feat(scan): add --exclude-paths flag for full Tier 1 exclusion (port of #1298) #1306
Conversation
Port of #1298 (originally targeted v1.x by @simonhj) to main. Adds a --exclude-paths flag to socket scan create and socket scan reach that excludes the listed glob patterns from BOTH SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are matched relative to the project root; bare directory names are auto-extended to recursive globs (tests -> tests/**); trailing slashes are stripped; gitignore-style negation patterns (!path) are rejected up front.

Internally, --exclude-paths is wired into projectIgnorePaths for SCA manifest discovery and into Coana's --exclude-dirs for reachability, preserving existing --reach-exclude-paths semantics for users who only need the Coana-side exclusion.

Translation notes for v1.x -> main:
- @socketsecurity/registry/lib/* -> @socketsecurity/lib/*
- ../../utils/errors.mts -> ../../utils/error/errors.mts
- co-located tests live under packages/cli/test/{integration,unit}/...
- preserved existing test snapshots; only the new --exclude-paths line was added to help-text snapshots.

DISABLE_PRECOMMIT_TEST=1 used for this commit because pre-existing unrelated analytics tests are broken on origin/main (verified against a pristine checkout). Type checks and the new exclude-paths unit tests all pass.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 3cfb459. Configure here.
```ts
const targetPath = path.isAbsolute(options.target)
  ? path.relative(options.cwd, options.target)
  : options.target
const targetPattern = toPosixPath(stripTrailingSlash(targetPath))
```
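Review bot: when options.target is absolute but lies outside options.cwd, path.relative returns a path beginning with "../", and the resulting targetPattern can never match a project-root-relative exclude; either reject such targets before this point or document that excludes are only translated for targets under cwd.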
Nested relative targets drop excludes
Medium Severity
The projectIgnorePathsToReachExcludePaths function preserves leading ./ in relative targets, while projectIgnorePaths are normalized without it. This path normalization mismatch prevents --exclude-paths from correctly applying to nested targets, causing Coana to analyze directories that should be excluded.
```ts
 */
export function excludePathToProjectIgnorePath(path: string): string {
  const stripped = stripTrailingSlash(path)
  return stripped.endsWith('/**') ? stripped : `${stripped}/**`
```
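Review bot: the `/**` suffix is appended to every pattern that does not already end in `/**`, so a file glob such as `*.test.mts` becomes `*.test.mts/**` and stops matching files; limit the auto-extension to patterns whose last segment contains no wildcard (the "bare directory name" case the description promises) and leave other globs untouched.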
Windows paths miss SCA exclusion
Medium Severity
excludePathToProjectIgnorePath stores --exclude-paths values in projectIgnorePaths without converting backslashes. Windows-style paths can still reach Coana after later normalization, but SCA manifest discovery receives unmatched patterns and includes manifests from excluded directories.
```ts
if (normalized.startsWith(recursiveTargetPrefix)) {
  return normalized.slice(targetPrefix.length)
}
return undefined
```
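Review bot: the guard checks `normalized` against `recursiveTargetPrefix` but the slice uses `targetPrefix.length`, which is only correct if the two prefixes differ by exactly the characters that should be discarded; a short comment stating that invariant, plus a unit test with a nested target, would make the intentional mismatch clear to the next reader.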
Wildcard excludes miss nested targets
Medium Severity
pathRelativeToTarget treats glob patterns as literal prefixes when translating to Coana paths. Project-root patterns containing wildcards before the target, such as workspace globs, are dropped for nested reachability targets even when they match directories inside that target.
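The three Bugbot findings above (leading ./ on relative targets, unconverted backslashes, wildcards treated as literal prefixes) all come from comparing patterns and targets that were normalized differently. The following is an added example, not the PR's exclude-paths.mts code: hypothetical canonicalize, normalizeExcludePath and pathRelativeToTarget helpers that bring both sides into one POSIX, root-relative form before comparing, and match the target prefix as a glob.

```typescript
// Added illustration, not the PR's exclude-paths.mts: put exclude patterns and
// target paths into one canonical form (POSIX separators, root-relative, no
// trailing slash) before SCA discovery and Coana see them.

// Convert Windows separators, drop leading "./" segments and trailing "/".
export function canonicalize(p: string): string {
  let s = p.replace(/\\/g, '/');
  while (s.startsWith('./')) s = s.slice(2);
  s = s.replace(/\/+$/, '');
  return s === '.' ? '' : s;
}

// Normalize one --exclude-paths value. Negation is rejected up front, and a
// pattern whose last segment has no wildcard (a bare directory name) is
// extended to a recursive glob, so "tests" and "tests/" both become "tests/**".
export function normalizeExcludePath(raw: string): string {
  if (raw.startsWith('!')) {
    throw new Error(`Negation patterns are not supported: ${raw}`);
  }
  const s = canonicalize(raw);
  if (s === '') throw new Error('Empty exclude pattern');
  const last = s.slice(s.lastIndexOf('/') + 1);
  return /[*?]/.test(last) ? s : `${s}/**`;
}

const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Match one pattern segment against one path segment; "*" spans a single segment.
function segmentMatches(patSeg: string, pathSeg: string): boolean {
  if (!patSeg.includes('*')) return patSeg === pathSeg;
  const re = new RegExp(`^${patSeg.split('*').map(escapeRe).join('[^/]*')}$`);
  return re.test(pathSeg);
}

// Translate a normalized, root-relative pattern into one relative to a nested
// reachability target. Wildcards in the prefix are matched as globs rather than
// compared as literal text; "**" is kept because it may span the target itself.
export function pathRelativeToTarget(pattern: string, target: string): string | undefined {
  const patSegs = canonicalize(pattern).split('/');
  const tgtSegs = canonicalize(target).split('/').filter(Boolean);
  for (let i = 0; i < tgtSegs.length; i++) {
    const seg = patSegs[i];
    if (seg === undefined) return undefined; // pattern is shallower than the target
    if (seg === '**') return patSegs.slice(i).join('/'); // "**" can absorb the rest of the target
    if (!segmentMatches(seg, tgtSegs[i])) return undefined; // pattern lies outside the target
  }
  const rest = patSegs.slice(tgtSegs.length).join('/');
  return rest === '' ? '**' : rest; // pattern named the target itself: exclude all of it
}
```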


Summary

Adds a --exclude-paths flag to socket scan create and socket scan reach that excludes the listed glob patterns from BOTH SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are matched relative to the project root; bare directory names are auto-extended to recursive globs (tests → tests/**); trailing slashes are stripped; gitignore-style negation patterns (!path) are rejected up front.

Translation notes (v1.x → main)
- @socketsecurity/registry/lib/* → @socketsecurity/lib/*
- ../../utils/errors.mts → ../../utils/error/errors.mts
- co-located tests live under packages/cli/test/{integration,unit}/...
- preserved existing test snapshots; only the new --exclude-paths line was added to help-text snapshots.

Internally, --exclude-paths is wired into projectIgnorePaths for SCA manifest discovery and into Coana's --exclude-dirs for reachability, preserving existing --reach-exclude-paths semantics for users who only need the Coana-side exclusion.

Credit: original implementation by Simon (@simonhj) on the v1.x branch.
Test plan
- pnpm exec tsc --noEmit passes for @socketsecurity/cli
- pnpm exec vitest run test/unit/commands/scan/exclude-paths.test.mts passes (13 new unit tests for the helpers)
- pnpm exec vitest run test/unit/commands/scan/handle-create-new-scan.test.mts test/unit/commands/scan/handle-scan-reach.test.mts passes (existing handler tests adapted to the new excludePaths field)
- pnpm exec vitest run test/unit/commands/scan/ passes (all 665 scan unit tests)
- pnpm run build for @socketsecurity/cli succeeds
- pnpm --filter @socketsecurity/cli run check passes (path hygiene + bundle deps + size + link deps)
- socket scan create --exclude-paths tests --dry-run succeeds; --exclude-paths '!tests/keep' fails with the expected error.

Note: pre-existing analytics test failures on origin/main (verified against a pristine checkout) are unrelated to this port and were not addressed here.

Note
Medium Risk
Adds new exclusion semantics that affect which manifests are discovered and which directories reachability analysis skips, so misconfiguration could change scan coverage. The change touches core scan/reach handlers but is guarded by validation and new unit/integration tests.
Overview

Adds a new --exclude-paths flag to socket scan create and socket scan reach to exclude user-specified globs from both manifest discovery (via socket.yml projectIgnorePaths) and Tier 1 reachability analysis (by translating them into Coana --exclude-dirs).

Introduces exclude-paths.mts helpers to normalize/translate patterns and reject negation (!) up front, threads excludePaths through reachability option types and call sites (handle-create-new-scan, handle-scan-reach, CI/default scan creation), and updates bash completions and help-text snapshots/tests accordingly.