CM-53929 - implement .cycodeignore files filtering for repo and commit range scans

DmytroLynda · DmytroLynda · commit c4c7fe4c1a4f · 2025-10-07T14:43:28.000+02:00
diff --git a/cycode/cli/apps/scan/commit_range_scanner.py b/cycode/cli/apps/scan/commit_range_scanner.py
@@ -31,6 +31,7 @@
 )
 from cycode.cli.files_collector.file_excluder import excluder
 from cycode.cli.files_collector.models.in_memory_zip import InMemoryZip
+from cycode.cli.files_collector.documents_walk_ignore import filter_documents_with_cycodeignore
 from cycode.cli.files_collector.sca.sca_file_collector import (
     perform_sca_pre_commit_range_scan_actions,
     perform_sca_pre_hook_range_scan_actions,
@@ -188,6 +189,9 @@ def _scan_sca_commit_range(ctx: typer.Context, repo_path: str, commit_range: str
     )
     from_commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, from_commit_documents)
     to_commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, to_commit_documents)
+    
+    from_commit_documents = filter_documents_with_cycodeignore(from_commit_documents, repo_path)
+    to_commit_documents = filter_documents_with_cycodeignore(to_commit_documents, repo_path)
 
     perform_sca_pre_commit_range_scan_actions(
         repo_path, from_commit_documents, from_commit_rev, to_commit_documents, to_commit_rev
@@ -203,6 +207,8 @@ def _scan_secret_commit_range(
     diff_documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(
         consts.SECRET_SCAN_TYPE, commit_diff_documents_to_scan
     )
+    
+    diff_documents_to_scan = filter_documents_with_cycodeignore(diff_documents_to_scan, repo_path)
 
     scan_documents(
         ctx, diff_documents_to_scan, get_scan_parameters(ctx, (repo_path,)), is_git_diff=True, is_commit_range=True
@@ -221,8 +227,12 @@ def _scan_sast_commit_range(ctx: typer.Context, repo_path: str, commit_range: st
         to_commit_rev,
         reverse_diff=False,
     )
+    
     commit_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, commit_documents)
     diff_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, diff_documents)
+    
+    commit_documents = filter_documents_with_cycodeignore(commit_documents, repo_path)
+    diff_documents = filter_documents_with_cycodeignore(diff_documents, repo_path)
 
     _scan_commit_range_documents(ctx, commit_documents, diff_documents, scan_parameters=scan_parameters)
 
@@ -254,10 +264,14 @@ def _scan_sca_pre_commit(ctx: typer.Context, repo_path: str) -> None:
         progress_bar_section=ScanProgressBarSection.PREPARE_LOCAL_FILES,
         repo_path=repo_path,
     )
+    
     git_head_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SCA_SCAN_TYPE, git_head_documents)
     pre_committed_documents = excluder.exclude_irrelevant_documents_to_scan(
         consts.SCA_SCAN_TYPE, pre_committed_documents
     )
+    
+    git_head_documents = filter_documents_with_cycodeignore(git_head_documents, repo_path)
+    pre_committed_documents = filter_documents_with_cycodeignore(pre_committed_documents, repo_path)
 
     perform_sca_pre_hook_range_scan_actions(repo_path, git_head_documents, pre_committed_documents)
 
@@ -288,7 +302,10 @@ def _scan_secret_pre_commit(ctx: typer.Context, repo_path: str) -> None:
                 is_git_diff_format=True,
             )
         )
+
     documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(consts.SECRET_SCAN_TYPE, documents_to_scan)
+    
+    documents_to_scan = filter_documents_with_cycodeignore(documents_to_scan, repo_path)
 
     scan_documents(ctx, documents_to_scan, get_scan_parameters(ctx), is_git_diff=True)
 
@@ -301,10 +318,14 @@ def _scan_sast_pre_commit(ctx: typer.Context, repo_path: str, **_) -> None:
         progress_bar_section=ScanProgressBarSection.PREPARE_LOCAL_FILES,
         repo_path=repo_path,
     )
+    
     pre_committed_documents = excluder.exclude_irrelevant_documents_to_scan(
         consts.SAST_SCAN_TYPE, pre_committed_documents
     )
     diff_documents = excluder.exclude_irrelevant_documents_to_scan(consts.SAST_SCAN_TYPE, diff_documents)
+    
+    pre_committed_documents = filter_documents_with_cycodeignore(pre_committed_documents, repo_path)
+    diff_documents = filter_documents_with_cycodeignore(diff_documents, repo_path)
 
     _scan_commit_range_documents(ctx, pre_committed_documents, diff_documents, scan_parameters=scan_parameters)
 
diff --git a/cycode/cli/apps/scan/repository/repository_command.py b/cycode/cli/apps/scan/repository/repository_command.py
@@ -11,6 +11,7 @@
 from cycode.cli.files_collector.file_excluder import excluder
 from cycode.cli.files_collector.repository_documents import get_git_repository_tree_file_entries
 from cycode.cli.files_collector.sca.sca_file_collector import add_sca_dependencies_tree_documents_if_needed
+from cycode.cli.files_collector.documents_walk_ignore import filter_documents_with_cycodeignore
 from cycode.cli.logger import logger
 from cycode.cli.models import Document
 from cycode.cli.utils.path_utils import get_path_by_os
@@ -59,6 +60,8 @@ def repository_command(
             )
 
         documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(scan_type, documents_to_scan)
+        
+        documents_to_scan = filter_documents_with_cycodeignore(documents_to_scan, str(path))
 
         add_sca_dependencies_tree_documents_if_needed(ctx, scan_type, documents_to_scan)
 
diff --git a/cycode/cli/consts.py b/cycode/cli/consts.py
@@ -17,6 +17,8 @@
 IAC_SCAN_SUPPORTED_FILE_EXTENSIONS = ('.tf', '.tf.json', '.json', '.yaml', '.yml', '.dockerfile', '.containerfile')
 IAC_SCAN_SUPPORTED_FILE_PREFIXES = ('dockerfile', 'containerfile')
 
+CYCODEIGNORE_FILENAME = '.cycodeignore'
+
 SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.DS_Store',
     '.bmp',
diff --git a/cycode/cli/files_collector/documents_walk_ignore.py b/cycode/cli/files_collector/documents_walk_ignore.py
@@ -0,0 +1,120 @@
+import os
+from typing import TYPE_CHECKING
+
+from cycode.cli import consts
+from cycode.cli.logger import get_logger
+from cycode.cli.utils.ignore_utils import IgnoreFilterManager
+
+if TYPE_CHECKING:
+    from cycode.cli.models import Document
+
+logger = get_logger('Documents Ignores')
+
+
+def _get_cycodeignore_path(repo_path: str) -> str:
+    """Get the path to .cycodeignore file in the repository root."""
+    return os.path.join(repo_path, consts.CYCODEIGNORE_FILENAME)
+
+
+def _create_ignore_filter_manager(repo_path: str, cycodeignore_path: str) -> IgnoreFilterManager:
+    """Create IgnoreFilterManager with .cycodeignore file."""
+    return IgnoreFilterManager.build(
+        path=repo_path,
+        global_ignore_file_paths=[cycodeignore_path],
+        global_patterns=[],
+    )
+
+
+def _log_ignored_files(repo_path: str, dirpath: str, ignored_dirnames: list[str], ignored_filenames: list[str]) -> None:
+    """Log ignored files for debugging (similar to walk_ignore function)."""
+    rel_dirpath = '' if dirpath == repo_path else os.path.relpath(dirpath, repo_path)
+    display_dir = rel_dirpath or '.'
+    
+    for is_dir, names in (
+        (True, ignored_dirnames),
+        (False, ignored_filenames),
+    ):
+        for name in names:
+            full_path = os.path.join(repo_path, display_dir, name)
+            if is_dir:
+                full_path = os.path.join(full_path, '*')
+            logger.debug('Ignoring match %s', full_path)
+
+
+def _build_allowed_paths_set(ignore_filter_manager: IgnoreFilterManager, repo_path: str) -> set[str]:
+    """Build set of allowed file paths using walk_with_ignored."""
+    allowed_paths = set()
+    
+    for dirpath, dirnames, filenames, ignored_dirnames, ignored_filenames in ignore_filter_manager.walk_with_ignored():
+        _log_ignored_files(repo_path, dirpath, ignored_dirnames, ignored_filenames)
+        
+        for filename in filenames:
+            file_path = os.path.join(dirpath, filename)
+            allowed_paths.add(file_path)
+    
+    return allowed_paths
+
+
+def _get_document_check_path(document: 'Document', repo_path: str) -> str:
+    """Get the normalized absolute path for a document to check against allowed paths."""
+    check_path = document.absolute_path
+    if not check_path:
+        if os.path.isabs(document.path):
+            check_path = document.path
+        else:
+            check_path = os.path.join(repo_path, document.path)
+    
+    return os.path.normpath(check_path)
+
+
+def _filter_documents_by_allowed_paths(
+    documents: list['Document'], 
+    allowed_paths: set[str], 
+    repo_path: str
+) -> list['Document']:
+    """Filter documents by checking if their paths are in the allowed set."""
+    filtered_documents = []
+    
+    for document in documents:
+        try:
+            check_path = _get_document_check_path(document, repo_path)
+            
+            if check_path in allowed_paths:
+                filtered_documents.append(document)
+            else:
+                relative_path = os.path.relpath(check_path, repo_path)
+                logger.debug('Filtered out document due to .cycodeignore: %s', relative_path)
+        except Exception as e:
+            logger.debug('Error processing document %s: %s', document.path, e)
+            # Include document if we can't determine if it should be ignored
+            filtered_documents.append(document)
+    
+    return filtered_documents
+
+
+def filter_documents_with_cycodeignore(documents: list['Document'], repo_path: str) -> list['Document']:
+    """Filter documents based on .cycodeignore patterns.
+    
+    This function uses .cycodeignore file in the repository root to filter out
+    documents whose paths match any of those patterns.
+    
+    Args:
+        documents: List of Document objects to filter
+        repo_path: Path to the repository root
+        
+    Returns:
+        List of Document objects that don't match any .cycodeignore patterns
+    """
+    cycodeignore_path = _get_cycodeignore_path(repo_path)
+    
+    if not os.path.exists(cycodeignore_path):
+        return documents
+    
+    ignore_filter_manager = _create_ignore_filter_manager(repo_path, cycodeignore_path)
+    
+    allowed_paths = _build_allowed_paths_set(ignore_filter_manager, repo_path)
+    
+    filtered_documents = _filter_documents_by_allowed_paths(documents, allowed_paths, repo_path)
+    
+    logger.debug('Filtered %d documents using .cycodeignore patterns', len(documents) - len(filtered_documents))
+    return filtered_documents
diff --git a/cycode/cli/files_collector/walk_ignore.py b/cycode/cli/files_collector/walk_ignore.py
@@ -1,14 +1,16 @@
 import os
 from collections.abc import Generator, Iterable
+from typing import TYPE_CHECKING
 
+from cycode.cli import consts
 from cycode.cli.logger import get_logger
 from cycode.cli.utils.ignore_utils import IgnoreFilterManager
 
 logger = get_logger('Ignores')
 
 _SUPPORTED_IGNORE_PATTERN_FILES = {
     '.gitignore',
-    '.cycodeignore',
+    consts.CYCODEIGNORE_FILENAME,
 }
 _DEFAULT_GLOBAL_IGNORE_PATTERNS = [
     '.git',
@@ -56,4 +58,4 @@ def walk_ignore(path: str) -> Generator[tuple[str, list[str], list[str]], None,
                     full_path = os.path.join(full_path, '*')
                 logger.debug('Ignoring match %s', full_path)
 
-        yield dirpath, dirnames, filenames
+        yield dirpath, dirnames, filenames
diff --git a/tests/cli/files_collector/test_documents_walk_ignore.py b/tests/cli/files_collector/test_documents_walk_ignore.py
