Exclude and include filters help your team to focus their attention on the open source packages that matter most and to improve scan performance. Use inclusion patterns when you have many packages that you want to scan separately and exclusion patterns when you want to filter out packages that are not important to you.
You can include or exclude packages using the following standard patterns:
- Include or exclude specific packages.
- Include or exclude specific directories.
- Include or exclude with a Glob style expressions.
- Use include and exclude patterns together to exclude specific directories such as a test directory from a scan.
- Use multiple include and exclude patterns together to exclude or include specific directories or file paths.
Scoping scans with endorctl
To include or exclude a package based on its file name when you scan with endorctl.
Include path
Exclude path
To include or exclude a package based on its directory
Include Directory
Exclude Directory
Examples of scoping scans
The following examples show how you can use scoping scans.
Exclude an entire directory tree
Use --exclude-path="src/java/**" to exclude all files under src/java, including all subdirectories.
Exclude only top-level files in a directory (not subdirectories)
Use --exclude-path="src/python/*" to exclude only the files directly under src/python, leaving any subdirectories untouched.
* matches files in the current directory only. ** matches files in the current directory and nested subdirectories.
Scan a directory while excluding its test folder
Use --include-path and --exclude-path together to scan a specific directory while skipping test code.
Scan multiple languages in the same repository
Use multiple --include-path flags to scan several tech stacks at once, useful in polyglot monorepos.
Use multiple --exclude-path flags to skip dependency or build-tool directories you don’t want analyzed.
Exclude a single manifest file
Exclude a specific file rather than a whole directory — for example, a package manifest in a legacy module you don’t want scanned.
Exclude multiple specific files
Use multiple --exclude-path flags to target specific manifest files in different locations.
Exclude files by extension across the repository
Use a ** glob to skip a particular file type anywhere in the repository tree.
Combine a quick scan with an exclusion
Add --exclude-path to --quick-scan to run a faster scan while skipping a specific path.
Exclude a directory at any depth
Use a leading **/ to match a directory name regardless of where it appears in the repository tree. This is useful for directories like node_modules that can appear at multiple levels.
Best practices of scoping scans
Here are a few best practices of using scoping scans:
- Ensure that you enclose your exclude pattern in double quotes to avoid shell expansion issues. For example, do not use
--exclude-path=src/test/**, instead, use --exclude-path="src/test/**".
- Inclusion patterns are not designed for documentation or example directories. You cannot explicitly include documentation or example directories:
docs/
documentation/
groovydoc/
javadoc
man/
examples/
demos/
inst/doc/
samples/
- The specified paths must be relative to the root of the directory.
- If you are using JavaScript workspaces, Endor Labs automatically detects workspace roots and their lock files:
- You can scan individual workspace packages without explicitly including the root package. The scanner automatically detects the workspace root and locates the lock file.
- For example, to scan only a specific workspace package:
endorctl scan --include-path="packages/utils/**" - the scanner automatically finds and uses the lock file at the workspace root.
- You can still exclude specific child packages from your scan while the workspace root is automatically detected.