feat(templates): add scan options with 'set' mapping support #1125
ocervell wants to merge 1 commit into
Scan configs can now define options with a 'set' key that automatically
expands into workflow-specific options when the scan option is enabled.
For example, passing --passive to a scan sets passive mode on all
constituent workflows that support it.
- Add _expand_scan_opts() to Scan runner: expands 'set' mappings from
scan config options into run_opts before building child workflows
- Fix scan_opts handling in build_celery_workflow: extract default values
from definition-style options instead of passing the full dicts
- Fix template.py get_config_options: prevent workflow options from
overwriting scan-level options with the same name
- Add conf.pop('set', None) in cli_helper.py to strip 'set' key before
passing option config to click
- Add passive scan option with set mappings to all 5 scan configs:
domain, host, subdomain, url, network
- Add unit tests covering expansion, no-expansion on default=False,
no-override of explicit opts, and CLI option generation
Co-authored-by: Olivier Cervello <ocervell@users.noreply.github.com>
Walkthrough
This PR implements scan-level options with
Changes
Scan-level options with passive mode
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@secator/configs/scans/subdomain.yaml`:
- Around line 20-24: The scan config uses option keys subdomain_recon_passive,
host_recon_passive, url_crawl_passive, and url_vuln_passive that do not match
the workflow inputs (workflows use a generic passive via opts.passive); either
(A) update secator/configs/scans/subdomain.yaml to set the workflow-expected key
(replace those set keys with passive: True or set passive.<component>=True if
the workflow expects a namespaced passive object), or (B) add/alias the specific
keys in the corresponding workflow configs under secator/configs/workflows (add
inputs named subdomain_recon_passive, host_recon_passive, url_crawl_passive,
url_vuln_passive that map into opts.passive or the workflow logic) so the
scan-to-workflow mapping is consistent; adjust whichever files reference
opts.passive and the scan keys (search for opts.passive and the four *_passive
symbols) and make them use the same key names.
📒 Files selected for processing (9)
- secator/cli_helper.py
- secator/configs/scans/domain.yaml
- secator/configs/scans/host.yaml
- secator/configs/scans/network.yaml
- secator/configs/scans/subdomain.yaml
- secator/configs/scans/url.yaml
- secator/runners/scan.py
- secator/template.py
- tests/unit/test_template.py
| set: | ||
| subdomain_recon_passive: True | ||
| host_recon_passive: True | ||
| url_crawl_passive: True | ||
| url_vuln_passive: True |
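Review bot: the four keys under set: (subdomain_recon_passive, host_recon_passive, url_crawl_passive, url_vuln_passive) are free-form strings, and nothing in this hunk shows them being checked against the options the child workflows declare. Because this mapping is what carries --passive down to each workflow, a key that is misspelled or does not resolve should fail loudly rather than be dropped, otherwise that workflow keeps running in its default mode while the user believes the scan is passive. Suggest rejecting unknown set keys when the scan config is loaded and adding a case for it in tests/unit/test_template.py.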
🧩 Analysis chain
🏁 Script executed:
```shell
#!/bin/bash
# Description: Verify that the workflow options referenced in the set mapping exist in their respective workflow configs.
# Expected: Each workflow config should define a passive option
echo "Checking subdomain_recon workflow for passive option:"
rg -n 'passive' secator/configs/workflows/subdomain_recon.yaml
echo -e "\nChecking host_recon workflow for passive option:"
rg -n 'passive' secator/configs/workflows/host_recon.yaml
echo -e "\nChecking url_crawl workflow for passive option:"
rg -n 'passive' secator/configs/workflows/url_crawl.yaml
echo -e "\nChecking url_vuln workflow for passive option:"
rg -n 'passive' secator/configs/workflows/url_vuln.yaml
```
Repository: freelabz/secator
Length of output: 2272
🏁 Script executed:
```shell
#!/bin/bash
rg -n '(subdomain_recon_passive|host_recon_passive|url_crawl_passive|url_vuln_passive)' secator/configs/workflows
```
Repository: freelabz/secator
Length of output: 42
Fix scan set keys to match workflow input names (or add matching workflow inputs).
The workflows define a generic passive: input (using opts.passive), but the exact option keys referenced by the scan—subdomain_recon_passive, host_recon_passive, url_crawl_passive, url_vuln_passive—do not appear in secator/configs/workflows (no matches). Either update secator/configs/scans/subdomain.yaml to set the workflow’s expected passive option(s), or add/alias these *_passive option names in the corresponding workflow configs so the mapping is valid.
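The expansion rules listed in the commit message (no expansion when the option is off, explicit options not overridden) and the key-mismatch finding in the review comment above can be exercised together. This is an added example, not code from secator or from this PR; the config shapes, the function names `expand_scan_opts` and `unresolved_set_keys`, and the `<workflow>_<option>` key convention are assumptions, and the sample data is constructed.

```python
# Added illustration, not secator's implementation. Config shapes and the
# "<workflow>_<option>" naming convention are assumptions.

# Constructed sample: scan-level options as a scan config might declare them.
SCAN_OPTIONS = {
    "passive": {
        "is_flag": True,
        "default": False,
        "set": {
            "subdomain_recon_passive": True,
            "host_recon_passive": True,
            "url_crawl_passive": True,
            "url_vuln_pasive": True,  # constructed typo: resolves to nothing
        },
    },
}

# Constructed sample: option names each child workflow declares.
WORKFLOW_OPTIONS = {
    "subdomain_recon": {"passive"},
    "host_recon": {"passive"},
    "url_crawl": {"passive"},
    "url_vuln": {"passive"},
}


def expand_scan_opts(scan_options, run_opts):
    """Return run_opts plus the 'set' targets of every enabled scan option."""
    expanded = dict(run_opts)
    for name, conf in scan_options.items():
        enabled = run_opts.get(name, conf.get("default", False))
        if not enabled:
            continue  # option off (or default False): nothing is expanded
        for key, value in conf.get("set", {}).items():
            expanded.setdefault(key, value)  # explicitly passed opts win
    return expanded


def unresolved_set_keys(scan_options, workflow_options):
    """List 'set' keys that match no declared <workflow>_<option> name."""
    known = {f"{wf}_{opt}" for wf, opts in workflow_options.items() for opt in opts}
    return sorted(
        key
        for conf in scan_options.values()
        for key in conf.get("set", {})
        if key not in known
    )
```

Running `unresolved_set_keys` at config load and refusing to start on a non-empty result keeps a mistyped mapping from leaving one workflow active during a scan that was requested as passive.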
Closes #1118
Summary
- `set` key that expands into workflow-specific options when enabled
- `--passive` scan-level option to all 5 scan configs (domain, host, subdomain, url, network)
- `set` key from click option configs

Generated with Claude Code
Summary by CodeRabbit
New Features
- `--passive` flag to domain, host, network, subdomain, and URL scans for passive assessment. When enabled, all scanning stages operate without making active network requests.
Bug Fixes
Tests