Skip to content

Commit a1ac3de

Browse files
CM-65436: add SAST fallback ignore-extensions list
When the server returns no scannable extensions for SAST (e.g. the customer has custom rules, so any text file is scannable), the CLI previously relied only on binary detection to filter files. Text-based non-source files such as the EICAR test file (.bin) and ClamAV signature databases (.ndb) slip past binary detection and get uploaded; object-storage antivirus then quarantines the zip, so the scan service can't find the file and the scan fails. Add a SAST fallback block-list (SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE) used only when no server allow-list is present, plus a one-time debug log when the fallback is hit so this is diagnosable from logs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent d651b3c commit a1ac3de

2 files changed

Lines changed: 32 additions & 0 deletions

File tree

cycode/cli/consts.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,30 @@
5353
'.iso',
5454
)
5555

56+
# Fallback block-list used for SAST only when the server does not return scannable extensions
57+
# (e.g. when the customer has custom rules, any text file is scannable). These are non-source
58+
# data formats that can slip past binary detection (the EICAR test file and ClamAV signature
59+
# databases are plain ASCII) and may be quarantined by object-storage antivirus after upload.
60+
SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
61+
'.bin',
62+
'.cvd',
63+
'.cld',
64+
'.cud',
65+
'.hdb',
66+
'.hsb',
67+
'.mdb',
68+
'.msb',
69+
'.ndb',
70+
'.ndu',
71+
'.ldb',
72+
'.ldu',
73+
'.idb',
74+
'.fp',
75+
'.sfp',
76+
'.ign',
77+
'.ign2',
78+
)
79+
5680
SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = ( # keep in lowercase
5781
'cargo.lock',
5882
'cargo.toml',

cycode/cli/files_collector/file_excluder.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,10 @@ def __init__(self) -> None:
6363
}
6464
self._non_scannable_extensions: dict[str, tuple[str, ...]] = {
6565
consts.SECRET_SCAN_TYPE: consts.SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE,
66+
consts.SAST_SCAN_TYPE: consts.SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE,
6667
}
68+
# Tracks scan types for which the SAST fallback log has already been emitted (log once, not per file)
69+
self._logged_sast_fallback = False
6770

6871
def apply_scan_config(self, scan_type: str, scan_config: 'models.ScanConfiguration') -> None:
6972
if scan_config.scannable_extensions:
@@ -86,6 +89,11 @@ def _is_file_extension_supported(self, scan_type: str, filename: str) -> bool:
8689

8790
non_scannable_extensions = self._non_scannable_extensions.get(scan_type)
8891
if non_scannable_extensions:
92+
# For SAST, reaching the block-list means the server returned no scannable extensions
93+
# (e.g. custom rules, or no remote config). Log once so this is diagnosable.
94+
if scan_type == consts.SAST_SCAN_TYPE and not self._logged_sast_fallback:
95+
self._logged_sast_fallback = True
96+
logger.debug('No scannable extensions provided for SAST; falling back to the built-in ignore list')
8997
return not filename.endswith(non_scannable_extensions)
9098

9199
return True

0 commit comments

Comments
 (0)