refactor: move setting scanners when using compliance reports to flag parsing (#6619)

pkg/commands/app_test.go

@@ -172,6 +172,7 @@ func TestFlags(t *testing.T) {
 	type want struct {
 		format     types.Format
 		severities []dbTypes.Severity
+		scanners   types.Scanners
 	}
 	tests := []struct {
 		name      string
@@ -193,6 +194,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityHigh,
 					dbTypes.SeverityCritical,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -208,6 +213,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityLow,
 					dbTypes.SeverityMedium,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -225,6 +234,10 @@ func TestFlags(t *testing.T) {
 					dbTypes.SeverityLow,
 					dbTypes.SeverityHigh,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
 			},
 		},
 		{
@@ -241,6 +254,33 @@ func TestFlags(t *testing.T) {
 				severities: []dbTypes.Severity{
 					dbTypes.SeverityCritical,
 				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+					types.SecretScanner,
+				},
+			},
+		},
+		{
+			name: "happy path with scanners for compliance report",
+			arguments: []string{
+				"test",
+				"--scanners",
+				"license",
+				"--compliance",
+				"docker-cis",
+			},
+			want: want{
+				format: types.FormatTable,
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityUnknown,
+					dbTypes.SeverityLow,
+					dbTypes.SeverityMedium,
+					dbTypes.SeverityHigh,
+					dbTypes.SeverityCritical,
+				},
+				scanners: types.Scanners{
+					types.VulnerabilityScanner,
+				},
 			},
 		},
 		{
@@ -264,6 +304,7 @@ func TestFlags(t *testing.T) {
 			flags := &flag.Flags{
 				GlobalFlagGroup: globalFlags,
 				ReportFlagGroup: flag.NewReportFlagGroup(),
+				ScanFlagGroup:   flag.NewScanFlagGroup(),
 			}
 			cmd := &cobra.Command{
 				Use: "test",
@@ -280,6 +321,7 @@ func TestFlags(t *testing.T) {
 
 					assert.Equal(t, tt.want.format, options.Format)
 					assert.Equal(t, tt.want.severities, options.Severities)
+					assert.Equal(t, tt.want.scanners, options.Scanners)
 					return nil
 				},
 			}

pkg/commands/artifact/run.go

@@ -533,25 +533,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		target = opts.Input
 	}
 
-	if opts.Compliance.Spec.ID != "" {
-		// set scanners types by spec
-		scanners, err := opts.Compliance.Scanners()
-		if err != nil {
-			return ScannerConfig{}, types.ScanOptions{}, xerrors.Errorf("scanner error: %w", err)
-		}
-
-		opts.Scanners = scanners
-		opts.ImageConfigScanners = nil
-		// TODO: define image-config-scanners in the spec
-		if opts.Compliance.Spec.ID == "docker-cis" {
-			opts.Scanners = types.Scanners{types.VulnerabilityScanner}
-			opts.ImageConfigScanners = types.Scanners{
-				types.MisconfigScanner,
-				types.SecretScanner,
-			}
-		}
-	}
-
 	scanOptions := types.ScanOptions{
 		VulnType:            opts.VulnType,
 		Scanners:            opts.Scanners,

pkg/flag/options.go

@@ -353,7 +353,7 @@ type Options struct {
 }
 
 // Align takes consistency of options
-func (o *Options) Align() {
+func (o *Options) Align() error {
 	if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
 		log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
 		o.Scanners = nil
@@ -364,6 +364,34 @@ func (o *Options) Align() {
 		log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
 		o.Scanners = nil
 	}
+
+	if o.Compliance.Spec.ID != "" {
+		if viper.IsSet(ScannersFlag.ConfigName) {
+			log.Info(`The option to change scanners is disabled for scanning with the "--compliance" flag. Default scanners used.`)
+		}
+		if viper.IsSet(ImageConfigScannersFlag.ConfigName) {
+			log.Info(`The option to change image config scanners is disabled for scanning with the "--compliance" flag. Default image config scanners used.`)
+		}
+
+		// set scanners types by spec
+		scanners, err := o.Compliance.Scanners()
+		if err != nil {
+			return xerrors.Errorf("scanner error: %w", err)
+		}
+
+		o.Scanners = scanners
+		o.ImageConfigScanners = nil
+		// TODO: define image-config-scanners in the spec
+		if o.Compliance.Spec.ID == types.ComplianceDockerCIS {
+			o.Scanners = types.Scanners{types.VulnerabilityScanner}
+			o.ImageConfigScanners = types.Scanners{
+				types.MisconfigScanner,
+				types.SecretScanner,
+			}
+		}
+	}
+
+	return nil
 }
 
 // RegistryOpts returns options for OCI registries
@@ -693,7 +721,9 @@ func (f *Flags) ToOptions(args []string) (Options, error) {
 		}
 	}
 
-	opts.Align()
+	if err := opts.Align(); err != nil {
+		return Options{}, xerrors.Errorf("align options error: %w", err)
+	}
 
 	return opts, nil
 }