Skip to content

Config matchers.exclude does not work (matcher e.g. xss not excluded during scan) #36

Description

@sones3

What happened

I wanted to exclude the xss matcher from running because it was taking too much time. I set this in my deepsec.config.ts:

export default defineConfig({
  projects: [
    { id: "myproject", root: ".." },
  ],
  matchers: {
    exclude: ["xss"],
  },
});

But when running npx deepsec scan --project-id myproject, the xss matcher still runs and its candidates show up.

Reproduction

# Use a config with the exclude field as above
npx deepsec scan --project-id myproject

Expected vs actual

  • Expected: exclude: ["xss"] would prevent the xss matcher from running
  • Actual: The xss matcher still runs and is not filtered

Environment

  • deepsec version (1.1.13):
  • Node version (v24.14.1):
  • OS:
  • Agent backend (/):
  • Model: /

Logs
/

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions