Merge remote-tracking branch 'origin/main' into feat/parse-project-tags-for-code-report

Author: apzuk3

cliv2/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/snyk/cli-extension-ai-bom v0.0.0-20260115091503-3d0699c466ef
 	github.com/snyk/cli-extension-dep-graph v0.15.1
-	github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0
+	github.com/snyk/cli-extension-iac v0.0.0-20260115084339-e0c36e4dffdf
 	github.com/snyk/cli-extension-iac-rules v0.0.0-20260115114457-a8ac3358ec57
 	github.com/snyk/cli-extension-mcp-scan v0.0.0-20260120142932-0eea0566625a
 	github.com/snyk/cli-extension-os-flows v0.0.0-20260115160519-84f621016a34
@@ -23,7 +23,7 @@ require (
 	github.com/snyk/go-application-framework v0.0.0-20260126103810-195f34e2e0a2
 	github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65
 	github.com/snyk/snyk-iac-capture v0.6.5
-	github.com/snyk/snyk-ls v0.0.0-20260123134153-c85af1965c75
+	github.com/snyk/snyk-ls v0.0.0-20260128094006-1a31e5aa396e
 	github.com/snyk/studio-mcp v1.3.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.10
@@ -94,7 +94,7 @@ require (
 	github.com/clipperhouse/displaywidth v0.6.1 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cloudflare/circl v1.6.2 // indirect
 	github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/creachadair/jrpc2 v1.3.0 // indirect
@@ -207,10 +207,10 @@ require (
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/samber/lo v1.52.0 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/skeema/knownhosts v1.3.2 // indirect
 	github.com/snyk/code-client-go v1.25.0 // indirect
 	github.com/snyk/dep-graph/go v0.0.0-20251219134535-fcb262dc6d25 // indirect
 	github.com/snyk/policy-engine v1.1.2 // indirect
@@ -250,7 +250,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.47.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect

cliv2/go.sum

@@ -162,8 +162,8 @@ github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfa
 github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
 github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
 github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.2 h1:hL7VBpHHKzrV5WTfHCaBsgx/HGbBYlgrwvNXEVDYYsQ=
+github.com/cloudflare/circl v1.6.2/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f h1:Y8xYupdHxryycyPlc9Y+bSQAYZnetRJ70VMVKm5CKI0=
 github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f/go.mod h1:HlzOvOjVBOfTGSRXRyY0OiCS/3J1akRGQQpRO/7zyF4=
 github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
@@ -522,21 +522,21 @@ github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppK
 github.com/sahilm/fuzzy v0.1.0/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
 github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
 github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
 github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
-github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
+github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
+github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
 github.com/snyk/cli-extension-ai-bom v0.0.0-20260115091503-3d0699c466ef h1:w+PLQGOM3wHGZ89Hhh16AL0OVFfgbZiGs8XYEYxHgks=
 github.com/snyk/cli-extension-ai-bom v0.0.0-20260115091503-3d0699c466ef/go.mod h1:vcRqbTJ3oEM4I6q88opeq2erDtdXW9TLKhU63iJXPM4=
 github.com/snyk/cli-extension-dep-graph v0.15.1 h1:SK1cMIfIzpmQhcfVnn77FZHQgcXT/3d9ZzTog1uPT3c=
 github.com/snyk/cli-extension-dep-graph v0.15.1/go.mod h1:Do/xNThRKSbZcIC2JCCgkBJ2X/h/YbN5i12znPEEvjY=
-github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0 h1:ecGoMisVTnz5xRnt9yXW2hlRrIyYM123yMt1NeNEo6s=
-github.com/snyk/cli-extension-iac v0.0.0-20250829110702-b41ac109dab0/go.mod h1:tLxyhtrRiEvbSLQ6PbCsl29ZXK6s2aunRuL6cSe/8cE=
+github.com/snyk/cli-extension-iac v0.0.0-20260115084339-e0c36e4dffdf h1:43ITDrUkpPC0Hy/CvPsuYQVdZVFoaol5CNK253YdS6A=
+github.com/snyk/cli-extension-iac v0.0.0-20260115084339-e0c36e4dffdf/go.mod h1:M5nvpEfsPTCaD7hNSzMBoeTgHaYHWct5fVPqn05szpQ=
 github.com/snyk/cli-extension-iac-rules v0.0.0-20260115114457-a8ac3358ec57 h1:8A/m+2Kqq7YylEZxAO/Ap6C5Fr+21WRM9BecxzOg098=
 github.com/snyk/cli-extension-iac-rules v0.0.0-20260115114457-a8ac3358ec57/go.mod h1:AFto63ozNmCXtKb5oTTD3Qz1jEl/HCqCVwpZCfTpSIE=
 github.com/snyk/cli-extension-mcp-scan v0.0.0-20260120142932-0eea0566625a h1:ElZXU6njO7McDQ7u7nAsJ5PCcwvA2+dEsadRM4P41JQ=
@@ -545,10 +545,10 @@ github.com/snyk/cli-extension-os-flows v0.0.0-20260115160519-84f621016a34 h1:Vtb
 github.com/snyk/cli-extension-os-flows v0.0.0-20260115160519-84f621016a34/go.mod h1:s3HX7yjdyP5PYe+ZTMyrJA5wv6hCnmfGdh7Nk5la6tY=
 github.com/snyk/cli-extension-sbom v0.0.0-20260109124810-cfdd074f8eeb h1:5cAi3VwdoE4d6kc6D6qSge11e/ALBMmuBatySFd8rfE=
 github.com/snyk/cli-extension-sbom v0.0.0-20260109124810-cfdd074f8eeb/go.mod h1:jIACVV10j4pW7LFrlYYtjn9mZm2JnXeFBM6/aTNJgvM=
-github.com/snyk/code-client-go v1.25.0 h1:1lcg6asMpMWwpaZLKVDdci3OrAv6rRoCsCcT8Ci/fUI=
-github.com/snyk/code-client-go v1.25.0/go.mod h1:YYggK3UbOHl5rg7uBhLzsKZBFNavcwFUse/EWCKWdzw=
 github.com/snyk/cli-extension-secrets v0.0.0-20260119125200-a69877b835d2 h1:IajF3ZDyMByXr5vLzQ9+fzLAKI0VT3I1fQBX+mtpft4=
 github.com/snyk/cli-extension-secrets v0.0.0-20260119125200-a69877b835d2/go.mod h1:7UzFzUBGY6hlY+fYx/IjjIjEFryxoAPaGvn985m/fcE=
+github.com/snyk/code-client-go v1.25.0 h1:1lcg6asMpMWwpaZLKVDdci3OrAv6rRoCsCcT8Ci/fUI=
+github.com/snyk/code-client-go v1.25.0/go.mod h1:YYggK3UbOHl5rg7uBhLzsKZBFNavcwFUse/EWCKWdzw=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9fEJCkXEOjboZjY+77lQfnvqBZ/60xNHk=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7/go.mod h1:38w+dcAQp9eG3P5t2eNS9eG0reut10AeJjLv5lJ5lpM=
 github.com/snyk/dep-graph/go v0.0.0-20251219134535-fcb262dc6d25 h1:dwJ4Kdp4c5aaWI+waHomarhouWF6BUYzfen0B6aqaNA=
@@ -563,8 +563,8 @@ github.com/snyk/policy-engine v1.1.2 h1:BYWigTxPjiQer4m2jYhO623KmGdmmzA3S60k9AJP
 github.com/snyk/policy-engine v1.1.2/go.mod h1:WW0eEb6adCEZ8CPGYsq19J6iPsvoeeTet+OWdU5Nrlw=
 github.com/snyk/snyk-iac-capture v0.6.5 h1:992DXCAJSN97KtUh8T5ndaWwd/6ZCal2bDkRXqM1u/E=
 github.com/snyk/snyk-iac-capture v0.6.5/go.mod h1:e47i55EmM0F69ZxyFHC4sCi7vyaJW6DLoaamJJCzWGk=
-github.com/snyk/snyk-ls v0.0.0-20260123134153-c85af1965c75 h1:vESgXzdRk44Gz3Ro1ZAodTD6DyexC4GFGGPbjkO/6CQ=
-github.com/snyk/snyk-ls v0.0.0-20260123134153-c85af1965c75/go.mod h1:+DFpqPnUgqNDCa1bhszp+oPh/MP4HGLQCf4lMTBwVVQ=
+github.com/snyk/snyk-ls v0.0.0-20260128094006-1a31e5aa396e h1:8TPdi3tQTCMbqU/4Bu3SSDPCw56WmDK6zjUFG68abAc=
+github.com/snyk/snyk-ls v0.0.0-20260128094006-1a31e5aa396e/go.mod h1:+DFpqPnUgqNDCa1bhszp+oPh/MP4HGLQCf4lMTBwVVQ=
 github.com/snyk/studio-mcp v1.3.0 h1:6eqjiaab9hILdoY4awAF2z+xj03VOB93DbLhlzYyRB4=
 github.com/snyk/studio-mcp v1.3.0/go.mod h1:+OuCQy/pOysingGYHNUojmpSVse/q36KODBaJlOvsNQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -708,8 +708,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

src/cli/commands/test/iac/local-execution/assert-iac-options-flag.ts

@@ -44,6 +44,7 @@ const keys: (keyof IaCTestFlags)[] = [
   // Report options
   'remote-repo-url',
   'target-name',
+  'exclude',
 ];
 const integratedKeys: (keyof IaCTestFlags)[] = ['snyk-cloud-environment'];
 

src/cli/commands/test/iac/local-execution/directory-loader.ts

@@ -1,36 +1,49 @@
 import * as path from 'path';
-import { makeFileAndDirectoryGenerator } from './file-utils';
+import {
+  makeFileAndDirectoryGenerator,
+  type ExclusionMatcher,
+} from './file-utils';
 import { VALID_FILE_TYPES } from './types';
 import { isLocalFolder } from '../../../../../lib/detect';
 
 /**
  * Gets all nested directories for the path that we ran a scan.
  * @param pathToScan - the path to scan provided by the user
  * @param maxDepth? - An optional `maxDepth` argument can be provided to limit how deep in the file tree the search will go.
+ * @param isExcluded - A pre-compiled matcher function to skip specific paths
  * @returns {string[]} An array with all the non-empty nested directories in this path
  */
 export function getAllDirectoriesForPath(
   pathToScan: string,
   maxDepth?: number,
+  isExcluded: ExclusionMatcher = () => false,
 ): string[] {
   // if it is a single file (it has an extension), we return the current path
   if (!isLocalFolder(pathToScan)) {
     return [path.resolve(pathToScan)];
   }
-  return [...getAllDirectoriesForPathGenerator(pathToScan, maxDepth)];
+  return [
+    ...getAllDirectoriesForPathGenerator(pathToScan, maxDepth, isExcluded),
+  ];
 }
 
 /**
  * Gets all the directories included in this path
  * @param pathToScan - the path to scan provided by the user
  * @param maxDepth? - An optional `maxDepth` argument can be provided to limit how deep in the file tree the search will go.
+ * @param isExcluded - A pre-compiled matcher function to skip specific paths
  * @returns {Generator<string>} - a generator which yields the filepaths for the path to scan
  */
 function* getAllDirectoriesForPathGenerator(
   pathToScan: string,
   maxDepth?: number,
+  isExcluded: ExclusionMatcher = () => false,
 ): Generator<string> {
-  for (const filePath of makeFileAndDirectoryGenerator(pathToScan, maxDepth)) {
+  for (const filePath of makeFileAndDirectoryGenerator(
+    pathToScan,
+    maxDepth,
+    isExcluded,
+  )) {
     if (filePath.directory) yield filePath.directory;
   }
 }
@@ -39,32 +52,37 @@ function* getAllDirectoriesForPathGenerator(
  * Gets all file paths for the specific directory
  * @param pathToScan - the path to scan provided by the user
  * @param currentDirectory - the directory which we want to return files for
+ * @param isExcluded - A pre-compiled matcher function to skip specific paths
  * @returns {string[]} An array with all the Terraform filePaths for this directory
  */
 export function getFilesForDirectory(
   pathToScan: string,
   currentDirectory: string,
+  isExcluded: ExclusionMatcher = () => false,
 ): string[] {
   if (!isLocalFolder(pathToScan)) {
     if (
       shouldBeParsed(pathToScan) &&
-      !isIgnoredFile(pathToScan, currentDirectory)
+      !isIgnoredFile(pathToScan, currentDirectory) &&
+      !isExcluded(pathToScan)
     ) {
       return [pathToScan];
     }
     return [];
   } else {
-    return [...getFilesForDirectoryGenerator(currentDirectory)];
+    return [...getFilesForDirectoryGenerator(currentDirectory, isExcluded)];
   }
 }
 
 /**
  * Iterates through the makeFileAndDirectoryGenerator function and gets all the Terraform files in the specified directory
  * @param pathToScan - the pathToScan to scan provided by the user
+ * @param isExcluded - A pre-compiled matcher function to skip specific paths
  * @returns {Generator<string>} - a generator which holds all the filepaths
  */
 export function* getFilesForDirectoryGenerator(
   pathToScan: string,
+  isExcluded: ExclusionMatcher = () => false,
 ): Generator<string> {
   for (const filePath of makeFileAndDirectoryGenerator(pathToScan)) {
     if (filePath.file && filePath.file.dir !== pathToScan) {
@@ -74,7 +92,8 @@ export function* getFilesForDirectoryGenerator(
     if (
       filePath.file &&
       shouldBeParsed(filePath.file.fileName) &&
-      !isIgnoredFile(filePath.file.fileName, pathToScan)
+      !isIgnoredFile(filePath.file.fileName, pathToScan) &&
+      !isExcluded(filePath.file.fileName)
     ) {
       yield filePath.file.fileName;
     }

src/cli/commands/test/iac/local-execution/file-utils.ts

@@ -9,6 +9,8 @@ import {
 import { CUSTOM_RULES_TARBALL } from './rules/oci-pull';
 import { readdirSync } from 'fs';
 import { join } from 'path';
+import * as mm from 'micromatch';
+import { ExcludeFlagInvalidInputError } from '../../../../../lib/errors/exclude-flag-invalid-input';
 
 function hashData(s: string): string {
   const hashedData = crypto.createHash('sha1').update(s).digest('hex');
@@ -72,16 +74,31 @@ export function computeCustomRulesBundleChecksum(): string | undefined {
  * makeFileAndDirectoryGenerator is a generator function that helps walking the directory and file structure of this pathToScan
  * @param root
  * @param maxDepth? - An optional `maxDepth` argument can be provided to limit how deep in the file tree the search will go.
+ * @param isExcluded - Function to skip specific paths
  * @returns {Generator<object>} - a generator which yields an object with directories or paths for the path to scan
  */
 // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
-export function* makeFileAndDirectoryGenerator(root = '.', maxDepth?: number) {
+export function* makeFileAndDirectoryGenerator(
+  root = '.',
+  maxDepth?: number,
+  isExcluded: ExclusionMatcher = () => false,
+) {
   function* generatorHelper(pathToScan, currentDepth) {
+    if (isExcluded(pathToScan)) {
+      return;
+    }
+
     {
       yield { directory: pathToScan };
     }
     if (maxDepth !== currentDepth) {
       for (const dirent of readdirSync(pathToScan, { withFileTypes: true })) {
+        const fullPath = join(pathToScan, dirent.name);
+        // Skip excluded directory paths
+        if (isExcluded(fullPath)) {
+          continue;
+        }
+
         if (
           dirent.isDirectory() &&
           fs.readdirSync(join(pathToScan, dirent.name)).length !== 0
@@ -103,3 +120,40 @@ export function* makeFileAndDirectoryGenerator(root = '.', maxDepth?: number) {
   }
   yield* generatorHelper(root, 0);
 }
+
+export type ExclusionMatcher = (pathToCheck: string) => boolean;
+
+/**
+ * Creates a path matcher function from a comma-separated string of basenames.
+ * @param rawExcludeFlag - Comma-separated basenames: "node_modules,temp"
+ * @returns A function that takes a path and returns true if it should be excluded.
+ */
+export function createPathExclusionMatcher(
+  rawExcludeFlag: string,
+): ExclusionMatcher {
+  if (!rawExcludeFlag || rawExcludeFlag.trim() === '') {
+    return () => false;
+  }
+
+  const rawEntries = rawExcludeFlag.split(',');
+  const patterns: string[] = [];
+
+  for (const entry of rawEntries) {
+    const trimmed = entry.trim();
+
+    if (trimmed === '') {
+      continue;
+    }
+
+    // Strictly forbid paths (matches both / and \ for cross-platform safety)
+    if (trimmed.includes('/') || trimmed.includes('\\')) {
+      throw new ExcludeFlagInvalidInputError();
+    }
+    // Create global patterns to match the basename at any depth.
+    // '**/name' matches a file or folder named 'name' anywhere.
+    // '**/name/**' ensures if 'name' is a directory, its contents are also excluded.
+    patterns.push(`**/${trimmed}`, `**/${trimmed}/**`);
+  }
+  // mm.matcher returns a pre-compiled regex function
+  return mm.matcher(patterns);
+}

src/cli/commands/test/iac/local-execution/index.ts

@@ -33,6 +33,7 @@ import { getErrorStringCode } from './error-utils';
 import { NoFilesToScanError } from './file-loader';
 import { Tag } from '../../../../../lib/types';
 import { CLI } from '@snyk/error-catalog-nodejs-public';
+import { createPathExclusionMatcher } from './file-utils';
 
 // this method executes the local processing engine and then formats the results to adapt with the CLI output.
 // this flow is the default GA flow for IAC scanning.
@@ -49,12 +50,14 @@ export async function test(
   const attributes = parseAttributes(options);
 
   const policy = await findAndLoadPolicy(pathToScan, 'iac', options);
+  const isPathExcluded = createPathExclusionMatcher(options.exclude || '');
 
   let allParsedFiles: IacFileParsed[] = [],
     allFailedFiles: IacFileParseFailure[] = [];
   const allDirectories = getAllDirectoriesForPath(
     pathToScan,
     options.detectionDepth,
+    isPathExcluded,
   );
 
   // we load and parse files directory by directory
@@ -63,6 +66,7 @@ export async function test(
     const filePathsInDirectory = getFilesForDirectory(
       pathToScan,
       currentDirectory,
+      isPathExcluded,
     );
     if (
       currentDirectory === pathToScan &&

src/cli/commands/test/iac/local-execution/types.ts

@@ -200,6 +200,7 @@ export type IaCTestFlags = Pick<
   // Report options
   | 'remote-repo-url'
   | 'target-name'
+  | 'exclude'
 > & {
   // Supported flags not yet covered by Options or TestOptions
   'json-file-output'?: string;

src/cli/commands/test/iac/v2/assert-iac-options.ts

@@ -38,6 +38,7 @@ const keys: (keyof IaCTestFlags)[] = [
   'remote-repo-url',
   'target-name',
   'target-reference',
+  'exclude',
   // Hidden flag to use the output file from the IaC CLI extension
   'iac-test-output-file',
 ];

src/cli/commands/test/iac/v2/index.ts

@@ -107,6 +107,7 @@ async function prepareTestConfig(
   const insecure = options.insecure;
   const customRules = options['custom-rules'];
   const experimental = options.experimental;
+  const exclude = getFlag(options, 'exclude') as string | undefined;
 
   return {
     paths: relativePaths,
@@ -129,5 +130,6 @@ async function prepareTestConfig(
     customRules,
     experimental,
     iacNewEngine,
+    exclude,
   };
 }

src/cli/main.ts

@@ -433,7 +433,7 @@ function validateUnsupportedOptionCombinations(
   }
 
   if (options.exclude) {
-    if (!(options.allProjects || options.yarnWorkspaces)) {
+    if (!options.iac && !(options.allProjects || options.yarnWorkspaces)) {
       throw new MissingOptionError('--exclude', [
         '--yarn-workspaces',
         '--all-projects',