return err
+	}
+
+	logger.L().Info("Successfully downloaded admission policy library")
+
+	// Print the downloaded files to the STDOUT for the user to apply connecting them to a single YAML with ---
+	fmt.Println(policyConfigurationDefinition)
+	fmt.Println("---")
+	fmt.Println(basicControlConfiguration)
+	fmt.Println("---")
+	fmt.Println(kubescapeValidatingAdmissionPolicies)
+
+	return nil
+}
+
+func downloadFileToString(url string) (string, error) {
+	// Send an HTTP GET request to the URL
+	response, err := http.Get(url) //nolint:gosec
+	if err != nil {
+		return "", err // Return an empty string and the error if the request fails
+	}
+	defer response.Body.Close()
+
+	// Check for a successful response (HTTP 200 OK)
+	if response.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download file: %s", response.Status)
+	}
+
+	// Read the response body
+	bodyBytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err // Return an empty string and the error if reading fails
+	}
+
+	// Convert the byte slice to a string
+	bodyString := string(bodyBytes)
+	return bodyString, nil
+}
+
+func isValidK8sObjectName(name string) error {
+	// Kubernetes object names must consist of lower case alphanumeric characters, '-' or '.',
+	// and must start and end with an alphanumeric character (e.g., 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
+	// Max length of 63 characters.
+	if len(name) > 63 {
+		return errors.New("name should be less than 63 characters")
+	}
+
+	regex := regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+	if !regex.MatchString(name) {
+		return errors.New("name should consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character")
+	}
+
+	return nil
+}
+
+// Create a policy binding
+func createPolicyBinding(bindingName string, policyName string, action string, paramRefName string, namespaceArr []string, labelMatch []string) error {
+	// Create a policy binding struct
+	policyBinding := &admissionv1.ValidatingAdmissionPolicyBinding{}
+	// Print the policy binding after marshalling it to YAML to the STDOUT
+	// The user can apply the output to the cluster
+	policyBinding.APIVersion = "admissionregistration.k8s.io/v1"
+	policyBinding.Name = bindingName
+	policyBinding.Kind = "ValidatingAdmissionPolicyBinding"
+	policyBinding.Spec.PolicyName = policyName
+	policyBinding.Spec.MatchResources = &admissionv1.MatchResources{}
+	if len(namespaceArr) > 0 {
+		policyBinding.Spec.MatchResources.NamespaceSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "kubernetes.io/metadata.name",
+					Operator: metav1.LabelSelectorOpIn,
+					Values:   namespaceArr,
+				},
+			},
+		}
+	}
+
+	if len(labelMatch) > 0 {
+		policyBinding.Spec.MatchResources.ObjectSelector = &metav1.LabelSelector{}
+		policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels = make(map[string]string)
+		for _, label := range labelMatch {
+			labelParts := regexp.MustCompile(`=`).Split(label, 2)
+			policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels[labelParts[0]] = labelParts[1]
+		}
+	}
+
+	policyBinding.Spec.ValidationActions = []admissionv1.ValidationAction{admissionv1.ValidationAction(action)}
+	paramAction := admissionv1.DenyAction
+	if paramRefName != "" {
+		policyBinding.Spec.ParamRef = &admissionv1.ParamRef{
+			Name:                    paramRefName,
+			ParameterNotFoundAction: &paramAction,
+		}
+	}
+	// Marshal the policy binding to YAML
+	out, err := yaml.Marshal(policyBinding)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(out))
+	return nil
+}

cmd/vap/vap_test.go

@@ -0,0 +1,10 @@
+package vap
+
+import (
+	"testing"
+)
+
+func TestGetVapHelperCmd(t *testing.T) {
+	// Call the GetFixCmd function
+	_ = GetVapHelperCmd()
+}

cmd/version/git_native_disabled.go

@@ -1,7 +0,0 @@
-//go:build !gitenabled
-
-package version
-
-func isGitEnabled() bool {
-	return false
-}

cmd/version/git_native_enabled.go

@@ -1,7 +0,0 @@
-//go:build gitenabled
-
-package version
-
-func isGitEnabled() bool {
-	return true
-}

cmd/version/version.go

@@ -1,31 +1,37 @@
 package version
 
 import (
-	"context"
 	"fmt"
 
-	"github.com/kubescape/go-logger"
-	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/meta"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/spf13/cobra"
 )
 
-func GetVersionCmd() *cobra.Command {
+func GetVersionCmd(ks meta.IKubescape, version, commit, date string) *cobra.Command {
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Get current version",
 		Long:  ``,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := context.TODO()
-			v := cautils.NewIVersionCheckHandler(ctx)
-			versionCheckRequest := cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version")
-			v.CheckLatestVersion(ctx, versionCheckRequest)
-			fmt.Fprintf(cmd.OutOrStdout(),
+			v := versioncheck.NewIVersionCheckHandler(ks.Context())
+			_ = v.CheckLatestVersion(ks.Context(), versioncheck.NewVersionCheckRequest("", version, "", "", "version", nil))
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
 				"Your current version is: %s\n",
-				versionCheckRequest.ClientVersion,
+				version,
+			)
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
+				"Build commit: %s\n",
+				commit,
+			)
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
+				"Build date: %s\n",
+				date,
 			)
-			logger.L().Debug(fmt.Sprintf("git enabled in build: %t", isGitEnabled()))
 			return nil
 		},
 	}
 	return versionCmd
-}
+}

cmd/version/version_test.go

@@ -2,10 +2,13 @@ package version
 
 import (
 	"bytes"
+	"context"
 	"io"
 	"testing"
 
-	"github.com/kubescape/kubescape/v3/core/cautils"
+	"github.com/kubescape/kubescape/v3/core/core"
+
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -17,20 +20,21 @@ func TestGetVersionCmd(t *testing.T) {
 	}{
 		{
 			name:        "Undefined Build Number",
-			buildNumber: "",
-			want:        "Your current version is: unknown\n",
+			buildNumber: "unknown",
+			want:        "Your current version is: unknown\nBuild commit: \nBuild date: \n",
 		},
 		{
 			name:        "Defined Build Number: v3.0.1",
 			buildNumber: "v3.0.1",
-			want:        "Your current version is: v3.0.1\n",
+			want:        "Your current version is: v3.0.1\nBuild commit: \nBuild date: \n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cautils.BuildNumber = tt.buildNumber
+			versioncheck.BuildNumber = tt.buildNumber
 
-			if cmd := GetVersionCmd(); cmd != nil {
+			ks := core.NewKubescape(context.TODO())
+			if cmd := GetVersionCmd(ks, tt.buildNumber, "", ""); cmd != nil {
 				buf := bytes.NewBufferString("")
 				cmd.SetOut(buf)
 				cmd.Execute()
@@ -42,4 +46,4 @@ func TestGetVersionCmd(t *testing.T) {
 			}
 		})
 	}
-}
+}

core/README.md

@@ -1,14 +1,248 @@
-# Kubescape core package
+# Kubescape Core Package
+
+The `core` package provides the main Kubescape scanning engine as a Go library, allowing you to integrate Kubescape security scanning directly into your applications.
+
+## Table of Contents
+
+- [Installation](#installation)
+- [Quick Start](#quick-start)
+- [API Reference](#api-reference)
+- [Examples](#examples)
+- [Configuration Options](#configuration-options)
+
+---
+
+## Installation
+
+```bash
+go get github.com/kubescape/kubescape/v3/core
+```
+
+---
+
+## Quick Start
 
 ```go
+package main
 
-// initialize kubescape
-ks := core.NewKubescape()
+import (
+    "context"
+    "fmt"
+    "log"
 
-// scan cluster
-results, err := ks.Scan(&cautils.ScanInfo{})
+    "github.com/kubescape/kubescape/v3/core"
+    "github.com/kubescape/kubescape/v3/core/cautils"
+)
 
-// convert scan results to json
-jsonRes, err := results.ToJson()
+func main() {
+    ctx := context.Background()
 
-```
+    // Initialize Kubescape
+    ks := core.NewKubescape(ctx)
+
+    // Configure scan
+    scanInfo := &cautils.ScanInfo{
+        // Scan the current cluster
+        ScanAll: true,
+    }
+
+    // Run scan
+    results, err := ks.Scan(scanInfo)
+    if err != nil {
+        log.Fatalf("Scan failed: %v", err)
+    }
+
+    // Convert results to JSON
+    jsonRes, err := results.ToJson()
+    if err != nil {
+        log.Fatalf("Failed to convert results: %v", err)
+    }
+
+    fmt.Println(string(jsonRes))
+}
+```
+
+---
+
+## API Reference
+
+### Creating a Kubescape Instance
+
+```go
+// Create with context
+ks := core.NewKubescape(ctx)
+```
+
+### Scanning
+
+```go
+// Scan with configuration
+results, err := ks.Scan(scanInfo)
+```
+
+### Listing Frameworks and Controls
+
+```go
+// List available policies
+err := ks.List(listPolicies)
+```
+
+### Downloading Artifacts
+
+```go
+// Download for offline use
+err := ks.Download(downloadInfo)
+```
+
+### Image Scanning
+
+```go
+// Scan container image
+exceedsSeverity, err := ks.ScanImage(imgScanInfo, scanInfo)
+```
+
+### Fixing Misconfigurations
+
+```go
+// Apply fixes to manifests
+err := ks.Fix(fixInfo)
+```
+
+---
+
+## Examples
+
+### Scan a Specific Framework
+
+```go
+scanInfo := &cautils.ScanInfo{}
+scanInfo.SetPolicyIdentifiers([]string{"nsa"}, "framework")
+
+results, err := ks.Scan(scanInfo)
+```
+
+### Scan Specific Namespaces
+
+```go
+scanInfo := &cautils.ScanInfo{
+    IncludeNamespaces: "production,staging",
+}
+
+results, err := ks.Scan(scanInfo)
+```
+
+### Scan Local YAML Files
+
+```go
+scanInfo := &cautils.ScanInfo{
+    InputPatterns: []string{"/path/to/manifests"},
+}
+scanInfo.SetScanType(cautils.ScanTypeRepo)
+
+results, err := ks.Scan(scanInfo)
+```
+
+### Export Results to Different Formats
+
+```go
+results, _ := ks.Scan(scanInfo)
+
+// JSON
+jsonData, _ := results.ToJson()
+
+// Get summary
+summary := results.GetData().Report.SummaryDetails
+fmt.Printf("Compliance Score: %.2f%%\n", summary.ComplianceScore)
+```
+
+### Scan with Compliance Threshold
+
+```go
+scanInfo := &cautils.ScanInfo{
+    ComplianceThreshold: 80.0, // Fail if below 80%
+}
+
+results, err := ks.Scan(scanInfo)
+if err != nil {
+    // Handle scan failure
+}
+
+// Check if threshold was exceeded
+if results.GetData().Report.SummaryDetails.ComplianceScore < scanInfo.ComplianceThreshold {
+    log.Fatal("Compliance score below threshold")
+}
+```
+
+---
+
+## Configuration Options
+
+### ScanInfo Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `AccountID` | string | Kubescape SaaS account ID |
+| `AccessKey` | string | Kubescape SaaS access key |
+| `InputPatterns` | []string | Paths to scan (files, directories, URLs) |
+| `ExcludedNamespaces` | string | Comma-separated namespaces to exclude |
+| `IncludeNamespaces` | string | Comma-separated namespaces to include |
+| `Format` | string | Output format (json, junit, sarif, etc.) |
+| `Output` | string | Output file path |
+| `VerboseMode` | bool | Show all resources in output |
+| `FailThreshold` | float32 | Fail threshold percentage |
+| `ComplianceThreshold` | float32 | Compliance threshold percentage |
+| `UseExceptions` | string | Path to exceptions file |
+| `UseArtifactsFrom` | string | Path to offline artifacts |
+| `Submit` | bool | Submit results to SaaS |
+| `Local` | bool | Keep results local (don't submit) |
+
+---
+
+## Error Handling
+
+```go
+results, err := ks.Scan(scanInfo)
+if err != nil {
+    switch {
+    case errors.Is(err, context.DeadlineExceeded):
+        log.Fatal("Scan timed out")
+    case errors.Is(err, context.Canceled):
+        log.Fatal("Scan was canceled")
+    default:
+        log.Fatalf("Scan error: %v", err)
+    }
+}
+```
+
+---
+
+## Thread Safety
+
+The Kubescape instance is safe for concurrent use. You can run multiple scans in parallel:
+
+```go
+var wg sync.WaitGroup
+
+for _, ns := range namespaces {
+    wg.Add(1)
+    go func(namespace string) {
+        defer wg.Done()
+        
+        scanInfo := &cautils.ScanInfo{
+            IncludeNamespaces: namespace,
+        }
+        results, _ := ks.Scan(scanInfo)
+        // Process results...
+    }(ns)
+}
+
+wg.Wait()
+```
+
+---
+
+## Related Documentation
+
+- [CLI Reference](../docs/cli-reference.md)
+- [Getting Started Guide](../docs/getting-started.md)
+- [Architecture](../docs/architecture.md)

core/cautils/customerloader.go

@@ -7,26 +7,24 @@ import (
 	"path/filepath"
 	"regexp"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"github.com/google/uuid"
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	servicediscoveryv2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
 	configFileName     string = "config"
 	kubescapeNamespace string = "kubescape"
 
-	kubescapeConfigMapName      string = "kubescape-config" // deprecated - for backward compatibility
-	kubescapeCloudConfigMapName string = "ks-cloud-config"  // deprecated - for backward compatibility
+	kubescapeConfigMapName string = "kubescape-config" // deprecated - for backward compatibility
 
 	cloudConfigMapLabelSelector string = "kubescape.io/infra=config"
 	credsLabelSelectors         string = "kubescape.io/infra=credentials" //nolint:gosec
@@ -208,6 +206,8 @@ func NewClusterConfig(k8s *k8sinterface.KubernetesApi, accountID, accessKey, clu
 		loadConfigFromFile(c.configObj)
 	}
 
+	loadUrlsFromFile(c.configObj)
+
 	// second, load urls from config map
 	c.updateConfigEmptyFieldsFromKubescapeConfigMap()
 
@@ -271,15 +271,12 @@ func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeConfigMap() error {
 		return err
 	}
 	var ksConfigMap *corev1.ConfigMap
-	var urlsConfigMap *corev1.ConfigMap
 	if len(configMaps.Items) == 0 {
 		// try to find configmaps by name (for backward compatibility)
 		ksConfigMap, _ = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), kubescapeConfigMapName, metav1.GetOptions{})
-		urlsConfigMap, _ = c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.configMapNamespace).Get(context.Background(), kubescapeCloudConfigMapName, metav1.GetOptions{})
 	} else {
 		// use the first configmap with the label
 		ksConfigMap = &configMaps.Items[0]
-		urlsConfigMap = &configMaps.Items[0]
 	}
 
 	if ksConfigMap != nil {
@@ -292,30 +289,6 @@ func (c *ClusterConfig) updateConfigEmptyFieldsFromKubescapeConfigMap() error {
 		}
 	}
 
-	if urlsConfigMap != nil {
-		if jsonConf, ok := urlsConfigMap.Data["services"]; ok {
-			services, err := servicediscovery.GetServices(
-				servicediscoveryv2.NewServiceDiscoveryStreamV2([]byte(jsonConf)),
-			)
-			if err != nil {
-				// try to parse as v1
-				services, err = servicediscovery.GetServices(
-					servicediscoveryv1.NewServiceDiscoveryStreamV1([]byte(jsonConf)),
-				)
-				if err != nil {
-					return err
-				}
-			}
-
-			if services.GetApiServerUrl() != "" {
-				c.configObj.CloudAPIURL = services.GetApiServerUrl()
-			}
-			if services.GetReportReceiverHttpUrl() != "" {
-				c.configObj.CloudReportURL = services.GetReportReceiverHttpUrl()
-			}
-		}
-	}
-
 	return err
 }
 
@@ -398,7 +371,7 @@ func (c *ClusterConfig) updateConfigData(configMap *corev1.ConfigMap) {
 func loadConfigFromFile(configObj *ConfigObj) error {
 	dat, err := os.ReadFile(ConfigFileFullPath())
 	if err != nil {
-		return err
+		return nil // no config file
 	}
 	return readConfig(dat, configObj)
 }
@@ -414,6 +387,32 @@ func readConfig(dat []byte, configObj *ConfigObj) error {
 	return nil
 }
 
+func loadUrlsFromFile(obj *ConfigObj) error {
+	dat, err := os.ReadFile("/etc/config/services.json")
+	if err != nil {
+		return nil // no config file
+	}
+	services, err := servicediscovery.GetServices(
+		servicediscoveryv2.NewServiceDiscoveryStreamV2(dat),
+	)
+	if err != nil {
+		// try to parse as v1
+		services, err = servicediscovery.GetServices(
+			servicediscoveryv1.NewServiceDiscoveryStreamV1(dat),
+		)
+		if err != nil {
+			return err
+		}
+	}
+	if services.GetApiServerUrl() != "" {
+		obj.CloudAPIURL = services.GetApiServerUrl()
+	}
+	if services.GetReportReceiverHttpUrl() != "" {
+		obj.CloudReportURL = services.GetReportReceiverHttpUrl()
+	}
+	return nil
+}
+
 func DeleteConfigFile() error {
 	return os.Remove(ConfigFileFullPath())
 }
@@ -522,9 +521,3 @@ func GetTenantConfig(accountID, accessKey, clusterName, customClusterName string
 }
 
 // firstNonEmpty returns the first non-empty string
-func firstNonEmpty(s1, s2 string) string {
-	if s1 != "" {
-		return s1
-	}
-	return s2
-}

core/cautils/datastructures.go

@@ -4,7 +4,10 @@ import (
 	"context"
 	"sort"
 
-	"github.com/anchore/grype/grype/presenter/models"
+	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/syft/syft/sbom"
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/reporthandling"
@@ -20,8 +23,14 @@ type K8SResources map[string][]string
 type ExternalResources map[string][]string
 
 type ImageScanData struct {
-	PresenterConfig *models.PresenterConfig
-	Image           string
+	Context               pkg.Context
+	IgnoredMatches        []match.IgnoredMatch
+	Image                 string
+	Matches               match.Matches
+	Packages              []pkg.Package
+	RemainingMatches      *match.Matches
+	SBOM                  *sbom.SBOM
+	VulnerabilityProvider vulnerability.Provider
 }
 
 type ScanTypes string
@@ -58,25 +67,44 @@ type OPASessionObj struct {
 	OmitRawResources      bool                               // omit raw resources from output
 	SingleResourceScan    workloadinterface.IWorkload        // single resource scan
 	TopWorkloadsByScore   []reporthandling.IResource
+	TemplateMapping       map[string]MappingNodes // Map chart obj to template (only for rendering from path)
+	TriggeredByCLI        bool
+	LabelsToCopy          []string // Labels to copy from workloads to scan reports
 }
 
 func NewOPASessionObj(ctx context.Context, frameworks []reporthandling.Framework, k8sResources K8SResources, scanInfo *ScanInfo) *OPASessionObj {
+	clusterSize := estimateClusterSize(k8sResources)
+	if clusterSize < 100 {
+		clusterSize = 100
+	}
+
 	return &OPASessionObj{
 		Report:                &reporthandlingv2.PostureReport{},
 		Policies:              frameworks,
 		K8SResources:          k8sResources,
-		AllResources:          make(map[string]workloadinterface.IMetadata),
-		ResourcesResult:       make(map[string]resourcesresults.Result),
-		ResourcesPrioritized:  make(map[string]prioritization.PrioritizedResource),
-		InfoMap:               make(map[string]apis.StatusInfo),
-		ResourceToControlsMap: make(map[string][]string),
-		ResourceSource:        make(map[string]reporthandling.Source),
+		AllResources:          make(map[string]workloadinterface.IMetadata, clusterSize),
+		ResourcesResult:       make(map[string]resourcesresults.Result, clusterSize),
+		ResourcesPrioritized:  make(map[string]prioritization.PrioritizedResource, clusterSize/10),
+		InfoMap:               make(map[string]apis.StatusInfo, clusterSize/10),
+		ResourceToControlsMap: make(map[string][]string, clusterSize/2),
+		ResourceSource:        make(map[string]reporthandling.Source, clusterSize),
 		SessionID:             scanInfo.ScanID,
 		Metadata:              scanInfoToScanMetadata(ctx, scanInfo),
 		OmitRawResources:      scanInfo.OmitRawResources,
+		TriggeredByCLI:        scanInfo.TriggeredByCLI,
+		TemplateMapping:       make(map[string]MappingNodes, clusterSize/10),
+		LabelsToCopy:          scanInfo.LabelsToCopy,
 	}
 }
 
+func estimateClusterSize(k8sResources K8SResources) int {
+	total := 0
+	for _, resourceIDs := range k8sResources {
+		total += len(resourceIDs)
+	}
+	return total
+}
+
 // SetTopWorkloads sets the top workloads by score
 func (sessionObj *OPASessionObj) SetTopWorkloads() {
 	count := 0

core/cautils/datastructuresmethods.go

@@ -1,10 +1,11 @@
 package cautils
 
 import (
-	"golang.org/x/mod/semver"
-
+	"github.com/kubescape/backend/pkg/versioncheck"
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
+	"golang.org/x/mod/semver"
 )
 
 func NewPolicies() *Policies {
@@ -14,7 +15,7 @@ func NewPolicies() *Policies {
 	}
 }
 
-func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
+func (policies *Policies) Set(frameworks []reporthandling.Framework, excludedRules map[string]bool, scanningScope reporthandling.ScanningScopeType) {
 	for i := range frameworks {
 		if !isFrameworkFitToScanScope(frameworks[i], scanningScope) {
 			continue
@@ -32,9 +33,12 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, version str
 					}
 				}
 
-				if isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
-					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				if ShouldSkipRule(frameworks[i].Controls[j], frameworks[i].Controls[j].Rules[r], scanningScope) {
+					continue
 				}
+				// if isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) && isControlFitToScanScope(frameworks[i].Controls[j], scanningScope) {
+				compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
+				// }
 			}
 			if len(compatibleRules) > 0 {
 				frameworks[i].Controls[j].Rules = compatibleRules
@@ -54,18 +58,36 @@ func (policies *Policies) Set(frameworks []reporthandling.Framework, version str
 	}
 }
 
+// ShouldSkipRule checks if the rule should be skipped
+// It checks the following:
+//  1. Rule is compatible with the current kubescape version
+//  2. Rule fits the current scanning scope
+func ShouldSkipRule(control reporthandling.Control, rule reporthandling.PolicyRule, scanningScope reporthandling.ScanningScopeType) bool {
+	if !isRuleKubescapeVersionCompatible(rule.Attributes, versioncheck.BuildNumber) {
+		return true
+	}
+	if !isControlFitToScanScope(control, scanningScope) {
+		return true
+	}
+	return false
+}
+
 // Checks that kubescape version is in range of use for this rule
 // In local build (BuildNumber = ""):
 // returns true only if rule doesn't have the "until" attribute
 func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
+	normalizedVersion := version
+	if version != "" && !semver.IsValid(version) {
+		normalizedVersion = "v" + version
+	}
+
 	if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
 		switch sfrom := from.(type) {
 		case string:
-			if version != "" && semver.Compare(version, sfrom) == -1 {
+			if normalizedVersion != "" && semver.IsValid(normalizedVersion) && semver.Compare(normalizedVersion, sfrom) == -1 {
 				return false
 			}
 		default:
-			// Handle case where useFromKubescapeVersion is not a string
 			return false
 		}
 	}
@@ -73,11 +95,10 @@ func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version
 	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
 		switch suntil := until.(type) {
 		case string:
-			if version == "" || semver.Compare(version, suntil) >= 0 {
+			if normalizedVersion == "" || (semver.IsValid(normalizedVersion) && semver.Compare(normalizedVersion, suntil) >= 0) {
 				return false
 			}
 		default:
-			// Handle case where useUntilKubescapeVersion is not a string
 			return false
 		}
 	}
@@ -135,3 +156,13 @@ func isFrameworkFitToScanScope(framework reporthandling.Framework, scanScopeMatc
 	}
 	return false
 }
+
+func GetScanningScope(ContextMetadata reporthandlingv2.ContextMetadata) reporthandling.ScanningScopeType {
+	if ContextMetadata.ClusterContextMetadata != nil {
+		if ContextMetadata.ClusterContextMetadata.CloudMetadata != nil && ContextMetadata.ClusterContextMetadata.CloudMetadata.CloudProvider != "" {
+			return reporthandling.ScanningScopeType(ContextMetadata.ClusterContextMetadata.CloudMetadata.CloudProvider)
+		}
+		return reporthandling.ScopeCluster
+	}
+	return reporthandling.ScopeFile
+}

core/cautils/datastructuresmethods_test.go

@@ -239,3 +239,59 @@ func TestIsFrameworkFitToScanScope(t *testing.T) {
 		})
 	}
 }
+
+var rule_v1_0_131 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useUntilKubescapeVersion": "v1.0.132"}}}
+var rule_v1_0_132 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.132", "useUntilKubescapeVersion": "v1.0.133"}}}
+var rule_v1_0_133 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.133", "useUntilKubescapeVersion": "v1.0.134"}}}
+var rule_v1_0_134 = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.134"}}}
+var rule_invalid_from = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": 1.0135, "useUntilKubescapeVersion": "v1.0.135"}}}
+var rule_invalid_until = &reporthandling.PolicyRule{PortalBase: armotypes.PortalBase{
+	Attributes: map[string]interface{}{"useFromKubescapeVersion": "v1.0.135", "useUntilKubescapeVersion": 1.0135}}}
+
+func TestIsRuleKubescapeVersionCompatible(t *testing.T) {
+	// local build- no build number
+
+	// should not crash when the value of useUntilKubescapeVersion is not a string
+	buildNumberMock := "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_from.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_invalid_until.Attributes, buildNumberMock))
+	// should use only rules that don't have "until"
+	buildNumberMock = ""
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.130"
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.132"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.133"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+
+	// should only use rules that version is in range of use
+	buildNumberMock = "v1.0.135"
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_131.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_132.Attributes, buildNumberMock))
+	assert.False(t, isRuleKubescapeVersionCompatible(rule_v1_0_133.Attributes, buildNumberMock))
+	assert.True(t, isRuleKubescapeVersionCompatible(rule_v1_0_134.Attributes, buildNumberMock))
+}

core/cautils/display.go

@@ -9,7 +9,7 @@ import (
 
 	spinnerpkg "github.com/briandowns/spinner"
 	"github.com/jwalton/gchalk"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
 	"github.com/schollz/progressbar/v3"

core/cautils/fileutils.go

@@ -7,16 +7,14 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
-	"golang.org/x/exp/slices"
-
-	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	"gopkg.in/yaml.v3"
 )
 
@@ -57,7 +55,6 @@ func LoadResourcesFromHelmCharts(ctx context.Context, basePath string) (map[stri
 				logger.L().Ctx(ctx).Warning(fmt.Sprintf("Rendering of Helm chart template '%s', failed: %v", chart.GetName(), errs))
 				continue
 			}
-
 			chartName := chart.GetName()
 			for k, v := range wls {
 				sourceToWorkloads[k] = v
@@ -325,7 +322,7 @@ func glob(root, pattern string, onlyDirectories bool) ([]string, error) {
 			return nil
 		}
 		fileFormat := getFileFormat(path)
-		if !(fileFormat == JSON_FILE_FORMAT || fileFormat == YAML_FILE_FORMAT) {
+		if fileFormat != JSON_FILE_FORMAT && fileFormat != YAML_FILE_FORMAT {
 			return nil
 		}
 		if matched, err := filepath.Match(pattern, filepath.Base(path)); err != nil {

core/cautils/fileutils_test.go

@@ -49,6 +49,7 @@ func TestLoadResourcesFromHelmCharts(t *testing.T) {
 	assert.Equal(t, 6, len(sourceToWorkloads))
 
 	for file, workloads := range sourceToWorkloads {
+
 		assert.Equalf(t, 1, len(workloads), "expected 1 workload in file %s", file)
 
 		w := workloads[0]

core/cautils/getter/downloadreleasedpolicy.go

@@ -5,11 +5,9 @@ import (
 	"strings"
 
 	"github.com/armosec/armoapi-go/armotypes"
-
 	"github.com/kubescape/opa-utils/reporthandling"
 	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
-
-	"github.com/kubescape/regolibrary/gitregostore"
+	"github.com/kubescape/regolibrary/v2/gitregostore"
 )
 
 // =======================================================================================================================
@@ -29,7 +27,7 @@ type DownloadReleasedPolicy struct {
 
 func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	return &DownloadReleasedPolicy{
-		gs: gitregostore.NewDefaultGitRegoStore(-1),
+		gs: gitregostore.NewGitRegoStoreV2(-1),
 	}
 }
 

core/cautils/getter/getpoliciesutils_test.go

@@ -1,7 +1,7 @@
 package getter
 
 import (
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -102,7 +102,7 @@ func TestHttpRespToString_NilResponse(t *testing.T) {
 
 func TestHttpRespToString_ValidResponse(t *testing.T) {
 	resp := &http.Response{
-		Body:       ioutil.NopCloser(strings.NewReader("test response")),
+		Body:       io.NopCloser(strings.NewReader("test response")),
 		Status:     "200 OK",
 		StatusCode: 200,
 	}
@@ -114,7 +114,7 @@ func TestHttpRespToString_ValidResponse(t *testing.T) {
 // Returns an error with status and reason when unable to read response body.
 func TestHttpRespToString_ReadError(t *testing.T) {
 	resp := &http.Response{
-		Body: ioutil.NopCloser(strings.NewReader("test response")),
+		Body: io.NopCloser(strings.NewReader("test response")),
 	}
 	resp.Body.Close()
 	result, err := httpRespToString(resp)
@@ -125,7 +125,7 @@ func TestHttpRespToString_ReadError(t *testing.T) {
 // Returns an error with status and reason when unable to read response body.
 func TestHttpRespToString_ErrorCodeLessThan200(t *testing.T) {
 	resp := &http.Response{
-		Body:       ioutil.NopCloser(strings.NewReader("test response")),
+		Body:       io.NopCloser(strings.NewReader("test response")),
 		StatusCode: 100,
 	}
 	resp.Body.Close()

core/cautils/getter/kscloudapi_test.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
-	"os"
 	"strings"
 	"sync"
 	"testing"
@@ -25,10 +24,6 @@ const (
 
 var (
 	globalMx sync.Mutex // a mutex to avoid data races on package globals while testing
-
-	testOptions = []v1.KSCloudOption{
-		v1.WithTrace(os.Getenv("DEBUG_TEST") != ""),
-	}
 )
 
 func TestGlobalKSCloudAPIConnector(t *testing.T) {
@@ -113,8 +108,6 @@ func mockAPIServer(t testing.TB) *testServer {
 		defer func() { _ = r.Body.Close() }()
 		_, _ = io.Copy(w, r.Body)
 
-		return
-
 	})
 
 	return server

core/cautils/getter/loadpolicy.go

@@ -226,7 +226,7 @@ func (lp *LoadPolicy) GetControlsInputs(_ /* clusterName */ string) (map[string]
 	buf, err := os.ReadFile(filePath)
 	if err != nil {
 		formattedError := fmt.Errorf(
-			`Error opening %s file, "controls-config" will be downloaded from ARMO management portal`,
+			`error opening %s file, "controls-config" will be downloaded from ARMO management portal`,
 			fileName,
 		)
 
@@ -236,7 +236,7 @@ func (lp *LoadPolicy) GetControlsInputs(_ /* clusterName */ string) (map[string]
 	controlInputs := make(map[string][]string, 100) // from armotypes.Settings.PostureControlInputs
 	if err = json.Unmarshal(buf, &controlInputs); err != nil {
 		formattedError := fmt.Errorf(
-			`Error reading %s file, %v, "controls-config" will be downloaded from ARMO management portal`,
+			`error reading %s file, %v, "controls-config" will be downloaded from ARMO management portal`,
 			fileName, err,
 		)
 

core/cautils/git_native_disabled.go

@@ -1,5 +1,3 @@
-//go:build !gitenabled
-
 package cautils
 
 import (

core/cautils/git_native_enabled.go

@@ -1,146 +0,0 @@
-//go:build gitenabled
-
-package cautils
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/kubescape/go-git-url/apis"
-	git2go "github.com/libgit2/git2go/v33"
-)
-
-type gitRepository struct {
-	git2GoRepo       *git2go.Repository
-	fileToLastCommit map[string]*git2go.Commit
-}
-
-func newGitRepository(root string) (*gitRepository, error) {
-	git2GoRepo, err := git2go.OpenRepository(root)
-	if err != nil {
-		return nil, err
-	}
-
-	return &gitRepository{
-		git2GoRepo: git2GoRepo,
-	}, nil
-}
-
-func (g *gitRepository) GetFileLastCommit(filePath string) (*apis.Commit, error) {
-	if len(g.fileToLastCommit) == 0 {
-		g.buildCommitMap()
-	}
-
-	if relevantCommit, exists := g.fileToLastCommit[filePath]; exists {
-		return g.getCommit(relevantCommit), nil
-	}
-
-	return nil, fmt.Errorf("failed to get commit information for file: %s", filePath)
-}
-
-func (g *gitRepository) buildCommitMap() {
-	filePathToCommitTime := map[string]time.Time{}
-	filePathToCommit := map[string]*git2go.Commit{}
-	allCommits, _ := g.getAllCommits()
-
-	// builds a map of all files to their last commit
-	for _, commit := range allCommits {
-		// Ignore merge commits (2+ parents)
-		if commit.ParentCount() <= 1 {
-			tree, err := commit.Tree()
-			if err != nil {
-				continue
-			}
-
-			// ParentCount can be either 1 or 0 (initial commit)
-			// In case it's the initial commit, prevTree is nil
-			var prevTree *git2go.Tree
-			if commit.ParentCount() == 1 {
-				prevCommit := commit.Parent(0)
-				prevTree, err = prevCommit.Tree()
-				if err != nil {
-					continue
-				}
-			}
-
-			diff, err := g.git2GoRepo.DiffTreeToTree(prevTree, tree, nil)
-			if err != nil {
-				continue
-			}
-
-			numDeltas, err := diff.NumDeltas()
-			if err != nil {
-				continue
-			}
-
-			for i := 0; i < numDeltas; i++ {
-				delta, err := diff.Delta(i)
-				if err != nil {
-					continue
-				}
-
-				deltaFilePath := delta.NewFile.Path
-				commitTime := commit.Author().When
-
-				// In case we have the commit information for the file which is not the latest - we override it
-				if currentCommitTime, exists := filePathToCommitTime[deltaFilePath]; exists {
-					if currentCommitTime.Before(commitTime) {
-						filePathToCommitTime[deltaFilePath] = commitTime
-						filePathToCommit[deltaFilePath] = commit
-					}
-				} else {
-					filePathToCommitTime[deltaFilePath] = commitTime
-					filePathToCommit[deltaFilePath] = commit
-				}
-			}
-		}
-	}
-
-	g.fileToLastCommit = filePathToCommit
-}
-
-func (g *gitRepository) getAllCommits() ([]*git2go.Commit, error) {
-	logItr, itrErr := g.git2GoRepo.Walk()
-	if itrErr != nil {
-
-		return nil, itrErr
-	}
-
-	pushErr := logItr.PushHead()
-	if pushErr != nil {
-		return nil, pushErr
-	}
-
-	var allCommits []*git2go.Commit
-	err := logItr.Iterate(func(commit *git2go.Commit) bool {
-		if commit != nil {
-			allCommits = append(allCommits, commit)
-			return true
-		}
-		return false
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return allCommits, nil
-}
-
-func (g *gitRepository) getCommit(commit *git2go.Commit) *apis.Commit {
-	return &apis.Commit{
-		SHA: commit.Id().String(),
-		Author: apis.Committer{
-			Name:  commit.Author().Name,
-			Email: commit.Author().Email,
-			Date:  commit.Author().When,
-		},
-		Message:   commit.Message(),
-		Committer: apis.Committer{},
-		Files:     []apis.Files{},
-	}
-}

core/cautils/helmchart.go

@@ -1,18 +1,26 @@
 package cautils
 
 import (
+	"fmt"
+	"io"
+	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	helmchart "helm.sh/helm/v3/pkg/chart"
 	helmloader "helm.sh/helm/v3/pkg/chart/loader"
 	helmchartutil "helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/cli"
+	helmdownloader "helm.sh/helm/v3/pkg/downloader"
 	helmengine "helm.sh/helm/v3/pkg/engine"
+	helmgetter "helm.sh/helm/v3/pkg/getter"
+	helmregistry "helm.sh/helm/v3/pkg/registry"
+	"k8s.io/client-go/util/homedir"
 )
 
 type HelmChart struct {
@@ -24,7 +32,51 @@ func IsHelmDirectory(path string) (bool, error) {
 	return helmchartutil.IsChartDir(path)
 }
 
+// newRegistryClient creates a Helm registry client for chart authentication
+func newRegistryClient(certFile, keyFile, caFile string, insecureSkipTLS, plainHTTP bool, username, password string) (*helmregistry.Client, error) {
+	// Basic client options with debug disabled
+	opts := []helmregistry.ClientOption{
+		helmregistry.ClientOptDebug(false),
+		helmregistry.ClientOptWriter(io.Discard),
+	}
+
+	// Add TLS certificates if provided
+	if certFile != "" && keyFile != "" {
+		opts = append(opts, helmregistry.ClientOptCredentialsFile(certFile))
+	}
+
+	// Add CA certificate if provided
+	if caFile != "" {
+		opts = append(opts, helmregistry.ClientOptCredentialsFile(caFile))
+	}
+
+	// Enable plain HTTP if needed
+	if insecureSkipTLS {
+		opts = append(opts, helmregistry.ClientOptPlainHTTP())
+	}
+
+	registryClient, err := helmregistry.NewClient(opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return registryClient, nil
+}
+
+// defaultKeyring returns the default GPG keyring path for chart verification
+func defaultKeyring() string {
+	if v, ok := os.LookupEnv("GNUPGHOME"); ok {
+		return filepath.Join(v, "pubring.gpg")
+	}
+	return filepath.Join(homedir.HomeDir(), ".gnupg", "pubring.gpg")
+}
+
 func NewHelmChart(path string) (*HelmChart, error) {
+	// Build chart dependencies before loading if Chart.lock exists
+	if err := buildDependencies(path); err != nil {
+		logger.L().Warning("Failed to build chart dependencies", helpers.String("path", path), helpers.Error(err))
+	}
+
 	chart, err := helmloader.Load(path)
 	if err != nil {
 		return nil, err
@@ -36,6 +88,35 @@ func NewHelmChart(path string) (*HelmChart, error) {
 	}, nil
 }
 
+// buildDependencies builds chart dependencies using the downloader manager
+func buildDependencies(chartPath string) error {
+	// Create registry client for authentication
+	registryClient, err := newRegistryClient("", "", "", false, false, "", "")
+	if err != nil {
+		return fmt.Errorf("failed to create registry client: %w", err)
+	}
+
+	// Create downloader manager with required configuration
+	settings := cli.New()
+	manager := &helmdownloader.Manager{
+		Out:            io.Discard, // Suppress output during scanning
+		ChartPath:      chartPath,
+		Keyring:        defaultKeyring(),
+		SkipUpdate:     false, // Allow updates to get latest dependencies
+		Getters:        helmgetter.All(settings),
+		RegistryClient: registryClient,
+		Debug:          false,
+	}
+
+	// Build dependencies from Chart.lock file
+	err = manager.Build()
+	if e, ok := err.(helmdownloader.ErrRepoNotFound); ok {
+		return fmt.Errorf("%s. Please add missing repos via 'helm repo add'", e.Error())
+	}
+
+	return err
+}
+
 func (hc *HelmChart) GetName() string {
 	return hc.chart.Name()
 }
@@ -44,7 +125,7 @@ func (hc *HelmChart) GetDefaultValues() map[string]interface{} {
 	return hc.chart.Values
 }
 
-// GetWorkloads renders chart template using the default values and returns a map of source file to its workloads
+// GetWorkloadsWithDefaultValues renders chart template using the default values and returns a map of source file to its workloads
 func (hc *HelmChart) GetWorkloadsWithDefaultValues() (map[string][]workloadinterface.IMetadata, []error) {
 	return hc.GetWorkloads(hc.GetDefaultValues())
 }
@@ -55,14 +136,13 @@ func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]w
 	if err != nil {
 		return nil, []error{err}
 	}
-
 	sourceToFile, err := helmengine.Render(hc.chart, vals)
 	if err != nil {
 		return nil, []error{err}
 	}
 
-	workloads := make(map[string][]workloadinterface.IMetadata, 0)
-	errs := []error{}
+	workloads := make(map[string][]workloadinterface.IMetadata)
+	var errs []error
 
 	for path, renderedYaml := range sourceToFile {
 		if !IsYaml(strings.ToLower(path)) {
@@ -76,8 +156,7 @@ func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]w
 		if len(wls) == 0 {
 			continue
 		}
-		// separate base path and file name. We do not use the os.Separator because the paths returned from the helm engine are not OS specific (e.g. mychart/templates/myfile.yaml)
-		if firstPathSeparatorIndex := strings.Index(path, string("/")); firstPathSeparatorIndex != -1 {
+		if firstPathSeparatorIndex := strings.Index(path, "/"); firstPathSeparatorIndex != -1 {
 			absPath := filepath.Join(hc.path, path[firstPathSeparatorIndex:])
 
 			workloads[absPath] = []workloadinterface.IMetadata{}
@@ -90,3 +169,20 @@ func (hc *HelmChart) GetWorkloads(values map[string]interface{}) (map[string][]w
 	}
 	return workloads, errs
 }
+
+func (hc *HelmChart) AddCommentToTemplate() {
+	for index, t := range hc.chart.Templates {
+		if IsYaml(strings.ToLower(t.Name)) {
+			var newLines []string
+			originalTemplate := string(t.Data)
+			lines := strings.Split(originalTemplate, "\n")
+
+			for index, line := range lines {
+				comment := " #This is the " + strconv.Itoa(index+1) + " line"
+				newLines = append(newLines, line+comment)
+			}
+			templateWithComment := strings.Join(newLines, "\n")
+			hc.chart.Templates[index].Data = []byte(templateWithComment)
+		}
+	}
+}

core/cautils/kustomizedirectory.go

@@ -4,12 +4,12 @@ import (
 	"os"
 	"path/filepath"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
-
 	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
@@ -76,7 +76,11 @@ func getKustomizeDirectoryName(path string) string {
 func (kd *KustomizeDirectory) GetWorkloads(kustomizeDirectoryPath string) (map[string][]workloadinterface.IMetadata, []error) {
 
 	fSys := filesys.MakeFsOnDisk()
-	kustomizer := krusty.MakeKustomizer(krusty.MakeDefaultOptions())
+	// Use LoadRestrictionsNone to allow loading resources from outside the kustomize directory.
+	// This is necessary for overlays that reference base configurations in parent directories.
+	opts := krusty.MakeDefaultOptions()
+	opts.LoadRestrictions = types.LoadRestrictionsNone
+	kustomizer := krusty.MakeKustomizer(opts)
 	resmap, err := kustomizer.Run(fSys, kustomizeDirectoryPath)
 
 	if err != nil {

core/cautils/kustomizedirectory_test.go

@@ -4,6 +4,8 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestGetKustomizeDirectoryName(t *testing.T) {
@@ -52,7 +54,7 @@ func TestGetKustomizeDirectoryName(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			tempFile := filepath.Join(tt.args.path, "kustomization.yaml")
 			if tt.createKustomization {
-				_ = os.WriteFile(tempFile, []byte(""), 0644)
+				_ = os.WriteFile(tempFile, []byte(""), 0600)
 			}
 			if got := getKustomizeDirectoryName(tt.args.path); got != tt.want {
 				t.Errorf("GetKustomizeDirectoryName() = %v, want %v", got, tt.want)
@@ -61,3 +63,83 @@ func TestGetKustomizeDirectoryName(t *testing.T) {
 		})
 	}
 }
+
+func kustomizeTestdataPath() string {
+	o, _ := os.Getwd()
+	return filepath.Join(o, "testdata", "kustomize")
+}
+
+// TestKustomizeOverlayWithBase tests that kustomize overlays can properly load
+// resources from base directories. This is the main fix for issue #1617.
+func TestKustomizeOverlayWithBase(t *testing.T) {
+	overlayPath := filepath.Join(kustomizeTestdataPath(), "overlays", "prod")
+
+	// Verify it's detected as a kustomize directory
+	assert.True(t, isKustomizeDirectory(overlayPath), "overlay should be detected as kustomize directory")
+
+	// Create kustomize directory and get workloads
+	kd := NewKustomizeDirectory(overlayPath)
+	workloads, errs := kd.GetWorkloads(overlayPath)
+
+	// Should not have errors - this was failing before the fix because
+	// overlays couldn't load resources from parent base directories
+	assert.Empty(t, errs, "should not have errors loading overlay with base reference")
+
+	// Should have workloads from the rendered overlay
+	assert.NotEmpty(t, workloads, "should have workloads from rendered kustomize overlay")
+
+	// The overlay should have produced exactly one deployment with the merged configuration
+	var deploymentFound bool
+	for _, wls := range workloads {
+		for _, wl := range wls {
+			if wl.GetKind() == "Deployment" && wl.GetName() == "test-app" {
+				deploymentFound = true
+
+				// Verify the deployment has the resource limits from the base
+				obj := wl.GetObject()
+				spec, ok := obj["spec"].(map[string]interface{})
+				assert.True(t, ok, "deployment should have spec")
+
+				template, ok := spec["template"].(map[string]interface{})
+				assert.True(t, ok, "deployment should have template")
+
+				templateSpec, ok := template["spec"].(map[string]interface{})
+				assert.True(t, ok, "template should have spec")
+
+				containers, ok := templateSpec["containers"].([]interface{})
+				assert.True(t, ok, "template spec should have containers")
+				assert.NotEmpty(t, containers, "should have at least one container")
+
+				container, ok := containers[0].(map[string]interface{})
+				assert.True(t, ok, "container should be a map")
+
+				resources, ok := container["resources"].(map[string]interface{})
+				assert.True(t, ok, "container should have resources (from base)")
+
+				limits, ok := resources["limits"].(map[string]interface{})
+				assert.True(t, ok, "resources should have limits")
+				assert.Equal(t, "500m", limits["cpu"], "cpu limit should be from base")
+				assert.Equal(t, "256Mi", limits["memory"], "memory limit should be from base")
+
+				// Verify overlay modifications were applied
+				replicas, ok := spec["replicas"].(int)
+				assert.True(t, ok, "replicas should be an int")
+				assert.Equal(t, 3, replicas, "replicas should be modified by overlay")
+			}
+		}
+	}
+	assert.True(t, deploymentFound, "deployment should be found in rendered output")
+}
+
+// TestKustomizeBaseDirectory tests that base directories work on their own
+func TestKustomizeBaseDirectory(t *testing.T) {
+	basePath := filepath.Join(kustomizeTestdataPath(), "base")
+
+	assert.True(t, isKustomizeDirectory(basePath), "base should be detected as kustomize directory")
+
+	kd := NewKustomizeDirectory(basePath)
+	workloads, errs := kd.GetWorkloads(basePath)
+
+	assert.Empty(t, errs, "should not have errors loading base directory")
+	assert.NotEmpty(t, workloads, "should have workloads from base directory")
+}

core/cautils/localgitrepository.go

@@ -1,7 +1,6 @@
 package cautils
 
 import (
-	"errors"
 	"fmt"
 	"path"
 	"strings"
@@ -19,8 +18,6 @@ type LocalGitRepository struct {
 	config    *configv5.Config
 }
 
-var ErrWarnNotSupportedByBuild = errors.New(`git commits retrieval not supported by this build. Build with tag "gitenabled" to enable the full git scan feature`)
-
 func NewLocalGitRepository(path string) (*LocalGitRepository, error) {
 	goGitRepo, err := gitv5.PlainOpenWithOptions(path, &gitv5.PlainOpenOptions{DetectDotGit: true})
 	if err != nil {
@@ -53,7 +50,7 @@ func NewLocalGitRepository(path string) (*LocalGitRepository, error) {
 
 	if repoRoot, err := l.GetRootDir(); err == nil {
 		gitRepository, err := newGitRepository(repoRoot)
-		if err != nil && !errors.Is(err, ErrWarnNotSupportedByBuild) {
+		if err != nil {
 			return l, err
 		}
 

core/cautils/mappingnode.go

@@ -0,0 +1,34 @@
+package cautils
+
+type ObjectID struct {
+	apiVersion string
+	kind       string
+}
+
+type MappingNode struct {
+	ObjectID           *ObjectID
+	Field              string
+	Value              string
+	TemplateFileName   string
+	TemplateLineNumber int
+}
+
+type MappingNodes struct {
+	Nodes            []map[string]MappingNode //Map line number of chart to template obj map[int]MappingNode
+	TemplateFileName string
+}
+
+func (node *MappingNode) writeInfoToNode(objectID *ObjectID, path string, lineNumber int, value string, fileName string) {
+	node.Field = path
+	node.TemplateLineNumber = lineNumber
+	node.ObjectID = objectID
+	node.Value = value
+	node.TemplateFileName = fileName
+}
+
+func NewMappingNodes() *MappingNodes {
+	mappingNodes := new(MappingNodes)
+	mappingNodes.TemplateFileName = ""
+	return mappingNodes
+
+}

core/cautils/normalize_image_name.go

@@ -1,7 +1,7 @@
 package cautils
 
 import (
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 )
 
 func NormalizeImageName(img string) (string, error) {

core/cautils/operartorscaninfo_test.go

@@ -81,7 +81,7 @@ func Test_GetRequestPayload(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			result := tc.OperatorScanInfo.GetRequestPayload()
+			result := tc.GetRequestPayload()
 			assert.Equal(t, tc.result, result)
 		})
 	}
@@ -136,8 +136,8 @@ func Test_ValidatePayload(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			payload := tc.OperatorScanInfo.GetRequestPayload()
-			result := tc.OperatorScanInfo.ValidatePayload(payload)
+			payload := tc.GetRequestPayload()
+			result := tc.ValidatePayload(payload)
 			assert.Equal(t, tc.result, result)
 		})
 	}

core/cautils/parseFile.go

@@ -0,0 +1,265 @@
+package cautils
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/kubescape/go-logger"
+	"github.com/mikefarah/yq/v4/pkg/yqlib"
+	"gopkg.in/op/go-logging.v1"
+)
+
+const (
+	CommentFormat = `#This is the (?P<line>\d*) line`
+)
+
+var apiVersionRe = regexp.MustCompile(`apiVersion: (?P<apiVersion>\S*)`)
+var kindRe = regexp.MustCompile(`kind: (?P<kind>\S*)`)
+var pathRe = regexp.MustCompile(`path: (?P<path>\S*)`)
+var typeRe = regexp.MustCompile(`type: '(?P<type>\S*)'`)
+var valueRe = regexp.MustCompile(`value: (?P<value>\[.+\]|\S*)`)
+var commentRe = regexp.MustCompile(CommentFormat)
+var seqRe = regexp.MustCompile(`.(?P<number>\d+)(?P<point>\.?)`)
+var newSeqRe = "[${number}]${point}"
+var newFileSeperator = "---"
+
+// change to use go func
+func GetMapping(fileName string, fileContent string) (*MappingNodes, error) {
+
+	node := new(MappingNode)
+	objectID := new(ObjectID)
+	subFileNodes := make(map[string]MappingNode)
+	mappingNodes := NewMappingNodes()
+	mappingNodes.TemplateFileName = fileName
+
+	lines := strings.Split(fileContent, "\n")
+
+	lastNumber := -1
+	reducedNumber := -1 // uses to make sure line and line in yq is the same
+
+	isApiVersionEmpty := true
+	isKindEmpty := true
+	var err error
+
+	var lineExpression = `..| select(line == %d)| {"destpath": path | join("."),"type": type,"value": .}`
+
+	for i, line := range lines {
+		index := i
+		if apiVersionRe.MatchString(line) {
+			isApiVersionEmpty, err = extractApiVersion(line, objectID)
+			if err != nil {
+				return nil, fmt.Errorf("extractApiVersion error: err, %s", err.Error())
+			}
+			if reducedNumber == -1 {
+				reducedNumber = index + reducedNumber
+			}
+			continue
+		} else if kindRe.MatchString(line) {
+			isKindEmpty, err = extractKind(line, objectID)
+			if err != nil {
+				return nil, fmt.Errorf("extractKind error: err, %s", err.Error())
+			}
+			continue
+		} else if strings.Contains(line, newFileSeperator) { //At least two files in one yaml
+			mappingNodes.Nodes = append(mappingNodes.Nodes, subFileNodes)
+			// Restart a subfileNode
+			isApiVersionEmpty = false
+			isKindEmpty = false
+			subFileNodes = make(map[string]MappingNode)
+			continue
+		}
+
+		if !isApiVersionEmpty || !isKindEmpty {
+			// not sure if it can go to the end
+			index = index - reducedNumber
+			expression := fmt.Sprintf(lineExpression, index)
+			output, err := getYamlLineInfo(expression, fileContent)
+			if err != nil {
+				return nil, err
+			}
+
+			path := extractParameter(pathRe, output, "$path")
+			//if path is empty, continue
+			if path != "" && path != "\"\"" {
+				if isApiVersionEmpty || isKindEmpty {
+					return nil, fmt.Errorf("there is no enough objectID info")
+				}
+				splits := strings.Split(output, "dest")
+				if len(splits) < 2 {
+					return nil, fmt.Errorf("something wrong with the length of the splits, which is %d", len(splits))
+				} else {
+					// cut the redundant one
+					splits = splits[1:]
+					lastNumber, err = writeNodes(splits, lastNumber, fileName, node, objectID, subFileNodes)
+					if err != nil {
+						return nil, fmt.Errorf("writeNodes err: %s", err.Error())
+					}
+				}
+			}
+
+		}
+
+		if i == len(lines)-1 {
+			mappingNodes.Nodes = append(mappingNodes.Nodes, subFileNodes)
+		}
+	}
+	return mappingNodes, nil
+}
+
+func writeNodes(splits []string, lastNumber int, fileName string, node *MappingNode, objectID *ObjectID, subFileNodes map[string]MappingNode) (int, error) {
+	for _, split := range splits {
+		path := extractPath(split)
+		mapMatched, err := extractMapType(split)
+		if err != nil {
+			return -1, fmt.Errorf("extractMapType err: %s", err.Error())
+		}
+		if mapMatched {
+			lastNumber, err = writeNoteToMapping(split, lastNumber, path, fileName, node, objectID, true, subFileNodes)
+			if err != nil {
+				return -1, fmt.Errorf("map type: writeNoteToMapping, err: %s", err.Error())
+			}
+
+		} else {
+			lastNumber, err = writeNoteToMapping(split, lastNumber, path, fileName, node, objectID, false, subFileNodes)
+			if err != nil {
+				return -1, fmt.Errorf("not map type: writeNoteToMapping, err: %s", err.Error())
+			}
+		}
+	}
+	return lastNumber, nil
+}
+
+func writeNoteToMapping(split string, lastNumber int, path string, fileName string, node *MappingNode, objectID *ObjectID, isMapType bool, subFileNodes map[string]MappingNode) (int, error) {
+	newlastNumber, err := writeNodeInfo(split, lastNumber, path, fileName, node, objectID, isMapType)
+	if err != nil {
+		return 0, fmt.Errorf("isMapType: %v, writeNodeInfo wrong err: %s", isMapType, err.Error())
+	}
+	if _, ok := subFileNodes[path]; !ok { // Assume the path is unique in one subfile
+		subFileNodes[path] = *node
+	}
+	// else {
+	// 	return 0, fmt.Errorf("isMapType: %v, %s in mapping.Nodes exists", isMapType, path)
+	// }
+	return newlastNumber, nil
+}
+
+func writeNodeInfo(split string, lastNumber int, path string, fileName string, node *MappingNode, objectID *ObjectID, isMapType bool) (int, error) {
+	value, lineNumber, newLastNumber, err := getInfoFromOne(split, lastNumber, isMapType)
+	if err != nil {
+		return -1, fmt.Errorf("getInfoFromOne wrong err: %s", err.Error())
+	}
+	// lastNumber = newLastNumber
+	node.writeInfoToNode(objectID, path, lineNumber, value, fileName)
+	return newLastNumber, nil
+}
+
+func getInfoFromOne(output string, lastNumber int, isMapType bool) (value string, lineNumber int, newLastNumber int, err error) {
+	if isMapType {
+		value = ""
+	} else {
+		value = extractParameter(valueRe, output, "$value")
+	}
+	number := extractParameter(commentRe, output, "$line")
+	if number != "" {
+		lineNumber, err = strconv.Atoi(number)
+		if err != nil {
+			return "", -1, -1, fmt.Errorf("strconv.Atoi err: %s", err.Error())
+		}
+		if isMapType {
+			lineNumber = lineNumber - 1
+		}
+		// save to structure
+	} else {
+		lineNumber = lastNumber
+		// use the last one number
+	}
+	newLastNumber = lineNumber
+	return value, lineNumber, newLastNumber, nil
+}
+
+func getYamlLineInfo(expression string, yamlFile string) (string, error) {
+	out, err := exectuateYq(expression, yamlFile)
+	if err != nil {
+		return "", fmt.Errorf("exectuate yqlib err: %s", err.Error())
+	}
+	return out, nil
+}
+
+func exectuateYq(expression string, yamlContent string) (string, error) {
+
+	backendLoggerLeveled := logging.AddModuleLevel(logging.NewLogBackend(logger.L().GetWriter(), "", 0))
+	backendLoggerLeveled.SetLevel(logging.ERROR, "")
+	yqlib.GetLogger().SetBackend(backendLoggerLeveled)
+
+	encoder := configureEncoder()
+
+	decoder := configureDecoder(false)
+
+	stringEvaluator := yqlib.NewStringEvaluator()
+
+	out, err := stringEvaluator.Evaluate(expression, yamlContent, encoder, decoder)
+	if err != nil {
+		return "", fmt.Errorf("no matches found")
+	}
+	return out, err
+}
+
+func extractApiVersion(line string, objectID *ObjectID) (bool, error) {
+	apiVersion := extractParameter(apiVersionRe, line, "$apiVersion")
+	if apiVersion == "" {
+		return true, fmt.Errorf("something wrong when extracting the apiVersion, the line is %s", line)
+	}
+	objectID.apiVersion = apiVersion
+	return false, nil
+}
+
+func extractKind(line string, objectID *ObjectID) (bool, error) {
+	kind := extractParameter(kindRe, line, "$kind")
+	if kind == "" {
+		return true, fmt.Errorf("something wrong when extracting the kind, the line is %s", line)
+	}
+	objectID.kind = kind
+	return false, nil
+}
+func extractPath(split string) string {
+	path := extractParameter(pathRe, split, "$path")
+	// For each match of the regex in the content.
+	path = seqRe.ReplaceAllString(path, newSeqRe)
+	return path
+}
+
+func extractMapType(split string) (bool, error) {
+	pathType := extractParameter(typeRe, split, "$type")
+	mapMatched, err := regexp.MatchString(`!!map`, pathType)
+	if err != nil {
+		err = fmt.Errorf("regexp.MatchString err: %s", err.Error())
+		return false, err
+	}
+	return mapMatched, nil
+}
+
+func extractParameter(re *regexp.Regexp, line string, keyword string) string {
+	submatch := re.FindStringSubmatchIndex(line)
+	result := []byte{}
+	result = re.ExpandString(result, keyword, line, submatch)
+	parameter := string(result)
+	return parameter
+}
+
+//yqlib configuration
+
+func configureEncoder() yqlib.Encoder {
+	indent := 2
+	colorsEnabled := false
+	yqlibEncoder := yqlib.NewYamlEncoder(indent, colorsEnabled, yqlib.ConfiguredYamlPreferences)
+	return yqlibEncoder
+}
+
+func configureDecoder(evaluateTogether bool) yqlib.Decoder {
+	prefs := yqlib.ConfiguredYamlPreferences
+	prefs.EvaluateTogether = evaluateTogether
+	yqlibDecoder := yqlib.NewYamlDecoder(prefs)
+	return yqlibDecoder
+}

core/cautils/parseFile_test.go

@@ -0,0 +1,79 @@
+package cautils
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	helmchartutil "helm.sh/helm/v3/pkg/chartutil"
+	helmengine "helm.sh/helm/v3/pkg/engine"
+)
+
+type HelmChartGetMappingSuite struct {
+	suite.Suite
+	helmChartPath string
+	expectedFiles []string
+	fileContent   map[string]string
+}
+
+func TestHelmChartGetMappingSuite(t *testing.T) {
+	suite.Run(t, new(HelmChartGetMappingSuite))
+}
+
+func (s *HelmChartGetMappingSuite) SetupSuite() {
+	o, _ := os.Getwd()
+
+	s.helmChartPath = filepath.Join(filepath.Dir(o), "..", "examples", "helm_chart_mapping_node")
+
+	s.expectedFiles = []string{
+		filepath.Join(s.helmChartPath, "templates", "clusterrolebinding.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "clusterrole.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "serviceaccount.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "rolebinding.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "role.yaml"),
+		filepath.Join(s.helmChartPath, "templates", "cronjob.yaml"),
+	}
+
+	s.fileContent = make(map[string]string)
+
+	hc, _ := NewHelmChart(s.helmChartPath)
+
+	values := hc.GetDefaultValues()
+
+	vals, _ := helmchartutil.ToRenderValues(hc.chart, values, helmchartutil.ReleaseOptions{}, nil)
+
+	sourceToFile, _ := helmengine.Render(hc.chart, vals)
+
+	s.fileContent = sourceToFile
+
+}
+
+func (s *HelmChartGetMappingSuite) TestGetMapping() {
+	fileNodes, err := GetMapping("rolebinding.yaml", s.fileContent["kubescape/templates/rolebinding.yaml"])
+	s.NoError(err, "Get Mapping nodes correctly")
+	s.Equal(fileNodes.TemplateFileName, "rolebinding.yaml")
+	s.Len(fileNodes.Nodes, 1)
+	s.Len(fileNodes.Nodes[0], 13)
+}
+
+func (s *HelmChartGetMappingSuite) TestGetMappingFromFileContainsMultipleSubFiles() {
+	fileNodes, err := GetMapping("serviceaccount.yaml", s.fileContent["kubescape/templates/serviceaccount.yaml"])
+	s.NoError(err, "Get Mapping nodes correctly")
+	s.Equal(fileNodes.TemplateFileName, "serviceaccount.yaml")
+	s.Len(fileNodes.Nodes, 2)
+	s.Len(fileNodes.Nodes[0], 8)
+	s.Len(fileNodes.Nodes[1], 2)
+}
+
+func (s *HelmChartGetMappingSuite) TestGetMappingFromFileCWithoutKindOrApiVersion() {
+	fileNodes, err := GetMapping("clusterrole.yaml", s.fileContent["kubescape/templates/clusterrole.yaml"])
+	s.Contains(err.Error(), "there is no enough objectID info")
+	s.Nil(fileNodes)
+}
+
+func (s *HelmChartGetMappingSuite) TestGetMappingFromFileCWithoutApiVersion() {
+	fileNodes, err := GetMapping("clusterrolebinding.yaml", s.fileContent["kubescape/templates/clusterrolebinding.yaml"])
+	s.Contains(err.Error(), "there is no enough objectID info")
+	s.Nil(fileNodes)
+}

core/cautils/portforwarder.go

@@ -78,7 +78,7 @@ func (p *portForward) StopPortForwarder() {
 
 func (p *portForward) StartPortForwarder() error {
 	go func() {
-		p.PortForwarder.ForwardPorts()
+		p.ForwardPorts()
 	}()
 	p.waitForPortForwardReadiness()
 

core/cautils/portforwarder_test.go

@@ -64,7 +64,7 @@ func Test_CreatePortForwarder(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			k8sClient := k8sinterface.KubernetesApi{
-				KubernetesClient: fake.NewSimpleClientset(),
+				KubernetesClient: fake.NewClientset(),
 				K8SConfig: &rest.Config{
 					Host: "any",
 				},
@@ -105,7 +105,7 @@ func Test_GetPortForwardLocalhost(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			k8sClient := k8sinterface.KubernetesApi{
-				KubernetesClient: fake.NewSimpleClientset(),
+				KubernetesClient: fake.NewClientset(),
 				K8SConfig: &rest.Config{
 					Host: "any",
 				},

core/cautils/rbac.go

@@ -4,10 +4,9 @@ import (
 	"encoding/json"
 	"time"
 
-	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
-
 	"github.com/google/uuid"
 	"github.com/kubescape/k8s-interface/workloadinterface"
+	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 	"github.com/kubescape/rbac-utils/rbacscanner"
 	"github.com/kubescape/rbac-utils/rbacutils"
 )
@@ -85,7 +84,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRole")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -95,7 +94,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("Role")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -105,7 +104,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -115,7 +114,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the the correct apiVersion?
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1" // TODO - is the correct apiVersion?
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("RoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta

core/cautils/remotegitutils.go

@@ -1,6 +1,7 @@
-package resourcehandler
+package cautils
 
 import (
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	nethttp "net/http"
@@ -12,8 +13,44 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	giturl "github.com/kubescape/go-git-url"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 )
 
+var tmpDirPaths map[string]string
+
+func hashRepoURL(repoURL string) string {
+	h := sha256.New()
+	h.Write([]byte(repoURL))
+	return string(h.Sum(nil))
+}
+
+func getDirPath(repoURL string) string {
+	if tmpDirPaths == nil {
+		return ""
+	}
+	return tmpDirPaths[hashRepoURL(repoURL)]
+}
+
+// Create a temporary directory this function is called once
+func createTempDir(repoURL string) (string, error) {
+	tmpDirPath := getDirPath(repoURL)
+	if tmpDirPath != "" {
+		return tmpDirPath, nil
+	}
+	// create temp directory
+	tmpDir, err := os.MkdirTemp("", "")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary directory: %w", err)
+	}
+	if tmpDirPaths == nil {
+		tmpDirPaths = make(map[string]string)
+	}
+	tmpDirPaths[hashRepoURL(repoURL)] = tmpDir
+
+	return tmpDir, nil
+}
+
 // To Check if the given repository is Public(No Authentication needed), send a HTTP GET request to the URL
 // If response code is 200, the repository is Public.
 func isGitRepoPublic(u string) bool {
@@ -55,34 +92,38 @@ func getProviderError(gitURL giturl.IGitAPI) error {
 
 // cloneRepo clones a repository to a local temporary directory and returns the directory
 func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
-
-	// Create temp directory
-	tmpDir, err := os.MkdirTemp("", "")
-	if err != nil {
-		return "", fmt.Errorf("failed to create temporary directory: %w", err)
-	}
-
-	// Get the URL to clone
 	cloneURL := gitURL.GetHttpCloneURL()
 
-	isGitRepoPublic := isGitRepoPublic(cloneURL)
+	// Check if directory exists
+	if p := getDirPath(cloneURL); p != "" {
+		// directory exists, meaning this repo was cloned
+		return p, nil
+	}
+	// Get the URL to clone
+
+	// Create temp directory
+	tmpDir, err := createTempDir(cloneURL)
+	if err != nil {
+		return "", err
+	}
+
+	isGitTokenPresent := isGitTokenPresent(gitURL)
 
 	// Declare the authentication variable required for cloneOptions
 	var auth transport.AuthMethod
 
-	if isGitRepoPublic {
-		// No authentication needed if repository is public
-		auth = nil
-	} else {
-
-		// Return Error if the AUTH_TOKEN is not present
-		if isGitTokenPresent := isGitTokenPresent(gitURL); !isGitTokenPresent {
-			return "", getProviderError(gitURL)
-		}
+	if isGitTokenPresent {
 		auth = &http.BasicAuth{
 			Username: "x-token-auth",
 			Password: gitURL.GetToken(),
 		}
+	} else {
+		// If the repository is public, no authentication is needed
+		if isGitRepoPublic(cloneURL) {
+			auth = nil
+		} else {
+			return "", getProviderError(gitURL)
+		}
 	}
 
 	// For Azure repo cloning
@@ -102,6 +143,42 @@ func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to clone %s. %w", gitURL.GetRepoName(), err)
 	}
+	// tmpDir = filepath.Join(tmpDir, gitURL.GetRepoName())
+	tmpDirPaths[hashRepoURL(cloneURL)] = tmpDir
 
 	return tmpDir, nil
 }
+
+// CloneGitRepo clone git repository
+func CloneGitRepo(path *string) (string, error) {
+	var clonedDir string
+
+	gitURL, err := giturl.NewGitAPI(*path)
+	if err != nil {
+		return "", nil
+	}
+
+	// Clone git repository if needed
+	logger.L().Start("cloning", helpers.String("repository url", gitURL.GetURL().String()))
+
+	clonedDir, err = cloneRepo(gitURL)
+	if err != nil {
+		logger.L().StopError("failed to clone git repo", helpers.String("url", gitURL.GetURL().String()), helpers.Error(err))
+		return "", fmt.Errorf("failed to clone git repo '%s',  %w", gitURL.GetURL().String(), err)
+	}
+	*path = clonedDir
+
+	logger.L().StopSuccess("Done accessing remote repo")
+
+	return clonedDir, nil
+}
+
+func GetClonedPath(path string) string {
+
+	gitURL, err := giturl.NewGitAPI(path)
+	if err != nil {
+		return ""
+	}
+
+	return getDirPath(gitURL.GetHttpCloneURL())
+}