aquasecurity · rafaeldtinoco · Jun 23, 2023 · Jun 14, 2023 · yanivagman · Jun 22, 2023
diff --git a/cmd/tracee-rules/main.go b/cmd/tracee-rules/main.go
@@ -54,10 +54,15 @@ func main() {
 				return fmt.Errorf("invalid target specified: %s", strings.ToLower(c.String("rego-runtime-target")))
 			}
 
+			var rulesDir []string
+			if c.String("rules-dir") != "" {
+				rulesDir = []string{c.String("rules-dir")}
+			}
+
 			sigs, err := signature.Find(
 				target,
 				c.Bool("rego-partial-eval"),
-				c.String("rules-dir"),
+				rulesDir,
 				c.StringSlice("rules"),
 				c.Bool("rego-aio"),
 			)

diff --git a/cmd/tracee/cmd/list.go b/cmd/tracee/cmd/list.go
@@ -15,10 +15,10 @@ import (
 
 func init() {
 	rootCmd.AddCommand(listCmd)
-	listCmd.Flags().String(
+	listCmd.Flags().StringArray(
 		"signatures-dir",
-		"",
-		"Directory where to search for signatures in CEL (.yaml), OPA (.rego), and Go plugin (.so) formats",
+		[]string{},
+		"Directories where to search for signatures in CEL (.yaml), OPA (.rego), and Go plugin (.so) formats",
 	)
 }
 
@@ -30,7 +30,7 @@ var listCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		// Get signatures to update event list
 
-		sigsDir, err := cmd.Flags().GetString("signatures-dir")
+		sigsDir, err := cmd.Flags().GetStringArray("signatures-dir")
 		if err != nil {
 			logger.Fatalw("Failed to get signatures-dir flag", "err", err)
 			os.Exit(1)

diff --git a/cmd/tracee/cmd/root.go b/cmd/tracee/cmd/root.go
@@ -148,10 +148,10 @@ func initCmd() error {
 
 	// Signature flags
 
-	rootCmd.Flags().String(
+	rootCmd.Flags().StringArray(
 		"signatures-dir",
-		"",
-		"Directory where to search for signatures in CEL (.yaml), OPA (.rego), and Go plugin (.so) formats",
+		[]string{},
+		"Directories where to search for signatures in CEL (.yaml), OPA (.rego), and Go plugin (.so) formats",
 	)
 	err = viper.BindPFlag("signatures-dir", rootCmd.Flags().Lookup("signatures-dir"))
 	if err != nil {

diff --git a/docs/docs/events/custom/overview.md b/docs/docs/events/custom/overview.md
@@ -14,6 +14,10 @@ tracee --signatures-dir=/tmp/myevents
 !!! Tip
     Tracee also uses the custom events to add a few events, if you pass your own directory
     for `signatures-dir` you will not load the tracee [Behaviour events](../builtin/signatures.md), 
-    to avoid such problems, place your own events under the same directory of the tracee custom events. 
+    to avoid such problems, you can either place your own events under the same directory of the tracee custom events,
+    or pass multiple directories for example:
+    ```
+    tracee --signatures-dir=/tmp/myevents --signatures-dir=./dist/signatures
+    ```
 
 👈 Please use the side-navigation on the left in order to browse the different topics.
diff --git a/pkg/cmd/cobra/cobra.go b/pkg/cmd/cobra/cobra.go
@@ -48,7 +48,7 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	sigs, err := signature.Find(
 		rego.RuntimeTarget,
 		rego.PartialEval,
-		viper.GetString("signatures-dir"),
+		viper.GetStringSlice("signatures-dir"),
 		nil,
 		rego.AIO,
 	)

diff --git a/pkg/signatures/signature/signature.go b/pkg/signatures/signature/signature.go
@@ -16,28 +16,40 @@ import (
 	"github.com/aquasecurity/tracee/types/detect"
 )
 
-func Find(target string, partialEval bool, signaturesDir string, signatures []string, aioEnabled bool) ([]detect.Signature, error) {
-	if signaturesDir == "" {
+func Find(target string, partialEval bool, signaturesDir []string, signatures []string, aioEnabled bool) ([]detect.Signature, error) {
+	if len(signaturesDir) == 0 {
 		exePath, err := os.Executable()
 		if err != nil {
 			logger.Errorw("Getting executable path: " + err.Error())
 		}
-		signaturesDir = filepath.Join(filepath.Dir(exePath), "signatures")
+		signaturesDir = []string{filepath.Join(filepath.Dir(exePath), "signatures")}
 	}
-	gosigs, err := findGoSigs(signaturesDir)
-	if err != nil {
-		return nil, err
-	}
-	opasigs, err := findRegoSigs(target, partialEval, signaturesDir, aioEnabled)
-	if err != nil {
-		return nil, err
-	}
-	sigs := append(gosigs, opasigs...)
-	celsigs, err := celsig.NewSignaturesFromDir(signaturesDir)
-	if err != nil {
-		return nil, fmt.Errorf("failed loading CEL signatures: %w", err)
+	var sigs []detect.Signature
+
+	for _, dir := range signaturesDir {
+		if strings.TrimSpace(dir) == "" {
+			continue
+		}
+
+		gosigs, err := findGoSigs(dir)
+		if err != nil {
+			return nil, err
+		}
+
+		sigs = append(sigs, gosigs...)
+
+		opasigs, err := findRegoSigs(target, partialEval, dir, aioEnabled)
+		if err != nil {
+			return nil, err
+		}
+		sigs = append(sigs, opasigs...)
+
+		celsigs, err := celsig.NewSignaturesFromDir(dir)
+		if err != nil {
+			return nil, fmt.Errorf("failed loading CEL signatures: %w", err)
+		}
+		sigs = append(sigs, celsigs...)
 	}
-	sigs = append(sigs, celsigs...)
 
 	var res []detect.Signature
 	if signatures == nil {

diff --git a/pkg/signatures/signature/signature_test.go b/pkg/signatures/signature/signature_test.go
@@ -20,7 +20,7 @@ const (
 )
 
 func TestFindByEventName(t *testing.T) {
-	sigs, err := Find(compile.TargetRego, false, exampleRulesDir, []string{"anti_debugging"}, false)
+	sigs, err := Find(compile.TargetRego, false, []string{exampleRulesDir}, []string{"anti_debugging"}, false)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(sigs))
 
@@ -41,7 +41,7 @@ func TestFindByEventName(t *testing.T) {
 }
 
 func TestFindByRuleID(t *testing.T) {
-	sigs, err := Find(compile.TargetRego, false, exampleRulesDir, []string{"TRC-2"}, false)
+	sigs, err := Find(compile.TargetRego, false, []string{exampleRulesDir}, []string{"TRC-2"}, false)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(sigs))