diff --git a/docs/_data/curio.yaml b/docs/_data/curio.yaml index 1124486a4..f9d5f280c 100644 --- a/docs/_data/curio.yaml +++ b/docs/_data/curio.yaml @@ -7,7 +7,7 @@ options: usage: help for this command see_also: - ' config - Scan config files for misconfigurations' - - ' init - writes default config to curio.yml' - - ' scan - Scan git repository' + - ' init - Generates a default config to `curio.yml`' + - ' scan - Scan a directory or file' - ' version - Print the version' aliases: diff --git a/docs/_data/curio_config.yaml b/docs/_data/curio_config.yaml index ba5850d57..95c519bcb 100644 --- a/docs/_data/curio_config.yaml +++ b/docs/_data/curio_config.yaml @@ -2,14 +2,17 @@ name: ' config' synopsis: Scan config files for misconfigurations usage: ' config [flags] DIR' options: + - name: context + usage: | + Expand context of schema classification e.g., --context=health, to include data types particular to health - name: disable-domain-resolution default_value: "false" usage: | - do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true + Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true - name: domain-resolution-timeout default_value: 3s usage: | - set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO + Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s - name: help shorthand: h default_value: "false" @@ -17,11 +20,11 @@ options: - name: internal-domains default_value: '[]' usage: | - define regular expressions for better classification of private or unreachable domains eg. --internal-domains="*.my-company.com,private.sh" + Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains="*.my-company.com,private.sh" - name: skip-path default_value: '[]' usage: | - specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql + Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql see_also: - ' - ' aliases: conf diff --git a/docs/_data/curio_init.yaml b/docs/_data/curio_init.yaml index 0e0fc9935..234932579 100644 --- a/docs/_data/curio_init.yaml +++ b/docs/_data/curio_init.yaml @@ -1,20 +1,25 @@ name: ' init' -synopsis: writes default config to curio.yml +synopsis: Generates a default config to `curio.yml` usage: ' init [flags]' options: - name: config-file - usage: file from which to load configurations + usage: Load configuration from the defined path + - name: context + usage: | + Expand context of schema classification e.g., --context=health, to include data types particular to health - name: debug default_value: "false" - usage: enable debug logs + usage: Enable debug logs - name: disable-domain-resolution default_value: "false" usage: | - do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true + Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true - name: domain-resolution-timeout default_value: 3s usage: | - set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO + Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s + - name: existing-worker + usage: URL of an existing worker - name: file-size-max default_value: "25000000" usage: ignore files with file size larger than this config @@ -24,7 +29,7 @@ options: - name: format shorthand: f default_value: json - usage: format (json) + usage: Specify report format (json, yaml) - name: help shorthand: h default_value: "false" @@ -32,28 +37,32 @@ options: - name: internal-domains default_value: '[]' usage: | - define regular expressions for better classification of private or unreachable domains eg. --internal-domains="*.my-company.com,private.sh" + Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains="*.my-company.com,private.sh" - name: memory-max default_value: "800000000" usage: | if memory needed to scan a file surpasses this limit, skip the file + - name: only-policy + default_value: '[]' + usage: | + specify the comma separated ids of the policies you would like to run. Skips all other policies. - name: output - usage: path where to save report + usage: Specify output path for report + - name: quiet + default_value: "false" + usage: Suppress non-essential messages - name: report default_value: detectors - usage: specify the kind of report (detectors) + usage: | + Specify the kind of report (detectors, dataflow, policies, stats) - name: skip-path default_value: '[]' usage: | - specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql + Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql - name: skip-policy default_value: '[]' usage: | specify the comma separated ids of the policies you would like to skip. Runs all other policies. - - name: only-policy - default_value: '[]' - usage: | - specify the comma separated ids of the policies you would like to run. Skips all other policies. - name: timeout default_value: 10m0s usage: time allowed to complete scan @@ -77,4 +86,4 @@ options: usage: number of processing workers to spawn see_also: - ' - ' -aliases: +aliases: diff --git a/docs/_data/curio_scan.yaml b/docs/_data/curio_scan.yaml index f4a3bbea4..98002b622 100644 --- a/docs/_data/curio_scan.yaml +++ b/docs/_data/curio_scan.yaml @@ -1,20 +1,25 @@ name: ' scan' -synopsis: Scan git repository -usage: ' scan [flags] PATH' +synopsis: Scan a directory or file +usage: ' scan [flags] ' options: - name: config-file - usage: file from which to load configurations + usage: Load configuration from the defined path + - name: context + usage: | + Expand context of schema classification e.g., --context=health, to include data types particular to health - name: debug default_value: "false" - usage: enable debug logs + usage: Enable debug logs - name: disable-domain-resolution default_value: "false" usage: | - do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true + Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true - name: domain-resolution-timeout default_value: 3s usage: | - set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO + Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s + - name: existing-worker + usage: URL of an existing worker - name: file-size-max default_value: "25000000" usage: ignore files with file size larger than this config @@ -24,7 +29,7 @@ options: - name: format shorthand: f default_value: json - usage: format (json) + usage: Specify report format (json, yaml) - name: help shorthand: h default_value: "false" @@ -32,28 +37,32 @@ options: - name: internal-domains default_value: '[]' usage: | - define regular expressions for better classification of private or unreachable domains eg. --internal-domains="*.my-company.com,private.sh" + Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains="*.my-company.com,private.sh" - name: memory-max default_value: "800000000" usage: | if memory needed to scan a file surpasses this limit, skip the file + - name: only-policy + default_value: '[]' + usage: | + specify the comma separated ids of the policies you would like to run. Skips all other policies. - name: output - usage: path where to save report + usage: Specify output path for report + - name: quiet + default_value: "false" + usage: Suppress non-essential messages - name: report default_value: detectors - usage: specify the kind of report (detectors) + usage: | + Specify the kind of report (detectors, dataflow, policies, stats) - name: skip-path default_value: '[]' usage: | - specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql + Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql - name: skip-policy default_value: '[]' usage: | specify the comma separated ids of the policies you would like to skip. Runs all other policies. - - name: only-policy - default_value: '[]' - usage: | - specify the comma separated ids of the policies you would like to run. Skips all other policies. - name: timeout default_value: 10m0s usage: time allowed to complete scan @@ -76,10 +85,8 @@ options: default_value: "1" usage: number of processing workers to spawn example: |4- - # Scan a local project including language-specific files - $ curio s /path/to/your_project - # Scan a single file - $ curio s ./curio-ci-test/Pipfile.lock + # Scan a local project, including language-specific files + $ curio scan /path/to/your_project see_also: - ' - ' aliases: s diff --git a/integration/flags/.snapshots/TestMetadataFlags-help b/integration/flags/.snapshots/TestMetadataFlags-help index 37ee98324..3c8a657ee 100644 --- a/integration/flags/.snapshots/TestMetadataFlags-help +++ b/integration/flags/.snapshots/TestMetadataFlags-help @@ -1,13 +1,27 @@ -Curio is a tool for scanning policy breaches +Curio - discover sensitive data flows and security risks. -Scan Example: - # Scan local repository - $ curio scan +Usage: curio [flags] Available Commands: - scan Scan git repository - init Writes default config to curio.yml + scan Scan a directory or file + init Write the default config to curio.yml version Print the version +Examples: + # Scan local directory or file + $ curio scan + + # Scan current directory and output the data flow to a file + $ curio scan --report dataflow --output . + +Learn More: + Curio scans your source code to discover sensitive data flows + and data security risks in your codebase. This includes detecting + PHI, PII, and PD usage in data stores, internal APIs, and external + APIs. You can run Curio locally or as part of your CI/CD pipeline. + + For more examples, tutorials, and to learn more about the project + visit https://curio.sh + -- diff --git a/integration/flags/.snapshots/TestMetadataFlags-help-scan b/integration/flags/.snapshots/TestMetadataFlags-help-scan index 995c70a18..f21ddcb07 100644 --- a/integration/flags/.snapshots/TestMetadataFlags-help-scan +++ b/integration/flags/.snapshots/TestMetadataFlags-help-scan @@ -1,24 +1,22 @@ -Scan git repository +Scan a directory or file Usage: - scan [flags] PATH + scan [flags] Aliases: scan, s Examples: - # Scan a local project including language-specific files - $ curio s /path/to/your_project - # Scan a single file - $ curio s ./curio-ci-test/Pipfile.lock + # Scan a local project, including language-specific files + $ curio scan /path/to/your_project Scan Flags - --context string expand context of schema classification e.g. --context=health to include data types particular to health - --debug enable debug logs - --disable-domain-resolution do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true - --domain-resolution-timeout duration set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO (default 3s) - --internal-domains strings define regular expressions for better classification of private or unreachable domains eg. --internal-domains="*.my-company.com,private.sh" - --quiet suppress non-essential messages - --skip-path strings specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql + --context string Expand context of schema classification e.g., --context=health, to include data types particular to health + --debug Enable debug logs + --disable-domain-resolution Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true + --domain-resolution-timeout duration Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s (default 3s) + --internal-domains strings Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains="*.my-company.com,private.sh" + --quiet Suppress non-essential messages + --skip-path strings Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql Policy Flags --only-policy strings specify the comma separated ids of the policies you would like to run. Skips all other policies. @@ -37,12 +35,12 @@ Worker Flags --workers int number of processing workers to spawn (default 1) Report Flags - -f, --format string format (json, yaml) (default "json") - --output string path where to save report - --report string specify the kind of report (detectors, dataflow, policies, stats) (default "detectors") + -f, --format string Specify report format (json, yaml) (default "json") + --output string Specify output path for report + --report string Specify the kind of report (detectors, dataflow, policies, stats) (default "detectors") General Flags - --config-file string file from which to load configurations + --config-file string Load configuration from the defined path -- diff --git a/integration/flags/.snapshots/TestMetadataFlags-scan-help b/integration/flags/.snapshots/TestMetadataFlags-scan-help index 995c70a18..f21ddcb07 100644 --- a/integration/flags/.snapshots/TestMetadataFlags-scan-help +++ b/integration/flags/.snapshots/TestMetadataFlags-scan-help @@ -1,24 +1,22 @@ -Scan git repository +Scan a directory or file Usage: - scan [flags] PATH + scan [flags] Aliases: scan, s Examples: - # Scan a local project including language-specific files - $ curio s /path/to/your_project - # Scan a single file - $ curio s ./curio-ci-test/Pipfile.lock + # Scan a local project, including language-specific files + $ curio scan /path/to/your_project Scan Flags - --context string expand context of schema classification e.g. --context=health to include data types particular to health - --debug enable debug logs - --disable-domain-resolution do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true - --domain-resolution-timeout duration set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO (default 3s) - --internal-domains strings define regular expressions for better classification of private or unreachable domains eg. --internal-domains="*.my-company.com,private.sh" - --quiet suppress non-essential messages - --skip-path strings specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql + --context string Expand context of schema classification e.g., --context=health, to include data types particular to health + --debug Enable debug logs + --disable-domain-resolution Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true + --domain-resolution-timeout duration Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s (default 3s) + --internal-domains strings Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains="*.my-company.com,private.sh" + --quiet Suppress non-essential messages + --skip-path strings Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql Policy Flags --only-policy strings specify the comma separated ids of the policies you would like to run. Skips all other policies. @@ -37,12 +35,12 @@ Worker Flags --workers int number of processing workers to spawn (default 1) Report Flags - -f, --format string format (json, yaml) (default "json") - --output string path where to save report - --report string specify the kind of report (detectors, dataflow, policies, stats) (default "detectors") + -f, --format string Specify report format (json, yaml) (default "json") + --output string Specify output path for report + --report string Specify the kind of report (detectors, dataflow, policies, stats) (default "detectors") General Flags - --config-file string file from which to load configurations + --config-file string Load configuration from the defined path -- diff --git a/pkg/commands/app.go b/pkg/commands/app.go index ecc7a765d..101e80f0c 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -29,16 +29,30 @@ func NewApp(version string, commitSHA string) *cobra.Command { } func NewRootCommand() *cobra.Command { - usageTemplate := `Curio is a tool for scanning policy breaches + usageTemplate := `Curio - discover sensitive data flows and security risks. -Scan Example: - # Scan local repository - $ curio scan +Usage: curio [flags] Available Commands: - scan Scan git repository - init Writes default config to curio.yml + scan Scan a directory or file + init Write the default config to curio.yml version Print the version + +Examples: + # Scan local directory or file + $ curio scan + + # Scan current directory and output the data flow to a file + $ curio scan --report dataflow --output . + +Learn More: + Curio scans your source code to discover sensitive data flows + and data security risks in your codebase. This includes detecting + PHI, PII, and PD usage in data stores, internal APIs, and external + APIs. You can run Curio locally or as part of your CI/CD pipeline. + + For more examples, tutorials, and to learn more about the project + visit https://curio.sh ` cmd := &cobra.Command{ diff --git a/pkg/commands/init.go b/pkg/commands/init.go index 5d7de3654..1348d96aa 100644 --- a/pkg/commands/init.go +++ b/pkg/commands/init.go @@ -12,7 +12,7 @@ import ( func NewInitCommand() *cobra.Command { cmd := &cobra.Command{ Use: "init", - Short: "writes default config to curio.yml", + Short: "Generates a default config to `curio.yml`", RunE: func(cmd *cobra.Command, args []string) error { if err := scanFlags.BindForConfigInit(cmd); err != nil { return fmt.Errorf("flag bind error: %w", err) @@ -34,7 +34,7 @@ func NewInitCommand() *cobra.Command { return err } - cmd.PrintErrln("created: curio.yml (default configuration file)") + cmd.PrintErrln("Created: curio.yml (default configuration file)") return nil }, } diff --git a/pkg/commands/scan.go b/pkg/commands/scan.go index 55f1c38d4..f3e8ab27c 100644 --- a/pkg/commands/scan.go +++ b/pkg/commands/scan.go @@ -39,13 +39,11 @@ var scanFlags = &flag.Flags{ func NewScanCommand() *cobra.Command { cmd := &cobra.Command{ - Use: "scan [flags] PATH", + Use: "scan [flags] ", Aliases: []string{"s"}, - Short: "Scan git repository", - Example: ` # Scan a local project including language-specific files - $ curio s /path/to/your_project - # Scan a single file - $ curio s ./curio-ci-test/Pipfile.lock`, + Short: "Scan a directory or file", + Example: ` # Scan a local project, including language-specific files + $ curio scan /path/to/your_project`, PreRunE: func(cmd *cobra.Command, args []string) error { if err := scanFlags.Bind(cmd); err != nil { return xerrors.Errorf("flag bind error: %w", err) diff --git a/pkg/flag/general_flags.go b/pkg/flag/general_flags.go index 393eef7f1..bee14b648 100644 --- a/pkg/flag/general_flags.go +++ b/pkg/flag/general_flags.go @@ -5,7 +5,7 @@ var ( Name: "config-file", ConfigName: "config-file", Value: "", - Usage: "file from which to load configurations", + Usage: "Load configuration from the defined path", DisableInConfig: true, } ) diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go index 191700bb2..ec9c85f13 100644 --- a/pkg/flag/report_flags.go +++ b/pkg/flag/report_flags.go @@ -18,19 +18,19 @@ var ( ConfigName: "report.format", Shorthand: "f", Value: FormatJSON, - Usage: "format (json, yaml)", + Usage: "Specify report format (json, yaml)", } ReportFlag = Flag{ Name: "report", ConfigName: "report.report", Value: ReportDetectors, - Usage: "specify the kind of report (detectors, dataflow, policies, stats)", + Usage: "Specify the kind of report (detectors, dataflow, policies, stats)", } OutputFlag = Flag{ Name: "output", ConfigName: "report.output", Value: "", - Usage: "path where to save report", + Usage: "Specify output path for report", } ) diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go index 275dcec07..76a227ee4 100644 --- a/pkg/flag/scan_flags.go +++ b/pkg/flag/scan_flags.go @@ -16,43 +16,43 @@ var ( Name: "skip-path", ConfigName: "scan.skip-path", Value: []string{}, - Usage: "specify the comma separated files and directories to skip (supports * syntax), eg. --skip-path users/*.go,users/admin.sql", + Usage: "Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql", } DebugFlag = Flag{ Name: "debug", ConfigName: "scan.debug", Value: false, - Usage: "enable debug logs", + Usage: "Enable debug logs", } DisableDomainResolutionFlag = Flag{ Name: "disable-domain-resolution", ConfigName: "scan.disable-domain-resolution", Value: false, - Usage: "do not attempt to resolve detected domains during classification (default false), eg. --disable-domain-resolution=true", + Usage: "Do not attempt to resolve detected domains during classification (default false), e.g. --disable-domain-resolution=true", } DomainResolutionTimeoutFlag = Flag{ Name: "domain-resolution-timeout", ConfigName: "scan.domain-resolution-timeout", Value: 3 * time.Second, - Usage: "set timeout when attempting to resolve detected domains during classification (default 3 seconds), eg. --domain-resolution-timeout=TODO", + Usage: "Set timeout when attempting to resolve detected domains during classification (default 3 seconds), e.g. --domain-resolution-timeout=3s", } InternalDomainsFlag = Flag{ Name: "internal-domains", ConfigName: "scan.internal-domains", Value: []string{}, - Usage: "define regular expressions for better classification of private or unreachable domains eg. --internal-domains=\"*.my-company.com,private.sh\"", + Usage: "Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=\"*.my-company.com,private.sh\"", } ContextFlag = Flag{ Name: "context", ConfigName: "scan.context", Value: "", - Usage: "expand context of schema classification e.g. --context=health to include data types particular to health", + Usage: "Expand context of schema classification e.g., --context=health, to include data types particular to health", } QuietFlag = Flag{ Name: "quiet", ConfigName: "scan.quiet", Value: false, - Usage: "suppress non-essential messages", + Usage: "Suppress non-essential messages", } )