Our usage of the `flags` package was struggling with the amount of functionality introduced over the past several months.

This PR moves to the `urfave/cli` package for the CLI functionality and focuses on:

- Global flags
- Making `scan` and `diff` commands
- Adding command-level flags for `scan`

The changes in this PR will be breaking (as evidenced by the updated `refresh-testdata.sh` script); however, there is some flexibility around specifying the `scan` flags. Omitting the flags will default to the original path scanning behavior (i.e., non-image scans). Otherwise, specifying `-i` will scan OCI images and `-p` will scan a local file path.
To view the flags:

```
$ bincapz -h
NAME:
   bincapz - Detect malicious program behaviors

USAGE:
   bincapz <flags> [diff, scan] <path>

VERSION:
   bincapz v0.19.0

COMMANDS:
   diff     scan and diff two paths
   scan     scan an image or path
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --all                      Ignore nothing within a provided scan path (default: false)
   --err-first-miss           Exit with error if scan source has no matching capabilities (default: false)
   --err-first-hit            Exit with error if scan source has matching capabilities (default: false)
   --format value             Output format (json, markdown, simple, terminal, yaml) (default: "terminal")
   --ignore-self              Ignore the bincapz binary (default: true)
   --ignore-tags value        Rule tags to ignore
   --include-data-files       Include files that are detected as non-program (binary or source) files (default: false)
   --jobs value, -j value     Concurrently scan files within target scan paths (default: 12)
   --min-file-level value     Obsoleted by --min-file-risk (default: -1)
   --min-file-risk value      Only show results for files which meet the given risk level (any, low, medium, high, critical) (default: "low")
   --min-level value          Obsoleted by --min-risk (default: -1)
   --min-risk value           Only show results which meet the given risk level (any, low, medium, high, critical) (default: "low")
   --output value, -o value   Write output to specified file instead of stdout
   --profile, -p              Generate profile and trace files (default: false)
   --quantity-increases-risk  Increase file risk score based on behavior quantity (default: true)
   --stats, -s                Show scan statistics (default: false)
   --third-party              Include third-party rules which may have licensing restrictions (default: true)
   --verbose                  Emit verbose logging messages to stderr (default: false)
   --help, -h                 show help
   --version, -v              print the version
```

To view command help:

```
$ bincapz diff -h
NAME:
   bincapz diff - scan and diff two paths

USAGE:
   bincapz diff [command options]

OPTIONS:
   --help, -h  show help
```

```
$ bincapz scan -h
NAME:
   bincapz scan - scan an image or path

USAGE:
   bincapz scan [command options]

OPTIONS:
   --image value, -i value  Scan an image
   --path value, -p value   Scan a file path
   --help, -h               show help
```