From f78145214a6195efaf64f91b94d58f13964e26a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 10 May 2018 14:45:59 +0200
Subject: [PATCH] add -e option to exclude checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 README.md | 3 ++-
 docker-bench-security.sh | 14 ++++++++++----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 28f1572..fc85e53 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,8 @@ version 1.13.0 or later.
 -h optional Print this help message
 -l FILE optional Log output in FILE
 -c CHECK optional Comma delimited list of specific check(s)
- -x EXCLUDE optional Comma delimited list of patterns within a container to exclude from check
+ -e CHECK optional Comma delimited list of specific check(s) to exclude
+ -x EXCLUDE optional Comma delimited list of patterns within a container name to exclude from check
 ```
 By default the Docker Bench for Security script will run all available CIS tests
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 36b274a..89e53a5 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -38,6 +38,7 @@ usage () {
 -h optional Print this help message
 -l FILE optional Log output in FILE
 -c CHECK optional Comma delimited list of specific check(s)
+ -e CHECK optional Comma delimited list of specific check(s) to exclude
 -x EXCLUDE optional Comma delimited list of patterns within a container name to exclude from check
 EOF
 }
@@ -45,12 +46,13 @@ EOF
 # Get the flags
 # If you add an option here, please
 # remember to update usage() above.
-while getopts hl:c:x: args
+while getopts hl:c:e:x: args
 do
 case $args in
 h) usage; exit 0 ;;
 l) logger="$OPTARG" ;;
 c) check="$OPTARG" ;;
+ e) checkexclude="$OPTARG" ;;
 x) exclude="$OPTARG" ;;
 *) usage; exit 1 ;;
 esac
@@ -121,11 +123,15 @@ main () {
 . ./"$test"
 done
- if [ -z "$check" ]; then
+ if [ -z "$check" ] && [ ! "$checkexclude" ] ; then
 cis
+ elif [ -z "$check" ] && [ "$checkexclude" ]; then
+ checkexcluded="$(echo $checkexclude | sed 's/,/|/g')"
+ for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vE "$checkexcluded"); do
+ "$c"
+ done
 else
- for i in $(echo "$check" | sed "s/,/ /g")
- do
+ for i in $(echo "$check" | sed "s/,/ /g"); do
 if command -v "$i" 2>/dev/null 1>&2; then
 "$i"
 else
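Review bot: The exclusion list is handed to `grep -vE` as an unanchored regex, so `-e check_1` in the new elif branch also drops every name that merely contains that string (check_1_1, and any check_1_1x-style names if functions_lib.sh defines them), and a value containing regex metacharacters silently changes or breaks the filter. Matching on word boundaries keeps `_` as part of the name and avoids the prefix problem, and the unquoted `$checkexclude` in the echo should be quoted so the shell does not glob or split it: `checkexcluded="$(printf '%s' "$checkexclude" | sed 's/,/|/g')"` and `for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vwE "$checkexcluded"); do`. Note also that this loop executes every word of every matching line of functions_lib.sh, which assumes those lines hold nothing but bare function names; the else branch guards with `command -v "$i"` before running, and the new branch should do the same. The test `[ ! "$checkexclude" ]` works but reads better as `[ -z "$checkexclude" ]`, matching the `-z` on the same line. main () continues past the end of this hunk.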