Options

cd-rite edited this page Jun 13, 2024 · 14 revisions

Options can be set from the command line, from environment variables prefixed by WATCHER_, or from the contents of an .env file in the current directory. We show the command line options below, with inline references in parentheses to the corresponding environment variable.

--add-existing

For --mode events, existing files in the path will generate an add event (WATCHER_ADD_EXISTING=1). Ignored if --mode scan. Negate with --no-add-existing. Default: false


--api url

Required. Base URL of the STIG Manager API service (WATCHER_API_BASE).


--authority url

Required. Base URL of the OIDC authentication service that issues OAuth2 tokens for the API (WATCHER_AUTHORITY).


-c, --collection-id id

Required. collectionId to manage (WATCHER_COLLECTION).


--cargo-delay ms

Milliseconds to delay processing the queue (WATCHER_CARGO_DELAY). Range: 2000 to 30000. Default: 2000


--cargo-size number

Maximum queue size that triggers processing (WATCHER_CARGO_SIZE). Range: 1 to 100. Default: 25


--client-id string

Required. OIDC clientId to authenticate (WATCHER_CLIENT_ID). You will be prompted for the client secret if --client-key is not present and --prompt is present, unless WATCHER_CLIENT_SECRET is set.


--client-key path

Path to a PEM encoded private key (WATCHER_CLIENT_KEY). If the key is encrypted, you will be prompted for the passphrase if --prompt is present, unless WATCHER_CLIENT_KEY_PASSPHRASE is set.


--create-objects

Create Assets or STIG Assignments as needed (WATCHER_CREATE_OBJECTS=1). Negate with --no-create-objects. Default: true


-d, --debug

Shortcut for --log-level debug --log-file-level debug. Default: false


--event-polling

Use polling with --mode events, necessary for watching network files (WATCHER_EVENT_POLLING=1). Ignored if --mode scan. Negate with --no-event-polling. Default: true


--extra-scopes string

Space separated OAuth2 scopes to request in addition to the default scopes. Will not be automatically prefixed with WATCHER_SCOPE_PREFIX value. (WATCHER_EXTRA_SCOPES)


-h, --help

Display help for the command.


--history-file path

When using --mode scan, the path to a scan history file (WATCHER_HISTORY_FILE). The file will be created if it doesn't exist. Each file found by the scanner is recorded in this file, and the scanner skips files already listed in it. Ignored if --mode events. To disable the history file feature, use --no-history-file. Default: false


--history-write-interval ms

When using --mode scan with a history file (--history-file <path>), the interval in milliseconds at which the current history is synced to disk (WATCHER_HISTORY_WRITE_INTERVAL). Ignored if --mode events. To disable the history file feature, use --no-history-file. Range: 10000 to 60000. Default: 15000 (15 seconds).


--ignore-dot

Ignore dotfiles in the path (WATCHER_IGNORE_DOT=1). Negate with --no-ignore-dot. Default: true


--ignore-glob [glob...]

File or directory glob(s) to ignore. Can be invoked multiple times. (WATCHER_IGNORE_GLOBS=<csv>)


--log-color

Colorize the console log output. Might confound downstream piped processes. Default: false


--log-file path

Path to the log file which will be created if needed (WATCHER_LOG_FILE). Disable file logging with --no-log-file. Default: false


--log-file-level level

Log level for the log file (WATCHER_LOG_FILE_LEVEL). One of:

  • "error"
  • "warn"
  • "info"
  • "http"
  • "verbose"
  • "debug"
  • "silly"

Default: "verbose"


--log-level level

Log level for the console (WATCHER_LOG_LEVEL). One of:

  • "error"
  • "warn"
  • "info"
  • "http"
  • "verbose"
  • "debug"
  • "silly"

Default: "info"


--mode mode

Strategy for detecting files to be processed. (WATCHER_MODE). One of:

  • "scan"
  • "events"

Default: "events"


--no-add-existing

Ignore existing files in the watched path (WATCHER_ADD_EXISTING=0).


--no-create-objects

Do not create Assets or STIG Assignments (WATCHER_CREATE_OBJECTS=0).


--no-event-polling

Don't use polling with --mode events, reduces CPU usage (WATCHER_EVENT_POLLING=0).


--no-history-file

When using --mode scan, this option disables the creation and use of the scan history file. Without this option, a history file tracks the files scanned previously.


--no-ignore-dot

Do not ignore dotfiles in the path (WATCHER_IGNORE_DOT=0).


--no-log-file

Disable logging to a logfile.


--no-strict-revision-check

For CKL, allow checklist of uninstalled STIG revision (WATCHER_STRICT_REVISION_CHECK=0). This is the default behavior.


--one-shot

Process existing files in the path and exit. Sets --add-existing. Default: false


-p, --path path

Base path to watch (WATCHER_PATH). Default: "."


--prompt

Prompt for missing client secret or private key passphrase. Default: false


--response-timeout

Timeout in milliseconds for an API response to begin (WATCHER_RESPONSE_TIMEOUT). If a response takes longer than this time, an error will be thrown. Note: Watcher has the default behavior of attempting an API request up to 4 times. Range: 5000 to 60000. Default: 20000ms


-s, --silent

Disable logging to the console. Default: false


--scan-interval ms

If --mode scan, the interval between scans (WATCHER_SCAN_INTERVAL). Ignored if --mode events. Range: 60000 to 86400000. Default: 300000


--scope-prefix string

String used as a prefix for default stig-manager scopes (except openid) when authenticating to the OIDC Provider (WATCHER_SCOPE_PREFIX). Default: ' '


--stability-threshold ms

If --mode events, milliseconds to wait for file size to stabilize (WATCHER_STABILITY_THRESHOLD). May be helpful when watching network shares. Ignored with --mode scan. Range: 0 to 10000. Default: 0


--strict-revision-check

For CKL, ignore checklist of uninstalled STIG revision (WATCHER_STRICT_REVISION_CHECK=1). Negate with --no-strict-revision-check. Default: false


--version

Print the current version and exit.
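
A pre-flight check for the .env file described at the top of this page, as an added example that is not part of the Watcher project: it verifies the documented numeric ranges and --mode values, and flags a file that stores WATCHER_CLIENT_SECRET or WATCHER_CLIENT_KEY_PASSPHRASE while readable by group or other. The function names are hypothetical, the file is assumed to contain plain KEY=VALUE lines, and the permission rule is this example's own recommendation rather than a Watcher requirement.

```shell
#!/bin/sh
# Added example: lint a Watcher .env file before starting the service.
# Assumes plain KEY=VALUE lines; quoted or multi-line values are not handled.

# Print the value assigned to KEY ($2) in FILE ($1); empty if absent.
# If a key is repeated, this example takes the last assignment.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Succeed if KEY ($2) is unset or an integer within MIN ($3) .. MAX ($4).
check_range() {
  val=$(env_get "$1" "$2")
  [ -z "$val" ] && return 0
  case $val in
    *[!0-9]*) echo "$2: not an integer: $val"; return 1 ;;
  esac
  if [ "$val" -lt "$3" ] || [ "$val" -gt "$4" ]; then
    echo "$2: $val is outside $3..$4"; return 1
  fi
}

# Return 0 when FILE ($1) passes every check, 1 otherwise.
watcher_env_lint() {
  file=$1; rc=0
  # Ranges copied from the option descriptions on this page.
  check_range "$file" WATCHER_CARGO_DELAY 2000 30000 || rc=1
  check_range "$file" WATCHER_CARGO_SIZE 1 100 || rc=1
  check_range "$file" WATCHER_HISTORY_WRITE_INTERVAL 10000 60000 || rc=1
  check_range "$file" WATCHER_RESPONSE_TIMEOUT 5000 60000 || rc=1
  check_range "$file" WATCHER_SCAN_INTERVAL 60000 86400000 || rc=1
  check_range "$file" WATCHER_STABILITY_THRESHOLD 0 10000 || rc=1
  mode=$(env_get "$file" WATCHER_MODE)
  case $mode in
    ''|scan|events) ;;
    *) echo "WATCHER_MODE: must be scan or events, got: $mode"; rc=1 ;;
  esac
  # A file holding the client secret or key passphrase should grant
  # no permissions to group or other (for example mode 600 or 400).
  if grep -Eq '^[[:space:]]*WATCHER_CLIENT_(SECRET|KEY_PASSPHRASE)=' "$file"; then
    perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $perms in
      0|*00) ;;
      *) echo "$file: mode $perms exposes a stored secret"; rc=1 ;;
    esac
  fi
  return $rc
}
```

Run it as `watcher_env_lint ./.env` in the directory Watcher is started from; each finding is printed on its own line and the exit status is non-zero if any check fails.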
