feat: exclude test files by default across all languages

- Test files are now excluded from scans by default
- Add --include-tests flag to opt-in to scanning test files
- Deprecate --skip-tests (tests excluded by default now)
- Unify test patterns: security command now uses same 70+ patterns as scan
- Patterns cover: JS/TS, Python, Go, Rust, Java, Kotlin test conventions

BREAKING CHANGE: Tests are now excluded by default. Use --include-tests to scan them.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: bumahkib7

CHANGELOG.md

@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+### Changed
+- **Test Files Excluded by Default**: Tests are now excluded from scans by default across all languages
+  - Use `--include-tests` to opt-in to scanning test files
+  - Unified test pattern detection: 70+ patterns for JS/TS, Python, Go, Rust, Java, Kotlin
+  - `--skip-tests` flag deprecated (tests excluded by default)
+  - `security` command now uses same comprehensive patterns as `scan` command
+
 ## [0.15.1] - 2026-02-02
 
 ### Fixed

crates/cli/src/commands/scan.rs

@@ -55,10 +55,12 @@ pub struct ScanArgs {
     pub diff_base: String,
     /// Read unified diff from stdin instead of running git diff
     pub diff_stdin: bool,
-    /// Skip test files and directories (security rules still apply)
-    pub skip_tests: bool,
+    /// Include test files in analysis (tests excluded by default)
+    pub include_tests: bool,
     /// Skip ALL findings in tests including security rules
     pub skip_tests_all: bool,
+    /// [DEPRECATED] Tests are now excluded by default
+    pub skip_tests: bool,
     /// Maximum findings to display
     pub limit: usize,
     /// Show all findings without limit
@@ -464,14 +466,14 @@ fn apply_mode_defaults(args: &ScanArgs) -> EffectiveScanSettings {
         }
         Some(ScanMode::Local) | None => {
             // Local mode: use all explicit settings
-            // --skip-tests or --skip-tests-all enables default test/example suppressions
+            // Tests are excluded by default; use --include-tests to scan them
             EffectiveScanSettings {
                 format: args.format,
                 severity: args.severity,
                 changed_only: args.changed_only,
                 baseline_mode: args.baseline_mode,
                 timing: args.timing,
-                use_default_presets: args.skip_tests || args.skip_tests_all,
+                use_default_presets: !args.include_tests,
                 skip_security_in_tests: args.skip_tests_all,
                 include_suppressed: args.include_suppressed,
                 diff: args.diff,
@@ -1557,6 +1559,7 @@ mod tests {
             diff: false,
             diff_base: "origin/main".to_string(),
             diff_stdin: false,
+            include_tests: false,
             skip_tests: false,
             skip_tests_all: false,
             limit: 20,
@@ -1603,7 +1606,20 @@ mod tests {
         assert!(effective.changed_only);
         assert!(effective.baseline_mode);
         assert!(effective.timing);
-        assert!(!effective.use_default_presets); // Local mode doesn't use presets
+        assert!(effective.use_default_presets); // Tests excluded by default
+    }
+
+    #[test]
+    fn test_include_tests_disables_presets() {
+        let args = ScanArgs {
+            mode: Some(ScanMode::Local),
+            include_tests: true, // Opt-in to scan test files
+            ..create_test_args()
+        };
+
+        let effective = apply_mode_defaults(&args);
+
+        assert!(!effective.use_default_presets); // Tests included when flag is set
     }
 
     #[test]

crates/cli/src/commands/security.rs

@@ -12,28 +12,16 @@
 use anyhow::Result;
 use colored::Colorize;
 use rma_analyzer::providers::{AnalysisProvider, OsvProvider, RustSecProvider};
-use rma_common::{Finding, OsvEcosystem, OsvProviderConfig, RmaConfig, Severity};
+use rma_common::{
+    Finding, OsvEcosystem, OsvProviderConfig, RmaConfig, Severity,
+    DEFAULT_EXAMPLE_IGNORE_PATHS, DEFAULT_TEST_IGNORE_PATHS,
+};
 use rma_parser::ParserEngine;
 use serde::{Deserialize, Serialize};
 use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
 use std::fs;
 use std::path::{Path, PathBuf};
 
-/// Default patterns to exclude from code security scanning (test fixtures)
-pub const DEFAULT_SECURITY_EXCLUDES: &[&str] = &[
-    "**/tests/**",
-    "**/test/**",
-    "**/fixtures/**",
-    "**/__tests__/**",
-    "**/*.test.*",
-    "**/*.spec.*",
-    "**/testdata/**",
-    "**/test_*",
-    "**/*_test.rs",
-    "**/*_test.go",
-    "**/*_test.py",
-];
-
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
 pub enum FailSeverity {
     None,
@@ -1270,7 +1258,11 @@ fn scan_code_security(args: &SecurityArgs, report: &mut SecurityReport) -> Resul
 
     for parsed in &parsed_files {
         // Check if file should be excluded (default excludes for tests/fixtures)
-        if !args.include_tests && matches_exclude_pattern(&parsed.path, DEFAULT_SECURITY_EXCLUDES) {
+        // Use the same comprehensive patterns as the scan command
+        if !args.include_tests
+            && (matches_exclude_pattern(&parsed.path, DEFAULT_TEST_IGNORE_PATHS)
+                || matches_exclude_pattern(&parsed.path, DEFAULT_EXAMPLE_IGNORE_PATHS))
+        {
             files_excluded += 1;
             continue;
         }
@@ -2008,35 +2000,39 @@ mod tests {
 
     #[test]
     fn test_matches_exclude_pattern() {
+        // Test patterns should match test directories
         assert!(matches_exclude_pattern(
             Path::new("/project/src/tests/test_foo.rs"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_TEST_IGNORE_PATHS
         ));
 
+        // Example patterns should match fixtures
         assert!(matches_exclude_pattern(
             Path::new("/project/fixtures/secrets.json"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_EXAMPLE_IGNORE_PATHS
         ));
 
+        // Test patterns should match *.test.ts files
         assert!(matches_exclude_pattern(
             Path::new("/project/src/foo.test.ts"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_TEST_IGNORE_PATHS
         ));
 
+        // Test patterns should match __tests__ directories
         assert!(matches_exclude_pattern(
             Path::new("/project/__tests__/auth.spec.js"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_TEST_IGNORE_PATHS
         ));
 
         // Should NOT match regular source files
         assert!(!matches_exclude_pattern(
             Path::new("/project/src/auth/login.rs"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_TEST_IGNORE_PATHS
         ));
 
         assert!(!matches_exclude_pattern(
             Path::new("/project/lib/security.py"),
-            DEFAULT_SECURITY_EXCLUDES
+            DEFAULT_TEST_IGNORE_PATHS
         ));
     }
 

crates/cli/src/main.rs

@@ -181,16 +181,20 @@ pub enum Commands {
         #[arg(long, requires = "diff")]
         diff_stdin: bool,
 
-        /// Skip test files and test directories (security rules still apply)
-        /// Automatically excludes common test patterns: *_test.go, *.test.ts, test_*.py, src/test/**, etc.
+        /// Include test files in analysis (tests are excluded by default)
+        /// Use this flag to scan test files: *_test.go, *.test.ts, test_*.py, src/test/**, etc.
         #[arg(long)]
-        skip_tests: bool,
+        include_tests: bool,
 
         /// Skip ALL findings in test files including security rules
-        /// Use with caution - security vulnerabilities in tests can still be exploited
+        /// By default, tests are excluded but security rules still apply if tests are included
         #[arg(long)]
         skip_tests_all: bool,
 
+        /// [DEPRECATED] Tests are now excluded by default. Use --include-tests to scan them.
+        #[arg(long, hide = true)]
+        skip_tests: bool,
+
         /// Maximum findings to display (default: 20, use --all for unlimited)
         #[arg(long, default_value = "20")]
         limit: usize,
@@ -929,6 +933,7 @@ fn main() -> Result<()> {
             diff,
             diff_base,
             diff_stdin,
+            include_tests,
             skip_tests,
             skip_tests_all,
             limit,
@@ -981,6 +986,7 @@ fn main() -> Result<()> {
             diff,
             diff_base,
             diff_stdin,
+            include_tests,
             skip_tests,
             skip_tests_all,
             limit,