flag

package
v0.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 4, 2024 License: Apache-2.0 Imports: 40 Imported by: 3

Documentation

Index

Constants

View Source
const (
	DefaultTokenHeader = "Tunnel-Token"
)

Variables

View Source
var (
	// Deprecated
	ClearCacheFlag = Flag[bool]{
		Name:       "clear-cache",
		ConfigName: "cache.clear",
		Usage:      "clear image caches without scanning",
		Removed:    `Use "tunnel clean --scan-cache" instead`,
	}
	CacheBackendFlag = Flag[string]{
		Name:       "cache-backend",
		ConfigName: "cache.backend",
		Default:    "fs",
		Usage:      "[EXPERIMENTAL] cache backend (e.g. redis://localhost:6379)",
	}
	CacheTTLFlag = Flag[time.Duration]{
		Name:       "cache-ttl",
		ConfigName: "cache.ttl",
		Usage:      "cache TTL when using redis as cache backend",
	}
	RedisTLSFlag = Flag[bool]{
		Name:       "redis-tls",
		ConfigName: "cache.redis.tls",
		Usage:      "enable redis TLS with public certificates, if using redis as cache backend",
	}
	RedisCACertFlag = Flag[string]{
		Name:       "redis-ca",
		ConfigName: "cache.redis.ca",
		Usage:      "redis ca file location, if using redis as cache backend",
	}
	RedisCertFlag = Flag[string]{
		Name:       "redis-cert",
		ConfigName: "cache.redis.cert",
		Usage:      "redis certificate file location, if using redis as cache backend",
	}
	RedisKeyFlag = Flag[string]{
		Name:       "redis-key",
		ConfigName: "cache.redis.key",
		Usage:      "redis key file location, if using redis as cache backend",
	}
)

e.g. config yaml:

cache:
  clear: true
  backend: "redis://localhost:6379"
redis:
  ca: ca-cert.pem
  cert: cert.pem
  key: key.pem
View Source
var (
	CleanAll = Flag[bool]{
		Name:       "all",
		Shorthand:  "a",
		ConfigName: "clean.all",
		Usage:      "remove all caches",
	}
	CleanScanCache = Flag[bool]{
		Name:       "scan-cache",
		ConfigName: "clean.scan-cache",
		Usage:      "remove scan cache (container and VM image analysis results)",
	}
	CleanVulnerabilityDB = Flag[bool]{
		Name:       "vuln-db",
		ConfigName: "clean.vuln-db",
		Usage:      "remove vulnerability database",
	}
	CleanJavaDB = Flag[bool]{
		Name:       "java-db",
		ConfigName: "clean.java-db",
		Usage:      "remove Java database",
	}
	CleanChecksBundle = Flag[bool]{
		Name:       "checks-bundle",
		ConfigName: "clean.checks-bundle",
		Usage:      "remove checks bundle",
	}
	CleanVEXRepo = Flag[bool]{
		Name:       "vex-repo",
		ConfigName: "clean.vex-repo",
		Usage:      "remove VEX repositories",
	}
)
View Source
var (
	// Deprecated
	ResetFlag = Flag[bool]{
		Name:       "reset",
		ConfigName: "reset",
		Usage:      "remove all caches and database",
		Removed:    `Use "tunnel clean --all" instead.`,
	}
	DownloadDBOnlyFlag = Flag[bool]{
		Name:       "download-db-only",
		ConfigName: "db.download-only",
		Usage:      "download/update vulnerability database but don't run a scan",
	}
	SkipDBUpdateFlag = Flag[bool]{
		Name:       "skip-db-update",
		ConfigName: "db.skip-update",
		Usage:      "skip updating vulnerability database",
		Aliases: []Alias{
			{
				Name:       "skip-update",
				Deprecated: true,
			},
		},
	}
	DownloadJavaDBOnlyFlag = Flag[bool]{
		Name:       "download-java-db-only",
		ConfigName: "db.download-java-only",
		Usage:      "download/update Java index database but don't run a scan",
	}
	SkipJavaDBUpdateFlag = Flag[bool]{
		Name:       "skip-java-db-update",
		ConfigName: "db.java-skip-update",
		Usage:      "skip updating Java index database",
	}
	NoProgressFlag = Flag[bool]{
		Name:       "no-progress",
		ConfigName: "db.no-progress",
		Usage:      "suppress progress bar",
	}
	DBRepositoryFlag = Flag[[]string]{
		Name:       "db-repository",
		ConfigName: "db.repository",
		Default:    []string{db.DefaultGCRRepository, db.DefaultGHCRRepository},
		Usage:      "OCI repository(ies) to retrieve tunnel-db in order of priority",
	}
	JavaDBRepositoryFlag = Flag[[]string]{
		Name:       "java-db-repository",
		ConfigName: "db.java-repository",
		Default:    []string{javadb.DefaultGCRRepository, javadb.DefaultGHCRRepository},
		Usage:      "OCI repository(ies) to retrieve tunnel-java-db in order of priority",
	}
	LightFlag = Flag[bool]{
		Name:       "light",
		ConfigName: "db.light",
		Usage:      "deprecated",
		Deprecated: `This flag is ignored.`,
	}
)
View Source
var (
	ConfigFileFlag = Flag[string]{
		Name:       "config",
		ConfigName: "config",
		Shorthand:  "c",
		Default:    "tunnel.yaml",
		Usage:      "config path",
		Persistent: true,
	}
	ShowVersionFlag = Flag[bool]{
		Name:       "version",
		ConfigName: "version",
		Shorthand:  "v",
		Usage:      "show version",
		Persistent: true,
	}
	QuietFlag = Flag[bool]{
		Name:       "quiet",
		ConfigName: "quiet",
		Shorthand:  "q",
		Usage:      "suppress progress bar and log output",
		Persistent: true,
	}
	DebugFlag = Flag[bool]{
		Name:       "debug",
		ConfigName: "debug",
		Shorthand:  "d",
		Usage:      "debug mode",
		Persistent: true,
	}
	InsecureFlag = Flag[bool]{
		Name:       "insecure",
		ConfigName: "insecure",
		Usage:      "allow insecure server connections",
		Persistent: true,
	}
	TimeoutFlag = Flag[time.Duration]{
		Name:       "timeout",
		ConfigName: "timeout",
		Default:    time.Second * 300,
		Usage:      "timeout",
		Persistent: true,
	}
	CacheDirFlag = Flag[string]{
		Name:       "cache-dir",
		ConfigName: "cache.dir",
		Default:    cache.DefaultDir(),
		Usage:      "cache directory",
		Persistent: true,
	}
	GenerateDefaultConfigFlag = Flag[bool]{
		Name:       "generate-default-config",
		ConfigName: "generate-default-config",
		Usage:      "write the default config to tunnel-default.yaml",
		Persistent: true,
	}
)
View Source
var (
	ImageConfigScannersFlag = Flag[[]string]{
		Name:       "image-config-scanners",
		ConfigName: "image.image-config-scanners",
		Values: xstrings.ToStringSlice(types.Scanners{
			types.MisconfigScanner,
			types.SecretScanner,
		}),
		Usage: "comma-separated list of what security issues to detect on container image configurations",
	}
	ScanRemovedPkgsFlag = Flag[bool]{
		Name:       "removed-pkgs",
		ConfigName: "image.removed-pkgs",
		Usage:      "detect vulnerabilities of removed packages (only for Alpine)",
	}
	InputFlag = Flag[string]{
		Name:       "input",
		ConfigName: "image.input",
		Usage:      "input file path instead of image name",
	}
	PlatformFlag = Flag[string]{
		Name:       "platform",
		ConfigName: "image.platform",
		Usage:      "set platform in the form os/arch if image is multi-platform capable",
	}
	DockerHostFlag = Flag[string]{
		Name:       "docker-host",
		ConfigName: "image.docker.host",
		Default:    "",
		Usage:      "unix domain socket path to use for docker scanning",
	}
	PodmanHostFlag = Flag[string]{
		Name:       "podman-host",
		ConfigName: "image.podman.host",
		Default:    "",
		Usage:      "unix podman socket path to use for podman scanning",
	}
	SourceFlag = Flag[[]string]{
		Name:       "image-src",
		ConfigName: "image.source",
		Default:    xstrings.ToStringSlice(ftypes.AllImageSources),
		Values:     xstrings.ToStringSlice(ftypes.AllImageSources),
		Usage:      "image source(s) to use, in priority order",
	}
)
View Source
var (
	KubeConfigFlag = Flag[string]{
		Name:       "kubeconfig",
		ConfigName: "kubernetes.kubeconfig",
		Usage:      "specify the kubeconfig file path to use",
	}
	K8sVersionFlag = Flag[string]{
		Name:       "k8s-version",
		ConfigName: "kubernetes.k8s-version",
		Usage:      "specify k8s version to validate outdated api by it (example: 1.21.0)",
	}
	TolerationsFlag = Flag[[]string]{
		Name:       "tolerations",
		ConfigName: "kubernetes.tolerations",
		Usage:      "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)",
	}
	DisableNodeCollector = Flag[bool]{
		Name:       "disable-node-collector",
		ConfigName: "kubernetes.disableNodeCollector",
		Usage:      "When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.",
	}
	NodeCollectorNamespace = Flag[string]{
		Name:       "node-collector-namespace",
		ConfigName: "kubernetes.node-collector.namespace",
		Default:    "tunnel-temp",
		Usage:      "specify the namespace in which the node-collector job should be deployed",
	}
	NodeCollectorImageRef = Flag[string]{
		Name:       "node-collector-imageref",
		ConfigName: "kubernetes.node-collector.imageref",
		Default:    "ghcr.io/khulnasoft/node-collector:0.3.1",
		Usage:      "indicate the image reference for the node-collector scan job",
	}
	ExcludeOwned = Flag[bool]{
		Name:       "exclude-owned",
		ConfigName: "kubernetes.exclude.owned",
		Usage:      "exclude resources that have an owner reference",
	}
	SkipImages = Flag[bool]{
		Name:       "skip-images",
		ConfigName: "kubernetes.skipImages",
		Usage:      "skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources",
	}
	ExcludeNodes = Flag[[]string]{
		Name:       "exclude-nodes",
		ConfigName: "kubernetes.exclude.nodes",
		Usage:      "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
	}

	ExcludeKinds = Flag[[]string]{
		Name:       "exclude-kinds",
		ConfigName: "kubernetes.excludeKinds",
		Usage:      "indicate the kinds exclude from scanning (example: node)",
	}
	IncludeKinds = Flag[[]string]{
		Name:       "include-kinds",
		ConfigName: "kubernetes.includeKinds",
		Usage:      "indicate the kinds included in scanning (example: node)",
	}
	ExcludeNamespaces = Flag[[]string]{
		Name:       "exclude-namespaces",
		ConfigName: "kubernetes.excludeNamespaces",
		Usage:      "indicate the namespaces excluded from scanning (example: kube-system)",
	}
	IncludeNamespaces = Flag[[]string]{
		Name:       "include-namespaces",
		ConfigName: "kubernetes.includeNamespaces",
		Usage:      "indicate the namespaces included in scanning (example: kube-system)",
	}
	QPS = Flag[float64]{
		Name:       "qps",
		ConfigName: "kubernetes.qps",
		Default:    5.0,
		Usage:      "specify the maximum QPS to the master from this client",
	}
	Burst = Flag[int]{
		Name:       "burst",
		ConfigName: "kubernetes.burst",
		Default:    10,
		Usage:      "specify the maximum burst for throttle",
	}
)
View Source
var (
	LicenseFull = Flag[bool]{
		Name:       "license-full",
		ConfigName: "license.full",
		Usage:      "eagerly look for licenses in source code headers and license files",
	}
	IgnoredLicenses = Flag[[]string]{
		Name:       "ignored-licenses",
		ConfigName: "license.ignored",
		Usage:      "specify a list of license to ignore",
	}
	LicenseConfidenceLevel = Flag[float64]{
		Name:       "license-confidence-level",
		ConfigName: "license.confidenceLevel",
		Default:    0.9,
		Usage:      "specify license classifier's confidence level",
	}

	// LicenseForbidden is an option only in a config file
	LicenseForbidden = Flag[[]string]{
		ConfigName: "license.forbidden",
		Default:    expression.ForbiddenLicenses,
		Usage:      "forbidden licenses",
	}
	// LicenseRestricted is an option only in a config file
	LicenseRestricted = Flag[[]string]{
		ConfigName: "license.restricted",
		Default:    expression.RestrictedLicenses,
		Usage:      "restricted licenses",
	}
	// LicenseReciprocal is an option only in a config file
	LicenseReciprocal = Flag[[]string]{
		ConfigName: "license.reciprocal",
		Default:    expression.ReciprocalLicenses,
		Usage:      "reciprocal licenses",
	}
	// LicenseNotice is an option only in a config file
	LicenseNotice = Flag[[]string]{
		ConfigName: "license.notice",
		Default:    expression.NoticeLicenses,
		Usage:      "notice licenses",
	}
	// LicensePermissive is an option only in a config file
	LicensePermissive = Flag[[]string]{
		ConfigName: "license.permissive",
		Default:    expression.PermissiveLicenses,
		Usage:      "permissive licenses",
	}
	// LicenseUnencumbered is an option only in a config file
	LicenseUnencumbered = Flag[[]string]{
		ConfigName: "license.unencumbered",
		Default:    expression.UnencumberedLicenses,
		Usage:      "unencumbered licenses",
	}
)
View Source
var (
	// Deprecated
	ResetChecksBundleFlag = Flag[bool]{
		Name:       "reset-checks-bundle",
		ConfigName: "misconfiguration.reset-checks-bundle",
		Usage:      "remove checks bundle",
		Removed:    `Use "tunnel clean --checks-bundle" instead`,
		Aliases: []Alias{
			{
				Name:       "reset-policy-bundle",
				ConfigName: "misconfiguration.reset-policy-bundle",
				Deprecated: true,
			},
		},
	}
	IncludeNonFailuresFlag = Flag[bool]{
		Name:       "include-non-failures",
		ConfigName: "misconfiguration.include-non-failures",
		Usage:      "include successes, available with '--scanners misconfig'",
	}
	HelmValuesFileFlag = Flag[[]string]{
		Name:       "helm-values",
		ConfigName: "misconfiguration.helm.values",
		Usage:      "specify paths to override the Helm values.yaml files",
	}
	HelmSetFlag = Flag[[]string]{
		Name:       "helm-set",
		ConfigName: "misconfiguration.helm.set",
		Usage:      "specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
	}
	HelmSetFileFlag = Flag[[]string]{
		Name:       "helm-set-file",
		ConfigName: "misconfiguration.helm.set-file",
		Usage:      "specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)",
	}
	HelmSetStringFlag = Flag[[]string]{
		Name:       "helm-set-string",
		ConfigName: "misconfiguration.helm.set-string",
		Usage:      "specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)",
	}
	HelmAPIVersionsFlag = Flag[[]string]{
		Name:       "helm-api-versions",
		ConfigName: "misconfiguration.helm.api-versions",
		Usage:      "Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)",
	}
	HelmKubeVersionFlag = Flag[string]{
		Name:       "helm-kube-version",
		ConfigName: "misconfiguration.helm.kube-version",
		Usage:      "Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.",
	}
	TfVarsFlag = Flag[[]string]{
		Name:       "tf-vars",
		ConfigName: "misconfiguration.terraform.vars",
		Usage:      "specify paths to override the Terraform tfvars files",
	}
	CfParamsFlag = Flag[[]string]{
		Name:       "cf-params",
		ConfigName: "misconfiguration.cloudformation.params",
		Default:    []string{},
		Usage:      "specify paths to override the CloudFormation parameters files",
	}
	TerraformExcludeDownloaded = Flag[bool]{
		Name:       "tf-exclude-downloaded-modules",
		ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
		Usage:      "exclude misconfigurations for downloaded terraform modules",
	}
	ChecksBundleRepositoryFlag = Flag[string]{
		Name:       "checks-bundle-repository",
		ConfigName: "misconfiguration.checks-bundle-repository",
		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
		Usage:      "OCI registry URL to retrieve checks bundle from",
		Aliases: []Alias{
			{
				Name:       "policy-bundle-repository",
				ConfigName: "misconfiguration.policy-bundle-repository",
				Deprecated: true,
			},
		},
	}
	MisconfigScannersFlag = Flag[[]string]{
		Name:       "misconfig-scanners",
		ConfigName: "misconfiguration.scanners",
		Default: xstrings.ToStringSlice(
			lo.Without(analyzer.TypeConfigFiles, analyzer.TypeYAML, analyzer.TypeJSON),
		),
		Usage: "comma-separated list of misconfig scanners to use for misconfiguration scanning",
	}
	ConfigFileSchemasFlag = Flag[[]string]{
		Name:       "config-file-schemas",
		ConfigName: "misconfiguration.config-file-schemas",
		Usage:      "specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking",
	}
)

e.g. config yaml:

misconfiguration:
  trace: true
  config-policy: "custom-policy/policy"
  policy-namespaces: "user"
View Source
var (
	ModuleDirFlag = Flag[string]{
		Name:       "module-dir",
		ConfigName: "module.dir",
		Default:    module.DefaultDir,
		Usage:      "specify directory to the wasm modules that will be loaded",
		Persistent: true,
	}
	EnableModulesFlag = Flag[[]string]{
		Name:       "enable-modules",
		ConfigName: "module.enable-modules",
		Default:    []string{},
		Usage:      "[EXPERIMENTAL] module names to enable",
		Persistent: true,
	}
)
View Source
var (
	IncludeDevDepsFlag = Flag[bool]{
		Name:       "include-dev-deps",
		ConfigName: "pkg.include-dev-deps",
		Usage:      "include development dependencies in the report (supported: npm, yarn)",
	}
	PkgTypesFlag = Flag[[]string]{
		Name:       "pkg-types",
		ConfigName: "pkg.types",
		Default:    types.PkgTypes,
		Values:     types.PkgTypes,
		Usage:      "list of package types",
		Aliases: []Alias{
			{
				Name:       "vuln-type",
				ConfigName: "vulnerability.type",
				Deprecated: true,
			},
		},
	}
	PkgRelationshipsFlag = Flag[[]string]{
		Name:       "pkg-relationships",
		ConfigName: "pkg.relationships",
		Default:    xstrings.ToStringSlice(ftypes.Relationships),
		Values:     xstrings.ToStringSlice(ftypes.Relationships),
		Usage:      "list of package relationships",
	}
)
View Source
var (
	UsernameFlag = Flag[[]string]{
		Name:       "username",
		ConfigName: "registry.username",
		Usage:      "username. Comma-separated usernames allowed.",
	}
	PasswordFlag = Flag[[]string]{
		Name:       "password",
		ConfigName: "registry.password",
		Usage:      "password. Comma-separated passwords allowed. TUNNEL_PASSWORD should be used for security reasons.",
	}
	PasswordStdinFlag = Flag[bool]{
		Name:       "password-stdin",
		ConfigName: "registry.password-stdin",
		Usage:      "password from stdin. Comma-separated passwords are not supported.",
	}
	RegistryTokenFlag = Flag[string]{
		Name:       "registry-token",
		ConfigName: "registry.token",
		Usage:      "registry token",
	}
)
View Source
var (
	IncludeDeprecatedChecksFlag = Flag[bool]{
		Name:       "include-deprecated-checks",
		ConfigName: "rego.include-deprecated-checks",
		Usage:      "include deprecated checks",
	}
	SkipCheckUpdateFlag = Flag[bool]{
		Name:       "skip-check-update",
		ConfigName: "rego.skip-check-update",
		Usage:      "skip fetching rego check updates",
		Aliases: []Alias{
			{
				Name:       "skip-policy-update",
				ConfigName: "rego.skip-policy-update",
				Deprecated: true,
			},
		},
	}
	TraceFlag = Flag[bool]{
		Name:       "trace",
		ConfigName: "rego.trace",
		Usage:      "enable more verbose trace output for custom queries",
	}
	ConfigCheckFlag = Flag[[]string]{
		Name:       "config-check",
		ConfigName: "rego.check",
		Usage:      "specify the paths to the Rego check files or to the directories containing them, applying config files",
		Aliases: []Alias{
			{Name: "policy", Deprecated: true},
			{Name: "config-policy", Deprecated: true},
		},
	}
	ConfigDataFlag = Flag[[]string]{
		Name:       "config-data",
		ConfigName: "rego.data",
		Usage:      "specify paths from which data for the Rego checks will be recursively loaded",
		Aliases: []Alias{
			{Name: "data"},
		},
	}
	CheckNamespaceFlag = Flag[[]string]{
		Name:       "check-namespaces",
		ConfigName: "rego.namespaces",
		Usage:      "Rego namespaces",
		Aliases: []Alias{
			{Name: "namespaces"},
			{Name: "policy-namespaces", Deprecated: true},
		},
	}
)

e.g. config yaml:

rego:
  trace: true
  config-policy: "custom-policy/policy"
  policy-namespaces: "user"
View Source
var (
	ServerTokenFlag = Flag[string]{
		Name:       "token",
		ConfigName: "server.token",
		Usage:      "for authentication in client/server mode",
	}
	ServerTokenHeaderFlag = Flag[string]{
		Name:       "token-header",
		ConfigName: "server.token-header",
		Default:    DefaultTokenHeader,
		Usage:      "specify a header name for token in client/server mode",
	}
	ServerAddrFlag = Flag[string]{
		Name:       "server",
		ConfigName: "server.addr",
		Usage:      "server address in client mode",
	}
	ServerCustomHeadersFlag = Flag[[]string]{
		Name:       "custom-headers",
		ConfigName: "server.custom-headers",
		Usage:      "custom headers in client mode",
	}
	ServerListenFlag = Flag[string]{
		Name:       "listen",
		ConfigName: "server.listen",
		Default:    "localhost:4954",
		Usage:      "listen address in server mode",
	}
	ServerPathPrefixFlag = Flag[string]{
		Name:       "path-prefix",
		ConfigName: "server.path-prefix",
		Usage:      "prefix for the server endpoint",
		Internal:   true,
	}
)
View Source
var (
	FetchBranchFlag = Flag[string]{
		Name:       "branch",
		ConfigName: "repository.branch",
		Usage:      "pass the branch name to be scanned",
	}
	FetchCommitFlag = Flag[string]{
		Name:       "commit",
		ConfigName: "repository.commit",
		Usage:      "pass the commit hash to be scanned",
	}
	FetchTagFlag = Flag[string]{
		Name:       "tag",
		ConfigName: "repository.tag",
		Usage:      "pass the tag name to be scanned",
	}
)
View Source
var (
	FormatFlag = Flag[string]{
		Name:       "format",
		ConfigName: "format",
		Shorthand:  "f",
		Default:    string(types.FormatTable),
		Values:     xstrings.ToStringSlice(types.SupportedFormats),
		Usage:      "format",
	}
	ReportFormatFlag = Flag[string]{
		Name:       "report",
		ConfigName: "report",
		Default:    "all",
		Values: []string{
			"all",
			"summary",
		},
		Usage: "specify a report format for the output",
	}
	TemplateFlag = Flag[string]{
		Name:       "template",
		ConfigName: "template",
		Shorthand:  "t",
		Usage:      "output template",
	}
	DependencyTreeFlag = Flag[bool]{
		Name:       "dependency-tree",
		ConfigName: "dependency-tree",
		Usage:      "[EXPERIMENTAL] show dependency origin tree of vulnerable packages",
	}
	ListAllPkgsFlag = Flag[bool]{
		Name:       "list-all-pkgs",
		ConfigName: "list-all-pkgs",
		Usage:      "output all packages in the JSON report regardless of vulnerability",
	}
	IgnoreFileFlag = Flag[string]{
		Name:       "ignorefile",
		ConfigName: "ignorefile",
		Default:    result.DefaultIgnoreFile,
		Usage:      "specify .tunnelignore file",
	}
	IgnorePolicyFlag = Flag[string]{
		Name:       "ignore-policy",
		ConfigName: "ignore-policy",
		Usage:      "specify the Rego file path to evaluate each vulnerability",
	}
	ExitCodeFlag = Flag[int]{
		Name:       "exit-code",
		ConfigName: "exit-code",
		Usage:      "specify exit code when any security issues are found",
	}
	ExitOnEOLFlag = Flag[int]{
		Name:       "exit-on-eol",
		ConfigName: "exit-on-eol",
		Usage:      "exit with the specified code when the OS reaches end of service/life",
	}
	OutputFlag = Flag[string]{
		Name:       "output",
		ConfigName: "output",
		Shorthand:  "o",
		Usage:      "output file name",
	}
	OutputPluginArgFlag = Flag[string]{
		Name:       "output-plugin-arg",
		ConfigName: "output-plugin-arg",
		Usage:      "[EXPERIMENTAL] output plugin arguments",
	}
	SeverityFlag = Flag[[]string]{
		Name:       "severity",
		ConfigName: "severity",
		Shorthand:  "s",
		Default:    dbTypes.SeverityNames,
		Values:     dbTypes.SeverityNames,
		Usage:      "severities of security issues to be displayed",
	}
	ComplianceFlag = Flag[string]{
		Name:       "compliance",
		ConfigName: "scan.compliance",
		Usage:      "compliance report to generate",
	}
	ShowSuppressedFlag = Flag[bool]{
		Name:       "show-suppressed",
		ConfigName: "scan.show-suppressed",
		Usage:      "[EXPERIMENTAL] show suppressed vulnerabilities",
	}
)

e.g. config yaml:

format: table
dependency-tree: true
severity: HIGH,CRITICAL
View Source
var (
	SkipDirsFlag = Flag[[]string]{
		Name:       "skip-dirs",
		ConfigName: "scan.skip-dirs",
		Usage:      "specify the directories or glob patterns to skip",
	}
	SkipFilesFlag = Flag[[]string]{
		Name:       "skip-files",
		ConfigName: "scan.skip-files",
		Default:    []string{},
		Usage:      "specify the files or glob patterns to skip",
	}
	OfflineScanFlag = Flag[bool]{
		Name:       "offline-scan",
		ConfigName: "scan.offline",
		Usage:      "do not issue API requests to identify dependencies",
	}
	ScannersFlag = Flag[[]string]{
		Name:       "scanners",
		ConfigName: "scan.scanners",
		Default: xstrings.ToStringSlice(types.Scanners{
			types.VulnerabilityScanner,
			types.SecretScanner,
		}),
		Values: xstrings.ToStringSlice(types.Scanners{
			types.VulnerabilityScanner,
			types.MisconfigScanner,
			types.SecretScanner,
			types.LicenseScanner,
		}),
		ValueNormalize: func(ss []string) []string {
			return lo.Map(ss, func(s string, _ int) string {
				switch s {
				case "vulnerability":
					return string(types.VulnerabilityScanner)
				case "misconf", "misconfiguration":
					return string(types.MisconfigScanner)
				case "config":
					log.Warn("'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/khulnasoft/tunnel/discussions/5586 for the detail.")
					return string(types.MisconfigScanner)
				}
				return s
			})
		},
		Aliases: []Alias{
			{
				Name:       "security-checks",
				ConfigName: "scan.security-checks",
				Deprecated: true,
			},
		},
		Usage: "comma-separated list of what security issues to detect",
	}
	FilePatternsFlag = Flag[[]string]{
		Name:       "file-patterns",
		ConfigName: "scan.file-patterns",
		Usage:      "specify config file patterns",
	}
	SlowFlag = Flag[bool]{
		Name:       "slow",
		ConfigName: "scan.slow",
		Default:    false,
		Usage:      "scan over time with lower CPU and memory utilization",
		Deprecated: `Use "--parallel 1" instead.`,
	}
	ParallelFlag = Flag[int]{
		Name:       "parallel",
		ConfigName: "scan.parallel",
		Default:    5,
		Usage:      "number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism",
	}
	SBOMSourcesFlag = Flag[[]string]{
		Name:       "sbom-sources",
		ConfigName: "scan.sbom-sources",
		Values: []string{
			"oci",
			"rekor",
		},
		Usage: "[EXPERIMENTAL] try to retrieve SBOM from the specified sources",
	}
	RekorURLFlag = Flag[string]{
		Name:       "rekor-url",
		ConfigName: "scan.rekor-url",
		Default:    "https://rekor.sigstore.dev",
		Usage:      "[EXPERIMENTAL] address of rekor STL server",
	}
	DetectionPriority = Flag[string]{
		Name:       "detection-priority",
		ConfigName: "scan.detection-priority",
		Default:    string(ftypes.PriorityPrecise),
		Values: xstrings.ToStringSlice([]ftypes.DetectionPriority{
			ftypes.PriorityPrecise,
			ftypes.PriorityComprehensive,
		}),
		Usage: `specify the detection priority:
  - "precise": Prioritizes precise by minimizing false positives.
  - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
`,
	}
)
View Source
var (
	IgnoreUnfixedFlag = Flag[bool]{
		Name:       "ignore-unfixed",
		ConfigName: "vulnerability.ignore-unfixed",
		Usage:      "display only fixed vulnerabilities",
	}
	IgnoreStatusFlag = Flag[[]string]{
		Name:       "ignore-status",
		ConfigName: "vulnerability.ignore-status",
		Values:     dbTypes.Statuses,
		Usage:      "comma-separated list of vulnerability status to ignore",
	}
	VEXFlag = Flag[[]string]{
		Name:       "vex",
		ConfigName: "vulnerability.vex",
		Usage:      `[EXPERIMENTAL] VEX sources ("repo", "oci" or file path)`,
	}
	SkipVEXRepoUpdateFlag = Flag[bool]{
		Name:       "skip-vex-repo-update",
		ConfigName: "vulnerability.skip-vex-repo-update",
		Usage:      `[EXPERIMENTAL] Skip VEX Repository update`,
	}
)
View Source
var (
	SecretConfigFlag = Flag[string]{
		Name:       "secret-config",
		ConfigName: "secret.config",
		Default:    "tunnel-secret.yaml",
		Usage:      "specify a path to config file for secret scanning",
	}
)

Functions

This section is empty.

Types

type AWSFlagGroup

type AWSFlagGroup struct {
	Region       *Flag[string]
	Endpoint     *Flag[string]
	Services     *Flag[[]string]
	SkipServices *Flag[[]string]
	Account      *Flag[string]
	ARN          *Flag[string]
}

func NewAWSFlagGroup

func NewAWSFlagGroup() *AWSFlagGroup

func (*AWSFlagGroup) Flags

func (f *AWSFlagGroup) Flags() []Flagger

func (*AWSFlagGroup) Name

func (f *AWSFlagGroup) Name() string

func (*AWSFlagGroup) ToOptions

func (f *AWSFlagGroup) ToOptions() (AWSOptions, error)

type AWSOptions

type AWSOptions struct {
	Region       string
	Endpoint     string
	Services     []string
	SkipServices []string
	Account      string
	ARN          string
}

type Alias

type Alias struct {
	Name       string
	ConfigName string
	Deprecated bool
}

type CacheFlagGroup

type CacheFlagGroup struct {
	ClearCache   *Flag[bool]
	CacheBackend *Flag[string]
	CacheTTL     *Flag[time.Duration]

	RedisTLS    *Flag[bool]
	RedisCACert *Flag[string]
	RedisCert   *Flag[string]
	RedisKey    *Flag[string]
}

CacheFlagGroup composes common printer flag structs used for commands requiring cache logic.

func NewCacheFlagGroup

func NewCacheFlagGroup() *CacheFlagGroup

NewCacheFlagGroup returns a default CacheFlagGroup

func (*CacheFlagGroup) Flags

func (fg *CacheFlagGroup) Flags() []Flagger

func (*CacheFlagGroup) Name

func (fg *CacheFlagGroup) Name() string

func (*CacheFlagGroup) ToOptions

func (fg *CacheFlagGroup) ToOptions() (CacheOptions, error)

type CacheOptions

type CacheOptions struct {
	ClearCache bool

	CacheBackend string
	CacheTTL     time.Duration
	RedisTLS     bool
	RedisCACert  string
	RedisCert    string
	RedisKey     string
}

type CleanFlagGroup

type CleanFlagGroup struct {
	CleanAll             *Flag[bool]
	CleanScanCache       *Flag[bool]
	CleanVulnerabilityDB *Flag[bool]
	CleanJavaDB          *Flag[bool]
	CleanChecksBundle    *Flag[bool]
	CleanVEXRepositories *Flag[bool]
}

func NewCleanFlagGroup

func NewCleanFlagGroup() *CleanFlagGroup

func (*CleanFlagGroup) Flags

func (fg *CleanFlagGroup) Flags() []Flagger

func (*CleanFlagGroup) Name

func (fg *CleanFlagGroup) Name() string

func (*CleanFlagGroup) ToOptions

func (fg *CleanFlagGroup) ToOptions() (CleanOptions, error)

type CleanOptions

type CleanOptions struct {
	CleanAll             bool
	CleanScanCache       bool
	CleanVulnerabilityDB bool
	CleanJavaDB          bool
	CleanChecksBundle    bool
	CleanVEXRepositories bool
}

type DBFlagGroup

type DBFlagGroup struct {
	Reset              *Flag[bool]
	DownloadDBOnly     *Flag[bool]
	SkipDBUpdate       *Flag[bool]
	DownloadJavaDBOnly *Flag[bool]
	SkipJavaDBUpdate   *Flag[bool]
	NoProgress         *Flag[bool]
	DBRepositories     *Flag[[]string]
	JavaDBRepositories *Flag[[]string]
	Light              *Flag[bool] // deprecated
}

DBFlagGroup composes common printer flag structs used for commands requiring DB logic.

func NewDBFlagGroup

func NewDBFlagGroup() *DBFlagGroup

NewDBFlagGroup returns a default DBFlagGroup

func (*DBFlagGroup) Flags

func (f *DBFlagGroup) Flags() []Flagger

func (*DBFlagGroup) Name

func (f *DBFlagGroup) Name() string

func (*DBFlagGroup) ToOptions

func (f *DBFlagGroup) ToOptions() (DBOptions, error)

type DBOptions

type DBOptions struct {
	Reset              bool
	DownloadDBOnly     bool
	SkipDBUpdate       bool
	DownloadJavaDBOnly bool
	SkipJavaDBUpdate   bool
	NoProgress         bool
	DBRepositories     []name.Reference
	JavaDBRepositories []name.Reference
}

type Flag

type Flag[T FlagType] struct {
	// Name is for CLI flag and environment variable.
	// If this field is empty, it will be available only in config file.
	Name string

	// ConfigName is a key in config file. It is also used as a key of viper.
	ConfigName string

	// Shorthand is a shorthand letter.
	Shorthand string

	// Default is the default value. It should be defined when the value is different from the zero value.
	Default T

	// Values is a list of allowed values.
	// It currently supports string flags and string slice flags only.
	Values []string

	// ValueNormalize is a function to normalize the value.
	// It can be used for aliases, etc.
	ValueNormalize func(T) T

	// Usage explains how to use the flag.
	Usage string

	// Persistent represents if the flag is persistent.
	Persistent bool

	// Deprecated represents if the flag is deprecated.
	// It shows a warning message when the flag is used.
	Deprecated string

	// Removed represents if the flag is removed and no longer works.
	// It shows an error message when the flag is used.
	Removed string

	// Internal represents if the flag is for internal use only.
	// It is not shown in the usage message.
	Internal bool

	// Aliases represents aliases
	Aliases []Alias
	// contains filtered or unexported fields
}

func (*Flag[T]) Add

func (f *Flag[T]) Add(cmd *cobra.Command)

func (*Flag[T]) Bind

func (f *Flag[T]) Bind(cmd *cobra.Command) error

func (*Flag[T]) BindEnv

func (f *Flag[T]) BindEnv() error

func (*Flag[T]) Clone

func (f *Flag[T]) Clone() *Flag[T]

func (*Flag[T]) GetAliases

func (f *Flag[T]) GetAliases() []Alias

func (*Flag[T]) GetConfigName

func (f *Flag[T]) GetConfigName() string

func (*Flag[T]) GetDefaultValue

func (f *Flag[T]) GetDefaultValue() any

func (*Flag[T]) GetName

func (f *Flag[T]) GetName() string

func (*Flag[T]) Hidden

func (f *Flag[T]) Hidden() bool

func (*Flag[T]) Parse

func (f *Flag[T]) Parse() error

func (*Flag[T]) Value

func (f *Flag[T]) Value() (t T)

type FlagGroup

type FlagGroup interface {
	Name() string
	Flags() []Flagger
}

type FlagType

type FlagType interface {
	int | string | []string | bool | time.Duration | float64
}

type Flagger

type Flagger interface {
	GetName() string
	GetConfigName() string
	GetDefaultValue() any
	GetAliases() []Alias
	Hidden() bool

	Parse() error
	Add(cmd *cobra.Command)
	Bind(cmd *cobra.Command) error
}

type Flags

type Flags struct {
	GlobalFlagGroup        *GlobalFlagGroup
	AWSFlagGroup           *AWSFlagGroup
	CacheFlagGroup         *CacheFlagGroup
	CleanFlagGroup         *CleanFlagGroup
	DBFlagGroup            *DBFlagGroup
	ImageFlagGroup         *ImageFlagGroup
	K8sFlagGroup           *K8sFlagGroup
	LicenseFlagGroup       *LicenseFlagGroup
	MisconfFlagGroup       *MisconfFlagGroup
	ModuleFlagGroup        *ModuleFlagGroup
	PackageFlagGroup       *PackageFlagGroup
	RemoteFlagGroup        *RemoteFlagGroup
	RegistryFlagGroup      *RegistryFlagGroup
	RegoFlagGroup          *RegoFlagGroup
	RepoFlagGroup          *RepoFlagGroup
	ReportFlagGroup        *ReportFlagGroup
	ScanFlagGroup          *ScanFlagGroup
	SecretFlagGroup        *SecretFlagGroup
	VulnerabilityFlagGroup *VulnerabilityFlagGroup
}

func (*Flags) AddFlags

func (f *Flags) AddFlags(cmd *cobra.Command)

func (*Flags) Bind

func (f *Flags) Bind(cmd *cobra.Command) error

func (*Flags) ToOptions

func (f *Flags) ToOptions(args []string) (Options, error)

nolint: gocyclo

func (*Flags) Usages

func (f *Flags) Usages(cmd *cobra.Command) string

type GlobalFlagGroup

type GlobalFlagGroup struct {
	ConfigFile            *Flag[string]
	ShowVersion           *Flag[bool] // spf13/cobra can't override the logic of version printing like VersionPrinter in urfave/cli. -v needs to be defined ourselves.
	Quiet                 *Flag[bool]
	Debug                 *Flag[bool]
	Insecure              *Flag[bool]
	Timeout               *Flag[time.Duration]
	CacheDir              *Flag[string]
	GenerateDefaultConfig *Flag[bool]
}

GlobalFlagGroup composes global flags

func NewGlobalFlagGroup

func NewGlobalFlagGroup() *GlobalFlagGroup

func (*GlobalFlagGroup) AddFlags

func (f *GlobalFlagGroup) AddFlags(cmd *cobra.Command)

func (*GlobalFlagGroup) Bind

func (f *GlobalFlagGroup) Bind(cmd *cobra.Command) error

func (*GlobalFlagGroup) Flags

func (f *GlobalFlagGroup) Flags() []Flagger

func (*GlobalFlagGroup) Name

func (f *GlobalFlagGroup) Name() string

func (*GlobalFlagGroup) ToOptions

func (f *GlobalFlagGroup) ToOptions() (GlobalOptions, error)

type GlobalOptions

type GlobalOptions struct {
	ConfigFile            string
	ShowVersion           bool
	Quiet                 bool
	Debug                 bool
	Insecure              bool
	Timeout               time.Duration
	CacheDir              string
	GenerateDefaultConfig bool
}

GlobalOptions defines flags and other configuration parameters for all the subcommands

type ImageFlagGroup

type ImageFlagGroup struct {
	Input               *Flag[string] // local image archive
	ImageConfigScanners *Flag[[]string]
	ScanRemovedPkgs     *Flag[bool]
	Platform            *Flag[string]
	DockerHost          *Flag[string]
	PodmanHost          *Flag[string]
	ImageSources        *Flag[[]string]
}

func NewImageFlagGroup

func NewImageFlagGroup() *ImageFlagGroup

func (*ImageFlagGroup) Flags

func (f *ImageFlagGroup) Flags() []Flagger

func (*ImageFlagGroup) Name

func (f *ImageFlagGroup) Name() string

func (*ImageFlagGroup) ToOptions

func (f *ImageFlagGroup) ToOptions() (ImageOptions, error)

type ImageOptions

type ImageOptions struct {
	Input               string
	ImageConfigScanners types.Scanners
	ScanRemovedPkgs     bool
	Platform            ftypes.Platform
	DockerHost          string
	PodmanHost          string
	ImageSources        ftypes.ImageSources
}

type K8sFlagGroup

type K8sFlagGroup struct {
	KubeConfig             *Flag[string]
	K8sVersion             *Flag[string]
	Tolerations            *Flag[[]string]
	DisableNodeCollector   *Flag[bool]
	NodeCollectorImageRef  *Flag[string]
	NodeCollectorNamespace *Flag[string]
	ExcludeOwned           *Flag[bool]
	SkipImages             *Flag[bool]
	ExcludeNodes           *Flag[[]string]
	ExcludeKinds           *Flag[[]string]
	IncludeKinds           *Flag[[]string]
	ExcludeNamespaces      *Flag[[]string]
	IncludeNamespaces      *Flag[[]string]
	QPS                    *Flag[float64]
	Burst                  *Flag[int]
}

func NewK8sFlagGroup

func NewK8sFlagGroup() *K8sFlagGroup

func (*K8sFlagGroup) Flags

func (f *K8sFlagGroup) Flags() []Flagger

func (*K8sFlagGroup) Name

func (f *K8sFlagGroup) Name() string

func (*K8sFlagGroup) ToOptions

func (f *K8sFlagGroup) ToOptions() (K8sOptions, error)

type K8sOptions

type K8sOptions struct {
	KubeConfig             string
	K8sVersion             string
	Tolerations            []corev1.Toleration
	NodeCollectorImageRef  string
	NodeCollectorNamespace string
	ExcludeOwned           bool
	DisableNodeCollector   bool
	ExcludeNodes           map[string]string
	ExcludeKinds           []string
	IncludeKinds           []string
	ExcludeNamespaces      []string
	IncludeNamespaces      []string
	QPS                    float32
	SkipImages             bool
	Burst                  int
}

type LicenseFlagGroup

type LicenseFlagGroup struct {
	LicenseFull            *Flag[bool]
	IgnoredLicenses        *Flag[[]string]
	LicenseConfidenceLevel *Flag[float64]

	// License Categories
	LicenseForbidden    *Flag[[]string] // mapped to CRITICAL
	LicenseRestricted   *Flag[[]string] // mapped to HIGH
	LicenseReciprocal   *Flag[[]string] // mapped to MEDIUM
	LicenseNotice       *Flag[[]string] // mapped to LOW
	LicensePermissive   *Flag[[]string] // mapped to LOW
	LicenseUnencumbered *Flag[[]string] // mapped to LOW
}

func NewLicenseFlagGroup

func NewLicenseFlagGroup() *LicenseFlagGroup

func (*LicenseFlagGroup) Flags

func (f *LicenseFlagGroup) Flags() []Flagger

func (*LicenseFlagGroup) Name

func (f *LicenseFlagGroup) Name() string

func (*LicenseFlagGroup) ToOptions

func (f *LicenseFlagGroup) ToOptions() (LicenseOptions, error)

type LicenseOptions

type LicenseOptions struct {
	LicenseFull            bool
	IgnoredLicenses        []string
	LicenseConfidenceLevel float64
	LicenseRiskThreshold   int
	LicenseCategories      map[types.LicenseCategory][]string
}

type MisconfFlagGroup

type MisconfFlagGroup struct {
	IncludeNonFailures     *Flag[bool]
	ResetChecksBundle      *Flag[bool]
	ChecksBundleRepository *Flag[string]

	// Values Files
	HelmValues                 *Flag[[]string]
	HelmValueFiles             *Flag[[]string]
	HelmFileValues             *Flag[[]string]
	HelmStringValues           *Flag[[]string]
	HelmAPIVersions            *Flag[[]string]
	HelmKubeVersion            *Flag[string]
	TerraformTFVars            *Flag[[]string]
	CloudformationParamVars    *Flag[[]string]
	TerraformExcludeDownloaded *Flag[bool]
	MisconfigScanners          *Flag[[]string]
	ConfigFileSchemas          *Flag[[]string]
}

MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.

func NewMisconfFlagGroup

func NewMisconfFlagGroup() *MisconfFlagGroup

func (*MisconfFlagGroup) Flags

func (f *MisconfFlagGroup) Flags() []Flagger

func (*MisconfFlagGroup) Name

func (f *MisconfFlagGroup) Name() string

func (*MisconfFlagGroup) ToOptions

func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error)

type MisconfOptions

type MisconfOptions struct {
	IncludeNonFailures     bool
	ResetChecksBundle      bool
	ChecksBundleRepository string

	// Values Files
	HelmValues              []string
	HelmValueFiles          []string
	HelmFileValues          []string
	HelmStringValues        []string
	HelmAPIVersions         []string
	HelmKubeVersion         string
	TerraformTFVars         []string
	CloudFormationParamVars []string
	TfExcludeDownloaded     bool
	MisconfigScanners       []analyzer.Type
	ConfigFileSchemas       []string
}

type ModuleFlagGroup

type ModuleFlagGroup struct {
	Dir            *Flag[string]
	EnabledModules *Flag[[]string]
}

ModuleFlagGroup defines flags for modules

func NewModuleFlagGroup

func NewModuleFlagGroup() *ModuleFlagGroup

func (*ModuleFlagGroup) Flags

func (f *ModuleFlagGroup) Flags() []Flagger

func (*ModuleFlagGroup) Name

func (f *ModuleFlagGroup) Name() string

func (*ModuleFlagGroup) ToOptions

func (f *ModuleFlagGroup) ToOptions() (ModuleOptions, error)

type ModuleOptions

type ModuleOptions struct {
	ModuleDir      string
	EnabledModules []string
}

type Options

type Options struct {
	GlobalOptions
	AWSOptions
	CacheOptions
	CleanOptions
	DBOptions
	ImageOptions
	K8sOptions
	LicenseOptions
	MisconfOptions
	ModuleOptions
	PackageOptions
	RegistryOptions
	RegoOptions
	RemoteOptions
	RepoOptions
	ReportOptions
	ScanOptions
	SecretOptions
	VulnerabilityOptions

	// Tunnel's version, not populated via CLI flags
	AppVersion string

	// We don't want to allow disabled analyzers to be passed by users, but it is necessary for internal use.
	DisabledAnalyzers []analyzer.Type
	// contains filtered or unexported fields
}

Options holds all the runtime configuration

func (*Options) Align

func (o *Options) Align(f *Flags) error

Align takes consistency of options

func (*Options) CacheOpts

func (o *Options) CacheOpts() cache.Options

CacheOpts returns options for scan cache

func (*Options) ClientScannerOpts

func (o *Options) ClientScannerOpts() client.ScannerOption

func (*Options) FilterOpts

func (o *Options) FilterOpts() result.FilterOptions

FilterOpts returns options for filtering

func (*Options) OutputWriter

func (o *Options) OutputWriter(ctx context.Context) (io.Writer, func() error, error)

OutputWriter returns an output writer. If the output file is not specified, it returns os.Stdout.

func (*Options) RegistryOpts

func (o *Options) RegistryOpts() ftypes.RegistryOptions

RegistryOpts returns options for OCI registries

func (*Options) RemoteCacheOpts

func (o *Options) RemoteCacheOpts() cache.RemoteOptions

RemoteCacheOpts returns options for remote scan cache

func (*Options) SetOutputWriter

func (o *Options) SetOutputWriter(w io.Writer)

SetOutputWriter sets an output writer.

type PackageFlagGroup

type PackageFlagGroup struct {
	IncludeDevDeps   *Flag[bool]
	PkgTypes         *Flag[[]string]
	PkgRelationships *Flag[[]string]
}

PackageFlagGroup composes common package flag structs. These flags affect both SBOM and vulnerability scanning.

func NewPackageFlagGroup

func NewPackageFlagGroup() *PackageFlagGroup

func (*PackageFlagGroup) Flags

func (f *PackageFlagGroup) Flags() []Flagger

func (*PackageFlagGroup) Name

func (f *PackageFlagGroup) Name() string

func (*PackageFlagGroup) ToOptions

func (f *PackageFlagGroup) ToOptions() (PackageOptions, error)

type PackageOptions

type PackageOptions struct {
	IncludeDevDeps   bool
	PkgTypes         []string
	PkgRelationships []ftypes.Relationship
}

type RegistryFlagGroup

type RegistryFlagGroup struct {
	Username      *Flag[[]string]
	Password      *Flag[[]string]
	PasswordStdin *Flag[bool]
	RegistryToken *Flag[string]
}

func NewRegistryFlagGroup

func NewRegistryFlagGroup() *RegistryFlagGroup

func (*RegistryFlagGroup) Flags

func (f *RegistryFlagGroup) Flags() []Flagger

func (*RegistryFlagGroup) Name

func (f *RegistryFlagGroup) Name() string

func (*RegistryFlagGroup) ToOptions

func (f *RegistryFlagGroup) ToOptions() (RegistryOptions, error)

type RegistryOptions

type RegistryOptions struct {
	Credentials   []types.Credential
	RegistryToken string
}

type RegoFlagGroup

type RegoFlagGroup struct {
	IncludeDeprecatedChecks *Flag[bool]
	SkipCheckUpdate         *Flag[bool]
	Trace                   *Flag[bool]
	CheckPaths              *Flag[[]string]
	DataPaths               *Flag[[]string]
	CheckNamespaces         *Flag[[]string]
}

RegoFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.

func NewRegoFlagGroup

func NewRegoFlagGroup() *RegoFlagGroup

func (*RegoFlagGroup) Flags

func (f *RegoFlagGroup) Flags() []Flagger

func (*RegoFlagGroup) Name

func (f *RegoFlagGroup) Name() string

func (*RegoFlagGroup) ToOptions

func (f *RegoFlagGroup) ToOptions() (RegoOptions, error)

type RegoOptions

type RegoOptions struct {
	IncludeDeprecatedChecks bool
	SkipCheckUpdate         bool
	Trace                   bool
	CheckPaths              []string
	DataPaths               []string
	CheckNamespaces         []string
}

type RemoteFlagGroup

type RemoteFlagGroup struct {
	// for client/server
	Token       *Flag[string]
	TokenHeader *Flag[string]
	PathPrefix  *Flag[string]

	// for client
	ServerAddr    *Flag[string]
	CustomHeaders *Flag[[]string]

	// for server
	Listen *Flag[string]
}

RemoteFlagGroup composes common printer flag structs used for commands requiring reporting logic.

func NewClientFlags

func NewClientFlags() *RemoteFlagGroup

func NewServerFlags

func NewServerFlags() *RemoteFlagGroup

func (*RemoteFlagGroup) Flags

func (f *RemoteFlagGroup) Flags() []Flagger

func (*RemoteFlagGroup) Name

func (f *RemoteFlagGroup) Name() string

func (*RemoteFlagGroup) ToOptions

func (f *RemoteFlagGroup) ToOptions() (RemoteOptions, error)

type RemoteOptions

type RemoteOptions struct {
	Token       string
	TokenHeader string

	ServerAddr    string
	Listen        string
	CustomHeaders http.Header

	// Server endpoint: <baseURL>[<prefix>]/<package>.<Service>/<Method> (default prefix: /twirp)
	// e.g., http://localhost:4954/twirp/tunnel.scanner.v1.Scanner/Scan
	PathPrefix string
}

type RepoFlagGroup

type RepoFlagGroup struct {
	Branch *Flag[string]
	Commit *Flag[string]
	Tag    *Flag[string]
}

func NewRepoFlagGroup

func NewRepoFlagGroup() *RepoFlagGroup

func (*RepoFlagGroup) Flags

func (f *RepoFlagGroup) Flags() []Flagger

func (*RepoFlagGroup) Name

func (f *RepoFlagGroup) Name() string

func (*RepoFlagGroup) ToOptions

func (f *RepoFlagGroup) ToOptions() (RepoOptions, error)

type RepoOptions

type RepoOptions struct {
	RepoBranch string
	RepoCommit string
	RepoTag    string
}

type ReportFlagGroup

type ReportFlagGroup struct {
	Format          *Flag[string]
	ReportFormat    *Flag[string]
	Template        *Flag[string]
	DependencyTree  *Flag[bool]
	ListAllPkgs     *Flag[bool]
	IgnoreFile      *Flag[string]
	IgnorePolicy    *Flag[string]
	ExitCode        *Flag[int]
	ExitOnEOL       *Flag[int]
	Output          *Flag[string]
	OutputPluginArg *Flag[string]
	Severity        *Flag[[]string]
	Compliance      *Flag[string]
	ShowSuppressed  *Flag[bool]
}

ReportFlagGroup composes common printer flag structs used for commands requiring reporting logic.

func NewReportFlagGroup

func NewReportFlagGroup() *ReportFlagGroup

func (*ReportFlagGroup) Flags

func (f *ReportFlagGroup) Flags() []Flagger

func (*ReportFlagGroup) Name

func (f *ReportFlagGroup) Name() string

func (*ReportFlagGroup) ToOptions

func (f *ReportFlagGroup) ToOptions() (ReportOptions, error)

type ReportOptions

type ReportOptions struct {
	Format           types.Format
	ReportFormat     string
	Template         string
	DependencyTree   bool
	ListAllPkgs      bool
	IgnoreFile       string
	ExitCode         int
	ExitOnEOL        int
	IgnorePolicy     string
	Output           string
	OutputPluginArgs []string
	Severities       []dbTypes.Severity
	Compliance       spec.ComplianceSpec
	ShowSuppressed   bool
}

type ScanFlagGroup

type ScanFlagGroup struct {
	SkipDirs          *Flag[[]string]
	SkipFiles         *Flag[[]string]
	OfflineScan       *Flag[bool]
	Scanners          *Flag[[]string]
	FilePatterns      *Flag[[]string]
	Slow              *Flag[bool] // deprecated
	Parallel          *Flag[int]
	SBOMSources       *Flag[[]string]
	RekorURL          *Flag[string]
	DetectionPriority *Flag[string]
}

func NewScanFlagGroup

func NewScanFlagGroup() *ScanFlagGroup

func (*ScanFlagGroup) Flags

func (f *ScanFlagGroup) Flags() []Flagger

func (*ScanFlagGroup) Name

func (f *ScanFlagGroup) Name() string

func (*ScanFlagGroup) ToOptions

func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error)

type ScanOptions

type ScanOptions struct {
	Target            string
	SkipDirs          []string
	SkipFiles         []string
	OfflineScan       bool
	Scanners          types.Scanners
	FilePatterns      []string
	Parallel          int
	SBOMSources       []string
	RekorURL          string
	DetectionPriority ftypes.DetectionPriority
}

type SecretFlagGroup

type SecretFlagGroup struct {
	SecretConfig *Flag[string]
}

func NewSecretFlagGroup

func NewSecretFlagGroup() *SecretFlagGroup

func (*SecretFlagGroup) Flags

func (f *SecretFlagGroup) Flags() []Flagger

func (*SecretFlagGroup) Name

func (f *SecretFlagGroup) Name() string

func (*SecretFlagGroup) ToOptions

func (f *SecretFlagGroup) ToOptions() (SecretOptions, error)

type SecretOptions

type SecretOptions struct {
	SecretConfigPath string
}

type VulnerabilityFlagGroup

type VulnerabilityFlagGroup struct {
	IgnoreUnfixed     *Flag[bool]
	IgnoreStatus      *Flag[[]string]
	VEX               *Flag[[]string]
	SkipVEXRepoUpdate *Flag[bool]
}

func NewVulnerabilityFlagGroup

func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup

func (*VulnerabilityFlagGroup) Flags

func (f *VulnerabilityFlagGroup) Flags() []Flagger

func (*VulnerabilityFlagGroup) Name

func (f *VulnerabilityFlagGroup) Name() string

func (*VulnerabilityFlagGroup) ToOptions

type VulnerabilityOptions

type VulnerabilityOptions struct {
	IgnoreStatuses    []dbTypes.Status
	VEXSources        []vex.Source
	SkipVEXRepoUpdate bool
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL