Scan depending on severity and classifications scan args

api/curl.go

@@ -33,9 +33,14 @@
 	opts.Cookies = ctx.Request.Cookies()
 	client := request.NewClient(opts)
 
-	s, err := scenario.NewURLScan(form.Method, form.URL, form.Data, client, &scan.ScanOptions{
-		IncludeScans: form.Opts.Scans,
-		ExcludeScans: form.Opts.ExcludeScans,
+	s, err := scenario.NewURLScan(form.Method, form.URL, form.Data, client, nil, &scan.ScanOptions{
+		IncludeScans:     form.Opts.Scans,
+		ExcludeScans:     form.Opts.ExcludeScans,
+		MinIssueSeverity: form.Opts.MinSeverity,
+		IncludeCWEs:      form.Opts.IncludeCWEs,
+		ExcludeCWEs:      form.Opts.ExcludeCWEs,
+		IncludeOWASPs:    form.Opts.IncludeOWASPs,
+		ExcludeOWASPs:    form.Opts.ExcludeOWASPs,
 	})
 	if err != nil {
 		span.RecordError(err)

api/graphql.go

@@ -32,9 +32,14 @@
 	opts.Cookies = ctx.Request.Cookies()
 	client := request.NewClient(opts)
 
-	s, err := scenario.NewGraphQLScan(form.Endpoint, client, &scan.ScanOptions{
-		IncludeScans: form.Opts.Scans,
-		ExcludeScans: form.Opts.ExcludeScans,
+	s, err := scenario.NewGraphQLScan(form.Endpoint, client, nil, &scan.ScanOptions{
+		IncludeScans:     form.Opts.Scans,
+		ExcludeScans:     form.Opts.ExcludeScans,
+		MinIssueSeverity: form.Opts.MinSeverity,
+		IncludeCWEs:      form.Opts.IncludeCWEs,
+		ExcludeCWEs:      form.Opts.ExcludeCWEs,
+		IncludeOWASPs:    form.Opts.IncludeOWASPs,
+		ExcludeOWASPs:    form.Opts.ExcludeOWASPs,
 	})
 	if err != nil {
 		span.RecordError(err)

api/openapi.go

@@ -59,9 +59,14 @@
 		}
 	}
 	securitySchemesValues := openapi.NewSecuritySchemeValues(values)
-	s, err := scenario.NewOpenAPIScan(doc, securitySchemesValues, client, &scan.ScanOptions{
-		IncludeScans: form.Opts.Scans,
-		ExcludeScans: form.Opts.ExcludeScans,
+	s, err := scenario.NewOpenAPIScan(doc, securitySchemesValues, client, nil, &scan.ScanOptions{
+		IncludeScans:     form.Opts.Scans,
+		ExcludeScans:     form.Opts.ExcludeScans,
+		MinIssueSeverity: form.Opts.MinSeverity,
+		IncludeCWEs:      form.Opts.IncludeCWEs,
+		ExcludeCWEs:      form.Opts.ExcludeCWEs,
+		IncludeOWASPs:    form.Opts.IncludeOWASPs,
+		ExcludeOWASPs:    form.Opts.ExcludeOWASPs,
 	})
 	if err != nil {
 		span.RecordError(err)

api/request.go

@@ -10,8 +10,13 @@ type ScanOptions struct {
 	RateLimit int    `json:"rateLimit"`
 	ProxyURL  string `json:"proxy"`
 
-	Scans        []string `json:"scans"`
-	ExcludeScans []string `json:"excludeScans"`
+	Scans         []string `json:"scans"`
+	ExcludeScans  []string `json:"excludeScans"`
+	MinSeverity   float64  `json:"minSeverity"`
+	IncludeCWEs   []string `json:"includeCWEs"`
+	ExcludeCWEs   []string `json:"excludeCWEs"`
+	IncludeOWASPs []string `json:"includeOWASPs"`
+	ExcludeOWASPs []string `json:"excludeOWASPs"`
 }
 
 func parseScanOptions(opts *ScanOptions) request.NewClientOptions {

cmd/scan/curl.go

@@ -41,9 +41,14 @@
 			}
 			request.SetDefaultClient(client)
 
-			s, err := scenario.NewURLScan(curlMethod, curlUrl, curlData, client, &scan.ScanOptions{
-				IncludeScans: internalCmd.GetIncludeScans(),
-				ExcludeScans: internalCmd.GetExcludeScans(),
+			s, err := scenario.NewURLScan(curlMethod, curlUrl, curlData, client, nil, &scan.ScanOptions{
+				IncludeScans:     internalCmd.GetIncludeScans(),
+				ExcludeScans:     internalCmd.GetExcludeScans(),
+				MinIssueSeverity: internalCmd.GetScanMinIssueSeverity(),
+				IncludeCWEs:      internalCmd.GetScanIncludeCWEs(),
+				ExcludeCWEs:      internalCmd.GetScanExcludeCWEs(),
+				IncludeOWASPs:    internalCmd.GetScanIncludeOWASPs(),
+				ExcludeOWASPs:    internalCmd.GetScanExcludeOWASPs(),
 			})
 			if err != nil {
 				span.RecordError(err)

cmd/scan/graphql.go

@@ -35,9 +35,14 @@
 			}
 			request.SetDefaultClient(client)
 
-			s, err := scenario.NewGraphQLScan(graphqlEndpoint, client, &scan.ScanOptions{
-				IncludeScans: internalCmd.GetIncludeScans(),
-				ExcludeScans: internalCmd.GetExcludeScans(),
+			s, err := scenario.NewGraphQLScan(graphqlEndpoint, client, nil, &scan.ScanOptions{
+				IncludeScans:     internalCmd.GetIncludeScans(),
+				ExcludeScans:     internalCmd.GetExcludeScans(),
+				MinIssueSeverity: internalCmd.GetScanMinIssueSeverity(),
+				IncludeCWEs:      internalCmd.GetScanIncludeCWEs(),
+				ExcludeCWEs:      internalCmd.GetScanExcludeCWEs(),
+				IncludeOWASPs:    internalCmd.GetScanIncludeOWASPs(),
+				ExcludeOWASPs:    internalCmd.GetScanExcludeOWASPs(),
 			})
 			if err != nil {
 				span.RecordError(err)

cmd/scan/openapi.go

@@ -78,9 +78,14 @@
 			}
 			request.SetDefaultClient(client)
 
-			s, err := scenario.NewOpenAPIScan(doc, securitySchemesValues, client, &scan.ScanOptions{
-				IncludeScans: internalCmd.GetIncludeScans(),
-				ExcludeScans: internalCmd.GetExcludeScans(),
+			s, err := scenario.NewOpenAPIScan(doc, securitySchemesValues, client, nil, &scan.ScanOptions{
+				IncludeScans:     internalCmd.GetIncludeScans(),
+				ExcludeScans:     internalCmd.GetExcludeScans(),
+				MinIssueSeverity: internalCmd.GetScanMinIssueSeverity(),
+				IncludeCWEs:      internalCmd.GetScanIncludeCWEs(),
+				ExcludeCWEs:      internalCmd.GetScanExcludeCWEs(),
+				IncludeOWASPs:    internalCmd.GetScanIncludeOWASPs(),
+				ExcludeOWASPs:    internalCmd.GetScanExcludeOWASPs(),
 			})
 			if err != nil {
 				span.RecordError(err)

internal/cmd/args.go

@@ -25,6 +25,12 @@ var (
 	noProgress        bool
 	severityThreshold float64
 
+	scanMinIssueSeverity float64
+	scanIncludeCWEs      []string
+	scanExcludeCWEs      []string
+	scanIncludeOWASPs    []string
+	scanExcludeOWASPs    []string
+
 	placeholderString string
 	placeholderBool   bool
 )
@@ -48,6 +54,12 @@ func AddCommonArgs(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVarP(&noProgress, "no-progress", "", false, "Disable progress output")
 	cmd.Flags().Float64VarP(&severityThreshold, "severity-threshold", "", 1, "Threshold to trigger stderr output if at least one vulnerability CVSS is higher")
+
+	cmd.Flags().Float64VarP(&scanMinIssueSeverity, "scan-min-severity", "", 0, "Minimum severity score (CVSS) to report an issue")
+	cmd.Flags().StringArrayVarP(&scanIncludeCWEs, "scan-include-cwe", "", scanIncludeCWEs, "Include specific CWEs (e.g., CWE-200, CWE-22)")
+	cmd.Flags().StringArrayVarP(&scanExcludeCWEs, "scan-exclude-cwe", "", scanExcludeCWEs, "Exclude specific CWEs (e.g., CWE-200, CWE-22)")
+	cmd.Flags().StringArrayVarP(&scanIncludeOWASPs, "scan-include-owasp", "", scanIncludeOWASPs, "Include specific OWASP")
+	cmd.Flags().StringArrayVarP(&scanExcludeOWASPs, "scan-exclude-owasp", "", scanExcludeOWASPs, "Exclude specific OWASP")
 }
 
 func AddPlaceholderArgs(cmd *cobra.Command) {
@@ -126,6 +138,26 @@ func GetSeverityThreshold() float64 {
 	return severityThreshold
 }
 
+func GetScanMinIssueSeverity() float64 {
+	return scanMinIssueSeverity
+}
+
+func GetScanIncludeCWEs() []string {
+	return scanIncludeCWEs
+}
+
+func GetScanExcludeCWEs() []string {
+	return scanExcludeCWEs
+}
+
+func GetScanIncludeOWASPs() []string {
+	return scanIncludeOWASPs
+}
+
+func GetScanExcludeOWASPs() []string {
+	return scanExcludeOWASPs
+}
+
 func basicAuth(user string) string {
 	credentials := strings.Split(user, ":")
 	if len(credentials) != 2 || credentials[0] == "" {
@@ -148,4 +180,9 @@ func ClearValues() {
 	reportURL = ""
 	noProgress = false
 	severityThreshold = 1
+	scanMinIssueSeverity = 0
+	scanIncludeCWEs = []string{}
+	scanExcludeCWEs = []string{}
+	scanIncludeOWASPs = []string{}
+	scanExcludeOWASPs = []string{}
 }