flag(enrich)!: new format flag

BREAKING CHANGE: add --enrichment flag to replace --containers

Author: josedonizetti

cmd/tracee/cmd/man.go

@@ -55,14 +55,13 @@ func init() {
 		capabilitiesCmd,
 		captureCmd,
 		configCmd,
-		containersCmd,
+		enrichmentCmd,
 		eventCmd,
 		eventsCmd,
 		loggingCmd,
 		outputCmd,
 		scopeCmd,
 		serverCmd,
-		eventCmd,
 		storesCmd,
 	)
 }
@@ -117,12 +116,12 @@ var configCmd = &cobra.Command{
 	},
 }
 
-var containersCmd = &cobra.Command{
-	Use:     "containers",
+var enrichmentCmd = &cobra.Command{
+	Use:     "enrichment",
 	Aliases: []string{},
-	Short:   "Show manual page for the --containers flag",
+	Short:   "Show manual page for the --enrichment flag",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return runManForFlag("containers")
+		return runManForFlag("enrichment")
 	},
 }
 

cmd/tracee/cmd/root.go

@@ -161,11 +161,11 @@ func initCmd() error {
 	// Container flags
 
 	rootCmd.Flags().StringArray(
-		flags.ContainersFlag,
+		flags.EnrichmentFlag,
 		[]string{},
-		"Configure container enrichment and runtime sockets for container events enrichment (see documentation)",
+		"[container|resolve-fd...]\t\tConfigure enrichment for container events and other enrichment features",
 	)
-	err = viper.BindPFlag(flags.ContainersFlag, rootCmd.Flags().Lookup(flags.ContainersFlag))
+	err = viper.BindPFlag(flags.EnrichmentFlag, rootCmd.Flags().Lookup(flags.EnrichmentFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

docs/docs/flags/containers.1.md

@@ -0,0 +1,125 @@
+---
+title: TRACEE-ENRICHMENT
+section: 1
+header: Tracee Enrichment Flag Manual
+date: 2025/12
+...
+
+## NAME
+
+tracee **\-\-enrichment** - Configure enrichment for container events and other enrichment options
+
+## SYNOPSIS
+
+tracee **\-\-enrichment** [container|container.cgroupfs.path=*path*|container.cgroupfs.force|container.docker.socket=*socket_path*|container.containerd.socket=*socket_path*|container.crio.socket=*socket_path*|container.podman.socket=*socket_path*|resolve-fd|exec-hash|exec-hash.mode=*mode*|user-stack-trace] [**\-\-enrichment** ...]
+
+## DESCRIPTION
+
+The `--enrichment` flag allows you to configure enrichment options for container events and other enrichment features.
+
+### Flags
+
+- **container**: Enable container enrichment with default settings. When enabled, Tracee will enrich container events with container information.
+
+- **container.cgroupfs.path**=*path*: Enable container enrichment and configure the path to the cgroupfs where container cgroups are created. This is used as a hint for auto-detection. **Note**: Using this option automatically enables container, so you don't need to also specify `--enrichment container`.
+  Example:
+  ```console
+  --enrichment container.cgroupfs.path=/sys/fs/cgroup
+  ```
+
+- **container.cgroupfs.force**: Force the usage of the provided mountpoint path, skipping auto-detection. **Note**: This option requires `container.cgroupfs.path` to be set. It cannot be used alone.
+  Example:
+  ```console
+  --enrichment container.cgroupfs.path=/sys/fs/cgroup container.cgroupfs.force
+  ```
+
+- **container.docker.socket**=*socket_path*: Enable container enrichment and configure container runtime sockets for enrichment. Configure the path to the Docker socket. **Note**: Using this option automatically enables container, so you don't need to also specify `--enrichment container`.
+  Example:
+  ```console
+  --enrichment container.docker.socket=/var/run/docker.sock
+  ```
+
+- **container.containerd.socket**=*socket_path*: Enable container enrichment and configure container runtime sockets for enrichment. Configure the path to the Containerd socket. **Note**: Using this option automatically enables container, so you don't need to also specify `--enrichment container`.
+  Example:
+  ```console
+  --enrichment container.containerd.socket=/var/run/containerd/containerd.sock
+  ```
+
+- **container.crio.socket**=*socket_path*: Enable container enrichment and configure container runtime sockets for enrichment. Configure the path to the CRI-O socket. **Note**: Using this option automatically enables container, so you don't need to also specify `--enrichment container`.
+  Example:
+  ```console
+  --enrichment container.crio.socket=/var/run/crio/crio.sock
+  ```
+
+- **container.podman.socket**=*socket_path*: Enable container enrichment and configure container runtime sockets for enrichment. Configure the path to the Podman socket. **Note**: Using this option automatically enables container, so you don't need to also specify `--enrichment container`.
+  Example:
+  ```console
+  --enrichment container.podman.socket=/var/run/podman/podman.sock
+  ```
+
+  Supported container runtimes for socket configuration:
+  - CRI-O      (`crio`, `cri-o`)
+  - Containerd (`containerd`)
+  - Docker     (`docker`)
+  - Podman     (`podman`)
+
+- **resolve-fd**
+  Enable resolve-fd. Presence of the flag enables it, absence disables it.
+  Example:
+  ```console
+  --enrichment resolve-fd
+  ```
+
+- **exec-hash**: Enable exec-hash with default settings. When enabled, Tracee will compute hash values for executed binaries.
+
+- **exec-hash.mode**=*mode*: Enable exec-hash and configure the mode for exec-hash. **Note**: Using this option automatically enables exec-hash, so you don't need to also specify `--enrichment exec-hash`.
+  Example:
+  ```console
+  --enrichment exec-hash.mode=sha256
+  ```
+
+- **user-stack-trace**
+  Enable user-stack-trace. Presence of the flag enables it, absence disables it.
+  Example:
+  ```console
+  --enrichment user-stack-trace
+  ```
+
+## EXAMPLES
+
+1. Enable container enrichment:
+   ```console
+   --enrichment container
+   ```
+
+2. Configure Docker socket:
+   ```console
+   --enrichment container.docker.socket=/var/run/docker.sock
+   ```
+   Note: `container.docker.socket` automatically enables container, so `--enrichment container` is not needed.
+
+3. Set the cgroupfs path:
+   ```console
+   --enrichment container.cgroupfs.path=/sys/fs/cgroup
+   ```
+   Note: `container.cgroupfs.path` automatically enables container, so `--enrichment container` is not needed.
+
+4. Combine multiple flags:
+   ```console
+   --enrichment container.docker.socket=/var/run/docker.sock container.cgroupfs.path=/sys/fs/cgroup
+   ```
+   Note: Since `container.docker.socket` and `container.cgroupfs.path` automatically enable container, you don't need `--enrichment container`.
+
+5. Enable resolve-fd and exec-hash:
+   ```console
+   --enrichment resolve-fd exec-hash
+   ```
+
+6. Enable exec-hash with custom mode:
+   ```console
+   --enrichment exec-hash.mode=sha256
+   ```
+   Note: `exec-hash.mode` automatically enables exec-hash, so `--enrichment exec-hash` is not needed.
+
+Please refer to the [documentation](../install/container-engines.md) for more information on container events enrichment.
+

docs/docs/flags/enrichment.1.md

@@ -101,24 +101,36 @@ filters, destination file and others.
 
 ### Containers
 
-- To disable container enrichment use: **`--containers enrich=false`**.
+- To enable container enrichment, include the flag: **`--enrichment container`**. To disable it, simply omit the flag. Note: Setting any container sub-option (e.g., `container.docker.socket=/path`) automatically enables container, so `--enrichment container` is not needed.
 
   YAML:
   ```yaml
-  containers:
-    enrich: false
+  enrichment:
+    container:
+      enabled: true
   ```
 
-  __NOTE__: You can view more in the [containers section](../../flags/containers.1.md).
+  __NOTE__: You can view more in the [enrichment section](../../flags/enrichment.1.md).
 
-- **`--containers`**: Configures container enrichment and runtime sockets. For example, to configure runtime sockets:
+- **`--enrichment`**: Configures enrichment options including container enrichment and runtime sockets. For example, to configure runtime sockets:
 
   YAML:
   ```yaml
-  containers:
-    sockets:
-      - runtime: docker
-        socket: /var/run/docker.sock
+  enrichment:
+    container:
+      enabled: true
+      cgroupfs:
+        path: /host/sys/fs/cgroup
+        force: false
+      docker-socket: /var/run/docker.sock
+      containerd-socket: /var/run/containerd/containerd.sock
+      crio-socket: /var/run/crio/crio.sock
+      podman-socket: /var/run/podman/podman.sock
+    resolve-fd: true
+    exec-hash:
+      enabled: true
+      mode: sha256
+    user-stack-trace: true
   ```
 
 ### Capabilities