feat(docker): implement exclude paths functionality #4057
Conversation
Add support for excluding paths in Docker source scanning: - Add ExcludePaths field to Docker protobuf - Implement path exclusion logic in docker.go - Add comprehensive test coverage for exact and wildcard path matching - Update engine to pass exclude paths configuration - Add CLI support for --exclude-paths flag The implementation supports: - Exact path matching (e.g., /var/log/test) - Wildcard path matching (e.g., /var/log/test/*) - Multiple exclude paths Tests ensure proper handling of: - Exact path exclusions - Wildcard exclusions - Edge cases and similar paths
|
|
|
Thank you for opening this PR @tannerjones4075. Can you sign the CLA? |
I have signed the CLA :) |
There was a problem hiding this comment.
Thanks for this PR! It's a very clear and straightforward improvement. In particular, thank you for the detailed description and the tests. I've found a couple of small improvements I'd like to make before getting this in that I think will substantially reduce our future maintenance burden - please see my inline comments.
|
I appreciate the feedback. I'll make some changes and add another commit. |
…on to compile once per pattern.
…075/trufflehog into docker-exclude-path
|
One thing I didn't mention in earlier reviews - that I probably should have - is that the existing codebase has glob inclusion/exclusion implementation logic you could possibly reuse instead of adding this new regex-based technique. I'm not going to insist on it (because I didn't bring it up earlier) but it's probably worth at least giving it a glance to see if it would be helpful. |
…ctored TestDockerScanWithExclusions test
…075/trufflehog into docker-exclude-path
I replaced the regex with globfilter. Thanks for the suggestion and I think it reduces complexity and improved maintainability. |
There was a problem hiding this comment.
This looks super clean, nice work! I have a couple of small questions, and I see you've got a conflicting sources.pb.go file. Once you've resolved the former, you can resolve the latter by merging from main and then running make protos, but if you're running into trouble with it, I'm happy to do that part for you, since it was my extended review that caused the drift in the first place :)
|
Let me know if you want me to take this over and do the protobuf merge! |
Yes, the help would be great to get it merged. |
Description:
Add support for excluding paths in Docker source scanning:
The implementation supports:
Tests ensure proper handling of:
References:
https://github.com/trufflesecurity/trufflehog/issues/2216?utm_source=chatgpt.com
Checklist:
make test-community)?make lintthis requires golangci-lint)?