feat: shallow dirs

Author: samrose

nix/packages/cis-audit/scanner/cmd/cis-generate-spec/main.go

@@ -23,6 +23,7 @@ var (
 	includeDynamic bool
 	includePorts   bool
 	includeProcess bool
+	shallowDirs    []string
 	strict         bool
 	verbose        bool
 	debug          bool
@@ -50,6 +51,9 @@ Examples:
 
   # Enable verbose logging to stderr
   cis-generate-spec --verbose --log-format json
+
+  # Scan directories without recursing into subdirectories
+  cis-generate-spec --shallow-dirs /nix/store --shallow-dirs /data/pgdata
 `,
 	Args:    cobra.MaximumNArgs(1),
 	Version: version,
@@ -62,6 +66,7 @@ func init() {
 	rootCmd.Flags().BoolVar(&includeDynamic, "include-dynamic", false, "Include dynamic kernel parameters")
 	rootCmd.Flags().BoolVar(&includePorts, "include-ports", false, "Include listening ports")
 	rootCmd.Flags().BoolVar(&includeProcess, "include-processes", false, "Include running processes")
+	rootCmd.Flags().StringArrayVar(&shallowDirs, "shallow-dirs", nil, "Directories to scan without recursion (can be specified multiple times)")
 	rootCmd.Flags().BoolVar(&strict, "strict", false, "Fail on any access errors (default: skip and warn)")
 	rootCmd.Flags().BoolVar(&verbose, "verbose", false, "Enable structured logging to stderr")
 	rootCmd.Flags().BoolVar(&debug, "debug", false, "Enable debug logging (implies --verbose)")
@@ -86,6 +91,7 @@ func run(cmd *cobra.Command, args []string) error {
 		IncludeDynamic:   includeDynamic,
 		IncludePorts:     includePorts,
 		IncludeProcesses: includeProcess,
+		ShallowDirs:      shallowDirs,
 	}
 	cfg, err := config.Load(configFile, cliOpts)
 	if err != nil {

nix/packages/cis-audit/scanner/internal/config/defaults.go

@@ -27,6 +27,14 @@ var DefaultExclusions = Config{
 		"/var/cache/apt/*",
 	},
 
+	ShallowDirs: []string{
+		// Nix store - contents change with deployments, only audit top-level structure
+		"/nix/store",
+
+		// PostgreSQL data directory - contents are dynamic database state
+		"/data/pgdata",
+	},
+
 	KernelParams: []string{
 		// Dynamic kernel parameters that change frequently and aren't security-relevant
 		"fs.dentry-state",                 // Dentry cache statistics (dynamic)

nix/packages/cis-audit/scanner/internal/config/loader.go

@@ -18,6 +18,10 @@ type Config struct {
 	// Paths to exclude from scanning (glob patterns supported)
 	Paths []string `yaml:"paths,omitempty"`
 
+	// ShallowDirs are directories to scan at top level only (no recursion)
+	// Files directly in these directories are scanned, but subdirectories are skipped
+	ShallowDirs []string `yaml:"shallowDirs,omitempty"`
+
 	// Kernel parameters to exclude from scanning
 	KernelParams []string `yaml:"kernelParams,omitempty"`
 
@@ -42,6 +46,9 @@ type CLIOptions struct {
 
 	// IncludeProcesses enables process scanning (removes "process" from DisabledScanners)
 	IncludeProcesses bool
+
+	// ShallowDirs adds directories to scan without recursion (from CLI)
+	ShallowDirs []string
 }
 
 // Load reads configuration from defaults, optional config file, and CLI options.
@@ -83,6 +90,11 @@ func Load(configPath string, opts CLIOptions) (*Config, error) {
 		cfg.DisabledScanners = removeItems(cfg.DisabledScanners, []string{"process"})
 	}
 
+	// Add CLI shallow dirs to config
+	if len(opts.ShallowDirs) > 0 {
+		cfg.ShallowDirs = append(cfg.ShallowDirs, opts.ShallowDirs...)
+	}
+
 	return &cfg, nil
 }
 
@@ -108,6 +120,7 @@ func merge(base, file Config) Config {
 
 	// Append file exclusions to base exclusions (additive)
 	result.Paths = append(result.Paths, file.Paths...)
+	result.ShallowDirs = append(result.ShallowDirs, file.ShallowDirs...)
 	result.KernelParams = append(result.KernelParams, file.KernelParams...)
 	result.DisabledScanners = append(result.DisabledScanners, file.DisabledScanners...)
 
@@ -188,3 +201,39 @@ func (c *Config) IsScannerDisabled(scannerType string) bool {
 	}
 	return false
 }
+
+// IsShallowDir checks if the given path is a shallow directory (should not recurse into).
+// Returns true if path exactly matches a shallow dir or is a subdirectory of one.
+func (c *Config) IsShallowDir(path string) bool {
+	for _, shallow := range c.ShallowDirs {
+		// Normalize paths (remove trailing slashes)
+		shallow = strings.TrimSuffix(shallow, "/")
+		path = strings.TrimSuffix(path, "/")
+
+		// Check if this is exactly the shallow dir or a subdirectory
+		if path == shallow || strings.HasPrefix(path, shallow+"/") {
+			return true
+		}
+	}
+	return false
+}
+
+// GetShallowDirDepth returns the depth of the shallow directory that contains this path.
+// Returns -1 if path is not in any shallow directory.
+// Depth 0 = the shallow dir itself, depth 1 = immediate child, etc.
+func (c *Config) GetShallowDirDepth(path string) int {
+	for _, shallow := range c.ShallowDirs {
+		shallow = strings.TrimSuffix(shallow, "/")
+		path = strings.TrimSuffix(path, "/")
+
+		if path == shallow {
+			return 0
+		}
+		if strings.HasPrefix(path, shallow+"/") {
+			// Count the depth relative to shallow dir
+			relPath := strings.TrimPrefix(path, shallow+"/")
+			return strings.Count(relPath, "/") + 1
+		}
+	}
+	return -1
+}

nix/packages/cis-audit/scanner/internal/scanners/files.go

@@ -73,6 +73,16 @@ func (s *FileScanner) Scan(ctx context.Context, opts ScanOptions) (ScanStats, er
 			return nil
 		}
 
+		// Handle shallow directories - scan top level only, skip subdirectories
+		if d != nil && d.IsDir() {
+			depth := cfg.GetShallowDirDepth(path)
+			if depth > 1 {
+				// This is a subdirectory inside a shallow dir - skip it
+				opts.Logger.Debug("Skipping subdirectory in shallow dir", "path", path, "depth", depth)
+				return filepath.SkipDir
+			}
+		}
+
 		// Handle walk errors (permission denied, etc.)
 		if err != nil {
 			return s.handleError(err, path, opts)