Description:
Currently, the default exclusion patterns used to skip JAS scanning are as follows:
--exclusions [Default: .git;node_modules;target;venv;test;dist]
These patterns are applied globally across scans, including JFrog Advanced Security (JAS) scans, which means they exclude both matching subdirectories and matching items in the root directory.
Request:
Introduce an option (or modify the default behavior) so that exclusions apply only to subdirectories and not to the root directory. This would allow root-level files or directories that match the exclusion patterns to still be scanned (e.g., by JAS), while avoiding unnecessary scanning of these same directories when they appear deeper in the project structure.
Customer mentioned the following:
The current “expected” behavior is less than ideal. Users have to create extensive documentation warnings to alert engineers about this limitation and instruct them to override the default configuration in every project. This adds friction, increases the risk of misconfiguration, and requires ongoing vigilance to ensure compliance, particularly when ensuring JAS scans run on critical root-level artifacts.
Proposed Solution:
Add a flag to limit exclusions to subdirectories only, applicable across all scan types including JAS.
Alternatively, provide separate patterns for root-level exclusions and subdirectory exclusions, with explicit JAS configuration options.
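As an added illustration (not code from JFrog CLI or this issue), the Go snippet below models the two semantics side by side: the current global matching, where a pattern hit at any depth (root included) excludes a path, and the requested subdirectory-only matching, where the root-level entry is never matched. The function names and the sample tree are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// The default patterns quoted in the issue, as the CLI's semicolon-separated flag value.
var defaultExclusions = strings.Split(".git;node_modules;target;venv;test;dist", ";")

// Excluded reports whether a forward-slash, project-relative path is skipped.
// subdirsOnly=false is the current global behaviour: a match at any depth, root
// included, excludes the path. subdirsOnly=true is the requested behaviour: segment 0
// (the root-level entry) is never matched, so a root "dist" or "test" is still scanned
// while nested copies of those names stay excluded.
func Excluded(relPath string, patterns []string, subdirsOnly bool) bool {
	for i, seg := range strings.Split(strings.Trim(relPath, "/"), "/") {
		if subdirsOnly && i == 0 {
			continue
		}
		for _, p := range patterns {
			if seg == p {
				return true
			}
		}
	}
	return false
}

// Scanned returns the paths that would still reach the scanner.
func Scanned(paths, patterns []string, subdirsOnly bool) []string {
	var kept []string
	for _, path := range paths {
		if !Excluded(path, patterns, subdirsOnly) {
			kept = append(kept, path)
		}
	}
	return kept
}

func main() {
	// Constructed sample tree, not taken from the issue.
	paths := []string{"dist/app.jar", "test/fixtures/config.env", "src/main.go",
		"src/test/helper.go", "packages/web/node_modules/lodash/index.js"}
	fmt.Println("current (global):", Scanned(paths, defaultExclusions, false))
	fmt.Println("requested (subdirectories only):", Scanned(paths, defaultExclusions, true))
}
```

Under the current semantics only src/main.go survives; under the requested semantics the root-level dist/ and test/ contents are scanned again while src/test and the nested node_modules remain excluded.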
Affects CLI version 2.78.2