fix: allow combining include and exclude

README.md

@@ -71,6 +71,16 @@ will only run check `2.2 Ensure the logging level is set to 'info'`.
 `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2`
 will run all available checks except `2.2 Ensure the logging level is set to 'info'`.
 
+`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration`
+will run all available checks except the docker_enterprise_configuration group
+
+`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration,check_2_2`
+will run all available checks except the docker_enterprise_configuration group
+and `2.2 Ensure the logging level is set to 'info'`
+
+`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5`
+will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
+
 Note that when submitting checks, provide information why it is a
 reasonable test to add and please include some kind of official documentation
 verifying that information.

docker-bench-security.sh

@@ -102,7 +102,7 @@ main () {
     fi
   done
 
-  # get the image id of the docker_bench_security_image, memorize it:
+  # Get the image id of the docker_bench_security_image, memorize it:
   benchimagecont="nil"
   for c in $(docker images | sed '1d' | awk '{print $3}'); do
     if docker inspect --format '{{ .Config.Labels }}' "$c" | \
@@ -135,22 +135,44 @@ main () {
   done
 
   if [ -z "$check" ] && [ ! "$checkexclude" ]; then
+    # No options just run
     cis
-  elif [ -z "$check" ] && [ "$checkexclude" ]; then
-    checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
-    for c in $(grep -E 'check_[0-9]|check_[a-z]' functions_lib.sh | grep -vE "$checkexcluded"); do
+  elif [ -z "$check" ]; then
+    # No check defined but excludes defined set to calls in cis() function
+    check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)
+  fi
+
+  for c in $(echo "$check" | sed "s/,/ /g"); do
+    if ! command -v "$c" 2>/dev/null 1>&2; then
+      echo "Check \"$c\" doesn't seem to exist."
+      continue
+    fi
+    if [ -z "$checkexclude" ]; then
+      # No excludes just run the checks specified
       "$c"
-    done
-  else
-    for i in $(echo "$check" | sed "s/,/ /g"); do
-      if command -v "$i" 2>/dev/null 1>&2; then
-        "$i"
-      else
-        echo "Check \"$i\" doesn't seem to exist."
+    else
+      # Exludes specified and check exists
+      checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
+
+      if echo "$c" | grep -E "$checkexcluded" 2>/dev/null 1>&2; then
+        # Excluded
         continue
+      elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then
+        # Function not a check, fill loop_checks with all check from function
+        loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)"
+      else
+        # Just one check
+        loop_checks="$c"
       fi
-    done
-  fi
+
+      for lc in $loop_checks; do
+        if echo "$lc" | grep -vE "$checkexcluded" 2>/dev/null 1>&2; then
+          # Not excluded
+          "$lc"
+        fi
+      done
+    fi
+  done
 
   printf "\n"
   info "Checks: $totalChecks"