
CNF-23786: Add --dry-run flag to preview scan targets without scanning#51

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
sebrandon1:add-dry-run-flag
May 13, 2026

Conversation

@sebrandon1 sebrandon1 (Member) commented Apr 23, 2026

Summary

  • Extract discovery phase from PerformClusterScan() into reusable DiscoverTargets() function
  • Add --dry-run flag that runs pod/port discovery only and prints a tabular summary of scan targets and skipped ports
  • Works with --all-pods, --targets, and single-host modes
  • Skips testssl.sh installation check when --dry-run is set since it is not needed for discovery

Jira: CNF-23786

Example output

$ tls-scanner --all-pods --dry-run --namespace-filter openshift-etcd

=== DISCOVERY COMPLETE: 6 pods -> 102 scan jobs (0 deduplicated), 38 skipped ===

========================================
DRY RUN: Discovery complete
========================================
Scan targets:          102
Skipped (localhost):   35
Skipped (no ports):    3
Skipped (probe ports): 0
========================================

SCAN TARGETS:
IP            Port   Pod Name               Namespace       Component
10.46.97.140  9107   etcd-cnfdt16-master-1  openshift-etcd  openshift-component
10.46.97.140  2380   etcd-cnfdt16-master-1  openshift-etcd  openshift-component
10.46.97.140  2379   etcd-cnfdt16-master-1  openshift-etcd  openshift-component
10.46.97.140  6443   etcd-cnfdt16-master-1  openshift-etcd  openshift-component
...

SKIPPED PORTS:
IP            Port   Pod Name               Namespace       Status          Reason
10.46.97.140  8797   etcd-cnfdt16-master-1  openshift-etcd  LOCALHOST_ONLY  Bound to 127.0.0.1, not accessible from pod IP
10.46.97.140  9537   etcd-cnfdt16-master-1  openshift-etcd  LOCALHOST_ONLY  Bound to 127.0.0.1, not accessible from pod IP
10.46.97.140  10248  etcd-cnfdt16-master-1  openshift-etcd  LOCALHOST_ONLY  Bound to 127.0.0.1, not accessible from pod IP
...

Test plan

  • go build ./... passes
  • go test ./... passes
  • go vet ./... passes
  • tls-scanner --all-pods --dry-run prints target table and exits without scanning
  • tls-scanner --all-pods --dry-run --namespace-filter openshift-etcd filters correctly
  • tls-scanner --targets 10.0.0.1:443 --dry-run prints target list
  • tls-scanner --dry-run (single host default) prints single target
  • Normal scan without --dry-run still works identically
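A sketch of the discovery-only phase the PR describes, added here as an example; it is not the tls-scanner project's own code. The types, field names, the skip reasons other than LOCALHOST_ONLY, the dedup rule and the sample pods are assumptions. It classifies each pod/port pair without opening a connection, which is what lets --dry-run skip the testssl.sh check entirely.

```go
package main

import "fmt"

// Hypothetical types modelled on the PR description, not the tls-scanner project's own code. BindAddr is the address the process listens on; Probe marks a port that only serves a kubelet health probe.
type PortBinding struct{ BindAddr string; Port int; Probe bool }
type Pod struct{ Name, Namespace, IP, Component string; Ports []PortBinding }
// Entry is one row of the dry-run tables; Status and Reason are set only for skipped ports.
type Entry struct{ IP string; Port int; Pod, Namespace, Component, Status, Reason string }
// Discovery is the dry-run result; Deduplicated counts repeated IP:port pairs (e.g. host-network pods on one node).
type Discovery struct{ Targets, Skipped []Entry; Deduplicated int }

// DiscoverTargets runs the discovery phase only: it classifies every pod/port pair as a scan target or a skipped port and never opens a connection.
func DiscoverTargets(pods []Pod) Discovery {
	var d Discovery
	seen := map[string]bool{}
	for _, p := range pods {
		if len(p.Ports) == 0 {
			d.Skipped = append(d.Skipped, Entry{IP: p.IP, Pod: p.Name, Namespace: p.Namespace, Status: "NO_PORTS", Reason: "Pod declares no container ports"})
		}
		for _, b := range p.Ports {
			e := Entry{IP: p.IP, Port: b.Port, Pod: p.Name, Namespace: p.Namespace, Component: p.Component}
			key := fmt.Sprintf("%s:%d", p.IP, b.Port)
			switch {
			case b.BindAddr == "127.0.0.1" || b.BindAddr == "::1":
				e.Status, e.Reason = "LOCALHOST_ONLY", "Bound to "+b.BindAddr+", not accessible from pod IP"
				d.Skipped = append(d.Skipped, e)
			case b.Probe:
				e.Status, e.Reason = "PROBE_PORT", "Health-probe port, no TLS endpoint to assess"
				d.Skipped = append(d.Skipped, e)
			case seen[key]:
				d.Deduplicated++ // same IP:port already queued; scanning it twice adds nothing
			default:
				seen[key] = true
				d.Targets = append(d.Targets, e)
			}
		}
	}
	return d
}
// SamplePods is constructed input: an etcd pod with a reachable port, a localhost-only port and a probe port; a second pod on the same node IP repeating 2379; and a pod exposing no ports.
func SamplePods() []Pod {
	return []Pod{
		{Name: "etcd-master-1", Namespace: "openshift-etcd", IP: "10.46.97.140", Component: "openshift-component",
			Ports: []PortBinding{{"0.0.0.0", 2379, false}, {"127.0.0.1", 9537, false}, {"0.0.0.0", 10248, true}}},
		{Name: "node-exporter", Namespace: "openshift-etcd", IP: "10.46.97.140", Ports: []PortBinding{{"0.0.0.0", 2379, false}}},
		{Name: "paused-pod", Namespace: "openshift-etcd", IP: "10.46.97.141"},
	}
}
func main() { fmt.Printf("%+v\n", DiscoverTargets(SamplePods())) }
```

On the sample input this yields one scan target (10.46.97.140:2379), one deduplicated pair and three skipped rows, one per skip status in the PR's summary block.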

@openshift-ci openshift-ci Bot requested review from rhmdnd and smith-xyz April 23, 2026 17:42
@smith-xyz smith-xyz (Contributor) left a comment


this is a good feature, I think just a few things to clean up would be great before we merge. Let me know if I missed anything

Comment thread internal/output/dryrun.go Outdated
Comment thread internal/scanner/scanner.go
Comment thread internal/scanner/scanner.go Outdated
Comment thread internal/scanner/scanner.go Outdated
Comment thread internal/scanner/scanner.go
@sebrandon1 sebrandon1 force-pushed the add-dry-run-flag branch 2 times, most recently from ccd7158 to 4d0705e Compare May 7, 2026 19:29
@smith-xyz smith-xyz (Contributor) commented

/retest

@smith-xyz smith-xyz (Contributor) commented

/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2026

openshift-ci Bot commented May 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sebrandon1, smith-xyz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2026
@openshift-merge-bot openshift-merge-bot (Contributor) commented

/retest-required

Remaining retests: 0 against base HEAD eee0a3a and 2 for PR HEAD 4d0705e in total


openshift-ci Bot commented May 7, 2026

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                     Commit   Required  Rerun command
ci/prow/tls13-conformance     6585541  false     /test tls13-conformance
ci/prow/tls13-adherence       4d0705e  false     /test tls13-adherence
ci/prow/default-tls           4d0705e  false     /test default-tls
ci/prow/tls13-pqc-readiness   4d0705e  false     /test tls13-pqc-readiness
ci/prow/default-pqc-readiness 4d0705e  false     /test default-pqc-readiness

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

- Extract discovery phase from PerformClusterScan() into reusable
  DiscoverTargets() function
- Add --dry-run flag that runs pod/port discovery only and prints a
  tabular summary of scan targets and skipped ports
- Works with --all-pods, --targets, and single-host modes
- Skip testssl.sh installation check when --dry-run is set
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 13, 2026
@sebrandon1 sebrandon1 changed the title Add --dry-run flag to preview scan targets without scanning CNF-23786: Add --dry-run flag to preview scan targets without scanning May 13, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 13, 2026

openshift-ci-robot commented May 13, 2026

@sebrandon1: This pull request references CNF-23786 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@smith-xyz smith-xyz (Contributor) commented

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 13, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 615a07b into openshift:main May 13, 2026
4 checks passed