File exclusion

Last updated: Jul 1, 2026


You can exclude specific files or directories from the security analysis by creating an exclusion file in the root of your repository. The integration supports two exclusion file formats:

Using the .fluidattacksignore file

Create a file named .fluidattacksignore in the root directory of your repository. This file uses pattern matching (similar to .gitignore) to exclude files from analysis.

Example

*.pyc
*__pycache__*
*.log
node_modules/*
tests/*
dist/*
build/*
*.min.js

Using the fluidattacks-exclude.txt file

Alternatively, you can create a file named fluidattacks-exclude.txt in the root directory of your repository with the same pattern format.

Example

*.pyc
*__pycache__*
*.log
node_modules/*

Pattern matching rules

The exclusion patterns support the following matching rules:

  • Wildcards: Use * to match any sequence of characters
  • *.pyc matches all files ending with .pyc
  • test_*.py matches files starting with test_ and ending with .py
  • Directory exclusion: Add a /* suffix to exclude a directory's contents (the * also spans nested paths); a bare directory name or a trailing slash alone does not match the files inside it
  • node_modules/* excludes everything under node_modules
  • tests/* excludes everything under tests
  • *__pycache__* excludes any __pycache__ directory anywhere in the tree
  • Path matching: Patterns can match relative paths from the repository root
  • src/legacy/* excludes all files in src/legacy/
  • config/local.* excludes files like config/local.yaml and config/local.json
  • Comments: Lines starting with # are treated as comments and ignored
  • Empty lines: Empty lines are ignored

Example of .fluidattacksignore with comments

# Compiled Python files
*.pyc
*__pycache__*

# Log files
*.log

# Dependencies
node_modules/*

# Test files (optional - uncomment if you want to exclude tests)
# tests/*

# Build artifacts
dist/*
build/*

Files matching any pattern in the exclusion file will be skipped during the security analysis, reducing false positives from generated code, dependencies, or test files.

On this page