
Commit c0bf190

authored
CM-53929 Add full support of .cycodeignore for repository and commit range scans (cycodehq#351)
1 parent 4e42488 commit c0bf190

13 files changed

Lines changed: 684 additions & 21 deletions


cycode/cli/apps/report/sbom/path/path_command.py

Lines changed: 6 additions & 1 deletion

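--- a/cycode/cli/apps/scan/code_scanner.py
+++ b/cycode/cli/apps/scan/code_scanner.py
@@ -23,7 +23,11 @@
 from cycode.cli.models import CliError, Document, LocalScanResult
 from cycode.cli.utils.progress_bar import ScanProgressBarSection
 from cycode.cli.utils.scan_batch import run_parallel_batched_scan
-from cycode.cli.utils.scan_utils import generate_unique_scan_id, set_issue_detected_by_scan_results
+from cycode.cli.utils.scan_utils import (
+    generate_unique_scan_id,
+    is_cycodeignore_allowed_by_scan_config,
+    set_issue_detected_by_scan_results,
+)
 from cycode.cyclient.models import ZippedFileScanResult
 from cycode.logger import get_logger
 
@@ -42,7 +46,13 @@ def scan_disk_files(ctx: typer.Context, paths: tuple[str, ...]) -> None:
     progress_bar = ctx.obj['progress_bar']
 
     try:
-        documents = get_relevant_documents(progress_bar, ScanProgressBarSection.PREPARE_LOCAL_FILES, scan_type, paths)
+        documents = get_relevant_documents(
+            progress_bar,
+            ScanProgressBarSection.PREPARE_LOCAL_FILES,
+            scan_type,
+            paths,
+            is_cycodeignore_allowed=is_cycodeignore_allowed_by_scan_config(ctx),
+        )
         add_sca_dependencies_tree_documents_if_needed(ctx, scan_type, documents)
         scan_documents(ctx, documents, get_scan_parameters(ctx, paths))
     except Exception as e: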
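Review bot: The new `is_cycodeignore_allowed=` keyword on `get_relevant_documents` turns honouring a repository-controlled ignore file into a server-side policy decision, but the default of that parameter is not visible on this page; if it defaults to `True`, any caller that does not pass it (the SBOM path command touched by this same commit, for instance) would honour `.cycodeignore` regardless of what the organisation's scan configuration says. The safe default for a parameter that lets the scanned repository hide files from the scanner is `False`, with the policy lookup being the only thing that can turn it on. This is also the one call site in the commit where the gate is pushed into the collector rather than applied as a separate `filter_documents_with_cycodeignore` step after `excluder.exclude_irrelevant_documents_to_scan`, as every other scanner does; a short comment would help the next reader, e.g. `# .cycodeignore is only honoured when the remote scan config permits it (policy, not user choice)`. The body of `scan_disk_files` continues past the end of the hunk.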

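--- a/cycode/cli/apps/scan/commit_range_scanner.py
+++ b/cycode/cli/apps/scan/commit_range_scanner.py
@@ -29,6 +29,7 @@
     parse_commit_range_sast,
     parse_commit_range_sca,
 )
+from cycode.cli.files_collector.documents_walk_ignore import filter_documents_with_cycodeignore
 from cycode.cli.files_collector.file_excluder import excluder
 from cycode.cli.files_collector.models.in_memory_zip import InMemoryZip
 from cycode.cli.files_collector.sca.sca_file_collector import (
@@ -40,7 +41,11 @@
 from cycode.cli.utils.git_proxy import git_proxy
 from cycode.cli.utils.path_utils import get_path_by_os
 from cycode.cli.utils.progress_bar import ScanProgressBarSection
-from cycode.cli.utils.scan_utils import generate_unique_scan_id, set_issue_detected_by_scan_results
+from cycode.cli.utils.scan_utils import (
+    generate_unique_scan_id,
+    is_cycodeignore_allowed_by_scan_config,
+    set_issue_detected_by_scan_results,
+)
 from cycode.cyclient.models import ZippedFileScanResult
 from cycode.logger import get_logger
 
@@ -189,6 +194,12 @@ def _scan_sca_commit_range(ctx: typer.Context, repo_path: str, commit_range: str
     from_commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, from_commit_documents)
     to_commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, to_commit_documents)
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    from_commit_documents = filter_documents_with_cycodeignore(
+        from_commit_documents, repo_path, is_cycodeignore_allowed
+    )
+    to_commit_documents = filter_documents_with_cycodeignore(to_commit_documents, repo_path, is_cycodeignore_allowed)
+
     perform_sca_pre_commit_range_scan_actions(
         repo_path, from_commit_documents, from_commit_rev, to_commit_documents, to_commit_rev
     )
@@ -204,6 +215,11 @@ def _scan_secret_commit_range(
         consts.SECRET_SCAN_TYPE, commit_diff_documents_to_scan
     )
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    diff_documents_to_scan = filter_documents_with_cycodeignore(
+        diff_documents_to_scan, repo_path, is_cycodeignore_allowed
+    )
+
     scan_documents(
         ctx, diff_documents_to_scan, get_scan_parameters(ctx, (repo_path,)), is_git_diff=True, is_commit_range=True
     )
@@ -221,9 +237,14 @@ def _scan_sast_commit_range(ctx: typer.Context, repo_path: str, commit_range: st
         to_commit_rev,
         reverse_diff=False,
     )
+
     commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, commit_documents)
     diff_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, diff_documents)
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    commit_documents = filter_documents_with_cycodeignore(commit_documents, repo_path, is_cycodeignore_allowed)
+    diff_documents = filter_documents_with_cycodeignore(diff_documents, repo_path, is_cycodeignore_allowed)
+
     _scan_commit_range_documents(ctx, commit_documents, diff_documents, scan_parameters=scan_parameters)
 
 
@@ -254,11 +275,18 @@ def _scan_sca_pre_commit(ctx: typer.Context, repo_path: str) -> None:
         progress_bar_section=ScanProgressBarSection.PREPARE_LOCAL_FILES,
         repo_path=repo_path,
     )
+
     git_head_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, git_head_documents)
     pre_committed_documents = excluder.exclude_irrelevant_documents_to_scan(
         consts.SCA_SCAN_TYPE, pre_committed_documents
     )
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    git_head_documents = filter_documents_with_cycodeignore(git_head_documents, repo_path, is_cycodeignore_allowed)
+    pre_committed_documents = filter_documents_with_cycodeignore(
+        pre_committed_documents, repo_path, is_cycodeignore_allowed
+    )
+
     perform_sca_pre_hook_range_scan_actions(repo_path, git_head_documents, pre_committed_documents)
 
     _scan_commit_range_documents(
@@ -288,8 +316,12 @@ def _scan_secret_pre_commit(ctx: typer.Context, repo_path: str) -> None:
             is_git_diff_format=True,
         )
     )
+
     documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(consts.SECRET_SCAN_TYPE, documents_to_scan)
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    documents_to_scan = filter_documents_with_cycodeignore(documents_to_scan, repo_path, is_cycodeignore_allowed)
+
     scan_documents(ctx, documents_to_scan, get_scan_parameters(ctx), is_git_diff=True)
 
 
@@ -301,11 +333,18 @@ def _scan_sast_pre_commit(ctx: typer.Context, repo_path: str, **_) -> None:
         progress_bar_section=ScanProgressBarSection.PREPARE_LOCAL_FILES,
         repo_path=repo_path,
     )
+
     pre_committed_documents = excluder.exclude_irrelevant_documents_to_scan(
         consts.SAST_SCAN_TYPE, pre_committed_documents
     )
     diff_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, diff_documents)
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    pre_committed_documents = filter_documents_with_cycodeignore(
+        pre_committed_documents, repo_path, is_cycodeignore_allowed
+    )
+    diff_documents = filter_documents_with_cycodeignore(diff_documents, repo_path, is_cycodeignore_allowed)
+
     _scan_commit_range_documents(ctx, pre_committed_documents, diff_documents, scan_parameters=scan_parameters)
 
 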
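--- a/cycode/cli/apps/scan/repository/repository_command.py
+++ b/cycode/cli/apps/scan/repository/repository_command.py
@@ -8,13 +8,15 @@
 from cycode.cli.apps.scan.code_scanner import scan_documents
 from cycode.cli.apps.scan.scan_parameters import get_scan_parameters
 from cycode.cli.exceptions.handle_scan_errors import handle_scan_exception
+from cycode.cli.files_collector.documents_walk_ignore import filter_documents_with_cycodeignore
 from cycode.cli.files_collector.file_excluder import excluder
 from cycode.cli.files_collector.repository_documents import get_git_repository_tree_file_entries
 from cycode.cli.files_collector.sca.sca_file_collector import add_sca_dependencies_tree_documents_if_needed
 from cycode.cli.logger import logger
 from cycode.cli.models import Document
 from cycode.cli.utils.path_utils import get_path_by_os
 from cycode.cli.utils.progress_bar import ScanProgressBarSection
+from cycode.cli.utils.scan_utils import is_cycodeignore_allowed_by_scan_config
 from cycode.cli.utils.sentry import add_breadcrumb
 
 
@@ -60,6 +62,9 @@ def repository_command(
 
     documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(scan_type, documents_to_scan)
 
+    is_cycodeignore_allowed = is_cycodeignore_allowed_by_scan_config(ctx)
+    documents_to_scan = filter_documents_with_cycodeignore(documents_to_scan, str(path), is_cycodeignore_allowed)
+
     add_sca_dependencies_tree_documents_if_needed(ctx, scan_type, documents_to_scan)
 
     logger.debug('Found all relevant files for scanning %s', {'path': path, 'branch': branch})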

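--- a/cycode/cli/apps/scan/scan_command.py
+++ b/cycode/cli/apps/scan/scan_command.py
@@ -1,9 +1,11 @@
+import os
 from pathlib import Path
 from typing import Annotated, Optional
 
 import click
 import typer
 
+from cycode.cli.apps.scan.remote_url_resolver import _try_get_git_remote_url
 from cycode.cli.cli_types import ExportTypeOption, ScanTypeOption, ScaScanTypeOption, SeverityOption
 from cycode.cli.consts import (
     ISSUE_DETECTED_STATUS_CODE,
@@ -161,10 +163,15 @@ def scan_command(
     scan_client = get_scan_cycode_client(ctx)
     ctx.obj['client'] = scan_client
 
-    remote_scan_config = scan_client.get_scan_configuration_safe(scan_type)
+    # Get remote URL from current working directory
+    remote_url = _try_get_git_remote_url(os.getcwd())
+
+    remote_scan_config = scan_client.get_scan_configuration_safe(scan_type, remote_url)
     if remote_scan_config:
         excluder.apply_scan_config(str(scan_type), remote_scan_config)
 
+    ctx.obj['scan_config'] = remote_scan_config
+
     if export_type and export_file:
         console_printer = ctx.obj['console_printer']
         console_printer.enable_recording(export_type, export_file)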

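--- a/cycode/cli/consts.py
+++ b/cycode/cli/consts.py
@@ -17,6 +17,8 @@
 IAC_SCAN_SUPPORTED_FILE_EXTENSIONS = ('.tf', '.tf.json', '.json', '.yaml', '.yml', '.dockerfile', '.containerfile')
 IAC_SCAN_SUPPORTED_FILE_PREFIXES = ('dockerfile', 'containerfile')
 
+CYCODEIGNORE_FILENAME = '.cycodeignore'
+
 SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.DS_Store',
     '.bmp',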
Lines changed: 124 additions & 0 deletions
