feat(flags): simplify detectors flag and add short aliases

- Change --detectors to accept paths directly (no yaml-dir= prefix)
- Add -d alias for --detectors, -E alias for --enrichment
- Simplify config file format to flat list under detectors key
- Update --buffers description to 'Set buffers size'
- Add detectors man page and update man index with new aliases

Author: yanivagman

cmd/tracee/cmd/man.go

@@ -55,6 +55,7 @@ func init() {
 		capabilitiesCmd,
 		artifactsCmd,
 		configCmd,
+		detectorsCmd,
 		enrichmentCmd,
 		eventCmd,
 		eventsCmd,
@@ -122,9 +123,18 @@ var configCmd = &cobra.Command{
 	},
 }
 
+var detectorsCmd = &cobra.Command{
+	Use:     "detectors",
+	Aliases: []string{"d"},
+	Short:   "Show manual page for the --detectors flag",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runManForFlag("detectors")
+	},
+}
+
 var enrichmentCmd = &cobra.Command{
 	Use:     "enrichment",
-	Aliases: []string{},
+	Aliases: []string{"E"},
 	Short:   "Show manual page for the --enrichment flag",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return runManForFlag("enrichment")

cmd/tracee/cmd/root.go

@@ -152,8 +152,9 @@ func initCmd() error {
 
 	// Container flags
 
-	rootCmd.Flags().StringArray(
+	rootCmd.Flags().StringArrayP(
 		flags.EnrichmentFlag,
+		"E",
 		[]string{},
 		"[container|resolve-fd...]\t\tConfigure enrichment for container events and other enrichment features",
 	)
@@ -190,10 +191,11 @@ func initCmd() error {
 
 	// Detector flags
 
-	rootCmd.Flags().StringArray(
+	rootCmd.Flags().StringArrayP(
 		flags.DetectorsFlag,
+		"d",
 		[]string{},
-		"[yaml-dir=<dir>]\t\t\tConfigure YAML detector search directories",
+		"[path...]\t\t\t\tConfigure YAML detector search directories",
 	)
 	err = viper.BindPFlag(flags.DetectorsFlag, rootCmd.Flags().Lookup(flags.DetectorsFlag))
 	if err != nil {
@@ -211,7 +213,7 @@ func initCmd() error {
 			fmt.Sprintf("kernel.artifacts=%d", flags.GetDefaultPerfBufferSize()),
 			"pipeline=1000",
 		},
-		"[kernel.events|...]\t\tSize for kernel and user buffers",
+		"[kernel.events|...]\t\tSet buffers size",
 	)
 	err = viper.BindPFlag(flags.BuffersFlag, rootCmd.Flags().Lookup(flags.BuffersFlag))
 	if err != nil {

docs/docs/detectors/yaml-detectors.md

@@ -910,15 +910,14 @@ Specify custom directories using:
 
 **CLI Flag:**
 ```bash
-tracee --detectors yaml-dir=/custom/path
+tracee --detectors /custom/path
 ```
 
 **Config File:**
 ```yaml
 detectors:
-  yaml-dir:
-    - /custom/path1
-    - /custom/path2
+  - /custom/path1
+  - /custom/path2
 ```
 
 ## Validation

docs/docs/flags/buffers.1.md

@@ -7,7 +7,7 @@ date: 2025/12
 
 ## NAME
 
-tracee **\-\-buffers** - Configure the buffers sizes for kernel and user buffers
+tracee **\-\-buffers** - Set kernel/user buffers size
 
 ## SYNOPSIS
 

docs/docs/flags/detectors.1.md

@@ -0,0 +1,49 @@
+---
+title: TRACEE-DETECTORS
+section: 1
+header: Tracee Detectors Flag Manual
+date: 2026/01
+...
+
+## NAME
+
+tracee **\-\-detectors** - Configure YAML detector search directories
+
+## SYNOPSIS
+
+tracee **\-\-detectors** [path...] [**\-\-detectors** path...]
+
+## DESCRIPTION
+
+The **\-\-detectors** flag lets you add directories or files to search for YAML detectors and shared lists.
+
+Each path can be a directory or a YAML file. If not specified, Tracee uses the default search path `/etc/tracee/detectors`.
+
+## EXAMPLES
+
+1. Use the default search path:
+   ```console
+   tracee
+   ```
+
+2. Add a custom directory:
+   ```console
+   --detectors /custom/detectors
+   ```
+
+3. Add multiple directories:
+   ```console
+   --detectors /dir1 --detectors /dir2
+   ```
+
+4. Add a specific YAML detector file:
+   ```console
+   --detectors ./detectors/suspicious_exec.yaml
+   ```
+
+5. Config file format:
+   ```yaml
+   detectors:
+     - /custom/path1
+     - /custom/path2
+   ```

docs/docs/flags/man.1.md

@@ -25,7 +25,8 @@ The **man** command accepts subcommands that correspond to tracee flags:
 - **buffers** - Show manual page for the --buffers flag
 - **capabilities**, **C** - Show manual page for the --capabilities flag
 - **config**, **c** - Show manual page for the --config flag
-- **enrichment** - Show manual page for the --enrichment flag
+- **detectors**, **d** - Show manual page for the --detectors flag
+- **enrichment**, **E** - Show manual page for the --enrichment flag
 - **events**, **e** - Show manual page for the --events flag
 - **list** - Show manual page for the list command
 - **list-events** - Show manual page for the list events subcommand

docs/man/buffers.1

@@ -2,11 +2,11 @@
 .\"
 .TH "TRACEE\-BUFFERS" "1" "2025/12" "" "Tracee Buffers Flag Manual"
 .SS NAME
-tracee \f[B]\-\-buffers\f[R] \- Configure the buffers sizes for kernel
-and user buffers
+tracee \f[B]\-\-buffers\f[R] \- Set kernel/user buffers size
 .SS SYNOPSIS
-tracee \f[B]\-\-buffers\f[R] [kernel.events=<size> | kernel.artifacts=<size>
-| kernel.control\-plane=<size> | pipeline=<size>] \&...
+tracee \f[B]\-\-buffers\f[R] [kernel.events=<size> |
+kernel.artifacts=<size> | kernel.control\-plane=<size> |
+pipeline=<size>] \&...
 [\f[B]\-\-buffers\f[R] [kernel.events=<size> | kernel.artifacts=<size> |
 kernel.control\-plane=<size> | pipeline=<size>] \&...]
 .SS DESCRIPTION
@@ -24,8 +24,8 @@ Possible buffer options:
 \f[B]kernel.events=<size>\f[R]: Sets the size, in pages, of the internal
 perf ring buffer used to submit events from the kernel.
 .IP \[bu] 2
-\f[B]kernel.artifacts=<size>\f[R]: Sets the size, in pages, of the internal
-perf ring buffer used to send artifacts from the kernel.
+\f[B]kernel.artifacts=<size>\f[R]: Sets the size, in pages, of the
+internal perf ring buffer used to send artifacts from the kernel.
 .IP \[bu] 2
 \f[B]kernel.control\-plane=<size>\f[R]: Sets the size, in pages, of the
 internal perf ring buffer used to submit events from the control plane.

docs/man/detectors.1

@@ -0,0 +1,59 @@
+.\" Automatically generated by Pandoc 3.2
+.\"
+.TH "TRACEE\-DETECTORS" "1" "2026/01" "" "Tracee Detectors Flag Manual"
+.SS NAME
+tracee \f[B]\-\-detectors\f[R] \- Configure YAML detector search
+directories
+.SS SYNOPSIS
+tracee \f[B]\-\-detectors\f[R] [path\&...]
+[\f[B]\-\-detectors\f[R] path\&...]
+.SS DESCRIPTION
+The \f[B]\-\-detectors\f[R] flag lets you add directories or files to
+search for YAML detectors and shared lists.
+.PP
+Each path can be a directory or a YAML file.
+If not specified, Tracee uses the default search path
+\f[CR]/etc/tracee/detectors\f[R].
+.SS EXAMPLES
+.IP "1." 3
+Use the default search path:
+.RS 4
+.IP
+.EX
+tracee
+.EE
+.RE
+.IP "2." 3
+Add a custom directory:
+.RS 4
+.IP
+.EX
+\-\-detectors /custom/detectors
+.EE
+.RE
+.IP "3." 3
+Add multiple directories:
+.RS 4
+.IP
+.EX
+\-\-detectors /dir1 \-\-detectors /dir2
+.EE
+.RE
+.IP "4." 3
+Add a specific YAML detector file:
+.RS 4
+.IP
+.EX
+\-\-detectors ./detectors/suspicious_exec.yaml
+.EE
+.RE
+.IP "5." 3
+Config file format:
+.RS 4
+.IP
+.EX
+detectors\f[B]:\f[R]
+  \f[B]\-\f[R] /custom/path1
+  \f[B]\-\f[R] /custom/path2
+.EE
+.RE

docs/man/man.1

@@ -28,7 +28,11 @@ flags:
 \f[B]config\f[R], \f[B]c\f[R] \- Show manual page for the \[en]config
 flag
 .IP \[bu] 2
-\f[B]enrichment\f[R] \- Show manual page for the \[en]enrichment flag
+\f[B]detectors\f[R], \f[B]d\f[R] \- Show manual page for the
+\[en]detectors flag
+.IP \[bu] 2
+\f[B]enrichment\f[R], \f[B]E\f[R] \- Show manual page for the
+\[en]enrichment flag
 .IP \[bu] 2
 \f[B]events\f[R], \f[B]e\f[R] \- Show manual page for the \[en]events
 flag

examples/config/global_config.yaml

@@ -107,10 +107,10 @@ artifacts:
     #     path: /tmp/tracee
     #     clear: false
 
-# Detectors configuration
+# Detectors configuration - list of paths to search for YAML detectors
 detectors:
-    # yaml-dir:
-    #     - /path/to/detector/dir
+    # - /path/to/detector/dir
+    # - /another/detector/path
 
 # Logging configuration
 logging: