Merge pull request #1718 from kubescape/fixfix

fix include/exclude NS for SA discovered via CRB

.github/workflows/00-pr-scanner.yaml

@@ -23,7 +23,6 @@ jobs:
     permissions:
       actions: read
       checks: read
-      contents: read
       deployments: read
       id-token: write
       issues: read
@@ -35,6 +34,7 @@ jobs:
       security-events: read
       statuses: read
       attestations: read
+      contents: write
     uses: ./.github/workflows/a-pr-scanner.yaml
     with:
       RELEASE: ""
@@ -48,7 +48,7 @@ jobs:
     permissions:
       actions: read
       checks: read
-      contents: read
+      contents: write
       deployments: read
       discussions: read
       id-token: write

.github/workflows/02-release.yaml

@@ -19,7 +19,6 @@ jobs:
     permissions:
       actions: read
       checks: read
-      contents: read
       deployments: read
       discussions: read
       id-token: write
@@ -30,6 +29,7 @@ jobs:
       repository-projects: read
       security-events: read
       statuses: read
+      contents: write
       attestations: write
     needs: [retag]
     uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
@@ -68,7 +68,6 @@ jobs:
     permissions:
       actions: read
       checks: read
-      contents: read
       deployments: read
       discussions: read
       id-token: write
@@ -80,6 +79,7 @@ jobs:
       security-events: read
       statuses: read
       attestations: read
+      contents: write
     uses: ./.github/workflows/d-publish-image.yaml
     needs: [create-release, retag]
     with:

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -18,7 +18,7 @@ on:
       GO_VERSION:
         required: false
         type: string
-        default: "1.21"
+        default: "1.22"
       GO111MODULE:
         required: false
         type: string
@@ -30,7 +30,32 @@ on:
       BINARY_TESTS:
         type: string
         required: false
-        default: '["ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", "ks_microservice_triggering_with_cron_job", "ks_microservice_update_cronjob_schedule", "ks_microservice_delete_cronjob", "ks_microservice_create_2_cronjob_mitre_and_nsa", "ks_microservice_ns_creation", "ks_microservice_on_demand", "ks_microservice_mitre_framework_on_demand", "ks_microservice_nsa_and_mitre_framework_demand", "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_with_exception_to_backend", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "control_cluster_from_CLI_config_scan_exclude_namespaces", "control_cluster_from_CLI_config_scan_include_namespaces", "control_cluster_from_CLI_config_scan_host_scanner_enabled", "control_cluster_from_CLI_config_scan_MITRE_framework", "control_cluster_from_CLI_vulnerabilities_scan_default", "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces"]'
+        default: '[
+          "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy",
+          "ks_microservice_triggering_with_cron_job",
+          "ks_microservice_update_cronjob_schedule",
+          "ks_microservice_delete_cronjob",
+          "ks_microservice_create_2_cronjob_mitre_and_nsa",
+          "ks_microservice_ns_creation",
+          "ks_microservice_on_demand",
+          "ks_microservice_mitre_framework_on_demand",
+          "ks_microservice_nsa_and_mitre_framework_demand",
+          "scan_nsa",
+          "scan_mitre",
+          "scan_with_exceptions",
+          "scan_repository",
+          "scan_local_file",
+          "scan_local_glob_files",
+          "scan_local_list_of_files",
+          "scan_with_exception_to_backend",
+          "scan_nsa_and_submit_to_backend",
+          "scan_mitre_and_submit_to_backend",
+          "scan_local_repository_and_submit_to_backend",
+          "scan_repository_from_url_and_submit_to_backend",
+          "scan_with_custom_framework",
+          "scan_customer_configuration",
+          "scan_compliance_score"
+          ]'
 
   workflow_call:
     inputs:
@@ -45,7 +70,7 @@ on:
         type: string
       GO_VERSION:
         type: string
-        default: "1.21"
+        default: "1.22"
       GO111MODULE:
         required: true
         type: string
@@ -54,7 +79,25 @@ on:
         default: 1
       BINARY_TESTS:
         type: string
-        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score", "scan_custom_framework_scanning_file_scope_testing", "scan_custom_framework_scanning_cluster_scope_testing", "scan_custom_framework_scanning_cluster_and_file_scope_testing" ]'
+        default: '[ 
+          "scan_nsa", 
+          "scan_mitre", 
+          "scan_with_exceptions", 
+          "scan_repository", 
+          "scan_local_file", 
+          "scan_local_glob_files", 
+          "scan_local_list_of_files", 
+          "scan_nsa_and_submit_to_backend", 
+          "scan_mitre_and_submit_to_backend", 
+          "scan_local_repository_and_submit_to_backend", 
+          "scan_repository_from_url_and_submit_to_backend", 
+          "scan_with_custom_framework", 
+          "scan_customer_configuration", 
+          "scan_compliance_score", 
+          "scan_custom_framework_scanning_file_scope_testing", 
+          "scan_custom_framework_scanning_cluster_scope_testing", 
+          "scan_custom_framework_scanning_cluster_and_file_scope_testing"
+          ]'
 
 jobs:
   wf-preparation:
@@ -103,31 +146,48 @@ jobs:
     needs: wf-preparation
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-large
     steps:
+      - name: (debug) Step 1 - Check disk space before checkout
+        run: df -h
 
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           submodules: recursive
 
+      - name: (debug) Step 2 - Check disk space before installing Go
+        run: df -h
+
       - uses: actions/setup-go@v4
         name: Installing go
         with:
           go-version: ${{ inputs.GO_VERSION }}
           cache: true
 
+      - name: (debug) Step 3 - Check disk space before build
+        run: df -h
+
       - name: Test core pkg
         run: ${{ env.DOCKER_CMD }} go test -v ./...
         if: startsWith(github.ref, 'refs/tags')
 
+      - name: (debug) Step 4 - Check disk space before testing httphandler pkg
+        run: df -h
+
       - name: Test httphandler pkg
         run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
         if: startsWith(github.ref, 'refs/tags')
 
+      - name: (debug) Step 5 - Check disk space before setting up Syft
+        run: df -h
+
       - uses: anchore/sbom-action/download-syft@v0.15.2
         name: Setup Syft
 
+      - name: (debug) Step 6 - Check disk space before goreleaser
+        run: df -h
+
       - uses: goreleaser/goreleaser-action@v5
         name: Build
         with:
@@ -139,12 +199,18 @@ jobs:
           CLIENT: ${{ inputs.CLIENT }}
           CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
 
+      - name: (debug) Step 7 - Check disk space before smoke testing
+        run: df -h
+
       - name: Smoke Testing
         env:
           RELEASE: ${{ inputs.RELEASE }}
           KUBESCAPE_SKIP_UPDATE_CHECK: "true"
         run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest
 
+      - name: (debug) Step 8 - Check disk space before golangci-lint
+        run: df -h
+
       - name: golangci-lint
         continue-on-error: true
         uses: golangci/golangci-lint-action@v3
@@ -155,6 +221,9 @@ jobs:
           skip-pkg-cache: true
           skip-build-cache: true
 
+      - name: (debug) Step 9 - Check disk space before uploading artifacts
+        run: df -h
+
       - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
         name: Upload artifacts
         with:
@@ -162,9 +231,12 @@ jobs:
           path: dist/kubescape*
           if-no-files-found: error
 
+      - name: (debug) Step 10 - Check disk space after uploading artifacts
+        run: df -h
+
   build-http-image:
     permissions:
-      contents: read
+      contents: write
       id-token: write
       packages: write
       pull-requests: read
@@ -177,7 +249,7 @@ jobs:
       CGO_ENABLED: 0
       GO111MODULE: "on"
       BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.21"
+      GO_VERSION: "1.22"
       REQUIRED_TESTS: '[
                 "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", 
                 "ks_microservice_triggering_with_cron_job",
@@ -202,15 +274,8 @@ jobs:
                 "scan_repository_from_url_and_submit_to_backend", 
                 "scan_with_custom_framework", 
                 "scan_customer_configuration", 
-                "host_scanner", 
-                "scan_compliance_score", 
-                "control_cluster_from_CLI_config_scan_exclude_namespaces", 
-                "control_cluster_from_CLI_config_scan_include_namespaces", 
-                "control_cluster_from_CLI_config_scan_host_scanner_enabled", 
-                "control_cluster_from_CLI_config_scan_MITRE_framework", 
-                "control_cluster_from_CLI_vulnerabilities_scan_default", 
-                "control_cluster_from_CLI_vulnerabilities_scan_include_namespaces"
-              ]'
+                "scan_compliance_score"
+                ]'
       COSIGN: true
       HELM_E2E_TEST: true
       FORCE: true

.github/workflows/build-image.yaml

@@ -23,7 +23,7 @@ jobs:
     permissions:
       id-token: write
       packages: write
-      contents: read
+      contents: write
       pull-requests: read
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
     with:

.github/workflows/c-create-release.yaml

@@ -24,8 +24,8 @@ jobs:
       MAC_OS: macos-latest
       UBUNTU_OS: ubuntu-latest
       WINDOWS_OS: windows-latest
-    # permissions:
-    #   contents: write
+    permissions:
+      contents: write
     steps:
       - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
         id: download-artifact

.github/workflows/d-publish-image.yaml

@@ -2,7 +2,7 @@ name: d-publish-image
 permissions:
   actions: read
   checks: read
-  contents: read
+  contents: write
   deployments: read
   discussions: read
   id-token: write

.golangci.yml

@@ -1,6 +1,6 @@
 linters-settings:
   govet:
-    check-shadowing: true
+    shadow: true
   dupl:
     threshold: 200
   goconst:
@@ -24,7 +24,6 @@ linters:
     - gosimple
   disable:
     # temporarily disabled
-    - varcheck
     - errcheck
     - dupl
     - gocritic
@@ -36,8 +35,6 @@ linters:
     - unparam
     #- forbidigo # <- see later
     # should remain disabled
-    - deadcode   # deprecated linter
-    - maligned
     - lll
     - gochecknoinits
     - gochecknoglobals

README.md

@@ -20,13 +20,23 @@
   <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
 </picture>
 
-_An open-source Kubernetes security platform for your clusters, CI/CD pipelines, and IDE that seperates out the security signal from the scanner noise_
+_Comprehensive Kubernetes Security from Development to Runtime_
 
-Kubescape is an open-source Kubernetes security platform, built for use in your day-to-day workflow, by fitting into your clusters, CI/CD pipelines and IDE. It serves as a one-stop-shop for Kuberenetes security and includes vulnerability and misconfiguration scanning. You can run scans via the CLI, or add the Kubescape Helm chart, which gives an in-depth view of what is going on in the cluster.
+Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.
 
-Kubescape includes misconfiguration and vulnerability scanning as well as risk analysis and security compliance indicators. All results are presented in context and users get many cues on what to do based on scan results.Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
+**Key features of Kubescape include**
 
-Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
+* **Shift-left security**: Kubescape enables developers to scan for misconfigurations as early as the manifest file submission stage, promoting a proactive approach to security.  
+* **IDE and CI/CD integration**: The tool integrates seamlessly with popular IDEs like VSCode and Lens, as well as CI/CD platforms such as GitHub and GitLab, allowing for security checks throughout the development process.
+* **Cluster scanning**: Kubescape can scan active Kubernetes clusters for vulnerabilities, misconfigurations, and security issues
+* **Multiple framework support**: Kubescape can test against various security frameworks, including NSA, MITRE, SOC2, and more.
+* **YAML and Helm chart validation**: The tool checks YAML files and Helm charts for correct configuration according to the frameworks above, without requiring an active cluster.
+* **Kubernetes hardening**: Kubescape ensures proactive identification and rapid remediation of misconfigurations and vulnerabilities through manual, recurring, or event-triggered scans.
+* **Runtime security**: Kubescape extends its protection to the runtime environment, providing continuous monitoring and threat detection for deployed applications.
+* **Compliance management**: The tool aids in maintaining compliance with recognized frameworks and standards, simplifying the process of meeting regulatory requirements.
+* **Multi-cloud support**: Kubescape offers frictionless security across various cloud providers and Kubernetes distributions.
+
+By providing this comprehensive security coverage from development to production, Kubescape enables organizations to implement a robust security posture throughout their Kubernetes deployment, addressing potential vulnerabilities and threats at every stage of the application lifecycle.
 
 Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
 
@@ -68,20 +78,29 @@ Kubescape can be used as a GitHub Action. This is a great way to integrate Kubes
 ## Under the hood
 
 Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
+For image scanning, it uses [Grype](https://github.com/anchore/grype).
+For image patching, it uses [Copacetic](https://github.com/project-copacetic/copacetic).
 
 By default, the results are printed in a console-friendly manner, but they can be:
 
-* exported to JSON or junit XML
+* exported to JSON, junit XML or SARIF
 * rendered to HTML or PDF
 * submitted to a [cloud service](docs/providers.md)
 
 It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
 
+## Architecture 
+![kubescape](docs/img/architecture-diagram.png)
+
+**Otel collector** - is not built-in, Otel endpoint spec is need to be added at setup [Setting Otel](https://kubescape.io/docs/operator/telemetry/)
+
+
 ## Community
 
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the cloud-native community and are enhancing the project as the ecosystem develops.
 
-We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, every second week on Tuesdays, at 15:00 CET. ([See that in your local time zone](https://time.is/compare/1500_in_CET)).
+
+We hold [community meetings](https://zoom.us/j/95174063585) on Zoom, every other week, at 15:00 CET. ([See that in your local time zone](https://time.is/compare/1500_in_CET).
 
 The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
@@ -109,7 +128,7 @@ Kubescape changes are tracked on the [release](https://github.com/kubescape/kube
 
 ## License
 
-Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+Copyright 2021-2024, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
 
 Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
 

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-bullseye as builder
+FROM --platform=$BUILDPLATFORM golang:1.22-bullseye AS builder
 
 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work

cmd/config/delete.go

@@ -3,7 +3,7 @@ package config
 import (
 	"context"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"

cmd/config/set.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"

cmd/config/view.go

@@ -3,7 +3,7 @@ package config
 import (
 	"os"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/spf13/cobra"

cmd/download/download.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"

cmd/list/list.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/core"
 	"github.com/kubescape/kubescape/v3/core/meta"

cmd/patch/README.md

@@ -47,6 +47,7 @@ The patch command can be run in 2 ways:
 | -a, --addr     | Address of the buildkitd service                       | No       | unix:///run/buildkit/buildkitd.sock |
 | -t, --tag      | Tag of the resultant patched image                     | No       | image_name-patched                  |
 | --timeout      | Timeout for the patching process                       | No       | 5m                                  |
+| --ignore-errors| Ignore errors during patching                          | No       | false                               |
 | -u, --username | Username for the image registry login                  | No       |                                     |
 | -p, --password | Password for the image registry login                  | No       |                                     |
 | -f, --format   | Output file format.                                    | No       |                                     |

cmd/patch/patch.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/distribution/reference"
+	"github.com/docker/distribution/reference"
 
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
@@ -69,6 +69,7 @@ func GetPatchCmd(ks meta.IKubescape) *cobra.Command {
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.PatchedImageTag, "tag", "t", "", "Tag for the patched image. Defaults to '<image-tag>-patched' ")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.BuildkitAddress, "address", "a", "unix:///run/buildkit/buildkitd.sock", "Address of buildkitd service, defaults to local buildkitd.sock")
 	patchCmd.PersistentFlags().DurationVar(&patchInfo.Timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+	patchCmd.PersistentFlags().BoolVar(&patchInfo.IgnoreError, "ignore-errors", false, "Ignore errors and continue patching other images. Default to false")
 
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Username, "username", "u", "", "Username for registry login")
 	patchCmd.PersistentFlags().StringVarP(&patchInfo.Password, "password", "p", "", "Password for registry login")

cmd/root.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/cmd/completion"
@@ -16,6 +16,7 @@ import (
 	"github.com/kubescape/kubescape/v3/cmd/patch"
 	"github.com/kubescape/kubescape/v3/cmd/scan"
 	"github.com/kubescape/kubescape/v3/cmd/update"
+	"github.com/kubescape/kubescape/v3/cmd/vap"
 	"github.com/kubescape/kubescape/v3/cmd/version"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
@@ -97,6 +98,7 @@ func getRootCmd(ks meta.IKubescape) *cobra.Command {
 	rootCmd.AddCommand(update.GetUpdateCmd())
 	rootCmd.AddCommand(fix.GetFixCmd(ks))
 	rootCmd.AddCommand(patch.GetPatchCmd(ks))
+	rootCmd.AddCommand(vap.GetVapHelperCmd())
 	rootCmd.AddCommand(operator.GetOperatorCmd(ks))
 
 	// deprecated commands

cmd/rootutils.go

@@ -8,7 +8,7 @@ import (
 	v1 "github.com/kubescape/backend/pkg/client/v1"
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	sdClientV2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/go-logger/iconlogger"
 	"github.com/kubescape/go-logger/zaplogger"

cmd/scan/control.go

@@ -9,7 +9,7 @@ import (
 
 	apisv1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"

cmd/scan/framework.go

@@ -13,7 +13,7 @@ import (
 	"github.com/kubescape/opa-utils/reporthandling/results/v1/reportsummary"
 	"golang.org/x/exp/slices"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"

cmd/scan/image.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/cmd/shared"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"

cmd/scan/scan.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"
 	"github.com/kubescape/kubescape/v3/core/meta"

cmd/scan/workload.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/meta"
 	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"

cmd/update/update.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 
 	"github.com/kubescape/backend/pkg/versioncheck"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/spf13/cobra"

cmd/vap/vap.go

@@ -0,0 +1,236 @@
+package vap
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/kubescape/v3/core/cautils"
+	"sigs.k8s.io/yaml"
+
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var vapHelperCmdExamples = fmt.Sprintf(`
+  vap command can be used for managing Validating Admission Policies in a Kubernetes cluster.
+  This is an experimental feature and it might change.
+
+  Examples:
+
+  # Install Kubescape CEL admission policy library
+  %[1]s vap deploy-library | kubectl apply -f -
+  # Create a policy binding
+  %[1]s vap create-policy-binding --name my-policy-binding --policy c-0016 --namespace=my-namespace | kubectl apply -f -
+`, cautils.ExecName())
+
+func GetVapHelperCmd() *cobra.Command {
+
+	vapHelperCmd := &cobra.Command{
+		Use:     "vap",
+		Short:   "Helper commands for managing Validating Admission Policies in a Kubernetes cluster",
+		Long:    ``,
+		Example: vapHelperCmdExamples,
+	}
+
+	// Create subcommands
+	vapHelperCmd.AddCommand(getDeployLibraryCmd())
+	vapHelperCmd.AddCommand(getCreatePolicyBindingCmd())
+
+	return vapHelperCmd
+}
+
+func getDeployLibraryCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "deploy-library",
+		Short: "Install Kubescape CEL admission policy library",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return deployLibrary()
+		},
+	}
+}
+
+func getCreatePolicyBindingCmd() *cobra.Command {
+	var policyBindingName string
+	var policyName string
+	var namespaceArr []string
+	var labelArr []string
+	var action string
+	var parameterReference string
+
+	createPolicyBindingCmd := &cobra.Command{
+		Use:   "create-policy-binding",
+		Short: "Create a policy binding",
+		Long:  ``,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Validate the inputs
+			if err := isValidK8sObjectName(policyBindingName); err != nil {
+				return fmt.Errorf("invalid policy binding name %s: %w", policyBindingName, err)
+			}
+			if err := isValidK8sObjectName(policyName); err != nil {
+				return fmt.Errorf("invalid policy name %s: %w", policyName, err)
+			}
+			for _, namespace := range namespaceArr {
+				if err := isValidK8sObjectName(namespace); err != nil {
+					return fmt.Errorf("invalid namespace %s: %w", namespace, err)
+				}
+			}
+			for _, label := range labelArr {
+				// Label selector must be in the format key=value
+				if !regexp.MustCompile(`^[a-zA-Z0-9]+=[a-zA-Z0-9]+$`).MatchString(label) {
+					return fmt.Errorf("invalid label selector: %s", label)
+				}
+			}
+			if action != "Deny" && action != "Audit" && action != "Warn" {
+				return fmt.Errorf("invalid action: %s", action)
+			}
+			if parameterReference != "" {
+				if err := isValidK8sObjectName(parameterReference); err != nil {
+					return fmt.Errorf("invalid parameter reference %s: %w", parameterReference, err)
+				}
+			}
+
+			return createPolicyBinding(policyBindingName, policyName, action, parameterReference, namespaceArr, labelArr)
+		},
+	}
+	// Must specify the name of the policy binding
+	createPolicyBindingCmd.Flags().StringVarP(&policyBindingName, "name", "n", "", "Name of the policy binding")
+	createPolicyBindingCmd.MarkFlagRequired("name")
+	createPolicyBindingCmd.Flags().StringVarP(&policyName, "policy", "p", "", "Name of the policy to bind the resources to")
+	createPolicyBindingCmd.MarkFlagRequired("policy")
+	createPolicyBindingCmd.Flags().StringSliceVar(&namespaceArr, "namespace", []string{}, "Resource namespace selector")
+	createPolicyBindingCmd.Flags().StringSliceVar(&labelArr, "label", []string{}, "Resource label selector")
+	createPolicyBindingCmd.Flags().StringVarP(&action, "action", "a", "Deny", "Action to take when policy fails")
+	createPolicyBindingCmd.Flags().StringVarP(&parameterReference, "parameter-reference", "r", "", "Parameter reference object name")
+
+	return createPolicyBindingCmd
+}
+
+// Implementation of the VAP helper commands
+// deploy-library
+func deployLibrary() error {
+	logger.L().Info("Downloading the Kubescape CEL admission policy library")
+	// Download the policy-configuration-definition.yaml from the latest release URL
+	policyConfigurationDefinitionURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml"
+	policyConfigurationDefinition, err := downloadFileToString(policyConfigurationDefinitionURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the basic-control-configuration.yaml from the latest release URL
+	basicControlConfigurationURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/basic-control-configuration.yaml"
+	basicControlConfiguration, err := downloadFileToString(basicControlConfigurationURL)
+	if err != nil {
+		return err
+	}
+
+	// Download the kubescape-validating-admission-policies.yaml from the latest release URL
+	kubescapeValidatingAdmissionPoliciesURL := "https://github.com/kubescape/cel-admission-library/releases/latest/download/kubescape-validating-admission-policies.yaml"
+	kubescapeValidatingAdmissionPolicies, err := downloadFileToString(kubescapeValidatingAdmissionPoliciesURL)
+	if err != nil {
+		return err
+	}
+
+	logger.L().Info("Successfully downloaded admission policy library")
+
+	// Print the downloaded files to the STDOUT for the user to apply connecting them to a single YAML with ---
+	fmt.Println(policyConfigurationDefinition)
+	fmt.Println("---")
+	fmt.Println(basicControlConfiguration)
+	fmt.Println("---")
+	fmt.Println(kubescapeValidatingAdmissionPolicies)
+
+	return nil
+}
+
+func downloadFileToString(url string) (string, error) {
+	// Send an HTTP GET request to the URL
+	response, err := http.Get(url) //nolint:gosec
+	if err != nil {
+		return "", err // Return an empty string and the error if the request fails
+	}
+	defer response.Body.Close()
+
+	// Check for a successful response (HTTP 200 OK)
+	if response.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download file: %s", response.Status)
+	}
+
+	// Read the response body
+	bodyBytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err // Return an empty string and the error if reading fails
+	}
+
+	// Convert the byte slice to a string
+	bodyString := string(bodyBytes)
+	return bodyString, nil
+}
+
+func isValidK8sObjectName(name string) error {
+	// Kubernetes object names must consist of lower case alphanumeric characters, '-' or '.',
+	// and must start and end with an alphanumeric character (e.g., 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
+	// Max length of 63 characters.
+	if len(name) > 63 {
+		return errors.New("name should be less than 63 characters")
+	}
+
+	regex := regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+	if !regex.MatchString(name) {
+		return errors.New("name should consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character")
+	}
+
+	return nil
+}
+
+// Create a policy binding
+func createPolicyBinding(bindingName string, policyName string, action string, paramRefName string, namespaceArr []string, labelMatch []string) error {
+	// Create a policy binding struct
+	policyBinding := &admissionv1.ValidatingAdmissionPolicyBinding{}
+	// Print the policy binding after marshalling it to YAML to the STDOUT
+	// The user can apply the output to the cluster
+	policyBinding.APIVersion = "admissionregistration.k8s.io/v1"
+	policyBinding.Name = bindingName
+	policyBinding.Kind = "ValidatingAdmissionPolicyBinding"
+	policyBinding.Spec.PolicyName = policyName
+	policyBinding.Spec.MatchResources = &admissionv1.MatchResources{}
+	if len(namespaceArr) > 0 {
+		policyBinding.Spec.MatchResources.NamespaceSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "kubernetes.io/metadata.name",
+					Operator: metav1.LabelSelectorOpIn,
+					Values:   namespaceArr,
+				},
+			},
+		}
+	}
+
+	if len(labelMatch) > 0 {
+		policyBinding.Spec.MatchResources.ObjectSelector = &metav1.LabelSelector{}
+		policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels = make(map[string]string)
+		for _, label := range labelMatch {
+			labelParts := regexp.MustCompile(`=`).Split(label, 2)
+			policyBinding.Spec.MatchResources.ObjectSelector.MatchLabels[labelParts[0]] = labelParts[1]
+		}
+	}
+
+	policyBinding.Spec.ValidationActions = []admissionv1.ValidationAction{admissionv1.ValidationAction(action)}
+	if paramRefName != "" {
+		policyBinding.Spec.ParamRef = &admissionv1.ParamRef{
+			Name: paramRefName,
+		}
+	}
+	// Marshal the policy binding to YAML
+	out, err := yaml.Marshal(policyBinding)
+	if err != nil {
+		return err
+	}
+	fmt.Println(string(out))
+	return nil
+}

cmd/vap/vap_test.go

@@ -0,0 +1,10 @@
+package vap
+
+import (
+	"testing"
+)
+
+func TestGetVapHelperCmd(t *testing.T) {
+	// Call the GetFixCmd function
+	_ = GetVapHelperCmd()
+}

core/cautils/customerloader.go

@@ -14,7 +14,7 @@ import (
 	"github.com/kubescape/backend/pkg/servicediscovery"
 	servicediscoveryv1 "github.com/kubescape/backend/pkg/servicediscovery/v1"
 	servicediscoveryv2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"

core/cautils/display.go

@@ -9,7 +9,7 @@ import (
 
 	spinnerpkg "github.com/briandowns/spinner"
 	"github.com/jwalton/gchalk"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/mattn/go-isatty"
 	"github.com/schollz/progressbar/v3"

core/cautils/fileutils.go

@@ -13,7 +13,7 @@ import (
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"golang.org/x/exp/slices"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
 

core/cautils/helmchart.go

@@ -5,7 +5,7 @@ import (
 	"strconv"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"

core/cautils/kustomizedirectory.go

@@ -4,7 +4,7 @@ import (
 	"os"
 	"path/filepath"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"

core/cautils/parseFile.go

@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/mikefarah/yq/v4/pkg/yqlib"
 	"gopkg.in/op/go-logging.v1"
 )

core/cautils/remotegitutils.go

@@ -1,11 +1,11 @@
 package cautils
 
 import (
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	nethttp "net/http"
 	"os"
-	"path/filepath"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -17,6 +17,40 @@ import (
 	"github.com/kubescape/go-logger/helpers"
 )
 
+var tmpDirPaths map[string]string
+
+func hashRepoURL(repoURL string) string {
+	h := sha256.New()
+	h.Write([]byte(repoURL))
+	return string(h.Sum(nil))
+}
+
+func getDirPath(repoURL string) string {
+	if tmpDirPaths == nil {
+		return ""
+	}
+	return tmpDirPaths[hashRepoURL(repoURL)]
+}
+
+// Create a temporary directory this function is called once
+func createTempDir(repoURL string) (string, error) {
+	tmpDirPath := getDirPath(repoURL)
+	if tmpDirPath != "" {
+		return tmpDirPath, nil
+	}
+	// create temp directory
+	tmpDir, err := os.MkdirTemp("", "")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary directory: %w", err)
+	}
+	if tmpDirPaths == nil {
+		tmpDirPaths = make(map[string]string)
+	}
+	tmpDirPaths[hashRepoURL(repoURL)] = tmpDir
+
+	return tmpDir, nil
+}
+
 // To Check if the given repository is Public(No Authentication needed), send a HTTP GET request to the URL
 // If response code is 200, the repository is Public.
 func isGitRepoPublic(u string) bool {
@@ -58,16 +92,21 @@ func getProviderError(gitURL giturl.IGitAPI) error {
 
 // cloneRepo clones a repository to a local temporary directory and returns the directory
 func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
+	cloneURL := gitURL.GetHttpCloneURL()
+
+	// Check if directory exists
+	if p := getDirPath(cloneURL); p != "" {
+		// directory exists, meaning this repo was cloned
+		return p, nil
+	}
+	// Get the URL to clone
 
 	// Create temp directory
-	tmpDir, err := os.MkdirTemp("", "")
+	tmpDir, err := createTempDir(cloneURL)
 	if err != nil {
-		return "", fmt.Errorf("failed to create temporary directory: %w", err)
+		return "", err
 	}
 
-	// Get the URL to clone
-	cloneURL := gitURL.GetHttpCloneURL()
-
 	isGitTokenPresent := isGitTokenPresent(gitURL)
 
 	// Declare the authentication variable required for cloneOptions
@@ -104,6 +143,8 @@ func cloneRepo(gitURL giturl.IGitAPI) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to clone %s. %w", gitURL.GetRepoName(), err)
 	}
+	// tmpDir = filepath.Join(tmpDir, gitURL.GetRepoName())
+	tmpDirPaths[hashRepoURL(cloneURL)] = tmpDir
 
 	return tmpDir, nil
 }
@@ -125,9 +166,19 @@ func CloneGitRepo(path *string) (string, error) {
 		logger.L().StopError("failed to clone git repo", helpers.String("url", gitURL.GetURL().String()), helpers.Error(err))
 		return "", fmt.Errorf("failed to clone git repo '%s',  %w", gitURL.GetURL().String(), err)
 	}
+	*path = clonedDir
 
-	*path = filepath.Join(clonedDir, gitURL.GetPath())
-	logger.L().StopSuccess("Done accessing local objects")
+	logger.L().StopSuccess("Done accessing remote repo")
 
 	return clonedDir, nil
 }
+
+func GetClonedPath(path string) string {
+
+	gitURL, err := giturl.NewGitAPI(path)
+	if err != nil {
+		return ""
+	}
+
+	return getDirPath(gitURL.GetHttpCloneURL())
+}

core/cautils/remotegitutils_test.go

@@ -93,3 +93,63 @@ func TestCloneRepo(t *testing.T) {
 		})
 	}
 }
+func TestGetClonedPath(t *testing.T) {
+	testCases := []struct {
+		name     string
+		path     string
+		expected string
+	}{
+		{
+			name:     "Valid Git URL",
+			path:     "https://github.com/kubescape/kubescape.git",
+			expected: "/path/to/cloned/repo", // replace with the expected path
+		},
+		{
+			name:     "Invalid Git URL",
+			path:     "invalid",
+			expected: "",
+		},
+	}
+	tmpDirPaths = make(map[string]string)
+	tmpDirPaths[hashRepoURL("https://github.com/kubescape/kubescape.git")] = "/path/to/cloned/repo" // replace with the actual path
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := GetClonedPath(tc.path)
+			if result != tc.expected {
+				t.Errorf("Expected %q, got %q", tc.expected, result)
+			}
+		})
+	}
+}
+func TestGetDirPath(t *testing.T) {
+	testCases := []struct {
+		name     string
+		repoURL  string
+		expected string
+	}{
+		{
+			name:     "Existing Repo URL",
+			repoURL:  "https://github.com/user/repo.git",
+			expected: "/path/to/cloned/repo", // replace with the expected path
+		},
+		{
+			name:     "Non-Existing Repo URL",
+			repoURL:  "https://github.com/user/nonexistentrepo.git",
+			expected: "",
+		},
+	}
+
+	// Initialize tmpDirPaths
+	tmpDirPaths = make(map[string]string)
+	tmpDirPaths[hashRepoURL("https://github.com/user/repo.git")] = "/path/to/cloned/repo" // replace with the actual path
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := getDirPath(tc.repoURL)
+			if result != tc.expected {
+				t.Errorf("Expected %q, got %q", tc.expected, result)
+			}
+		})
+	}
+}

core/cautils/scaninfo.go

@@ -25,10 +25,11 @@ import (
 type ScanningContext string
 
 const (
-	ContextCluster  ScanningContext = "cluster"
-	ContextFile     ScanningContext = "single-file"
-	ContextDir      ScanningContext = "local-dir"
-	ContextGitLocal ScanningContext = "git-local"
+	ContextCluster   ScanningContext = "cluster"
+	ContextFile      ScanningContext = "single-file"
+	ContextDir       ScanningContext = "local-dir"
+	ContextGitLocal  ScanningContext = "git-local"
+	ContextGitRemote ScanningContext = "git-remote"
 )
 
 const ( // deprecated
@@ -281,6 +282,9 @@ func scanInfoToScanMetadata(ctx context.Context, scanInfo *ScanInfo) *reporthand
 	case ContextGitLocal:
 		// local-git
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.GitLocal
+	case ContextGitRemote:
+		// remote
+		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Repo
 	case ContextDir:
 		// directory
 		metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Directory
@@ -308,6 +312,7 @@ func (scanInfo *ScanInfo) GetScanningContext() ScanningContext {
 }
 
 // getScanningContext get scanning context from the input param
+// this function should be called only once. Call GetScanningContext() to get the scanning context
 func (scanInfo *ScanInfo) getScanningContext(input string) ScanningContext {
 	//  cluster
 	if input == "" {
@@ -321,7 +326,7 @@ func (scanInfo *ScanInfo) getScanningContext(input string) ScanningContext {
 				scanInfo.cleanups = append(scanInfo.cleanups, func() {
 					_ = os.RemoveAll(repo)
 				})
-				return ContextGitLocal
+				return ContextGitRemote
 			}
 		}
 	}
@@ -389,6 +394,13 @@ func (scanInfo *ScanInfo) setContextMetadata(ctx context.Context, contextMetadat
 			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitLocal), helpers.Error(err))
 		}
 		contextMetadata.RepoContextMetadata = repoContext
+	case ContextGitRemote:
+		// remote
+		repoContext, err := metadataGitLocal(GetClonedPath(input))
+		if err != nil {
+			logger.L().Ctx(ctx).Warning("in setContextMetadata", helpers.Interface("case", ContextGitRemote), helpers.Error(err))
+		}
+		contextMetadata.RepoContextMetadata = repoContext
 	}
 }
 

core/cautils/scaninfo_test.go

@@ -71,7 +71,7 @@ func TestGetScanningContext(t *testing.T) {
 		{
 			name:  "git URL input",
 			input: "https://github.com/kubescape/http-request",
-			want:  ContextGitLocal,
+			want:  ContextGitRemote,
 		},
 		{
 			name:  "local git input",

core/core/download.go

@@ -8,7 +8,7 @@ import (
 	"sort"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"

core/core/fix.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 
 	"github.com/kubescape/kubescape/v3/core/pkg/fixhandler"

core/core/image_scan.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	ksmetav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"

core/core/patch.go

@@ -5,10 +5,11 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/anchore/grype/grype/presenter"
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -17,8 +18,13 @@ import (
 	"github.com/kubescape/kubescape/v3/pkg/imagescan"
 
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling"
-	copa "github.com/project-copacetic/copacetic/pkg/patch"
 	log "github.com/sirupsen/logrus"
+
+	copaGrype "github.com/anubhav06/copa-grype/grype"
+	"github.com/project-copacetic/copacetic/pkg/buildkit"
+	"github.com/project-copacetic/copacetic/pkg/pkgmgr"
+	"github.com/project-copacetic/copacetic/pkg/types/unversioned"
+	"github.com/project-copacetic/copacetic/pkg/utils"
 )
 
 func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, scanInfo *cautils.ScanInfo) (*models.PresenterConfig, error) {
@@ -38,6 +44,11 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 	if err != nil {
 		return nil, err
 	}
+
+	// If the scan results ID is empty, set it to "grype"
+	if scanResults.ID.Name == "" {
+		scanResults.ID.Name = "grype"
+	}
 	// Save the scan results to a file in json format
 	pres := presenter.GetPresenter("json", "", false, *scanResults)
 
@@ -46,27 +57,27 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 
 	writer := printer.GetWriter(ctx, fileName)
 
-	if err := pres.Present(writer); err != nil {
+	if err = pres.Present(writer); err != nil {
 		return nil, err
 	}
 	logger.L().StopSuccess(fmt.Sprintf("Successfully scanned image: %s", patchInfo.Image))
 
 	// ===================== Patch the image using copacetic =====================
 	logger.L().Start("Patching image...")
+	patchedImageName := fmt.Sprintf("%s:%s", patchInfo.ImageName, patchInfo.PatchedImageTag)
 
 	sout, serr := os.Stdout, os.Stderr
 	if logger.L().GetLevel() != "debug" {
 		disableCopaLogger()
 	}
 
-	if err := copa.Patch(ctx, patchInfo.Timeout, patchInfo.BuildkitAddress, patchInfo.Image, fileName, patchInfo.PatchedImageTag, ""); err != nil {
+	if err = copaPatch(ctx, patchInfo.Timeout, patchInfo.BuildkitAddress, patchInfo.Image, fileName, patchedImageName, "", patchInfo.IgnoreError, patchInfo.BuildKitOpts); err != nil {
 		return nil, err
 	}
 
 	// Restore the output streams
 	os.Stdout, os.Stderr = sout, serr
 
-	patchedImageName := fmt.Sprintf("%s:%s", patchInfo.ImageName, patchInfo.PatchedImageTag)
 	logger.L().StopSuccess(fmt.Sprintf("Patched image successfully. Loaded image: %s", patchedImageName))
 
 	// ===================== Re-scan the image =====================
@@ -97,7 +108,6 @@ func (ks *Kubescape) Patch(ctx context.Context, patchInfo *ksmetav1.PatchInfo, s
 			Image:           patchedImageName,
 		},
 	}
-	resultsHandler.HandleResults(ctx)
 
 	return scanResultsPatched, resultsHandler.HandleResults(ctx)
 }
@@ -107,3 +117,110 @@ func disableCopaLogger() {
 	null, _ := os.Open(os.DevNull)
 	log.SetOutput(null)
 }
+
+// copaPatch is a slightly modified copy of the Patch function from the original "project-copacetic/copacetic" repo
+// https://github.com/project-copacetic/copacetic/blob/main/pkg/patch/patch.go
+func copaPatch(ctx context.Context, timeout time.Duration, buildkitAddr, image, reportFile, patchedImageName, workingFolder string, ignoreError bool, bkOpts buildkit.Opts) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	ch := make(chan error)
+	go func() {
+		ch <- patchWithContext(timeoutCtx, buildkitAddr, image, reportFile, patchedImageName, workingFolder, ignoreError, bkOpts)
+	}()
+
+	select {
+	case err := <-ch:
+		return err
+	case <-timeoutCtx.Done():
+		// add a grace period for long running deferred cleanup functions to complete
+		<-time.After(1 * time.Second)
+
+		err := fmt.Errorf("patch exceeded timeout %v", timeout)
+		log.Error(err)
+		return err
+	}
+}
+
+func patchWithContext(ctx context.Context, buildkitAddr, image, reportFile, patchedImageName, workingFolder string, ignoreError bool, bkOpts buildkit.Opts) error {
+	// Ensure working folder exists for call to InstallUpdates
+	if workingFolder == "" {
+		var err error
+		workingFolder, err = os.MkdirTemp("", "copa-*")
+		if err != nil {
+			return err
+		}
+		defer os.RemoveAll(workingFolder)
+		if err := os.Chmod(workingFolder, 0o744); err != nil {
+			return err
+		}
+	} else {
+		if isNew, err := utils.EnsurePath(workingFolder, 0o744); err != nil {
+			log.Errorf("failed to create workingFolder %s", workingFolder)
+			return err
+		} else if isNew {
+			defer os.RemoveAll(workingFolder)
+		}
+	}
+
+	// Parse report for update packages
+	updates, err := tryParseScanReport(reportFile)
+	if err != nil {
+		return err
+	}
+
+	client, err := buildkit.NewClient(ctx, bkOpts)
+	if err != nil {
+		return err
+	}
+	defer client.Close()
+
+	// Configure buildctl/client for use by package manager
+	config, err := buildkit.InitializeBuildkitConfig(ctx, client, image, updates)
+	if err != nil {
+		return err
+	}
+
+	// Create package manager helper
+	pkgmgr, err := pkgmgr.GetPackageManager(updates.Metadata.OS.Type, config, workingFolder)
+	if err != nil {
+		return err
+	}
+
+	// Export the patched image state to Docker
+	patchedImageState, _, err := pkgmgr.InstallUpdates(ctx, updates, ignoreError)
+	if err != nil {
+		return err
+	}
+
+	if err = buildkit.SolveToDocker(ctx, config.Client, patchedImageState, config.ConfigData, patchedImageName); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// This function adds support to copa for patching Kubescape produced results
+func tryParseScanReport(file string) (*unversioned.UpdateManifest, error) {
+
+	parser := copaGrype.GrypeParser{}
+	manifest, err := parser.Parse(file)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert from v1alpha1 to unversioned.UpdateManifest
+	var um unversioned.UpdateManifest
+	um.Metadata.OS.Type = manifest.Metadata.OS.Type
+	um.Metadata.OS.Version = manifest.Metadata.OS.Version
+	um.Metadata.Config.Arch = manifest.Metadata.Config.Arch
+	um.Updates = make([]unversioned.UpdatePackage, len(manifest.Updates))
+	for i, update := range manifest.Updates {
+		um.Updates[i].Name = update.Name
+		um.Updates[i].InstalledVersion = update.InstalledVersion
+		um.Updates[i].FixedVersion = update.FixedVersion
+		um.Updates[i].VulnerabilityID = update.VulnerabilityID
+	}
+
+	return &um, nil
+}

core/core/scan.go

@@ -169,7 +169,7 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 
 	// ===================== resources =====================
 	ctxResources, spanResources := otel.Tracer("").Start(ctxInit, "resources")
-	err = resourcehandler.CollectResources(ctxResources, interfaces.resourceHandler, scanInfo.PolicyIdentifier, scanData, cautils.NewProgressHandler(""), scanInfo)
+	err = resourcehandler.CollectResources(ctxResources, interfaces.resourceHandler, scanData, scanInfo)
 	if err != nil {
 		spanInit.End()
 		return resultsHandling, err
@@ -182,7 +182,7 @@ func (ks *Kubescape) Scan(ctx context.Context, scanInfo *cautils.ScanInfo) (*res
 	defer spanOpa.End()
 
 	deps := resources.NewRegoDependenciesData(k8sinterface.GetK8sConfig(), interfaces.tenantConfig.GetContextName())
-	reportResults := opaprocessor.NewOPAProcessor(scanData, deps, interfaces.tenantConfig.GetContextName())
+	reportResults := opaprocessor.NewOPAProcessor(scanData, deps, interfaces.tenantConfig.GetContextName(), scanInfo.ExcludedNamespaces, scanInfo.IncludeNamespaces)
 	if err = reportResults.ProcessRulesListener(ctxOpa, cautils.NewProgressHandler("")); err != nil {
 		// TODO - do something
 		return resultsHandling, fmt.Errorf("%w", err)

core/meta/datastructures/v1/patch.go

@@ -1,12 +1,18 @@
 package v1
 
-import "time"
+import (
+	"time"
+
+	"github.com/project-copacetic/copacetic/pkg/buildkit"
+)
 
 type PatchInfo struct {
 	Image           string        // image to be patched
 	PatchedImageTag string        // can be empty, if empty then the image tag will be patched with the latest tag
 	BuildkitAddress string        // buildkit address
 	Timeout         time.Duration // timeout for patching an image
+	IgnoreError     bool          // ignore errors and continue patching
+	BuildKitOpts    buildkit.Opts //build kit options
 
 	// Image registry credentials
 	Username string // username for registry login

core/pkg/fixhandler/fixhandler.go

@@ -15,7 +15,7 @@ import (
 	"github.com/armosec/armoapi-go/armotypes"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/objectsenvelopes/localworkload"
 	"github.com/kubescape/opa-utils/reporthandling"

core/pkg/fixhandler/fixhandler_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	metav1 "github.com/kubescape/kubescape/v3/core/meta/datastructures/v1"
 	"github.com/kubescape/kubescape/v3/internal/testutils"
 	reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"

core/pkg/fixhandler/testdata/hybrids/tc-01-00-input.yaml

@@ -14,6 +14,6 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
     securityContext:
       runAsRoot: true
+    image: nginx

core/pkg/fixhandler/testdata/hybrids/tc-02-00-input-indented-list.yaml

@@ -14,6 +14,6 @@ metadata:
 spec:
   containers:
     - name: nginx_container
-      image: nginx
       securityContext:
         runAsRoot: true
+      image: nginx

core/pkg/fixhandler/testdata/hybrids/tc-03-00-input-comments.yaml

@@ -16,6 +16,6 @@ spec:
   containers:
     # These are the first containers comments
     - name: nginx_container
-      image: nginx
       securityContext:
         runAsRoot: true
+      image: nginx

core/pkg/fixhandler/testdata/hybrids/tc-04-00-input-separated-keys.yaml

@@ -15,7 +15,7 @@ spec:
   containers:
     - name: nginx_container
 
-      image: nginx
-
       securityContext:
         runAsRoot: true
+
+      image: nginx

core/pkg/fixhandler/testdata/hybrids/tc-04-01-expected.yaml

@@ -15,7 +15,7 @@ spec:
   containers:
     - name: nginx_container
 
+
       image: nginx
   securityContext:
     runAsRoot: false
-

core/pkg/fixhandler/testdata/hybrids/tc-05-00-input-leading-doc-separator.yaml

@@ -16,7 +16,7 @@ spec:
   containers:
     - name: nginx_container
 
-      image: nginx
-
       securityContext:
         runAsRoot: true
+
+      image: nginx

core/pkg/fixhandler/testdata/hybrids/tc-05-01-expected.yaml

@@ -16,7 +16,7 @@ spec:
   containers:
     - name: nginx_container
 
+
       image: nginx
   securityContext:
     runAsRoot: false
-

core/pkg/fixhandler/testdata/removals/tc-01-00-input.yaml

@@ -9,6 +9,6 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
     securityContext:
-      runAsRoot: false
+      runAsRoot: false
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-01-01-expected.yaml

@@ -9,4 +9,4 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-02-00-input.yaml

@@ -12,4 +12,5 @@ spec:
     image: nginx
 
   - name: container_with_security_issues
-    image: image_with_security_issues
+    image: image_with_security_issues
+  restartPolicy: Always

core/pkg/fixhandler/testdata/removals/tc-02-01-expected.yaml

@@ -10,3 +10,5 @@ spec:
   containers:
   - name: nginx_container
     image: nginx
+
+  restartPolicy: Always

core/pkg/fixhandler/testdata/removals/tc-03-00-input.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   containers:
   - name: nginx1
-    image: nginx
     securityContext:
       capabilities:
-        drop: ["NET_RAW", "SYS_ADM"]
+        drop: ["NET_RAW", "SYS_ADM"]
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-03-01-expected.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   containers:
   - name: nginx1
-    image: nginx
     securityContext:
       capabilities:
-        drop: ["NET_RAW"]
+        drop: ["NET_RAW"]
+    image: nginx

core/pkg/fixhandler/testdata/removals/tc-04-00-input.yaml

@@ -9,9 +9,9 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
     securityContext:
       runAsRoot: false
+    image: nginx
 
 ---
 
@@ -29,4 +29,5 @@ spec:
     image: nginx
 
   - name: container_with_security_issues
-    image: image_with_security_issues
+    image: image_with_security_issues
+  restartPolicy: Always

core/pkg/fixhandler/testdata/removals/tc-04-01-expected.yaml

@@ -25,3 +25,5 @@ spec:
   containers:
   - name: nginx_container
     image: nginx
+
+  restartPolicy: Always

core/pkg/fixhandler/testdata/replaces/tc-01-00-input.yaml

@@ -9,6 +9,6 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
     securityContext:
-      runAsRoot: true
+      runAsRoot: true
+    image: nginx

core/pkg/fixhandler/testdata/replaces/tc-01-01-expected.yaml

@@ -9,6 +9,6 @@ metadata:
 spec:
   containers:
   - name: nginx_container
-    image: nginx
     securityContext:
-      runAsRoot: false
+      runAsRoot: false
+    image: nginx

core/pkg/fixhandler/testdata/replaces/tc-02-00-input.yaml

@@ -10,9 +10,9 @@ metadata:
 spec:
   containers:
   - name: nginx1
-    image: nginx
     securityContext:
       capabilities:
         drop:
         - "NET_RAW"
-        add: ["SYS_ADM"]
+        add: ["SYS_ADM"]
+    image: nginx

core/pkg/fixhandler/testdata/replaces/tc-02-01-expected.yaml

@@ -10,9 +10,9 @@ metadata:
 spec:
   containers:
   - name: nginx1
-    image: nginx
     securityContext:
       capabilities:
         drop:
         - "SYS_ADM"
-        add: ["NET_RAW"]
+        add: ["NET_RAW"]
+    image: nginx

core/pkg/fixhandler/yamlhandler.go

@@ -182,7 +182,7 @@ func addLinesToRemove(ctx context.Context, fixInfoMetadata *fixInfoMetadata) (in
 	newOriginalListTracker := updateTracker(fixInfoMetadata.originalList, fixInfoMetadata.originalListTracker)
 	*fixInfoMetadata.linesToRemove = append(*fixInfoMetadata.linesToRemove, linesToRemove{
 		startLine: currentDFSNode.node.Line,
-		endLine:   getNodeLine(fixInfoMetadata.originalList, newOriginalListTracker),
+		endLine:   getNodeLine(fixInfoMetadata.originalList, newOriginalListTracker-1), // newOriginalListTracker is the next node
 	})
 
 	return newOriginalListTracker, fixInfoMetadata.fixedListTracker

core/pkg/fixhandler/yamlhelper.go

@@ -12,7 +12,7 @@ import (
 	"os"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/mikefarah/yq/v4/pkg/yqlib"
 	"gopkg.in/yaml.v3"
 )

core/pkg/hostsensorutils/hostsensordeploy.go

@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/k8s-interface/workloadinterface"

core/pkg/hostsensorutils/hostsensorgetfrompod.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"sync"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/opa-utils/objectsenvelopes/hostsensor"
 	"github.com/kubescape/opa-utils/reporthandling/apis"

core/pkg/hostsensorutils/hostsensorworkerpool.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"sync"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/opa-utils/objectsenvelopes/hostsensor"
 )

core/pkg/opaprocessor/processorhandler.go

@@ -3,10 +3,11 @@ package opaprocessor
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -37,10 +38,12 @@ type OPAProcessor struct {
 	clusterName          string
 	regoDependenciesData *resources.RegoDependenciesData
 	*cautils.OPASessionObj
-	opaRegisterOnce sync.Once
+	opaRegisterOnce   sync.Once
+	excludeNamespaces []string
+	includeNamespaces []string
 }
 
-func NewOPAProcessor(sessionObj *cautils.OPASessionObj, regoDependenciesData *resources.RegoDependenciesData, clusterName string) *OPAProcessor {
+func NewOPAProcessor(sessionObj *cautils.OPASessionObj, regoDependenciesData *resources.RegoDependenciesData, clusterName string, excludeNamespaces string, includeNamespaces string) *OPAProcessor {
 	if regoDependenciesData != nil && sessionObj != nil {
 		regoDependenciesData.PostureControlInputs = sessionObj.RegoInputData.PostureControlInputs
 		regoDependenciesData.DataControlInputs = sessionObj.RegoInputData.DataControlInputs
@@ -50,6 +53,8 @@ func NewOPAProcessor(sessionObj *cautils.OPASessionObj, regoDependenciesData *re
 		OPASessionObj:        sessionObj,
 		regoDependenciesData: regoDependenciesData,
 		clusterName:          clusterName,
+		excludeNamespaces:    split(excludeNamespaces),
+		includeNamespaces:    split(includeNamespaces),
 	}
 }
 
@@ -211,6 +216,9 @@ func (opap *OPAProcessor) processRule(ctx context.Context, rule *reporthandling.
 		inputResources = objectsenvelopes.ListMapToMeta(enumeratedData)
 
 		for i, inputResource := range inputResources {
+			if opap.skipNamespace(inputResource.GetNamespace()) {
+				continue
+			}
 			resources[inputResource.GetID()] = &resourcesresults.ResourceAssociatedRule{
 				Name:                  rule.Name,
 				ControlConfigurations: ruleRegoDependenciesData.PostureControlInputs,
@@ -229,6 +237,9 @@ func (opap *OPAProcessor) processRule(ctx context.Context, rule *reporthandling.
 		for _, ruleResponse := range ruleResponses {
 			failedResources := objectsenvelopes.ListMapToMeta(ruleResponse.GetFailedResources())
 			for _, failedResource := range failedResources {
+				if opap.skipNamespace(failedResource.GetNamespace()) {
+					continue
+				}
 				var ruleResult *resourcesresults.ResourceAssociatedRule
 				if r, found := resources[failedResource.GetID()]; found {
 					ruleResult = r
@@ -387,3 +398,25 @@ func (opap *OPAProcessor) makeRegoDeps(configInputs []reporthandling.ControlConf
 		PostureControlInputs: postureControlInputs,
 	}
 }
+
+func (opap *OPAProcessor) skipNamespace(ns string) bool {
+	if includeNamespaces := opap.includeNamespaces; len(includeNamespaces) > 0 {
+		if !slices.Contains(includeNamespaces, ns) {
+			// skip ns not in IncludeNamespaces
+			return true
+		}
+	} else if excludeNamespaces := opap.excludeNamespaces; len(excludeNamespaces) > 0 {
+		if slices.Contains(excludeNamespaces, ns) {
+			// skip ns in ExcludeNamespaces
+			return true
+		}
+	}
+	return false
+}
+
+func split(namespaces string) []string {
+	if namespaces == "" {
+		return nil
+	}
+	return strings.Split(namespaces, ",")
+}

core/pkg/opaprocessor/processorhandler_test.go

@@ -197,7 +197,7 @@ func TestProcessResourcesResult(t *testing.T) {
 	opaSessionObj.K8SResources = k8sResources
 	opaSessionObj.AllResources[deployment.GetID()] = deployment
 
-	opap := NewOPAProcessor(opaSessionObj, resources.NewRegoDependenciesDataMock(), "test")
+	opap := NewOPAProcessor(opaSessionObj, resources.NewRegoDependenciesDataMock(), "test", "", "")
 	opap.AllPolicies = policies
 	opap.Process(context.TODO(), policies, nil)
 

core/pkg/opaprocessor/processorhandlerutils.go

@@ -3,7 +3,9 @@ package opaprocessor
 import (
 	"context"
 
-	logger "github.com/kubescape/go-logger"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
@@ -97,7 +99,7 @@ func isEmptyResources(counters reportsummary.ICounters) bool {
 
 func getAllSupportedObjects(k8sResources cautils.K8SResources, externalResources cautils.ExternalResources, allResources map[string]workloadinterface.IMetadata, rule *reporthandling.PolicyRule) map[string][]workloadinterface.IMetadata {
 	k8sObjects := getKubernetesObjects(k8sResources, allResources, rule.Match)
-	externalObjs := getKubenetesObjectsFromExternalResources(externalResources, allResources, rule.DynamicMatch)
+	externalObjs := getKubernetesObjectsFromExternalResources(externalResources, allResources, rule.DynamicMatch)
 	if len(externalObjs) > 0 {
 		l, ok := k8sObjects[clusterScope]
 		if !ok {
@@ -109,7 +111,7 @@ func getAllSupportedObjects(k8sResources cautils.K8SResources, externalResources
 	return k8sObjects
 }
 
-func getKubenetesObjectsFromExternalResources(externalResources cautils.ExternalResources, allResources map[string]workloadinterface.IMetadata, match []reporthandling.RuleMatchObjects) []workloadinterface.IMetadata {
+func getKubernetesObjectsFromExternalResources(externalResources cautils.ExternalResources, allResources map[string]workloadinterface.IMetadata, match []reporthandling.RuleMatchObjects) []workloadinterface.IMetadata {
 	k8sObjects := []workloadinterface.IMetadata{}
 
 	for m := range match {
@@ -215,16 +217,39 @@ func removePodData(workload workloadinterface.IWorkload) {
 	workloadinterface.RemoveFromMap(workload.GetObject(), "metadata", "managedFields")
 	workloadinterface.RemoveFromMap(workload.GetObject(), "status")
 
-	containers, err := workload.GetContainers()
-	if err != nil || len(containers) == 0 {
-		return
+	// containers
+	if containers, err := workload.GetContainers(); err == nil && len(containers) > 0 {
+		removeContainersData(containers)
+		workloadinterface.SetInMap(workload.GetObject(), workloadinterface.PodSpec(workload.GetKind()), "containers", containers)
 	}
+
+	// init containers
+
+	if initContainers, err := workload.GetInitContainers(); err == nil && len(initContainers) > 0 {
+		removeContainersData(initContainers)
+		workloadinterface.SetInMap(workload.GetObject(), workloadinterface.PodSpec(workload.GetKind()), "initContainers", initContainers)
+	}
+
+	// ephemeral containers
+	if ephemeralContainers, err := workload.GetEphemeralContainers(); err == nil && len(ephemeralContainers) > 0 {
+		removeEphemeralContainersData(ephemeralContainers)
+		workloadinterface.SetInMap(workload.GetObject(), workloadinterface.PodSpec(workload.GetKind()), "ephemeralContainers", ephemeralContainers)
+	}
+}
+
+func removeContainersData(containers []corev1.Container) {
+	for i := range containers {
+		for j := range containers[i].Env {
+			containers[i].Env[j].Value = "XXXXXX"
+		}
+	}
+}
+func removeEphemeralContainersData(containers []corev1.EphemeralContainer) {
 	for i := range containers {
 		for j := range containers[i].Env {
 			containers[i].Env[j].Value = "XXXXXX"
 		}
 	}
-	workloadinterface.SetInMap(workload.GetObject(), workloadinterface.PodSpec(workload.GetKind()), "containers", containers)
 }
 
 func ruleData(rule *reporthandling.PolicyRule) string {

core/pkg/opaprocessor/processorhandlerutils_test.go

@@ -3,21 +3,152 @@ package opaprocessor
 import (
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
+
 	"github.com/stretchr/testify/assert"
 
 	"github.com/kubescape/k8s-interface/workloadinterface"
 )
 
 func TestRemoveData(t *testing.T) {
+	type args struct {
+		w string
+	}
+	tests := []struct {
+		name string
+		args args
+	}{
+		{
+			name: "remove data",
+			args: args{
+				w: `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"demoservice-server", "annotations": {"name": "kubectl.kubernetes.io/last-applied-configuration", "value": "blabla"}},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"demoservice-server"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}`,
+			},
+		},
+		{
+			name: "remove data with init containers and ephemeral containers",
+			args: args{
+				w: `{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-pod", "namespace": "default"}, "spec": {"containers": [{"name": "container1", "image": "nginx", "ports": [{"containerPort": 80}], "env": [{"name": "CONTAINER_ENV", "value": "container_value"}]}], "initContainers": [{"name": "init-container1", "image": "busybox", "command": ["sh", "-c", "echo 'Init Container'"], "env": [{"name": "INIT_CONTAINER_ENV", "value": "init_container_value"}]}], "ephemeralContainers": [{"name": "debug-container", "image": "busybox", "command": ["sh", "-c", "echo 'Ephemeral Container'"], "targetContainerName": "container1", "env": [{"name": "EPHEMERAL_CONTAINER_ENV", "value": "ephemeral_container_value"}]}]}}`,
+			},
+		},
+		{
+			name: "remove secret data",
+			args: args{
+				w: `{"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "example-secret", "namespace": "default", "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"}}, "type": "Opaque", "data": {"username": "dXNlcm5hbWU=", "password": "cGFzc3dvcmQ="}}`,
+			},
+		},
+		{
+			name: "remove configMap data",
+			args: args{
+				w: `{"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "example-configmap", "namespace": "default", "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"}}, "data": {"exampleKey": "exampleValue"}}`,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			obj, _ := workloadinterface.NewWorkload([]byte(tt.args.w))
+			removeData(obj)
 
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"demoservice-server"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"demoservice-server"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}`
-	obj, _ := workloadinterface.NewWorkload([]byte(w))
-	removeData(obj)
+			workload := workloadinterface.NewWorkloadObj(obj.GetObject())
 
-	workload := workloadinterface.NewWorkloadObj(obj.GetObject())
-	c, _ := workload.GetContainers()
-	for i := range c {
-		for _, e := range c[i].Env {
+			_, found := workload.GetAnnotation("kubectl.kubernetes.io/last-applied-configuration")
+			assert.False(t, found)
+
+			_, found = workloadinterface.InspectMap(workload.GetObject(), "metadata", "managedFields")
+			assert.False(t, found)
+
+			_, found = workloadinterface.InspectMap(workload.GetObject(), "status")
+			assert.False(t, found)
+
+			if d, ok := workloadinterface.InspectMap(workload.GetObject(), "data"); ok {
+				data, ok := d.(map[string]interface{})
+				assert.True(t, ok)
+				for key := range data {
+					assert.Equal(t, "XXXXXX", data[key])
+				}
+			}
+
+			if c, _ := workload.GetContainers(); c != nil {
+				for i := range c {
+					for _, e := range c[i].Env {
+						assert.Equal(t, "XXXXXX", e.Value, e.Name)
+					}
+				}
+			}
+
+			if ic, _ := workload.GetInitContainers(); ic != nil {
+				for i := range ic {
+					for _, e := range ic[i].Env {
+						assert.Equal(t, "XXXXXX", e.Value, e.Name)
+					}
+				}
+			}
+
+			if ec, _ := workload.GetEphemeralContainers(); ec != nil {
+				for i := range ec {
+					for _, e := range ec[i].Env {
+						assert.Equal(t, "XXXXXX", e.Value, e.Name)
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestRemoveContainersData(t *testing.T) {
+	containers := []corev1.Container{
+		{
+			Env: []corev1.EnvVar{
+				{
+					Name:  "TEST_ENV",
+					Value: "test_value",
+				},
+				{
+					Name:  "ENV_2",
+					Value: "bla",
+				},
+				{
+					Name:  "EMPTY_ENV",
+					Value: "",
+				},
+			},
+		},
+	}
+
+	removeContainersData(containers)
+
+	for _, c := range containers {
+		for _, e := range c.Env {
+			assert.Equal(t, "XXXXXX", e.Value)
+		}
+	}
+}
+
+func TestRemoveEphemeralContainersData(t *testing.T) {
+	containers := []corev1.EphemeralContainer{
+		{
+			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
+				Env: []corev1.EnvVar{
+					{
+						Name:  "TEST_ENV",
+						Value: "test_value",
+					},
+					{
+						Name:  "ENV_2",
+						Value: "bla",
+					},
+					{
+						Name:  "EMPTY_ENV",
+						Value: "",
+					},
+				},
+			},
+		},
+	}
+
+	removeEphemeralContainersData(containers)
+
+	for _, c := range containers {
+		for _, e := range c.Env {
 			assert.Equal(t, "XXXXXX", e.Value)
 		}
 	}

core/pkg/opaprocessor/utils.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/opa-utils/reporthandling"

core/pkg/policyhandler/handlepullpolicies.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/armosec/armoapi-go/armotypes"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"

core/pkg/resourcehandler/filesloader.go

@@ -3,7 +3,6 @@ package resourcehandler
 import (
 	"context"
 	"fmt"
-	"os"
 	"path/filepath"
 	"strings"
 
@@ -15,7 +14,6 @@ import (
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
-	"github.com/kubescape/kubescape/v3/core/pkg/opaprocessor"
 )
 
 // FileResourceHandler handle resources from files and URLs
@@ -26,7 +24,7 @@ func NewFileResourceHandler() *FileResourceHandler {
 	return &FileResourceHandler{}
 }
 
-func (fileHandler *FileResourceHandler) GetResources(ctx context.Context, sessionObj *cautils.OPASessionObj, _ opaprocessor.IJobProgressNotificationClient, scanInfo *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error) {
+func (fileHandler *FileResourceHandler) GetResources(ctx context.Context, sessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error) {
 	allResources := map[string]workloadinterface.IMetadata{}
 	externalResources := cautils.ExternalResources{}
 
@@ -45,10 +43,7 @@ func (fileHandler *FileResourceHandler) GetResources(ctx context.Context, sessio
 		var err error
 
 		if scanInfo.ChartPath != "" && scanInfo.FilePath != "" {
-			workloadIDToSource, workloads, workloadIDToMappingNodes, err = getWorkloadFromHelmChart(ctx, scanInfo.ChartPath, scanInfo.FilePath)
-			if err != nil {
-				// We should probably ignore the error so we can continue scanning other charts
-			}
+			workloadIDToSource, workloads, workloadIDToMappingNodes, _ = getWorkloadFromHelmChart(ctx, scanInfo.InputPatterns[path], scanInfo.ChartPath, scanInfo.FilePath)
 		} else {
 			workloadIDToSource, workloads, workloadIDToMappingNodes, err = getResourcesFromPath(ctx, scanInfo.InputPatterns[path])
 			if err != nil {
@@ -107,26 +102,22 @@ func (fileHandler *FileResourceHandler) GetResources(ctx context.Context, sessio
 func (fileHandler *FileResourceHandler) GetCloudProvider() string {
 	return ""
 }
-func getWorkloadFromHelmChart(ctx context.Context, helmPath, workloadPath string) (map[string]reporthandling.Source, []workloadinterface.IMetadata, map[string]cautils.MappingNodes, error) {
-	clonedRepo, err := cautils.CloneGitRepo(&helmPath)
-	if err != nil {
-		return nil, nil, nil, err
-	}
+func getWorkloadFromHelmChart(ctx context.Context, path, helmPath, workloadPath string) (map[string]reporthandling.Source, []workloadinterface.IMetadata, map[string]cautils.MappingNodes, error) {
+	clonedRepo := cautils.GetClonedPath(path)
+
 	if clonedRepo != "" {
-		defer func(path string) {
-			_ = os.RemoveAll(path)
-		}(clonedRepo)
+		// if the repo was cloned, add the workload path to the cloned repo
+		workloadPath = filepath.Join(clonedRepo, workloadPath)
+	} else {
+		// if the repo was not cloned
+		clonedRepo = path
 	}
 
 	// Get repo root
-	repoRoot, gitRepo := extractGitRepo(helmPath)
+	repoRoot, gitRepo := extractGitRepo(clonedRepo)
 
 	helmSourceToWorkloads, helmSourceToChart, helmSourceToNodes := cautils.LoadResourcesFromHelmCharts(ctx, helmPath)
 
-	if clonedRepo != "" {
-		workloadPath = clonedRepo + workloadPath
-	}
-
 	wlSource, ok := helmSourceToWorkloads[workloadPath]
 	if !ok {
 		return nil, nil, nil, fmt.Errorf("workload %s not found in chart %s", workloadPath, helmPath)
@@ -195,14 +186,10 @@ func getResourcesFromPath(ctx context.Context, path string) (map[string]reportha
 	workloadIDToNodes := make(map[string]cautils.MappingNodes)
 	var workloads []workloadinterface.IMetadata
 
-	clonedRepo, err := cautils.CloneGitRepo(&path)
-	if err != nil {
-		return nil, nil, nil, err
-	}
+	clonedRepo := cautils.GetClonedPath(path)
 	if clonedRepo != "" {
-		defer func(path string) {
-			_ = os.RemoveAll(path)
-		}(clonedRepo)
+		// if the repo was cloned, add the workload path to the cloned repo
+		path = clonedRepo
 	}
 
 	// Get repo root

core/pkg/resourcehandler/handlepullresources_test.go

@@ -100,12 +100,12 @@ func Test_CollectResources(t *testing.T) {
 	}
 
 	assert.NotPanics(t, func() {
-		CollectResources(context.TODO(), resourceHandler, []cautils.PolicyIdentifier{}, objSession, cautils.NewProgressHandler(""), &cautils.ScanInfo{})
+		CollectResources(context.TODO(), resourceHandler, objSession, &cautils.ScanInfo{})
 	}, "Cluster named .*eks.* without a cloud config panics on cluster scan !")
 
 	assert.NotPanics(t, func() {
 		objSession.Metadata.ScanMetadata.ScanningTarget = reportv2.File
-		CollectResources(context.TODO(), resourceHandler, []cautils.PolicyIdentifier{}, objSession, cautils.NewProgressHandler(""), &cautils.ScanInfo{})
+		CollectResources(context.TODO(), resourceHandler, objSession, &cautils.ScanInfo{})
 	}, "Cluster named .*eks.* without a cloud config panics on non-cluster scan !")
 
 }

core/pkg/resourcehandler/handlerpullresources.go

@@ -4,19 +4,18 @@ import (
 	"context"
 	"fmt"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	cloudsupportv1 "github.com/kubescape/k8s-interface/cloudsupport/v1"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
-	"github.com/kubescape/kubescape/v3/core/pkg/opaprocessor"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
 	helpersv1 "github.com/kubescape/opa-utils/reporthandling/helpers/v1"
 	reportv2 "github.com/kubescape/opa-utils/reporthandling/v2"
 	"go.opentelemetry.io/otel"
 )
 
-func CollectResources(ctx context.Context, rsrcHandler IResourceHandler, policyIdentifier []cautils.PolicyIdentifier, opaSessionObj *cautils.OPASessionObj, progressListener opaprocessor.IJobProgressNotificationClient, scanInfo *cautils.ScanInfo) error {
+func CollectResources(ctx context.Context, rsrcHandler IResourceHandler, opaSessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) error {
 	ctx, span := otel.Tracer("").Start(ctx, "resourcehandler.CollectResources")
 	defer span.End()
 	opaSessionObj.Report.ClusterAPIServerInfo = rsrcHandler.GetClusterAPIServerInfo(ctx)
@@ -26,7 +25,7 @@ func CollectResources(ctx context.Context, rsrcHandler IResourceHandler, policyI
 		setCloudMetadata(opaSessionObj, rsrcHandler.GetCloudProvider())
 	}
 
-	resourcesMap, allResources, externalResources, excludedRulesMap, err := rsrcHandler.GetResources(ctx, opaSessionObj, progressListener, scanInfo)
+	resourcesMap, allResources, externalResources, excludedRulesMap, err := rsrcHandler.GetResources(ctx, opaSessionObj, scanInfo)
 	if err != nil {
 		return err
 	}

core/pkg/resourcehandler/interface.go

@@ -5,12 +5,11 @@ import (
 
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
-	"github.com/kubescape/kubescape/v3/core/pkg/opaprocessor"
 	"k8s.io/apimachinery/pkg/version"
 )
 
 type IResourceHandler interface {
-	GetResources(context.Context, *cautils.OPASessionObj, opaprocessor.IJobProgressNotificationClient, *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error)
+	GetResources(context.Context, *cautils.OPASessionObj, *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error)
 	GetClusterAPIServerInfo(ctx context.Context) *version.Info
 	GetCloudProvider() string
 }

core/pkg/resourcehandler/k8sresources.go

@@ -5,14 +5,15 @@ import (
 	"fmt"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/metrics"
 	"github.com/kubescape/kubescape/v3/core/pkg/hostsensorutils"
-	"github.com/kubescape/kubescape/v3/core/pkg/opaprocessor"
 	"github.com/kubescape/opa-utils/objectsenvelopes"
 	"github.com/kubescape/opa-utils/reporthandling/apis"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/pager"
 
 	"github.com/kubescape/k8s-interface/cloudsupport"
 	cloudapis "github.com/kubescape/k8s-interface/cloudsupport/apis"
@@ -60,7 +61,7 @@ func NewK8sResourceHandler(k8s *k8sinterface.KubernetesApi, hostSensorHandler ho
 	return k8sHandler
 }
 
-func (k8sHandler *K8sResourceHandler) GetResources(ctx context.Context, sessionObj *cautils.OPASessionObj, progressListener opaprocessor.IJobProgressNotificationClient, scanInfo *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error) {
+func (k8sHandler *K8sResourceHandler) GetResources(ctx context.Context, sessionObj *cautils.OPASessionObj, scanInfo *cautils.ScanInfo) (cautils.K8SResources, map[string]workloadinterface.IMetadata, cautils.ExternalResources, map[string]bool, error) {
 	logger.L().Start("Accessing Kubernetes objects...")
 	var err error
 
@@ -145,7 +146,7 @@ func (k8sHandler *K8sResourceHandler) GetResources(ctx context.Context, sessionO
 
 	// check that controls use cloud resources
 	if len(cloudResources) > 0 {
-		err := k8sHandler.collectCloudResources(ctx, sessionObj, allResources, ksResourceMap, cloudResources, progressListener)
+		err := k8sHandler.collectCloudResources(ctx, sessionObj, allResources, ksResourceMap, cloudResources)
 		if err != nil {
 			cautils.SetInfoMapForResources(err.Error(), cloudResources, sessionObj.InfoMap)
 			logger.L().Debug("failed to collect cloud data", helpers.Error(err))
@@ -173,9 +174,9 @@ func (k8sHandler *K8sResourceHandler) findScanObjectResource(resource *objectsen
 	}
 
 	if resource.GetApiVersion() != "" {
-		group, version := k8sinterface.SplitApiVersion(resource.GetApiVersion())
-		gvr.Group = group
-		gvr.Version = version
+		g, v := k8sinterface.SplitApiVersion(resource.GetApiVersion())
+		gvr.Group = g
+		gvr.Version = v
 	}
 
 	fieldSelectors := getNameFieldSelectorString(resource.GetName(), FieldSelectorsEqualsOperator)
@@ -208,7 +209,7 @@ func (k8sHandler *K8sResourceHandler) findScanObjectResource(resource *objectsen
 	return wl, nil
 }
 
-func (k8sHandler *K8sResourceHandler) collectCloudResources(ctx context.Context, sessionObj *cautils.OPASessionObj, allResources map[string]workloadinterface.IMetadata, externalResourceMap cautils.ExternalResources, cloudResources []string, progressListener opaprocessor.IJobProgressNotificationClient) error {
+func (k8sHandler *K8sResourceHandler) collectCloudResources(ctx context.Context, sessionObj *cautils.OPASessionObj, allResources map[string]workloadinterface.IMetadata, externalResourceMap cautils.ExternalResources, cloudResources []string) error {
 
 	if k8sHandler.cloudProvider == "" {
 		return fmt.Errorf("failed to get cloud provider, cluster: %s", k8sHandler.clusterName)
@@ -322,7 +323,7 @@ func (k8sHandler *K8sResourceHandler) pullResources(queryableResources Queryable
 		result, err := k8sHandler.pullSingleResource(&gvr, nil, queryableResources[i].FieldSelectors, globalFieldSelectors)
 		if err != nil {
 			if !strings.Contains(err.Error(), "the server could not find the requested resource") {
-				logger.L().Error("failed to pull resource", helpers.String("resource", queryableResources[i].GroupVersionResourceTriplet), helpers.Error(err))
+				logger.L().Warning("failed to pull resource", helpers.String("resource", queryableResources[i].GroupVersionResourceTriplet), helpers.Error(err))
 				// handle error
 				if errs == nil {
 					errs = err
@@ -356,7 +357,7 @@ func (k8sHandler *K8sResourceHandler) pullResources(queryableResources Queryable
 }
 
 func (k8sHandler *K8sResourceHandler) pullSingleResource(resource *schema.GroupVersionResource, labels map[string]string, fields string, fieldSelector IFieldSelector) ([]unstructured.Unstructured, error) {
-	resourceList := []unstructured.Unstructured{}
+	var resourceList []unstructured.Unstructured
 	// set labels
 	listOptions := metav1.ListOptions{}
 	fieldSelectors := fieldSelector.GetNamespacesSelectors(resource)
@@ -376,30 +377,29 @@ func (k8sHandler *K8sResourceHandler) pullSingleResource(resource *schema.GroupV
 		clientResource := k8sHandler.k8s.DynamicClient.Resource(*resource)
 
 		// list resources
-		result, err := clientResource.List(context.Background(), listOptions)
-		if err != nil || result == nil {
-			return nil, fmt.Errorf("failed to get resource: %v, labelSelector: %v, fieldSelector: %v, reason: %v", resource, listOptions.LabelSelector, listOptions.FieldSelector, err)
+		if err := pager.New(func(ctx context.Context, opts metav1.ListOptions) (runtime.Object, error) {
+			return clientResource.List(ctx, opts)
+		}).EachListItem(context.Background(), listOptions, func(obj runtime.Object) error {
+			uObject := obj.(*unstructured.Unstructured)
+			if k8sinterface.IsTypeWorkload(uObject.Object) && k8sinterface.WorkloadHasParent(workloadinterface.NewWorkloadObj(uObject.Object)) {
+				logger.L().Debug("Skipping resource with parent", helpers.String("kind", uObject.GetKind()), helpers.String("name", uObject.GetName()))
+				return nil
+			}
+			resourceList = append(resourceList, *obj.(*unstructured.Unstructured))
+			return nil
+		}); err != nil {
+			return nil, fmt.Errorf("failed to get resource: %v, labelSelector: %v, fieldSelector: %v, reason: %w", resource, listOptions.LabelSelector, listOptions.FieldSelector, err)
 		}
 
-		resourceList = append(resourceList, result.Items...)
-
 	}
 
 	return resourceList, nil
 
 }
 func ConvertMapListToMeta(resourceMap []map[string]interface{}) []workloadinterface.IMetadata {
-	workloads := []workloadinterface.IMetadata{}
+	var workloads []workloadinterface.IMetadata
 	for i := range resourceMap {
 		r := resourceMap[i]
-
-		// skip workloads with parents. e.g. Pod with a ReplicaSet ownerReference. This will not skip resources with CRDs asa parents
-		if k8sinterface.IsTypeWorkload(r) {
-			if k8sinterface.WorkloadHasParent(workloadinterface.NewWorkloadObj(r)) {
-				continue
-			}
-		}
-
 		if w := objectsenvelopes.NewObject(r); w != nil {
 			workloads = append(workloads, w)
 		}
@@ -415,8 +415,8 @@ func (k8sHandler *K8sResourceHandler) collectHostResources(ctx context.Context,
 	}
 
 	for rscIdx := range hostResources {
-		group, version := getGroupNVersion(hostResources[rscIdx].GetApiVersion())
-		groupResource := k8sinterface.JoinResourceTriplets(group, version, hostResources[rscIdx].GetKind())
+		g, v := getGroupNVersion(hostResources[rscIdx].GetApiVersion())
+		groupResource := k8sinterface.JoinResourceTriplets(g, v, hostResources[rscIdx].GetKind())
 		allResources[hostResources[rscIdx].GetID()] = &hostResources[rscIdx]
 
 		grpResourceList, ok := externalResourceMap[groupResource]

core/pkg/resourcesprioritization/prioritizationhandler.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"

core/pkg/resultshandling/printer/printresults.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 )

core/pkg/resultshandling/printer/v1/jsonprinter.go

@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"
 )

core/pkg/resultshandling/printer/v1/prometheusprinter.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"

core/pkg/resultshandling/printer/v2/htmlprinter.go

@@ -9,7 +9,7 @@ import (
 	"sort"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"

core/pkg/resultshandling/printer/v2/jsonprinter.go

@@ -11,7 +11,7 @@ import (
 	"github.com/anchore/clio"
 	"github.com/anchore/grype/grype/presenter"
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"

core/pkg/resultshandling/printer/v2/junit.go

@@ -9,7 +9,7 @@ import (
 	"sort"
 	"strings"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"

core/pkg/resultshandling/printer/v2/pdf.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"

core/pkg/resultshandling/printer/v2/prettyprinter.go

@@ -11,7 +11,7 @@ import (
 	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/enescakir/emoji"
 	"github.com/jwalton/gchalk"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"

core/pkg/resultshandling/printer/v2/prettyprinter/reposcan.go

@@ -3,6 +3,7 @@ package prettyprinter
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer/v2/prettyprinter/tableprinter/configurationprinter"
@@ -77,9 +78,8 @@ func (rp *RepoPrinter) getWorkloadScanCommand(ns, kind, name string, source repo
 	}
 
 	if source.FileType == reporthandling.SourceTypeHelmChart {
-		return fmt.Sprintf("%s --chart-path=%s --file-path=%s", cmd, source.HelmPath, fmt.Sprintf("%s/%s", source.Path, source.RelativePath))
-
+		return fmt.Sprintf("%s --chart-path=%s --file-path=%s", cmd, source.HelmPath, filepath.Join(source.Path, source.RelativePath))
 	} else {
-		return fmt.Sprintf("%s --file-path=%s", cmd, fmt.Sprintf("%s/%s", source.Path, source.RelativePath))
+		return fmt.Sprintf("%s --file-path=%s", cmd, filepath.Join(source.Path, source.RelativePath))
 	}
 }

core/pkg/resultshandling/printer/v2/prettyprinter/reposcan_test.go

@@ -1,6 +1,7 @@
 package prettyprinter
 
 import (
+	"path/filepath"
 	"testing"
 
 	"github.com/kubescape/opa-utils/reporthandling"
@@ -50,7 +51,18 @@ func TestRepoScan_getWorkloadScanCommand(t *testing.T) {
 				Path:         "path",
 				RelativePath: "relativePath",
 			},
-			want: "$ kubescape scan workload kind/name --namespace ns --file-path=path/relativePath",
+			want: "$ kubescape scan workload kind/name --namespace ns --file-path=" + filepath.Join("path", "relativePath"),
+		},
+		{
+			testName: "relative file path",
+			ns:       "ns",
+			kind:     "kind",
+			name:     "name",
+			source: reporthandling.Source{
+				Path:         "",
+				RelativePath: "relativePath",
+			},
+			want: "$ kubescape scan workload kind/name --namespace ns --file-path=relativePath",
 		},
 		{
 			testName: "helm path",
@@ -63,7 +75,7 @@ func TestRepoScan_getWorkloadScanCommand(t *testing.T) {
 				HelmPath:     "helmPath",
 				FileType:     "Helm Chart",
 			},
-			want: "$ kubescape scan workload kind/name --namespace ns --chart-path=helmPath --file-path=path/relativePath",
+			want: "$ kubescape scan workload kind/name --namespace ns --chart-path=helmPath --file-path=" + filepath.Join("path", "relativePath"),
 		},
 		{
 			testName: "file path - no namespace",
@@ -73,7 +85,7 @@ func TestRepoScan_getWorkloadScanCommand(t *testing.T) {
 				Path:         "path",
 				RelativePath: "relativePath",
 			},
-			want: "$ kubescape scan workload kind/name --file-path=path/relativePath",
+			want: "$ kubescape scan workload kind/name --file-path=" + filepath.Join("path", "relativePath"),
 		},
 		{
 			testName: "helm path - no namespace",
@@ -85,7 +97,7 @@ func TestRepoScan_getWorkloadScanCommand(t *testing.T) {
 				HelmPath:     "helmPath",
 				FileType:     "Helm Chart",
 			},
-			want: "$ kubescape scan workload kind/name --chart-path=helmPath --file-path=path/relativePath",
+			want: "$ kubescape scan workload kind/name --chart-path=helmPath --file-path=" + filepath.Join("path", "relativePath"),
 		},
 	}
 

core/pkg/resultshandling/printer/v2/prometheus.go

@@ -6,7 +6,7 @@ import (
 	"os"
 
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"

core/pkg/resultshandling/printer/v2/sarifprinter.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/anchore/grype/grype/presenter"
 	"github.com/anchore/grype/grype/presenter/models"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/fixhandler"

core/pkg/resultshandling/reporter/v2/reporteventreceiver.go

@@ -10,7 +10,7 @@ import (
 	"github.com/armosec/armoapi-go/apis"
 	client "github.com/kubescape/backend/pkg/client/v1"
 	v1 "github.com/kubescape/backend/pkg/server/v1"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"github.com/kubescape/kubescape/v3/core/cautils"

core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	v1 "github.com/kubescape/backend/pkg/client/v1"
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/prettylogger"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/cautils/getter"

core/pkg/resultshandling/results.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 
-	logger "github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/kubescape/v3/core/cautils"
 	"github.com/kubescape/kubescape/v3/core/pkg/resultshandling/printer"
@@ -146,7 +146,7 @@ func ValidatePrinter(scanType cautils.ScanTypes, scanContext cautils.ScanningCon
 	if printFormat == printer.SARIFFormat {
 		// supported types for SARIF
 		switch scanContext {
-		case cautils.ContextDir, cautils.ContextFile, cautils.ContextGitLocal:
+		case cautils.ContextDir, cautils.ContextFile, cautils.ContextGitLocal, cautils.ContextGitRemote:
 			return nil
 		default:
 			return fmt.Errorf("format \"%s\" is only supported when scanning local files", printFormat)

docs/getting-started.md

@@ -6,7 +6,7 @@ The best way to get started with Kubescape is to download it to the machine you
 
 ## Install Kubescape
 
-```sh
+```bash
 curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
 ```
 
@@ -16,175 +16,255 @@ You can also check [other installation methods](installation.md)
 
 ## Run your first scan
 
-```sh
-kubescape scan --verbose
+```bash
+kubescape scan
 ```
 
 You will see output like this:
 
-<img src="img/summary.png">
+```bash
+Kubescape security posture overview for cluster: minikube
 
-## Usage
+In this overview, Kubescape shows you a summary of your cluster security posture, including the number of users who can perform administrative actions. For each result greater than 0, you should evaluate its need, and then define an exception to allow it. This baseline can be used to detect drift in future.
 
-_Some documentation on using Kubescape is yet to move here from the [ARMO Platform docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)_.
+Control plane
+┌────┬─────────────────────────────────────┬────────────────────────────────────┐
+│    │ Control Name                        │ Docs                               │
+├────┼─────────────────────────────────────┼────────────────────────────────────┤
+│ ✅ │ API server insecure port is enabled │ https://hub.armosec.io/docs/c-0005 │
+│ ❌ │ Anonymous access enabled            │ https://hub.armosec.io/docs/c-0262 │
+│ ❌ │ Audit logs enabled                  │ https://hub.armosec.io/docs/c-0067 │
+│ ✅ │ RBAC enabled                        │ https://hub.armosec.io/docs/c-0088 │
+│ ❌ │ Secret/etcd encryption enabled      │ https://hub.armosec.io/docs/c-0066 │
+└────┴─────────────────────────────────────┴────────────────────────────────────┘
+
+Access control
+┌─────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name                                    │ Resources │ View Details                       │
+├─────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
+│ Cluster-admin binding                           │     1     │ $ kubescape scan control C-0035 -v │
+│ Data Destruction                                │     6     │ $ kubescape scan control C-0007 -v │
+│ Exec into container                             │     1     │ $ kubescape scan control C-0002 -v │
+│ List Kubernetes secrets                         │     6     │ $ kubescape scan control C-0015 -v │
+│ Minimize access to create pods                  │     2     │ $ kubescape scan control C-0188 -v │
+│ Minimize wildcard use in Roles and ClusterRoles │     1     │ $ kubescape scan control C-0187 -v │
+│ Portforwarding privileges                       │     1     │ $ kubescape scan control C-0063 -v │
+│ Validate admission controller (mutating)        │     0     │ $ kubescape scan control C-0039 -v │
+│ Validate admission controller (validating)      │     0     │ $ kubescape scan control C-0036 -v │
+└─────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘
+
+Secrets
+┌─────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name                                    │ Resources │ View Details                       │
+├─────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
+│ Applications credentials in configuration files │     1     │ $ kubescape scan control C-0012 -v │
+└─────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘
+
+Network
+┌────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name           │ Resources │ View Details                       │
+├────────────────────────┼───────────┼────────────────────────────────────┤
+│ Missing network policy │    13     │ $ kubescape scan control C-0260 -v │
+└────────────────────────┴───────────┴────────────────────────────────────┘
+
+Workload
+┌─────────────────────────┬───────────┬────────────────────────────────────┐
+│ Control Name            │ Resources │ View Details                       │
+├─────────────────────────┼───────────┼────────────────────────────────────┤
+│ Host PID/IPC privileges │     2     │ $ kubescape scan control C-0038 -v │
+│ HostNetwork access      │     1     │ $ kubescape scan control C-0041 -v │
+│ HostPath mount          │     1     │ $ kubescape scan control C-0048 -v │
+│ Non-root containers     │     6     │ $ kubescape scan control C-0013 -v │
+│ Privileged container    │     1     │ $ kubescape scan control C-0057 -v │
+└─────────────────────────┴───────────┴────────────────────────────────────┘
+
+Highest-stake workloads
+────────────────────────
+High-stakes workloads are defined as those which Kubescape estimates would have the highest impact if they were to be exploited.
+
+1. namespace: gadget, name: gadget, kind: DaemonSet
+   '$ kubescape scan workload DaemonSet/gadget --namespace gadget'
+2. namespace: kafka, name: my-cluster-kafka-0, kind: Pod
+   '$ kubescape scan workload Pod/my-cluster-kafka-0 --namespace kafka'
+3. namespace: kafka, name: my-cluster-zookeeper-0, kind: Pod
+   '$ kubescape scan workload Pod/my-cluster-zookeeper-0 --namespace kafka'
+
+Compliance Score
+────────────────
+The compliance score is calculated by multiplying control failures by the number of failures against supported compliance frameworks. Remediate controls, or configure your cluster baseline with exceptions, to improve this score.
+
+* MITRE: 77.39%
+* NSA: 69.97%
+
+View a full compliance report by running '$ kubescape scan framework nsa' or '$ kubescape scan framework mitre'
+
+What now?
+─────────
+* Run one of the suggested commands to learn more about a failed control failure
+* Scan a workload with '$ kubescape scan workload' to see vulnerability information
+* Install Kubescape in your cluster for continuous monitoring and a full vulnerability report: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator
+
+```
+
+# Usage
+
+Capabilities
+* Scan Kubernetes clusters for misconfigurations
+* Scan Kubernetes YAML files/Helm charts for misconfigurations
+* Scan container images for vulnerabilities
+
+## Misconfigurations Scanning
+Scan Kubernetes clusters, YAML files, Helm charts for misconfigurations.
+Kubescape will highlight the misconfigurations and provide remediation steps.
+The misconfigurations are based on multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
 
 ### Examples
 
-* Scan a running Kubernetes cluster:
+#### Scan a running Kubernetes cluster:
 
-    ```sh
-    kubescape scan --verbose
+```bash
+kubescape scan
+```
+
+> **Note**  
+> [Read more about host scanning](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository).
+
+#### Scan NSA framework
+Scan a running Kubernetes cluster with the [NSA framework](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/):
+
+```bash
+kubescape scan framework nsa
+```
+
+#### Scan MITRE framework
+Scan a running Kubernetes cluster with the [MITRE ATT&CK® framework](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/):
+
+```bash
+kubescape scan framework mitre
+```
+
+#### Scan a control
+Scan for a specific control, using the control name or control ID. [See the list of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository).
+
+```bash
+kubescape scan control c-0005 -v
+```
+
+#### Use an alternative kubeconfig file
+
+```bash
+kubescape scan --kubeconfig cluster.conf
+```
+
+#### Scan specific namespaces
+
+```bash
+kubescape scan --include-namespaces development,staging,production
+```
+
+#### Exclude certain namespaces
+
+```bash
+kubescape scan --exclude-namespaces kube-system,kube-public
+```
+
+#### Scan local YAML files
+```sh
+kubescape scan /path/to/directory-or-directory
+```
+
+Take a look at the [example](https://youtu.be/Ox6DaR7_4ZI).
+
+#### Scan git repository
+Scan Kubernetes manifest files from a Git repository:
+
+```bash
+kubescape scan https://github.com/kubescape/kubescape
+```
+
+#### Scan with exceptions
+
+```bash
+kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
+```
+
+Objects with exceptions will be presented as `exclude` and not `fail`.
+
+[See more examples about exceptions.](/examples/exceptions/README.md)
+
+#### Scan Helm charts 
+
+```bash
+kubescape scan </path/to/directory>
+```
+
+> **Note**  
+> Kubescape will load the default VALUES file.
+
+#### Scan a Kustomize directory 
+
+```bash
+kubescape scan </path/to/directory>
+```
+
+> **Note**  
+> Kubescape will generate Kubernetes YAML objects using a `kustomize` file and scan them for security.
+
+#### Trigger in cluster components for scanning your cluster
+
+If the [kubescape-operator](https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator#readme) is installed in your cluster, you can trigger scanning of the in cluster components from the kubescape CLI.
+
+Trigger configuration scanning:
+```bash
+kubescape operator scan configurations
+```
+
+Trigger vulnerabilities scanning:
+```bash
+kubescape operator scan vulnerabilities
+```
+
+#### Compliance Score
+
+We offer two important metrics to assess compliance:
+
+- Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
+    ```bash
+    kubescape scan --compliance-threshold <SCORE_VALUE[float32]>
     ```
-
-    > **Note**  
-    > [Read more about host scanning](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository).
-
-* Scan a running Kubernetes cluster with the [NSA framework](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/):
-
-    ```sh
-    kubescape scan framework nsa
+- Framework Compliance Score: This score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.
+    ```bash
+    kubescape scan framework <FRAMEWORK_NAME> --compliance-threshold <SCORE_VALUE[float32]>
     ```
 
-* Scan a running Kubernetes cluster with the [MITRE ATT&CK® framework](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/):
-
-    ```sh
-    kubescape scan framework mitre
-    ```
-
-* Scan for a specific control, using the control name or control ID. [See the list of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository).
-
-    ```sh
-    kubescape scan control "Privileged container"
-    ```
-
-* Use an alternative kubeconfig file:
-
-    ```sh
-    kubescape scan --kubeconfig cluster.conf
-    ```
-
-* Scan specific namespaces:
-
-    ```sh
-    kubescape scan --include-namespaces development,staging,production
-    ```
-
-* Exclude certain namespaces:
-
-    ```sh
-    kubescape scan --exclude-namespaces kube-system,kube-public
-    ```
-
-* Scan local YAML/JSON files before deploying:
-    ```sh
-    kubescape scan *.yaml
-    ```
-
-    [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
-
-* Scan Kubernetes manifest files from a Git repository:
-
-    ```sh
-    kubescape scan https://github.com/kubescape/kubescape
-    ```
-
-* Scan with exceptions
-
-    ```sh
-    kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
-    ```
-
-    Objects with exceptions will be presented as `exclude` and not `fail`.
-
-    [See more examples about exceptions.](/examples/exceptions/README.md)
-
-* Scan Helm charts 
-
-    ```sh
-    kubescape scan </path/to/directory>
-    ```
-
-    > **Note**  
-    > Kubescape will load the default VALUES file.
-
-* Scan a Kustomize directory 
-
-    ```sh
-    kubescape scan </path/to/directory>
-    ```
-
-    > **Note**  
-    > Kubescape will generate Kubernetes YAML objects using a `kustomize` file and scan them for security.
-
-* Trigger in cluster components for scanning your cluster:
-
-    If kubescape helm chart is install in your cluster we can trigger scanning of the in cluster components from the kubescape CLI.
-    ```sh
-    kubescape operator scan config
-    ```
-    ```sh
-    kubescape operator scan vulnerabilities
-    ```
-
-* Compliance Score
-
-    We offer two important metrics to assess compliance:
-
-    - Control Compliance Score: This score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
-        ```sh
-        kubescape scan --compliance-threshold <SCORE_VALUE[float32]>
-        ```
-    - Framework Compliance Score: This score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the Control Compliance Scores of all controls within the framework.
-        ```sh
-        kubescape scan framework <FRAMEWORK_NAME> --compliance-threshold <SCORE_VALUE[float32]>
-        ```
-        Kubescape scan with compliance score
-        <img src="img/ks-scan-with-compliance.gif">
-
 ### Output formats
 
-* JSON:
+#### JSON:
 
-    ```sh
-    kubescape scan --format json --format-version v2 --output results.json
-    ```
+```bash
+kubescape scan --format json --output results.json
+```
 
-    > **Note**  
-    > Add the `--format-version v2` flag for maximum compatibility.
+#### junit XML: 
 
-* junit XML: 
+```bash
+kubescape scan --format junit --output results.xml
+```
+#### SARIF: 
 
-    ```sh
-    kubescape scan --format junit --output results.xml
-    ```
+SARIF is a standard format for the output of static analysis tools. It is supported by many tools, including GitHub Code Scanning and Azure DevOps. [Read more about SARIF](https://docs.github.com/en/code-security/secure-coding/sarif-support-for-code-scanning/about-sarif-support-for-code-scanning).
 
-* PDF:
+```bash
+kubescape scan --format sarif --output results.sarif
+```
+> **Note**
+> SARIF format is supported only when scanning local files or git repositories, but not when scanning a running cluster.
 
-    ```sh
-    kubescape scan --format pdf --output results.pdf
-    ```
+#### HTML
 
-    _Contributed by [@alegrey91](https://github.com/alegrey91)_
-
-* Prometheus metrics:
-
-    ```
-    kubescape scan --format prometheus
-    ```
-
-    _Contributed by [@Joibel](https://github.com/Joibel)_
-
-* HTML
-
-    ```
-    kubescape scan --format html --output results.html
-    ```
-
-* Display all scanned resources (including the resources which passed):
-
-    ```sh
-    kubescape scan --verbose
-    ```
+```bash
+kubescape scan --format html --output results.html
+```
 
 ## Offline/air-gapped environment support
 
@@ -194,7 +274,7 @@ It is possible to run Kubescape offline!  Check out our [video tutorial](https:/
 
 1. Download the controls and save them in the local directory.  If no path is specified, they will be saved in `~/.kubescape`.
 
-   ```sh
+   ```bash
    kubescape download artifacts --output path/to/local/dir
    ```
 
@@ -202,7 +282,7 @@ It is possible to run Kubescape offline!  Check out our [video tutorial](https:/
 
 3. Scan using the downloaded artifacts:
 
-   ```sh
+   ```bash
    kubescape scan --use-artifacts-from path/to/local/dir
    ```
 
@@ -212,7 +292,7 @@ You can also download a single artifact, and scan with the `--use-from` flag:
 
 1. Download and save in a file. If no file name is specified, the artifact will be saved as `~/.kubescape/<framework name>.json`.
 
-    ```sh
+    ```bash
     kubescape download framework nsa --output /path/nsa.json
     ```
 
@@ -220,9 +300,32 @@ You can also download a single artifact, and scan with the `--use-from` flag:
 
 3. Scan using the downloaded framework:
 
-    ```sh
+    ```bash
     kubescape scan framework nsa --use-from /path/nsa.json
     ```
+## Image scanning
+
+Kubescape can scan container images for vulnerabilities.  It uses [Grype]() to scan the images.
+
+### Examples
+
+#### Scan image
+
+```bash
+kubescape scan image nginx:1.19.6
+```
+
+#### Scan image from a private registry
+
+```bash
+kubescape scan image --username myuser --password mypassword myregistry/nginx:1.19.6
+```
+
+#### Scan image and see full report
+    
+```bash
+kubescape scan image nginx:1.19.6 -v
+```
 
 ## Other ways to use Kubescape
 

examples/exceptions/README.md

@@ -22,7 +22,6 @@ e.g. When a `kube-system` resource fails and it is ok, simply add the resource t
     * `frameworkName` - Framework names can be found [here](https://github.com/armosec/regolibrary/tree/master/frameworks) (regex supported)
     * `controlName` - Control names can be found [here](https://github.com/armosec/regolibrary/tree/master/controls) (regex supported)
     * `controlID` - Control ID can be found [here](https://github.com/armosec/regolibrary/tree/master/controls) (regex supported)
-    * `ruleName` - Rule names can be found [here](https://github.com/armosec/regolibrary/tree/master/rules) (regex supported)
  
 You can find [here](https://github.com/kubescape/kubescape/tree/master/examples/exceptions) some examples of exceptions files
 

go.mod

@@ -1,8 +1,6 @@
 module github.com/kubescape/kubescape/v3
 
-go 1.21.1
-
-toolchain go1.21.6
+go 1.22.3
 
 require (
 	github.com/adrg/xdg v0.4.0
@@ -10,12 +8,14 @@ require (
 	github.com/anchore/grype v0.77.1
 	github.com/anchore/stereoscope v0.0.3-0.20240423181235-8b297badafd5
 	github.com/anchore/syft v1.3.0
+	github.com/anubhav06/copa-grype v1.0.3-alpha.1
 	github.com/armosec/armoapi-go v0.0.330
 	github.com/armosec/utils-go v0.0.57
 	github.com/armosec/utils-k8s-go v0.0.26
 	github.com/briandowns/spinner v1.23.0
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/distribution/reference v0.6.0
+	github.com/docker/distribution v2.8.3+incompatible
 	github.com/enescakir/emoji v1.0.0
 	github.com/francoispqt/gojay v1.2.13
 	github.com/go-git/go-git/v5 v5.12.0
@@ -27,7 +27,7 @@ require (
 	github.com/kubescape/backend v0.0.20
 	github.com/kubescape/go-git-url v0.0.30
 	github.com/kubescape/go-logger v0.0.22
-	github.com/kubescape/k8s-interface v0.0.161
+	github.com/kubescape/k8s-interface v0.0.168
 	github.com/kubescape/opa-utils v0.0.281
 	github.com/kubescape/rbac-utils v0.0.21-0.20230806101615-07e36f555520
 	github.com/kubescape/regolibrary/v2 v2.0.1
@@ -36,52 +36,54 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mikefarah/yq/v4 v4.29.1
 	github.com/olekukonko/tablewriter v0.0.6-0.20230417144759-edd1a71a5576
-	github.com/open-policy-agent/opa v0.61.0
+	github.com/open-policy-agent/opa v0.63.0
 	github.com/owenrumney/go-sarif/v2 v2.2.0
-	github.com/project-copacetic/copacetic v0.0.0-00010101000000-000000000000
+	github.com/project-copacetic/copacetic v0.4.1-0.20231017020916-013c118454b8
 	github.com/schollz/progressbar/v3 v3.13.0
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
-	github.com/sigstore/cosign/v2 v2.2.3
+	github.com/sigstore/cosign/v2 v2.2.4
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
-	go.opentelemetry.io/otel v1.22.0
-	go.opentelemetry.io/otel/metric v1.22.0
+	go.opentelemetry.io/otel v1.24.0
+	go.opentelemetry.io/otel/metric v1.24.0
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
 	golang.org/x/mod v0.17.0
-	golang.org/x/term v0.19.0
+	golang.org/x/term v0.21.0
 	gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.14.4
-	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/client-go v0.29.2
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 
 require (
-	cloud.google.com/go v0.111.0 // indirect
-	cloud.google.com/go/compute v1.23.3 // indirect
+	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go/compute v1.25.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/container v1.29.0 // indirect
-	cloud.google.com/go/iam v1.1.5 // indirect
-	cloud.google.com/go/storage v1.35.1 // indirect
+	cloud.google.com/go/container v1.33.0 // indirect
+	cloud.google.com/go/iam v1.1.6 // indirect
+	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization v1.0.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.1.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
@@ -90,7 +92,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
@@ -105,6 +107,7 @@ require (
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/a8m/envsubst v1.3.0 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
+	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alecthomas/participle/v2 v2.0.0-beta.5 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
@@ -126,33 +129,29 @@ require (
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20240312213626-055233e539b4 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
-	github.com/antchfx/xmlquery v1.3.17 // indirect
-	github.com/antchfx/xpath v1.2.4 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
-	github.com/aquasecurity/trivy v0.44.1 // indirect
-	github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb // indirect
 	github.com/armosec/gojay v1.2.15 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.50.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
+	github.com/aws/aws-sdk-go v1.51.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/eks v1.28.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
+	github.com/aws/smithy-go v1.20.1 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
@@ -162,6 +161,8 @@ require (
 	github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/bugsnag/bugsnag-go/v2 v2.3.0 // indirect
+	github.com/bugsnag/panicwrap v1.3.4 // indirect
 	github.com/buildkite/agent/v3 v3.62.0 // indirect
 	github.com/buildkite/go-pipeline v0.3.2 // indirect
 	github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect
@@ -175,15 +176,15 @@ require (
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
-	github.com/containerd/containerd v1.7.12 // indirect
+	github.com/containerd/containerd v1.7.14 // indirect
 	github.com/containerd/continuity v0.4.2 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/ttrpc v1.2.3 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
-	github.com/coreos/go-oidc/v3 v3.9.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.10.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cpuguy83/go-docker v0.2.1 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
@@ -193,14 +194,16 @@ require (
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/distribution/distribution v2.8.2+incompatible // indirect
+	github.com/docker/buildx v0.11.2 // indirect
 	github.com/docker/cli v26.1.0+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v26.1.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/edsrzf/mmap-go v1.1.0 // indirect
@@ -210,10 +213,11 @@ require (
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/facebookincubator/nvdtools v0.1.5 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/github/go-spdx/v2 v2.2.0 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
@@ -225,18 +229,19 @@ require (
 	github.com/go-gota/gota v0.12.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.22.0 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.27.1 // indirect
-	github.com/go-openapi/spec v0.20.13 // indirect
-	github.com/go-openapi/strfmt v0.22.0 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-piv/piv-go v1.11.0 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
 	github.com/go-test/deep v1.1.0 // indirect
@@ -244,14 +249,15 @@ require (
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/goccy/go-yaml v1.9.6 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
+	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.7 // indirect
+	github.com/google/certificate-transparency-go v1.1.8 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-github/v55 v55.0.0 // indirect
@@ -261,17 +267,18 @@ require (
 	github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	github.com/gookit/color v1.5.4 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-getter v1.7.4 // indirect
+	github.com/hashicorp/go-getter v1.7.5 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
@@ -305,7 +312,6 @@ require (
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mholt/archiver/v3 v3.5.1 // indirect
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
@@ -326,6 +332,7 @@ require (
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -342,13 +349,13 @@ require (
 	github.com/oleiade/reflections v1.0.1 // indirect
 	github.com/olvrng/ujson v1.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/openvex/go-vex v0.2.5 // indirect
 	github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554 // indirect
-	github.com/package-url/packageurl-go v0.1.1 // indirect
+	github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b // indirect
 	github.com/pborman/indent v1.2.1 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
@@ -360,9 +367,9 @@ require (
 	github.com/pkg/profile v1.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/cachecontrol v0.2.0 // indirect
-	github.com/prometheus/client_golang v1.18.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.6.0 // indirect
+	github.com/prometheus/common v0.51.1 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
@@ -372,7 +379,6 @@ require (
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
-	github.com/samber/lo v1.38.1 // indirect
 	github.com/sassoftware/go-rpmutils v0.3.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
@@ -380,10 +386,10 @@ require (
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/sigstore/fulcio v1.4.3 // indirect
-	github.com/sigstore/rekor v1.3.4 // indirect
-	github.com/sigstore/sigstore v1.8.1 // indirect
-	github.com/sigstore/timestamp-authority v1.2.1 // indirect
+	github.com/sigstore/fulcio v1.4.5 // indirect
+	github.com/sigstore/rekor v1.3.6 // indirect
+	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -392,7 +398,7 @@ require (
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.1.7 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.2.0 // indirect
 	github.com/stripe/stripe-go/v74 v74.28.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/sylabs/sif/v2 v2.11.5 // indirect
@@ -402,6 +408,7 @@ require (
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/notary v0.6.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
@@ -418,7 +425,7 @@ require (
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
 	github.com/wagoodman/go-presenter v0.0.0-20211015174752-f9c01afc824b // indirect
 	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
-	github.com/xanzy/go-gitlab v0.96.0 // indirect
+	github.com/xanzy/go-gitlab v0.102.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -429,40 +436,41 @@ require (
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/zclconf/go-cty v1.14.0 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.44.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.22.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v0.41.0 // indirect
-	go.opentelemetry.io/otel/trace v1.22.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
-	go.step.sm/crypto v0.42.1 // indirect
+	go.step.sm/crypto v0.44.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/oauth2 v0.19.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gonum.org/v1/gonum v0.9.1 // indirect
-	google.golang.org/api v0.159.0 // indirect
-	google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect
-	google.golang.org/grpc v1.61.0 // indirect
+	google.golang.org/api v0.172.0 // indirect
+	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/grpc v1.62.1 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -472,8 +480,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gorm.io/gorm v1.25.10 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	modernc.org/libc v1.49.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
@@ -482,15 +490,11 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/release-utils v0.7.7 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 // Using the forked version of tablewriter
 replace github.com/olekukonko/tablewriter => github.com/kubescape/tablewriter v0.0.6-0.20231106230230-aac7d2659c94
 
-// TODO(anubhav06): Remove this once we have a release of copacetic with the support for patching kubescape image scan results.
-replace github.com/project-copacetic/copacetic => github.com/anubhav06/copacetic v0.0.0-20230821175613-0a7915a62e10
-
 replace github.com/anchore/stereoscope => github.com/matthyx/stereoscope v0.0.0-20240426103125-b762a3538c32
 
 replace github.com/google/go-containerregistry => github.com/matthyx/go-containerregistry v0.0.0-20240227132928-63ceb71ae0b9