kubescape · entlein · May 15, 2026 · May 16, 2026 · May 16, 2026 · May 16, 2026
diff --git a/cmd/main.go b/cmd/main.go
@@ -228,7 +228,7 @@ func main() {
 		ruleBindingCache = rulebindingcachev1.NewCache(cfg, k8sClient, ruleCreator)
 		rulesWatcher := ruleswatcher.NewRulesWatcher(k8sClient, ruleCreator, func() {
 			ruleBindingCache.RefreshRuleBindingsRules()
-		})
+		}, &cfg)
 		dWatcher.AddAdaptor(rulesWatcher)
 	}
 
@@ -297,6 +297,15 @@ func main() {
 		ruleBindingCache.AddNotifier(&ruleBindingNotify)
 
 		cpc := containerprofilecache.NewContainerProfileCache(cfg, storageClient, k8sObjectCache, prometheusExporter)
+		// Wire the rule-alert exporter into the tamper-detection path so R1016
+		// ('Signed profile tampered') alerts actually reach alertmanager when
+		// a user-defined ApplicationProfile or NetworkNeighborhood fails its
+		// signature check. Without this call, tamper detection logs the
+		// failure but no alert is emitted — Test_31_TamperDetectionAlert
+		// catches the gap. (Lost during the merge/upstream-profile-rearch
+		// rebase; pkg/objectcache/containerprofilecache/tamper_alert.go has
+		// the receiver method.)
+		cpc.SetTamperAlertExporter(exporter)
 		cpc.Start(ctx)
 		logger.L().Info("ContainerProfileCache active; legacy AP/NN caches removed")
 
@@ -395,9 +404,13 @@ func main() {
 	if apiURL == "" {
 		apiURL = "api.armosec.io"
 	}
-	if services, svcErr := config.LoadServiceURLs(apiURL); svcErr == nil && services.GetReportReceiverHttpUrl() != "" {
-		failureReporter = sbommanagerv1.NewHTTPSbomFailureReporter(services.GetReportReceiverHttpUrl(), accessKey, clusterData.AccountID, clusterData.ClusterName)
-		logger.L().Info("scan failure reporting enabled", helpers.String("eventReceiverURL", services.GetReportReceiverHttpUrl()))
+	if services, svcErr := config.LoadServiceURLs(apiURL); svcErr != nil {
+		logger.L().Ctx(ctx).Warning("scan failure reporting disabled: LoadServiceURLs failed", helpers.String("apiURL", apiURL), helpers.Error(svcErr))
+	} else if url := services.GetReportReceiverHttpUrl(); url == "" {
+		logger.L().Ctx(ctx).Warning("scan failure reporting disabled: empty report receiver URL", helpers.String("apiURL", apiURL))
+	} else {
+		failureReporter = sbommanagerv1.NewHTTPSbomFailureReporter(url, accessKey, clusterData.AccountID, clusterData.ClusterName)
+		logger.L().Info("scan failure reporting enabled", helpers.String("eventReceiverURL", url))
 	}
 
 	// Create the SBOM manager

diff --git a/cmd/sign-object/Dockerfile b/cmd/sign-object/Dockerfile
@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM golang:1.25-trixie AS builder
+
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /src
+ARG TARGETOS TARGETARCH
+
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    go mod download
+
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /sign-object ./cmd/sign-object
+
+FROM gcr.io/distroless/static-debian13:latest
+COPY --from=builder /sign-object /usr/local/bin/sign-object
+WORKDIR /work
+ENTRYPOINT ["sign-object"]