From 9b54695fe708dab13ee3e49b8649add5dc905415 Mon Sep 17 00:00:00 2001
From: kim-codefresh <kim.aharfi@codefresh.io>
Date: Wed, 10 Jan 2024 10:30:13 +0200
Subject: [PATCH 1/3]  add Docker file for oidc and aws assume role step curl
 jq and aws usage (#671)

* add Docker file for oidc and aws assume role step curl jq and aws usage

* remove unnecessary arg

* add comment
---
 .../aws-sts-assume-role-with-web-identity/Dockerfile     | 9 +++++++++
 incubating/obtain-oidc-id-token/Dockerfile               | 5 +++++
 2 files changed, 14 insertions(+)
 create mode 100644 incubating/aws-sts-assume-role-with-web-identity/Dockerfile
 create mode 100644 incubating/obtain-oidc-id-token/Dockerfile

diff --git a/incubating/aws-sts-assume-role-with-web-identity/Dockerfile b/incubating/aws-sts-assume-role-with-web-identity/Dockerfile
new file mode 100644
index 000000000..8d2e24d5d
--- /dev/null
+++ b/incubating/aws-sts-assume-role-with-web-identity/Dockerfile
@@ -0,0 +1,9 @@
+FROM python:alpine
+
+# using same aws-cli that was used before moving to quay images to prevent regressions
+ARG CLI_VERSION=1.16.284
+
+RUN apk -uv add --no-cache groff jq less && \
+    pip install --no-cache-dir awscli==$CLI_VERSION
+
+WORKDIR /aws
\ No newline at end of file
diff --git a/incubating/obtain-oidc-id-token/Dockerfile b/incubating/obtain-oidc-id-token/Dockerfile
new file mode 100644
index 000000000..9dbf13cf2
--- /dev/null
+++ b/incubating/obtain-oidc-id-token/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:3.14
+
+RUN apk add --no-cache curl jq bash
+
+CMD ["/bin/sh"]
\ No newline at end of file

From 9addaf7b72c1293f6af8ee013e2ce51e0252e56d Mon Sep 17 00:00:00 2001
From: Laurent Rochette <laurent.rochette@codefresh.io>
Date: Tue, 23 Jan 2024 11:51:45 -0700
Subject: [PATCH 2/3] Kubescape integration (#674)

* first draft
* Remove composition from example
* Fix syntax
* Add script
* fix indentation
* add script inline
* Add missing shell
* Moving script to file
* Pull base image from quay
* make executable
* change image base and version
* fix script and variable names
* Adding missing parameters
* Add example and fix README
---------
Signed-off-by: Laurent Rochette <laurent.rochette@codefresh.io>
---
 incubating/kubescape/CHANGELOG.md  |   5 +
 incubating/kubescape/Dockerfile    |   8 ++
 incubating/kubescape/README.md     |  11 ++
 incubating/kubescape/entrypoint.sh | 171 +++++++++++++++++++++++++++++
 incubating/kubescape/icon.png      | Bin 0 -> 12018 bytes
 incubating/kubescape/step.yaml     | 146 ++++++++++++++++++++++++
 6 files changed, 341 insertions(+)
 create mode 100644 incubating/kubescape/CHANGELOG.md
 create mode 100644 incubating/kubescape/Dockerfile
 create mode 100644 incubating/kubescape/README.md
 create mode 100755 incubating/kubescape/entrypoint.sh
 create mode 100644 incubating/kubescape/icon.png
 create mode 100644 incubating/kubescape/step.yaml

diff --git a/incubating/kubescape/CHANGELOG.md b/incubating/kubescape/CHANGELOG.md
new file mode 100644
index 000000000..6661463f0
--- /dev/null
+++ b/incubating/kubescape/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## [1.0.0] - 2024-01-22
+
+Original version
diff --git a/incubating/kubescape/Dockerfile b/incubating/kubescape/Dockerfile
new file mode 100644
index 000000000..aa167d80d
--- /dev/null
+++ b/incubating/kubescape/Dockerfile
@@ -0,0 +1,8 @@
+FROM quay.io/kubescape/kubescape-cli:v3.0.1
+
+# Kubescape uses root privileges for writing the results to a file
+USER root
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/incubating/kubescape/README.md b/incubating/kubescape/README.md
new file mode 100644
index 000000000..fa309c519
--- /dev/null
+++ b/incubating/kubescape/README.md
@@ -0,0 +1,11 @@
+# kubescape CLI
+
+Docker image which invokes security script using kubescape CLI
+
+### Prerequisites:
+
+Codefresh Subscription (Dedicated Infrastructure/Hybrid) - https://codefresh.io/
+
+### Documentation:
+
+kubescape CLI: https://github.com/kubescape/kubescape/blob/master/docs/getting-started.md
diff --git a/incubating/kubescape/entrypoint.sh b/incubating/kubescape/entrypoint.sh
new file mode 100755
index 000000000..0c413a415
--- /dev/null
+++ b/incubating/kubescape/entrypoint.sh
@@ -0,0 +1,171 @@
+#!/busybox/sh
+
+# Checks if `string` contains `substring`.
+#
+# Arguments:
+#   String to check.
+#
+# Returns:
+#   0 if `string` contains `substring`, otherwise 1.
+contains() {
+  case "$1" in
+    *$2*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+set -e
+
+# Kubescape uses the client name to make a request for checking for updates
+export KS_CLIENT="codefresh"
+
+if [ -n "${FRAMEWORKS}" ] && [ -n "${CONTROLS}" ]; then
+  echo "Framework and Control are specified. Please specify either one of them"
+  exit 1
+fi
+
+if [ -z "${FRAMEWORKS}" ] && [ -z "${CONTROLS}" ] && [ -z "${IMAGE}" ]; then
+  echo "Neither Framework, Control nor image are specified. Please specify one of them"
+  exit 1
+fi
+
+
+if [ -n "${FRAMEWORKS}" ] && [ -n "${IMAGE}" ] || [ -n "${CONTROLS}" ] && [ -n "${IMAGE}" ] ; then
+  errmsg="Image and Framework / Control are specified. Kubescape does not support scanning both at the moment."
+  errmsg="${errmsg} Please specify either one of them or neither."
+  echo "${errmsg}"
+  exit 1
+fi
+
+if [ -n "${IMAGE}" ] && [ "${FIXFILES}" = "true" ]; then
+  errmsg="The run requests both an image scan and file fix suggestions. Kubescape does not support fixing image scan results at the moment."
+  errmsg="${errmsg} Please specify either one of them or neither."
+  echo "${errmsg}"
+  exit 1
+fi
+
+# Split the controls by comma and concatenate with quotes around each control
+if [ -n "${CONTROLS}" ]; then
+  controls=""
+  set -f
+  IFS=','
+  set -- "${CONTROLS}"
+  set +f
+  unset IFS
+  for control in "$@"; do
+    control=$(echo "${control}" | xargs) # Remove leading/trailing whitespaces
+    controls="${controls}\"${control}\","
+  done
+  controls=$(echo "${controls%?}")
+fi
+
+frameworks_cmd=$([ -n "${FRAMEWORKS}" ] && echo "framework ${FRAMEWORKS}" || echo "")
+controls_cmd=$([ -n "${CONTROLS}" ] && echo control "${controls}" || echo "")
+
+scan_input=$([ -n "${FILES}" ] && echo "${FILES}" || echo .)
+
+output_formats="${FORMAT}"
+have_json_format="false"
+if [ -n "${output_formats}" ] && contains "${output_formats}" "json"; then
+  have_json_format="true"
+fi
+
+verbose=""
+if [ -n "${VERBOSE}" ] && [ "${VERBOSE}" != "false" ]; then
+  verbose="--verbose"
+fi
+
+exceptions=""
+if [ -n "$EXCEPTIONS" ]; then
+  exceptions="--exceptions ${EXCEPTIONS}"
+fi
+
+controls_config=""
+if [ -n "$CONTROLSCONFIG" ]; then
+  controls_config="--controls-config ${CONTROLSCONFIG}"
+fi
+
+should_fix_files="false"
+if [ "${FIXFILES}" = "true" ]; then
+  should_fix_files="true"
+fi
+
+# If a user requested Kubescape to fix their files, but forgot to ask for JSON
+# output, do it for them
+if [ "${should_fix_files}" = "true" ] && [ "${have_json_format}" != "true" ]; then
+  output_formats="${output_formats},json"
+fi
+
+output_file=$([ -n "${OUTPUTFILE}" ] && echo "${OUTPUTFILE}" || echo "results")
+
+account_opt=$([ -n "${ACCOUNT}" ] && echo --account "${ACCOUNT}" || echo "")
+access_key_opt=$([ -n "${ACCESSKEY}" ] && echo --access-key "${ACCESSKEY}" || echo "")
+server_opt=$([ -n "${SERVER}" ] && echo --server "${SERVER}" || echo "")
+
+# If account ID is empty, we load artifacts from the local path, otherwise we
+# load from the cloud (this will enable custom framework support)
+artifacts_path="/home/ks/.kubescape"
+artifacts_opt=$([ -n "${ACCOUNT}" ] && echo "" || echo --use-artifacts-from "${artifacts_path}")
+
+if [ -n "${FAILEDTHRESHOLD}" ] && [ -n "${COMPLIANCETHRESHOLD}" ]; then
+  echo "Both failedThreshold and complianceThreshold are specified. Please specify either one of them or neither"
+  exit 1
+fi
+
+fail_threshold_opt=$([ -n "${FAILEDTHRESHOLD}" ] && echo --fail-threshold "${FAILEDTHRESHOLD}" || echo "")
+compliance_threshold_opt=$([ -n "${COMPLIANCETHRESHOLD}" ] && echo --compliance-threshold "${COMPLIANCETHRESHOLD}" || echo "")
+
+# When a user requests to fix files, the action should not fail because the
+# results exceed severity. This is subject to change in the future.
+severity_threshold_opt=$(
+  [ -n "${SEVERITYTHRESHOLD}" ] &&
+    [ "${should_fix_files}" = "false" ] &&
+    echo --severity-threshold "${SEVERITYTHRESHOLD}" ||
+    echo ""
+)
+
+# Handle image scanning request
+image_subcmd=""
+echo "image is <${IMAGE}>"
+if [ -n "${IMAGE}" ]; then
+
+  # By default, assume we are not authenticated. This means we can pull public
+  # images from the container runtime daemon
+  image_arg="${IMAGE}"
+
+  severity_threshold_opt=$(
+    [ -n "${SEVERITYTHRESHOLD}" ] &&
+      echo --severity-threshold "${SEVERITYTHRESHOLD}" ||
+      echo ""
+  )
+
+  auth_opts=""
+  if [ -n "${REGISTRYUSERNAME}" ] && [ -n "${REGISTRYPASSWORD}" ]; then
+    auth_opts="--username=${REGISTRYUSERNAME} --password=${REGISTRYPASSWORD}"
+
+    # When trying to authenticate, we cannot assume that the runner has access
+    # to an *authenticated* container runtime daemon, so we should always try
+    # to pull images from the registry
+    image_arg="registry://${image_arg}"
+  else
+    echo "NOTICE: Received no registry credentials, pulling without authentication."
+    printf "Hint: If you provide credentials, make sure you include both the username and password.\n\n"
+  fi
+
+  # Build the image scanning subcommand with options
+  image_subcmd="image ${auth_opts}"
+  # Override the scan input
+  scan_input="${image_arg}"
+  echo "Scan subcommand: ${image_subcmd}"
+fi
+
+# TODO: include artifacts_opt once https://github.com/kubescape/kubescape/issues/1040 is resolved
+scan_command="kubescape scan ${image_subcmd} ${frameworks_cmd} ${controls_cmd} ${scan_input} ${account_opt} ${access_key_opt} ${server_opt} ${fail_threshold_opt} ${compliance_threshold_opt} ${severity_threshold_opt} --format ${output_formats} --output ${output_file} ${verbose} ${exceptions} ${controls_config}"
+
+echo "${scan_command}"
+eval "${scan_command}"
+
+if [ "$should_fix_files" = "true" ]; then
+  fix_command="kubescape fix --no-confirm ${output_file}.json"
+  eval "${fix_command}"
+fi
diff --git a/incubating/kubescape/icon.png b/incubating/kubescape/icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..e93cda3fc1618b21a72d4084ddefd87bfc5a78c4
GIT binary patch
literal 12018
zcmd6NQ*@nw)Ao*SHb#TSYV5|gZSSP9-K4RzV>C`<Hg0S?jm;e!@BXjn_&fg&?vs1{
zG}ma&%=J@6Ng55A2pIqXpvlTer~v>_g#Uer@Q^<damO(L0Lvd)2{8???6Y+QFAdFm
zz@;nL7iecSD<hsUjRmFpJAZjm^P~Nutr}TJyY3vBVT&rHI^Rq(B&0QjJ_=1WRLA4I
zwy;n~B{8m16#7_b&gdmD85WgLhSqhn9cVQPepwEqbiL5E{(jK);#3fXDGvV^Iuw%w
z6`wFH!L+uAA`CSY4xZA2kckbEvd<(~4Dk~@3aa=pn~n*l_>ceZmQr6U^_-mb1~qaG
zp#@^XZH}<m>WGLPrO5#}ybr_COJE+MWE2hAx-kI(707~bUB>UP1RLHo0=)uIjMy@C
z+RdjMiApaS>8k@`htemg;B1w7H%Z19K1`!0Cr7rA{Z(gSd}8$49ug`68lXmreQz=#
zp-+IIKjr`<u(P)IU<awf=;AO(f#WaqoOt~FzGwTHwNSqRh6So7vtie-lay|HJxcsf
z$y*e_hUyKPWP|$#vaK8hjyMX7k1p%y^bfr9sR4m>i(nx_z@>MZ!J$i>SFR`7FiE{$
ztC{w~r3k%V;<!M%MEb1|NU6G<pqN*h>A(H)pC2cWbD#fKLQlv&KXlK)ZXjLm;YN6z
zANae#QTC4r5LmFN4ikM&%yoC)ey#C7Od3vl#x6G=tk#y8@x%iQVzT;7+(+&DgfGNu
zc5upS$gWA=F0+z`4bZG4&bu8>@LWz(CDJ$s%X-F;4hbOi8~<<}ucEr6xl;*FOsenk
zI-`bfceFMdgNO<hb~`Ma@k9aU!q%MCbo%)y(=xv#jB8U7@5wSubheW}=hk!|8dUGY
z3O2x2oV_!dUEc+!g#DxJxDibgpIgT{kP!CsqD!(#szBJqjwtrH7i^EgbiSE{(~TDG
z{KFq?Ow>zWvzsGNC0jwJkVXe2qD+{8+^hJh`ij%}6O_KJy2&i5`J|g%-{mA0KNED3
z{=@u3-cF7*m28y!=U|Vdw$d6MF#w0xVaRVq-1<0-FT}#Am03|<he?P@g$T(Pgsz{U
zjz$D9aLMZp=4wmFWWM7P9)hkqTt%<?SkQ>Jn_`cK1mYzUF5zg0ay%31E%G2L#?^LM
z$?eGKNS1*`5`s6!fw%Bf^gkwr-rCPWiDHGmBV$hbopZO1v3Na6lS^~kUl{PI9Y4Ad
zjJ)BU&s%)zE>Jne%Rpbla*!j}A-61F<hB$xSJ#>k!rU2wpos|P+R+s^qLS^GZu25w
z!YOM(0UN0JC5Qbpcgay3qOrgzvF%I*!$J-Vn{HK-{j7^5lx>m{cKWxqh_l_}YBCT7
z;7qL09|l2?h|A%6EDyMqBi|w0N~VzMIxf-ksXemJZD{$$xyk(&`+vAwm5%%T#B{!#
zgrmWiThDQW79j2=-*r5t|Ez&QJC@9ogDJD0gCM5>fjvHQKD}2U-Yba>ZqT0CrBR-U
zJI#}f-UW-o&@Y$f;c}8X_j5l@l4!ldA6syjbh$vfCkuU@Y#|s|lUW~2qieHIAl)kg
zQwT&d^>3sw!Jh*xsG?T8?{(NkG3(^9@v}d)75taCsGw^yS67~jRS+WjcM3oT_DEGF
z%3;k;PV~aSn<I|_FznGr5U<`-XI*DR0EaR9RKDn7?o(YW1^T7N@O|VdnL^DiIGw+U
zGW~KAhUN>YT#Gh38Lk#j>W$Js#ZEIq@-|5zK0ZM|Uho-NIl17Z02*WTn3z%Ga~R78
z91w}CiSxgUf6WW%EZB>nk5;01ADT(Jtb~p@$96+0TT9@JapvIU_PfhfMYofo=1xZb
zmdf97YE>$CchPqDwS0Ze{6^x%2XQt#S%gkA&;37ikEyBckV9x(+<&I*P7?ndfYZf-
zN?Q5qKI7VPQ=8fPM*>?Wtx8|-y&aY!){_OXNh-hGU!&<3$Ds7Kvi10HkpPe^yp)rw
zQr<Q8uR5iEWEMLpAm=`Sb@mL$`|$7RWdo9dKXoup1eVNIZEUACLC+e{=5oi6^cBs)
zyd`1`&G~!+_T39B+{hmaR_e_{7hb0wek+5HOXn_Ql9t|_Kd8Rt`P$sB?@8b5&<xH+
z)uhck?cbSu9B4=Y1K+_T2qBN+@=!h&EQk+=1NlWGZ~9w$sUu|j5%t6bqD=p(tUG_T
zE{C6^J;6jJTvL*!*IUsRU_i*LvfJkX8+bLm62^QZTJ3DGUi1Y}Tup|D+rKMqwbdOM
zWJvi)9lre(f3G}vr7E$8?zry)e9DOdo|XkG3U#xl5pQZW(z_hWHCorQq<p~r?<|Gt
z!@CX%eoBgK6ky3P>-KQv#BrHa6y51qC-o=qui?1SPA11q#{2_c(7(2lTl=T6uuYV5
z#_i=G$ooHMZ5~|F5r1%$7Q-00<op4a4(}iI>?%0czad^(l<o<Q3!rT<>6?7sq0X4R
za)p4K8PUi7s+4}^sL&Q4lHTWWYIP4P+^^4hZh^S2X~)ghNIe|w8mB8mHBS^q;3p*K
ztNnvb)@iPwiA7=LSdZ_D0Y-&F*az4mdTC5-Mr*~LopFik-iN`fi@$h!{Js4y@cdrM
zN$>Ui<g#QM;4NC|jHU!IjF@yy)JUkEqC2=D;nFdS`x^iu!u-On0$`;uHx6ut>9|ka
zO>%E)+DDF2CrP_#itmW?Br9_a>_pv~=X`2>yA)zbIoqA{Xq3ow*J$(gQ@b}~(l)6V
z@_yJpj#)gsf>!9tn<}1(!f^Lu&6A%aO*?LT6HD~iW$T|xFGf~qGau(;v0Y~V?{Z>+
zL{Yo8r}GPD*vF;E$5t+WiNk-581EATNDaCrJ(2T=CuiQ*;a(ua?6YT5H0Om_zYTs)
zuzEpBru-bcYa~p~q|2e<xBvzxWc6c*JS`OEIz;}s7|fvKcod57gdrc>`a$s@<^k<Y
z#qD%^G;`$%Y4mL9wl<!nj?14Rp|07`g*14V_qQzuJaxJh!_lIF#JUq~zNgaY@1Gqv
zY|%8x|Cxj|lykgc<=8Pa+qRQ1Fhdu^Mx{1Xes0|RJYA^{2}VH&dzAbEI{BpafJrcC
z=J_+R=msZrdifK$qo8jm+-1Yv_9v#Y)@W$5cd04-1w^Mpy8#<~`OWJdbP&(V+`MRJ
z20SRu@4U|*sTjRTw(u7f2yb{3#@YvuILC>|<JM2^WWd<zJ1Ga94uU?kRB?mahsrV0
zvo;z(k^ISBBHzskn`y-(goK&w6kX+OJMyN@yB17L-hW?xSdAm@L^3w3bs<?=vdzBN
z79tgP3v}`}Q6LT`Z<_W?nLkx$dNeD~ha=S(;3h9}49Q(}#7zm5Jbaqcic47ID3OPH
zcpiUkL)?_thjjS}4duXnvz8lBy4dRNU6>5JDGNzj?OunbxGet}>kXU%(83?56q~T$
zbf}dknoFmR_pg+De9tMNOZO7D83kA{#>6Lh#N{wHDeNETxD$coVJptWCN!s+GL-1X
z?cNubiGGKvalVdZwvci#MX<#RhrzCO<_c|8E<Lp1Wf)+7@43(xpbpgjlfB=c^?5Hh
z>!Q`07c8j5dB>b`(f0KHzXvRBis!RNOpF*C7yWIi90x8j%o>=}UQPyookNZhtta_3
zdG*0jDKyXih5-GKW8_u-m*OcDStrjiODwt>0fJ%n1!1zvO|OD4-F^v6yMDf{bjAYN
z2`EqrPjtt*fBl!bW&)0@xM4dMfO1H{Gf~E$gq!l~k1ue8lxXMMjcDzCG0iGNXaX=>
zF|Omlhdxht_4t-14(Mslp`3KK$|}V#Y!JO!)6O2p{2aajv;s?>eEm~X0fKBaS9J4|
zeWxTY+J(Q>IXZf{s(IvU=RV=gFneMiZH&EofU}CkHN&6I^|IT&QIcD&ZGs^dsLr{b
zoX1&@hTA?Dh`^TFXEq4u%JsM@UBW|508zXq-9w|i*C7_;w@ppMj;V1>TMuLEHPJfR
zDOeES)GISv_dAKnB=v~@QW>-Eh3(X8I267xNsHqTJi?muSz(sr`K*|z_+^k_PG$hV
zXwPON+PA{<E3=>&uEXV-j^xO2Q#jfI_8qN_mx+980V~8FV<}K~g69>A-anGe!K@`0
zTZ24gTNx<lsJ>ZsQtIUE&+T5{=Xh^U1N}*RZaxO9<$Zs0wF4o+<ew1|;Whf{j$ti@
znqO>W>@x3zGT_k2<O1Or6U^%kZHGN>6~r7lJDRcly$)xv#!(dF1i;_hd7WWTTO)I_
zSpXPQSVU929CQCZ5&1odxUMO{hKcH>Sz8%w#9Hc^NSwG9w-3?13jextI{7t!I|sG+
zhIrXK=Vd#u%1!xjM&h|q+;J0$KbMs(3{Dz>m0=kJMOL}80(cKG4m=D){+6^$RjghS
znpUYeO?MRsoJ%wRKA*+wRGZ1CG-bet`Wg9Ix-s!$UhKt=#fOUb*o2s}`yOg`9p{<>
zTKQFaCQ95OITpGBI<%BiFK-R!xD(V(VshU{<giKfcH?IF!|txrx#^l4_Kx|5=i=W-
zU{Ie_t`u@m#ge$p2i!^Her!Bq0;P47_VMu!Juyx5fxBG81${;PE9J&YGeNTaXE`-n
zPw*P+jt{kc))j8}ZxYwF*8};WbOMQ`nQ3>piqwac^MbK?Gw&Z&k}k3g3>tF9qXuiu
zTX{`t-noTGshLZBJ7no@R{s=?EY(ap;uu-+!+tmD_KOeleoP%06WJ2=eDjp%DPZ}H
zXDje+iQ#1rK~k5Mqr2TwjA4En*)p+Jh&O4T;RA=ibUZf8KNW-va#)&oVcMbC{l_)=
zy18(8U>8fr*{m(PUUZHcyZG&y8@-fGHxK@<NG6vGexz%RWOllB`4h)Md?V`N<L17X
zRh3Dy($1QW**mKbFRV#J)|ypOZ47VATPeqn#`V?e={t$gw$_{`JA7o8&MfDtB%y^5
zPa3enD)wCT7qz@;R@WsAuOPjbD|$97b-W<P_aZ5GhTZDv&4r+5?yHYoHY#ztg>s7=
zLjtdT`Hep$vI^-kD_=Ol13Mw;cRhxB8Uw|jUyEV}X!wy+P@qh~R6p<8yvyy}_zg@r
zvT@>+-D6_1{?b~+DZf|t5wkW0YP1-=>6L33@7JO@zpBe9k~`lw+<MEAva(fQxjHv-
z@z2j{uXVo_S68Y~i3FRouqW8wr7ErQ(cMh$I`eB#eE;X2zIz-~_BD&A@xz)ibt$#h
zC@5WueI~qC(KpExKLW=+7|Vw4OW)UkAMD5ZUUZEO2J}9~deuz*WNa`D<-}6`lh)Uh
zzrLz=_Z&~Mr$dtRk+YKhq1%}Mwlo*oNnH<H;hMmDpFqT-#2d7)BXu<!EnW(uQwDud
zLo6Ki-HF{FqZbkc58cB1o1TqxvkhAkh6-qEwLB9Xgj^>Be)<jf3wY-~M`^N_Dz%NC
z+-NKZK5x;_$)y@(x*DvF>O}k?%n*Tv0_wIaE#$5~0||tAX1&gPybV4M*kd&Gyke#B
znEIY<pKO=%d<oMA7zOYAyB4jV*`?4&%c1O13G8rX?Tlcq`{<MKG#egt>yH92w@Gru
z*Sq>q^2&sCdZ;&R5?^*~C=6a7CRi%H!gRv*3Qh5P)G=6^?DBZz+UvOz#jZZRM6HT(
z%l8ry?zvwjt3?M{yNcWTlhjVHM!<8I?^{rvPk(%Fj00Xgzf;6*>^v#1sc;FE@O&8T
zb|1fx+rO_qHXsZ|z8c!c)l~*Wlr)?zAWez{%|Fp160n%yH-r{4vb7mm>(J6~^BMxu
z<7wG|Y3MZ9yU0PkZo6e&<t+PS@;{=f94lB6KFoODuI-ou{(S8`_C4?E=JBuj`cdEV
z>Zw?oPxjooc>DF5({9%sSEK65evkcpYbXWZ7*7#k`O$5QYoTcKiu2TB2?sphOye|a
zu$c+~q+Ac=!=0|c$0;>xHq7S>s)V%paluJGE0r&GS#&Y3o0p;ivM@jT_`1R0p?J$0
z-t3uH!!1Hn+|kxRGtnmtNMYS8Rt608Se6zQ6nlbyJCL&vPd^(^Q`1p$mwf-}w0*`x
z&|gdQY#Mpo0+rYrHz0A>i;zm*?O^aFZfA5+vFE(DAw9hVBP(!avazRVjpqEg0iJH2
zs3e(lD&;$gaI@qOIqA@Ko($V@8}-P8h_}&EIY|Fwqtz_|tAY{A$UDvjqk|MzGW><i
zRAlmTxm=oYU1;*Lo7*lJ8`*mAHSvv|No^2@qJ(rp&`Ch@jq0h7QG|;Y&!Xs6`);s`
zbAk(KDvWz(<vaSOTJH38^1hCJoe~_dVLqUAU(K;wOSSC!r>Z%wt!Mtnbvj`(GKZQj
zQqK;-`00R#)<RDwhESj2h2zkD{`?syP!aoh;I(Uv{{G{z>|8LR{-a;e$u~3Z9?8An
zl{rf7F^&D0f_fsW_?u%apQEC$jj)F15=ZRH2xYnU9XJiNP^^pb0H_0wV&3m&qi^mC
zE`D)8;&0ABh&Oi+GP{TDU08q?WD9?ri2BC-ai$M?_@{Q@LXa(_qny|uM&xTd!Dm=q
zsPwn*x%p0Y>*$GM4di$_9gPPmCpEr~ccuFC58HhBqnPZM4w4@Ko5l<}9ooRi9K3(n
z1-`Xc5ZsR{MXt>{%3{qOt?+3#bm!uAdIo{GBfbAoA6=G;$@Y=T_nqWUEtiCjC-4~B
z3+nYFavpZTwxh^{25)6T?x&}Jfd(7fx^j~TCgTErBltlT{aynN35I~$vKHR?cAbqB
zURS!{C<57EFou(6kwH&;W8=F@!UZj>1Lrbj-mK>?K8u?+yTNfxNE_Y3TPNdO2Uz_Y
zCJfLGOHX~qB4aG17HOqcN0_L!u}|YSz~D`C3!;YfrSgBmMcQiBJr{dNlzVMIYCCgj
zwxIPdzA2cKiH*Zp4Y+@R3hfpo9cIO>%IOij9I@IlhWu&v*{nD0$9Keb9rdSkMXcGD
zaZEZ@rE?Mjeol4}P?yBO>!+h+3<}18jQ=FG)iu*T66JDWM&Jt%I9;!|%5oOeN1Zz!
z%lmpRP90??;=;5?%#Cd53y!*you29<-&dmq$@~B-jqLp@;J>`30+d-`p=6ZSlbFnK
z)^&SoSL?w%0a>k+)a6^q*4A6s3|%Z_R_Up*2u`WyK9O{ma>P9mD<CV#tZQg*2lifC
zVELjPp2UWi{Nhp!y-K#KQz)PL)1~0;m3~`v(RpS~AlSP#uL}RW*<%ylOi$#%Mc>53
zMgKVO2KA^mPE*h#u1znf)Y|>E^W|SOuy6HFKjT0G&^V+l!hd{0L@FyX^&#uT?#sGX
z){h=%aG!_H%*MzTrB#N%Xv9qfSl*Bl{h?ovxb?CyBLaMx6mNB9cyV{bKtC@<8<mmW
zNL<&NkMJA^mc2ZSA9Ne{dr->g9&*O6K+h4>u{7RBtcrFW&n2olaG{y3iY%1TZLWKr
zhN`HKc}NfL3V81cC?AEVOEDj{b@>id&$NW9y}{6@VsHX`7A^U2Kog)qxfHH{?D7c9
z1N<x;i`C}<c_W7p-krnBfS{=^llHHel&}Z6d@^$L3$vt6e|Ex0po&||53!lDk=iCb
zD!5XAgrvM7l(0WUSdpsCActzAHGnNh2|j_3b@{ot8o}0i*;4^aabpqWD5dVQ=43p%
zaH*qt-J1`?H6L~Ee28)jeg|lLehtAg<8)j^-*fb5orkjOwVso)>JnWl7yuiAmFGs|
zgUkY^E4~it1uKr&;~h8r6#g%4vBY4HdB4jwvFgjNCjkHMd7n&R!uP@YSX-6g;6Zn}
zn+r|`ZjMP;S9e5GQ$luJ<UV(v%^|<0TSw}taHpJEC?#I9p6F5>Y1qBdyv4Jun^EAq
z7z%!<+MV(N+NvuVEW0DcSi%oH(Dx4*@bF2la%@z5OkF8p>!}pOSdc912HUUQ3TBR5
z-2feQ-6F#CCYcnJ%N=9;%3J)Vaea1FtGDE%OjCPfJKg)+lT!w&9n6<ThehbaSX&e@
zd)~Ur|IXwm7jdnn)Wfi<j~p-D73uApxRaETd3_3#!w+?<bfF#<eYzyv-h8{?B>hVH
zC+y7$em;O<`Fph$ew=3h;(Yk^62e~13UE9Mbsq@uI;q=K>S}jANj}q-_nZj%sone?
zX7`a2U^cr^RsC+JY_!I?+gE%lT5det;r`_ii=r@8lD?0QGj(1uGwL*DXKHo;u-5$g
z{7}>N_Q`1MBhp*IyTuS4eGLdS!Ysv+so6Ul`28hdzia15-q`A0-*#`HBr^6KETS8X
z{$Zs~7^L`tO<B;iM4S6?aubMT)`V-d4neL*#YBYNerA6Nt!^;%^%{68?WM8Kb9*G`
zwNlvyDR5jdYBF}Ozw~ymy}>pWK#Ti+{1wDvzj2}{<XmJcQ5a$Yg1R(Rkyo7XLr@=X
zFaR|y^CsK!;GQ&NWYFN`<YjL+nD=^Sr2icHd+(LPT2t$#eipEsJ6}VRry6_X0p5mV
z4a%6|9$q@n*Brf%Hmmu(y!}kcpcFUoK%}7etaL@W!gmXtF5Wh@a4_|CGJ0g#WTOi&
z^~JNJt|h>Kh{4+nOmcwq^8!h9o!ziBQ_CdenkO7>dkQ~mfz0ez{;Q$)%cPKk`Tdn;
zUo1iHN*6gT?C=O3hvR02@aEgu8M=sWc>sZ^wLl;slGLD+Jf0?`oKdS1`lglC^k-q|
z$(>$?VEmJ>#lNzf;Mw~K8eLtaz_m7RgX_tXsE?{+XMo`hg${47t=e?!>T?Z+<ww^q
zWuB&<`S7&ry9jMzORKE1-KaiJO}vVXi?P{m>Gb;tBfWgO96-X3RYp|!QSn&wKk^qo
z^Y6#sr=g{OtNXy0Q8!U5fAyb=EnKy~=vi1?Jk(xdXj+X>0B&Q7n{2Q11dU<6A(iwy
zA$+$po4kChIJ&!Pw+mpfz#jh?JI_CD&*<k5x`mRCA0hQFIfj#hlt>V#U#a;es-VeG
z!?}s^5Oovr_tIRT>l^iXHcUeD1Q*?gop^Dj@bWuuyQ-TZdWZqXPu-3;*at<?{xT8g
z)-xh4h}YNGwpqi)H><8`bc)q1X>qKl(9GI<yPcJRcBi4<GWN`|Rx5;R8pwH&@H(ON
z9#NXbWa%)~l;ZAn|25P6zMsknI!*aqF7~3dC}zs9960(l@W;QiWgriZF;7s88!g|J
zmP&)^3_<u4DfzMx_8$wu7j;UZQmGeQC%6(SHeW->%ZV57rg-$Jn)>zfi<IEb?a9jb
zVOl~;3RH6ZkJA)4`T*CtaRJn5a+Wu&l+{hAJ4}?57@tMzrPx&YQ(B=S8%u|lB58IM
z+cgl{g__(}csb8kC;9<oS!Ec03$_L?K|kGFC8M9+`J>ZPd-cZ(HP~gpfb+_xi(UxB
zJ_Sa^KCUcNB-6kzDhJkhr#lTwVZlP}^~jz8p*C_+J3l9d;!vZvfn3k!nh@a>wa%Pl
zJ9`F8sW)7!SWlIvzzr(H2*S8`@!wzg+XukrEXS85Rn)(5!_;?Ne}FLtj0JUOYqQRg
zkNRx&94G92C(3H%{}6x@+RD2)E+xjJD=-CcSB<FWjYJ$R+hyu$R%sAq;tl$Ch{fn?
z_p6wvKs>*4+9IGuZ*k&vzD`wcr!l<7PiQaHD|;OVXGVUW8)VSh*uluJZ_bg%a}zaZ
z9h^LWpwrtv4DdTzJyH4NAZOp7hK#-`Xm#Z#bYhfFgB(+lYU^wF&QAo0@ue&DXqd?z
zH^bAO@7W9N{>!vc5IG0c+w%w_Zun)lJN|XRIKW&l^xnxFO2*UbYW}&*8d1NnM|5{k
zWAm&EZBL|E00VZ50tTd1um89q_h=gJQu*yj)qls-yrS?)WYTNCaWT>Y;Y-dr`{y>2
zJ5u8@Ttb`dZ2@+Sr7u^9_)2DN3ZhHygb)3dOy9`Dmd{0B?zx$SQOM7AJhU}yv(Ne3
zrOh5<VJL)4*qeGVW`qaS;7Yu6l3bGGRoZ!NL}aOiOLk!^7oEas@`ya$MFsRdW7QnX
ztahaZHcbVN&t+gexn(|mn2~8$eQ>On>QwZI&hZx)o4PN3hx803xvjmx6emCoL>u*z
z;j_Icm_d<u<TGZTql@3+tchu0pO5zn6S$j!UsY68P`>epfc$T3j3jA9Uc?X}Jjogi
zf`67d49hRCE&B2r04^SBo@u_=_DUwj-deP2{cfzlADr|{v>b-HJt6wGGgv{T(shz-
zNZw(q7uuXXL&3{xL82LKA{J521nDzZgxqM4oaBaeIKC~&HJ?tc?&k0meq4SI6OZEx
z_Giia0N8Uk)YPw{%cHN`f`NhH`!?q)*-nBla7B|C?D3WJB4~Pj_i=&?NpSF)i(hE=
z>`v41k1$QRvAP}q3*2wYq`pp3&J`f>hzQ+7uEW^)jKR5k++ZW4zg)B^`iw11K7lX3
zn;DDwzaE4{^HJ9FefYvq1pFpDEKw93c>{kL8%;PRB}n4p1OD;Kg?BpKvkEXN!gy`l
zqLIC8JCNtD%<@77ah!W}z8~|bsEn6T*zBj~`#ElaopDc$^d6{Qf*1P=;#gu!0k!xH
zodokg&{;<<_&0;UwzEyo3Hd*HQcXm~XK1KmN(QO_fVn+Z?iur%*yt)8E(W0w_<kBd
z5vkCq90Og%JKwv!H7WzU5|A4Q^i_b*M!@&EqNln8gnN-{gm3wp8qg`)A<ZA&{I)($
zyV|plBvn`TbGwOo(S9|gj}Ika;tv4d(dO5j5TBz5y}6~~sj}F3Rh6cLn#7?-WAc}&
zX60&skMrJiop&AqD(mi2vD-LPBK35U@E@@sORWW72)b=O5=HH_*^7KMK*%&VDdTr~
z#aak~bhS=~6F}JhQFT-#;uaSJHyI!9V5ueopK$h7i0{%>i;->ME)~4~__r$1^l9@X
zvcK_t>+FpaVA|aO>k75u$HbecePnr!<BELITg7Wbw_1w$u9a;8x9n&AVccp9VU?#I
zPXQZS3WxWymb%`lkJnKNb$z$JNecr5K+5Vs9X>&11T>6dskjnkI`uS~B838N!Nv@~
zU>dIUVx=#R2MWm)0{Uw<J`>ClrPNO$n3?<Q6HyopS`2s^;DYjB6$?aeKi!-0Vn=3K
z$eU*ngu)RcAFp1wp)0^OmMn3zd<8PXQz30#y1#M__sxg{L-ab+B+FXq*|03%5y;>T
zd9L7D`86so>1Gs_&H3F$5%PbD7?wuNKZ1wPD!v%pT5h)(XD#NhKTrTZ^>CLNp$0p)
z)I|-tO;5_yYpGZgAlQ1iZ2jqQmDLKvbVi{&T^QvsM95f)P?x1p@b$?)LDJpOG9&XL
z4|zRsdE<#sG)9Qfe|ldU%0%$hf3-cYg9*IV3MhGEM;q?a7s>SrHb!F0<C$mp@?ufz
z84&ywo9R6AHD7~$?M}$ahYgG74kvFK$^$Yk&G`9QeHd4ov%4sxp}8k}r5fJb{szG_
z6@g(wmswE)y7`Q6JTS27(i)RNZ;->n0FO`*Z<dH-fYFi4f}NS;l<{<cr};d3EMv{`
zeH6U0`dr}cYSiE88npUL_*WSk@-WRV;ZRHsL^YLFn~4iTdDoCTv8cq_ypV3lhKg#M
zlT2P?2W)^&?<NKr-J>03pp=P#!D_V+rZD-XI&@-BI9fB{`B66vpuGyLIzKz0suAW;
z(g_l}6WhLL<#t(~F5C@ZSbu$-WhSrTt`gHv|A6`XL|4M@UW_OXrw$r)z~>3=U>?yE
z`%06GobFcP-9R%VMqh_Td|t3nLC*e`pr@|Im_0*dc)aiab*Slrq6XgLp^9AOd!jLV
z=G-}z8Zz$-3j#D*iOc@AuV}f2Uz&Sz>)BrkNa^iOrX0REMvY3aeyee?ON-OB{F^cJ
zZpbg)QJ1}D+}P46er)E&2}Vm^JH((l(sA5)z%kfX7;m;iR<TTzZ`KQ$f~`|yRYj9k
zsKK;_uf<oO+G%AG4@JQ~w#_&A$SN?DT7w_0(S-D-bz-L(61~e4Sa-@3{8nsPGbv*%
zHr89gYv<yIt-F<8vCSP@FA<&#kY)wR^nw6J5SuVSZWHi*#IKnh13%rI?WNqun-I~#
zeQlBm4}-A}CpDQ2#r?!O3i<2!hBB1qFK)S}hIUJ`Ys%q3)Di}rkA;3b*AFZW1-&xc
zsZL}G*3(YQ5X@y4N}B+wET2Y}YF{?2eYCmFtBCG^3{SEV1q!EC$xJDX)xq%K6?@Ob
zYtd!9(-d*eZtwHw6O&FpbJqDp^yaft(2(XSIb1RSiMdQ6-UA$MVdHyTyVw$1dz^%$
zE7B06lMnKo@-4q^@m%*B#M;IeQ_n%|9VQd_|2b_nLJ${3ul_u+9^)oNknvPu4_7Yo
zCq283a_=(D;~mTKA+v+3O+{{vMSV-A60dvDCydNRqD0t)dJwaqpeRcYYMaC8Jspy&
zNxp5)ER!H!QVp(8rVZU2$cX<4;P!e*%v=|?wSbnVq_5rF*Kwm-lwBt(gHgi%^~o9$
zkHwVe1`)fYhh9&$tmwYk-VIP`*g%ISPVd&VPKQ~`dG6xZ+%n4@_~um2>G!ax`8&XL
zJz@%yQ$UO4XDesE^54tLt>b7EAXVZ`%7H(Y8u#7}#25H%j8|nla=jDtZWpZdR0y{2
zx36~El)*K~+#sHpsoZwVpxSkGBa}e+?VXm4L5FYRc!V~Y#G%Px-Z9LYl+UxN$CipJ
z3t?Z3f!iFNEv*G7?aCfiPs5Gy=Ut4!t3Np7DuN7p0}?HWv8#JD;0^;*%Sy!uQREyF
zm}9MtP_J7EqE8v@6v;3Bz2BmcO74sz_n^OIy`iBL2T+E|XE=m@iVb6An|5Q^Yn2eh
z<H+?2Z=fL%3Vw3?_#*=5XzIaT((Zh|e*W;c)C-;5P!CEl7*wsKG~i8j8Ta^kn$Zz~
zqsEiA77k_F&WqTxv^OjnPq%OanZa{rS$5XdlfD0=)}M0WL+|HuqGiQ3db&81uL!w2
zID=y@x<&9^(gp+_Q+i_l6Cg?%1wy1R4LkcQs?K`AuFKrGmr*#<E7d;Zwry4d(_pGt
zy2N5!Y1ek8&BUq2+V1V^?vk;Mc5Xe@Nq60?U~X5yBewCtKL=8kS%#)Q4fl~W@z_%v
zVMuOFQv1Oh1+7vdX=Se2dHefsWmWWPrLd37`sfGI%Ai<TI|AaQszd0BDdJgnKev?|
z_Wyjb60i93>xTDd&YvD7$GwOLE~SCpnq|nNKm5Fo04KkUyB#k`3ADjO8F`asaA`q{
zDm`3QDcF$oiMwdzL6?g>qMhc3gVi(ENT5!Z5+1SmY9<rBqNV$Kk07w*#7*T<S#-7u
zRcF{M=ww6w@P*g`A(@Fj->;#C<?%k5Y{(eAmm^<~9hvTtcA*y4>v=4?>{!VT^oJsy
z9jSa$%WPhnzca=d1(Fpx)=h}t?D~wI6Kv)8T{ayMvcA3!$YH8Ynx!6MVW|Ql;@<`}
z^|n5#R4lQ@6BidPe;c4h9Y0F0^B}<N^<Y)UO)b3S`lIzG1K~CG&fTp~*E#`?I3AK!
zaIU%U3N$*IObFo1J#4qUA<4^1i377@zL-BK^D_OwV5FD_()XbTb5VR6G`VNA1@THF
z)Gi)S$x0RSiI;d)-Fe=`S?hVFW>glhCE*Hz5EX0G;Vv&cR(}{yLa1p6MMKke`;Lkc
zCTa$`Sqh<-8_{Bp^anY^0TA95713UNi<cv{&rk71%#A;v8O32KC@RoaPl}F(vZSj0
z2*o9%y-R1*X8ofg8?#z~rG{BZn1hF7`S-K#pPCV*%Q$f977()QZVgqst67igi|@b5
zwGrsdor<RvX|)xZ5?oEv=t}yqQ;n#eHtx$lymKnFI`GqL9x#tOlop--m5}L|_OS|R
zkuB1FgOJ?Dk;Qo;-d5ustZQgX?QE8(Q5sFYf+f&XQ<nZtl!{O8=SbI&CDI}TV3(o>
z<f^ls26muFynZ$s>#VeHoVH%qq_j3bj`=My>s6MyvlJk+`d~WlRu<M1#|VWhe-W6{
z$ojivi9Ww_vvhf?n^Kn*uc}8f0ueHW(G9LI@@E|k3&JTQ1Qb7`Y?L?BmK)Cp)wc~h
z3W(@q`;}foB*7A=l7z2V@C1ksh;L%evy;rXN#;k`dzXGMD`H{8LfeiPxmlHdmCWBD
z`47y*B1x81jqYaJFGH~A(h`6Qh#uL&3h1e~tYw9G&+?}itpK;qNKcj#CiM;}g@RIj
zJ9KG-L=GqTzY7_jL=ke&WT;%{+xn;JBE~yOlSH)BjTap^vQl9xm&o0vum;~%^p)Ly
zygbq(5l7n61sl{6iZ+br@G-GXSXAX#b3d+{m7d?a$zJA!!E_%)<9<qa&Q4%>SH-Xu
z(9~sBcqa4Eh@8eLQ-mw_p#f{$_d(Bvpa&GwKEA$G7`@aP5>D&qmv?#{ro_M|iK`8W
zsQq+Pg<hS?L>FV?I+r9Z4Z-)qX*7WYYXDFbPD8FwdPjS*)5S*zEuqgP9K_>u0sR94
zH5R-1(lc&X9Cmb_y@0mrqv9xZjxOu?$ViGJ5}5DD(H)#n9jG=U@o%$6fIWJEiLVh`
zR0zD7qrD7mu}A(F-Hry+IQ}?<zuwfzI@>!lm<&5c77&)J1z!IF^wNwmOln-L5XcDT
zy=o{}FTNC+B8(`W{ra2D17700^x0n-hUIo;>qIT4OCNkn#+eXH3a=bdN9%r)=qMOb
zl)X@VChH`9ge@9uajkEk5sFZa5JaB`N#s##U_TBvgIQcxP(JyxA?n7J1XVl1v)=*P
zBdElcrwah{t9hUzd>RPHRyT3676vw+xXj;cyiVc)EQ->x=JjOB(IFu|ToL&>$i4?Y
zA3HRM;Lcs8`$A&cGDFhtJY0w{j7fejcomwW^#j|NDG5g78e$nV(c`P@6&bOVVTBSB
z#6=|S!6QMeqJUTZ=McT_bg|zaf5}kA(@M(oD~ZJvI)8|<m3wc3lnMLo2>yFV&SEVN
zY&=Za+bzf(DUNairmI-tyFH8%6(uf4q(slc2XX#=vN=WxFzDHRD2sh78uEx8@m(^t
z%}|ifw=;P^8E%y?HiJ^z5TbAtf!;TEL?c#}HCy(f!pS*N6ecKUoq^9SeLeD@!*-Ao
z)p~@yh%vEWXz%nMacp!vg_AqbVIW8i;4!00ltEGM_kzA*6=0}H@2T11CC}^G_m=e_
zQiftC2A$eS!F1(|nY@UqRJ5=~-VwKwql#ZiX}ck&zrz4@NC@P`Ml<^<lqxT=kqW%}
z-FlWhP;G*j#89+2Myf1r7NM}jX^}2k$=&=t&w?Y-&i*Jj$Q-LIhl<fV*_uwL0!0-%
zi2(f|ajXI!fCGF}08GOz#9VL>xdJH><JeRVy&(eKYb3}UTO}>MCoqLlhVdfe3q$3D
zBl*x1;W<W1;UHiR2pFbO8gO$S@WMJMT-!oH2-H6*I=}-U1V8sO(==sH$Ql}GLnKk>
z!?IyG^$7E_yYYvgf5nW#u*310pidA(rwgEr;h+U-pbf3s9<d<E&?KpB@8*XuNxca+
zy}L{kH8&_BEKyOW*!17-{$26K1Msfh-DJMfJo4n2_rq)aC(sPNrigf}7w*v(@W#67
zQW|sFr%ttf%@hN^K!T<O9p1NPM3nUK>xG$TkP*7xB@SY`Fv9mIWNP&u=uj07%sGCT
y1XRFfs9ICBCqE)3E+<Lo|C0><E&>32eBkwpXmflyM2B$M0kV=x64l}+A^!)PsBLus

literal 0
HcmV?d00001

diff --git a/incubating/kubescape/step.yaml b/incubating/kubescape/step.yaml
new file mode 100644
index 000000000..3a4118f65
--- /dev/null
+++ b/incubating/kubescape/step.yaml
@@ -0,0 +1,146 @@
+kind: step-type
+version: '1.0'
+metadata:
+  name: kubescape
+  version: 3.0.1
+  title: Run a kubescape security scan
+  isPublic: true
+  description: Scan a cluster with the kubescape security service.
+  sources:
+    - 'https://github.com/codefresh-io/steps/tree/master/incubating/kubescape'
+  stage: incubating
+  maintainers:
+    - name: Laurent Rochette
+      email: laurent.rochette@codefresh.io
+    - name: Matthias Bertschy
+      email: matthiasb@armosec.io
+  categories:
+    - security
+  official: true
+  tags: []
+  icon:
+    type: image
+    size:
+      large:
+        url: >-
+          https://cdn.jsdelivr.net/gh/codefresh-io/steps/incubating/kubescape/icon.png
+  examples:
+    - description: example-1
+      workflow:
+        kubescape:
+          type: kubescape:3.0.1
+          arguments:
+            VERBOSE: on
+            OUTPUTFILE: results
+            FRAMEWORKS: MITRE
+            ACCESSKEY: ${{KEY}}
+            ACCOUNT: ${{ACCOUNT_ID}}
+            FORMAT: sarif
+
+spec:
+  arguments: |-
+    {
+        "definitions": {},
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "type": "object",
+        "additionalProperties": false,
+        "patterns": [],
+        "required": [],
+        "properties": {
+            "FILES": {
+                "type": "string",
+                "description": "YAML files or Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. Default is '.' which scans the whole repository"
+            },
+            "OUTPUTFILE": {
+                "type": "string",
+                "description": "Name of the output file where the scan result will be stored without the extension. Default is 'result'"
+            },
+            "FRAMEWORKS": {
+                "type": "string",
+                "description": "Security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces. Example - nsa,devopsbest. Run kubescape list frameworks in the Kubescape CLI to get a list of all frameworks. Either frameworks have to be specified or controls."
+            },
+            "CONTROLS": {
+                "type": "string",
+                "description": "Security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces. Example - Configured liveness probe,Pods in default namespace. Run kubescape list controls in the Kubescape CLI to get a list of all controls. You can use either the complete control name or the control ID such as C-0001 to specify the control you want use. You must specify either the control(s) or the framework(s) you want used in the scan."
+            },
+            "ACCOUNT": {
+                "type": "string",
+                "description": "account ID for integrating with a third-party server"
+            },
+            "ACCESSKEY": {
+                "type": "string",
+                "description": "access-key for integrating with a third-party server"
+            },
+            "SERVER": {
+                "type": "string",
+                "description": "URL for integrating with a third-party server"
+            },
+            "FAILEDTHRESHOLD": {
+                "type": "string",
+                "description": "Failure threshold is the percent above which the command fails and returns exit code 1. Default is 0 i.e, action fails if any control fails"
+            },
+            "SEVERITYTHRESHOLD": {
+                "type": "string",
+                "description": "Severity threshold is the severity of a failed control at or above which the command terminates with an exit code 1. Default is 'high', i.e. the action fails if any High severity control fails"
+            },
+            "COMPLIANCETHRESHOLD": {
+                "type": "string",
+                "description": "Compliance threshold is the percent bellow which the command fails and returns exit code 1 (example: if set to 100 the command will fail if any control fails)"
+            },
+            "VERBOSE": {
+                "type": "string",
+                "description": "on|off - Display all of the input resources and not only failed resources. Default is 'off'"
+            },
+            "EXCEPTIONS": {
+                "type": "string",
+                "description": "The JSON file containing at least one resource and one policy. Refer exceptions docs for more info. Objects with exceptions will be presented as exclude and not fail."
+            },
+            "FORMAT": {
+                "type": "string",
+                "description": "Output format. Can take one or more formats, comma separated",
+                "default": "junit"
+            },
+            "CONTROLSCONFIG": {
+                "type": "string",
+                "description": "The file containing controls configuration. Use 'kubescape download controls-inputs' to download the configured controls-inputs."
+            },
+            "FIXFILES": {
+              "type": "string",
+              "default": "false",
+              "description": "Whether Kubescape will automatically fix files or not. If enabled, Kubescape will make fixes to the input files. You can then use these fixes to open Pull Requests from your CI/CD pipeline."
+            },
+            "IMAGE": {
+                "type": "string",
+                "description": "The image you wish to scan. Launches an image scan, which cannot run together with configuration scans."
+            },
+            "REGISTRYUSERNAME": {
+                "type": "string",
+                "description": "Username to a private registry that hosts the scanned image."
+            },
+            "REGISTRYPASSWORD": {
+                "type": "string",
+                "description": "Password to a private registry that hosts the scanned image."
+            },
+            "KS_IMAGE": {
+                "type": "string",
+                "default": "quay.io/codefreshplugins/kubescape",
+                "description": "Kubescape image to use"
+            },
+            "KS_IMAGE_VERSION": {
+                "type": "string",
+                "default": "3.0.1",
+                "description": "Version of the kubescape image to use"
+            }
+        }
+    }
+  stepsTemplate: |-
+    kubescan:
+      image: '[[.Arguments.KS_IMAGE]]:[[.Arguments.KS_IMAGE_VERSION]]'
+      title: kubescape scan
+      environment:
+      [[ range $key, $val := .Arguments ]]
+        - '[[ $key ]]=[[ $val ]]'
+      [[- end ]]
+  delimiters:
+    left: '[['
+    right: ']]'

From c791f9c6990ed8a968601fe750414df1affad1d8 Mon Sep 17 00:00:00 2001
From: Laurent Rochette <laurent.rochette@codefresh.io>
Date: Tue, 6 Feb 2024 13:42:47 -0700
Subject: [PATCH 3/3] Change API call for app status (#673)

* [1.4.2] change API call to improve performance and  decrease lag
* change some info message into debug
* Change logging default level to error to match step
* Update default version for image
---
 incubating/argo-cd-sync/CHANGELOG.md          |  4 ++
 incubating/argo-cd-sync/argocd_sync.py        | 44 +++++++++----------
 .../queries/get_app_status.graphql            | 25 +++++------
 .../queries/get_app_status.orig.graphql       | 18 ++++++++
 incubating/argo-cd-sync/step.yaml             |  4 +-
 5 files changed, 57 insertions(+), 38 deletions(-)
 create mode 100644 incubating/argo-cd-sync/queries/get_app_status.orig.graphql

diff --git a/incubating/argo-cd-sync/CHANGELOG.md b/incubating/argo-cd-sync/CHANGELOG.md
index 36c40d8d6..58f430cde 100644
--- a/incubating/argo-cd-sync/CHANGELOG.md
+++ b/incubating/argo-cd-sync/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## [1.4.2] - 2024-01-17
+### Changed
+New graphql call to speed up query
+
 ## [1.4.1] - 2023-10-31
 ### Changed
 Add CA_BUNDLE option
diff --git a/incubating/argo-cd-sync/argocd_sync.py b/incubating/argo-cd-sync/argocd_sync.py
index 8ad448bf9..3deb5a3b9 100644
--- a/incubating/argo-cd-sync/argocd_sync.py
+++ b/incubating/argo-cd-sync/argocd_sync.py
@@ -22,7 +22,7 @@
 CF_URL      = os.getenv('CF_URL', 'https://g.codefresh.io')
 CF_API_KEY  = os.getenv('CF_API_KEY')
 CF_STEP_NAME= os.getenv('CF_STEP_NAME', 'STEP_NAME')
-LOG_LEVEL   = os.getenv('LOG_LEVEL', "info")
+LOG_LEVEL   = os.getenv('LOG_LEVEL', "error")
 
 # Check the certificate or not accessing the API endpoint
 VERIFY      = True if os.getenv('INSECURE', "False").lower() == "false" else False
@@ -50,24 +50,24 @@ def main():
     ingress_host = get_runtime_ingress_host()
     execute_argocd_sync(ingress_host)
     namespace=get_runtime_ns()
-    status = get_app_status(namespace)
+    status = get_app_status(ingress_host)
 
     if WAIT_HEALTHY:
-        status=waitHealthy (namespace)
+        status=waitHealthy (ingress_host)
 
         # if Wait failed, it's time for rollback
         if status != "HEALTHY" and ROLLBACK:
             logging.info("Application '%s' did not sync properly. Initiating rollback ", APPLICATION)
             revision = getRevision(namespace)
-            logging.info("latest healthy revision is %d", revision)
+            logging.info("Latest healthy revision is %d", revision)
 
             rollback(ingress_host, namespace, revision)
             logging.info("Waiting for rollback to happen")
             if WAIT_ROLLBACK:
-                status=waitHealthy (namespace)
+                status=waitHealthy (ingress_host)
             else:
                 time.sleep(INTERVAL)
-                status=get_app_status(namespace)
+                status=get_app_status(ingress_host)
         else:
             export_variable('ROLLBACK_EXECUTED', "false")
     else:
@@ -108,7 +108,7 @@ def getRevision(namespace):
       }
     }
     result = client.execute(query, variable_values=variables)
-    logging.info(result)
+    logging.debug("getRevision result: %s", result)
 
     loop=0
     revision = -1
@@ -124,18 +124,18 @@ def getRevision(namespace):
         loop += 1
     # we did not find a HEALTHY one in our page
     export_variable('ROLLBACK_EXECUTED', "false")
-    logging.error("Did not find a HEALTHY release among the lat %d", PAGE_SIZE)
+    logging.error("Did not find a HEALTHY release among the last %d", PAGE_SIZE)
     sys.exit(1)
 
-def waitHealthy (namespace):
-    logging.debug ("Entering waitHealthy (ns: %s)", namespace)
+def waitHealthy (ingress_host):
+    logging.debug ("Entering waitHealthy (ns: %s)", ingress_host)
 
     time.sleep(INTERVAL)
-    status = get_app_status(namespace)
+    status = get_app_status(ingress_host)
     logging.info("App status is %s", status)
     loop=0
     while status != "HEALTHY" and loop < MAX_CHECKS:
-        status=get_app_status(namespace)
+        status=get_app_status(ingress_host)
         time.sleep(INTERVAL)
         logging.info("App status is %s after %d checks", status, loop)
         loop += 1
@@ -160,15 +160,15 @@ def rollback(ingress_host, namespace, revision):
       "dryRun": False,
       "prune": True
     }
-    logging.info("Rollback app: %s", variables)
+    logging.debug("Rollback variables: %s", variables)
     result = client.execute(query, variable_values=variables)
-    logging.info(result)
+    logging.debug("Rollback result: %s", result)
     export_variable('ROLLBACK_EXECUTED', "true")
 
 
-def get_app_status(namespace):
+def get_app_status(ingress_host):
     ## Get the health status of the app
-    gql_api_endpoint = CF_URL + '/2.0/api/graphql'
+    gql_api_endpoint = ingress_host + '/app-proxy/api/graphql'
     transport = RequestsHTTPTransport(
         url=gql_api_endpoint,
         headers={'authorization': CF_API_KEY},
@@ -178,13 +178,12 @@ def get_app_status(namespace):
     client = Client(transport=transport, fetch_schema_from_transport=False)
     query = get_query('get_app_status') ## gets gql query
     variables = {
-        "runtime":  RUNTIME,
-        "name": APPLICATION,
-        "namespace": namespace
+        "name": APPLICATION
     }
     result = client.execute(query, variable_values=variables)
 
-    health = result['application']['healthStatus']
+    logging.debug("App Status result: %s", result)
+    health = result['applicationProxyQuery']['status']['health']['status']
     return health
 
 def get_query(query_name):
@@ -245,9 +244,8 @@ def execute_argocd_sync(ingress_host):
             "prune": True
         }
     }
-    logging.info("Syncing app: %s", variables)
     result = client.execute(query, variable_values=variables)
-    logging.info(result)
+    logging.debug("Syncing App result: %s", result)
 
 
 def export_variable(var_name, var_value):
@@ -260,7 +258,7 @@ def export_variable(var_name, var_value):
         with open('/meta/env_vars_to_export', 'a') as a_writer:
             a_writer.write(var_name + "=" + var_value+'\n')
 
-    logging.info("Exporting variable: %s=%s", var_name, var_value)
+    logging.debug("Exporting variable: %s=%s", var_name, var_value)
 
 ##############################################################
 
diff --git a/incubating/argo-cd-sync/queries/get_app_status.graphql b/incubating/argo-cd-sync/queries/get_app_status.graphql
index 796f42dd4..574b0d645 100644
--- a/incubating/argo-cd-sync/queries/get_app_status.graphql
+++ b/incubating/argo-cd-sync/queries/get_app_status.graphql
@@ -1,18 +1,17 @@
-query ApplicationsStatusesQuery(
-  $runtime: String!
-  $name: String!
-  $namespace: String
-) {
-  application(runtime: $runtime, name: $name, namespace: $namespace) {
+query appstatus ($name: String!) {
+  applicationProxyQuery(
+		name: $name
+  ){
     metadata {
-      runtime
       name
-      namespace
-      cluster
-      __typename
     }
-    healthStatus
-    syncStatus
-    syncPolicy
+    status {
+      health {
+        status
+      }
+      sync {
+        status
+      }
+    }
   }
 }
diff --git a/incubating/argo-cd-sync/queries/get_app_status.orig.graphql b/incubating/argo-cd-sync/queries/get_app_status.orig.graphql
new file mode 100644
index 000000000..796f42dd4
--- /dev/null
+++ b/incubating/argo-cd-sync/queries/get_app_status.orig.graphql
@@ -0,0 +1,18 @@
+query ApplicationsStatusesQuery(
+  $runtime: String!
+  $name: String!
+  $namespace: String
+) {
+  application(runtime: $runtime, name: $name, namespace: $namespace) {
+    metadata {
+      runtime
+      name
+      namespace
+      cluster
+      __typename
+    }
+    healthStatus
+    syncStatus
+    syncPolicy
+  }
+}
diff --git a/incubating/argo-cd-sync/step.yaml b/incubating/argo-cd-sync/step.yaml
index 702452bf6..8874a8e20 100644
--- a/incubating/argo-cd-sync/step.yaml
+++ b/incubating/argo-cd-sync/step.yaml
@@ -1,7 +1,7 @@
 kind: step-type
 metadata:
   name: argo-cd-sync
-  version: 1.4.1
+  version: 1.4.2
   isPublic: true
   description: Syncs Argo CD apps managed by our GitOps Runtimes
   sources:
@@ -120,7 +120,7 @@ spec:
         },
         "IMAGE_TAG": {
           "type": "string",
-          "default": "1.3.1",
+          "default": "1.4.2",
           "description": "OPTIONAL - To overwrite the tag to use"
         }
       }