Exclude files and folders for Contrast Scan

You have the option to exclude specified files or folders from scans. This feature is useful when you want to exclude artifacts that generate a lot of noise or are irrelevant to the scan.

Contrast excludes some files and folders by default.

Before you begin

  • This feature is available only for multi-language source code scans with the Scan local engine.

  • If you exclude files from a previously scanned project, Contrast changes the status of vulnerabilities affected by the exclusions to Remediated. For example, after you exclude files, the number of vulnerabilities in the scan results could be reduced from the original findings and the number of remediated vulnerabilities could increase.

  • Specified file and folder names are case-sensitive.

Steps

  1. In the root folder of the source code you are scanning, create a file named .contrast-scan.json.

  2. In the JSON file, specify the files and folders you want to exclude using this format:

    {
      "excludes": [
        "**/MavenWrapperDownloader.java",
        "**/*.js"
      ]
    }

    Replace the examples of MavenWrapperDownloader.java and *.js with the names of your files and folders.

Pattern examples

These examples show how you can specify excluded files and folders.

Patterns are considered relative paths.

Each pattern example below is followed by what it excludes:

*.java

Files with zero or more characters before the .java extension. For example: .java, x.java, and FooBar.java.

Not excluded: Files that are not in the root directory being scanned, even if the filename has an extension of .java.

?.java

Files with one character before the .java extension. For example: x.java or A.java.

Not excluded: Files such as .java or xyz.java because they have zero or more than one character before the .java extension.

**/*.java

All folders and files with the extension of .java.

**/CVS/*

All files in CVS directories that exist anywhere in the directory tree.

org/apache/jakarta/**

All files in the org/apache/jakarta directory tree.

Not excluded: The file org/apache/xyz.java because jakarta is not included in the path.

org/apache/**/CVS/*

All files in CVS directories that are located anywhere in the directory tree under org/apache.

Not excluded: A file named org/apache/CVS/foo/bar/Entries because foo/bar/ does not match the pattern.

**/test/**

All files that have test in their path, including test as part of a filename.

**/*test*/**

Excludes the string test wherever it is found in the path.
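Because findings in excluded files are reported as Remediated, it is worth previewing what a .contrast-scan.json would drop before scanning. The following is an added example, not Contrast's own code: it approximates the wildcard rules from the pattern examples above (the matcher, function names, sample config and file list are assumptions constructed for illustration).

```python
import json
import re

def segment_matches(pattern_seg, path_seg):
    # Within one path segment: '*' is any run of characters, '?' is exactly one.
    regex = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                    for c in pattern_seg)
    return re.fullmatch(regex, path_seg) is not None  # case-sensitive

def matches(pattern, path):
    # pattern and path are lists of '/'-separated segments, relative to the root.
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":  # spans zero or more whole segments
        return any(matches(rest, path[i:]) for i in range(len(path) + 1))
    return bool(path) and segment_matches(head, path[0]) and matches(rest, path[1:])

def preview_exclusions(config_text, rel_paths):
    """Map each pattern in .contrast-scan.json text to the paths it would drop."""
    patterns = json.loads(config_text)["excludes"]
    return {p: [f for f in rel_paths if matches(p.split("/"), f.split("/"))]
            for p in patterns}

# Constructed sample config and file list (paths relative to the scan root).
SAMPLE_CONFIG = """{
  "excludes": [
    "**/MavenWrapperDownloader.java",
    "*.java",
    "org/apache/**/CVS/*",
    "**/Generated/**"
  ]
}"""
SAMPLE_FILES = [
    ".mvn/wrapper/MavenWrapperDownloader.java",
    "Build.java",
    "src/main/java/App.java",
    "org/apache/CVS/Entries",
    "org/apache/jakarta/tools/CVS/Entries",
    "org/apache/CVS/foo/bar/Entries",
    "src/generated/Model.java",  # lower-case folder: "**/Generated/**" misses it
]

if __name__ == "__main__":
    for pattern, hits in preview_exclusions(SAMPLE_CONFIG, SAMPLE_FILES).items():
        note = "" if hits else "  <-- matches nothing (check spelling and case)"
        print(f"{pattern}{note}")
        for path in hits:
            print(f"    {path}")
```

A pattern that matches nothing often points to a case mismatch, and a pattern that matches application source deserves a second look before the scan is rerun.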

Default exclusions

By default, Contrast Scan excludes these files, folders, patterns, and extensions:

Excluded file and folder patterns

  • /src/test/

  • /__MACOSX/

  • /*.min.js

  • /.Designer.vb

  • **/.designer.vb

  • /*Reference.vb

  • /Service.vb

  • /*Silverlight.vb

  • /.Designer.cs

  • /*.designer.cs

  • /Reference.cs

  • /*Service.cs

  • /Silverlight.cs

  • **/.

  • /Pods/BuildHeaders//.h

  • /Pods/Headers//*.h

  • /node_modules/

  • /bower_components/

  • /target/

  • /bin/

  • /obj/

  • /dist/

  • /lib/

Excluded extensions

  • exe

  • dll

  • so

  • bin

  • arc

  • arj

  • zip

  • rar

  • ear

  • tar

  • tgz

  • gz

  • gzip

  • z

Excluded files

  • readme

  • changelog

  • changes

  • todo

  • license

  • copying

  • maintainers

  • thumbs.db

See also

Directory-based tasks provides additional information on patterns for specifying files and folders.