CLI | Container Security filter flags (AST-82260)

internal/commands/scan.go

@@ -53,50 +53,54 @@ const (
 	notExploitable    = "NOT_EXPLOITABLE"
 	ignored           = "IGNORED"
 
-	git                             = "git"
-	invalidSSHSource                = "provided source does not need a key. Make sure you are defining the right source or remove the flag --ssh-key"
-	errorUnzippingFile              = "an error occurred while unzipping file. Reason: "
-	containerRun                    = "run"
-	containerVolumeFlag             = "-v"
-	containerNameFlag               = "--name"
-	containerRemove                 = "--rm"
-	containerImage                  = "checkmarx/kics:v2.1.3"
-	containerScan                   = "scan"
-	containerScanPathFlag           = "-p"
-	containerScanPath               = "/path"
-	containerScanOutputFlag         = "-o"
-	containerScanOutput             = "/path"
-	containerScanFormatFlag         = "--report-formats"
-	containerScanFormatOutput       = "json"
-	containerStarting               = "Starting kics container"
-	containerFormatInfo             = "The report format and output path cannot be overridden."
-	containerFolderRemoving         = "Removing folder in temp"
-	containerCreateFolderError      = "Error creating temporary directory"
-	containerWriteFolderError       = " Error writing file to temporary directory"
-	containerFileSourceMissing      = "--file is required for kics-realtime command"
-	containerFileSourceIncompatible = ". Provided file is not supported by kics"
-	containerFileSourceError        = " Error reading file"
-	containerResultsFileFormat      = "%s/results.json"
-	containerVolumeFormat           = "%s:/path"
-	containerTempDirPattern         = "kics"
-	kicsContainerPrefixName         = "cli-kics-realtime-"
-	cleanupMaxRetries               = 3
-	cleanupRetryWaitSeconds         = 15
-	DanglingSymlinkError            = "Skipping dangling symbolic link"
-	configFilterKey                 = "filter"
-	configFilterPlatforms           = "platforms"
-	configIncremental               = "incremental"
-	configFastScan                  = "fastScanMode"
-	configPresetName                = "presetName"
-	configEngineVerbose             = "engineVerbose"
-	configLanguageMode              = "languageMode"
-	resultsMapValue                 = "value"
-	resultsMapType                  = "type"
-	trueString                      = "true"
-	configTwoms                     = "2ms"
-	falseString                     = "false"
-	maxPollingWaitTime              = 60
-	engineNotAllowed                = "It looks like the \"%s\" scan type does not exist or you are trying to run a scan without the \"%s\" package license." +
+	git                                     = "git"
+	invalidSSHSource                        = "provided source does not need a key. Make sure you are defining the right source or remove the flag --ssh-key"
+	errorUnzippingFile                      = "an error occurred while unzipping file. Reason: "
+	containerRun                            = "run"
+	containerVolumeFlag                     = "-v"
+	containerNameFlag                       = "--name"
+	containerRemove                         = "--rm"
+	containerImage                          = "checkmarx/kics:v2.1.3"
+	containerScan                           = "scan"
+	containerScanPathFlag                   = "-p"
+	containerScanPath                       = "/path"
+	containerScanOutputFlag                 = "-o"
+	containerScanOutput                     = "/path"
+	containerScanFormatFlag                 = "--report-formats"
+	containerScanFormatOutput               = "json"
+	containerStarting                       = "Starting kics container"
+	containerFormatInfo                     = "The report format and output path cannot be overridden."
+	containerFolderRemoving                 = "Removing folder in temp"
+	containerCreateFolderError              = "Error creating temporary directory"
+	containerWriteFolderError               = " Error writing file to temporary directory"
+	containerFileSourceMissing              = "--file is required for kics-realtime command"
+	containerFileSourceIncompatible         = ". Provided file is not supported by kics"
+	containerFileSourceError                = " Error reading file"
+	containerResultsFileFormat              = "%s/results.json"
+	containerVolumeFormat                   = "%s:/path"
+	containerTempDirPattern                 = "kics"
+	kicsContainerPrefixName                 = "cli-kics-realtime-"
+	cleanupMaxRetries                       = 3
+	cleanupRetryWaitSeconds                 = 15
+	DanglingSymlinkError                    = "Skipping dangling symbolic link"
+	configFilterKey                         = "filter"
+	configFilterPlatforms                   = "platforms"
+	configIncremental                       = "incremental"
+	configFastScan                          = "fastScanMode"
+	configPresetName                        = "presetName"
+	configEngineVerbose                     = "engineVerbose"
+	configLanguageMode                      = "languageMode"
+	configContainersFilesFilterKey          = "filesFilter"
+	configContainersImagesFilterKey         = "imagesFilter"
+	configContainersPackagesFilterKey       = "packagesFilter"
+	configContainersNonFinalStagesFilterKey = "nonFinalStagesFilter"
+	resultsMapValue                         = "value"
+	resultsMapType                          = "type"
+	trueString                              = "true"
+	configTwoms                             = "2ms"
+	falseString                             = "false"
+	maxPollingWaitTime                      = 60
+	engineNotAllowed                        = "It looks like the \"%s\" scan type does not exist or you are trying to run a scan without the \"%s\" package license." +
 		"\nTo use this feature, you would need to purchase a license." +
 		"\nPlease contact our support team for assistance if you believe you have already purchased a license." +
 		"\nLicensed packages: %s"
@@ -657,6 +661,12 @@ func scanCreateSubCommand(
 	createScanCmd.PersistentFlags().String(commonParams.SCSEnginesFlag, "", "Specify which scs engines will run (default: all licensed engines)")
 	createScanCmd.PersistentFlags().Bool(commonParams.ScaHideDevAndTestDepFlag, false, scaHideDevAndTestDepFlagDescription)
 
+	// Container config flags
+	createScanCmd.PersistentFlags().String(commonParams.ContainersFileFolderFilterFlag, "", "Filter files and folders to scan in the container")
+	createScanCmd.PersistentFlags().String(commonParams.ContainersPackageFilterFlag, "", "Filter packages to scan in the container")
+	createScanCmd.PersistentFlags().Bool(commonParams.ContainersExcludeNonFinalStagesFlag, false, "Exclude non-final stages from the container scan")
+	createScanCmd.PersistentFlags().String(commonParams.ContainersImageTagFilterFlag, "", "Filter image tags to scan in the container")
+
 	return createScanCmd
 }
 
@@ -764,7 +774,7 @@ func setupScanTypeProjectAndConfig(
 	if apiSecConfig != nil {
 		configArr = append(configArr, apiSecConfig)
 	}
-	var containersConfig = addContainersScan(containerEngineCLIEnabled.Status)
+	var containersConfig = addContainersScan(cmd, resubmitConfig, containerEngineCLIEnabled.Status)
 	if containersConfig != nil {
 		configArr = append(configArr, containersConfig)
 	}
@@ -935,19 +945,61 @@ func addScaScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasContain
 	return nil
 }
 
-func addContainersScan(containerEngineCLIEnabled bool) map[string]interface{} {
+func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, containerEngineCLIEnabled bool) map[string]interface{} {
 	if !scanTypeEnabled(commonParams.ContainersType) || !containerEngineCLIEnabled {
 		return nil
 	}
 	containerMapConfig := make(map[string]interface{})
 	containerMapConfig[resultsMapType] = commonParams.ContainersType
-
 	containerConfig := wrappers.ContainerConfig{}
 
+	initializeContainersConfigWithResubmitValues(resubmitConfig, &containerConfig)
+
+	fileFolderFilter, _ := cmd.PersistentFlags().GetString(commonParams.ContainersFileFolderFilterFlag)
+	if fileFolderFilter != "" {
+		containerConfig.FilesFilter = fileFolderFilter
+	}
+	packageFilter, _ := cmd.PersistentFlags().GetString(commonParams.ContainersPackageFilterFlag)
+	if packageFilter != "" {
+		containerConfig.PackagesFilter = packageFilter
+	}
+	excludeNonFinalStages, _ := cmd.PersistentFlags().GetBool(commonParams.ContainersExcludeNonFinalStagesFlag)
+	if cmd.PersistentFlags().Changed(commonParams.ContainersExcludeNonFinalStagesFlag) {
+		containerConfig.NonFinalStagesFilter = strconv.FormatBool(excludeNonFinalStages)
+	}
+	imageTagFilter, _ := cmd.Flags().GetString(commonParams.ContainersImageTagFilterFlag)
+	if imageTagFilter != "" {
+		containerConfig.ImagesFilter = imageTagFilter
+	}
+
 	containerMapConfig[resultsMapValue] = &containerConfig
 	return containerMapConfig
 }
 
+func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Config, containerConfig *wrappers.ContainerConfig) {
+	for _, config := range resubmitConfig {
+		if config.Type != commonParams.ContainersType {
+			continue
+		}
+		resubmitFilesFilter := config.Value[configContainersFilesFilterKey]
+		if resubmitFilesFilter != nil && containerConfig.FilesFilter == "" {
+			containerConfig.FilesFilter = resubmitFilesFilter.(string)
+		}
+		resubmitPackagesFilter := config.Value[configContainersPackagesFilterKey]
+		if resubmitPackagesFilter != nil && containerConfig.PackagesFilter == "" {
+			containerConfig.PackagesFilter = resubmitPackagesFilter.(string)
+		}
+		resubmitNonFinalStagesFilter := config.Value[configContainersNonFinalStagesFilterKey]
+		if resubmitNonFinalStagesFilter != nil && containerConfig.NonFinalStagesFilter == "" {
+			containerConfig.NonFinalStagesFilter = resubmitNonFinalStagesFilter.(string)
+		}
+		resubmitImagesFilter := config.Value[configContainersImagesFilterKey]
+		if resubmitImagesFilter != nil && containerConfig.ImagesFilter == "" {
+			containerConfig.ImagesFilter = resubmitImagesFilter.(string)
+		}
+	}
+}
+
 func addAPISecScan(cmd *cobra.Command) map[string]interface{} {
 	if scanTypeEnabled(commonParams.APISecurityType) {
 		apiSecMapConfig := make(map[string]interface{})

internal/params/flags.go

@@ -207,6 +207,12 @@ const (
 	// SCS (Github)
 	SCSRepoTokenFlag = "scs-repo-token"
 	SCSRepoURLFlag   = "scs-repo-url"
+
+	// Containers Config Flags
+	ContainersFileFolderFilterFlag      = "containers-file-folder-filter"
+	ContainersImageTagFilterFlag        = "containers-image-tag-filter"
+	ContainersPackageFilterFlag         = "containers-package-filter"
+	ContainersExcludeNonFinalStagesFlag = "containers-exclude-non-final-stages"
 )
 
 // Parameter values

internal/wrappers/scans.go

@@ -142,6 +142,10 @@ type ScaConfig struct {
 	EnableContainersScan  bool   `json:"enableContainersScan,omitempty"`
 }
 type ContainerConfig struct {
+	FilesFilter          string `json:"filesFilter,omitempty"`
+	ImagesFilter         string `json:"imagesFilter,omitempty"`
+	PackagesFilter       string `json:"packagesFilter,omitempty"`
+	NonFinalStagesFilter string `json:"nonFinalStagesFilter,omitempty"`
 }
 type APISecConfig struct {
 	SwaggerFilter string `json:"swaggerFilter,omitempty"`