New output

.github/workflows/00-pr-scanner.yaml

@@ -2,12 +2,9 @@ name: 00-pr_scanner
 on:
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]
-    branches:
-      - 'master'
-      - 'main'
-      - 'dev'
     paths-ignore:
       - '**.yaml'
+      - '**.yml'
       - '**.md'
       - '**.sh'
       - 'website/*'
@@ -29,3 +26,18 @@ jobs:
       RELEASE: ""
       CLIENT: test
     secrets: inherit
+
+  binary-build:
+    if: ${{ contains( github.event.pull_request.labels.*.name, 'trigger-integration-test') }} ## run only if labeled as "trigger-integration-test"
+    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
+    needs: pr-scanner
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 1
+      GO111MODULE: ""
+      GO_VERSION: "1.20"
+      RELEASE: ""
+      CLIENT: test
+      ARCH_METRIX: ""
+      OS_METRIX: "ubuntu-20.04"
+    secrets: inherit

.github/workflows/a-pr-scanner.yaml

@@ -87,15 +87,3 @@ jobs:
             - Credentials scan: ${{ steps.credentials-scan.outcome }}
             - Vulnerabilities scan: ${{ steps.vulnerabilities-scan.outcome }}
           reactions: 'eyes'
-  basic-tests:
-    needs: scanners
-    uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
-    with:
-      COMPONENT_NAME: kubescape
-      CGO_ENABLED: 1
-      GO111MODULE: ""
-      GO_VERSION: "1.20"
-      RELEASE: ${{ inputs.RELEASE }}
-      CLIENT: ${{ inputs.CLIENT }}
-      CHECKOUT_REPO: ${{ github.repository }}
-    secrets: inherit

.github/workflows/b-binary-build-and-e2e-tests.yaml

@@ -1,5 +1,45 @@
 name: b-binary-build-and-e2e-tests
+
 on:
+  workflow_dispatch:
+    inputs:
+      COMPONENT_NAME:
+        required: false
+        type: string
+        default: "kubescape"
+      RELEASE:
+        required: false
+        type: string
+        default: ""
+      CLIENT:
+        required: false
+        type: string
+        default: "test"
+      GO_VERSION:
+        required: false
+        type: string
+        default: "1.20"
+      GO111MODULE:
+        required: false
+        type: string
+        default: ""
+      CGO_ENABLED:
+        type: number
+        default: 1
+        required: false
+      OS_METRIX:
+        type: string
+        required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_METRIX:
+        type: string
+        required: false
+        default: '[ "", "arm64"]'
+      BINARY_TESTS:
+        type: string
+        required: false
+        default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
+
   workflow_call:
     inputs:
       COMPONENT_NAME:
@@ -23,18 +63,22 @@ on:
       BINARY_TESTS:
         type: string
         default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
-      CHECKOUT_REPO:
+      OS_METRIX:
+        type: string
         required: false
+        default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
+      ARCH_METRIX:
         type: string
-
-
-
+        required: false
+        default: '[ "", "arm64"]'
 jobs:
   wf-preparation:
     name: secret-validator
     runs-on: ubuntu-latest
     outputs:
       TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
+      OS_METRIX: ${{ steps.export_os_to_env.outputs.OS_METRIX }}
+      ARCH_METRIX: ${{ steps.export_arch_to_env.outputs.ARCH_METRIX }}
       is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
     steps:
       - name: check if the necessary secrets are set in github secrets
@@ -49,32 +93,46 @@ jobs:
           REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
         run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n                        env.USERNAME != '' &&\n                        env.PASSWORD != '' &&\n                        env.CLIENT_ID != '' &&\n                        env.SECRET_KEY != '' &&\n                        env.REGISTRY_USERNAME != '' &&\n                        env.REGISTRY_PASSWORD != ''\n                      }}\" >> $GITHUB_OUTPUT\n"
 
+      - id: export_os_to_env
+        name: set test name
+        run: |
+          echo "OS_METRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.OS_METRIX }}
+
       - id: export_tests_to_env
         name: set test name
         run: |
           echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
         env:
           input: ${{ inputs.BINARY_TESTS }}
-
+
+      - id: export_arch_to_env
+        name: set test name
+        run: |
+          echo "ARCH_METRIX=$input" >> $GITHUB_OUTPUT
+        env:
+          input: ${{ inputs.ARCH_METRIX }}
+
 
   binary-build:
     name: Create cross-platform build
+    needs: wf-preparation
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GOARCH: ${{ matrix.arch }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-20.04, macos-latest, windows-latest]
-        arch: ["", arm64]
+        os: ${{ fromJson(needs.wf-preparation.outputs.OS_METRIX) }}
+        arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_METRIX) }}
         exclude:
         - os: windows-latest
           arch: arm64
     steps:
 
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
-          repository: ${{inputs.CHECKOUT_REPO}}
           fetch-depth: 0
           submodules: recursive
 

cmd/scan/framework.go

@@ -78,14 +78,15 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 
 			var frameworks []string
 
-			if len(args) == 0 { // scan all frameworks
+			if len(args) == 0 {
 				scanInfo.ScanAll = true
 			} else {
 				// Read frameworks from input args
 				frameworks = strings.Split(args[0], ",")
 				if cautils.StringInSlice(frameworks, "all") != cautils.ValueNotFound {
 					scanInfo.ScanAll = true
 					frameworks = getter.NativeFrameworks
+
 				}
 				if len(args) > 1 {
 					if len(args[1:]) == 0 || args[1] != "-" {
@@ -105,6 +106,7 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 					}
 				}
 			}
+			scanInfo.SetScanType(cautils.ScanTypeFramework)
 			scanInfo.FrameworkScan = true
 
 			scanInfo.SetPolicyIdentifiers(frameworks, apisv1.KindFramework)
@@ -118,7 +120,8 @@ func getFrameworkCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Comm
 			if err = results.HandleResults(ctx); err != nil {
 				logger.L().Fatal(err.Error())
 			}
-			if !scanInfo.VerboseMode {
+
+			if !scanInfo.VerboseMode && scanInfo.ScanType == cautils.ScanTypeFramework {
 				logger.L().Info("Run with '--verbose'/'-v' flag for detailed resources view\n")
 			}
 			if results.GetRiskScore() > float32(scanInfo.FailThreshold) {

cmd/scan/image.go

@@ -3,14 +3,14 @@ package scan
 import (
 	"context"
 	"fmt"
-	"os"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/kubescape/v2/core/cautils"
+	"github.com/kubescape/kubescape/v2/core/core"
 	"github.com/kubescape/kubescape/v2/core/meta"
+	"github.com/kubescape/kubescape/v2/core/pkg/resultshandling"
 	"github.com/kubescape/kubescape/v2/pkg/imagescan"
 
-	"github.com/anchore/grype/grype/presenter"
 	"github.com/spf13/cobra"
 )
 
@@ -58,15 +58,30 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo, imgScanInfo *im
 			}
 
 			userInput := args[0]
+
+			logger.L().Info(fmt.Sprintf("Scanning image: %s", userInput))
 			scanResults, err := svc.Scan(ctx, userInput, creds)
 			if err != nil {
 				return err
 			}
+			logger.L().Success("Image scan completed successfully")
+
+			scanInfo.SetScanType(cautils.ScanTypeImage)
+
+			outputPrinters := core.GetOutputPrinters(scanInfo, ctx)
 
-			presenterConfig, _ := presenter.ValidatedConfig("table", "", false)
-			pres := presenter.GetPresenter(presenterConfig, *scanResults)
+			uiPrinter := core.GetUIPrinter(ctx, scanInfo)
+
+			resultsHandler := resultshandling.NewResultsHandler(nil, outputPrinters, uiPrinter)
+
+			resultsHandler.ImageScanData = []cautils.ImageScanData{
+				{
+					PresenterConfig: scanResults,
+					Image:           userInput,
+				},
+			}
 
-			pres.Present(os.Stdout)
+			resultsHandler.HandleResults(ctx)
 
 			if imagescan.ExceedsSeverityThreshold(scanResults, failOnSeverity) {
 				terminateOnExceedingSeverity(scanInfo, logger.L())

cmd/scan/scan.go

@@ -1,6 +1,7 @@
 package scan
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"strings"
@@ -9,6 +10,7 @@ import (
 	"github.com/kubescape/kubescape/v2/core/cautils"
 	"github.com/kubescape/kubescape/v2/core/cautils/getter"
 	"github.com/kubescape/kubescape/v2/core/meta"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
 	"github.com/spf13/cobra"
 )
 
@@ -41,14 +43,20 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 		Long:    `The action you want to perform`,
 		Example: scanCmdExamples,
 		Args: func(cmd *cobra.Command, args []string) error {
-			if len(args) > 0 {
+			// setting input patterns for framework scan is only relevancy for non-security view
+			if len(args) > 0 && !scanInfo.IsSecurityView {
 				if args[0] != "framework" && args[0] != "control" {
 					return getFrameworkCmd(ks, &scanInfo).RunE(cmd, append([]string{strings.Join(getter.NativeFrameworks, ",")}, args...))
 				}
 			}
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if scanInfo.IsSecurityView {
+				setSecurityViewScanInfo(args, &scanInfo)
+
+				return securityScan(scanInfo, ks)
+			}
 
 			if len(args) == 0 {
 				return getFrameworkCmd(ks, &scanInfo).RunE(cmd, []string{strings.Join(getter.NativeFrameworks, ",")})
@@ -90,6 +98,8 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Submit the scan results to Kubescape SaaS where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.OmitRawResources, "omit-raw-resources", "", false, "Omit raw resources from the output. By default the raw resources are included in the output")
 	scanCmd.PersistentFlags().BoolVarP(&scanInfo.PrintAttackTree, "print-attack-tree", "", false, "Print attack tree")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.ScanImages, "scan-images", "", false, "Scan resources images")
+	scanCmd.PersistentFlags().BoolVarP(&scanInfo.IsSecurityView, "security-view", "", false, "Show security view")
 
 	scanCmd.PersistentFlags().MarkDeprecated("silent", "use '--logger' flag instead. Flag will be removed at 1.May.2022")
 	scanCmd.PersistentFlags().MarkDeprecated("fail-threshold", "use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023")
@@ -117,9 +127,38 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
 
 	scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
 	scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
+	scanCmd.AddCommand(getWorkloadCmd(ks, &scanInfo))
 
 	isi := &imageScanInfo{}
 	scanCmd.AddCommand(getImageCmd(ks, &scanInfo, isi))
 
 	return scanCmd
 }
+
+func setSecurityViewScanInfo(args []string, scanInfo *cautils.ScanInfo) {
+	if len(args) > 0 {
+		scanInfo.SetScanType(cautils.ScanTypeRepo)
+		scanInfo.InputPatterns = args
+	} else {
+		scanInfo.SetScanType(cautils.ScanTypeCluster)
+	}
+	scanInfo.SetPolicyIdentifiers([]string{"clusterscan", "mitre", "nsa"}, v1.KindFramework)
+}
+
+func securityScan(scanInfo cautils.ScanInfo, ks meta.IKubescape) error {
+
+	ctx := context.TODO()
+
+	results, err := ks.Scan(ctx, &scanInfo)
+	if err != nil {
+		return err
+	}
+
+	if err = results.HandleResults(ctx); err != nil {
+		return err
+	}
+
+	enforceSeverityThresholds(results.GetData().Report.SummaryDetails.GetResourcesSeverityCounters(), &scanInfo, terminateOnExceedingSeverity)
+
+	return nil
+}