Checkmarx · rogeriopeixotocx · Apr 27, 2021 · Apr 26, 2021 · Apr 27, 2021 · Apr 27, 2021
@@ -85,19 +85,19 @@ exclude-results: "exclude results by providing a list of similarity IDs of a res
 log-file: true
 log-level: INFO
 log-path: path to the log file
-silent: false
-no-color: false
 minimal-ui: false
+no-color: false
 no-progress: false
 output-path: "directory path to store reports"
 path: "path to file or directory to scan"
 payload-path: "file path to store source internal representation in JSON format"
 preview-lines: 3
+profiling: "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 queries-path: "path to directory with queries (default ./assets/queries) (default './assets/queries')"
 report-formats: "formats in which the results will be exported (json, sarif, html)"
+silent: false
 type: "type of queries to use in the scan"
 verbose: true
-profiling: "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 ```
 
 #### TOML Format
@@ -110,19 +110,19 @@ exclude-results = "exclude results by providing a list of similarity IDs of a re
 log-file = true
 log-level = "INFO"
 log-path = "path to the log file"
-silent = false
 minimal-ui = false
 no-color = false
 no-progress = false
 output-path = "directory path to store reports"
 path = "path to file or directory to scan"
 payload-path = "file path to store source internal representation in JSON format"
 preview-lines = 3
+profiling = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 queries-path = "path to directory with queries (default ./assets/queries) (default './assets/queries')"
 report-formats = "formats in which the results will be exported (json, sarif, html)"
+silent = false
 type = "type of queries to use in the scan"
 verbose = true
-profiling = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 ```
 
 #### HCL Format
@@ -135,19 +135,19 @@ profiling = "enables performance profiler that prints resource consumption metri
 "log-file" = true
 "log-level" = "INFO"
 "log-path" = "path to the log file"
-"silent" = false
 "minimal-ui" = false
 "no-color" = false
 "no-progress" = false
 "output-path" = "directory path to store reports"
 "path" = "path to file or directory to scan"
 "payload-path" = "file path to store source internal representation in JSON format"
 "preview-lines" = 3
+"profiling" = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 "queries-path" = "path to directory with queries (default ./assets/queries) (default './assets/queries')"
 "report-formats" = "formats in which the results will be exported (json, sarif, html)"
+"silent" = false
 "type" = "type of queries to use in the scan"
 "verbose" = true
-"profiling" = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
 ```
 
 ---
@@ -174,4 +174,17 @@ kics scan --config kics-config.json
 kics scan
 ```
 
-**Note**: CLI flags will have priority over the configuration file properties!
+**Note**: If more than one path is given, KICS will warn that `--config` must be used to explicit decide.
+
+#### Environment variables
+KICS also accepts environment variables to fill flags values. To use it you just need to have the flag with a `KICS_` prefix. For example:
+
+- To use path flag as environment variable, you should have `KICS_PATH` on your environment;
+- To use multiple names variables, like `--output-path`, you should use it with `KICS_` and each word separated by `_`, e.g.: `KICS_OUTPUT_PATH`
+
+## Flags precedence
+KICS will use the following precende to fill flags:
+
+- CLI flags
+- Environment variables
+- Configuration file
@@ -61,7 +61,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -101,7 +101,7 @@ var tests = []struct {
 		args: args{
 			args: []cmdArgs{
 				[]string{"scan", "--silent", "-q", "../assets/queries", "-p", "fixtures/samples/terraform.tf",
-					"--payload-path", "fixtures/payload.json", "-q", "../assets/queries"},
+					"--payload-path", "fixtures/payload.json"},
 			},
 			expectedOut: []string{
 				"E2E_CLI_005",
@@ -297,6 +297,20 @@ var tests = []struct {
 		},
 		wantStatus: 126,
 	},
+	// E2E-CLI-018 - KICS scan with multiple paths
+	{
+		name: "E2E-CLI-018",
+		args: args{
+			args: []cmdArgs{
+				[]string{"scan", "--silent", "-q", "../assets/queries", "-p", "fixtures/samples/terraform.tf,fixtures/samples/terraform-single.tf"},
+			},
+			expectedOut: []string{
+				"E2E_CLI_018",
+			},
+		},
+		wantStatus:    50,
+		removePayload: []string{"payload.json"},
+	},
 }
 
 func Test_E2E_CLI(t *testing.T) {

@@ -27,7 +27,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -26,7 +26,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -26,7 +26,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -33,7 +33,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -26,7 +26,8 @@ Flags:
       --minimal-ui                   simplified version of CLI output
       --no-progress                  hides the progress bar
   -o, --output-path string           directory path to store reports
-  -p, --path string                  path or directory path to scan
+  -p, --path strings                 paths or directories to scan
+                                     example: "./somepath,somefile.txt"
   -d, --payload-path string          path to store internal representation JSON file
       --preview-lines int            number of lines to be display in CLI results (min: 1, max: 30) (default 3)
   -q, --queries-path string          path to directory with queries (default "./assets/queries")

@@ -1,6 +1,7 @@
 package console
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -50,6 +51,19 @@ func TestConsole_Execute(t *testing.T) { //nolint
 			wantErr: false,
 			remove:  "",
 		},
+		{
+			name: "test_kics_multiple_paths",
+			args: []string{
+				"kics",
+				"-p",
+				fmt.Sprintf("%s,%s",
+					filepath.FromSlash("../../test/fixtures/tc-sim01/positive1.tf"),
+					filepath.FromSlash("../../test/fixtures/tc-sim01/positive2.tf")),
+				"-q", filepath.FromSlash("../../assets/queries/terraform/aws/alb_is_not_integrated_with_waf"),
+			},
+			wantErr: false,
+			remove:  "",
+		},
 		{
 			name:    "test_kics_no_queries_flag",
 			args:    []string{"kics", "-p", filepath.FromSlash("../../test/fixtures/tc-sim01/positive1.tf")},

@@ -50,7 +50,7 @@ var (
 	min               bool
 	noProgress        bool
 	outputPath        string
-	path              string
+	path              []string
 	payloadPath       string
 	previewLines      int
 	queryPath         string
@@ -131,13 +131,20 @@ func initializeConfig(cmd *cobra.Command) error {
 	}
 
 	if cfgFile == "" {
-		configpath := path
-		info, err := os.Stat(path)
+		if len(path) == 0 {
+			return nil
+		}
+		if len(path) > 1 {
+			warning = append(warning, "Any kics.config file will be ignored, please use --config if kics.config is wanted")
+			return nil
+		}
+		configpath := path[0]
+		info, err := os.Stat(configpath)
 		if err != nil {
 			return nil
 		}
 		if !info.IsDir() {
-			configpath = filepath.Dir(path)
+			configpath = filepath.Dir(configpath)
 		}
 		_, err = os.Stat(filepath.ToSlash(filepath.Join(configpath, constants.DefaultConfigFilename)))
 		if err != nil {
@@ -146,7 +153,7 @@ func initializeConfig(cmd *cobra.Command) error {
 			}
 			return err
 		}
-		cfgFile = filepath.ToSlash(filepath.Join(path, constants.DefaultConfigFilename))
+		cfgFile = filepath.ToSlash(filepath.Join(configpath, constants.DefaultConfigFilename))
 	}
 
 	base := filepath.Base(cfgFile)
@@ -214,11 +221,11 @@ func setBoundFlags(flagName string, val interface{}, cmd *cobra.Command) {
 }
 
 func initScanFlags(scanCmd *cobra.Command) {
-	scanCmd.Flags().StringVarP(&path,
+	scanCmd.Flags().StringSliceVarP(&path,
 		pathFlag,
 		pathFlagShorthand,
-		"",
-		"path or directory path to scan")
+		[]string{},
+		"paths or directories to scan\nexample: \"./somepath,somefile.txt\"")
 	scanCmd.Flags().StringVarP(&cfgFile,
 		configFlag,
 		"",
@@ -334,13 +341,16 @@ func getFileSystemSourceProvider() (*provider.FileSystemSourceProvider, error) {
 	if len(excludePath) > 0 {
 		excludePaths = append(excludePaths, excludePath...)
 	}
-
-	absPath, err := filepath.Abs(path)
-	if err != nil {
-		return nil, err
+	absPaths := make([]string, len(path))
+	for idx, scanPath := range path {
+		absPath, err := filepath.Abs(scanPath)
+		if err != nil {
+			return nil, err
+		}
+		absPaths[idx] = absPath
 	}
 
-	filesSource, err := provider.NewFileSystemSourceProvider(absPath, excludePaths)
+	filesSource, err := provider.NewFileSystemSourceProvider(absPaths, excludePaths)
 	if err != nil {
 		return nil, err
 	}

@@ -82,12 +82,12 @@ type Inspector struct {
 // QueryContext contains the context where the query is executed, which scan it belongs, basic information of query,
 // the query compiled and its payload
 type QueryContext struct {
-	ctx          context.Context
-	scanID       string
-	files        map[string]model.FileMetadata
-	query        *preparedQuery
-	payload      model.Documents
-	baseScanPath string
+	ctx           context.Context
+	scanID        string
+	files         map[string]model.FileMetadata
+	query         *preparedQuery
+	payload       model.Documents
+	baseScanPaths []string
 }
 
 var (
@@ -203,7 +203,7 @@ func (c *Inspector) Inspect(
 	scanID string,
 	files model.FileMetadatas,
 	hideProgress bool,
-	baseScanPath string) ([]model.Vulnerability, error) {
+	baseScanPaths []string) ([]model.Vulnerability, error) {
 	log.Debug().Msg("engine.Inspect()")
 	combinedFiles := files.Combine()
 
@@ -223,12 +223,12 @@ func (c *Inspector) Inspect(
 		}
 
 		vuls, err := c.doRun(&QueryContext{
-			ctx:          ctx,
-			scanID:       scanID,
-			files:        files.ToMap(),
-			query:        query,
-			payload:      combinedFiles,
-			baseScanPath: baseScanPath,
+			ctx:           ctx,
+			scanID:        scanID,
+			files:         files.ToMap(),
+			query:         query,
+			payload:       combinedFiles,
+			baseScanPaths: baseScanPaths,
 		})
 		if err != nil {
 			sentry.CaptureException(err)

@@ -297,7 +297,7 @@ func TestInspect(t *testing.T) { //nolint
 				excludeResults:       tt.fields.excludeResults,
 				detector:             inspDetector,
 			}
-			got, err := c.Inspect(tt.args.ctx, tt.args.scanID, tt.args.files, true, filepath.FromSlash("assets/queries/"))
+			got, err := c.Inspect(tt.args.ctx, tt.args.scanID, tt.args.files, true, []string{filepath.FromSlash("assets/queries/")})
 			if tt.wantErr {
 				if err == nil {
 					t.Errorf("Inspector.Inspect() = %v,\nwant %v", err, tt.want)