@@ -36,11 +36,10 @@ class CLIScannerTool:
3636 ]
3737
3838 exit_code_explained : str = """
39- Exit codes:
40- 0: Scan evaluation "pass"
41- 1: Scan evaluation "fail"
42- 2: Invalid parameters
43- 3: Internal error
39+ 0: Scan evaluation "pass"
40+ 1: Scan evaluation "fail"
41+ 2: Invalid parameters
42+ 3: Internal error
4443 """
4544
4645 def check_sysdig_cli_installed (self ) -> None :
@@ -53,7 +52,7 @@ def check_sysdig_cli_installed(self) -> None:
5352 log .info (f"Sysdig CLI Scanner is installed: { result .stdout .strip ()} " )
5453 except subprocess .CalledProcessError as e :
5554 error : dict = {
56- "error" : "Sysdig CLI Scanner is not installed. Check the docs to install it here: https://docs.sysdig.com/en/sysdig-secure/install-vulnerability-cli-scanner/#deployment"
55+ "error" : "Sysdig CLI Scanner is not installed or not in the $PATH . Check the docs to install it here: https://docs.sysdig.com/en/sysdig-secure/install-vulnerability-cli-scanner/#deployment"
5756 }
5857 e .output = error
5958 raise e
@@ -78,16 +77,42 @@ def check_env_credentials(self) -> None:
7877 def run_sysdig_cli_scanner (
7978 self ,
8079 image : Optional [str ] = None ,
81- directory_path : Optional [str ] = None ,
8280 mode : Literal ["vulnerability" , "iac" ] = "vulnerability" ,
81+ standalone : Optional [bool ] = False ,
82+ offline_analyser : Optional [bool ] = False ,
83+ full_vulnerability_table : Optional [bool ] = False ,
84+ separate_by_layer : Optional [bool ] = False ,
85+ separate_by_image : Optional [bool ] = False ,
86+ detailed_policies_evaluation : Optional [bool ] = False ,
87+ path_to_scan : Optional [str ] = None ,
88+ iac_group_by : Optional [Literal ["policy" , "resource" , "violation" ]] = "policy" ,
89+ iac_recursive : Optional [bool ] = True ,
90+ iac_severity_threshold : Optional [Literal ["never" , "high" , "medium" , "low" ]] = "high" ,
91+ iac_list_unsupported_resources : Optional [bool ] = False ,
8392 ) -> dict :
8493 """
8594 Analyzes a Container image for vulnerabilities using the Sysdig CLI Scanner.
8695 Args:
8796 image (str): The name of the container image to analyze.
88- directory_path (str): The path to the directory containing IaC files to analyze.
8997 mode ["vulnerability", "iac"]: The mode of analysis, either "vulnerability" or "iac".
9098 Defaults to "vulnerability".
99+ standalone (bool): In vulnerability mode, run the scan in standalone mode.
100+ Not dependent on Sysdig backend.
101+ offline_analyser (bool): In vulnerability mode, does not perform calls to the Sysdig backend.
102+ full_vulnerability_table (bool): In vulnerability mode, generates a table with all the vulnerabilities,
103+ not just the most important ones.
104+ separate_by_layer (bool): In vulnerability mode, separates vulnerabilities by layer.
105+ separate_by_image (bool): In vulnerability mode, separates vulnerabilities by image.
106+ detailed_policies_evaluation (bool): In vulnerability mode, evaluates policies in detail.
107+ path_to_scan (str): The path to the directory/file to scan in IaC mode.
108+ iac_group_by (str): In IaC mode, groups the results by the specified field.
109+ Options are "policy", "resource", or "violation". Defaults to "policy".
110+ iac_recursive (bool): In IaC mode, scans the directory recursively. Defaults to True.
111+ iac_severity_threshold (str): In IaC mode, sets the severity threshold for vulnerabilities.
112+ Options are "never", "high", "medium", or "low". Defaults to "high".
113+ iac_list_unsupported_resources (bool): In IaC mode, lists unsupported resources.
114+ Defaults to False.
115+
91116 Returns:
92117 dict: A dictionary containing the output of the analysis of vulnerabilities.
93118 Raises:
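Review bot: The `offline_analyser` entry at line 101 does not say that the flag only takes effect together with `standalone`, which is what the command construction later in this function enforces (`"--offline-analyzer" if offline_analyser and standalone else ""`); a caller passing `offline_analyser=True` on its own silently gets a backend-connected scan. Suggest extending the line to `offline_analyser (bool): In vulnerability mode, does not perform calls to the Sysdig backend. Only honoured together with standalone=True.`. As a point of style, the new flag parameters are annotated `Optional[bool] = False` although `None` is never a meaningful value for them; `standalone: bool = False` (and likewise for the other flags) states the contract more precisely, and the summary line still describes only the container-image case although the function now documents an IaC mode. The body of `run_sysdig_cli_scanner` continues past the end of this hunk.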
@@ -100,11 +125,28 @@ def run_sysdig_cli_scanner(
100125 # Prepare the command based on the mode
101126 if mode == "iac" :
102127 log .info ("Running Sysdig CLI Scanner in IaC mode." )
103- cmd = [self .cmd ] + self .default_args + self .iac_default_args + [directory_path ]
128+ extra_iac_args = [
129+ f"--group-by={ iac_group_by } " ,
130+ f"--severity-threshold={ iac_severity_threshold } " ,
131+ "--recursive" if iac_recursive else "" ,
132+ "--list-unsupported-resources" if iac_list_unsupported_resources else "" ,
133+ ]
134+ # Remove empty strings from the list
135+ extra_iac_args = [arg for arg in extra_iac_args if arg ]
136+ cmd = [self .cmd ] + self .default_args + self .iac_default_args + extra_iac_args + [path_to_scan ]
104137 else :
105138 log .info ("Running Sysdig CLI Scanner in vulnerability mode." )
106139 # Default to vulnerability mode
107- cmd = [self .cmd ] + self .default_args + [image ]
140+ extra_args = [
141+ "--standalone" if standalone else "" ,
142+ "--offline-analyzer" if offline_analyser and standalone else "" ,
143+ "--full-vulns-table" if full_vulnerability_table else "" ,
144+ "--separate-by-layer" if separate_by_layer else "" ,
145+ "--separate-by-image" if separate_by_image else "" ,
146+ "--detailed-policies-eval" if detailed_policies_evaluation else "" ,
147+ ]
148+ extra_args = [arg for arg in extra_args if arg ] # Remove empty strings from the list
149+ cmd = [self .cmd ] + self .default_args + extra_args + [image ]
108150
109151 try :
110152 # Run the command
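Review bot: `path_to_scan` (line 136) and `image` (line 149) default to `None` yet are appended to `cmd` unchecked, so a call that omits the argument for the chosen mode hands `subprocess.run` a `None` argv element; that raises `TypeError`, which the `except subprocess.CalledProcessError` path further down does not catch, so the caller sees an internal failure instead of the "Invalid parameters" exit code 2 the tool documents. The `Literal` annotations on `iac_group_by` and `iac_severity_threshold` are not enforced at runtime either, so an unexpected value is interpolated straight into `--group-by=`/`--severity-threshold=` (lines 129-130) and reaches the scanner's argv. Validating the mode-specific required argument and the two enumerated options before building `cmd` keeps bad input on the documented "invalid parameters" path; the exception type should match whatever the `Raises:` section (outside this hunk) already documents. The enclosing function starts and ends outside this hunk.
```python
# Prepare the command based on the mode
if mode == "iac":
    if not path_to_scan:
        raise ValueError("path_to_scan is required in iac mode")
    if iac_group_by not in ("policy", "resource", "violation"):
        raise ValueError(f"Unsupported iac_group_by value: {iac_group_by!r}")
    if iac_severity_threshold not in ("never", "high", "medium", "low"):
        raise ValueError(f"Unsupported iac_severity_threshold value: {iac_severity_threshold!r}")
    log.info("Running Sysdig CLI Scanner in IaC mode.")
    # … unchanged: extra_iac_args construction and cmd assembly …
else:
    if not image:
        raise ValueError("image is required in vulnerability mode")
    log.info("Running Sysdig CLI Scanner in vulnerability mode.")
    # … unchanged: extra_args construction and cmd assembly …
```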
@@ -114,7 +156,7 @@ def run_sysdig_cli_scanner(
114156 output_file .close ()
115157 return {
116158 "exit_code" : result .returncode ,
117- "output" : output_result ,
159+ "output" : output_result + result . stderr . strip () ,
118160 "exit_codes_explained" : self .exit_code_explained ,
119161 }
120162 # Handle non-zero exit codes speically exit code 1
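Review bot: `output_result + result.stderr.strip()` on line 159 joins the scanner's report and its diagnostics into one string with no separator, so a consumer of `output` can no longer tell where the report ends and the stderr text begins, and will misparse structured output when the scanner writes anything to stderr. Returning them as separate keys keeps both available without ambiguity: `"output": output_result,` followed by `"stderr": result.stderr.strip() if result.stderr else "",`. The `if result.stderr` guard also covers the case where the `subprocess.run` call (outside this hunk) does not capture stderr and `result.stderr` is `None`; whether `output_result` is a `str` at all is decided outside the hunk too, so that should be confirmed before relying on `+`. The `exit_codes_explained` value is still listed, so the documented meaning of `exit_code` is unaffected.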