feat: include dirs

samrose · samrose · commit a2daa464f1b3 · 2025-12-04T19:15:40.000-05:00
diff --git a/nix/packages/cis-audit/scanner/cmd/cis-generate-spec/main.go b/nix/packages/cis-audit/scanner/cmd/cis-generate-spec/main.go
@@ -24,6 +24,7 @@ var (
 	includePorts   bool
 	includeProcess bool
 	shallowDirs    []string
+	shallowDepth   int
 	strict         bool
 	verbose        bool
 	debug          bool
@@ -52,8 +53,11 @@ Examples:
   # Enable verbose logging to stderr
   cis-generate-spec --verbose --log-format json
 
-  # Scan directories without recursing into subdirectories
+  # Scan directories without recursing into subdirectories (depth 1 = top level only)
   cis-generate-spec --shallow-dirs /nix/store --shallow-dirs /data/pgdata
+
+  # Scan shallow dirs including immediate subdirectories (depth 2)
+  cis-generate-spec --shallow-dirs /nix/store --shallow-depth 2
 `,
 	Args:    cobra.MaximumNArgs(1),
 	Version: version,
@@ -66,7 +70,8 @@ func init() {
 	rootCmd.Flags().BoolVar(&includeDynamic, "include-dynamic", false, "Include dynamic kernel parameters")
 	rootCmd.Flags().BoolVar(&includePorts, "include-ports", false, "Include listening ports")
 	rootCmd.Flags().BoolVar(&includeProcess, "include-processes", false, "Include running processes")
-	rootCmd.Flags().StringArrayVar(&shallowDirs, "shallow-dirs", nil, "Directories to scan without recursion (can be specified multiple times)")
+	rootCmd.Flags().StringArrayVar(&shallowDirs, "shallow-dirs", nil, "Directories to scan with limited depth (can be specified multiple times)")
+	rootCmd.Flags().IntVar(&shallowDepth, "shallow-depth", 1, "How deep to scan in shallow dirs (1=top level only, 2=include immediate subdirs)")
 	rootCmd.Flags().BoolVar(&strict, "strict", false, "Fail on any access errors (default: skip and warn)")
 	rootCmd.Flags().BoolVar(&verbose, "verbose", false, "Enable structured logging to stderr")
 	rootCmd.Flags().BoolVar(&debug, "debug", false, "Enable debug logging (implies --verbose)")
@@ -92,6 +97,7 @@ func run(cmd *cobra.Command, args []string) error {
 		IncludePorts:     includePorts,
 		IncludeProcesses: includeProcess,
 		ShallowDirs:      shallowDirs,
+		ShallowDepth:     shallowDepth,
 	}
 	cfg, err := config.Load(configFile, cliOpts)
 	if err != nil {
diff --git a/nix/packages/cis-audit/scanner/internal/config/loader.go b/nix/packages/cis-audit/scanner/internal/config/loader.go
@@ -18,10 +18,16 @@ type Config struct {
 	// Paths to exclude from scanning (glob patterns supported)
 	Paths []string `yaml:"paths,omitempty"`
 
-	// ShallowDirs are directories to scan at top level only (no recursion)
-	// Files directly in these directories are scanned, but subdirectories are skipped
+	// ShallowDirs are directories to scan with limited recursion depth
+	// Files up to ShallowDepth levels deep are scanned, deeper subdirectories are skipped
 	ShallowDirs []string `yaml:"shallowDirs,omitempty"`
 
+	// ShallowDepth controls how many levels deep to scan in shallow directories
+	// 1 = only files directly in the shallow dir (default)
+	// 2 = files in shallow dir + immediate subdirectories
+	// 3 = files in shallow dir + 2 levels of subdirectories, etc.
+	ShallowDepth int `yaml:"shallowDepth,omitempty"`
+
 	// Kernel parameters to exclude from scanning
 	KernelParams []string `yaml:"kernelParams,omitempty"`
 
@@ -49,6 +55,9 @@ type CLIOptions struct {
 
 	// ShallowDirs adds directories to scan without recursion (from CLI)
 	ShallowDirs []string
+
+	// ShallowDepth controls recursion depth in shallow directories (from CLI)
+	ShallowDepth int
 }
 
 // Load reads configuration from defaults, optional config file, and CLI options.
@@ -95,6 +104,16 @@ func Load(configPath string, opts CLIOptions) (*Config, error) {
 		cfg.ShallowDirs = append(cfg.ShallowDirs, opts.ShallowDirs...)
 	}
 
+	// Set shallow depth from CLI (overrides config file and defaults)
+	if opts.ShallowDepth > 0 {
+		cfg.ShallowDepth = opts.ShallowDepth
+	}
+
+	// Default shallow depth to 1 if not set
+	if cfg.ShallowDepth == 0 {
+		cfg.ShallowDepth = 1
+	}
+
 	return &cfg, nil
 }
 
@@ -124,6 +143,11 @@ func merge(base, file Config) Config {
 	result.KernelParams = append(result.KernelParams, file.KernelParams...)
 	result.DisabledScanners = append(result.DisabledScanners, file.DisabledScanners...)
 
+	// ShallowDepth from file overrides base if set
+	if file.ShallowDepth > 0 {
+		result.ShallowDepth = file.ShallowDepth
+	}
+
 	return result
 }
 
diff --git a/nix/packages/cis-audit/scanner/internal/scanners/files.go b/nix/packages/cis-audit/scanner/internal/scanners/files.go
@@ -73,13 +73,28 @@ func (s *FileScanner) Scan(ctx context.Context, opts ScanOptions) (ScanStats, er
 			return nil
 		}
 
-		// Handle shallow directories - scan top level only, skip subdirectories
+		// Handle shallow directories - limit recursion depth
 		if d != nil && d.IsDir() {
 			depth := cfg.GetShallowDirDepth(path)
-			if depth > 1 {
-				// This is a subdirectory inside a shallow dir - skip it
-				opts.Logger.Debug("Skipping subdirectory in shallow dir", "path", path, "depth", depth)
-				return filepath.SkipDir
+			if depth >= 0 {
+				if depth == 0 && cfg.ShallowDepth == 0 {
+					// Depth 0 means capture this directory entry but don't recurse into it
+					info, err := d.Info()
+					if err == nil {
+						dirSpec := s.buildDirSpec(path, info)
+						if err := writer.Add(dirSpec); err != nil {
+							return fmt.Errorf("failed to write dir spec: %w", err)
+						}
+						s.stats.FilesScanned++
+					}
+					opts.Logger.Debug("Captured shallow dir, skipping contents", "path", path)
+					return filepath.SkipDir
+				}
+				if depth >= cfg.ShallowDepth {
+					// This directory is at or beyond the configured shallow depth - skip it
+					opts.Logger.Debug("Skipping directory beyond shallow depth", "path", path, "depth", depth, "max_depth", cfg.ShallowDepth)
+					return filepath.SkipDir
+				}
 			}
 		}
 
@@ -142,6 +157,28 @@ func (s *FileScanner) buildFileSpec(path string, info fs.FileInfo) spec.FileSpec
 	}
 }
 
+// buildDirSpec creates a GOSS file spec for a directory
+func (s *FileScanner) buildDirSpec(path string, info fs.FileInfo) spec.FileSpec {
+	// Extract Unix permissions and ownership
+	sys := info.Sys().(*syscall.Stat_t)
+
+	// Mode with leading zero (GOSS format: "0755" not "755")
+	mode := fmt.Sprintf("0%o", info.Mode().Perm())
+
+	// Get username/groupname from UID/GID
+	owner := getUsername(sys.Uid)
+	group := getGroupname(sys.Gid)
+
+	return spec.FileSpec{
+		Path:     path,
+		Exists:   true,
+		Mode:     mode,
+		Owner:    owner,
+		Group:    group,
+		Filetype: "directory",
+	}
+}
+
 // handleError processes errors based on strict mode
 func (s *FileScanner) handleError(err error, path string, opts ScanOptions) error {
 	// Permission denied is common and expected
