Improve CLI flags parsing (#624)

* Unify CLI flags usage
---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: frjcomp

.github/copilot-instructions.md

@@ -187,7 +187,7 @@ make serve-docs  # Installs dependencies if needed, generates and serves docs
 - Each command should have a corresponding test file
 - Commands are organized by platform (gitlab, github, bitbucket, devops, gitea)
 - Use consistent flag naming across commands
-- **When adding or modifying command flags**: Update both `docs/introduction/configuration.md` and `pipeleek.example.yaml` to reflect the changes
+- **When adding or modifying command flags**: Update `docs/introduction/configuration.md` and ensure `pipeleek config gen` output remains accurate
 
 ### Configuration Loading Pattern (MANDATORY)
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build build-all build-gitlab build-github build-bitbucket build-devops build-gitea build-circle test test-unit test-e2e lint clean coverage coverage-html serve-docs
+.PHONY: help build build-all build-gitlab build-github build-bitbucket build-devops build-gitea build-circle test test-unit test-e2e lint clean coverage coverage-html serve-docs release-guard
 
 # Default target
 help:
@@ -18,6 +18,7 @@ help:
 	@echo "  make test-e2e         - Run e2e tests (builds binary first)"
 	@echo "  make coverage         - Generate test coverage report"
 	@echo "  make coverage-html    - Generate and open HTML coverage report"
+	@echo "  make release-guard    - Compare against latest release and run pre-release safety checks"
 	@echo "  make lint             - Run golangci-lint"
 	@echo "  make serve-docs       - Generate and serve CLI documentation"
 	@echo "  make clean            - Remove built artifacts"
@@ -126,6 +127,13 @@ coverage-html: coverage
 		echo "Open coverage.html in your browser to view the report"; \
 	fi
 
+# Compare current branch against latest release and run release-safety checks
+# Set STRICT_ALLOWLIST=1 to fail if changed files fall outside ALLOWLIST_REGEX.
+# Set FAST_MODE=1 to skip gosec and golangci-lint for faster iteration.
+release-guard:
+	@echo "Running pre-release guard..."
+	./scripts/pre_release_guard.sh
+
 # Run golangci-lint
 lint:
 	@echo "Running golangci-lint..."

docs/guides/gitlab.md

@@ -33,7 +33,7 @@ Prefer the authenticated scan over the unauthenticated one whenever possible, as
 
 ```bash
 # Scan all publicly accessible CI/CD logs, including artifacts (breadth-first)
-pipeleek gluna scan -g https://leakycompany.com -a --job-limit 10
+pipeleek gluna scan -u https://leakycompany.com -a --job-limit 10
 ```
 
 ## Authenticated Access
@@ -55,7 +55,7 @@ Make sure to verify manually as well.
 > To create a Personal Access Token visit https://leakycompany.com/-/user_settings/personal_access_tokens
 
 ```bash
-pipeleek gl vuln -g https://leakycompany.com -t glpat-[redacted]
+pipeleek gl vuln -u https://leakycompany.com -t glpat-[redacted]
 2024-11-14T14:29:05+01:00 info GitLab version=17.5.1-ee
 2024-11-14T14:29:05+01:00 info Fetching CVEs for this version version=17.5.1-ee
 ```
@@ -68,16 +68,16 @@ Dump all CI/CD variables you have access to, to find more secrets.
 
 ```bash
 # Dump variables defined in the projects settings
-pipeleek gl variables -g https://leakycompany.com -t glpat-[redacted]
+pipeleek gl variables -u https://leakycompany.com -t glpat-[redacted]
 
 # Schedules can have separately defined variables
-pipeleek gl schedule -g https://leakycompany.com -t glpat-[redacted]
+pipeleek gl schedule -u https://leakycompany.com -t glpat-[redacted]
 
 # Secure files are an alternative to variables and often times contain sensitive info
-pipeleek gl secureFiles -g https://leakycompany.com -t glpat-[redacted]
+pipeleek gl secureFiles -u https://leakycompany.com -t glpat-[redacted]
 
 # Terraform states can contain secrets
-pipeleek gl tf --token -g https://leakycompany.com -t glpat-[redacted]
+pipeleek gl tf -u https://leakycompany.com -t glpat-[redacted]
 ```
 
 ## Secret Detection in Source Code
@@ -158,7 +158,7 @@ There are many reasons why credentials might be included in the job output. More
 [Pipeleek](https://github.com/CompassSecurity/pipeleek) can be used to scan for credentials in the job outputs.
 
 ```bash
-$ pipeleek gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com -c [gitlab session cookie]]  -v -a -j 5 --confidence high-verified,high
+$ pipeleek gl scan --token glpat-[redacted] --url https://gitlab.example.com -c [gitlab session cookie]]  -v -a -j 5 --confidence high-verified,high
 2024-09-26T13:47:09+02:00 debug Verbose log output enabled
 2024-09-26T13:47:10+02:00 info Gitlab Version Check revision=2e166256199 version=17.5.0-pre
 2024-09-26T13:47:10+02:00 debug Setting up queue on disk
@@ -209,7 +209,7 @@ curl --request GET --header "PRIVATE-TOKEN: glpat-[redacted]" https://gitlab.exa
 }
 
 # Verify using Pipeleek
-pipeleek gl enum -g https://gitlab.example.com -t glpat-[redacted]
+pipeleek gl enum -u https://gitlab.example.com -t glpat-[redacted]
 2025-09-29T12:25:51Z info Enumerating User
 2025-09-29T12:25:51Z warn Current user admin=false bot=false email=test@example.com name="Pipe Leak" username=pipeleek_user
 2025-09-29T12:25:51Z info Enumerating Access Token
@@ -236,7 +236,7 @@ Runners can be attached globally, on the group level or on individual projects.
 Using pipeleek we can automate runner enumeration:
 
 ```bash
-$ pipeleek gl runners --token glpat-[redacted] --gitlab https://gitlab.example.com -v list
+$ pipeleek gl runners --token glpat-[redacted] --url https://gitlab.example.com -v list
 2024-09-26T14:26:54+02:00 info group runner description=2-green.shared-gitlab-org.runners-manager.gitlab.example.com name=comp-test-ia paused=false runner=gitlab-runner tags=gitlab-org type=instance_type
 2024-09-26T14:26:55+02:00 info group runner description=3-green.shared-gitlab-org.runners-manager.gitlab.example.com/dind name=comp-test-ia paused=false runner=gitlab-runner tags=gitlab-org-docker type=instance_type
 2024-09-26T14:26:55+02:00 info group runner description=blue-3.saas-linux-large-amd64.runners-manager.gitlab.example.com/default name=comp-test-ia paused=false runner=gitlab-runner tags=saas-linux-large-amd64 type=instance_type
@@ -250,7 +250,7 @@ Pipeleek can generate a `.gitlab-ci.yml` or directly create a project and launch
 
 ```bash
 # Manual creation
-$ pipeleek gl runners --token glpat-[redacted] --gitlab https://gitlab.example.com -v exploit --tags saas-linux-small-amd64 --shell --dry
+$ pipeleek gl runners --token glpat-[redacted] --url https://gitlab.example.com -v exploit --tags saas-linux-small-amd64 --shell --dry
 2024-09-26T14:32:26+02:00 debug Verbose log output enabled
 2024-09-26T14:32:26+02:00 info Generated .gitlab-ci.yml
 2024-09-26T14:32:26+02:00 info ---
@@ -276,7 +276,7 @@ pipeleek-job-saas-linux-small-amd64:
 2024-09-26T14:32:26+02:00 info Done, Bye Bye 🏳️‍🌈🔥
 
 # Automated
-$ pipeleek gl runners --token glpat-[redacted]  --gitlab https://gitlab.example.com -v exploit --tags saas-linux-small-amd64 --shell
+$ pipeleek gl runners --token glpat-[redacted]  --url https://gitlab.example.com -v exploit --tags saas-linux-small-amd64 --shell
 2024-09-26T14:33:48+02:00 debug Verbose log output enabled
 2024-09-26T14:33:49+02:00 info Created project name=pipeleek-runner-exploit url=https://gitlab.example.com/[redacted]/pipeleek-runner-exploit
 2024-09-26T14:33:50+02:00 info Created .gitlab-ci.yml file=.gitlab-ci.yml
@@ -415,7 +415,7 @@ docker run --rm --entrypoint sh registry.gitlab.example.com/auser/artipacked:lat
 Then validate and create PoC exploit:
 
 ```bash
-pipeleek gl jobToken exploit --project auser/artipacked --token glcbt-6c_z1CoZjUyFfAu6cE2XFTC
+pipeleek gl jobToken exploit --repo auser/artipacked --token glcbt-6c_z1CoZjUyFfAu6cE2XFTC
 2026-02-09T15:25:30Z info Job token validation succeeded
 2026-02-09T15:25:30Z info Job token context resolved job_id=13042619352 project=auser/artipacked project_id=79339419 ref=main status=running web_url=https://gitlab.example.com/auser/artipacked/-/jobs/13042619352
 2026-02-09T15:25:30Z info Fetching secure files project=auser/artipacked

docs/guides/renovate.md

@@ -35,7 +35,7 @@ Use the `enum` command to scan your GitLab instance for Renovate bot jobs and co
 For example, we enumerated Renovate configs found on GitLab.com. One project was found that enables Renovate's autodiscovery of projects and does **not** set any autodiscovery filters.
 
 ```bash
-pipeleek gl renovate enum -g https://gitlab.com -t glpat-[redacted] --dump
+pipeleek gl renovate enum -u https://gitlab.com -t glpat-[redacted] --dump
 2025-09-30T07:11:06Z info Fetching projects
 2025-09-30T07:11:12Z warn Identified Renovate (bot) configuration autodiscoveryFilterType= autodiscoveryFilterValue= hasAutodiscovery=true hasAutodiscoveryFilters=false hasConfigFile=true pipelines=enabled selfHostedConfigFile=true url=https://gitlab.com/test-group/renovate-bot
 2025-09-30T07:11:16Z info Fetched all projects
@@ -53,7 +53,7 @@ The Renovate bot from the example above is configured to autodiscover new projec
 The following command creates a repository that includes an exploit script called `exploit.sh`. Whenever a Renovate bot picks up this repo, the script will be executed.
 
 ```bash
-pipeleek gl renovate autodiscovery -g https://gitlab.com -t glpat-[redacted] -v
+pipeleek gl renovate autodiscovery -u https://gitlab.com -t glpat-[redacted] -v
 2025-09-30T07:19:33Z info Created project name=devfe-pipeleek-renovate-autodiscovery-poc url=https://gitlab.com/myuser/devfe-pipeleek-renovate-autodiscovery-poc
 2025-09-30T07:19:35Z debug Created file fileName=renovate.json
 2025-09-30T07:19:35Z debug Created file fileName=pom.xml
@@ -112,6 +112,7 @@ In that file, extract all sensitive environment variables and use them for later
 > After receiving a merge request from the Renovate bot, you must fully delete both the branch and the merge request. This ensures the bot will recreate them, allowing your script to run again. Otherwise, the script will not be executed a second time. Ensure to revert the commits as well if they were merged.
 
 ### Dump Renovate Process Heap
+
 In some cases the Renovate bot configuration file might have been [deleted](https://docs.renovatebot.com/self-hosted-configuration/#deleteconfigfile) and you want to recover it. The following script can be used to dump the heap for further analysis.
 
 ```bash
@@ -174,7 +175,7 @@ Your goal is to abuse the Renovate bot's access level to merge a malicious `gitl
 Using Pipeleek, you can monitor your repository for new Renovate branches. When a new one is detected, Pipeleek tries to add a new job into the `gitlab-ci.yml`. As this needs to exploit a race condition (adding new changes to the Renovate branch before the bot activates auto-merge), this might take a few attempts.
 
 ```bash
-pipeleek gl renovate privesc -g https://gitlab.com -t glpat-[redacted] --repo-name company1/a-software-project --renovate-branches-regex 'renovate/.*' -v
+pipeleek gl renovate privesc -u https://gitlab.com -t glpat-[redacted] --repo company1/a-software-project --renovate-branches-regex 'renovate/.*' -v
 2025-09-30T07:56:57Z debug Verbose log output enabled
 2025-09-30T07:56:57Z info Ensure the Renovate bot does have a greater access level than you, otherwise this will not work, and is able to auto merge into the protected main branch
 2025-09-30T07:56:58Z debug Testing push access level for default branch branch=main requiredAccessLevel=40 userAccessLevel=30

docs/guides/scanning.md

@@ -20,7 +20,7 @@ Start by creating a personal access token (`Menu` → `Preferences` → `Access
 For an initial scan, target all repositories you can access, including public ones. To keep the scan fast and broad, limit it to the latest 15 jobs per project:
 
 ```bash
-pipeleek gl scan -g https://gitlab.com -t glpat-[redacted] --cookie [redacted] --artifacts --job-limit 15
+pipeleek gl scan -u https://gitlab.com -t glpat-[redacted] --cookie [redacted] --artifacts --job-limit 15
 2025-09-30T09:53:30Z info Gitlab Version Check revision=f0455ea9f90 version=18.5.0-pre
 2025-09-30T09:53:30Z info Fetching projects
 2025-09-30T09:53:30Z info Provided GitLab session cookie is valid
@@ -34,5 +34,5 @@ As shown, Pipeleek can detect secrets in job logs and build artifacts. Security
 If you find a repository that looks particularly interesting e.g. `secret-pipelines`, you can scan all its job logs, not just the most recent ones:
 
 ```bash
-pipeleek gl scan -g https://gitlab.com -t glpat-[redacted] --cookie [redacted] --artifacts --repo mygroup/my-secret-pipelines-project
+pipeleek gl scan -u https://gitlab.com -t glpat-[redacted] --cookie [redacted] --artifacts --repo mygroup/my-secret-pipelines-project
 ```