Can I exclude files from a scan?
There is no mechanism today to exclude files in the command-line. The best solution is to post-process the log files to exclude results based on filename/path.
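One way to do that post-processing, as an added example that is not part of BinSkim or this page: drop every SARIF result whose artifact URI matches an exclusion glob, leaving the rest of the log untouched. The SARIF fragment, its rule ids and the glob patterns below are constructed sample values.

```python
import fnmatch
import json
from urllib.parse import unquote, urlparse

# Constructed SARIF 2.1.0 fragment in the shape BinSkim writes (sample data, not real output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [
            {"ruleId": "BA2008", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "file:///C:/build/bin/Product.dll"}}}]},
            {"ruleId": "BA2008", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "file:///C:/build/bin/Product.Tests.dll"}}}]},
            {"ruleId": "BA2015", "level": "warning", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "file:///C:/build/tools/codegen.exe"}}}]},
        ],
    }],
}


def result_paths(result):
    """Yield a plain file path for every location attached to one SARIF result."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
        parsed = urlparse(uri)
        path = unquote(parsed.path) if parsed.scheme else uri  # relative uris pass through
        # file:///C:/x parses to '/C:/x'; drop the leading slash in front of a drive letter
        if len(path) > 2 and path[0] == "/" and path[2] == ":":
            path = path[1:]
        yield path


def is_excluded(result, exclude_globs):
    """True when any location of the result matches any exclusion glob."""
    return any(fnmatch.fnmatch(p, g) for p in result_paths(result) for g in exclude_globs)


def filter_sarif(sarif, exclude_globs):
    """Return a deep copy of the log with excluded results removed from every run."""
    out = json.loads(json.dumps(sarif))  # never mutate the caller's document
    for run in out.get("runs", []):
        run["results"] = [r for r in run.get("results", []) if not is_excluded(r, exclude_globs)]
    return out


if __name__ == "__main__":
    import sys  # usage: filter_sarif.py binskim.sarif '*.Tests.dll' '*/tools/*'
    with open(sys.argv[1], encoding="utf-8") as fh:
        json.dump(filter_sarif(json.load(fh), sys.argv[2:]), sys.stdout, indent=2)
```

Because only results are dropped, rule metadata and the run's tool section survive, so the filtered file still loads in any SARIF viewer.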
Excluding files requires significant manual maintenance for developers to get their analysis configured properly. Depending on the build system you use, you'll need to differentiate production code from test code, as well as from utilities and other checked-in code that doesn't get deployed.
Encouraging developers to exclude these files with a file argument won't properly solve the problem and will create a whole new set of issues, such as:
- User invokes BinSkim via a build system that pulls in too much code
- User gets reasonably frustrated because of the quantity of results
- User gets further frustrated on realizing that results that don't need to be fixed are included in the output
- User must discover the BinSkim mechanism for excluding files
- User must manually modify the command line to account for the problem
- If new test code gets added, return to item #1 above
However, if you still prefer a hand-constructed command line, here's what you can do:
- Take the generated response file produced by your build system
- Check that file in and configure BinSkim to use it
- Delete any files from the response file that you don't want analyzed
At the end of the day, the goal is to ensure you're shipping secure binaries, even if it means going through a few additional files.