flag(enrich): new format flag

cmd/tracee-ebpf/main.go

@@ -97,8 +97,8 @@ func main() {
 				Usage: "dns cache options. run '--dnscache help' for more info",
 			},
 			&cli.StringSliceFlag{
-				Name:  flags.ContainersFlag,
-				Usage: "configure container enrichment and runtime sockets. run '--containers help' for more info.",
+				Name:  flags.EnrichFlag,
+				Usage: "configure enrichment options. run '--enrich help' for more info.",
 				Value: cli.NewStringSlice(),
 			},
 			&cli.IntFlag{

cmd/tracee/cmd/man.go

@@ -54,7 +54,7 @@
 		capabilitiesCmd,
 		captureCmd,
 		configCmd,
-		containersCmd,
+		enrichCmd,
 		eventsCmd,
 		logCmd,
 		outputCmd,
@@ -114,12 +114,12 @@
 	},
 }
 
-var containersCmd = &cobra.Command{
-	Use:     "containers",
+var enrichCmd = &cobra.Command{
+	Use:     "enrich",
 	Aliases: []string{},
-	Short:   "Show manual page for the --containers flag",
+	Short:   "Show manual page for the --enrich flag",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return runManForFlag("containers")
+		return runManForFlag("enrich")
 	},
 }
 

cmd/tracee/cmd/root.go

@@ -149,11 +149,11 @@
 	// Container flags
 
 	rootCmd.Flags().StringArray(
-		flags.ContainersFlag,
+		flags.EnrichFlag,
 		[]string{},
-		"Configure container enrichment and runtime sockets for container events enrichment (see documentation)",
+		"enrichment",
 	)
-	err = viper.BindPFlag(flags.ContainersFlag, rootCmd.Flags().Lookup(flags.ContainersFlag))
+	err = viper.BindPFlag(flags.EnrichFlag, rootCmd.Flags().Lookup(flags.EnrichFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

docs/docs/flags/enrich.1.md

@@ -0,0 +1,120 @@
+---
+title: TRACEE-ENRICH
+section: 1
+header: Tracee Enrich Flag Manual
+date: 2025/04
+...
+
+## NAME
+
+tracee **\-\-enrich** - Configure enrichment for container events and other enrichment options
+
+## SYNOPSIS
+
+tracee **\-\-enrich** [container.enabled=*true|false*|container.cgroup.path=*path*|container.docker.socket=*socket_path*|container.containerd.socket=*socket_path*|container.crio.socket=*socket_path*|container.podman.socket=*socket_path*|resolve-fd=*true|false*|exec-hash.enabled=*true|false*|exec-hash.mode=*mode*|user-stack-trace=*true|false*] [**\-\-enrich** ...]
+
+## DESCRIPTION
+
+The `--enrich` flag allows you to configure enrichment options for container events and other enrichment features.
+
+### Flags
+
+- **container.enabled**=*true|false*
+  Enable or disable container enrichment.
+  Example:
+  ```console
+  --enrich container.enabled=true
+  ```
+
+- **container.cgroup.path**=*path*
+  Configure the path to the cgroupfs where container cgroups are created. This is used as a hint for auto-detection.
+  Example:
+  ```console
+  --enrich container.cgroup.path=/sys/fs/cgroup
+  ```
+
+- **container.docker.socket**=*socket_path*
+  Configure the path to the docker socket.
+  Example:
+  ```console
+  --enrich container.docker.socket=/var/run/docker.sock
+  ```
+
+- **container.containerd.socket**=*socket_path*
+  Configure the path to the containerd socket.
+  Example:
+  ```console
+  --enrich container.containerd.socket=/var/run/containerd/containerd.sock
+  ```
+
+- **container.crio.socket**=*socket_path*
+  Configure the path to the crio socket.
+  Example:
+  ```console
+  --enrich container.crio.socket=/var/run/crio/crio.sock
+  ```
+
+- **container.podman.socket**=*socket_path*
+  Configure the path to the podman socket.
+  Example:
+  ```console
+  --enrich container.podman.socket=/var/run/podman/podman.sock
+  ```
+
+- **resolve-fd**=*true|false*
+  Enable or disable resolve-fd.
+  Example:
+  ```console
+  --enrich resolve-fd=true
+  ```
+
+- **exec-hash.enabled**=*true|false*
+  Enable or disable exec-hash.
+  Example:
+  ```console
+  --enrich exec-hash.enabled=true
+  ```
+
+- **exec-hash.mode**=*mode*
+  Configure the mode for exec-hash.
+  Example:
+  ```console
+  --enrich exec-hash.mode=sha256
+  ```
+
+- **user-stack-trace**=*true|false*
+  Enable or disable user-stack-trace.
+  Example:
+  ```console
+  --enrich user-stack-trace=true
+  ```
+
+## EXAMPLES
+
+1. Enable container enrichment:
+   ```console
+   --enrich container.enabled=true
+   ```
+
+2. Configure Docker socket:
+   ```console
+   --enrich container.docker.socket=/var/run/docker.sock
+   ```
+
+3. Set the cgroupfs path:
+   ```console
+   --enrich container.cgroup.path=/sys/fs/cgroup
+   ```
+
+4. Combine multiple flags:
+   ```console
+   --enrich container.enabled=true container.docker.socket=/var/run/docker.sock container.cgroup.path=/sys/fs/cgroup
+   ```
+
+5. Enable resolve-fd and exec-hash:
+   ```console
+   --enrich resolve-fd=true exec-hash.enabled=true
+   ```
+
+Please refer to the [documentation](../install/container-engines.md) for more information on container events enrichment.
+

docs/docs/install/config/index.md

@@ -89,23 +89,24 @@ A complete config file with all available options can be found [here](https://gi
 
 ### Containers
 
-- To disable container enrichment use: **`--containers enrich=false`**.
+- To disable container enrichment use: **`--enrich container.enabled=false`**.
 
   YAML:
   ```yaml
-  containers:
-    enrich: false
+  enrich:
+    container:
+      enabled: false
   ```
 
-  __NOTE__: You can view more in the [containers section](../../flags/containers.1.md).
+  __NOTE__: You can view more in the [enrich section](../../flags/enrich.1.md).
 
-- **`--containers`**: Configures container enrichment and runtime sockets. For example, to configure runtime sockets:
+- **`--enrich`**: Configures enrichment options including container enrichment and runtime sockets. For example, to configure runtime sockets:
 
   YAML:
   ```yaml
-  containers:
-    sockets:
-      - runtime: docker
+  enrich:
+    container:
+      docker:
         socket: /var/run/docker.sock
   ```