Skip to main content
Exclude and include filters help your team to focus their attention on the open source packages that matter most and to improve scan performance. Use inclusion patterns when you have many packages that you want to scan separately and exclusion patterns when you want to filter out packages that are not important to you. You can include or exclude packages using the following standard patterns:
  1. Include or exclude specific packages.
  2. Include or exclude specific directories.
  3. Include or exclude with a Glob style expressions.
  4. Use include and exclude patterns together to exclude specific directories such as a test directory from a scan.
  5. Use multiple include and exclude patterns together to exclude or include specific directories or file paths.

Scoping scans with endorctl

To include or exclude a package based on its file name when you scan with endorctl.
To include or exclude a package based on its directory

Examples of scoping scans

The following examples show how you can use scoping scans.

Exclude an entire directory tree

Use --exclude-path="src/java/**" to exclude all files under src/java, including all subdirectories.

Exclude only top-level files in a directory (not subdirectories)

Use --exclude-path="src/python/*" to exclude only the files directly under src/python, leaving any subdirectories untouched.
* matches files in the current directory only. ** matches files in the current directory and nested subdirectories.

Scan a directory while excluding its test folder

Use --include-path and --exclude-path together to scan a specific directory while skipping test code.

Scan multiple languages in the same repository

Use multiple --include-path flags to scan several tech stacks at once, useful in polyglot monorepos.

Include a directory while excluding specific build-tool directories

Use multiple --exclude-path flags to skip dependency or build-tool directories you don’t want analyzed.

Exclude a single manifest file

Exclude a specific file rather than a whole directory — for example, a package manifest in a legacy module you don’t want scanned.

Exclude multiple specific files

Use multiple --exclude-path flags to target specific manifest files in different locations.

Exclude files by extension across the repository

Use a ** glob to skip a particular file type anywhere in the repository tree.

Combine a quick scan with an exclusion

Add --exclude-path to --quick-scan to run a faster scan while skipping a specific path.

Exclude a directory at any depth

Use a leading **/ to match a directory name regardless of where it appears in the repository tree. This is useful for directories like node_modules that can appear at multiple levels.

Best practices of scoping scans

Here are a few best practices of using scoping scans:
  • Ensure that you enclose your exclude pattern in double quotes to avoid shell expansion issues. For example, do not use --exclude-path=src/test/**, instead, use --exclude-path="src/test/**".
  • Inclusion patterns are not designed for documentation or example directories. You cannot explicitly include documentation or example directories:
    • docs/
    • documentation/
    • groovydoc/
    • javadoc
    • man/
    • examples/
    • demos/
    • inst/doc/
    • samples/
  • The specified paths must be relative to the root of the directory.
  • If you are using JavaScript workspaces, Endor Labs automatically detects workspace roots and their lock files:
    • You can scan individual workspace packages without explicitly including the root package. The scanner automatically detects the workspace root and locates the lock file.
    • For example, to scan only a specific workspace package: endorctl scan --include-path="packages/utils/**" - the scanner automatically finds and uses the lock file at the workspace root.
    • You can still exclude specific child packages from your scan while the workspace root is automatically detected.