
Conversation

@bastiandoetsch bastiandoetsch commented Sep 19, 2025

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

This PR adds support for the --exclude parameter in IaC scanning commands, allowing users to exclude specific files and directories from IaC scans. The implementation supports both the legacy IaC flow (v1) and the new IaC engine (v2).

Key Features:

  • Exclude specific files or directories from IaC scans
  • Support for comma-separated exclude patterns (e.g., --exclude=dir1,dir2,file.tf)
  • Nested directory exclusion (excluding a parent directory excludes all children)
  • Proper filesystem semantics using path.normalize() and path.relative()
  • Works with both IaC v1 (legacy) and v2 (new engine) flows

Where should the reviewer start?

  1. Type definitions: Start with src/cli/commands/test/iac/local-execution/types.ts and src/lib/iac/test/v2/types.ts to understand the new exclude parameter
  2. Core implementation: Review src/cli/commands/test/iac/local-execution/directory-loader.ts for the main exclude logic
  3. Validation: Check src/cli/main.ts for CLI validation updates
  4. Tests: Review test/jest/unit/iac/directory-loader.spec.ts for comprehensive test coverage

How should this be manually tested?

# Create test directory structure
mkdir -p test-iac-exclude/{included,excluded,ignored}
echo 'resource "aws_s3_bucket" "included" {}' > test-iac-exclude/included/main.tf
echo 'resource "aws_s3_bucket" "excluded" {}' > test-iac-exclude/excluded/main.tf
echo 'resource "aws_s3_bucket" "ignored" {}' > test-iac-exclude/ignored/main.tf

# Test single directory exclusion
snyk iac test --exclude=excluded test-iac-exclude

# Test multiple exclusions
snyk iac test --exclude=excluded,ignored test-iac-exclude

# Test file exclusion
snyk iac test --exclude=excluded/main.tf test-iac-exclude

# Verify excluded files/directories are not scanned

What's the product update that needs to be communicated to CLI users?

New Feature: Exclude files and directories from IaC scans

Users can now exclude specific files and directories from IaC scans using the --exclude parameter:

# Exclude directories
snyk iac test --exclude=test-dir,ignored-files .

# Exclude specific files
snyk iac test --exclude=config.tf,secrets.tf .

# Multiple patterns
snyk iac test --exclude=test-dir,*.tmp,ignored-files .

This is particularly useful for excluding test files, temporary files, or other non-production IaC files from security scans.

Risk assessment: Low

  • Low risk: This is an additive feature that doesn't change existing behavior
  • Backward compatible: All existing functionality remains unchanged
  • Well tested: Comprehensive unit and integration test coverage
  • No breaking changes: Existing commands continue to work as before

Any background context you want to provide?

This feature was requested to allow users to exclude test files, temporary files, and other non-production IaC files from security scans. The implementation uses proper filesystem semantics to ensure reliable path matching across different operating systems.

What are the relevant tickets?

  • IDE-1462: Add --exclude parameter support for IaC scanning

Files Changed

  • src/cli/commands/test/iac/local-execution/ - Legacy IaC flow implementation
  • src/cli/commands/test/iac/v2/ - New IaC flow implementation
  • src/lib/iac/test/v2/ - IaC v2 types and scanning logic
  • src/cli/main.ts - CLI validation updates
  • test/jest/ - Comprehensive test coverage (316 new lines of tests)

@bastiandoetsch bastiandoetsch requested review from a team as code owners September 19, 2025 06:41
snyk-io bot commented Sep 19, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found.

license/snyk check is complete. No issues have been found.

code/snyk check is complete. No issues have been found.

github-actions bot commented Sep 19, 2025

Warnings
⚠️

Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones.
A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax.
Files found:

  • src/cli/main.ts
  • test/jest/unit/iac/directory-loader.spec.ts
⚠️ There are multiple commits on your branch, please squash them locally before merging!

Generated by 🚫 dangerJS against acc4bb5

@bastiandoetsch bastiandoetsch force-pushed the feat/IDE-1462_allow-iac-excludes branch from d7fa6c9 to 2be5d61 September 22, 2025 08:03
hoerup commented Sep 22, 2025

Please note that the package/dependency bumps also fix
github.com/go-viper/mapstructure/v2 GHSA-2464-8j7c-4cjm
github.com/ulikunitz/xz CVE-2025-58058

@bastiandoetsch bastiandoetsch force-pushed the feat/IDE-1462_allow-iac-excludes branch from ca2bb60 to 11a0fa5 September 25, 2025 07:47
@PeterSchafer

Thank you @bastiandoetsch for the contribution.

Is there any reason why the test description on how to manually test this change is not automated as an acceptance test? This looks pretty straight forward and will help detect regression in the future.

@@ -1,67 +1,67 @@
{
"_meta": {
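Review bot: this hunk rewrites a JSON fixture from its first line with an unchanged line count (`@@ -1,67 +1,67 @@`, opening at `"_meta"`), which reads as a regenerated or reformatted fixture rather than part of the `--exclude` change; please confirm the modification is intentional, and either drop the file from this PR or state in the description why it changed.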
Contributor

Question: Is this change related to the feature?

Contributor Author

I don't know where it comes from.

@@ -1,120 +1,120 @@
{
"_meta": {
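Review bot: `@@ -1,120 +1,120 @@` again replaces a whole `_meta`-headed fixture with identical before/after line counts, so the diff is most likely churn from regenerating test data; if the feature needs no change in this file, revert it so the PR stays reviewable.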
Contributor

Question: Is this change related to the feature?

Contributor Author

I don't know where it comes from.

@@ -1,120 +1,120 @@
{
"_meta": {
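Review bot: same shape as the preceding fixture hunk (`@@ -1,120 +1,120 @@`, opening at `"_meta"`); unless a test under test/jest/unit/iac depends on the new content, this file should be reverted, because an unexplained fixture rewrite makes it hard to separate the feature change from noise.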
Contributor

Question: Is this change related to the feature?

Contributor Author

I don't know where it comes from.

const normalizedFilePath = path.normalize(relativePath);

// Check if the file path is exactly the exclude pattern
if (normalizedFilePath === normalizedExcludePattern) {
Contributor

Question: This seems to implement --exclude different to the existing implementation in test. Is this intentional?

Contributor

The corresponding implementation lives here.

IMHO we need to ensure consistency between our implementations when we have the same arguments being used. Otherwise it can easily get confusing and decrease the UX.

Contributor Author

I'm not familiar with the test implementation, but it is the minimally invasive approach with regards to IaC. I'm pretty sure, the test implementation does filtering based on the .snyk file. Where do you see issues with the current logic?

Contributor

The description of --exclude for test states the following:

Can be used with --all-projects and --yarn-workspaces to indicate directory names and file names to exclude. Must be comma-separated, and cannot include a path.

Example: $ snyk test --all-projects --exclude=dir1,file2

This will exclude any directories and files named dir1 and file2 when scanning for project manifest files such as: ./dir1, ./src/dir1, ./file2, ./src/file2 and so on.

Note: --exclude=dir1 will find both ./dir1, and ./src/dir1.
However, --exclude=./src/dir1 will result in an error because it includes a path.

From the implementation here, it explicitly requires a path while the other doesn't allow it.

Contributor

If you look at the linked code, the comparison is an includes rather than an equals.
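
As an added example (not the snyk CLI's code and not anything posted in this thread), the matcher below models the two `--exclude` semantics discussed here: the path-based matching the PR description outlines (path.normalize, path.relative, a parent directory excluding its children) beside the name-based matching the reviewer quotes from `snyk test`, and it shows why path.relative() is needed instead of a plain prefix check. `parseExcludes`, `isExcludedByPath`, `isExcludedByName`, `filesToScan` and the sample file list are assumptions.

```typescript
import * as path from "path";
// Added example, not the snyk CLI's code: models the two --exclude semantics
// discussed in this PR (path-based for IaC, name-based for `snyk test`).

// Split the comma-separated --exclude value and normalise each entry relative
// to the scan root, so "./ignored/" becomes "ignored".
function parseExcludes(arg: string): string[] {
  return arg.split(",").map((p) => p.trim()).filter((p) => p.length > 0)
    .map((p) => path.normalize(p).replace(/[\\/]+$/, ""));
}

// Path-based: excluded when the path relative to root equals a pattern or lies
// beneath it. path.relative() is used so that "excluded-too/main.tf" is not
// swallowed by the pattern "excluded", as a naive startsWith() would do.
function isExcludedByPath(root: string, file: string, patterns: string[]): boolean {
  const rel = path.normalize(path.relative(root, file));
  return patterns.some((p) => {
    if (rel === p) return true;
    const below = path.relative(p, rel);
    return below !== "" && !below.startsWith("..") && !path.isAbsolute(below);
  });
}

// Name-based: any path segment equal to a pattern excludes the file, so
// "excluded" also hits "src/excluded/main.tf"; a pattern containing a path
// separator is rejected, as the `snyk test --exclude` help text states.
function isExcludedByName(root: string, file: string, patterns: string[]): boolean {
  for (const p of patterns) {
    if (/[\\/]/.test(p)) throw new Error(`--exclude must not include a path: ${p}`);
  }
  const segments = path.relative(root, file).split(/[\\/]/);
  return segments.some((s) => patterns.includes(s));
}

// Constructed sample tree: the PR's manual-test layout plus two edge cases.
const SAMPLE_FILES = [
  "test-iac-exclude/included/main.tf",
  "test-iac-exclude/excluded/main.tf",
  "test-iac-exclude/ignored/main.tf",
  "test-iac-exclude/excluded-too/main.tf", // shares a prefix with "excluded"
  "test-iac-exclude/src/excluded/main.tf", // same directory name, nested deeper
];

// Returns the files that would still be scanned under the chosen semantics.
function filesToScan(root: string, excludeArg: string, byName = false): string[] {
  const patterns = parseExcludes(excludeArg);
  const matcher = byName ? isExcludedByName : isExcludedByPath;
  return SAMPLE_FILES.filter((f) => !matcher(root, f, patterns));
}
```

Both modes in this example compare literally: an entry such as the `*.tmp` from the product-update text would match only a path literally named `*.tmp`, so glob support would have to be added separately.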

@bastiandoetsch
Contributor Author

Thank you @bastiandoetsch for the contribution.

Is there any reason why the test description on how to manually test this change is not automated as an acceptance test? This looks pretty straight forward and will help detect regression in the future.

Added an acceptance test. Will not update this PR more this week, though.
