Merge pull request #55 from sacha-c/ignore-project-list

sacha-c · web-flow · commit ad21156e8405 · 2025-06-20T16:45:49.000+02:00
feat: ignore project list
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ Sheriff is a tool to scan repositories and generate security reports.
       - [verbose](#verbose)
     - [Scanning](#scanning)
       - [targets](#targets)
+      - [ignored](#ignored)
     - [Reporting](#reporting)
       - [report to issue](#report-to-issue)
       - [report to email (TODO #12)](#report-to-email-todo-12)
@@ -166,6 +167,19 @@ The expected format of a target is `platform://path/to/your/group-or-project`
 For example:
 `--target gitlab://namespace/group --target github://organization/project`
 
+##### ignored
+
+| CLI options | File config |
+|---|---|
+| (repeatable) `--ignore` | `ignored` |
+
+Sets the list of groups and projects to be ignored from scanning.
+Useful when you have a `target` which is a group, but you want to ignore a specific project from that group.
+The expected format of a target is `platform://path/to/your/group-or-project`
+
+For example:
+`--ignore gitlab://namespace/group --ignore github://organization/project`
+
 #### Reporting
 
 ##### report to issue
diff --git a/internal/cli/patrol.go b/internal/cli/patrol.go
@@ -27,6 +27,7 @@ const (
 const configFlag = "config"
 const verboseFlag = "verbose"
 const targetFlag = "target"
+const ignoreFlag = "ignore"
 const reportToEmailFlag = "report-to-email"
 const reportToIssueFlag = "report-to-issue"
 const reportToSlackChannel = "report-to-slack-channel"
@@ -56,6 +57,11 @@ var PatrolFlags = []cli.Flag{
 		Usage:    "Groups and projects to scan for vulnerabilities (list argument which can be repeated)",
 		Category: string(Scanning),
 	},
+	&cli.StringSliceFlag{
+		Name:     ignoreFlag,
+		Usage:    "List of repositories or groups to ignore (list argument which can be repeated)",
+		Category: string(Scanning),
+	},
 	&cli.StringSliceFlag{
 		Name:     reportToEmailFlag,
 		Usage:    "Enable reporting to the provided list of emails",
@@ -110,6 +116,7 @@ func PatrolAction(cCtx *cli.Context) error {
 	config, err := config.GetPatrolConfiguration(config.PatrolCLIOpts{
 		PatrolCommonOpts: config.PatrolCommonOpts{
 			Targets: getStringSliceIfSet(cCtx, targetFlag),
+			Ignored: getStringSliceIfSet(cCtx, ignoreFlag),
 			Report: config.PatrolReportOpts{
 				To: config.PatrolReportToOpts{
 					Issue:                 getBoolIfSet(cCtx, reportToIssueFlag),
diff --git a/internal/config/patrol.go b/internal/config/patrol.go
@@ -16,6 +16,7 @@ type ProjectLocation struct {
 
 type PatrolConfig struct {
 	Locations             []ProjectLocation
+	Ignored               []ProjectLocation
 	ReportToEmails        []string
 	ReportToSlackChannels []string
 	ReportToIssue         bool
@@ -39,6 +40,7 @@ type PatrolReportOpts struct {
 
 type PatrolCommonOpts struct {
 	Targets *[]string        `toml:"targets"`
+	Ignored *[]string        `toml:"ignored"`
 	Report  PatrolReportOpts `toml:"report"`
 }
 
@@ -86,6 +88,12 @@ func mergeConfigs(cliOpts PatrolCLIOpts, fileOpts PatrolFileOpts) (config Patrol
 		return config, errors.Join(errors.New("could not parse targets from CLI options"), err)
 	}
 
+	ignored := getCliOrFileOption(cliOpts.Ignored, fileOpts.Ignored, []string{})
+	parsedIgnored, err := parseTargets(ignored)
+	if err != nil {
+		return config, errors.Join(errors.New("could not parse targets from CLI options"), err)
+	}
+
 	config = PatrolConfig{
 		Locations:             parsedLocations,
 		ReportToIssue:         getCliOrFileOption(cliOpts.Report.To.Issue, fileOpts.Report.To.Issue, false),
@@ -94,6 +102,7 @@ func mergeConfigs(cliOpts PatrolCLIOpts, fileOpts PatrolFileOpts) (config Patrol
 		EnableProjectReportTo: getCliOrFileOption(cliOpts.Report.To.EnableProjectReportTo, fileOpts.Report.To.EnableProjectReportTo, false),
 		SilentReport:          getCliOrFileOption(cliOpts.Report.SilentReport, fileOpts.Report.SilentReport, false),
 		Verbose:               cliOpts.Verbose,
+		Ignored:               parsedIgnored,
 	}
 
 	return
diff --git a/internal/config/patrol_test.go b/internal/config/patrol_test.go
@@ -10,6 +10,7 @@ import (
 func TestGetPatrolConfiguration(t *testing.T) {
 	want := PatrolConfig{
 		Locations:             []ProjectLocation{{Type: repository.Gitlab, Path: "group1"}, {Type: repository.Gitlab, Path: "group2/project1"}},
+		Ignored:               []ProjectLocation{},
 		ReportToEmails:        []string{"some-email@gmail.com"},
 		ReportToSlackChannels: []string{"report-slack-channel"},
 		ReportToIssue:         true,
@@ -30,6 +31,7 @@ func TestGetPatrolConfiguration(t *testing.T) {
 func TestGetPatrolConfigurationCLIOverridesFile(t *testing.T) {
 	want := PatrolConfig{
 		Locations:             []ProjectLocation{{Type: repository.Gitlab, Path: "group1"}, {Type: repository.Gitlab, Path: "group2/project1"}},
+		Ignored:               []ProjectLocation{},
 		ReportToEmails:        []string{"email@gmail.com", "other@gmail.com"},
 		ReportToSlackChannels: []string{"other-slack-channel"},
 		ReportToIssue:         false,
diff --git a/internal/config/project.go b/internal/config/project.go
@@ -25,6 +25,7 @@ type ProjectConfig struct {
 	Report       ProjectReport      `toml:"report"`
 	SlackChannel string             `toml:"slack-channel"` // TODO #27: Break in v1.0. Kept for backwards-compatibility
 	Acknowledged []AcknowledgedVuln `toml:"acknowledged"`
+	Ignored      []string           `toml:"ignored"` // List of repositories or groups to ignore
 }
 
 func GetProjectConfiguration(projectName string, dir string) (config ProjectConfig) {
diff --git a/internal/patrol/patrol.go b/internal/patrol/patrol.go
@@ -47,7 +47,7 @@ func New(repoService provider.IProvider, slackService slack.IService, osvService
 
 // Patrol scans the given Gitlab groups and projects, creates and publishes the necessary reports.
 func (s *sheriffService) Patrol(args config.PatrolConfig) (warn error, err error) {
-	scanReports, swarn, err := s.scanAndGetReports(args.Locations)
+	scanReports, swarn, err := s.scanAndGetReports(args.Locations, args.Ignored)
 	if err != nil {
 		return nil, errors.Join(errors.New("failed to scan projects"), err)
 	}
@@ -96,7 +96,7 @@ func (s *sheriffService) Patrol(args config.PatrolConfig) (warn error, err error
 	return warn, nil
 }
 
-func (s *sheriffService) scanAndGetReports(locations []config.ProjectLocation) (reports []scanner.Report, warn error, err error) {
+func (s *sheriffService) scanAndGetReports(locations []config.ProjectLocation, ignored []config.ProjectLocation) (reports []scanner.Report, warn error, err error) {
 	// Create a temporary directory to store the scans
 	err = os.MkdirAll(tempScanDir, os.ModePerm)
 	if err != nil {
@@ -105,7 +105,7 @@ func (s *sheriffService) scanAndGetReports(locations []config.ProjectLocation) (
 	defer os.RemoveAll(tempScanDir)
 	log.Info().Str("path", tempScanDir).Msg("Created temporary directory")
 
-	projects, pwarn := s.getProjectList(locations)
+	projects, pwarn := s.getProjectList(locations, ignored)
 	if pwarn != nil {
 		pwarn = errors.Join(errors.New("errors occured when getting project list"), pwarn)
 		warn = errors.Join(pwarn, warn)
@@ -144,7 +144,18 @@ func (s *sheriffService) scanAndGetReports(locations []config.ProjectLocation) (
 	return
 }
 
-func (s *sheriffService) getProjectList(locs []config.ProjectLocation) (projects []repository.Project, warn error) {
+func (s *sheriffService) getProjectList(locs []config.ProjectLocation, ignored []config.ProjectLocation) (projects []repository.Project, warn error) {
+	// Filter out locations that are in the ignored list
+	locs = pie.Filter(locs, func(loc config.ProjectLocation) bool {
+		return !slices.ContainsFunc(ignored, func(ignoredPath config.ProjectLocation) bool {
+			ignore := ignoredPath.Path == loc.Path && ignoredPath.Type == loc.Type
+			if ignore {
+				log.Info().Str("path", loc.Path).Msg("Ignoring project location as it is in the ignored list")
+			}
+			return ignore
+		})
+	})
+
 	gitlabLocs := pie.Map(
 		pie.Filter(locs, func(loc config.ProjectLocation) bool { return loc.Type == repository.Gitlab }),
 		func(loc config.ProjectLocation) string { return loc.Path },
diff --git a/internal/patrol/patrol_test.go b/internal/patrol/patrol_test.go
@@ -192,6 +192,25 @@ func TestMarkOutdatedAcknowledgements(t *testing.T) {
 	assert.Equal(t, []string{"CVE-3"}, report.OutdatedAcks)
 }
 
+func TestGetProjectList_IgnoresProject(t *testing.T) {
+	mockClient := &mockClient{}
+	mockClient.On("GetProjectList", []string{"group/to/scan"}).Return([]repository.Project{{Name: "Hello World", RepoUrl: "https://gitlab.com/group/to/scan.git", Repository: repository.Gitlab}}, nil)
+
+	mockRepoService := &mockRepoService{}
+	mockRepoService.On("Provide", repository.Gitlab).Return(mockClient)
+
+	svc := New(mockRepoService, nil, nil)
+
+	// The ignored list contains the project path, so it should be filtered out
+	projects, warn := svc.(*sheriffService).getProjectList(
+		[]config.ProjectLocation{{Type: repository.Gitlab, Path: "group/to/scan"}},
+		[]config.ProjectLocation{{Type: repository.Gitlab, Path: "group/to/scan"}},
+	)
+	assert.Nil(t, warn)
+	assert.Empty(t, projects)
+	mockClient.AssertNotCalled(t, "GetProjectList", []string{"group/to/scan"})
+}
+
 type mockRepoService struct {
 	mock.Mock
 }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ type ProjectConfig struct {`
`25`	`25`	Report ProjectReport `toml:"report"`
`26`	`26`	SlackChannel string `toml:"slack-channel"` // TODO #27: Break in v1.0. Kept for backwards-compatibility
`27`	`27`	Acknowledged []AcknowledgedVuln `toml:"acknowledged"`
	`28`	+ Ignored []string `toml:"ignored"` // List of repositories or groups to ignore
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`func GetProjectConfiguration(projectName string, dir string) (config ProjectConfig) {`