feat(reach): add unified --exclude-paths, deprecate --reach-exclude-paths

Add a single --exclude-paths flag (Node CLI parity) that filters BOTH SCA
manifest discovery and reachability analysis:

- New Core matcher: anchored micromatch-style globs compiled to regex (no new
  deps). Scan-root-relative POSIX paths, '*' does not cross '/', '**' does, each
  pattern P expanded to [P, P/**]. Threaded into find_files via cli_config and a
  no-op when the flag is unset.
- Reach side unions --exclude-paths with the now-deprecated --reach-exclude-paths
  and forwards to coana --exclude-dirs.
- Pattern validation mirrors Node's assertValidExcludePaths (rejects negation,
  absolute paths, '..' traversal, and degenerate match-everything).
- --reach-exclude-paths soft-deprecated: still works, marked [DEPRECATED] in help,
  warns at runtime.

Adds tests including the Node parity cases for the matcher plus validation.

Author: mtorp

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.4.1"
+version = "2.4.2"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.4.1'
+__version__ = '2.4.2'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

socketsecurity/config.py

@@ -55,6 +55,30 @@ def load_cli_config_file(config_path: str) -> dict:
         return scoped
     return data
 
+def validate_exclude_paths(patterns: List[str]) -> None:
+    """Validate --exclude-paths patterns (mirrors Node's assertValidExcludePaths).
+
+    Patterns are scan-root-relative globs. Reject the cases coana's --exclude-dirs / fast-glob
+    cannot honor: negation, absolute paths, ``..`` traversal, and degenerate match-everything.
+    Exits with code 1 on the first invalid pattern.
+    """
+    degenerate = {"", ".", "./", "./**", "/", "**", "/**"}
+    for p in patterns:
+        norm = (p or "").strip().replace("\\", "/")
+        if norm.startswith("!"):
+            logging.error(f"--exclude-paths: negation patterns are not supported: {p!r}")
+            exit(1)
+        if norm.startswith("/"):
+            logging.error(f"--exclude-paths: patterns must be scan-root relative (no leading '/'): {p!r}")
+            exit(1)
+        if norm == ".." or norm.startswith("../") or "/../" in norm or norm.endswith("/.."):
+            logging.error(f"--exclude-paths: '..' path traversal is not allowed: {p!r}")
+            exit(1)
+        if norm in degenerate:
+            logging.error(f"--exclude-paths: pattern would exclude everything: {p!r}")
+            exit(1)
+
+
 @dataclass
 class PluginConfig:
     enabled: bool = False
@@ -106,6 +130,7 @@ class CliConfig:
     include_module_folders: bool = False
     repo_is_public: bool = False
     excluded_ecosystems: list[str] = field(default_factory=lambda: [])
+    exclude_paths: Optional[List[str]] = None
     version: str = __version__
     jira_plugin: PluginConfig = field(default_factory=PluginConfig)
     slack_plugin: PluginConfig = field(default_factory=PluginConfig)
@@ -167,6 +192,12 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
 
         args = parser.parse_args(args_list)
 
+        if args.reach_exclude_paths:
+            logging.warning(
+                "--reach-exclude-paths is deprecated; use --exclude-paths instead. "
+                "It is still honored and unioned with --exclude-paths."
+            )
+
         # Get API token from env or args (check multiple env var names)
         api_token = (
             os.getenv("SOCKET_SECURITY_API_KEY") or
@@ -258,6 +289,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'reach_lazy_mode': args.reach_lazy_mode,
             'reach_ecosystems': args.reach_ecosystems.split(',') if args.reach_ecosystems else None,
             'reach_exclude_paths': args.reach_exclude_paths.split(',') if args.reach_exclude_paths else None,
+            'exclude_paths': [p.strip() for p in args.exclude_paths.split(',') if p.strip()] if args.exclude_paths else None,
             'reach_skip_cache': args.reach_skip_cache,
             'reach_min_severity': args.reach_min_severity,
             'reach_output_file': args.reach_output_file,
@@ -361,6 +393,10 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             logging.error("--sarif-reachability potentially/reachable-or-potentially requires --sarif-scope full")
             exit(1)
 
+        # Validate --exclude-paths patterns up front (mirrors Node's assertValidExcludePaths).
+        if config_args.get("exclude_paths"):
+            validate_exclude_paths(config_args["exclude_paths"])
+
         # Validate that only_facts_file requires reach
         if args.only_facts_file and not args.reach:
             logging.error("--only-facts-file requires --reach to be specified")
@@ -570,6 +606,15 @@ def create_argument_parser() -> argparse.ArgumentParser:
         help="List of ecosystems to exclude from analysis (JSON array string)"
     )
 
+    path_group.add_argument(
+        "--exclude-paths",
+        dest="exclude_paths",
+        metavar="<list>",
+        help="Comma-separated paths/globs to exclude from BOTH manifest discovery and "
+             "reachability analysis (e.g. 'tests/**,packages/legacy,*.spec.ts'). "
+             "Supersedes --reach-exclude-paths."
+    )
+
     # Branch and Scan Configuration
     config_group = parser.add_argument_group('Branch and Scan Configuration')
     config_group.add_argument(
@@ -920,7 +965,8 @@ def create_argument_parser() -> argparse.ArgumentParser:
         "--reach-exclude-paths",
         dest="reach_exclude_paths",
         metavar="<list>",
-        help="Paths to exclude from reachability analysis (comma-separated)"
+        help="[DEPRECATED: use --exclude-paths] Paths to exclude from reachability analysis "
+             "(comma-separated). Still honored and unioned with --exclude-paths."
     )
     reachability_group.add_argument(
         "--reach-min-severity",

socketsecurity/core/__init__.py

@@ -213,6 +213,67 @@ def is_excluded(file_path: str, excluded_dirs: Set[str]) -> bool:
                 return True
         return False
 
+    @staticmethod
+    def _exclude_glob_to_regex(pattern: str) -> str:
+        """Translate a micromatch-style glob into an anchored regex string.
+
+        Mirrors the Node CLI's --exclude-paths matcher (src/commands/scan/exclude-paths.mts):
+        patterns are matched against scan-root-relative POSIX paths, case-sensitively, where
+        ``*`` does NOT cross ``/`` and ``**`` DOES. Patterns are anchored at the scan root, so
+        ``tests`` matches ``tests`` (not ``src/tests``); use ``**/tests`` to match at any depth.
+        """
+        i, n = 0, len(pattern)
+        out = ["^"]
+        while i < n:
+            c = pattern[i]
+            if c == "*":
+                if i + 1 < n and pattern[i + 1] == "*":
+                    if i + 2 < n and pattern[i + 2] == "/":
+                        out.append("(?:[^/]+/)*")  # '**/' -> zero or more path segments
+                        i += 3
+                    else:
+                        out.append(".*")           # '**' at end / before non-slash -> any, incl '/'
+                        i += 2
+                else:
+                    out.append("[^/]*")            # '*' -> within a single path segment
+                    i += 1
+            elif c == "?":
+                out.append("[^/]")
+                i += 1
+            else:
+                out.append(re.escape(c))
+                i += 1
+        out.append("$")
+        return "".join(out)
+
+    @staticmethod
+    def compile_exclude_paths(patterns: Optional[List[str]]) -> List["re.Pattern"]:
+        """Compile --exclude-paths globs into anchored regexes (compiled once per scan).
+
+        Each pattern ``P`` is expanded the way Node feeds fast-glob's ``ignore``: ``P`` (a file-
+        or dir-shaped exact match) plus ``P/**`` (its subtree), unless ``P`` already ends with
+        ``/**``. Validation of the patterns happens earlier, in CliConfig.from_args.
+        """
+        compiled: List["re.Pattern"] = []
+        for raw in patterns or []:
+            p = (raw or "").strip().replace("\\", "/").rstrip("/")
+            if not p:
+                continue
+            globs = [p] if p.endswith("/**") else [p, f"{p}/**"]
+            compiled.extend(re.compile(Core._exclude_glob_to_regex(g)) for g in globs)
+        return compiled
+
+    @staticmethod
+    def path_matches_exclude_regexes(rel_path: str, regexes: List["re.Pattern"]) -> bool:
+        rp = rel_path.replace(os.sep, "/").replace("\\", "/")
+        return any(r.match(rp) for r in regexes)
+
+    @staticmethod
+    def matches_exclude_paths(file_path: str, base_path: str, patterns: List[str]) -> bool:
+        """Convenience matcher (compiles patterns per call); used in tests/ad-hoc checks."""
+        rel_path = os.path.relpath(file_path, base_path).replace(os.sep, "/")
+        return Core.path_matches_exclude_regexes(rel_path, Core.compile_exclude_paths(patterns))
+
     def save_submitted_files_list(self, files: List[str], output_path: str) -> None:
         """
         Save the list of submitted file names to a JSON file for debugging.
@@ -336,6 +397,17 @@ def find_files(self, path: str, ecosystems: Optional[List[str]] = None) -> List[
         start_time = time.time()
         files: Set[str] = set()
 
+        # Unified --exclude-paths: filter discovered manifests by the same paths/globs that are
+        # forwarded to coana's --exclude-dirs. Only consulted when the user supplied the flag.
+        # Patterns are anchored to `path` (the scan root this pass walks), matching coana's
+        # target and the Node CLI's fast-glob cwd. NOTE: when scanning multiple --sub-path
+        # targets, find_files runs once per sub-path, so a pattern like `tests` anchors to each
+        # sub-path independently (Node anchors all patterns to a single scan-root cwd). This only
+        # differs for the multi-target full-scan + --exclude-paths combo; the reach flow is
+        # single-target, so it matches Node there.
+        exclude_paths = getattr(self.cli_config, "exclude_paths", None) if self.cli_config else None
+        exclude_regexes = Core.compile_exclude_paths(exclude_paths) if exclude_paths else []
+
         # Get supported patterns from the API
         patterns = self.get_supported_patterns()
 
@@ -365,8 +437,15 @@ def find_files(self, path: str, ecosystems: Optional[List[str]] = None) -> List[
 
                     for glob_file in glob_files:
                         glob_file_str = str(glob_file)
-                        if os.path.isfile(glob_file_str) and not Core.is_excluded(glob_file_str, self.config.excluded_dirs):
-                            files.add(glob_file_str.replace("\\", "/"))
+                        if not os.path.isfile(glob_file_str):
+                            continue
+                        if Core.is_excluded(glob_file_str, self.config.excluded_dirs):
+                            continue
+                        if exclude_regexes:
+                            rel = os.path.relpath(glob_file_str, path)
+                            if Core.path_matches_exclude_regexes(rel, exclude_regexes):
+                                continue
+                        files.add(glob_file_str.replace("\\", "/"))
 
                     glob_end = time.time()
                     log.debug(f"Globbing took {glob_end - glob_start:.4f} seconds")

socketsecurity/socketcli.py

@@ -388,7 +388,15 @@ def main_code():
                     timeout=config.reach_analysis_timeout,
                     memory_limit=config.reach_analysis_memory_limit,
                     ecosystems=config.reach_ecosystems,
-                    exclude_paths=config.reach_exclude_paths,
+                    # Union the deprecated --reach-exclude-paths with the unified --exclude-paths
+                    # and forward verbatim to coana's --exclude-dirs. Patterns are scan-root
+                    # relative; coana resolves --exclude-dirs relative to its `run` target, which
+                    # here is `.` == cwd == scan root, so passthrough is correct. If a nested
+                    # target is ever supported, re-anchor patterns to the target first (see Node's
+                    # pathRelativeToTarget in exclude-paths.mts).
+                    exclude_paths=(
+                        (config.reach_exclude_paths or []) + (config.exclude_paths or [])
+                    ) or None,
                     min_severity=config.reach_min_severity,
                     skip_cache=config.reach_skip_cache or False,
                     disable_analytics=config.reach_disable_analytics or False,

tests/unit/test_exclude_paths.py

@@ -0,0 +1,149 @@
+"""Tests for the unified --exclude-paths flag (G2, Node alignment).
+
+Covers the path matcher, config parsing + soft-deprecation of --reach-exclude-paths,
+and that --exclude-paths filters SCA manifest discovery via Core.find_files.
+"""
+import logging
+import types
+from unittest.mock import MagicMock
+
+import pytest
+
+from socketsecurity.config import CliConfig
+from socketsecurity.core import Core
+from socketsecurity.core.socket_config import SocketConfig
+
+# ---- matcher -------------------------------------------------------------
+
+@pytest.mark.parametrize(
+    "rel, patterns, expected",
+    [
+        # directory prefix -> the directory's whole subtree
+        ("packages/legacy/package.json", ["packages/legacy"], True),
+        ("packages/keep/package.json", ["packages/legacy"], False),
+        # root-anchored: a bare name matches at the root only, NOT nested
+        ("tests/x.json", ["tests"], True),
+        ("src/tests/x.json", ["tests"], False),
+        # **/ matches at any depth
+        ("src/tests/x.json", ["**/tests"], True),
+        ("tests/unit/x.json", ["tests/**"], True),
+        ("tests", ["tests/**"], False),                # P/** is the subtree, not P itself
+        # '*' does NOT cross '/': anchored basename glob is root-level only
+        ("index.spec.ts", ["*.spec.ts"], True),
+        ("src/app/index.spec.ts", ["*.spec.ts"], False),
+        ("src/app/index.spec.ts", ["**/*.spec.ts"], True),
+        ("src/app/index.ts", ["**/*.spec.ts"], False),
+        # single-star matches exactly one path segment
+        ("packages/a/node_modules/x.json", ["packages/*/node_modules"], True),
+        ("packages/a/b/node_modules/x.json", ["packages/*/node_modules"], False),
+    ],
+)
+def test_matches_exclude_paths(rel, patterns, expected):
+    assert Core.matches_exclude_paths(rel, ".", patterns) is expected
+
+
+@pytest.mark.parametrize(
+    "pattern, excluded, kept",
+    [
+        # Node parity cases (src/commands/scan/exclude-paths.mts), anchored at scan root.
+        ("tests", "tests/pkg/package.json", "src/tests/package.json"),
+        ("package-lock.json", "package-lock.json", "packages/a/package-lock.json"),
+        ("**/node_modules", "packages/a/node_modules/dep/package.json", "src/app/package.json"),
+        ("packages/legacy", "packages/legacy/p.json", "packages/legacy-x/p.json"),
+        ("src/*.json", "src/a.json", "src/sub/a.json"),
+    ],
+)
+def test_matches_exclude_paths_node_parity(pattern, excluded, kept):
+    assert Core.matches_exclude_paths(excluded, ".", [pattern]) is True
+    assert Core.matches_exclude_paths(kept, ".", [pattern]) is False
+
+
+def test_matches_exclude_paths_empty_is_false():
+    assert Core.matches_exclude_paths("a/b.json", ".", []) is False
+    assert Core.matches_exclude_paths("a/b.json", ".", ["  "]) is False
+
+
+# ---- config parsing ------------------------------------------------------
+
+BASE_ARGS = ["--api-token", "test-token", "--repo", "test-repo"]
+
+
+def test_exclude_paths_parses_to_list():
+    config = CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "tests/**, packages/legacy , *.spec.ts"])
+    assert config.exclude_paths == ["tests/**", "packages/legacy", "*.spec.ts"]
+
+
+def test_exclude_paths_defaults_none():
+    config = CliConfig.from_args(BASE_ARGS)
+    assert config.exclude_paths is None
+
+
+def test_reach_exclude_paths_still_works_and_warns(caplog):
+    with caplog.at_level(logging.WARNING):
+        config = CliConfig.from_args(BASE_ARGS + ["--reach", "--reach-exclude-paths", "a,b"])
+    assert config.reach_exclude_paths == ["a", "b"]
+    assert any("deprecated" in r.message for r in caplog.records)
+
+
+@pytest.mark.parametrize(
+    "bad",
+    ["!foo", "/abs/path", "..", "../escape", "a/../b", ".", "**", "/**", "./**"],
+)
+def test_exclude_paths_validation_rejects(bad):
+    with pytest.raises(SystemExit) as exc:
+        CliConfig.from_args(BASE_ARGS + ["--exclude-paths", bad])
+    assert exc.value.code == 1
+
+
+def test_exclude_paths_validation_rejects_within_csv():
+    with pytest.raises(SystemExit) as exc:
+        CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "src,..,tests"])
+    assert exc.value.code == 1
+
+
+def test_exclude_paths_valid_globs_accepted():
+    config = CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "tests/**,**/*.spec.ts,packages/legacy"])
+    assert config.exclude_paths == ["tests/**", "**/*.spec.ts", "packages/legacy"]
+
+
+# ---- find_files integration ---------------------------------------------
+
+def _make_core(exclude_paths):
+    core = Core.__new__(Core)
+    core.config = SocketConfig(api_key="test-key")
+    core.cli_config = types.SimpleNamespace(exclude_paths=exclude_paths)
+    core.sdk = MagicMock()
+    return core
+
+
+def _seed_manifests(tmp_path):
+    for rel in ("package.json", "sub/package.json", "legacy/package.json"):
+        p = tmp_path / rel
+        p.parent.mkdir(parents=True, exist_ok=True)
+        p.write_text("{}", encoding="utf-8")
+
+
+def test_find_files_excludes_matching_paths(tmp_path, mocker):
+    _seed_manifests(tmp_path)
+    core = _make_core(["legacy"])
+    mocker.patch.object(
+        core, "get_supported_patterns",
+        return_value={"npm": {"package.json": {"pattern": "package.json"}}},
+    )
+
+    found = core.find_files(str(tmp_path))
+    assert any(f.endswith("/package.json") and "/legacy/" not in f for f in found)
+    assert not any("/legacy/" in f for f in found)
+
+
+def test_find_files_no_exclude_paths_keeps_all(tmp_path, mocker):
+    _seed_manifests(tmp_path)
+    core = _make_core(None)
+    mocker.patch.object(
+        core, "get_supported_patterns",
+        return_value={"npm": {"package.json": {"pattern": "package.json"}}},
+    )
+
+    found = core.find_files(str(tmp_path))
+    assert any("/legacy/" in f for f in found)
+    assert len(found) == 3