Add --exclude glob flag to skill scan#17
Open
serval-frenchie wants to merge 1 commit into
Adds a repeatable `--exclude PATTERN` option to `skillspector scan`. Patterns use fnmatch semantics against the path relative to the scan root and are applied during file discovery in build_context, so excluded files are absent from both the components list and any analyzer findings. The motivating case is binary assets (e.g. a marketing-template PDF in `assets/`) whose raw bytes happen to match static regex patterns like `shell=True` or `-rf /`, producing HIGH-severity false positives that block adoption in CI. With this flag, those files can be filtered without moving them out of the skill bundle. Excluded files are logged at DEBUG, surfaced via `--verbose`. Excluding everything is valid; the scan succeeds with no findings.
Summary
- Repeatable `--exclude PATTERN` option to `skillspector scan`
- Applied during file discovery in `build_context`, so excluded files are absent from both the Components table and any analyzer findings
- `fnmatch` semantics against the path relative to the scan root

Problem
SkillSpector's static analyzers read every file with `utf-8 + errors='replace'` and run regex patterns against the result. When a skill bundle ships binary assets (PDFs, images), raw bytes can incidentally match patterns like `shell=True`, `-rf /`, or `--no-verify`, producing HIGH-severity false positives. There is currently no way to suppress these short of moving the file out of the skill folder, which is a non-starter for adoption in CI: every push surfaces a HIGH finding that has to be dismissed manually in the GitHub Security tab.

Solution
- Repeatable `--exclude` option (`List[str]` via Typer), threaded into graph state as `exclude_patterns`
- Filtering applied in `_walk_skill_files`, before `components`, `file_cache`, and `component_metadata` are built — so the rest of the pipeline is unchanged
- Excluded files are logged at DEBUG (surfaced via `--verbose`)

Tests
- `tests/nodes/test_build_context.py`: exclusion filters components/file_cache/metadata, directory glob patterns, no-match leaves the list intact, exclude-everything yields empty state
- `tests/unit/test_cli.py`: end-to-end CLI invocation with a fixture skill containing a PDF whose bytes match TM1 (Tool Parameter Abuse) — asserts the PDF is absent from `components` and produces no `issues`; also covers the repeatable form and the exclude-everything case
- Run via `make test-unit`

Test plan
- `make test-unit` is green
- `make lint` and `make format-check` are clean
- The PDF finding disappears with `--exclude '*.pdf'` and reappears without it
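As an added illustration (not code from this PR or from SkillSpector), a minimal reconstruction of the discovery-time filter the description specifies: `fnmatch` against the root-relative POSIX path, applied before any analyzer reads a file, exercised on a constructed fixture whose binary asset happens to contain the bytes `shell=True`. `walk_skill_files`, `scan`, `PATTERNS` and `make_fixture` are hypothetical stand-ins for the project's `_walk_skill_files` and analyzers.

```python
import fnmatch
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical static patterns, modelled on the ones the PR description names.
PATTERNS = {
    "shell=True": re.compile(r"shell=True"),
    "rm -rf /": re.compile(r"-rf /"),
}


def is_excluded(rel_path: str, exclude_patterns: List[str]) -> bool:
    """fnmatch the scan-root-relative POSIX path against every --exclude pattern.
    fnmatch's '*' also matches '/', so 'assets/*' covers nested files too."""
    return any(fnmatch.fnmatch(rel_path, p) for p in exclude_patterns)


def walk_skill_files(root: Path, exclude_patterns: List[str]) -> List[str]:
    """Discover files under root, dropping excluded ones before any analyzer sees them."""
    found = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_excluded(rel, exclude_patterns):
            continue  # the real tool would log this at DEBUG here
        found.append(rel)
    return sorted(found)


def scan(root: Path, exclude_patterns: List[str]) -> Dict[str, List[str]]:
    """Read each discovered file as utf-8 with errors='replace' and regex-match it,
    mirroring the analyzer behaviour the PR describes. Returns {rel_path: [hits]}."""
    issues: Dict[str, List[str]] = {}
    for rel in walk_skill_files(root, exclude_patterns):
        text = (root / rel).read_bytes().decode("utf-8", errors="replace")
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            issues[rel] = hits
    return issues


def make_fixture() -> Path:
    """Constructed skill bundle: a benign SKILL.md plus a binary asset in assets/
    whose raw bytes contain 'shell=True' (the false-positive case from the PR)."""
    root = Path(tempfile.mkdtemp())
    (root / "SKILL.md").write_text("# demo skill\nRuns safely.\n")
    (root / "assets").mkdir()
    (root / "assets" / "brochure.pdf").write_bytes(b"%PDF-1.4\x00\xff" + b"shell=True" + b"\x89\x00")
    return root
```

Without an exclude the binary asset yields a finding; with `*.pdf` or `assets/*` it never reaches the analyzer, and excluding everything yields an empty scan rather than an error.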