feat: add iac --exclude param [IAC-3473]

[alexandru-manea-snyk]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages
  are release-note ready, emphasizing
  what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

This PR implements the --exclude parameter for IaC scanning. The implementation is designed to be consistent with the existing snyk test exclude behavior, focusing on global basename matching.

Behavior

• Matches the provided name(s) anywhere in the file tree( --exclude=dir1 matches ./dir1 and ./src/dir1
• If a directory name is excluded, the scanner ignores the directory itself and all of its contents
• Strictly forbids the use of directory separators (/ or \) in the exclude flag

Where should the reviewer start?

• Logic Definition: src/cli/commands/test/iac/local-execution/file-utils.ts - Review createPathExclusionMatcher. This is where input strings are converted into global glob patterns (**/name and **/name/**).
• Integration:src/cli/commands/test/iac/local-execution/file-utils.ts - Check how makeFileAndDirectoryGenerator uses the matcher to skip excluded branches during the directory walk.

How should this be manually tested?

mkdir -p test-iac-exclude/{included,excluded,ignored}

printf 'data "aws_iam_policy_document" "s" {\n  statement {\n    actions = ["*"]\n    resources = ["arn:aws:s3:::example"]\n  }\n}\n' > test-iac-exclude/included/included.tf
cp test-iac-exclude/included/included.tf test-iac-exclude/excluded/excluded.tf
cp test-iac-exclude/included/included.tf test-iac-exclude/ignored/ignored.tf

# Test single exclusion: only 'included.tf' and 'ignored.tf' should appear
snyk iac test --exclude=excluded test-iac-exclude

# Test multiple exclusions: only 'included.tf' should appear
snyk iac test --exclude=excluded,ignored test-iac-exclude

# Test file exclusion: only 'included.tf' and 'excluded.tf' should appear
snyk iac test --exclude=ignored.tf test-iac-exclude

What's the product update that needs to be communicated to CLI users?

New Feature: Exclude files and directories from IaC scans

Users can now exclude specific files and directories from IaC scans using the --exclude parameter:

snyk iac test --exclude=excluded-folder,ignored-file.tf

This update allows you to skip specific files or folders by name, no matter where they are located in your project. If the name matches a folder, Snyk CLI will ignore that folder and every file inside it. This is particularly useful for excluding test files, temporary files, or other non-production IaC files from security scans.

Risk assessment: Low

• Low risk: This is an additive feature that doesn't change existing behavior
• Well tested: Comprehensive unit and integration test coverage
• No breaking changes: Existing commands continue to work as before

Any background context you want to provide?

This feature was requested to allow users to exclude test files, temporary files, and other non-production IaC files from security scans.

What are the relevant tickets?

• IAC-3473 - Add --exclude parameter support for IaC scanning

[github-actions]

	Warnings
⚠️	Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones. A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax. Files found: src/cli/main.ts test/jest/unit/iac/directory-loader.spec.ts
⚠️	There are multiple commits on your branch, please squash them locally before merging!
⚠️	"[feat: skip excluded folders during scan for better performance IAC-3473](https://api.github.com/repos/snyk/cli/git/commits/c9e66a54f5b09f72620290eff74b184fcabb6507)" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against a130394

[j-luong]

issue: is this tested? options.iac is configured here, do we intend to support the exclude flag for all scenarios where options.iac === true?

issue: the resulting MissingOptionError output also doesn't make sense:

 FATAL   Invalid flag option (SNYK-CLI-0004)
                                                                                        
           The --exclude option can only be used in combination with --all-projects or  
           --iac or --yarn-workspaces.                                                  

Docs:    https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0004 
                                                                         
ID:      urn:snyk:interaction:0b9d5ff3-c3a6-4b53-9d6e-aadc18bd2fef 

--iac is not a flag option.

[alexandru-manea-snyk]

This was included by mistake. We are not changing anything regarding open source logic.