What happened
I wanted to exclude the xss matcher from running because it was taking too much time. I set this in my deepsec.config.ts:
export default defineConfig({
projects: [
{ id: "myproject", root: ".." },
],
matchers: {
exclude: ["xss"],
},
});
But when running npx deepsec scan --project-id myproject, the xss matcher still runs and its candidates show up.
Reproduction
# Use a config with the exclude field as above
npx deepsec scan --project-id myproject
Expected vs actual
- Expected:
exclude: ["xss"] would prevent the xss matcher from running
- Actual: The xss matcher still runs and is not filtered
Environment
- deepsec version (
1.1.13):
- Node version (
v24.14.1):
- OS:
- Agent backend (
/):
- Model: /
Logs
/
What happened
I wanted to exclude the
xssmatcher from running because it was taking too much time. I set this in mydeepsec.config.ts:But when running
npx deepsec scan --project-id myproject, thexssmatcher still runs and its candidates show up.Reproduction
# Use a config with the exclude field as above npx deepsec scan --project-id myprojectExpected vs actual
exclude: ["xss"]would prevent the xss matcher from runningEnvironment
1.1.13):v24.14.1):/):Logs
/