
fix(scanner): honor config matchers.only/exclude#44

Open
yusufnuru wants to merge 3 commits into vercel-labs:main from yusufnuru:fix/honor-config-matchers-filter

Conversation

@yusufnuru

What changed

scan() now honors matchers.only and matchers.exclude from deepsec.config.ts via a new resolveMatchers() helper. Closes #36.

Why

The matchers.only / matchers.exclude fields were declared in the schema but never read — only the --matchers CLI flag had any effect. Setting matchers: { exclude: ["xss"] } in deepsec.config.ts did nothing; xss still ran.

Verification

  • pnpm test passes (79 unit tests, incl. 8 new in resolve-matchers.test.ts)
  • pnpm lint passes
  • pnpm knip passes
  • If this adds a matcher: ran it against at least one real repo and confirmed the candidate count is sane — N/A (no new matcher)

Notes for reviewer

Precedence: CLI --matchers is exact and overrides config entirely. Otherwise base = cfg.only ?? all, then cfg.exclude is subtracted. Unknown slugs in only/exclude warn (visible) instead of erroring — matches existing silent-drop behavior of getBySlugs but adds visibility. CLI also logs the resolved config-driven filter so it's clear what ran.

@vercel

vercel Bot commented May 5, 2026

@yusufnuru is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

@cramforce (Contributor)

Please re-push with signed commits

yusufnuru added 2 commits May 6, 2026 07:12
The `matchers.only` and `matchers.exclude` fields in `defineConfig` were
declared in the schema but never read by `scan()` — only the CLI
`--matchers` flag had any effect. Setting `matchers: { exclude: ["xss"] }`
in `deepsec.config.ts` had no effect; xss still ran (vercel-labs#36).

Add a pure `resolveMatchers(registry, cliSlugs, cfg)` helper that wires
the config into matcher selection:
- CLI `--matchers` is treated as exact and overrides config entirely.
- Otherwise, base = `cfg.only ?? all`, then `cfg.exclude` is subtracted.
- Unknown slugs in `only`/`exclude` warn and are ignored.

`scan()` now calls this helper. The CLI also logs the resolved
config-driven filter so the user sees what was applied.

Closes vercel-labs#36
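The precedence rules described in the PR description and the commit message above, written out as an added stand-alone example (this is not the PR's own `resolveMatchers`); the `Matcher` shape, the `MatcherConfig` type, the returned `warnings` array and the constructed demo registry are assumptions made for this illustration:

```typescript
// Assumed shapes for the illustration; deepsec's real types may differ.
interface Matcher { slug: string }
interface MatcherConfig { only?: string[]; exclude?: string[] }
interface ResolveResult { selected: Matcher[]; warnings: string[] }

function resolveMatchers(
  registry: Matcher[],
  cliSlugs: string[] | undefined,
  cfg: MatcherConfig | undefined,
): ResolveResult {
  const warnings: string[] = [];
  const known = new Set(registry.map((m) => m.slug));

  // Resolve slugs against the registry; an unknown slug is reported as a
  // warning and ignored rather than silently dropped or turned into an error.
  const lookup = (slugs: string[], source: string): Set<string> => {
    const found = new Set<string>();
    for (const slug of slugs) {
      if (known.has(slug)) found.add(slug);
      else warnings.push(`unknown matcher slug "${slug}" in ${source} (ignored)`);
    }
    return found;
  };

  // 1. CLI --matchers is exact and overrides the config entirely, so a
  //    config exclude cannot remove a matcher explicitly requested on the CLI.
  if (cliSlugs && cliSlugs.length > 0) {
    const wanted = lookup(cliSlugs, "--matchers");
    return { selected: registry.filter((m) => wanted.has(m.slug)), warnings };
  }

  // 2. base = cfg.only ?? all
  let base = registry;
  if (cfg?.only) {
    const wanted = lookup(cfg.only, "matchers.only");
    base = registry.filter((m) => wanted.has(m.slug));
  }

  // 3. cfg.exclude is subtracted from the base set.
  if (cfg?.exclude) {
    const dropped = lookup(cfg.exclude, "matchers.exclude");
    base = base.filter((m) => !dropped.has(m.slug));
  }
  return { selected: base, warnings };
}

// Constructed demo registry; these are not deepsec's actual matchers.
const DEMO_REGISTRY: Matcher[] = [{ slug: "xss" }, { slug: "sqli" }, { slug: "ssrf" }];
```

With this precedence, `matchers: { exclude: ["xss"] }` in the config removes `xss` from a full scan, while `--matchers xss` on the CLI still runs it.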
@yusufnuru yusufnuru force-pushed the fix/honor-config-matchers-filter branch from 9978c0a to 7a37d8c Compare May 5, 2026 23:18
@yusufnuru (Author)

Done.

Development

Successfully merging this pull request may close these issues.

Config matchers.exclude does not work (matcher e.g. xss not excluded during scan)