Exclude directories and files from Project import

files are excluded from the retest and, therefore, are not tested by Snyk Code and do not appear in the Code Analysis results.If you import a Project through an SCM integration, add the exclusions, folders only, to the bottom of the import window.

When you import a repository to be tested by Snyk Code, you can exclude certain directories and files from the import by using the .snyk file. The .snyk file is a YAML policy file that can contain shell matching patterns (regular expressions), which allow you to specify the directories and files you want to exclude from the import process. The .snyk file should be created in the repository you intend to import.

In Snyk Code, the .snyk file can only be used to exclude directories and files from import. It cannot be used to ignore vulnerabilities or for any other action, as in other Snyk products.
Currently, the exclude option in the .snyk file applies only to the Snyk Web UI and CLI Environments. The exclude option cannot be used when working with Snyk Code in an IDE environment.
In certain situations, your excluded files may not be excluded if there is an invalid .snyk file. In these situations, the scan continues without the .snyk file.

Consider excluding directories and files only if you do not publish or compile them into production. If a trace goes through an excluded file or directory with existing vulnerabilities, Snyk might miss potential issues.

You can also use the instructions in this section to exclude directories and files from the Snyk Code CLI test, by creating the .snyk file in your tested repository.

Exclusion syntax of the .snyk file

Syntax to use to exclude files and directories from Snyk Code testing

Use the following syntax to exclude files and directories by using the .snyk file:

# Snyk (https://snyk.io) policy file
---
exclude:
    global:
        # Exclude a single file. For example, - test.spec.js
        - file_name.ext
        # Exclude a single directory. For example, - src/lib
        - source/directory_name
        # Exclude any file with a specific extension in the specific directory. For example, - tests/.js
        - directory_name/.ext
        # Exclude files with a specific ending in any directory. For example, - “*.spec.js”
        - "*.ending.ext"
        # Exclude files in directories that have the same name with a different ending, like “test” and “tests”. The last character before the question mark is optional. For example, - tests?/
        - directory_name?/
        # Exclude all files and directories located within any specified folder within your Project. For example, directory_name/** matches and excludes all contents under any directory named directory_name. It is not constrained to the root level or the location of the .snyk file.
        - directory_name/**

You can use global or code. Either will exclude the specified directories and files from Snyk code tests. code applies only to Snyk Code analysis. global currently applies only to analysis using Snyk Code but may apply to other products in the future.

Considerations in creating the `.snyk` file

The path in the rule should be relative to the .snyk file location.
All rules must have a preceding dash to be valid: - <exclusion_rule>
For rules beginning with special characters and patterns, such as an asterisk character *, you must wrap them in double quotes (" "). This ensures they are treated as a single entity, avoiding potential misinterpretation or unintended behavior. For example, "*/src"
The following are considerations in using indentations:
- When using the syntax in the .snyk YAML file, pay careful attention to new lines and their indentation. Using the wrong indentation will prevent the execution of your excluding specification.
- Do NOT use tabs for indentation. Use only spaces for indentation.
- To verify that you are using the syntax correctly, you can use a YAML Validator, like YAML Lint. Be aware that some YAML Validators do not differentiate between the use of tabs and spaces for indentation. If you use tabs, a Validator may approve the syntax, but the exclude specifications will not be executed.
For more information on the syntax of shell matching patterns, see, for example. the following:
- GNU Org - Shell Pattern Matching
- Docstore - Pattern Matching Quick Reference with Examples

Use the `.snyk` file to exclude directories and files from import

Follow these steps to exclude directories and files from the import process using the .snyk file:

1. In the repository you want to import, create a YAML file called .snyk, for example:

2. In the .snyk file, specify the directories or files or both that you want to exclude from import according to the following syntax:

# Snyk (https://snyk.io) policy file
exclude:
 global:
   - <Exclusion_rule>
   - <Exclusion_rule>

For example:

# Snyk (https://snyk.io) policy file
exclude:
 global:
   - todolist-goof/**

3. From the Snyk Web UI, import your repository in one of the following ways:

If the repository was already imported to Snyk, retest the repository as follows:
On the Projects page, click the Code analysis Project of the repository. Then, on the Code Analysis page, click Retest now.

If the repository was not imported yet to Snyk, import the repository.

Your repository is imported to Snyk, without the directories and/or files you selected to exclude.

Example: Excluding two files from Snyk Code analysis

You have a repository called snyk-goof, which you want to test for vulnerabilities using Snyk Code. After you import his repository to Snyk, you get a list of ten detected vulnerability issues, which were found in three files:

Now you want to exclude the app.js and db.js files from the Snyk Code analysis. To achieve that, you do the following:

1. You create a .snyk file in the snyk-goof repository in GitHub:

2. In the .snyk file, you enter the following commands to exclude the app.js and db.js files from the import:

3. You retest the snyk-goof repository by clicking the Retest now option on the Code Analysis page for the repository.

The app.js and db.js files are excluded from the retest and, therefore, are not tested by Snyk Code and do not appear in the Code Analysis results. Now, only five vulnerability issues are detected:

PreviousImport Project repository NextRemove imported repository from a Project

Last updated 6 days ago