feat(flag): Support globstar for --skip-files and --skip-directories (#4026)

Signed-off-by: Simar <simar@linux.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-12 07:40:48 -08:00 · 2023-04-16 03:48:20 -07:00
parent 14805002d3
commit b43b19ba54
4 changed files with 22 additions and 3 deletions
--- a/docs/docs/vulnerability/examples/others.md
+++ b/docs/docs/vulnerability/examples/others.md
@@ -33,9 +33,18 @@ $ trivy image --skip-dirs "./testdata/*" .
 Will skip all subdirectories of the testdata directory.

 !!! tip
-    Glob patters work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
+    Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).


+### Advanced globbing
+Trivy also supports the [globstar](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) pattern matching. 
+
+```bash
+$ trivy image --skip-files "**/foo"``` image:tag
+```
+
+Will skip the file `foo` that happens to be nested under any parent(s). 
+
 ## File patterns
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../../misconfiguration/custom/index.md).
--- a/go.mod
+++ b/go.mod
@@ -33,6 +33,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.15
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.89.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7
+	github.com/bmatcuk/doublestar v1.3.4
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.2
 	github.com/containerd/containerd v1.7.0
@@ -189,7 +190,6 @@ require (
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
--- a/pkg/fanal/walker/walk.go
+++ b/pkg/fanal/walker/walk.go
@@ -6,6 +6,8 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/bmatcuk/doublestar"
+
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/utils"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -56,7 +58,7 @@ func (w *walker) shouldSkipFile(filePath string) bool {

 	// skip files
 	for _, pattern := range w.skipFiles {
-		match, err := path.Match(pattern, filePath)
+		match, err := doublestar.Match(pattern, filePath)
 		if err != nil {
 			return false // return early if bad pattern
 		} else if match {
--- a/pkg/fanal/walker/walk_test.go
+++ b/pkg/fanal/walker/walk_test.go
@@ -27,6 +27,14 @@ func Test_shouldSkipFile(t *testing.T) {
 				filepath.Join("/etc/foo/bar"): true,
 			},
 		},
+		{
+			skipFiles: []string{filepath.Join("**/*.txt")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):         false,
+				filepath.Join("/etc/foo/bar"):     false,
+				filepath.Join("/var/log/bar.txt"): true,
+			},
+		},
 		{
 			skipFiles: []string{filepath.Join("/etc/*/*"), filepath.Join("/var/log/*.txt")},
 			skipMap: map[string]bool{