add root path option and update triage mode support; update README and Docker helper scripts for clarity

Author: codeyourweb

README.md

@@ -104,10 +104,9 @@ fastfinder [OPTIONS]
 | `-h, --help` | Print help information | |
 | `-c, --configuration` | Configuration file path | |
 | `-b, --build` | Create standalone binary with embedded config | |
-| `-o, --output` | Output log file path | |
-| `-n, --no-window` | Hide application window | `false` |
-| `-u, --no-userinterface` | Disable advanced UI | `false` |
-| `-v, --verbosity` | Log verbosity level (1-4) | `3` |
+| `-r, --root` | Scan root path (override drive enumeration) | |
+| `-s, --silent` | Silent mode - run without any visible window or console | |
+| `-v, --verbosity` | Log verbosity level (1-5) | `3` |
 | `-t, --triage` | Continuous monitoring mode | `false` |
 
 ### Verbosity Levels
@@ -127,11 +126,8 @@ fastfinder [OPTIONS]
 # Continuous monitoring mode
 ./fastfinder -c config.yaml -t
 
-# Silent mode with file output
-./fastfinder -c config.yaml -n -o scan_results.log
-
 # Create standalone executable
-./fastfinder -b standalone_scanner.exe
+./fastfinder -c config.yaml -b standalone_scanner.exe
 ```
 
 > 💡 **Tip**: FastFinder can run with standard user privileges, but administrative rights provide access to all system files.

docker/docker-helper.ps1

@@ -41,6 +41,7 @@ Commands:
     build-runtime      Build the runtime image (FastFinder inside container)
     run-runtime        Run FastFinder inside a container named "runtime"
                          (add -Interactive to drop into shell instead of running the scan)
+                         (add -Triage for continuous monitoring mode)
   clean              Remove Docker build cache
   help               Show this help message
 
@@ -60,9 +61,15 @@ Examples:
     # Run FastFinder inside a privileged container named "runtime"
         .\docker-helper.ps1 run-runtime -ConfigPath ./examples/ -ScanPath /your/root/path
 
+    # Run with specific config file (YARA rules must be in same directory)
+    .\docker-helper.ps1 run-runtime -ConfigPath "C:\scans\my_config.yaml" -ScanPath "C:\target"
+
     # Start runtime container in interactive shell (no scan)
     .\docker-helper.ps1 run-runtime -Interactive
 
+    # Run in triage mode (continuous monitoring)
+    .\docker-helper.ps1 run-runtime -ConfigPath "C:\scans\my_config.yaml" -ScanPath "C:\target" -Triage
+
   # Clean up Docker build cache
   .\docker-helper.ps1 clean
 
@@ -188,7 +195,8 @@ function Run-Runtime {
     param(
         [string]$ConfigPath = "$ProjectRoot/examples",
         [string]$ScanPath = "$ProjectRoot",
-        [switch]$Interactive
+        [switch]$Interactive,
+        [switch]$Triage
     )
 
     # Ensure runtime image exists; build if missing
@@ -216,10 +224,12 @@ function Run-Runtime {
     if ($configIsDir) {
         # Mount directory; expect config.yml inside
         $HostConfigDir = $ResolvedConfig
+        Write-Info "Config mode: directory mounting - looking for config.yml in $ResolvedConfig"
     } else {
         # Mount parent dir; keep config filename
         $HostConfigDir = Split-Path $ResolvedConfig
         $configFileInContainer = "/config/" + (Split-Path $ResolvedConfig -Leaf)
+        Write-Info "Config mode: file mounting - using $(Split-Path $ResolvedConfig -Leaf) from $HostConfigDir"
     }
 
     # Allow Linux-style scan paths (e.g. /host) without Windows Test-Path check
@@ -246,6 +256,10 @@ function Run-Runtime {
         $commandArgs = @()
     } else {
         $commandArgs = @("-c", $configFileInContainer)
+        if ($Triage) {
+            $commandArgs += "-t"
+            Write-Info "Triage mode enabled - continuous monitoring active"
+        }
     }
 
     docker run `
@@ -266,13 +280,32 @@ function Run-Runtime {
 
 # Clean up Docker build cache
 function Clean-Docker {
-    Write-Warning "Cleaning up Docker build cache..."
+    Write-Warning "Cleaning up FastFinder Docker resources..."
+    
+    # Remove FastFinder runtime containers
+    Write-Info "Removing FastFinder containers..."
+    $containers = docker ps -a --filter "name=runtime" --format "{{.ID}}"
+    if ($containers) {
+        docker rm -f $containers 2>$null | Out-Null
+        Write-Success "Removed FastFinder containers"
+    } else {
+        Write-Info "No FastFinder containers found"
+    }
+    
+    # Remove FastFinder images
+    Write-Info "Removing FastFinder images..."
+    $images = docker images --filter "reference=fastfinder:*" --format "{{.ID}}"
+    if ($images) {
+        docker rmi -f $images 2>$null | Out-Null
+        Write-Success "Removed FastFinder images"
+    } else {
+        Write-Info "No FastFinder images found"
+    }
 
-    # Prune build cache
-    Write-Info "Pruning Docker build cache..."
-    docker builder prune -f
+    # Optional: prune all build cache (affects all projects!)
+    Write-Warning "To clean ALL Docker build cache (all projects), run: docker builder prune -f"
 
-    Write-Success "Cleanup complete!"
+    Write-Success "FastFinder cleanup complete!"
 }
 
 # Main logic

docker/docker-helper.sh

@@ -43,7 +43,10 @@ Commands:
   build-binaries     Build Linux and Windows binaries with YARA
   build-linux        Build Linux binary with YARA support
   build-windows      Build Windows binary with YARA support
-  clean              Remove Docker build cache
+  build-runtime      Build the runtime image (FastFinder inside container)
+  run-runtime        Run FastFinder inside a container named "runtime"
+                     Options: --config=PATH --scan=PATH --interactive --triage
+  clean              Remove FastFinder Docker resources
   help               Show this help message
 
 Examples:
@@ -56,7 +59,22 @@ Examples:
   # Build only Windows binary
   $0 build-windows
 
-  # Clean up Docker build cache
+  # Build runtime image
+  $0 build-runtime
+
+  # Run FastFinder in container with config directory
+  $0 run-runtime --config=/path/to/config --scan=/data
+
+  # Run with specific config file
+  $0 run-runtime --config=/path/to/config.yaml --scan=/data
+
+  # Interactive shell mode
+  $0 run-runtime --interactive
+
+  # Triage mode (continuous monitoring)
+  $0 run-runtime --config=/path/to/config --scan=/data --triage
+
+  # Clean up FastFinder Docker resources
   $0 clean
 
 For more details, see docker/README.md
@@ -149,15 +167,141 @@ build_windows() {
     fi
 }
 
+# Build runtime image
+build_runtime() {
+    print_info "Building FastFinder runtime image..."
+    
+    cd "$PROJECT_ROOT"
+    
+    docker build \
+        -f docker/Dockerfile.runtime \
+        -t fastfinder:runtime \
+        .
+    
+    print_success "Runtime image built as fastfinder:runtime"
+}
+
+# Run FastFinder in runtime container
+run_runtime() {
+    local config_path="$PROJECT_ROOT/examples"
+    local scan_path="$PROJECT_ROOT"
+    local interactive=false
+    local triage=false
+    
+    # Parse arguments
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            --config=*)
+                config_path="${1#*=}"
+                shift
+                ;;
+            --scan=*)
+                scan_path="${1#*=}"
+                shift
+                ;;
+            --interactive)
+                interactive=true
+                shift
+                ;;
+            --triage)
+                triage=true
+                shift
+                ;;
+            *)
+                print_error "Unknown option: $1"
+                return 1
+                ;;
+        esac
+    done
+    
+    # Ensure runtime image exists
+    if ! docker image inspect fastfinder:runtime >/dev/null 2>&1; then
+        build_runtime
+    fi
+    
+    # Check config path exists
+    if [ ! -e "$config_path" ]; then
+        print_error "Config path not found: $config_path"
+        return 1
+    fi
+    
+    # Resolve paths
+    config_path=$(realpath "$config_path")
+    
+    local config_file_in_container="/config/config.yml"
+    local host_config_dir
+    
+    if [ -d "$config_path" ]; then
+        host_config_dir="$config_path"
+        print_info "Config mode: directory mounting - looking for config.yml in $config_path"
+    else
+        host_config_dir=$(dirname "$config_path")
+        config_file_in_container="/config/$(basename "$config_path")"
+        print_info "Config mode: file mounting - using $(basename "$config_path") from $host_config_dir"
+    fi
+    
+    # Resolve scan path if not Linux-style
+    if [[ ! "$scan_path" =~ ^/ ]]; then
+        if [ ! -e "$scan_path" ]; then
+            print_error "Scan path not found: $scan_path"
+            return 1
+        fi
+        scan_path=$(realpath "$scan_path")
+    fi
+    
+    print_info "Running FastFinder in container 'runtime' (privileged for drive discovery)..."
+    
+    # Remove existing container if present
+    docker rm -f runtime >/dev/null 2>&1 || true
+    
+    # Build docker run command
+    local docker_cmd=(docker run --rm -it --name runtime --privileged --pid=host)
+    docker_cmd+=(--cap-add SYS_ADMIN --cap-add SYS_RAWIO)
+    docker_cmd+=(-e "FASTFINDER_DISABLE_MUTEX=1")
+    docker_cmd+=(-v "${host_config_dir}:/config")
+    docker_cmd+=(-v "${scan_path}:/scan:ro")
+    
+    if [ "$interactive" = true ]; then
+        docker_cmd+=(--entrypoint /bin/bash fastfinder:runtime)
+    else
+        docker_cmd+=(fastfinder:runtime -c "$config_file_in_container")
+        if [ "$triage" = true ]; then
+            docker_cmd+=(-t)
+            print_info "Triage mode enabled - continuous monitoring active"
+        fi
+    fi
+    
+    "${docker_cmd[@]}"
+}
+
 # Clean up Docker build cache
 clean_docker() {
-    print_warning "Cleaning up Docker build cache..."
+    print_warning "Cleaning up FastFinder Docker resources..."
+    
+    # Remove FastFinder runtime containers
+    print_info "Removing FastFinder containers..."
+    local containers=$(docker ps -a --filter "name=runtime" --format "{{.ID}}" 2>/dev/null || true)
+    if [ -n "$containers" ]; then
+        docker rm -f $containers >/dev/null 2>&1 || true
+        print_success "Removed FastFinder containers"
+    else
+        print_info "No FastFinder containers found"
+    fi
 
-    # Prune build cache
-    print_info "Pruning Docker build cache..."
-    docker builder prune -f
+    # Remove FastFinder images
+    print_info "Removing FastFinder images..."
+    local images=$(docker images --filter "reference=fastfinder:*" --format "{{.ID}}" 2>/dev/null || true)
+    if [ -n "$images" ]; then
+        docker rmi -f $images >/dev/null 2>&1 || true
+        print_success "Removed FastFinder images"
+    else
+        print_info "No FastFinder images found"
+    fi
+    
+    # Optional: prune all build cache (affects all projects!)
+    print_warning "To clean ALL Docker build cache (all projects), run: docker builder prune -f"
 
-    print_success "Cleanup complete!"
+    print_success "FastFinder cleanup complete!"
 }
 
 # Main logic
@@ -171,6 +315,13 @@ case "${1:-help}" in
     build-windows)
         build_windows
         ;;
+    build-runtime)
+        build_runtime
+        ;;
+    run-runtime)
+        shift
+        run_runtime "$@"
+        ;;
     clean)
         clean_docker
         ;;

finder.go

@@ -166,13 +166,15 @@ func CheckFileChecksumAndContent(path string, content []byte, hashList []string,
 
 // checkForChecksum calculate content checksum and check if it is in hashlist
 func checkForChecksum(path string, content []byte, hashList []string) (matchingFiles []string) {
+	LogMessage(LOG_VERBOSE, "(SCAN)", "Calculating checksums for", path)
 	var hashs []string
 	hashs = append(hashs, fmt.Sprintf("%x", md5.Sum(content)))
 	hashs = append(hashs, fmt.Sprintf("%x", sha1.Sum(content)))
 	hashs = append(hashs, fmt.Sprintf("%x", sha256.Sum256(content)))
 
 	for _, c := range hashs {
 		if Contains(hashList, c) && !Contains(matchingFiles, path) {
+			LogMessage(LOG_ALERT, "(ALERT)", "Checksum match:", c, "in", path)
 			matchingFiles = append(matchingFiles, path)
 		}
 	}
@@ -182,8 +184,10 @@ func checkForChecksum(path string, content []byte, hashList []string) (matchingF
 
 // checkForStringPattern check if file content matches any specified pattern
 func checkForStringPattern(path string, content []byte, patterns []string) (matchingFiles []string) {
+	LogMessage(LOG_VERBOSE, "(SCAN)", "Checking grep patterns in", path)
 	for _, expression := range patterns {
 		if strings.Contains(string(content), expression) {
+			LogMessage(LOG_ALERT, "(ALERT)", "Grep match:", expression, "in", path)
 			matchingFiles = append(matchingFiles, path)
 		}
 	}