feat: support path-based rule exclusions via exclude-rules (#1465)

* add path-based rule exclusions

Implements #1287

* Ssupport for excluding specific rules from specific paths, enabling large monorepos to apply different security rules to different components (e.g., CLI tools vs services).

* fix formatting issuue with path filter test to pass gci

Author: ravisastryk

README.md

@@ -261,6 +261,45 @@ A number of global settings can be provided in a configuration file as follows:
 $ gosec -conf config.json .
 ```
 
+### Path-Based Rule Exclusions
+
+Large repositories with multiple components may need different security rules
+for different paths. Use `exclude-rules` to suppress specific rules for specific
+paths.
+
+**Configuration File:**
+```json
+{
+  "exclude-rules": [
+    {
+      "path": "cmd/.*",
+      "rules": ["G204", "G304"]
+    },
+    {
+      "path": "scripts/.*",
+      "rules": ["*"]
+    }
+  ]
+}
+```
+
+**CLI Flag:**
+```bash
+# Exclude G204 and G304 from cmd/ directory
+gosec --exclude-rules="cmd/.*:G204,G304" ./...
+
+# Exclude all rules from scripts/ directory  
+gosec --exclude-rules="scripts/.*:*" ./...
+
+# Multiple exclusions
+gosec --exclude-rules="cmd/.*:G204,G304;test/.*:G101" ./...
+```
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `path` | string (regex) | Regular expression matched against file paths |
+| `rules` | []string | Rule IDs to exclude. Use `*` to exclude all rules |
+
 #### Rule Configuration
 
 Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md).

cmd/gosec/main.go

@@ -59,6 +59,11 @@ USAGE:
 	# Run all rules except the provided
 	$ gosec -exclude=G101 $GOPATH/src/github.com/example/project/...
 
+	# Exclude specific rules from specific paths
+	$ gosec --exclude-rules="cmd/.*:G204,G304" ./...
+
+	# Exclude all rules from scripts directory
+	$ gosec --exclude-rules="scripts/.*:*" ./...
 `
 	// Environment variable for AI API key.
 	aiAPIKeyEnv = "GOSEC_AI_API_KEY" // #nosec G101
@@ -79,6 +84,12 @@ var (
 	// #nosec flag
 	flagIgnoreNoSec = flag.Bool("nosec", false, "Ignores #nosec comments when set")
 
+	// Path-based exclusions
+	flagExcludeRules = flag.String("exclude-rules", "",
+		`Path-based rule exclusions. Format: "path:rule1,rule2;path2:rule3"
+Example: "cmd/.*:G204,G304;test/.*:G101"
+Use "*" to exclude all rules for a path: "scripts/.*:*"`)
+
 	// show ignored
 	flagShowIgnored = flag.Bool("show-ignored", false, "If enabled, ignored issues are printed")
 
@@ -353,6 +364,27 @@ func exit(issues []*issue.Issue, errors map[string][]gosec.Error, noFail bool) {
 	os.Exit(0)
 }
 
+// buildPathExclusionFilter creates a PathExclusionFilter from config and CLI flags
+func buildPathExclusionFilter(config gosec.Config, cliFlag string) (*gosec.PathExclusionFilter, error) {
+	// Parse CLI exclude-rules
+	cliRules, err := gosec.ParseCLIExcludeRules(cliFlag)
+	if err != nil {
+		return nil, fmt.Errorf("invalid --exclude-rules flag: %w", err)
+	}
+
+	// Get config file exclude-rules
+	configRules, err := config.GetExcludeRules()
+	if err != nil {
+		return nil, fmt.Errorf("invalid exclude-rules in config: %w", err)
+	}
+
+	// Merge rules (CLI takes precedence)
+	allRules := gosec.MergeExcludeRules(configRules, cliRules)
+
+	// Create and return filter
+	return gosec.NewPathExclusionFilter(allRules)
+}
+
 func main() {
 	// Makes sure some version information is set
 	prepareVersionInfo()
@@ -440,6 +472,12 @@ func main() {
 		logger.Fatal("No rules/analyzers are configured")
 	}
 
+	// Build path exclusion filter
+	pathFilter, err := buildPathExclusionFilter(config, *flagExcludeRules)
+	if err != nil {
+		logger.Fatalf("Path exclusion filter error: %v", err)
+	}
+
 	// Create the analyzer
 	analyzer := gosec.NewAnalyzer(config, *flagScanTests, *flagExcludeGenerated, *flagTrackSuppressions, *flagConcurrency, logger)
 	analyzer.LoadRules(ruleList.RulesInfo())
@@ -476,6 +514,13 @@ func main() {
 	// Collect the results
 	issues, metrics, errors := analyzer.Report()
 
+	// Apply path-based exclusions first
+	var pathExcludedCount int
+	issues, pathExcludedCount = pathFilter.FilterIssues(issues)
+	if pathExcludedCount > 0 {
+		logger.Printf("Excluded %d issues by path-based rules", pathExcludedCount)
+	}
+
 	// Sort the issue by severity
 	if *flagSortIssues {
 		sortIssues(issues)

config.go

@@ -11,6 +11,8 @@ const (
 	// Globals are applicable to all rules and used for general
 	// configuration settings for gosec.
 	Globals = "global"
+	// ExcludeRulesKey is the config key for path-based rule exclusions
+	ExcludeRulesKey = "exclude-rules"
 )
 
 // GlobalOption defines the name of the global options
@@ -135,3 +137,38 @@ func (c Config) IsGlobalEnabled(option GlobalOption) (bool, error) {
 	}
 	return (value == "true" || value == "enabled"), nil
 }
+
+// GetExcludeRules retrieves the path-based exclusion rules from the configuration.
+// Returns nil if no exclusion rules are configured.
+func (c Config) GetExcludeRules() ([]PathExcludeRule, error) {
+	if c == nil {
+		return nil, nil
+	}
+
+	rawRules, exists := c[ExcludeRulesKey]
+	if !exists {
+		return nil, nil
+	}
+
+	// The config is unmarshaled as map[string]interface{}, so we need to
+	// re-marshal and unmarshal to get the proper typed struct
+	rulesJSON, err := json.Marshal(rawRules)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal exclude-rules: %w", err)
+	}
+
+	var rules []PathExcludeRule
+	if err := json.Unmarshal(rulesJSON, &rules); err != nil {
+		return nil, fmt.Errorf("failed to parse exclude-rules: %w", err)
+	}
+
+	return rules, nil
+}
+
+// SetExcludeRules sets the path-based exclusion rules in the configuration.
+func (c Config) SetExcludeRules(rules []PathExcludeRule) {
+	if c == nil {
+		return
+	}
+	c[ExcludeRulesKey] = rules
+}

examples/gosec-with-exclude-rules.json

@@ -0,0 +1,36 @@
+{
+  "global": {
+    "audit": false,
+    "nosec": false,
+    "show-ignored": false
+  },
+  "G101": {
+    "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token|api_key",
+    "ignore_entropy": false,
+    "entropy_threshold": "80.0",
+    "per_char_threshold": "3.0",
+    "truncate": "32"
+  },
+  "exclude-rules": [
+    {
+      "path": "cmd/.*",
+      "rules": ["G204", "G304"]
+    },
+    {
+      "path": "internal/testutil/.*",
+      "rules": ["G101", "G401", "G501"]
+    },
+    {
+      "path": "scripts/.*",
+      "rules": ["*"]
+    },
+    {
+      "path": ".*_test\\.go$",
+      "rules": ["G101", "G304"]
+    },
+    {
+      "path": "internal/(mock|fake|stub)s?/.*",
+      "rules": ["*"]
+    }
+  ]
+}