diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..0f379ae0b
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,73 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # write is needed for:
+ # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+ # - Read vault secrets in rancher-eio/read-vault-secrets.
+ id-token: write
+
+ strategy:
+ matrix:
+ include:
+ - target: controller
+ rancher_target: neuvector-controller
+ make-target: push-controller-image
+ platforms: linux/amd64,linux/arm64
+ - target: enforcer
+ rancher_target: neuvector-enforcer
+ make-target: push-enforcer-image
+ platforms: linux/amd64,linux/arm64
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Load Secrets from Vault
+ uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: |
+ secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+
+ - name: Get controller
+ env:
+ GH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+ run: |
+ gh release download ${{ github.ref_name }} -D controller/ -p controller-amd64 -R neuvector/neuvector-private
+ gh release download ${{ github.ref_name }} -D controller/ -p controller-arm64 -R neuvector/neuvector-private
+ gh release download ${{ github.ref_name }} -D controller/ -p sha256sum-controller-amd64 -R neuvector/neuvector-private
+ gh release download ${{ github.ref_name }} -D controller/ -p sha256sum-controller-arm64 -R neuvector/neuvector-private
+ cd controller
+ cat sha256sum-controller-amd64 | sha256sum --check
+ cat sha256sum-controller-arm64 | sha256sum --check
+
+ - name: Publish manifest
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: ${{ matrix.rancher_target }}
+ tag: ${{ github.ref_name }}
+ platforms: ${{ matrix.platforms }}
+ make-target: ${{ matrix.make-target }}
+
+ public-registry: docker.io
+ public-repo: neuvector
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-repo: rancher
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
diff --git a/Makefile b/Makefile
index 8b6c96a47..9f57f081b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+# Legacy Makefile. Keep for backward compatibility
 .PHONY: fleet
 STAGE_DIR = stage
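Review bot: In release.yml, the two actions that receive the Vault-sourced registry credentials are pinned to moving branches, `uses: rancher-eio/read-vault-secrets@main` and `uses: rancher/ecm-distro-tools/actions/publish-image@master`, so whatever those branches resolve to at release time runs with the DockerHub and prime-registry passwords and the job's `id-token: write`; pin each to a full commit SHA (with the intended tag in a trailing comment) so the reference cannot change underneath a release. The `sha256sum --check` lines in the "Get controller" step compare the binaries against checksum files fetched from the same release of neuvector/neuvector-private, so they catch a corrupted download but not a replaced release asset; a comment stating that limitation would stop readers from treating the step as a provenance check. The "Get controller" step also runs unconditionally for the enforcer matrix entry, which never consumes the downloaded controller binaries; `if: matrix.target == 'controller'` on that step would skip it there.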
@@ -151,3 +152,87 @@ fleet:
 @echo "Making $@ ..."
 @docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
 @docker run --rm -ia STDOUT --name build -e NV_BUILD_TARGET=$(NV_BUILD_TARGET) --net=none -v $(CURDIR):/go/src/github.com/neuvector/neuvector -w /go/src/github.com/neuvector/neuvector --entrypoint ./make_fleet.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}
+
+# Newer Makefile
+
+RUNNER := docker
+IMAGE_BUILDER := $(RUNNER) buildx
+MACHINE := neuvector
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max --cache-to type=gha --cache-from type=gha
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
+
+COMMIT = $(shell git rev-parse --short HEAD)
+ifeq ($(VERSION),)
+ # Define VERSION, which is used for image tags or to bake it into the
+ # compiled binary to enable the printing of the application version,
+ # via the --version flag.
+ CHANGES = $(shell git status --porcelain --untracked-files=no)
+ ifneq ($(CHANGES),)
+ DIRTY = -dirty
+ endif
+
+ COMMIT = $(shell git rev-parse --short HEAD)
+ VERSION = $(COMMIT)$(DIRTY)
+
+ GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
+
+ # Override VERSION with the Git tag if the current HEAD has a tag pointing to
+ # it AND the worktree isn't dirty.
+ ifneq ($(GIT_TAG),)
+ ifeq ($(DIRTY),)
+ VERSION = $(GIT_TAG)
+ endif
+ endif
+endif
+
+ifeq ($(TAG),)
+ TAG = $(VERSION)
+ ifneq ($(DIRTY),)
+ TAG = dev
+ endif
+endif
+
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+REPO ?= neuvector
+CONTROLLER_IMAGE = $(REPO)/controller:$(TAG)
+ENFORCER_IMAGE = $(REPO)/enforcer:$(TAG)
+BUILD_ACTION = --load
+
+buildx-machine:
+ docker buildx ls
+ @docker buildx ls | grep $(MACHINE) || \
+ docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
+
+test-controller-image:
+ # Instead of loading image, target all platforms, effectivelly testing
+ # the build for the target architectures.
+ $(MAKE) build-controller-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
+build-controller-image: buildx-machine ## build (and load) the container image targeting the current platform.
+ $(IMAGE_BUILDER) build -f package/Dockerfile.controller \
+ --builder $(MACHINE) $(IMAGE_ARGS) \
+ --build-arg VERSION=$(VERSION) -t "$(CONTROLLER_IMAGE)" $(BUILD_ACTION) .
+ @echo "Built $(CONTROLLER_IMAGE)"
+
+push-controller-image: buildx-machine
+ $(IMAGE_BUILDER) build -f package/Dockerfile.controller \
+ --builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+ --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-controller:$(TAG)" --push .
+ @echo "Pushed $(REPO)/controller:$(TAG)"
+
+test-enforcer-image:
+ # Instead of loading image, target all platforms, effectivelly testing
+ # the build for the target architectures.
+ $(MAKE) build-enforcer-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
+build-enforcer-image: buildx-machine ## build (and load) the container image targeting the current platform.
+ $(IMAGE_BUILDER) build -f package/Dockerfile.enforcer \
+ --builder $(MACHINE) $(IMAGE_ARGS) \
+ --build-arg VERSION=$(VERSION) -t "$(ENFORCER_IMAGE)" $(BUILD_ACTION) .
+ @echo "Built $(ENFORCER_IMAGE)"
+
+push-enforcer-image: buildx-machine
+ $(IMAGE_BUILDER) build -f package/Dockerfile.enforcer \
+ --builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+ --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-enforcer:$(TAG)" --push .
+ @echo "Pushed $(REPO)/enforcer:$(TAG)"
diff --git a/package/Dockerfile.controller b/package/Dockerfile.controller
new file mode 100644
index 000000000..210f563c0
--- /dev/null
+++ b/package/Dockerfile.controller
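Review bot: `DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64` in the Makefile hunk contains a typo, `x390s` for `s390x`; the value goes straight into `docker buildx create --platform=$(DEFAULT_PLATFORMS)` in `buildx-machine` the first time the `neuvector` builder does not exist, so whatever buildx does with an unknown platform string, the builder is not configured as intended. It should read `DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/s390x,linux/riscv64`. None of the new targets (`buildx-machine`, `test-*-image`, `build-*-image`, `push-*-image`) are added to `.PHONY`, so a file or directory of that name in the checkout would make them silently "up to date"; extend the existing `.PHONY: fleet` line in the first hunk. `COMMIT`, `CHANGES` and `GIT_TAG` use recursive `=` with `$(shell git ...)`, which re-runs git on every expansion, and `COMMIT` is assigned twice; `:=` and a single assignment fix both. The two push recipes echo `Pushed $(REPO)/controller:$(TAG)` and `Pushed $(REPO)/enforcer:$(TAG)` while the `-t` flag on the line above pushes `$(REPO)/neuvector-controller:$(TAG)` and `$(REPO)/neuvector-enforcer:$(TAG)`, so the log line names an image that was not pushed.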
@@ -0,0 +1,89 @@
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ARG VERSION
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+# Setup build dependencies
+RUN zypper install -y pcre-devel
+
+# Build controller
+COPY agent/ /src/agent
+COPY controller/ /src/controller
+COPY db/ /src/db
+COPY monitor/ /src/monitor
+COPY package/ /src/package
+COPY tools/ /src/tools
+COPY share/ /src/share
+COPY scripts/ /src/scripts
+COPY templates/ /src/templates
+COPY upgrader/ /src/upgrader
+COPY vendor /src/vendor
+COPY go.mod go.sum base.h defs.h genlic.sh /src/
+WORKDIR /src
+RUN sed -i -e 's/interim.*xxxx/'"${VERSION:1}"'/g' ./controller/version.go
+RUN bash package/build_controller.sh
+
+#
+# Base image
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=micro / /chroot/
+
+RUN zypper --non-interactive install --no-recommends unzip
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+ ca-certificates iproute2 ethtool lsof procps curl jq iptables grep tar awk libpcre2-posix3 && \
+ zypper --non-interactive --installroot /chroot clean -a && \
+ rm -rf /chroot/var/log/
+
+RUN touch /chroot/usr/local/bin/.nvcontainer
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+COPY package/deps /deps/
+
+ARG CONSUL_VERSION=1.20.1
+RUN curl -fL https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_${TARGETOS}_${TARGETARCH}.zip -o consul.zip \
+ && cat /deps/${TARGETOS}_${TARGETARCH}/consul.checksum | sha256sum --check --status && unzip consul.zip -d /chroot/usr/local/bin/
+
+ARG OPA_VERSION=v0.69.0
+RUN curl -fL https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_${TARGETOS}_${TARGETARCH}_static -o opa \
+ && cat /deps/${TARGETOS}_${TARGETARCH}/opa.checksum | sha256sum --check --status && chmod +x opa && mv opa /chroot/usr/local/bin
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+#
+# Artifact
+#
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+
+LABEL "name"="controller" \
+ "vendor"="SUSE Security" \
+ "neuvector.image"="neuvector/controller" \
+ "neuvector.role"="controller" \
+ "neuvector.rev"="${COMMIT}" \
+ "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+ "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/neuvector/${VERSION}/README.md" \
+ "org.opencontainers.image.description"="SUSE Security Controller" \
+ "org.opencontainers.image.title"="SUSE Security Controller" \
+ "org.opencontainers.image.source"="https://github.com/neuvector/neuvector/" \
+ "org.opencontainers.image.version"="${VERSION}" \
+ "org.opensuse.reference"="neuvector/controller:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor", "-c"]
diff --git a/package/Dockerfile.enforcer b/package/Dockerfile.enforcer
new file mode 100644
index 000000000..29707bf24
--- /dev/null
+++ b/package/Dockerfile.enforcer
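Review bot: The pruning line `RUN cd /chroot/usr/bin/ && rm -rf ... tee tiemout tload ...` in Dockerfile.controller misspells `timeout` as `tiemout`, and because `rm -rf` succeeds on a missing name, `timeout` stays in the shipped image while the list reads as if it were removed; the same misspelling appears in Dockerfile.enforcer. The consul and opa downloads are verified with `sha256sum --check --status` against `package/deps/<os>_<arch>/*.checksum`, which is the right pattern, but nothing ties those files to `CONSUL_VERSION` and `OPA_VERSION`; a comment above each `ARG`, such as `# Bumping this version requires regenerating package/deps/*/consul.checksum for every TARGETOS_TARGETARCH`, would make the coupling explicit. `RUN sed -i -e 's/interim.*xxxx/'"${VERSION:1}"'/g' ./controller/version.go` relies on the bash-only `${VERSION:1}` substring expansion, which presumably works because the BCI image's `/bin/sh` is bash, and with an empty `VERSION` build-arg the placeholder is replaced by nothing; documenting the expected `vX.Y.Z` shape next to `ARG VERSION` would help.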
@@ -0,0 +1,95 @@
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ARG VERSION
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN zypper ref && \
+ zypper install -y --no-recommends gcc13 gcc13-c++ make glibc-devel glibc-devel-static \
+ automake autoconf libtool libpcap-devel pcre-devel pcre2-devel curl wget zip git \
+ libnfnetlink-devel libnetfilter_queue-devel libmnl-devel liburcu-devel libjansson-devel \
+ jemalloc-devel && \
+ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-13 10 && \
+ update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-13 10
+
+# Install hyperscan
+RUN zypper addrepo https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/isv:SUSE:neuvector.repo && \
+ rpm --import https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/repodata/repomd.xml.key && \
+ zypper --non-interactive refresh && \
+ zypper install -y libhs5-vectorscan5 vectorscan-devel
+
+ENV GOPATH=/go
+ENV DEBIAN_FRONTEND=noninteractive
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY . /src
+WORKDIR /src
+RUN sed -i -e 's/interim.*xxxx/'"${VERSION:1}"'/g' ./agent/version.go
+RUN bash package/build_enforcer.sh
+
+#
+# Base image
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN zypper -n in --no-recommends unzip
+
+COPY --from=micro / /chroot/
+RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
+ ca-certificates iproute2 ethtool lsof procps curl jq iptables grep tar awk tcpdump sed kmod wget unzip \
+ libnetfilter_queue-devel liburcu-devel libpcap-devel pcre2-devel libjansson-devel libmnl-devel jemalloc-devel
+
+# Install yq and vectorscan
+RUN zypper addrepo https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/isv:SUSE:neuvector.repo && \
+ rpm --import https://download.opensuse.org/repositories/isv:SUSE:neuvector/15.6/repodata/repomd.xml.key && \
+ zypper -n refresh && \
+ zypper --installroot /chroot install -y yq libhs5-vectorscan5 vectorscan-devel
+
+RUN zypper --installroot /chroot clean -a && \
+ rm -rf /chroot/var/log/
+
+RUN touch /chroot/usr/local/bin/.nvcontainer && mkdir -p /chroot/etc/neuvector/certs/internal/
+
+COPY package/deps /deps/
+
+ARG CONSUL_VERSION=1.20.1
+RUN curl -fL https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_${TARGETARCH}.zip -o consul.zip \
+ && cat /deps/${TARGETOS}_${TARGETARCH}/consul.checksum | sha256sum --check --status && unzip consul.zip -d /chroot/usr/local/bin/
+
+RUN cd /usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+#
+# Artifact
+#
+FROM micro
+
+ARG COMMIT
+ARG VERSION
+
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+RUN ln -s /usr/lib64/libpcap.so /usr/lib64/libpcap.so.0.8
+
+LABEL "name"="enforcer" \
+ "vendor"="SUSE Security" \
+ "neuvector.image"="neuvector/enforcer" \
+ "neuvector.role"="enforcer" \
+ "neuvector.rev"="${COMMIT}" \
+ "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+ "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/neuvector/${VERSION}/README.md" \
+ "org.opencontainers.image.description"="SUSE Security Enforcer" \
+ "org.opencontainers.image.title"="SUSE Security Enforcer" \
+ "org.opencontainers.image.source"="https://github.com/neuvector/neuvector/" \
+ "org.opencontainers.image.version"="${VERSION}" \
+ "org.opensuse.reference"="neuvector/enforcer:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor", "-r"]
diff --git a/package/build_controller.sh b/package/build_controller.sh
new file mode 100755
index 000000000..9c2a01ac5
--- /dev/null
+++ b/package/build_controller.sh
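Review bot: `RUN cd /usr/bin/ && rm -rf basename chcon ... watch` in Dockerfile.enforcer prunes the `base` stage's own `/usr/bin`, not the `/chroot/usr/bin/` tree that is later copied into the final image by `COPY --from=base /chroot/ /`, so none of the listed utilities are actually removed from the shipped enforcer; Dockerfile.controller uses `RUN cd /chroot/usr/bin/ && rm -rf ...` and this line should match it. The runtime `zypper --installroot /chroot -n in` list installs `-devel` packages (`libnetfilter_queue-devel liburcu-devel libpcap-devel pcre2-devel libjansson-devel libmnl-devel jemalloc-devel`, plus `vectorscan-devel` in the next RUN) into the runtime chroot; if the enforcer only needs the shared libraries at runtime, the non-devel library packages would shrink the image and its patch surface, which is worth confirming against what `build_enforcer.sh` links. `COPY . /src` copies the whole build context into the builder, unlike the selective `COPY` list in Dockerfile.controller, so anything in the checkout (including `.git` unless a `.dockerignore` excludes it) lands in the builder layer and the build cache; a `.dockerignore` or the same selective list would bound that. `ENV DEBIAN_FRONTEND=noninteractive` has no effect on a zypper-based image and can be dropped.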
@@ -0,0 +1,58 @@
+#!/bin/bash
+set -e
+
+STAGE_DIR=stage
+
+machine=$(uname -m)
+echo "Machine hardware architecture is \"$machine\""
+
+if [ "$machine" == "x86_64" ]; then
+ echo "==> Unitest"
+ go test github.com/neuvector/neuvector/...
+fi
+
+echo "==> Making monitor"
+make -C monitor
+echo "==> Making nstools"
+make -C tools/nstools/
+if [ "$machine" == "x86_64" ]; then
+ CONTROLLER_FILE="controller/controller-amd64"
+else
+ CONTROLLER_FILE="controller/controller-arm64"
+fi
+if [ -f "$CONTROLLER_FILE" ];then
+ cp "$CONTROLLER_FILE" controller/controller
+ chmod +x controller/controller
+else
+ echo "==> Making controller"
+ make -C controller/
+fi
+echo "==> Making upgrader"
+make -C upgrader/
+
+mkdir -p ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+mkdir -p ${STAGE_DIR}/etc/
+mkdir -p ${STAGE_DIR}/etc/neuvector/templates
+mkdir -p ${STAGE_DIR}/licenses
+#
+cp monitor/monitor ${STAGE_DIR}/usr/local/bin/
+cp controller/controller ${STAGE_DIR}/usr/local/bin/
+cp upgrader/upgrader ${STAGE_DIR}/usr/local/bin/
+cp tools/nstools/nstools ${STAGE_DIR}/usr/local/bin/
+#
+cp scripts/sysctl.conf ${STAGE_DIR}/etc/
+cp scripts/teardown.sh ${STAGE_DIR}/usr/local/bin/scripts/
+cp scripts/runtime-gdb.py ${STAGE_DIR}/usr/local/bin/scripts/
+#
+cp templates/podTemplate.json ${STAGE_DIR}/etc/neuvector/templates/podTemplate.json
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.6.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.23/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.24/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.8.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-k3s-1.8.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/gke-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/aks-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/eks-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/ocp/rh-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cd vendor && ../genlic.sh > ../${STAGE_DIR}/licenses/neuvector-license.txt
+cd ..
diff --git a/package/build_enforcer.sh b/package/build_enforcer.sh
new file mode 100644
index 000000000..a3d83c254
--- /dev/null
+++ b/package/build_enforcer.sh
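Review bot: The `if [ "$machine" == "x86_64" ] ... else CONTROLLER_FILE="controller/controller-arm64"` branch in build_controller.sh maps every non-x86_64 host to the arm64 prebuilt binary, so a build on another architecture (the Makefile's `DEFAULT_PLATFORMS` names s390x and riscv64) would copy an arm64 binary into `controller/controller` whenever that file happens to be present; replace `else` with `elif [ "$machine" == "aarch64" ]; then`, keep the arm64 assignment under it, and add `else CONTROLLER_FILE=""` so other hosts fall through to `make -C controller/`. The prebuilt path is undocumented: when `$CONTROLLER_FILE` exists the script ships it without building or verifying it, relying on whoever placed it (the release workflow's checksum step) to have checked it, so a comment above the `if [ -f "$CONTROLLER_FILE" ]` line such as `# If CI has placed a prebuilt controller binary for this arch in controller/, ship it instead of compiling; the caller is responsible for verifying its integrity.` would record that contract. The script sets only `set -e`; `set -euo pipefail` would also turn an unset or misspelled `STAGE_DIR` into an error instead of letting `${STAGE_DIR}/usr/local/bin/` expand to `/usr/local/bin/` of the builder.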
@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+
+STAGE_DIR=stage
+
+machine=$(uname -m)
+echo "Machine hardware architecture is \"$machine\""
+
+if [ "$machine" == "x86_64" ]; then
+ echo "==> Unitest"
+ go test github.com/neuvector/neuvector/...
+fi
+
+echo "==> Making dp"
+cd monitor; make || exit $?; cd ..
+if [ "$machine" == "aarch64" ]; then
+ cd dp; make -f Makefile_arm64 || exit $?; cd ..
+elif [ "$machine" == "x86_64" ]; then
+ cd dp; make || exit $?; cd ..
+fi
+echo "==> Making monitor"
+make -C monitor/
+echo "==> Making nstools"
+make -C tools/nstools/
+echo "==> Making agent"
+make -C agent/
+echo "==> Making pathWalker"
+make -C agent/workerlet/pathWalker
+
+mkdir -p ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+mkdir -p ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+mkdir -p ${STAGE_DIR}/usr/local/bin/scripts/rem/
+mkdir -p ${STAGE_DIR}/etc/
+mkdir -p ${STAGE_DIR}/licenses
+#
+cp monitor/monitor ${STAGE_DIR}/usr/local/bin/
+cp agent/agent ${STAGE_DIR}/usr/local/bin/
+cp agent/workerlet/pathWalker/pathWalker ${STAGE_DIR}/usr/local/bin/
+cp dp/dp ${STAGE_DIR}/usr/local/bin/
+cp agent/nvbench/kube_runner.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/rh_runner.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/host.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/container.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/check_kube_version.sh ${STAGE_DIR}/usr/local/bin/scripts/
+cp agent/nvbench/kube_master_1_0_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_1_0_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_1_2_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_1_2_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_1_4_1.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_1_4_1.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_1_5_1.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_1_5_1.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_1_6_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_1_6_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_gke_1_0_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_gke_1_0_0.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_ocp_4_3.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_ocp_4_3.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_master_ocp_4_5.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kube_worker_ocp_4_5.tmpl ${STAGE_DIR}/usr/local/bin/scripts/tmpl/
+cp agent/nvbench/kubecis_1_0_0.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_1_2_0.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_1_4_1.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_1_5_1.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_1_6_0.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_gke_1_0_0.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_ocp_4_5.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/kubecis_ocp_4_3.rem ${STAGE_DIR}/usr/local/bin/scripts/rem/
+cp agent/nvbench/journal.tmpl ${STAGE_DIR}/usr/local/bin/scripts/
+cp tools/nstools/nstools ${STAGE_DIR}/usr/local/bin/
+cp -r agent/nvbench/utils/ ${STAGE_DIR}/usr/local/bin/scripts/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.6.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.23/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.24/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-1.8.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/cis-k3s-1.8.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/gke-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/aks-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/kubernetes-cis-benchmark/eks-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+cp -r agent/nvbench/ocp/rh-1.4.0/ ${STAGE_DIR}/usr/local/bin/scripts/cis_yamls/
+
+#
+cp scripts/sysctl.conf ${STAGE_DIR}/etc/
+cp scripts/configure.sh ${STAGE_DIR}/usr/local/bin/scripts/
+cp scripts/teardown.sh ${STAGE_DIR}/usr/local/bin/scripts/
+cp scripts/runtime-gdb.py ${STAGE_DIR}/usr/local/bin/scripts/
+
+cd vendor && ../genlic.sh > ../${STAGE_DIR}/licenses/neuvector-license.txt
+cd ..
+cd dp && ../genlic.sh >> ../${STAGE_DIR}/licenses/neuvector-license.txt
+cd ..
diff --git a/package/deps/linux_amd64/consul.checksum b/package/deps/linux_amd64/consul.checksum
new file mode 100644
index 000000000..8fd5eccd5
--- /dev/null
+++ b/package/deps/linux_amd64/consul.checksum
@@ -0,0 +1 @@
+d38e7571177909d437a9cbcc62fb65083bc567266b74a62d02c6abe783951648 consul.zip
diff --git a/package/deps/linux_amd64/opa.checksum b/package/deps/linux_amd64/opa.checksum
new file mode 100644
index 000000000..a16ea5b66
--- /dev/null
+++ b/package/deps/linux_amd64/opa.checksum
@@ -0,0 +1 @@
+c81aa9c1da779d0a8646c837a96d52e1a7040ff562318d9743b8ef51c93b49d6 opa
diff --git a/package/deps/linux_arm64/consul.checksum b/package/deps/linux_arm64/consul.checksum
new file mode 100644
index 000000000..5ff03bebf
--- /dev/null
+++ b/package/deps/linux_arm64/consul.checksum
@@ -0,0 +1 @@
+03ad4cf513819413016a79154e74161bcfa3c9e1fbfcbdc9eca525b2123d4779 consul.zip
diff --git a/package/deps/linux_arm64/opa.checksum b/package/deps/linux_arm64/opa.checksum
new file mode 100644
index 000000000..985f6ab95
--- /dev/null
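Review bot: build_enforcer.sh builds `monitor` twice: `cd monitor; make || exit $?; cd ..` under the "==> Making dp" banner and then `make -C monitor/` under "==> Making monitor"; the first line should be dropped, or, if dp genuinely needs monitor built first, the banner and a comment should say so. The dp `if [ "$machine" == "aarch64" ] ... elif [ "$machine" == "x86_64" ]` chain has no `else`, so on any other host dp is silently not built and the script only fails later at `cp dp/dp ...` with an unrelated-looking error; add `else echo "==> dp: unsupported architecture $machine" >&2; exit 1` before the `fi`. With `set -e` already in effect, the `|| exit $?` suffixes on those lines are redundant.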
+++ b/package/deps/linux_arm64/opa.checksum
@@ -0,0 +1 @@
+951cb3237a183a6259f68166b7d1dc66bda330ef70d895452db68e8261bed906 opa
diff --git a/tools/nstools/Makefile b/tools/nstools/Makefile
index 957db5e92..9e047aa2f 100644
--- a/tools/nstools/Makefile
+++ b/tools/nstools/Makefile
@@ -1,2 +1,2 @@
 all:
- @gcc -static -Wall -Werror -o nstools nstools.c nsrun.c nsget.c
+ @gcc -Wall -Werror -o nstools nstools.c nsrun.c nsget.c
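Review bot: Dropping `-static` from `@gcc -Wall -Werror -o nstools nstools.c nsrun.c nsget.c` in tools/nstools/Makefile makes the nstools binary depend on the glibc of whatever image it is copied into (`build_controller.sh` and `build_enforcer.sh` both stage it into `/usr/local/bin/`), where previously it ran regardless of the runtime base; that holds while builder and runtime are both SLE 15.6 BCI images, but the reason for the change is not recorded anywhere in the commit. A comment on the rule such as `# dynamically linked: builder and runtime images share the SLE 15.6 glibc` (or the actual reason, e.g. no static glibc in the golang builder image, if that is what motivated it) would keep the next person from re-adding the flag blind.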