Excluding directories and files from the import process
When you import a repository to be tested by Snyk Code, you can exclude certain directories and files from the import by using the .snyk file. The .snyk file is a YAML policy file that can contain shell matching patterns (regular expressions), which allow you to specify the directories and files you want to exclude from the import process. The .snyk file should be created in the repository you intend to import.
Important!
  • In Snyk Code, the .snyk file can ONLY be used for excluding directories and files from import. It CANNOT be used to ignore vulnerabilities or for any other action as in other Snyk products.
  • Currently, the Exclude option in the .snyk file is applicable to the Snyk Web UI and CLI Environments. It is NOT applicable to working with Snyk Code via the IDE Environment.

The Exclusion Syntax of the .snyk File

Use the following syntax to exclude files and directories via the .snyk file:
# Snyk (https://snyk.io) policy file
exclude:
# Use either “global” or “code”. “global” applies to all Snyk products, and will exclude the specified directories and files from all Snyk tests; “code” applies only to the Snyk Code analysis.
global:
# Exclude a single file. For example, - test.spec.ts
- file_name.ext
# Exclude a single directory. For example, - src/lib
- source/directory_name
# Exclude any file with a specific extension in the specific directory. For example, - tests/*.ts
- directory_name/*.ext
# Exclude files with a specific ending in any directory. For example, - “**/*.spec.ts”
- "**/*.ending.ext"
# Exclude files in directories that have the same name with a different ending, like “test” and “tests”. The last character before the question mark is optional. For example, - tests?/*
- directory_name?/*
# Exclude all files and directories in a specific directory. For example, - tests/**
- directory_name/**
Notes:
  • The path in the rule should be relative to the .snyk file location.
  • All rules must have a preceding dash to be valid: - <Exclusion_rule>
  • Any rule beginning with an asterisk must be wrapped in quotes. For example: - ”*/src”
  • Indentations –
    • When using the syntax in the .snyk YAML file, pay careful attention to new lines and their indentation. Using the wrong indentation will prevent the execution of your excluding specification.
    • Do NOT use tabs for indentation. Use only spaces for indentation.
    • To verify that you are using the syntax correctly, you can use a YAML Validator, like the YAML Lint. Be aware that some YAML Validators do not differentiate between the use of tabs and spaces for indentation. If you use tabs, a Validator may approve the syntax, but the exclude specifications will not be executed.
  • For more information on the syntax of shell matching patterns, see for example:

Using the .snyk File to exclude directories and files from import

To exclude directories and files from the import process using the .snyk file:
1. On the repository you want to import, create a YAML file called “.snyk”.
For example:
2. On the .snyk file, specify the directories and/or files you want to exclude from import according to the following syntax:
1
# Snyk (https://snyk.io) policy file
2
exclude:
3
global:
4
- <Exclusion_rule>
5
- <Exclusion_rule>
Copied!
For example:
1
# Snyk (https://snyk.io) policy file
2
exclude:
3
global:
4
- todolist-goof/**
Copied!
3. From the Snyk Web UI, import your repository by one of the following ways:
  • If the repository was already imported to Snyk – retest the repository as follows:
    • On the Projects page, click the Code analysis Project of the repository. Then, on the Code Analysis page, click the Retest now option below the header:
Your repository is imported to Snyk, without the directories and/or files you selected to exclude.

Example: Excluding 2 files from the Snyk Code analysis

We have a repository called “snyk-goof”, which we want to test for vulnerabilities using Snyk Code. After we imported this repository to Snyk, we get a list of 10 detected vulnerability issues, which were found in 3 files:
Now we want to exclude the app.js and db.js files from the Snyk Code analysis. To achieve that, we perform the following:
1. We create a .snyk file in the snyk-goof repository in GitHub:
2. In the .snyk file, we enter the following commands to exclude the app.js and db.js files from the import:
3. We retest the snyk-goof repository, by clicking the Retest now option on the Code Analysis page of the repository:
The app.js and db.js files are excluded from the retest, and therefore are not tested by Snyk Code. For this reason, they do not appear in the Code Analysis results, and now only 5 vulnerability issues are detected: