Merge pull request #55 from rapidfort/52-add-buildah-opt

Add --buildah-opt

Author: eve-rf

CHANGELOG.md

@@ -8,12 +8,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- Added `--buildah-opt` to pass arguments directly to Buildah
 - Added `--export-cache` and `--import-cache` flags for BuildKit advanced caching.
+
 ### Changed
 
 ### Fixed
 - Temporary build directories are now cleaned up on failed builds
 - fixed bug where digest file was not being created when --no-push is set
+
 ### Removed
 
 ## [1.0.23] - 2026-02-18

README.md

@@ -299,6 +299,7 @@ Kimia supports a comprehensive set of command-line arguments. Key options includ
 | Argument | Description |
 |----------|-------------|
 | `--buildkit-opt` | Pass options directly to BuildKit |
+| `--buildah-opt` | Pass additional flags to Buildah |
 
 **Full reference:** See [CLI Reference](docs/cli-reference.md) for complete documentation.
 

docs/cli-reference.md

@@ -507,6 +507,19 @@ kimia --context=. \
   --buildkit-opt=platform=linux/amd64,linux/arm64
 ```
 
+### Buildah Options
+
+| Argument | Description | Example |
+|----------|-------------|---------|
+| `--buildah-opt` | Pass options directly to Buildah | `--buildah-opt "--squash"` |
+
+
+```bash
+# Squash all layers into one
+kimia --context=. \
+  --destination=registry.io/myapp:latest \
+  --buildah-opt "--squash"
+
 ### Storage Driver
 
 Kimia supports two storage drivers:

src/cmd/kimia/args.go

@@ -23,6 +23,7 @@ func parseArgs(args []string) *Config {
 		ImportCache:        []string{},            // BuildKit --import-cache options
 		CosignKeyPath:      "/etc/cosign/cosign.key",
 		CosignPasswordEnv:  "COSIGN_PASSWORD",
+		BuildahOpts:        []string{}, // Direct Buildah bud options
 	}
 
 	// If no arguments provided, show help
@@ -384,6 +385,18 @@ func parseArgs(args []string) *Config {
 				logger.Fatal("--cosign-password-env requires a value")
 			}
 
+		case "--buildah-opt":
+			var optStr string
+			if value != "" {
+				optStr = value
+			} else if i+1 < len(args) {  // no HasPrefix guard — value may start with -
+				i++
+				optStr = args[i]
+			} else {
+				logger.Fatal("--buildah-opt requires a value")
+			}
+			config.BuildahOpts = append(config.BuildahOpts, optStr)
+
 		default:
 			if !strings.HasPrefix(arg, "-") {
 				logger.Warning("Unexpected argument: %s", arg)

src/cmd/kimia/config.go

@@ -66,11 +66,14 @@ type Config struct {
 
 	// Level 3: Direct BuildKit options (escape hatch)
 	BuildKitOpts []string // Raw --opt values to pass to buildctl
-	
+
 	// Signing
 	Sign              bool   // Enable cosign signing
 	CosignKeyPath     string // Path to cosign private key
 	CosignPasswordEnv string // Environment variable for cosign password
+
+	// Direct Buildah options
+	BuildahOpts []string // Raw --opt values to pass to buildah bud
 }
 
 // AttestationConfig represents a single --attest flag

src/cmd/kimia/help.go

@@ -33,6 +33,14 @@ func printHelp() {
 	fmt.Println("  --no-push                             Build only, skip push")
 	fmt.Println("  --cache                               Enable layer caching")
 	fmt.Println("  --cache-dir PATH                      Cache directory path")
+	if build.DetectBuilder() == "buildah" {
+			fmt.Println("BUILDAH OPTIONS:")
+			fmt.Println("  --buildah-opt \"FLAG [VALUE]\"          Pass additional flags to buildah bud (Buildah only, repeatable)")
+			fmt.Println("                                        Values cannot contain shell metacharacters")
+			fmt.Println("                                        (;, &, |, etc.).")
+			fmt.Println("                                        Example: --buildah-opt \"--squash\"")
+			fmt.Println()
+		}
 	if build.DetectBuilder() == "buildkit" {
 		fmt.Println("  --export-cache SPEC                   Export build cache (BuildKit only, repeatable)")
 		fmt.Println("                                        Examples:")

src/cmd/kimia/main.go

@@ -226,6 +226,7 @@ func run(config *Config, builder string) error {
 		Sign:                       config.Sign,
 		CosignKeyPath:              config.CosignKeyPath,
 		CosignPasswordEnv:          config.CosignPasswordEnv,
+		BuildahOpts:                config.BuildahOpts,
 	}
 
 	// Execute build

src/internal/build/builder.go

@@ -71,6 +71,9 @@ type Config struct {
 	Sign              bool   // Enable signing with cosign
 	CosignKeyPath     string // Path to cosign private key
 	CosignPasswordEnv string // Environment variable for cosign password
+
+	// Direct Buildah options
+	BuildahOpts []string
 }
 
 // AttestationConfig represents a single --attest flag
@@ -125,6 +128,11 @@ func executeBuildah(config Config, ctx *Context) error {
 		logger.Debug("Running as non-root (UID %d) - using chroot isolation with user namespaces", os.Getuid())
 	}
 
+	// Warn if --buildkit-opt was passed — these are ignored by Buildah
+	if len(config.BuildKitOpts) > 0 {
+		logger.Warning("--buildkit-opt flags are ignored when using Buildah backend: %v", config.BuildKitOpts)
+	}
+
 	logger.Info("Starting buildah build...")
 
 	// ========================================
@@ -262,13 +270,35 @@ func executeBuildah(config Config, ctx *Context) error {
 		args = append(args, "-t", dest)
 	}
 
+	// ========================================
+	// Pass-through args — must be added before ctx.Path
+	// ========================================
+	// Supports both "--flag=value" and "--flag value" (e.g. Buildah's --sbom flags).
+	// Each --buildah-opt is split into at most two tokens; validateBuildahInputs
+	// enforces that the flag name portion contains no dangerous characters.
+	for _, opt := range config.BuildahOpts {
+		parts := strings.SplitN(opt, " ", 2)
+		if len(parts) == 2 {
+			args = append(args, parts[0], parts[1])
+		} else {
+			args = append(args, parts[0])
+		}
+	}
+
 	// Add context path
 	args = append(args, ctx.Path)
 
 	// Log the command
-	logger.Debug("Buildah command: buildah %s", strings.Join(args, " "))
+	logger.Debug("Buildah command: buildah %s", strings.Join(sanitizeCommandArgs(args), " "))
 
 	// Execute buildah
+	// #nosec G204 -- all args validated by validateBuildahInputs:
+	//   - BuildahOpts: flag name validated by ValidateBuildctlArg (null bytes,
+	//     shell metacharacters); value portion checked for null bytes only since
+	//     scanner commands and paths may contain characters the general validator
+	//     would reject; conflict-checked against Kimia-managed flags
+	//   - All other args (dockerfile, build-arg, label, dest) are Kimia-constructed
+	//     from validated inputs
 	cmd := exec.Command("buildah", args...)
 	var stdoutBuf, stderrBuf bytes.Buffer
 	cmd.Stdout = io.MultiWriter(os.Stdout, &stdoutBuf)
@@ -482,18 +512,97 @@ func validateBuildahInputs(config Config, ctx *Context) error {
 			homeDir = "/home/kimia"
 		}
 		homeDir = filepath.Clean(homeDir)
-		
+
 		if err := validation.ValidatePathWithinBase(config.TarPath, homeDir); err != nil {
 			return fmt.Errorf("invalid tar path: %v", err)
 		}
 	}
 
+	// Flags already managed explicitly by Kimia.
+	// IMPORTANT: If new flags are added to executeBuildah, add them here too.
+	conflictingFlags := map[string]string{
+		"-f":                  "use -f/--dockerfile instead",
+		"--file":              "use -f/--dockerfile instead",
+		"--build-arg":         "use --build-arg instead",
+		"--label":             "use --label instead",
+		"--target":            "use -t/--target instead",
+		"--platform":          "use --custom-platform instead",
+		"--timestamp":         "use --timestamp or --reproducible instead",
+		"--source-date-epoch": "use --timestamp or --reproducible instead",
+		// Don't prevent users from overriding --tls-verify
+		//"--tls-verify":        "use --insecure or --insecure-registry instead",
+		"--retry":             "use --image-download-retry instead",
+		"-t":                  "use -d/--destination instead",
+		"--tag":               "use -d/--destination instead",
+		"--no-cache":          "use --cache=false instead",
+		"--layers":            "use --cache instead",
+		// Security-sensitive flags managed implicitly by Kimia via BUILDAH_ISOLATION=chroot
+		"--isolation":         "isolation is managed by Kimia (chroot)",
+		"--userns":            "user namespace configuration is managed by Kimia",
+		"--userns-uid-map":    "user namespace configuration is managed by Kimia",
+		"--userns-gid-map":    "user namespace configuration is managed by Kimia",
+		"--cap-add":           "capability management is outside Kimia's scope",
+		"--cap-drop":          "capability management is outside Kimia's scope",
+		"--security-opt":      "security options are managed by Kimia",
+		"--privileged":        "privileged mode is not supported by Kimia",
+	}
+
+	for i, opt := range config.BuildahOpts {
+		opt = strings.TrimSpace(opt)
+
+		if opt == "" {
+			return fmt.Errorf("--buildah-opt value %d is empty", i)
+		}
+
+		// Split into at most two tokens: "--flag" and optional "value".
+		// This matches the split logic in executeBuildah and correctly handles
+		// both "--flag=value" and "--flag value" (e.g. Buildah's --sbom flags).
+		parts := strings.SplitN(opt, " ", 2)
+		flagName := parts[0]
+		if idx := strings.Index(flagName, "="); idx != -1 {
+			flagName = flagName[:idx]
+		}
+
+		// Validate the flag name only — not the full opt string.
+		// The old ValidateBuildctlArg(opt) call blocked spaces, which breaks
+		// legitimate "--flag value" opts like "--sbom syft-cyclonedx".
+		if err := validation.ValidateBuildctlArg(flagName); err != nil {
+			return fmt.Errorf("invalid --buildah-opt flag name %d (%q): %v", i, flagName, err)
+		}
+
+		// Validate the value portion for null bytes regardless of form.
+		// Space-separated values (parts[1]) are passed through as-is since
+		// they may be paths or scanner commands that ValidateBuildctlArg
+		// would incorrectly reject.
+		var optValue string
+		if len(parts) == 2 {
+			optValue = parts[1] // "--flag value" form
+		} else if idx := strings.Index(parts[0], "="); idx != -1 {
+			optValue = parts[0][idx+1:] // "--flag=value" form
+		}
+		if strings.Contains(optValue, "\x00") {
+			return fmt.Errorf("--buildah-opt value %d contains null byte", i)
+		}
+
+		if suggestion, conflicts := conflictingFlags[flagName]; conflicts {
+			return fmt.Errorf(
+				"--buildah-opt %q is managed by Kimia: %s",
+				flagName, suggestion,
+			)
+		}
+	}
+
 	return nil
 }
 
 func executeBuildKit(config Config, ctx *Context) error {
 	logger.Info("Starting BuildKit build...")
 
+	// Warn if --buildah-opt was passed — these are ignored by BuildKit
+	if len(config.BuildahOpts) > 0 {
+		logger.Warning("--buildah-opt flags are ignored when using BuildKit backend: %v", config.BuildahOpts)
+	}
+
 	// ========================================
 	// SETUP: Environment and paths
 	// ========================================
@@ -1720,7 +1829,7 @@ func sanitizeCommandArgs(args []string) []string {
 		"SECRET",
 		"CREDENTIALS",
 	}
-	
+
 	sanitized := make([]string, len(args))
 	for i, arg := range args {
 		if strings.HasPrefix(arg, "context=") || strings.HasPrefix(arg, "dockerfile=") {
@@ -1753,8 +1862,17 @@ func sanitizeCommandArgs(args []string) []string {
 				sanitized[i] = arg
 			}
 		} else {
-			// For any other arg that might be a URL
-			sanitized[i] = logger.SanitizeGitURL(arg)
+			// Only sanitize args that look like URLs -- calling SanitizeGitURL
+			// on non-URL values (e.g. --buildah-opt scanner commands) causes
+			// spaces and braces to be URL-encoded in log output.
+			if strings.HasPrefix(arg, "http://") ||
+				strings.HasPrefix(arg, "https://") ||
+				strings.HasPrefix(arg, "git://") ||
+				strings.HasPrefix(arg, "git@") {
+				sanitized[i] = logger.SanitizeGitURL(arg)
+			} else {
+				sanitized[i] = arg
+			}
 		}
 	}
 	return sanitized