feat(templates): add scan options with 'set' mapping support #1125

Draft
ocervell wants to merge 1 commit into main from claude/issue-1118-20260605-1137

@ocervell ocervell commented Jun 5, 2026

Closes #1118

Summary

  • Scan configs can define options with a set key that expands into workflow-specific options when enabled
  • Adds --passive scan-level option to all 5 scan configs (domain, host, subdomain, url, network)
  • Fixes scan option handling to extract default values from definition dicts
  • Prevents workflow options from overwriting scan-level options with same name
  • Strips internal set key from click option configs
  • 5 new unit tests

Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added --passive flag to domain, host, network, subdomain, and URL scans for passive assessment. When enabled, all scanning stages operate without making active network requests.
  • Bug Fixes

    • Fixed command option parameter handling to prevent invalid parameters in command decorators.
  • Tests

    • Added comprehensive tests for scan-level configuration options, passive mode expansion, and override protection.

Scan configs can now define options with a 'set' key that automatically
expands into workflow-specific options when the scan option is enabled.
For example, passing --passive to a scan sets passive mode on all
constituent workflows that support it.

- Add _expand_scan_opts() to Scan runner: expands 'set' mappings from
  scan config options into run_opts before building child workflows
- Fix scan_opts handling in build_celery_workflow: extract default values
  from definition-style options instead of passing the full dicts
- Fix template.py get_config_options: prevent workflow options from
  overwriting scan-level options with the same name
- Add conf.pop('set', None) in cli_helper.py to strip 'set' key before
  passing option config to click
- Add passive scan option with set mappings to all 5 scan configs:
  domain, host, subdomain, url, network
- Add unit tests covering expansion, no-expansion on default=False,
  no-override of explicit opts, and CLI option generation

Co-authored-by: Olivier Cervello <ocervell@users.noreply.github.com>
coderabbitai Bot commented Jun 5, 2026

Walkthrough

This PR implements scan-level options with set mappings to control workflow options. Scan configs define passive flags that expand into child workflow options; the runner handles expansion, the CLI filters set keys, and the template prevents naming conflicts.

Changes

Scan-level options with passive mode

| Layer / File(s) | Summary |
|---|---|
| Scan configuration and CLI filtering: secator/cli_helper.py, secator/configs/scans/domain.yaml, secator/configs/scans/host.yaml, secator/configs/scans/network.yaml, secator/configs/scans/subdomain.yaml, secator/configs/scans/url.yaml | Adds options.passive flag to five scan configs with set mappings that enable passive-mode workflow options (e.g., domain_recon_passive, url_crawl_passive). CLI helper removes the set key before passing option config to Click to prevent unrecognized parameters. |
| Scan runner option expansion and workflow wiring: secator/runners/scan.py | Scan._expand_scan_opts() reads option definitions, detects enabled options with set mappings, and injects those mappings into run options for child workflows. build_celery_workflow refactored to extract option defaults from dict-style definitions and build scan options used in orchestration. |
| Template workflow option conflict detection: secator/template.py | Workflow option conflict detection expands to include top-level config option keys as conflicts, causing conflicting workflow options to be renamed with a prefix to avoid overwriting scan-level options. |
| Test fixtures and validation: tests/unit/test_template.py | Adds scan_config_with_opts fixture and five test cases validating option name preservation, set mapping expansion, default behavior, explicit option preservation, and workflow condition handling during dry runs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A passive scan option springs to life,
With set keys mapping through the strife,
Child workflows bend to parent's will,
Config options, renamed at skill,
All tested, true, and tuned just right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 76.92% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding support for scan options with 'set' mapping functionality. |
| Linked Issues check | ✅ Passed | The PR fully implements the requirements from issue #1118: scan options with 'set' mappings that control workflow options, including _expand_scan_opts(), passive flags across five scan configs, and comprehensive unit tests. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing scan options with 'set' mapping support as specified in issue #1118; no unrelated modifications detected. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@secator/configs/scans/subdomain.yaml`:
- Around line 20-24: The scan config uses option keys subdomain_recon_passive,
host_recon_passive, url_crawl_passive, and url_vuln_passive that do not match
the workflow inputs (workflows use a generic passive via opts.passive); either
(A) update secator/configs/scans/subdomain.yaml to set the workflow-expected key
(replace those set keys with passive: True or set passive.<component>=True if
the workflow expects a namespaced passive object), or (B) add/alias the specific
keys in the corresponding workflow configs under secator/configs/workflows (add
inputs named subdomain_recon_passive, host_recon_passive, url_crawl_passive,
url_vuln_passive that map into opts.passive or the workflow logic) so the
scan-to-workflow mapping is consistent; adjust whichever files reference
opts.passive and the scan keys (search for opts.passive and the four *_passive
symbols) and make them use the same key names.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fc29de27-08cd-4943-82f3-32b2a2515518

📥 Commits

Reviewing files that changed from the base of the PR and between f712990 and 89e10f7.

📒 Files selected for processing (9)
  • secator/cli_helper.py
  • secator/configs/scans/domain.yaml
  • secator/configs/scans/host.yaml
  • secator/configs/scans/network.yaml
  • secator/configs/scans/subdomain.yaml
  • secator/configs/scans/url.yaml
  • secator/runners/scan.py
  • secator/template.py
  • tests/unit/test_template.py

Comment on lines +20 to +24
set:
subdomain_recon_passive: True
host_recon_passive: True
url_crawl_passive: True
url_vuln_passive: True
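
Review bot: The four keys under set: (subdomain_recon_passive, host_recon_passive, url_crawl_passive, url_vuln_passive) are free-form strings, and nothing in these lines ties them to an option a child workflow actually reads. If one of them does not resolve, --passive would be accepted while that workflow keeps its active behaviour. Suggest that the expansion step warn or fail on a set key that matches no workflow option, and add a test that loads this file and checks every key under set: resolves.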

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the workflow options referenced in the set mapping exist in their respective workflow configs.

# Expected: Each workflow config should define a passive option
echo "Checking subdomain_recon workflow for passive option:"
rg -n 'passive' secator/configs/workflows/subdomain_recon.yaml

echo -e "\nChecking host_recon workflow for passive option:"
rg -n 'passive' secator/configs/workflows/host_recon.yaml

echo -e "\nChecking url_crawl workflow for passive option:"
rg -n 'passive' secator/configs/workflows/url_crawl.yaml

echo -e "\nChecking url_vuln workflow for passive option:"
rg -n 'passive' secator/configs/workflows/url_vuln.yaml

Repository: freelabz/secator

Length of output: 2272


🏁 Script executed:

#!/bin/bash
rg -n '(subdomain_recon_passive|host_recon_passive|url_crawl_passive|url_vuln_passive)' secator/configs/workflows

Repository: freelabz/secator

Length of output: 42


Fix scan set keys to match workflow input names (or add matching workflow inputs).

The workflows define a generic passive: input (using opts.passive), but the exact option keys referenced by the scan—subdomain_recon_passive, host_recon_passive, url_crawl_passive, url_vuln_passive—do not appear in secator/configs/workflows (no matches). Either update secator/configs/scans/subdomain.yaml to set the workflow’s expected passive option(s), or add/alias these *_passive option names in the corresponding workflow configs so the mapping is valid.

@ocervell ocervell marked this pull request as draft June 10, 2026 09:13
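
The expansion rules listed in the commit message (expand when the scan option is enabled, no expansion on default=False, no override of explicit opts, strip 'set' before Click), combined with the key check the review asks for, as an added sketch that is not secator's code. `expand_set_mappings`, `click_option_config`, `SCAN_OPTIONS` and `KNOWN_WORKFLOW_OPTS` are hypothetical names, and the set of known workflow options is constructed for the demonstration.

```python
# Added illustration, not secator's code. All names and sample data are constructed.

SCAN_OPTIONS = {  # scan-level option definitions, shaped as the PR describes them
    "passive": {
        "is_flag": True,
        "default": False,
        "set": {
            "subdomain_recon_passive": True,
            "host_recon_passive": True,
            "url_crawl_passive": True,
            "url_vuln_passive": True,
        },
    },
}
# Assumption for the demo: only three of the four targets exist downstream.
KNOWN_WORKFLOW_OPTS = {"subdomain_recon_passive", "host_recon_passive", "url_crawl_passive"}


def expand_set_mappings(option_defs, run_opts, known_opts):
    """Return (expanded_opts, unresolved) for the enabled scan options.

    A scan option counts as enabled when the caller passed a truthy value, or
    passed nothing and its definition's 'default' is truthy.
    """
    expanded = dict(run_opts)
    unresolved = []
    for name, definition in option_defs.items():
        value = run_opts.get(name)
        if value is None:
            value = definition.get("default", False)
        if not value:
            continue
        for key, mapped in definition.get("set", {}).items():
            if key not in known_opts:
                unresolved.append((name, key))  # would otherwise be a silent no-op
            elif key not in expanded:
                expanded[key] = mapped  # explicit caller values are kept
    return expanded, unresolved


def click_option_config(definition):
    """Copy of a definition without the internal 'set' key."""
    conf = dict(definition)
    conf.pop("set", None)
    return conf
```

A caller that wants `--passive` to fail closed can refuse to start the scan when `unresolved` is non-empty.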
Labels

  • core
  • enhancement: New feature or request
  • status-needs-change
  • status-needs-human: Needs a human design decision / validation before merge
  • status-needs-testing
  • templates

Development

Successfully merging this pull request may close these issues.

feat(templates): add scan options
