Commit a1ac3de
CM-65436: add SAST fallback ignore-extensions list
When the server returns no scannable extensions for SAST (e.g. the customer
has custom rules, so any text file is scannable), the CLI previously relied
only on binary detection to filter files. Text-based non-source files such as
the EICAR test file (.bin) and ClamAV signature databases (.ndb) slip past
binary detection and get uploaded; object-storage antivirus then quarantines
the zip, so the scan service can't find the file and the scan fails.
Add a SAST fallback block-list (SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE) used only
when no server allow-list is present, plus a one-time debug log when the
fallback is hit so this is diagnosable from logs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>1 parent d651b3c commit a1ac3de
2 files changed
Lines changed: 32 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
53 | 53 | | |
54 | 54 | | |
55 | 55 | | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
56 | 80 | | |
57 | 81 | | |
58 | 82 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
| 66 | + | |
66 | 67 | | |
| 68 | + | |
| 69 | + | |
67 | 70 | | |
68 | 71 | | |
69 | 72 | | |
| |||
86 | 89 | | |
87 | 90 | | |
88 | 91 | | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
89 | 97 | | |
90 | 98 | | |
91 | 99 | | |
| |||
0 commit comments