kubescape · esafak · Dec 18, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM quay.io/kubescape/kubescape-cli:v3.0.21
+ARG KUBESCAPE_VERSION=v3.0.21
+FROM quay.io/kubescape/kubescape-cli:${KUBESCAPE_VERSION}
 
 # Kubescape uses root privileges for writing the results to a file
 USER root

diff --git a/action.yml b/action.yml
@@ -94,6 +94,12 @@ inputs:
       use these fixes to open Pull Requests from your CI/CD pipeline.
     required: false
     default: "false"
+  version:
+    description: |
+      The version of Kubescape to use.
+
+      Can be a specific version (e.g. "v3.0.21") or "latest".
+    required: true
   image:
     description: |
       An image to scan.
@@ -111,7 +117,44 @@ inputs:
       A password for a private registry that contains the image to be scanned.
     required: false
 runs:
-  using: docker
-  image: Dockerfile
-  # image: docker://quay.io/kubescape/github-actions
-
+  using: 'composite'
+  steps:
+    - id: resolve_version
+      shell: bash
+      run: |
+        VERSION="${{ inputs.version }}"
+        if [ "$VERSION" = "latest" ]; then
+          VERSION=$(curl -s -H "Authorization: Bearer ${{ github.token }}" https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
+        fi
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
+    - name: Build Kubescape container
+      shell: bash
+      run: |
+        docker build -t kubescape-action:${{ steps.resolve_version.outputs.version }} \
+          --build-arg KUBESCAPE_VERSION=${{ steps.resolve_version.outputs.version }} \
+          ${{ github.action_path }}
+    - name: Run Kubescape scan
+      shell: bash
+      run: |
+        docker run --rm \
+          -v ${{ github.workspace }}:/scan \
+          -w /scan \
+          -e INPUT_FAILEDTHRESHOLD="${{ inputs.failedThreshold }}" \
+          -e INPUT_COMPLIANCETHRESHOLD="${{ inputs.complianceThreshold }}" \
+          -e INPUT_SEVERITYTHRESHOLD="${{ inputs.severityThreshold }}" \
+          -e INPUT_FILES="${{ inputs.files }}" \
+          -e INPUT_OUTPUTFILE="${{ inputs.outputFile }}" \
+          -e INPUT_VERBOSE="${{ inputs.verbose }}" \
+          -e INPUT_FRAMEWORKS="${{ inputs.frameworks }}" \
+          -e INPUT_CONTROLS="${{ inputs.controls }}" \
+          -e INPUT_CONTROLSCONFIG="${{ inputs.controlsConfig }}" \
+          -e INPUT_ACCOUNT="${{ inputs.account }}" \
+          -e INPUT_ACCESSKEY="${{ inputs.accessKey }}" \
+          -e INPUT_SERVER="${{ inputs.server }}" \
+          -e INPUT_EXCEPTIONS="${{ inputs.exceptions }}" \
+          -e INPUT_FORMAT="${{ inputs.format }}" \
+          -e INPUT_FIXFILES="${{ inputs.fixFiles }}" \
+          -e INPUT_IMAGE="${{ inputs.image }}" \
+          -e INPUT_REGISTRYUSERNAME="${{ inputs.registryUsername }}" \
+          -e INPUT_REGISTRYPASSWORD="${{ inputs.registryPassword }}" \
+          kubescape-action:${{ steps.resolve_version.outputs.version }}
diff --git a/update.sh b/update.sh
@@ -1,12 +1,23 @@
-git clone https://github.com/kubescape/kubescape.git --no-checkout
-cd kubescape
-export LATEST=$(git for-each-ref --format="%(refname:short)" --sort=-authordate --count=1 refs/tags)
-cd ..
-rm -rf kubescape
-export CURRENT=$(cat Dockerfile | head -n1 | cut -d':' -f2)
-if [ "$LATEST" != "$CURRENT" ]; then
-    echo "New version available: $LATEST"
-    sed -i "1 s/:${CURRENT}/:${LATEST}/" Dockerfile
+#!/bin/sh
+
+set -e
+
+echo "Fetching the latest version of Kubescape..."
+# Use GITHUB_TOKEN if available for authenticated requests
+if [ -n "$GITHUB_TOKEN" ]; then
+    latest_version=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/kubescape/kubescape/releases/latest" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
 else
-    echo "No new version available"
+    latest_version=$(curl -s "https://api.github.com/repos/kubescape/kubescape/releases/latest" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
 fi
+
+if [ -z "${latest_version}" ]; then
+    echo "Failed to fetch the latest version."
+    exit 1
+fi
+
+echo "Latest version is: ${latest_version}"
+
+echo "Updating Dockerfile..."
+sed -i "s/^\(ARG KUBESCAPE_VERSION=\).*/\1${latest_version}/" Dockerfile
+
+echo "Dockerfile has been updated."