kubescape · dorkamotorka · Jan 30, 2026 · Feb 1, 2026 · Feb 1, 2026 · Feb 1, 2026
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,136 @@
+name: build-image
+
+on:
+  workflow_dispatch:
+    inputs:
+      IMAGE_TAG:
+        required: true
+        type: string
+        description: "Image tag for the node-agent image"
+      STORAGE_REF:
+        required: false
+        type: string
+        default: ""
+        description: "Storage image tag to resolve (maps to go/<tag> Git tag). Leave empty to auto-detect latest."
+      PLATFORMS:
+        type: boolean
+        required: false
+        default: false
+        description: "Build for both amd64 and arm64"
+  push:
+    branches:
+      - test/localtestbuild
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Resolve build parameters
+        id: params
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "image_tag=${{ inputs.IMAGE_TAG }}" >> "$GITHUB_OUTPUT"
+            STORAGE_REF="${{ inputs.STORAGE_REF }}"
+          else
+            # Push trigger: derive tag from short commit SHA
+            echo "image_tag=dev-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+            STORAGE_REF=""
+          fi
+
+          # If no STORAGE_REF given, auto-detect the most recent go/ tag on storage
+          if [ -z "$STORAGE_REF" ]; then
+            echo "Auto-detecting latest storage go/ tag..."
+            STORAGE_REF=$(git ls-remote --tags "https://github.com/${REPO_OWNER}/storage.git" 'refs/tags/go/*' \
+              | awk '{print $2}' | sed 's|refs/tags/go/||' | sort -V | tail -1)
+            if [ -n "$STORAGE_REF" ]; then
+              echo "Auto-detected storage ref: ${STORAGE_REF}"
+            else
+              echo "No go/ tags found on storage — will use default go.mod dependency"
+            fi
+          fi
+          echo "storage_ref=${STORAGE_REF}" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Resolve storage commit hash
+        if: ${{ steps.params.outputs.storage_ref != '' }}
+        id: resolve-storage
+        env:
+          STORAGE_REF: ${{ steps.params.outputs.storage_ref }}
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          # The storage build.yaml creates a git tag "go/<IMAGE_TAG>" specifically
+          # for Go module resolution. Try that first, then fall back to raw ref.
+          GO_TAG="go/${STORAGE_REF}"
+          echo "Looking up git tag '${GO_TAG}' on ${REPO_OWNER}/storage..."
+          COMMIT=$(git ls-remote "https://github.com/${REPO_OWNER}/storage.git" "refs/tags/${GO_TAG}" | awk '{print $1}')
+
+          if [ -z "$COMMIT" ]; then
+            echo "Tag '${GO_TAG}' not found, trying raw ref '${STORAGE_REF}'..."
+            COMMIT=$(git ls-remote "https://github.com/${REPO_OWNER}/storage.git" "refs/tags/${STORAGE_REF}" "refs/heads/${STORAGE_REF}" | head -1 | awk '{print $1}')
+          fi
+
+          if [ -z "$COMMIT" ]; then
+            echo "::error::Could not resolve '${STORAGE_REF}' to a commit. Make sure the storage build ran first (it creates the go/ tag)."
+            exit 1
+          fi
+
+          SHORT=$(echo "$COMMIT" | cut -c1-12)
+          echo "Resolved to commit ${COMMIT} (${SHORT})"
+          echo "commit=${COMMIT}" >> "$GITHUB_OUTPUT"
+
+      - name: Update storage dependency
+        if: ${{ steps.params.outputs.storage_ref != '' }}
+        env:
+          COMMIT: ${{ steps.resolve-storage.outputs.commit }}
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          echo "Replacing github.com/kubescape/storage with github.com/${REPO_OWNER}/storage@${COMMIT}"
+          go mod edit -replace "github.com/kubescape/storage=github.com/${REPO_OWNER}/storage@${COMMIT}"
+          GONOSUMDB=github.com/k8sstormcenter/*,github.com/matthyx/* GONOSUMCHECK=github.com/k8sstormcenter/*,github.com/matthyx/* go mod tidy
+          echo "Resolved storage version:"
+          grep "${REPO_OWNER}/storage" go.sum | head -1
+
+      - name: Ensure ig is installed
+        run: |
+          curl -L https://github.com/inspektor-gadget/inspektor-gadget/releases/download/v0.45.0/ig_0.45.0_amd64.deb -O
+          sudo dpkg -i ig_0.45.0_amd64.deb
+
+      - name: Build gadgets
+        run: make gadgets
+
+      - name: Set up QEMU
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.PLATFORMS }}
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: build/Dockerfile
+          tags: ghcr.io/${{ github.repository_owner }}/node-agent:${{ steps.params.outputs.image_tag }}
+          build-args: image_version=${{ steps.params.outputs.image_tag }}
+          platforms: ${{ (github.event_name == 'workflow_dispatch' && inputs.PLATFORMS) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+          push: true
diff --git a/.github/workflows/bypass.yaml b/.github/workflows/bypass.yaml
@@ -20,7 +20,7 @@ jobs:
     needs: reset-run-number
     uses: ./.github/workflows/incluster-comp-pr-merged.yaml
     with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/node-agent
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/node-agent
       IMAGE_TAG: v0.2.${{ needs.reset-run-number.outputs.run-number }}
       COMPONENT_NAME: nodeAgent
       CGO_ENABLED: 0

diff --git a/.github/workflows/component-tests.yaml b/.github/workflows/component-tests.yaml
@@ -2,23 +2,37 @@ name: Node Agent Component Tests
 on:
   pull_request:
     types: [synchronize, ready_for_review, opened, reopened]
+  workflow_dispatch:
+    inputs:
+      build_image:
+        description: 'Build and push a new container image for the test'
+        type: boolean
+        required: false
+        default: false
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   build-and-push-image:
+    # Only run this job if it's a manual trigger with the box checked.
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.build_image == true
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Login to Quay.io
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: quay.io/kubescape
-          username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Install IG
         run: |
           sudo apt-get update
@@ -33,9 +47,9 @@ jobs:
         run: |
           COMMIT_HASH=$(git rev-parse --short HEAD)
           export IMAGE_TAG=test-${COMMIT_HASH}
-          export IMAGE_REPO=quay.io/kubescape/node-agent
+          export IMAGE_REPO=ghcr.io/${{ github.repository_owner }}/node-agent
           echo "image_repo=${IMAGE_REPO}" >> "$GITHUB_OUTPUT"
-          export IMAGE_NAME=quay.io/kubescape/node-agent:${IMAGE_TAG}
+          export IMAGE_NAME=ghcr.io/${{ github.repository_owner }}/node-agent:${IMAGE_TAG}
           echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
           make docker-build TAG=${IMAGE_TAG} IMAGE=${IMAGE_REPO} && make docker-push TAG=${IMAGE_TAG} IMAGE=${IMAGE_REPO}
     outputs:
@@ -44,7 +58,6 @@ jobs:
 
   component-tests:
     runs-on: ubuntu-latest
-    needs: build-and-push-image
     continue-on-error: true
     strategy:
       matrix:
@@ -72,6 +85,7 @@ jobs:
           Test_22_AlertOnPartialNetworkProfileTest,
           Test_23_RuleCooldownTest,
           Test_24_ProcessTreeDepthTest
+          Test_27_RegexFileOpenMatchTest
-          Test_23_RuleCooldownTest,
-          Test_24_ProcessTreeDepthTest
-          Test_27_RegexFileOpenMatchTest
+          Test_23_RuleCooldownTest,
+          Test_24_ProcessTreeDepthTest,
+          Test_27_RegexFileOpenMatchTest
-          Test_23_RuleCooldownTest,
-          Test_24_ProcessTreeDepthTest
-          Test_27_RegexFileOpenMatchTest
+          Test_23_RuleCooldownTest,
+          Test_24_ProcessTreeDepthTest,
+          Test_27_RegexFileOpenMatchTest
         ]
     steps:
       - name: Checkout code
@@ -101,7 +115,11 @@ jobs:
         run: |
           STORAGE_TAG=$(./tests/scripts/storage-tag.sh)
           echo "Storage tag that will be used: ${STORAGE_TAG}"
-          helm upgrade --install kubescape ./tests/chart --set clusterName=`kubectl config current-context` --set nodeAgent.image.tag=${{ needs.build-and-push-image.outputs.image_tag }} --set nodeAgent.image.repository=${{ needs.build-and-push-image.outputs.image_repo }} --set storage.image.tag=${STORAGE_TAG} -n kubescape --create-namespace --wait --timeout 5m --debug
+          IMAGE_TAG="latest"
+          IMAGE_REPO='ghcr.io/k8sstormcenter/node-agent'
+          echo "Using Node Agent image: ${IMAGE_REPO}:${IMAGE_TAG}"
+          # End of constanze modification
+          helm upgrade --install kubescape ./tests/chart --set clusterName=`kubectl config current-context` --set nodeAgent.image.tag=${IMAGE_TAG} --set nodeAgent.image.repository=${IMAGE_REPO} --set storage.image.tag=${STORAGE_TAG} -n kubescape --create-namespace --wait --timeout 5m --debug
           # Check that the node-agent pod is running
           kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=node-agent -n kubescape --timeout=300s
           sleep 5

diff --git a/.github/workflows/incluster-comp-pr-merged.yaml b/.github/workflows/incluster-comp-pr-merged.yaml
@@ -109,12 +109,12 @@ jobs:
         id: unit-test
         run: go test -exec sudo -v ./...
 
-      - name: Login to Quay
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: quay.io
-          username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v6
@@ -349,12 +349,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Quay
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: quay.io
-          username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker retag
         run: |

diff --git a/.github/workflows/pr-created.yaml b/.github/workflows/pr-created.yaml
@@ -13,6 +13,10 @@ concurrency:
 
 jobs:
   pr-created:
+    permissions:
+      pull-requests: write
+      security-events: write
+      contents: read
     uses: ./.github/workflows/incluster-comp-pr-created.yaml
     with:
       GO_VERSION: "1.25"

diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml
@@ -35,7 +35,7 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/incluster-comp-pr-merged.yaml
     with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/node-agent
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/node-agent
       IMAGE_TAG: v0.3.${{ needs.reset-run-number.outputs.run-number }}
       COMPONENT_NAME: nodeAgent
       CGO_ENABLED: 0

diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ BINARY_NAME=node-agent
 IMAGE?=quay.io/kubescape/$(BINARY_NAME)
 GADGETS=advise_seccomp trace_capabilities trace_dns trace_exec trace_open
 VERSION=v0.48.1
-KUBESCAPE_GADGETS=bpf exit fork hardlink http iouring_new iouring_old kmod network ptrace randomx ssh symlink unshare
+KUBESCAPE_GADGETS=bpf exit fork hardlink http iouring_new iouring_old kmod kubelet_tls network ptrace randomx ssh symlink unshare
 TAG?=test
 # TAG?=v0.0.1
 
@@ -20,6 +20,23 @@ docker-build: gadgets
 docker-push: docker-build
 	docker push $(IMAGE):$(TAG)
 
+STORAGE_LOCAL_PATH ?= ../storage
+
+.PHONY: local
+local:
+	go mod edit -replace "github.com/kubescape/storage=$(STORAGE_LOCAL_PATH)"
+	GONOSUMDB=github.com/matthyx/* GONOSUMCHECK=github.com/matthyx/* go mod tidy
+
+.PHONY: unlocal
+unlocal:
+	go mod edit -dropreplace "github.com/kubescape/storage"
+	GONOSUMDB=github.com/matthyx/* GONOSUMCHECK=github.com/matthyx/* GOFLAGS=-mod=mod go mod tidy
+
+.PHONY: test
+test: local
+	go test ./pkg/rulemanager/cel/libraries/applicationprofile/... -v -count=1
+	@$(MAKE) unlocal
+
 gadgets:
 	$(foreach img,$(KUBESCAPE_GADGETS),$(MAKE) -C ./pkg/ebpf/gadgets/$(img) build IMAGE=$(img) TAG=latest;)
 	$(foreach img,$(GADGETS),sudo ig image pull ghcr.io/inspektor-gadget/gadget/$(img):$(VERSION);)

diff --git a/go.mod b/go.mod
@@ -459,3 +459,5 @@ require (
 )
 
 replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20260203101533-6ef87216d3dd
+
+replace github.com/kubescape/storage => ../storage
Original file line number	Diff line number	Diff line change
Expand Up		@@ -459,3 +459,5 @@ require (
		)

		replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20260203101533-6ef87216d3dd

		replace github.com/kubescape/storage => ../storage
Copy link coderabbitai bot Feb 20, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. ⚠️ Potential issue \| 🟠 Major Remove the local `replace` directive before merging to `main`. `replace github.com/kubescape/storage => ../storage` is a filesystem-relative path that will cause build failures on any machine (including CI runners in `incluster-comp-pr-merged.yaml`) where `../storage` does not exist. The unit-test step (`go test -exec sudo -v ./...`) has no checkout of the sibling `storage` directory, so the job will fail. Either: Publish the new `kubescape/storage` version containing `CompareExecArgs` and bump the version in `go.mod`, or Keep this replace only in a local `.gitconfig`-excluded file / developer `.gitlocal` overlay rather than committing it. 🤖 Prompt for AI Agents Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 463, Remove the local filesystem replace directive `replace github.com/kubescape/storage => ../storage` from go.mod before merging: either publish the updated github.com/kubescape/storage module (including CompareExecArgs) and update the version in go.mod to that new release, or keep the replace only in a developer-local overlay (e.g., untracked local config) so it is not committed; ensure the committed go.mod references a resolvable module version instead of a relative path.