jetstack · joshw123 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
diff --git a/cmd/inspect.go b/cmd/inspect.go
@@ -18,6 +18,7 @@ import (
 
 func newInspect(ctx context.Context) *cobra.Command {
 	var imgOpts *options.Image
+	var analyseOpts *options.Analyse
 
 	cmd := &cobra.Command{
 		Use:   "inspect [flags] image",
@@ -47,7 +48,7 @@ Partial certificates are also all printed for further inspection.
 				return err
 			}
 
-			analyser, err := analyse.NewAnalyser()
+			analyser, err := analyse.NewAnalyser(analyseOpts)
 			if err != nil {
 				return errors.Wrap(err, "failed to initialise analyser")
 			}
@@ -97,6 +98,7 @@ Partial certificates are also all printed for further inspection.
 	}
 
 	imgOpts = options.RegisterImage(cmd)
+	analyseOpts = options.RegisterAnalyse(cmd)
 	cmd.Args = cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs)
 
 	return cmd

diff --git a/cmd/options/analyse.go b/cmd/options/analyse.go
@@ -0,0 +1,15 @@
+package options
+
+import "github.com/spf13/cobra"
+
+// Analyse are options for configuring certificate analysis.
+type Analyse struct {
+	// MozillaRemovedCertsURL is the URL to fetch the Mozilla removed CA certificates list from.
+	MozillaRemovedCertsURL string `json:"mozilla_removed_certs_url"`
+}
+
+func RegisterAnalyse(cmd *cobra.Command) *Analyse {
+	var opts Analyse
+	cmd.PersistentFlags().StringVar(&opts.MozillaRemovedCertsURL, "mozilla-removed-certs-url", "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat", "URL to fetch Mozilla's removed CA certificate list from.")
+	return &opts
+}
diff --git a/internal/analyse/analyse.go b/internal/analyse/analyse.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/hako/durafmt"
+	"github.com/jetstack/paranoia/cmd/options"
 )
 
 type NoteLevel string
@@ -36,21 +37,28 @@ type Analyser struct {
 	RemovedCertificates []removedCertificate
 }
 
+const defaultMozillaRemovedCACertificateReportURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"
+
 // NewAnalyser creates a new Analyzer using the public Mozilla CA removed certificate list as part of
 // its checks. This method performs HTTP requests to retrieve that list. The request will be made with the given
-// context.
-func NewAnalyser() (*Analyser, error) {
-	rc, err := downloadMozillaRemovedCACertsList()
+// context. The options struct configures various aspects of the analysis.
+func NewAnalyser(opts *options.Analyse) (*Analyser, error) {
+	rc, err := downloadMozillaRemovedCACertsList(opts)
 	if err != nil {
 		return nil, err
 	}
 	return &Analyser{RemovedCertificates: rc}, nil
 }
 
-func downloadMozillaRemovedCACertsList() ([]removedCertificate, error) {
-	const mozillaRemovedCACertificateReportURL = "https://ccadb-public.secure.force.com/mozilla/RemovedCACertificateReportCSVFormat"
+func downloadMozillaRemovedCACertsList(opts *options.Analyse) ([]removedCertificate, error) {
+
+	// Use default URL if none provided
+	url := opts.MozillaRemovedCertsURL
+	if url == "" {
+		url = defaultMozillaRemovedCACertificateReportURL
+	}
 
-	resp, err := http.Get(mozillaRemovedCACertificateReportURL)
+	resp, err := http.Get(url)
 	if err != nil {
 		return nil, err
 	}