xfhg
diff --git a/‎.github/workflows/package.yml
+43-19 b/‎.github/workflows/package.yml
+43-19
diff --git a/‎.github/workflows/release.yml
+20-8 b/‎.github/workflows/release.yml
+20-8
diff --git a/‎Makefile
+45-31 b/‎Makefile
+45-31
diff --git a/‎cmd/api.go
+51-10 b/‎cmd/api.go
+51-10
@@ -18,17 +18,26 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Fetch all history for all tags and branches
 
     - name: Setup Go
       uses: actions/setup-go@v4
       with:
         go-version-file: go.mod
 
-    - name: Fetch Tags
+    - name: Get latest tag
       run: |
-        git fetch --tags -f
-        TAG=$(git describe --tags --always)
-        VERSION=${TAG#v}
+        # Try to get tag for the current commit
+        CURRENT_TAG=$(git describe --exact-match --tags HEAD 2>/dev/null || echo "")
+        
+        # If no tag for current commit, get the most recent tag
+        if [ -z "$CURRENT_TAG" ]; then
+          CURRENT_TAG=$(git describe --tags --abbrev=0)
+        fi
+        
+        # Remove 'v' prefix if present
+        VERSION=${CURRENT_TAG#v}
         echo "VERSION=$VERSION" >> $GITHUB_ENV
 
     - name: Get dependencies
@@ -39,11 +48,10 @@ jobs:
             dep ensure
         fi
 
-    - name: Update
-      run: sudo apt-get update -y
-
-    - name: Make all release artifacts
-      run: make build-all
+    - name: Build binaries
+      run: |
+        make build-linux/amd64
+        make build-linux/arm64
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
@@ -66,19 +74,35 @@ jobs:
 
     - name: Build and push Docker images
       run: |
-        PLATFORMS=(linux/amd64 linux/arm linux/arm64)
+        PLATFORMS=(linux/amd64 linux/arm64)
         for platform in "${PLATFORMS[@]}"; do
+          make docker-build-$platform
+          
           os=$(echo $platform | cut -d'/' -f1)
           arch=$(echo $platform | cut -d'/' -f2)
           
-          docker buildx build --platform $platform \
-            --build-arg BINARY=release/intercept-$os-$arch \
-            -t xfhg/intercept:${{ env.VERSION }}-$os-$arch \
-            -t xfhg/intercept:latest-$os-$arch \
-            -t ghcr.io/${{ github.repository }}:${{ env.VERSION }}-$os-$arch \
-            -t ghcr.io/${{ github.repository }}:latest-$os-$arch \
-            --push \
-            .
+          docker tag test/intercept:$os-$arch xfhg/intercept:${{ env.VERSION }}-$os-$arch
+          docker tag test/intercept:$os-$arch xfhg/intercept:latest-$os-$arch
+          docker tag test/intercept:$os-$arch ghcr.io/${{ github.repository }}:${{ env.VERSION }}-$os-$arch
+          docker tag test/intercept:$os-$arch ghcr.io/${{ github.repository }}:latest-$os-$arch
+          
+          docker push xfhg/intercept:${{ env.VERSION }}-$os-$arch
+          docker push xfhg/intercept:latest-$os-$arch
+          docker push ghcr.io/${{ github.repository }}:${{ env.VERSION }}-$os-$arch
+          docker push ghcr.io/${{ github.repository }}:latest-$os-$arch
         done
 
-    
+    - name: Create multi-arch manifests
+      run: |
+        # Create and push multi-arch manifest for DockerHub
+        docker manifest create xfhg/intercept:latest \
+          xfhg/intercept:latest-linux-amd64 \
+          xfhg/intercept:latest-linux-arm64
+        docker manifest push xfhg/intercept:latest
+
+        # Create and push multi-arch manifest for GitHub Container Registry
+        docker manifest create ghcr.io/${{ github.repository }}:latest \
+          ghcr.io/${{ github.repository }}:latest-linux-amd64 \
+          ghcr.io/${{ github.repository }}:latest-linux-arm64
+        docker manifest push ghcr.io/${{ github.repository }}:latest
+
@@ -19,11 +19,26 @@ jobs:
 
       - name: Check out code 
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for all tags and branches
 
       - uses: actions/setup-go@v4
         with: 
           go-version-file: go.mod
 
+      - name: Get latest tag
+        id: get_latest_tag
+        run: |
+          # Try to get tag for the current commit
+          CURRENT_TAG=$(git describe --exact-match --tags HEAD 2>/dev/null || echo "")
+          
+          # If no tag for current commit, get the most recent tag
+          if [ -z "$CURRENT_TAG" ]; then
+            CURRENT_TAG=$(git describe --tags --abbrev=0)
+          fi
+          
+          echo "LATEST_TAG=${CURRENT_TAG}" >> $GITHUB_OUTPUT
+
       - name: Fetch Tags
         run: |
           git fetch --tags -f
@@ -40,19 +55,16 @@ jobs:
       - name: Make all release artifacts
         run: make build-all
 
-      - name: Get the version
-        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
-
       - name: Upload All artifacts
         uses: meeDamian/[email protected]
         with:
+          tag: ${{ steps.get_latest_tag.outputs.LATEST_TAG }}
           allow_override: "true"
           draft: "true"
           token: ${{ secrets.GITHUB_TOKEN }}
-          name: ${{ steps.get_version.outputs.VERSION }}
+          name: ${{ steps.get_latest_tag.outputs.LATEST_TAG }}
           body: >
-            Release ${{ steps.get_version.outputs.VERSION }}
+            Release ${{ steps.get_latest_tag.outputs.LATEST_TAG }}
           gzip: "true"
           files: >
             release/intercept-darwin-amd64
@@ -61,8 +73,8 @@ jobs:
             release/intercept-darwin-arm64.sha256
             release/intercept-linux-amd64
             release/intercept-linux-amd64.sha256
-            release/intercept-linux-arm
-            release/intercept-linux-arm.sha256
+            release/intercept-linux-arm-v7
+            release/intercept-linux-arm-v7.sha256
             release/intercept-linux-arm64
             release/intercept-linux-arm64.sha256
             release/intercept-windows-amd64.exe
 
@@ -5,25 +5,26 @@ BINARY_NAME=intercept
 GIT_TAG := $(shell git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.X")
 GIT_COMMIT := $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
 
-
-
 # Go parameters
 GOCMD=go
 GOBUILD=$(GOCMD) build
 GOCLEAN=$(GOCMD) clean
 GOTEST=$(GOCMD) test
 
 # Build flags
-# LDFLAGS=-ldflags="-s -w"
-# BUILD_FLAGS=-mod=readonly $(LDFLAGS)
-
-BUILD_FLAGS=-mod=readonly -ldflags="-s -w -X intercept/cmd.buildVersion=$(GIT_TAG)-$(GIT_COMMIT)" 
+BUILD_FLAGS=-mod=readonly -ldflags="-s -w -X intercept/cmd.buildVersion=$(GIT_TAG)-$(GIT_COMMIT)"
 
 # All compilation platforms
-ALL_PLATFORMS=darwin/amd64 darwin/arm64 linux/amd64 linux/arm linux/arm64 windows/amd64
+PLATFORMS := \
+    darwin/amd64 \
+    darwin/arm64 \
+    windows/amd64 \
+    linux/amd64 \
+    linux/arm64 \
+    linux/arm/v7
 
 # Docker build platforms
-DOCKER_PLATFORMS=linux/amd64 linux/arm linux/arm64
+DOCKER_PLATFORMS := linux/amd64 linux/arm64 
 
 # Docker image name
 DOCKER_IMAGE=test/intercept
@@ -34,7 +35,7 @@ all: clean build-all
 # Clean
 clean:
 	$(GOCLEAN)
-	rm -f release/$(BINARY_NAME)*
+	rm -rf release/$(BINARY_NAME)*
 
 # Run tests
 test:
@@ -46,46 +47,59 @@ build: clean
 
 # Compress binary using UPX
 compress-binary:
-	- docker run --rm -w $(shell pwd) -v $(shell pwd):$(shell pwd) xfhg/upx:latest -9 release/$(BINARY_NAME)
+	- docker run --rm -v $(shell pwd):/workspace -w /workspace docker.io/xfhg/upx:latest -9 release/$(BINARY_NAME)
 
-#Checksums
+# Checksums
 sha256sums:
-	@for file in release/*; do \
+	@for file in release/$(BINARY_NAME)*; do \
 		echo "Generating SHA256 for $$file"; \
 		sha256sum "$$file" > "$$file.sha256"; \
 	done
 
 # Build for all platforms
-build-all: clean $(ALL_PLATFORMS) sha256sums
+build-all: clean $(PLATFORMS) sha256sums
 
 define BUILD_PLATFORM
-build-$(1)-$(2):
-	CGO_ENABLED=0 GOOS=$(1) GOARCH=$(2) $(GOBUILD) $(BUILD_FLAGS) -o release/$(BINARY_NAME)-$(1)-$(2)$(if $(filter windows,$(1)),.exe,) .
-	$(MAKE) compress-binary BINARY_NAME=$(BINARY_NAME)-$(1)-$(2)$(if $(filter windows,$(1)),.exe,)
-
-.PHONY: build-$(1)-$(2)
+build-$(1):
+	@echo "Building for platform $(1)"
+	$(eval GOOS := $(word 1, $(subst /, ,$(1))))
+	$(eval GOARCH := $(word 2, $(subst /, ,$(1))))
+	$(eval GOARM := $(word 3, $(subst /, ,$(1))))
+	$(eval BIN_SUFFIX := $(if $(GOARM),-$(GOARM),))
+	$(eval OUTPUT_NAME := $(BINARY_NAME)-$(GOOS)-$(GOARCH)$(BIN_SUFFIX)$(if $(filter windows,$(GOOS)),.exe,))
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) $(if $(GOARM),GOARM=$(GOARM),) \
+		$(GOBUILD) $(BUILD_FLAGS) -o release/$(OUTPUT_NAME) .
+	$(MAKE) compress-binary BINARY_NAME=$(OUTPUT_NAME)
+.PHONY: build-$(1)
 endef
 
-$(foreach platform,$(ALL_PLATFORMS),$(eval $(call BUILD_PLATFORM,$(word 1,$(subst /, ,$(platform))),$(word 2,$(subst /, ,$(platform))))))
+$(foreach platform,$(PLATFORMS),$(eval $(call BUILD_PLATFORM,$(platform))))
 
-$(ALL_PLATFORMS): 
-	$(MAKE) build-$(word 1,$(subst /, ,$@))-$(word 2,$(subst /, ,$@))
+$(PLATFORMS):
+	$(MAKE) build-$@
 
 # Docker build commands for specific platforms
 define DOCKER_BUILD_PLATFORM
-docker-build-$(1)-$(2): build-$(1)-$(2)
-	docker buildx build --platform $(1)/$(2) \
-		--build-arg BINARY=release/$(BINARY_NAME)-$(1)-$(2) \
-		-t $(DOCKER_IMAGE):$(1)-$(2) \
+docker-build-$(1):
+	$(eval GOOS := $(word 1, $(subst /, ,$(1))))
+	$(eval GOARCH := $(word 2, $(subst /, ,$(1))))
+	$(eval GOARM := $(word 3, $(subst /, ,$(1))))
+	$(eval BIN_SUFFIX := $(if $(GOARM),-v$(GOARM),))
+	$(eval OUTPUT_NAME := $(BINARY_NAME)-$(GOOS)-$(GOARCH)$(BIN_SUFFIX)$(if $(filter windows,$(GOOS)),.exe,))
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) $(if $(GOARM),GOARM=$(GOARM),) \
+		$(GOBUILD) $(BUILD_FLAGS) -tags container -o release/$(OUTPUT_NAME) .
+	$(MAKE) compress-binary BINARY_NAME=$(OUTPUT_NAME)
+	docker buildx build --platform $(GOOS)/$(GOARCH)$(if $(GOARM),/v$(GOARM),) \
+		--build-arg BINARY=release/$(OUTPUT_NAME) \
+		-t $(DOCKER_IMAGE):$(GOOS)-$(GOARCH)$(BIN_SUFFIX) \
 		--load \
 		.
-
-.PHONY: docker-build-$(1)-$(2)
+.PHONY: docker-build-$(1)
 endef
 
-$(foreach platform,$(DOCKER_PLATFORMS),$(eval $(call DOCKER_BUILD_PLATFORM,$(word 1,$(subst /, ,$(platform))),$(word 2,$(subst /, ,$(platform))))))
+$(foreach platform,$(DOCKER_PLATFORMS),$(eval $(call DOCKER_BUILD_PLATFORM,$(platform))))
 
-# Build Docker images for all specified Linux platforms
-docker-build-all: $(foreach platform,$(DOCKER_PLATFORMS),docker-build-$(word 1,$(subst /, ,$(platform)))-$(word 2,$(subst /, ,$(platform))))
+# Build Docker images for all specified platforms
+docker-build-all: $(foreach platform,$(DOCKER_PLATFORMS),docker-build-$(platform))
 
-.PHONY: all clean build build-all test docker-build-all compress-binary $(ALL_PLATFORMS) sha256sums
+.PHONY: all clean build build-all compress-binary docker-build-all $(PLATFORMS) sha256sums
@@ -21,12 +21,12 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 	req := client.R()
 
 	req.SetHeader("Content-Type", policy.API.ResponseType)
-	req.SetHeader("User-Agent", "Intercept/v1.0.0")
+	req.SetHeader("User-Agent", "INTERCEPT/v1.0.X")
 
 	// Apply authentication
 	if err := applyAuth(req, policy.API.Auth); err != nil {
 		log.Error().Err(err).Msg("error applying authentication")
-		return fmt.Errorf("error applying authentication: %w", err)
+		return handlePolicyError(policy, fmt.Errorf("error applying authentication: %w", err))
 	}
 
 	// Set request body if method is POST
@@ -38,7 +38,8 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 	resp, err := req.Execute(policy.API.Method, policy.API.Endpoint)
 	if err != nil {
 		log.Error().Err(err).Msg("error making API request")
-		return fmt.Errorf("error making API request: %w", err)
+		return handlePolicyError(policy, fmt.Errorf("error making API request: %w", err))
+
 	}
 
 	// check for accepted policy.API.ResponseType and map to schema type is defined , or use regex
@@ -50,7 +51,7 @@ func ProcessAPIType(policy Policy, rgPath string) error {
 		return processWithRegex(policy, resp.Body(), rgPath)
 	}
 
-	return fmt.Errorf("no processing method specified for policy %s", policy.ID)
+	return handlePolicyError(policy, fmt.Errorf("no processing method specified for policy %s", policy.ID))
 }
 
 func applyAuth(req *resty.Request, auth map[string]string) error {
@@ -67,9 +68,12 @@ func applyAuth(req *resty.Request, auth map[string]string) error {
 	case "bearer":
 		token := os.Getenv(auth["token_env"])
 		req.SetHeader("Authorization", "Bearer "+token)
-	case "api_key":
+	case "header":
 		key := os.Getenv(auth["key_env"])
 		req.SetHeader(auth["header"], key)
+	case "authorization":
+		key := fmt.Sprintf("%s %s", auth["prefix"], os.Getenv(auth["key_env"]))
+		req.SetHeader("Authorization", key)
 	default:
 		return fmt.Errorf("unsupported authentication type: %s", authType)
 	}
@@ -78,7 +82,7 @@ func applyAuth(req *resty.Request, auth map[string]string) error {
 }
 
 func processWithCUE(policy Policy, data []byte) error {
-	valid, issues := validateContentAndCUE(data, policy.Schema.Structure, "json", policy.Schema.Strict)
+	valid, issues := validateContentAndCUE(data, policy.Schema.Structure, "json", policy.Schema.Strict, policy.ID)
 
 	// Generate SARIF report
 	sarifReport, err := GenerateAPISARIFReport(policy, policy.API.Endpoint, valid, issues)
@@ -152,12 +156,25 @@ func processWithRegex(policy Policy, data []byte, rgPath string) error {
 	}
 
 	// Write SARIF report
-	err = writeSARIFReport(policy.ID, sarifReport)
-	if err != nil {
-		log.Error().Err(err).Msg("error writing SARIF report for policy %s")
-		return fmt.Errorf("error writing SARIF report for policy %s: %w", policy.ID, err)
+	var sarifOutputFile string
+
+	if policy.RunID != "" {
+		if err := writeSARIFReport(policy.RunID, sarifReport); err != nil {
+			log.Error().Err(err).Msg("error writing SARIF report")
+			return fmt.Errorf("error writing SARIF report: %w", err)
+		}
+		sarifOutputFile = fmt.Sprintf("%s.sarif", policy.RunID)
+	} else {
+		if err := writeSARIFReport(policy.ID, sarifReport); err != nil {
+			log.Error().Err(err).Msg("error writing SARIF report")
+			return fmt.Errorf("error writing SARIF report: %w", err)
+		}
+		sarifOutputFile = fmt.Sprintf("%s.sarif", NormalizeFilename(policy.ID))
+
 	}
 
+	log.Debug().Msgf("Policy %s processed. SARIF report written to: %s ", policy.ID, sarifOutputFile)
+
 	if matchesFound {
 		log.Debug().Msgf("Policy %s assurance passed for API response (pattern found) ", policy.ID)
 	} else {
@@ -207,3 +224,27 @@ func executeAssureForAPI(policy Policy, rgPath, filePath string) (bool, error) {
 
 	return matchesFound, nil
 }
+
+func handlePolicyError(policy Policy, err error) error {
+	issues := []string{err.Error()}
+	sarifReport, sarifErr := GenerateAPISARIFReport(policy, policy.API.Endpoint, false, issues)
+	if sarifErr != nil {
+		log.Error().Err(sarifErr).Msg("error generating SARIF report for policy error")
+		return fmt.Errorf("error generating SARIF report for policy error: %w", sarifErr)
+	}
+
+	var sarifOutputFile string
+	if policy.RunID != "" {
+		sarifOutputFile = fmt.Sprintf("%s.sarif", policy.RunID)
+	} else {
+		sarifOutputFile = fmt.Sprintf("%s.sarif", NormalizeFilename(policy.ID))
+	}
+
+	if writeErr := writeSARIFReport(sarifOutputFile, sarifReport); writeErr != nil {
+		log.Error().Err(writeErr).Msg("error writing SARIF report for policy error")
+		return fmt.Errorf("error writing SARIF report for policy error: %w", writeErr)
+	}
+
+	log.Debug().Msgf("Policy %s failed. SARIF report written to: %s", policy.ID, sarifOutputFile)
+	return err
+}