feat(reach): unified --exclude-paths, deprecate --reach-exclude-paths #227
Merged
Conversation
🚀 Preview package published! Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.4.3.dev6`. Docker image:
…aths

Add a single --exclude-paths flag (Node CLI parity) that filters BOTH SCA manifest discovery and reachability analysis:

- New Core matcher: anchored micromatch-style globs compiled to regex (no new deps). Scan-root-relative POSIX paths, '*' does not cross '/', '**' does, each pattern P expanded to [P, P/**]. Threaded into find_files via cli_config; no-op when unset.
- Reach side unions --exclude-paths with the now-deprecated --reach-exclude-paths and forwards to coana --exclude-dirs.
- Validation mirrors Node's assertValidExcludePaths (rejects negation, absolute paths, '..' traversal, degenerate match-everything; trailing slash stripped so '**/' is rejected). Accepts comma-strings and config-file lists.
- --reach-exclude-paths soft-deprecated: still works, [DEPRECATED] in help, warns at runtime.

Docs: document --exclude-paths under 'Path and File' (it affects every scan, not just reach), mark --reach-exclude-paths deprecated, and refresh the reachability flag table (--reach-analysis-timeout/-memory-limit primary names, --reach-debug, --reach-disable-external-tool-checks, defaults delegated to coana).

Adds a CHANGELOG 2.4.3 entry and tests incl. the Node parity cases, validation, and config-file paths.
Benjamin Barslev Nielsen (barslev) approved these changes on Jun 3, 2026.
Martin Torp (mtorp) added a commit that referenced this pull request on Jun 3, 2026:
Layered on top of the v2.4.3 --exclude-paths work (#227). Fixes the reachability-reference items #227 left:

- Document the uv + Enterprise-plan prerequisites the CLI enforces before running reachability (exit 3), and that per-ecosystem build toolchains are the analysis engine's runtime check, not a CLI pre-check.
- Correct --reach-min-severity values to info/low/moderate/high/critical.
- Document --reach-enable-analysis-splitting, --reach-detailed-analysis-log-file, --reach-lazy-mode, --reach-use-only-pregenerated-sboms.
- Clarify --only-facts-file submits only the facts file when creating the full scan (no pre-existing scan required).
- Note --reach creates a tier-1 full-application scan (scan_type=socket_tier1).

Docs-only; the 2.4.3->2.4.4 bump + uv.lock are mandated by the sync-version hook.
Adds the unified `--exclude-paths` flag for Node CLI parity. Follows #226 (the reachability flag/env/retry alignment, now merged to `main`); this PR targets `main` directly and contains only the `--exclude-paths` work.

Changes

- New `--exclude-paths` (comma-separated globs) that filters both SCA manifest discovery and reachability analysis.
- New `Core` matcher (static methods): anchored micromatch-style globs compiled to regex; no new dependency. Scan-root-relative POSIX paths, case-sensitive, `*` does not cross `/`, `**` does; each pattern `P` expanded to `[P, P/**]`. Threaded into `find_files` via `cli_config`; strict no-op when the flag is unset, so existing scans are unchanged.
- Reach side unions `--exclude-paths` with the now-deprecated `--reach-exclude-paths` and forwards verbatim to coana `--exclude-dirs` (correct because coana's target `.` == cwd == scan root).
- Validation mirrors Node's `assertValidExcludePaths`: rejects negation (`!`), absolute paths, `..` traversal, and degenerate match-everything (trailing slash stripped first, so `**/` is rejected too). Accepts both comma-separated strings and `--config-file` lists (a config-file list is normalized and validated, not bypassed).
- `--reach-exclude-paths` soft-deprecated: still works, marked `[DEPRECATED]` in `--help`, warns at runtime, unions into `--exclude-dirs`. (Flip to hidden in a later minor release.)

Parity

Matcher verified against the Node `exclude-paths.mts` source. Pinned the exact parity cases as tests, e.g.:

- `tests` excludes `tests/pkg/package.json` but keeps `src/tests/package.json` (root-anchored)
- `package-lock.json` matches root only, not `packages/a/package-lock.json` (no basename match)
- `src/*.json` excludes `src/a.json` but keeps `src/sub/a.json` (`*` doesn't cross `/`)
- `**/node_modules` matches at any depth (globstar)

Known edge (documented, not fixed)

With multiple `--sub-path` targets, `find_files` anchors patterns per-subpath, whereas Node anchors all to a single scan-root cwd. Cannot affect the reach flow (single-target). Noted in a code comment.

Testing

`test_exclude_paths.py`: matcher semantics, Node parity cases, validation (incl. `**/` rejection and `--config-file` list/string/validation paths), and `find_files` integration.

Rebased onto `main` after #226 merged; single commit, version 2.4.3.
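As an added illustration of the matcher and validation semantics the description above lays out (anchored, scan-root-relative globs where `*` stays inside a segment and `**` crosses `/`, `[P, P/**]` expansion, and the `assertValidExcludePaths`-style rejections), the following Python re-implements them from scratch. It is not the socketsecurity project's code and not part of this PR; every name in it (`ExcludeMatcher`, `compile_exclude_glob`, `validate_exclude_path`, `normalize_exclude_paths`, `union_exclude_dirs`) is assumed, and the Windows drive-letter check goes beyond what the page states. The sample paths are the four parity cases from the description.

```python
import re
from typing import Iterable, List, Sequence, Union

# Constructed example: a minimal re-implementation of the --exclude-paths
# semantics described in the PR. Not the socketsecurity project's own code;
# all names below are assumptions, not the real CLI's API.


class ExcludePathError(ValueError):
    """Raised for a pattern the Node-style validation would reject."""


def validate_exclude_path(pattern: str) -> str:
    """Reject negation, absolute paths, '..' traversal and match-everything globs.
    The trailing slash is stripped before the degenerate check, so '**/' is rejected."""
    p = pattern.strip()
    if p.startswith("!"):
        raise ExcludePathError(f"negated patterns are not supported: {pattern!r}")
    # Drive-letter check is an assumption beyond the page; POSIX '/' is what the PR names.
    if p.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", p):
        raise ExcludePathError(f"patterns must be scan-root-relative: {pattern!r}")
    if ".." in p.replace("\\", "/").split("/"):
        raise ExcludePathError(f"'..' traversal is not allowed: {pattern!r}")
    stripped = p.rstrip("/")
    if stripped in ("", "*", "**"):  # '*' expands to '*/**', so it is degenerate too
        raise ExcludePathError(f"pattern would exclude the whole scan root: {pattern!r}")
    return stripped


def normalize_exclude_paths(value: Union[None, str, Sequence[str]]) -> List[str]:
    """Accept a comma-separated CLI string or a config-file list; both are validated."""
    if value is None:
        return []
    raw = value.split(",") if isinstance(value, str) else list(value)
    return [validate_exclude_path(p) for p in raw if p.strip()]


def compile_exclude_glob(pattern: str) -> "re.Pattern[str]":
    """Anchored micromatch-style glob -> regex: '*' stays within one path
    segment, '**' crosses '/', '?' matches one non-slash character."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):     # globstar followed by a separator:
            out += "(?:.*/)?"                 # zero or more whole segments
            i += 3
        elif pattern.startswith("**", i):    # trailing globstar: rest of the path
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")  # anchored at both ends, case-sensitive


class ExcludeMatcher:
    """Each pattern P is expanded to [P, P/**] so a directory name excludes its subtree."""

    def __init__(self, patterns: Iterable[str]) -> None:
        self._regexes = []
        for p in patterns:
            self._regexes.append(compile_exclude_glob(p))
            self._regexes.append(compile_exclude_glob(p + "/**"))

    def is_excluded(self, rel_path: str) -> bool:
        # Inputs are scan-root-relative; normalise separators and a leading './'.
        rel = rel_path.replace("\\", "/")
        if rel.startswith("./"):
            rel = rel[2:]
        return any(r.match(rel) for r in self._regexes)  # no patterns -> never excludes

    def filter_paths(self, paths: Iterable[str]) -> List[str]:
        """The filtering step a file walker would apply with the matcher threaded in."""
        return [p for p in paths if not self.is_excluded(p)]


def union_exclude_dirs(exclude_paths: Sequence[str], reach_exclude_paths: Sequence[str]) -> List[str]:
    """Order-preserving union of the new flag with the deprecated one, for the reach side."""
    return list(dict.fromkeys([*exclude_paths, *reach_exclude_paths]))


if __name__ == "__main__":
    # Constructed sample paths, exercising the parity cases from the PR description.
    matcher = ExcludeMatcher(normalize_exclude_paths("tests,package-lock.json,src/*.json,**/node_modules"))
    for path in ["tests/pkg/package.json", "src/tests/package.json", "package-lock.json",
                 "packages/a/package-lock.json", "src/a.json", "src/sub/a.json",
                 "a/b/node_modules/x.js"]:
        print(f"{path:32} excluded={matcher.is_excluded(path)}")
```

The matcher compiles patterns once and never consults the filesystem, so a pattern cannot reach outside the scan root even before validation runs; validation exists to give the user a clear error rather than a silently empty scan.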