fix: allow paths in --exclude parameter for IaC commands while maintaining backwards compatibility

bastiandoetsch · bastiandoetsch · commit 2be5d6143969 · 2025-09-22T10:03:07.000+02:00
- Remove path separator validation only for IaC commands (--iac flag)
- Keep existing validation for open source scanning to maintain backwards compatibility
- Update tests to verify both behaviors work correctly
- IaC commands now support: --exclude=path/to/dir, --exclude=subdir/file.tf
- Open source commands still restrict to: --exclude=dirname, --exclude=filename

Fixes issue where --exclude parameter only worked with single files and directories
without path separators for IaC commands.
diff --git a/src/cli/main.ts b/src/cli/main.ts
@@ -443,7 +443,8 @@ function validateUnsupportedOptionCombinations(
     if (typeof options.exclude !== 'string') {
       throw new ExcludeFlagBadInputError();
     }
-    if (options.exclude.indexOf(pathLib.sep) > -1) {
+    // Only apply path separator validation for non-IaC commands to maintain backwards compatibility
+    if (!options.iac && options.exclude.indexOf(pathLib.sep) > -1) {
       throw new ExcludeFlagInvalidInputError();
     }
   }
diff --git a/test/jest/acceptance/cli-args.spec.ts b/test/jest/acceptance/cli-args.spec.ts
@@ -245,7 +245,7 @@ describe('cli args', () => {
     expect(code).not.toEqual(2);
   });
 
-  test('snyk test --exclude=path/to/dir displays error message', async () => {
+  test('snyk test --exclude=path/to/dir displays error message for open source', async () => {
     const exclude = path.normalize('path/to/dir');
     const { code, stdout } = await runSnykCLI(
       `test --all-projects --exclude=${exclude}`,
@@ -260,6 +260,23 @@ describe('cli args', () => {
     expect(code).toEqual(2);
   });
 
+  test('snyk iac test --exclude=path/to/dir should work with paths', async () => {
+    const exclude = path.normalize('path/to/dir');
+    const { code, stdout } = await runSnykCLI(
+      `iac test --exclude=${exclude}`,
+      {
+        env,
+      },
+    );
+
+    // Should not display error message about paths not being allowed for IaC
+    expect(stdout).not.toContainText(
+      'The --exclude argument must be a comma separated list of directory or file names and cannot contain a path.',
+    );
+    // Should not fail with error code 2 due to path validation for IaC
+    expect(code).not.toEqual(2);
+  });
+
   [
     'config',
     'ignore',

Original file line number	Diff line number	Diff line change
`@@ -443,7 +443,8 @@ function validateUnsupportedOptionCombinations(`
`443`	`443`	`if (typeof options.exclude !== 'string') {`
`444`	`444`	`throw new ExcludeFlagBadInputError();`
`445`	`445`	`}`
`446`		`- if (options.exclude.indexOf(pathLib.sep) > -1) {`
	`446`	`+ // Only apply path separator validation for non-IaC commands to maintain backwards compatibility`
	`447`	`+ if (!options.iac && options.exclude.indexOf(pathLib.sep) > -1) {`
`447`	`448`	`throw new ExcludeFlagInvalidInputError();`
`448`	`449`	`}`
`449`	`450`	`}`