aquasecurity
diff --git a/‎cmd/tracee-ebpf/main.go‎
Lines changed: 2 additions & 2 deletions b/‎cmd/tracee-ebpf/main.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cmd/tracee/cmd/root.go‎
Lines changed: 14 additions & 11 deletions b/‎cmd/tracee/cmd/root.go‎
Lines changed: 14 additions & 11 deletions
diff --git a/‎deploy/helm/tracee/templates/tracee-config.yaml‎
Lines changed: 2 additions & 1 deletion b/‎deploy/helm/tracee/templates/tracee-config.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/docs/flags/runtime.1.md‎
Lines changed: 46 additions & 0 deletions b/‎docs/docs/flags/runtime.1.md‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎docs/docs/install/config/index.md‎
Lines changed: 11 additions & 4 deletions b/‎docs/docs/install/config/index.md‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎docs/docs/policies/usage/cli.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/docs/policies/usage/cli.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/man/runtime.1‎
Lines changed: 50 additions & 0 deletions b/‎docs/man/runtime.1‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎examples/config/global_config.json‎
Lines changed: 3 additions & 1 deletion b/‎examples/config/global_config.json‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎examples/config/global_config.yaml‎
Lines changed: 2 additions & 1 deletion b/‎examples/config/global_config.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎pkg/cmd/cobra/cobra.go‎
Lines changed: 10 additions & 3 deletions b/‎pkg/cmd/cobra/cobra.go‎
Lines changed: 10 additions & 3 deletions
@@ -118,9 +118,9 @@ func main() {
 				Usage: "size, in event objects, of each pipeline stage's output channel",
 			},
 			&cli.StringFlag{
-				Name:  "install-path",
+				Name:  "runtime",
 				Value: "/tmp/tracee",
-				Usage: "path where tracee will install or lookup it's resources",
+				Usage: "runtime config options eg: workdir",
 			},
 			&cli.StringSliceFlag{
 				Name:  server.ServerFlag,
 
@@ -115,6 +115,19 @@ func initCmd() error {
 		"[file|dir]\t\t\t\tPath to a policy or directory with policies",
 	)
 
+	// Runtime flags
+
+	rootCmd.Flags().StringArrayP(
+		"runtime",
+		"r",
+		[]string{"workdir=" + flags.WorkdirDefault},
+		"[workdir=/tmp/tracee]\t\tControl runtime configurations",
+	)
+	err := viper.BindPFlag("runtime", rootCmd.Flags().Lookup("runtime"))
+	if err != nil {
+		return errfmt.WrapError(err)
+	}
+
 	// Output flags
 
 	rootCmd.Flags().StringArrayP(
@@ -123,7 +136,7 @@ func initCmd() error {
 		[]string{"table"},
 		"[json|none|webhook...]\t\tControl how and where output is printed",
 	)
-	err := viper.BindPFlag("output", rootCmd.Flags().Lookup("output"))
+	err = viper.BindPFlag("output", rootCmd.Flags().Lookup("output"))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}
@@ -268,16 +281,6 @@ func initCmd() error {
 		return errfmt.WrapError(err)
 	}
 
-	rootCmd.Flags().String(
-		"install-path",
-		"/tmp/tracee",
-		"<dir>\t\t\t\tPath where tracee will install or lookup it's resources",
-	)
-	err = viper.BindPFlag("install-path", rootCmd.Flags().Lookup("install-path"))
-	if err != nil {
-		return errfmt.WrapError(err)
-	}
-
 	rootCmd.Flags().StringArrayP(
 		"log",
 		"l",
 
@@ -18,7 +18,8 @@ data:
     pyroscope: {{ .Values.config.pyroscope }}
     listen-addr: {{ .Values.config.listenAddr }}
     {{- if .Values.config.installPath }}
-    install-path: {{ .Values.config.installPath }}
+    runtime:
+      - workdir={{ .Values.config.installPath }}
     {{- end }}
     {{- if .Values.config.signaturesDir }}
     signatures-dir: {{ .Values.config.signaturesDir }}
 
@@ -0,0 +1,46 @@
+---
+title: TRACEE-RUNTIME
+section: 1
+header: Tracee Runtime Flag Manual
+date: 2025/01
+...
+
+## NAME
+
+tracee **\-\-runtime** - Control runtime configurations
+
+## SYNOPSIS
+
+tracee **\-\-runtime** [workdir=*path*] [**\-\-runtime** ...]
+
+## DESCRIPTION
+
+The **\-\-runtime** flag allows you to control runtime configurations for Tracee.
+
+### Options
+
+- **workdir**=*path*
+  Set the working directory where Tracee stores temporary files and artifacts. The default value is `/tmp/tracee`.
+
+  Example:
+  ```console
+  --runtime workdir=/tmp/tracee
+  ```
+
+## EXAMPLES
+
+1. Use the default working directory:
+   ```console
+   --runtime workdir=/tmp/tracee
+   ```
+
+2. Set a custom working directory:
+   ```console
+   --runtime workdir=/var/lib/tracee
+   ```
+
+3. Using the short form:
+   ```console
+   -g workdir=/opt/tracee
+   ```
+
@@ -63,16 +63,23 @@ A complete config file with all available options can be found [here](https://gi
     - process
   ```
 
-### Install Path
+### Runtime
 
-- **`--install-path`**: Specifies the directory where Tracee will install or look for its resources. If not specified, the default installation directory is `/tmp/tracee`.
+- **`--runtime` (`-g`)**: Controls runtime configurations for Tracee.
+
+  CLI Examples:
+  ```bash
+  # Set working directory
+  tracee --runtime workdir=/opt/tracee
+  ```
 
   YAML:
   ```yaml
-  install-path: /opt/tracee
+  runtime:
+    - workdir=/opt/tracee
   ```
 
-  __NOTE__: This option is useful when running Tracee in environments where `/tmp` is not suitable or secure.
+  __NOTE__: The working directory is where Tracee stores temporary files and artifacts. The default is `/tmp/tracee`. This option is useful when running Tracee in environments where `/tmp` is not suitable or secure.
 
 ### Log
 
 
@@ -35,7 +35,8 @@ tracee --config ./config.yaml --policy ./policy.yaml && cat /tmp/debug.json
 ### config.yaml (example)
 
 ```yaml
-install-path: /tmp/tracee
+runtime:
+  - workdir=/tmp/tracee
 
 # server configuration
 
 
@@ -0,0 +1,50 @@
+.\" Automatically generated by Pandoc 3.2
+.\"
+.TH "TRACEE\-RUNTIME" "1" "2025/01" "" "Tracee Runtime Flag Manual"
+.SS NAME
+tracee \f[B]\-\-runtime\f[R] \- Control runtime configurations
+.SS SYNOPSIS
+tracee \f[B]\-\-runtime\f[R] [workdir=\f[I]path\f[R]]
+[\f[B]\-\-runtime\f[R] \&...]
+.SS DESCRIPTION
+The \f[B]\-\-runtime\f[R] flag allows you to control runtime
+configurations for Tracee.
+.SS Options
+.IP \[bu] 2
+\f[B]workdir\f[R]=\f[I]path\f[R] Set the working directory where Tracee
+stores temporary files and artifacts.
+The default value is \f[CR]/tmp/tracee\f[R].
+.RS 2
+.PP
+Example:
+.IP
+.EX
+\-\-runtime workdir=/tmp/tracee
+.EE
+.RE
+.SS EXAMPLES
+.IP "1." 3
+Use the default working directory:
+.RS 4
+.IP
+.EX
+\-\-runtime workdir=/tmp/tracee
+.EE
+.RE
+.IP "2." 3
+Set a custom working directory:
+.RS 4
+.IP
+.EX
+\-\-runtime workdir=/var/lib/tracee
+.EE
+.RE
+.IP "3." 3
+Using the short form:
+.RS 4
+.IP
+.EX
+\-g workdir=/opt/tracee
+.EE
+.RE
+
@@ -9,7 +9,9 @@
     "capabilities": [],
     "containers": [],
     "healthz": false,
-    "install-path": "/tmp/tracee",
+    "runtime": [
+        "workdir=/tmp/tracee"
+    ],
     "listen-addr": ":3366",
     "log": [
         "info"
 
@@ -55,7 +55,8 @@ events:
 
 healthz: false
 
-install-path: /tmp/tracee
+runtime:
+  - workdir=/tmp/tracee
 
 listen-addr: :3366
 
 
@@ -316,9 +316,16 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	}
 
 	// Decide BTF & BPF files to use (based in the kconfig, release & environment info)
+	runtimeFlags, err := GetFlagsFromViper("runtime")
+	if err != nil {
+		return runner, err
+	}
+	runtimeConfig, err := flags.PrepareRuntime(runtimeFlags)
+	if err != nil {
+		return runner, err
+	}
 
-	traceeInstallPath := viper.GetString("install-path")
-	err = initialize.BpfObject(&cfg, kernelConfig, osInfo, traceeInstallPath, version)
+	err = initialize.BpfObject(&cfg, kernelConfig, osInfo, runtimeConfig.Workdir, version)
 	if err != nil {
 		return runner, errfmt.Errorf("failed preparing BPF object: %v", err)
 	}
@@ -339,7 +346,7 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	cfg.MetricsEnabled = runner.HTTP.MetricsEndpointEnabled()
 	runner.TraceeConfig = cfg
 	runner.Printer = p
-	runner.InstallPath = traceeInstallPath
+	runner.Workdir = runtimeConfig.Workdir
 
 	noSignaturesMode := viper.GetBool("no-signatures")
 	if noSignaturesMode {