kubescape
diff --git a/‎admission/rules/v1/helpers.go
+7-7 b/‎admission/rules/v1/helpers.go
+7-7
diff --git a/‎admission/webhook/server.go
+1-1 b/‎admission/webhook/server.go
+1-1
diff --git a/‎admission/webhook/server_test.go
+2-2 b/‎admission/webhook/server_test.go
+2-2
diff --git a/‎main.go
+1-1 b/‎main.go
+1-1
diff --git a/‎mainhandler/handlerequests.go
+22-28 b/‎mainhandler/handlerequests.go
+22-28
diff --git a/‎mainhandler/vulnscan.go
+41-30 b/‎mainhandler/vulnscan.go
+41-30
@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -22,7 +22,7 @@ func GetControllerDetails(event admission.Attributes, clientset kubernetes.Inter
 
 	pod, err := GetPodDetails(clientset, podName, namespace)
 	if err != nil {
-		return "", "", "", "", fmt.Errorf("failed to get pod details: %v", err)
+		return "", "", "", "", fmt.Errorf("failed to get pod details: %w", err)
 	}
 
 	workloadKind, workloadName, workloadNamespace := ExtractPodOwner(pod, clientset)
@@ -32,16 +32,16 @@ func GetControllerDetails(event admission.Attributes, clientset kubernetes.Inter
 }
 
 // GetPodDetails returns the pod details from the Kubernetes API server.
-func GetPodDetails(clientset kubernetes.Interface, podName, namespace string) (*v1.Pod, error) {
+func GetPodDetails(clientset kubernetes.Interface, podName, namespace string) (*corev1.Pod, error) {
 	pod, err := clientset.CoreV1().Pods(namespace).Get(context.TODO(), podName, metav1.GetOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("failed to get pod: %v", err)
+		return nil, fmt.Errorf("failed to get pod: %w", err)
 	}
 	return pod, nil
 }
 
 // ExtractPodOwner returns the kind, name, and namespace of the controller that owns the pod.
-func ExtractPodOwner(pod *v1.Pod, clientset kubernetes.Interface) (string, string, string) {
+func ExtractPodOwner(pod *corev1.Pod, clientset kubernetes.Interface) (string, string, string) {
 	for _, ownerRef := range pod.OwnerReferences {
 		switch ownerRef.Kind {
 		case "ReplicaSet":
@@ -91,9 +91,9 @@ func GetContainerNameFromExecToPodEvent(event admission.Attributes) (string, err
 		return "", fmt.Errorf("object is not of type *unstructured.Unstructured")
 	}
 
-	podExecOptions := &v1.PodExecOptions{}
+	podExecOptions := &corev1.PodExecOptions{}
 	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructuredObj.Object, podExecOptions); err != nil {
-		return "", fmt.Errorf("failed to decode PodExecOptions: %v", err)
+		return "", fmt.Errorf("failed to decode PodExecOptions: %w", err)
 	}
 
 	return podExecOptions.Container, nil
 
@@ -393,7 +393,7 @@ func parseRequest(r *http.Request) (*admissionv1.AdmissionReview, error) {
 	var admissionReview admissionv1.AdmissionReview
 
 	if err := json.Unmarshal(body, &admissionReview); err != nil {
-		return nil, fmt.Errorf("could not parse admission review request: %v", err)
+		return nil, fmt.Errorf("could not parse admission review request: %w", err)
 	}
 
 	if admissionReview.Request == nil {
 
@@ -14,7 +14,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/watcher"
 	"github.com/stretchr/testify/assert"
 	admissionv1 "k8s.io/api/admission/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/admission"
@@ -59,7 +59,7 @@ func TestHandleWebhookValidate(t *testing.T) {
 	review := admissionv1.AdmissionReview{
 		Request: &admissionv1.AdmissionRequest{
 			UID:  "12345",
-			Kind: v1.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
+			Kind: metav1.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 			Object: runtime.RawExtension{
 				Raw: []byte(`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"test"}}`),
 			},
 
@@ -109,7 +109,7 @@ func main() {
 	k8sConfig.ContentType = "application/vnd.kubernetes.protobuf"
 	ksStorageClient, err := kssc.NewForConfig(k8sConfig)
 	if err != nil {
-		logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err))
+		logger.L().Ctx(ctx).Fatal("unable to initialize the storage client", helpers.Error(err))
 	}
 
 	kubernetesCache := objectcache.NewKubernetesCache(k8sApi)
 
@@ -7,39 +7,33 @@ import (
 	"regexp"
 	"time"
 
+	"github.com/armosec/armoapi-go/apis"
+	"github.com/armosec/armoapi-go/identifiers"
+	"github.com/armosec/utils-go/boolutils"
+	"github.com/armosec/utils-go/httputils"
+	pkgwlid "github.com/armosec/utils-k8s-go/wlid"
 	mapset "github.com/deckarep/golang-set/v2"
-	exporters "github.com/kubescape/operator/admission/exporter"
-
 	"github.com/kubescape/backend/pkg/versioncheck"
-	"github.com/kubescape/k8s-interface/workloadinterface"
-	core1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/tools/pager"
-
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	instanceidhandlerv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1"
+	"github.com/kubescape/k8s-interface/k8sinterface"
+	"github.com/kubescape/k8s-interface/workloadinterface"
+	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
+	utilsmetav1 "github.com/kubescape/opa-utils/httpserver/meta/v1"
+	exporters "github.com/kubescape/operator/admission/exporter"
 	"github.com/kubescape/operator/config"
 	cs "github.com/kubescape/operator/continuousscanning"
 	"github.com/kubescape/operator/utils"
 	"github.com/kubescape/operator/watcher"
+	kssc "github.com/kubescape/storage/pkg/generated/clientset/versioned"
 	"github.com/panjf2000/ants/v2"
 	"go.opentelemetry.io/otel"
-
-	"github.com/armosec/armoapi-go/identifiers"
-	"github.com/armosec/utils-go/boolutils"
-	"github.com/armosec/utils-go/httputils"
-
-	"github.com/armosec/armoapi-go/apis"
-
-	v1 "github.com/kubescape/opa-utils/httpserver/apis/v1"
-	utilsmetav1 "github.com/kubescape/opa-utils/httpserver/meta/v1"
-
-	pkgwlid "github.com/armosec/utils-k8s-go/wlid"
-	instanceidhandlerv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1"
-	"github.com/kubescape/k8s-interface/k8sinterface"
-	kssc "github.com/kubescape/storage/pkg/generated/clientset/versioned"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/pager"
 )
 
 type MainHandler struct {
@@ -117,7 +111,7 @@ func NewActionHandler(config config.IConfig, k8sAPI *k8sinterface.KubernetesApi,
 func (mainHandler *MainHandler) SetupContinuousScanning(ctx context.Context) error {
 	ksStorageClient, err := kssc.NewForConfig(k8sinterface.GetK8sConfig())
 	if err != nil {
-		logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err))
+		logger.L().Ctx(ctx).Fatal("unable to initialize the storage client", helpers.Error(err))
 	}
 
 	triggeringHandler := cs.NewTriggeringHandler(mainHandler.eventWorkerPool, mainHandler.config)
@@ -301,7 +295,7 @@ func (mainHandler *MainHandler) HandleScopedRequest(ctx context.Context, session
 		if err := pager.New(func(ctx context.Context, opts metav1.ListOptions) (runtime.Object, error) {
 			return mainHandler.k8sAPI.KubernetesClient.CoreV1().Pods(ns).List(ctx, opts)
 		}).EachListItem(ctx, listOptions, func(obj runtime.Object) error {
-			pod := obj.(*core1.Pod)
+			pod := obj.(*corev1.Pod)
 			podId := pkgwlid.GetWLID(mainHandler.config.ClusterName(), pod.GetNamespace(), "pod", pod.GetName())
 			cmd := sessionObj.Command.DeepCopy()
 
@@ -385,8 +379,8 @@ func (mainHandler *MainHandler) HandleImageScanningScopedRequest(ctx context.Con
 		if err := pager.New(func(ctx context.Context, opts metav1.ListOptions) (runtime.Object, error) {
 			return mainHandler.k8sAPI.KubernetesClient.CoreV1().Pods(ns).List(ctx, opts)
 		}).EachListItem(ctx, listOptions, func(obj runtime.Object) error {
-			pod := obj.(*core1.Pod)
-			if pod.Status.Phase != core1.PodRunning {
+			pod := obj.(*corev1.Pod)
+			if pod.Status.Phase != corev1.PodRunning {
 				// skip non-running pods, for some reason the list includes non-running pods
 				return nil
 			}
@@ -428,7 +422,7 @@ func (mainHandler *MainHandler) HandleImageScanningScopedRequest(ctx context.Con
 
 				noContainerSlug, _ := instanceID.GetSlug(true)
 				if appProfile := utils.GetApplicationProfileForRelevancyScan(ctx, mainHandler.ksStorageClient, noContainerSlug, ns); appProfile != nil {
-					cmd := utils.GetApplicationProfileScanCommand(appProfile)
+					cmd := utils.GetApplicationProfileScanCommand(appProfile, pod)
 
 					// send specific command to the channel
 					newSessionObj := utils.NewSessionObj(ctx, mainHandler.config, cmd, sessionObj.JobID, "")
 
@@ -10,33 +10,28 @@ import (
 	"strings"
 	"time"
 
+	"github.com/armosec/armoapi-go/apis"
+	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/identifiers"
 	"github.com/armosec/registryx/interfaces"
 	"github.com/armosec/registryx/registryclients"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/strings/slices"
-
+	"github.com/armosec/utils-go/httputils"
+	"github.com/armosec/utils-k8s-go/armometadata"
 	"github.com/distribution/reference"
 	dockerregistry "github.com/docker/docker/api/types/registry"
+	"github.com/google/uuid"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/cloudsupport"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	"github.com/kubescape/operator/config"
 	"github.com/kubescape/operator/utils"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
-
 	corev1 "k8s.io/api/core/v1"
-
-	"github.com/google/uuid"
-
-	"github.com/armosec/armoapi-go/apis"
-	apitypes "github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/armoapi-go/identifiers"
-	"github.com/armosec/utils-k8s-go/armometadata"
-
-	"github.com/armosec/utils-go/httputils"
-	"github.com/kubescape/k8s-interface/cloudsupport"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/strings/slices"
 )
 
 func getAPScanURL(config config.IConfig) *url.URL {
@@ -100,7 +95,7 @@ func (actionHandler *ActionHandler) scanRegistriesV2AndUpdateStatus(ctx context.
 	scanTime := time.Now()
 	imageRegistry, err := actionHandler.loadRegistryFromSessionObj()
 	if err != nil {
-		return fmt.Errorf("failed to load registry from sessionObj with err %v", err)
+		return fmt.Errorf("failed to load registry from sessionObj: %w", err)
 	}
 
 	err = actionHandler.scanRegistriesV2(ctx, imageRegistry)
@@ -119,27 +114,27 @@ func (actionHandler *ActionHandler) scanRegistriesV2AndUpdateStatus(ctx context.
 
 func (actionHandler *ActionHandler) scanRegistriesV2(ctx context.Context, imageRegistry apitypes.ContainerImageRegistry) error {
 	if err := actionHandler.loadRegistrySecret(ctx, imageRegistry); err != nil {
-		return fmt.Errorf("failed to load secret with err %v", err)
+		return fmt.Errorf("failed to load secret: %w", err)
 	}
 
 	client, err := registryclients.GetRegistryClient(imageRegistry)
 	if err != nil {
-		return fmt.Errorf("failed to get registry client with err %v", err)
+		return fmt.Errorf("failed to get registry client: %w", err)
 	}
 
 	images, err := client.GetImagesToScan(ctx)
 	if err != nil {
-		return fmt.Errorf("failed to get registry images to scan with err %v", err)
+		return fmt.Errorf("failed to get registry images to scan: %w", err)
 	} else if len(images) == 0 {
 		return errors.New(noImagesToScanError)
 	}
 
 	registryScanCMDList, err := actionHandler.getRegistryImageScanCommands(client, imageRegistry, images)
 	if err != nil {
-		return fmt.Errorf("failed to get registry images scan commands with err %v", err)
+		return fmt.Errorf("failed to get registry images scan commands: %w", err)
 	}
 	if err = sendAllImagesToRegistryScan(ctx, actionHandler.config, registryScanCMDList); err != nil {
-		return fmt.Errorf("failed to send scan commands with err %v", err)
+		return fmt.Errorf("failed to send scan commands: %w", err)
 	}
 
 	return nil
@@ -149,17 +144,17 @@ func (actionHandler *ActionHandler) loadRegistrySecret(ctx context.Context, imag
 	secretName := actionHandler.sessionObj.Command.Args[apitypes.RegistrySecretNameArgKey].(string)
 	secret, err := actionHandler.k8sAPI.KubernetesClient.CoreV1().Secrets(actionHandler.config.Namespace()).Get(ctx, secretName, metav1.GetOptions{})
 	if err != nil {
-		return fmt.Errorf("loadRegistrySecret failed to get secret with err %v", err)
+		return fmt.Errorf("loadRegistrySecret failed to get secret: %w", err)
 	}
 
 	var secretMap map[string]interface{}
 	err = json.Unmarshal(secret.Data[apitypes.RegistryAuthFieldInSecret], &secretMap)
 	if err != nil {
-		return fmt.Errorf("loadRegistrySecret failed to unmarshal registry secret with err %v", err)
+		return fmt.Errorf("loadRegistrySecret failed to unmarshal registry secret: %w", err)
 	}
 	err = imageRegistry.FillSecret(secretMap)
 	if err != nil {
-		return fmt.Errorf("loadRegistrySecret failed to fill registry secret with err %v", err)
+		return fmt.Errorf("loadRegistrySecret failed to fill registry secret: %w", err)
 	}
 	return nil
 }
@@ -168,11 +163,11 @@ func (actionHandler *ActionHandler) loadRegistryFromSessionObj() (apitypes.Conta
 	regInfo := actionHandler.sessionObj.Command.Args[apitypes.RegistryInfoArgKey].(map[string]interface{})
 	regInfoBytes, err := json.Marshal(regInfo)
 	if err != nil {
-		return nil, fmt.Errorf("scanRegistriesV2 failed to marshal command arg with err %v", err)
+		return nil, fmt.Errorf("scanRegistriesV2 failed to marshal command arg: %w", err)
 	}
 	imageRegistry, err := apitypes.UnmarshalRegistry(regInfoBytes)
 	if err != nil {
-		return nil, fmt.Errorf("scanRegistriesV2 failed to unmarshal command with err %v", err)
+		return nil, fmt.Errorf("scanRegistriesV2 failed to unmarshal command: %w", err)
 	}
 	return imageRegistry, nil
 }
@@ -206,7 +201,7 @@ func (actionHandler *ActionHandler) getRegistryImageScanCommands(client interfac
 		}
 		auth, err := client.GetDockerAuth()
 		if err != nil {
-			return nil, fmt.Errorf("failed to get docker auth with err %v", err)
+			return nil, fmt.Errorf("failed to get docker auth: %w", err)
 		}
 		registryScanCommand.Credentialslist = append(registryScanCommand.Credentialslist, *auth)
 		registryScanCMDList = append(registryScanCMDList, &apis.RegistryScanCommand{
@@ -240,7 +235,7 @@ func (actionHandler *ActionHandler) scanImage(ctx context.Context) error {
 	cmd := actionHandler.getImageScanCommand(containerData, imageScanConfig)
 
 	if err := sendCommandToScanner(ctx, actionHandler.config, cmd, actionHandler.sessionObj.Command.CommandName); err != nil {
-		return fmt.Errorf("failed to send command to scanner with err %v", err)
+		return fmt.Errorf("failed to send command to scanner: %w", err)
 	}
 	return nil
 }
@@ -253,6 +248,21 @@ func (actionHandler *ActionHandler) scanApplicationProfile(ctx context.Context)
 		return errors.New("kubevuln is not enabled")
 	}
 
+	// get the pod from the session object
+	pod, _ := actionHandler.sessionObj.Command.Args[utils.ArgsPod].(*corev1.Pod)
+
+	var authConfigs []dockerregistry.AuthConfig
+	if pod != nil {
+		// build a list of secrets from the registry secrets
+		secrets, err := cloudsupport.GetImageRegistryCredentials(actionHandler.k8sAPI, "", pod)
+		if err != nil {
+			return fmt.Errorf("failed to get registry credentials: %w", err)
+		}
+		for i := range secrets {
+			authConfigs = append(authConfigs, secrets[i]...)
+		}
+	}
+
 	span.AddEvent("scanning", trace.WithAttributes(attribute.String("wlid", actionHandler.wlid)))
 	cmd := &apis.WebsocketScanCommand{
 		Wlid: actionHandler.wlid,
@@ -261,13 +271,14 @@ func (actionHandler *ActionHandler) scanApplicationProfile(ctx context.Context)
 				"name":      actionHandler.sessionObj.Command.Args[utils.ArgsName],
 				"namespace": actionHandler.sessionObj.Command.Args[utils.ArgsNamespace],
 			},
+			Credentialslist: authConfigs,
 		},
 	}
 
 	prepareSessionChain(actionHandler.sessionObj, cmd, actionHandler)
 
 	if err := sendCommandToScanner(ctx, actionHandler.config, cmd, apis.TypeScanApplicationProfile); err != nil {
-		return fmt.Errorf("failed to send command to scanner with err %v", err)
+		return fmt.Errorf("failed to send command to scanner: %w", err)
 	}
 	return nil
 }
@@ -344,7 +355,7 @@ func getImageScanConfig(k8sAPI *k8sinterface.KubernetesApi, namespace string, po
 
 	if pod != nil {
 		// TODO: this should not happen every scan
-		// build a list of secrets from the the registry secrets
+		// build a list of secrets from the registry secrets
 		secrets, err := cloudsupport.GetImageRegistryCredentials(k8sAPI, imageTag, pod)
 		if err != nil {
 			return nil, err
@@ -398,7 +409,7 @@ func sendWorkloadWithCredentials(ctx context.Context, scanUrl *url.URL, command
 	}
 
 	if err != nil {
-		return fmt.Errorf("failed to marshal websocketScanCommand with err %v", err)
+		return fmt.Errorf("failed to marshal websocketScanCommand: %w", err)
 	}
 	if command.GetWlid() == "" {
 		logger.L().Debug(fmt.Sprintf("sending scan command to kubevuln: %s", string(jsonScannerC)))
Original file line number	Diff line number	Diff line change
`@@ -393,7 +393,7 @@ func parseRequest(r http.Request) (admissionv1.AdmissionReview, error) {`
`393`	`393`	`var admissionReview admissionv1.AdmissionReview`
`394`	`394`
`395`	`395`	`if err := json.Unmarshal(body, &admissionReview); err != nil {`
`396`		`- return nil, fmt.Errorf("could not parse admission review request: %v", err)`
	`396`	`+ return nil, fmt.Errorf("could not parse admission review request: %w", err)`
`397`	`397`	`}`
`398`	`398`
`399`	`399`	`if admissionReview.Request == nil {`
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ func main() {`
`109`	`109`	`k8sConfig.ContentType = "application/vnd.kubernetes.protobuf"`
`110`	`110`	`ksStorageClient, err := kssc.NewForConfig(k8sConfig)`
`111`	`111`	`if err != nil {`
`112`		`- logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err))`
	`112`	`+ logger.L().Ctx(ctx).Fatal("unable to initialize the storage client", helpers.Error(err))`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`kubernetesCache := objectcache.NewKubernetesCache(k8sApi)`