trufflesecurity · tannerjones4075 · Apr 15, 2025 · Apr 17, 2025 · Apr 24, 2025 · Apr 24, 2025
@@ -178,9 +178,10 @@ var (
 	circleCiScan      = cli.Command("circleci", "Scan CircleCI")
 	circleCiScanToken = circleCiScan.Flag("token", "CircleCI token. Can also be provided with environment variable").Envar("CIRCLECI_TOKEN").Required().String()
 
-	dockerScan       = cli.Command("docker", "Scan Docker Image")
-	dockerScanImages = dockerScan.Flag("image", "Docker image to scan. Use the file:// prefix to point to a local tarball, otherwise a image registry is assumed.").Required().Strings()
-	dockerScanToken  = dockerScan.Flag("token", "Docker bearer token. Can also be provided with environment variable").Envar("DOCKER_TOKEN").String()
+	dockerScan         = cli.Command("docker", "Scan Docker Image")
+	dockerScanImages   = dockerScan.Flag("image", "Docker image to scan. Use the file:// prefix to point to a local tarball, otherwise a image registry is assumed.").Required().Strings()
+	dockerScanToken    = dockerScan.Flag("token", "Docker bearer token. Can also be provided with environment variable").Envar("DOCKER_TOKEN").String()
+	dockerExcludePaths = dockerScan.Flag("exclude-paths", "Comma separated list of paths to exclude from scan").String()
 
 	travisCiScan      = cli.Command("travisci", "Scan TravisCI")
 	travisCiScanToken = travisCiScan.Flag("token", "TravisCI token. Can also be provided with environment variable").Envar("TRAVISCI_TOKEN").Required().String()
@@ -835,6 +836,7 @@ func runSingleScan(ctx context.Context, cmd string, cfg engine.Config) (metrics,
 			BearerToken:       *dockerScanToken,
 			Images:            *dockerScanImages,
 			UseDockerKeychain: *dockerScanToken == "",
+			ExcludePaths:      strings.Split(*dockerExcludePaths, ","),
 		}
 		if ref, err = eng.ScanDocker(ctx, cfg); err != nil {
 			return scanMetrics, fmt.Errorf("failed to scan Docker: %v", err)

@@ -14,7 +14,10 @@ import (
 
 // ScanDocker scans a given docker connection.
 func (e *Engine) ScanDocker(ctx context.Context, c sources.DockerConfig) (sources.JobProgressRef, error) {
-	connection := &sourcespb.Docker{Images: c.Images}
+	connection := &sourcespb.Docker{
+		Images:       c.Images,
+		ExcludePaths: c.ExcludePaths,
+	}
 
 	switch {
 	case c.UseDockerKeychain:

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"
 
@@ -30,12 +31,14 @@ import (
 const SourceType = sourcespb.SourceType_SOURCE_TYPE_DOCKER
 
 type Source struct {
-	name        string
-	sourceId    sources.SourceID
-	jobId       sources.JobID
-	verify      bool
-	concurrency int
-	conn        sourcespb.Docker
+	name           string
+	sourceId       sources.SourceID
+	jobId          sources.JobID
+	verify         bool
+	concurrency    int
+	conn           sourcespb.Docker
+	excludePaths   []string
+	excludeRegexes []*regexp.Regexp
 	sources.Progress
 	sources.CommonSourceUnitUnmarshaller
 }
@@ -74,6 +77,22 @@ func (s *Source) Init(_ context.Context, name string, jobId sources.JobID, sourc
 		return fmt.Errorf("error unmarshalling connection: %w", err)
 	}
 
+	// Extract exclude paths from connection and compile regexes
+	if paths := s.conn.GetExcludePaths(); len(paths) > 0 {
+		s.excludePaths = paths
+		s.excludeRegexes = make([]*regexp.Regexp, len(paths))
+		for i, path := range paths {
+			// Convert wildcard pattern to regex
+			pattern := strings.ReplaceAll(path, "*", ".*")
+			pattern = "^" + pattern + "$"
+			regex, err := regexp.Compile(pattern)
+			if err != nil {
+				return fmt.Errorf("error compiling exclude path regex for %q: %w", path, err)
+			}
+			s.excludeRegexes[i] = regex
+		}
+	}
+
 	return nil
 }
 
@@ -349,6 +368,22 @@ func (s *Source) processChunk(ctx context.Context, info chunkProcessingInfo, chu
 		return nil
 	}
 
+	// Check if the file should be excluded
+	filePath := "/" + info.name
+	ctx.Logger().V(2).Info("checking file against exclude paths", "file", filePath, "exclude_paths", s.excludePaths)
+	for i, excludePath := range s.excludePaths {
+		// Check for exact path match first (no regex needed)
+		if filePath == excludePath {
+			ctx.Logger().V(2).Info("skipping file: matches exclude path exactly", "file", filePath, "exclude_path", excludePath)
+			return nil
+		}
+		// Then check against pre-compiled regex
+		if s.excludeRegexes[i].MatchString(filePath) {
+			ctx.Logger().V(2).Info("skipping file: matches exclude pattern", "file", filePath, "exclude_path", excludePath)
+			return nil
+		}
+	}
+
 	chunkReader := sources.NewChunkReader()
 	chunkResChan := chunkReader(ctx, info.reader)
 

@@ -1,6 +1,7 @@
 package docker
 
 import (
+	"regexp"
 	"strings"
 	"sync"
 	"testing"
@@ -166,3 +167,216 @@ func isHistoryChunk(t *testing.T, chunk *sources.Chunk) bool {
 	return metadata != nil &&
 		strings.HasPrefix(metadata.File, "image-metadata:history:")
 }
+
+func TestDockerExcludeExactPath(t *testing.T) {
+	dockerConn := &sourcespb.Docker{
+		Credential: &sourcespb.Docker_Unauthenticated{
+			Unauthenticated: &credentialspb.Unauthenticated{},
+		},
+		Images:       []string{"test-image"},
+		ExcludePaths: []string{"/var/log/test"},
+	}
+
+	conn := &anypb.Any{}
+	err := conn.MarshalFrom(dockerConn)
+	assert.NoError(t, err)
+
+	s := &Source{}
+	err = s.Init(context.TODO(), "test source", 0, 0, false, conn, 1)
+	assert.NoError(t, err)
+
+	// Create test data
+	testFiles := []struct {
+		path     string
+		excluded bool
+	}{
+		{"/var/log/test", true},      // Should be excluded (exact match)
+		{"/var/log/test2", false},    // Should not be excluded (different path)
+		{"/var/log/test/sub", false}, // Should not be excluded (subdirectory)
+		{"/var/log/other", false},    // Should not be excluded (different path)
+	}
+
+	for _, tf := range testFiles {
+		excluded := false
+		for _, excludePath := range s.excludePaths {
+			if tf.path == excludePath {
+				excluded = true
+				break
+			}
+		}
+		assert.Equal(t, tf.excluded, excluded, "Unexpected exclusion result for path: %s", tf.path)
+	}
+}
+
+func TestDockerExcludeWildcardPath(t *testing.T) {
+	dockerConn := &sourcespb.Docker{
+		Credential: &sourcespb.Docker_Unauthenticated{
+			Unauthenticated: &credentialspb.Unauthenticated{},
+		},
+		Images:       []string{"test-image"},
+		ExcludePaths: []string{"/var/log/test/*"},
+	}
+
+	conn := &anypb.Any{}
+	err := conn.MarshalFrom(dockerConn)
+	assert.NoError(t, err)
+
+	s := &Source{}
+	err = s.Init(context.TODO(), "test source", 0, 0, false, conn, 1)
+	assert.NoError(t, err)
+
+	// Create test data
+	testFiles := []struct {
+		path     string
+		excluded bool
+	}{
+		{"/var/log/test/file1", true},     // Should be excluded (direct child)
+		{"/var/log/test/sub/file2", true}, // Should be excluded (nested child)
+		{"/var/log/test", false},          // Should not be excluded (parent dir)
+		{"/var/log/test2/file", false},    // Should not be excluded (different dir)
+		{"/var/log/other/file", false},    // Should not be excluded (unrelated)
+	}
+
+	for _, tf := range testFiles {
+		excluded := false
+		for _, excludePath := range s.excludePaths {
+			// Convert wildcard pattern to regex
+			pattern := strings.ReplaceAll(excludePath, "*", ".*")
+			pattern = "^" + pattern + "$"
+			isMatch, err := regexp.MatchString(pattern, tf.path)
+			assert.NoError(t, err)
+			if isMatch {
+				excluded = true
+				break
+			}
+		}
+		assert.Equal(t, tf.excluded, excluded, "Unexpected exclusion result for path: %s", tf.path)
+	}
+}
+
+func TestShouldExclude(t *testing.T) {
+	tests := []struct {
+		name         string
+		excludePaths []string
+		testPath     string
+		want         bool
+	}{
+		{
+			name:         "exact match should exclude",
+			excludePaths: []string{"/var/log/test"},
+			testPath:     "/var/log/test",
+			want:         true,
+		},
+		{
+			name:         "non-matching path should not exclude",
+			excludePaths: []string{"/var/log/test"},
+			testPath:     "/var/log/other",
+			want:         false,
+		},
+		{
+			name:         "wildcard should match children",
+			excludePaths: []string{"/var/log/*"},
+			testPath:     "/var/log/test",
+			want:         true,
+		},
+		{
+			name:         "wildcard should not match parent",
+			excludePaths: []string{"/var/log/*/deep"},
+			testPath:     "/var/log",
+			want:         false,
+		},
+		{
+			name:         "multiple patterns should work",
+			excludePaths: []string{"/var/log/*", "/etc/nginx/*", "/tmp/test"},
+			testPath:     "/etc/nginx/conf.d/default.conf",
+			want:         true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			dockerConn := &sourcespb.Docker{
+				Credential: &sourcespb.Docker_Unauthenticated{
+					Unauthenticated: &credentialspb.Unauthenticated{},
+				},
+				ExcludePaths: tt.excludePaths,
+			}
+
+			conn := &anypb.Any{}
+			err := conn.MarshalFrom(dockerConn)
+			assert.NoError(t, err)
+
+			s := &Source{}
+			err = s.Init(context.TODO(), "test", 0, 0, false, conn, 1)
+			assert.NoError(t, err)
+
+			// Test if the path should be excluded
+			excluded := false
+			for _, path := range tt.excludePaths {
+				if tt.testPath == path {
+					excluded = true
+					break
+				}
+				// Convert wildcard pattern to regex
+				pattern := strings.ReplaceAll(path, "*", ".*")
+				pattern = "^" + pattern + "$"
+				isMatch, err := regexp.MatchString(pattern, tt.testPath)
+				assert.NoError(t, err)
+				if isMatch {
+					excluded = true
+					break
+				}
+			}
+			assert.Equal(t, tt.want, excluded)
+		})
+	}
+}
+
+func TestDockerScanWithExclusions(t *testing.T) {
+	dockerConn := &sourcespb.Docker{
+		Credential: &sourcespb.Docker_Unauthenticated{
+			Unauthenticated: &credentialspb.Unauthenticated{},
+		},
+		Images:       []string{"trufflesecurity/secrets@sha256:864f6d41209462d8e37fc302ba1532656e265f7c361f11e29fed6ca1f4208e11"},
+		ExcludePaths: []string{"/aws"}, // This path exists in the test image
+	}
+
+	conn := &anypb.Any{}
+	err := conn.MarshalFrom(dockerConn)
+	assert.NoError(t, err)
+
+	s := &Source{}
+	err = s.Init(context.TODO(), "test source", 0, 0, false, conn, 1)
+	assert.NoError(t, err)
+
+	var wg sync.WaitGroup
+	chunksChan := make(chan *sources.Chunk, 1)
+	foundExcludedPath := false
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for chunk := range chunksChan {
+			// Skip history chunks
+			if isHistoryChunk(t, chunk) {
+				continue
+			}
+
+			metadata := chunk.SourceMetadata.GetDocker()
+			assert.NotNil(t, metadata)
+
+			// Check if we found a chunk with the excluded path
+			if metadata.File == "/aws" {
+				foundExcludedPath = true
+			}
+		}
+	}()
+
+	err = s.Chunks(context.TODO(), chunksChan)
+	assert.NoError(t, err)
+
+	close(chunksChan)
+	wg.Wait()
+
+	assert.False(t, foundExcludedPath, "Found a chunk that should have been excluded")
+}
@@ -175,6 +175,8 @@ type DockerConfig struct {
 	BearerToken string
 	// UseDockerKeychain determines whether to use the Docker keychain.
 	UseDockerKeychain bool
+	// ExcludePaths is a list of paths to exclude from scanning.
+	ExcludePaths []string
 }
 
 // GCSConfig defines the optional configuration for a GCS source.

@@ -157,6 +157,7 @@ message Docker {
     bool docker_keychain = 4;
   }
   repeated string images = 5;
+  repeated string exclude_paths = 6;
 }
 
 message ECR {